Is MBAM Too Aggressive?

When I scan with MBAM Pro it always identifies some registry items as malware. A couple of months ago I quarantined several and W7 crashed a couple of times. When I restored those items all was well. Accordingly I have ignored all registry items in the scan.

A quick scan this AM showed two, one of which is listed here.
PUP.Optional...Registry Key HKCR\237FDFDB-3722-470E-88A

The other entry was similar.

I scan with my AV, currently BD IS, and nothing is found. I then wonder if MBAM has become too aggressive?

Comments?
Thanks. Jerry

 

False positive? Legitimate detection? Only MBAM support can know. First report to them to get confirmation... then hopefully you can report here if MBAM was too aggressive

 

That sounds like potentially unwanted program detection to me. Note the word 'optional'. As fax said, it can only be verified by MBAM Support whether that is indeed unwanted stuff or a false positive.

 

Since July this year PUP/PUA detection certainly has been increased:
Malwarebytes Adopts Aggressive PUP Policy
https://forums.malwarebytes.org/index.php?showtopic=130156#entry710493

As fax and Tony say probably best to liase direct with them.

 

it is good to have it in agresive mode

 

PUP means potentially unwanted program (mostly toolbars and other useless craps). Considering the impact they have on your PC's performance you might want to call them grayware or even borderline malware.

Perhaps BitDefender just doesn't want to get involved in legal battles with the advertising companies from which the pups come from, while Malwarebytes' (and some others, like avast!) aren't scared of doing so.

 

Finally, great news

 

Too aggressive ? Well speaking only for myself and not for the company.
It's a good thing I'm not in charge of Research as ALL of these type of programs are just about malware to me. You won't find them on any computers I manage or support. Installing any additional item without obviously listing it in the installer (without having to dive in deep to find it) and giving me the opportunity to not install it then it is JUNK and acting like malware to me.

It's your computer and you have the right to run these PUP items if you like and you can certainly add or ignore or even turn off detection for your computer if you like.

What are the 'PUP' detections, are they threats and should they be deleted?

 

Thanks to Malwarebytes, I was able to help a friend of mine (Saturday) clean his computer of the Babylon toolbar and some garbage that goes by the name BitGuard. I don't think my friend thinks MBAM is too aggressive, that's for sure.

Bo

 

No not too aggressive.

It's just that some AV vendors don't think it is as important with PUP/PUA detections as it is with malware, to put it short.

But it is also up to the user/s to know what type of "extra" detections that is enabled. Like PUAs or suspicious objects etc etc...and that goes for all products not only MBAM.

 

It's the same kind of problem like the one I reported here, only that I was criticising MBAR, not MBAM... And apparently it is a design decision so I doubt they will change their mind and take a more realistic approach to malware detection.

 

@Nebulus

Yes it may be similar as in "perception" and you did receive a response on it.

OFF TOPIC - further discussion on this subject really should go back over to the original topic but since you brought it up I'll respond here. If a Moderator wishes to split the posts over to that topic please do so.

There certainly is malware that makes these changes and if you can provide us with 100% proven technology that can determine the difference of whether the user changed the default setting or if malware did then we'd be happy to review it. Otherwise it is there to indicate that yes there was an unknown change and can be used as an indicator that there may be malware on the system whether or not its detected. Those items though can be placed in your ignore list and we will never tell you about them again so the way I see it you have it both ways. If you've ever used TeaTimer from Spybot it works similar in that it does not know if a change is good or bad but it alerts that a "change" has been made and leaves it up to the user to decide if they did it or if the change was made without their knowledge.

 

some antivirus are now adapting the detention of pup in real time and nod32 is doing very well as mbampro is doing at this very moment and it is very important to have it on all the time

 

When I do the next scan where the log has the entries involving the registry I will send the log to MBAM support. I do not know how to zip it and send it, but I'll learn i guess. It appears that the log does not have a way to zip it from the MBAM.

Regards,
Jerry

 

I think so too, sometimes it kills windows registry entries (false positive).

 

Hello laris:

If you believe MBAM may have found a false positive, here's a forum for you to report it:

https://forums.malwarebytes.org/index.php?showforum=122

HTH

1PW

 

As a long time user of MBAM, my experience has been that it has never been too aggressive.

Back in the day when there were numerous antispyware programs available false positives were very common place. However MBAM has given me probably only about 1 or 2 minor false positives over the years.

 

It is pointless. They made up their minds, as you can see if you read the pinned thread called "PUP.Optional listings and disputes" on their forum.

Yes, I did receive a response on it. And I will continue saying that a changed Windows setting by itself doesn't equal malware infection.

 

You are 100% correct on the second point which is why MBAM classifies it as PUM (Potentially Unwanted Modification), e.g. a system setting modified from its default, similar to how PUP objects (Potentially Unwanted Programs) are classified.

I agree regarding MBAR and do plan to address it by actually removing those detections from MBAR and leaving them to MBAM. MBAR should be more focused on just rootkits, it's simply using much of MBAM's database along with its own specialized antirootkit database for now while it's in beta for the sake of testing to ensure that its detection and removal capabilities are working as they should be. You'll notice for example that MBAR no longer detects PUP objects at all, unlike MBAM.

 

and in case you are curious... it was a false positive.
https://forums.malwarebytes.org/index.php?showtopic=135716

 

I do appreciate the help both here and the MBAM forum. I am glad it did what was requested to find the problem, which was a FP.
I know so little that I am afraid to do anything that involves the registry.
I did not know that the Babyon ToolBar was on my system. I recall that in the past I accidentally, by not noticing the option of installing it or not, installed it. I also found it difficult to get rid of, and evidently I did not.

Thanks all,
Jerry

 

Regarding MBAM i think those detections are ok because they will help revert malicious changes made by malware.

That will be true in most cases, because most people doesn't manually disable the security center or the firewall(without having other in place). In less numerous cases, when the changes are intentional, it's more likely that the user that have the knowledge to made them, is also able to interpret the detection (for instance, if someone manually disables the security center for some reason, and see the detection "Pum.Disabled.SecurityCenter", it's not hard to guess what the detection is about). If those detections were simply turned off the majority of users would be unprotected. Anyway, imo, it should be some more info and not simply a "PUM" (maybe a balloon with info when hoovering the mouse?).