Malwarebytes' founder on quick scan vs. full scan

Thanks for taking the time to drop in, Marcin.

 

I agree and Prevx and now Webroot SecureAnywhere has always been this way default Deep Scan 2 minutes or less most times same with MBAM, SAS, HMP no need scan the whole system even if you have MBAM in realtime if something tried to execute it would be detected like the others that's the important part.

TH

 

That makes absolute sense. I'll change the schedule to run only weekly quick scans.

 

Well I see Marcin did stop by so no need for me to say what he already said.

Cheers

 

So why does Malwarebytes Anti-Rootkit BETA take 20+ minutes to scan?

 

Full scan allows you to select a drive. Quick Scan doesn't. How do you Quick
Scan another drive that isn't the boot drive?

Al

 

Yeah, like, uh, exactly.

I keep changing my mind about believing him.

We need this 'surprise me variable scan length" option.

This would solve all my problems.


.

 

This is a good time for me to note that I have never had a problem believing Marcin... I'm simply piggybacking on his own words.

It's been an eyeopener for me to learn that the full scan is not necessary as long as you run a quick scan.
And I subsequently wonder why the Anti-Rootkit scan takes as long as it does?

 

The fact that they thought it necessary to create a separate program to specifically target rootkits suggests that MBAM is not optimal in that respect. Apparently the criteria for effectively detecting an removing rootkits is different..? Perhaps the Malwarebytes people can comment...

 

If you review rootkit detection and removal I think you will find that most of the major antivirus companies provide stand-alone rootkit scanners as well as integration of rootkit scanning capabilities. The stand alone offers a bit more flexibility for updates and functionality without being tied to the main product.

We already do rootkit scanning in our product but not the same technology and abilities as the stand alone tool does. We will be integrating that new technology into our 2.0 product though to answer your question.

As for Quick Scanning a non System Drive it's not supported as it will already do that if it's needed. Meaning that if for some reason their is active live malware running on your system that is housed and running from the G: drive as an example, we will scan and remove it from the G: drive. So again, there is no need to do something different or scan the other drives. I call that flat file scanning myself as its not live active malware and your antivirus is actually better suited to do that sort of flat file scanning to look for some file that is not actively installed and infecting your system. As an example Researchers often have hundreds or thousands of "sample" infections on their system but they're not active live infections so there is no threat just having them sit there. If they go to execute them then the PRO version with file system monitoring would detect and stop it.

 

Is the quick scan equally effective if the user runs portable browsers from a non-standard location, such as the Documents folder, or should the browser cache be scanned separately with a custom scan to be safe?

 

Well, my apologies. Since you've been developing MBAR I just assumed that it would be even better at rootkit removal then MBAM already is. In any case since the products will be combined I won't have to choose which to use

 

In other words, it's better to keep them separate so you're putting them together.

 

Ah, the vagaries of language I would cut them some slack as there are good reasons for a standalone RK scanner. Many vendors give them away as a "public service" and to raise their profile/promote other products. Also they can often be run from rescue boot disks.

 

They could keep a stable version of MBAR in MBAM and a standalone MBAR with the latest improvements, which are not stable enough for integration with MBAM.

 

There needs to be a MBAM rescue disk to scan outside of Windows. For those who are still not satisfied with the current offerings

 

The scanning is not based on which scanner you're using. In the current version there are entries in the browsers like Firefox and Chrome that use a database to store information that the current version cannot modify so it's possible for it to store an entry to allow it to go to some other location than expected. We do hope to have an update this year though to deal with that database so that we can modify it. We will still hit and remove files found that that are often linked to which would nullify an onboard infection that uses a file link. Currently it would require you to manually remove the entry from Firefox or Chrome or to use another tool like AdwCleaner to remove those entries. Learning how to manage the configuration of Firefox or Chrome though would benefit you in the long run though as you'd better understand and be able to remove such modifications without the need for a 3rd party tool.

 

We do have a tool already that we're working on that will provide that but it's marketed for the Technician Repair shops and not home users called Techbench

Part of the issue is being able to maintain and control some type of licensing to prevent piracy and abuse. Tools like the rootkit scanners from some vendors do not do normal full on scan and repair. They often target very specific threats and you still require their full product to do the normal scan for malware and viruses. Our product has always operated differently than a traditional antivirus or rootkit scanner and we've come up with MBAR to allow us to split the functions as well. What the final outcome will be is not set in stone. We currently plan to use MBAR in the 2.0 product. We do not currently plan to have a stand alone bootable product that can do full scans except for the Techbench. Will we ever make one even trimmed down for home users that's bootable? I'm not sure is the answer. We've talked about it but as said there are piracy and abuse issues to be concerned about as well. So the answer is "maybe" but the "when, or IF" is not known at this time.