Is MBAM Too Aggressive?

Discussion in 'other anti-malware software' started by JerryM, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    When I scan with MBAM Pro it always identifies some registry items as malware. A couple of months ago I quarantined several and W7 crashed a couple of times. When I restored those items all was well. Accordingly I have ignored all registry items in the scan.

    A quick scan this AM showed two, one of which is listed here.
    PUP.Optional...Registry Key HKCR\237FDFDB-3722-470E-88A

    The other entry was similar.

    I scan with my AV, currently BD IS, and nothing is found. I then wonder if MBAM has become too aggressive?

    Comments?
    Thanks. Jerry
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    False positive? Legitimate detection? Only MBAM support can know. First report to them to get confirmation... then hopefully you can report here if MBAM was too aggressive :)
     
  3. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    That sounds like potentially unwanted program detection to me. Note the word 'optional'. As fax said, it can only be verified by MBAM Support whether that is indeed unwanted stuff or a false positive.
     
  4. NSG001

    NSG001 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    617
    Location:
    Wembley, London
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    It is good to have it in aggressive mode.
     
  6. quanzi_1507

    quanzi_1507 Registered Member

    Joined:
    Feb 18, 2009
    Posts:
    320
    PUP means potentially unwanted program (mostly toolbars and other useless crap). Considering the impact they have on your PC's performance you might want to call them grayware or even borderline malware.

    Perhaps BitDefender just doesn't want to get involved in legal battles with the advertising companies the PUPs come from, while Malwarebytes (and some others, like avast!) aren't scared of doing so.
     
  7. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
  8. AdvancedSetup

    AdvancedSetup Security Expert

    Joined:
    May 8, 2008
    Posts:
    130
    Location:
    USA
    Too aggressive? Well, speaking only for myself and not for the company.
    It's a good thing I'm not in charge of Research, as ALL of these types of programs are just about malware to me. You won't find them on any computers I manage or support. If something installs any additional item without obviously listing it in the installer (without my having to dive in deep to find it) and giving me the opportunity not to install it, then it is JUNK and acting like malware to me.

    It's your computer and you have the right to run these PUP items if you like and you can certainly add or ignore or even turn off detection for your computer if you like.

    What are the 'PUP' detections, are they threats and should they be deleted?
     
  9. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Thanks to Malwarebytes, I was able to help a friend of mine (Saturday) clean his computer of the Babylon toolbar and some garbage that goes by the name BitGuard. I don't think my friend thinks MBAM is too aggressive, that's for sure.

    Bo
     
  10. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    No not too aggressive.

    It's just that some AV vendors don't think PUP/PUA detections are as important as malware detections, to put it briefly.

    But it is also up to the user(s) to know what types of "extra" detections are enabled, like PUAs or suspicious objects etc. etc. ...and that goes for all products, not only MBAM. :)
     
  11. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    It's the same kind of problem as the one I reported here, only that I was criticising MBAR, not MBAM... And apparently it is a design decision, so I doubt they will change their mind and take a more realistic approach to malware detection.
     
    Last edited: Oct 30, 2013
  12. AdvancedSetup

    AdvancedSetup Security Expert

    Joined:
    May 8, 2008
    Posts:
    130
    Location:
    USA
    @Nebulus

    Yes it may be similar as in "perception" and you did receive a response on it.

    OFF TOPIC - further discussion on this subject really should go back over to the original topic but since you brought it up I'll respond here. If a Moderator wishes to split the posts over to that topic please do so.

    There certainly is malware that makes these changes, and if you can provide us with 100% proven technology that can determine whether the user changed the default setting or malware did, then we'd be happy to review it. Otherwise it is there to indicate that yes, there was an unknown change, and it can be used as an indicator that there may be malware on the system, whether or not it's detected. Those items, though, can be placed in your ignore list and we will never tell you about them again, so the way I see it you have it both ways. If you've ever used TeaTimer from Spybot, it works similarly in that it does not know if a change is good or bad, but it alerts that a "change" has been made and leaves it up to the user to decide if they did it or if the change was made without their knowledge.
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Some antivirus products are now adopting the detection of PUPs in real time, and NOD32 is doing very well, as MBAM Pro is doing at this very moment, and it is very important to have it on all the time. :thumb:
     
  14. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    When I do the next scan where the log has the entries involving the registry, I will send the log to MBAM support. I do not know how to zip it and send it, but I'll learn, I guess. It appears that there is no way to zip the log from within MBAM.

    Regards,
    Jerry
     
  15. Impet

    Impet Registered Member

    Joined:
    May 5, 2013
    Posts:
    895
    I think so too, sometimes it kills windows registry entries (false positive). :(
     
  16. 1PW

    1PW Registered Member

    Joined:
    Apr 2, 2010
    Posts:
    702
    Location:
    North of the 38th parallel.
    Hello laris:

    If you believe MBAM may have found a false positive, here's a forum for you to report it:

    https://forums.malwarebytes.org/index.php?showforum=122

    HTH :)

    1PW
     
  17. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,247
    As a long time user of MBAM, my experience has been that it has never been too aggressive.

    Back in the day, when there were numerous antispyware programs available, false positives were very commonplace. However, MBAM has given me probably only about 1 or 2 minor false positives over the years.
     
  18. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    It is pointless. They made up their minds, as you can see if you read the pinned thread called "PUP.Optional listings and disputes" on their forum.

    Yes, I did receive a response on it. And I will continue saying that a changed Windows setting by itself doesn't equal malware infection.
     
  19. exile360

    exile360 Registered Member

    Joined:
    Dec 21, 2011
    Posts:
    51
    Location:
    US
    You are 100% correct on the second point which is why MBAM classifies it as PUM (Potentially Unwanted Modification), e.g. a system setting modified from its default, similar to how PUP objects (Potentially Unwanted Programs) are classified.

    I agree regarding MBAR and do plan to address it by actually removing those detections from MBAR and leaving them to MBAM. MBAR should be more focused on just rootkits, it's simply using much of MBAM's database along with its own specialized antirootkit database for now while it's in beta for the sake of testing to ensure that its detection and removal capabilities are working as they should be. You'll notice for example that MBAR no longer detects PUP objects at all, unlike MBAM.
     
  20. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
  21. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,221
    I do appreciate the help both here and on the MBAM forum. I am glad it did what was requested to find the problem, which was a FP.
    I know so little that I am afraid to do anything that involves the registry.
    I did not know that the Babylon Toolbar was on my system. I recall that in the past I accidentally installed it, by not noticing the option of installing it or not. I also found it difficult to get rid of, and evidently I did not.

    Thanks all,
    Jerry
     
  22. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    Regarding MBAM, I think those detections are OK because they will help revert malicious changes made by malware.

    That will be true in most cases, because most people don't manually disable the Security Center or the firewall (without having another in place). In less numerous cases, when the changes are intentional, it's more likely that the user who has the knowledge to make them is also able to interpret the detection (for instance, if someone manually disables the Security Center for some reason and sees the detection "PUM.Disabled.SecurityCenter", it's not hard to guess what the detection is about). If those detections were simply turned off, the majority of users would be unprotected. Anyway, IMO, there should be some more info and not simply a "PUM" (maybe a balloon with info when hovering the mouse?).
     
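As an added illustration of the PUM logic described in posts 12 and 22 (a scanner that does not know whether the user or malware changed a setting, reports the deviation from the default, and stays quiet about anything on the ignore list), here is example code written for this page; it is not Malwarebytes' code. It parses a constructed .reg export, compares a handful of security-relevant DWORD values against assumed defaults, labels each deviation with a hypothetical PUM.* name modelled on the naming in the thread, and drops entries the user has chosen to ignore. The registry paths, the default values and the label names are assumptions for illustration and should be checked against your own baseline before use.

```python
"""PUM-style check: flag security-relevant registry values that differ from
their expected defaults, honouring a user ignore list. Example code for this
page, not Malwarebytes' implementation."""
import re

# Expected defaults are ASSUMED for illustration (Windows 7-era locations).
# Labels mimic the PUM.* style mentioned in the thread; they are hypothetical.
# (key path, value name) -> (expected DWORD, label)
EXPECTED_DEFAULTS = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "AntiVirusDisableNotify"):
        (0, "PUM.Disabled.SecurityCenter"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "FirewallDisableNotify"):
        (0, "PUM.Disabled.SecurityCenter"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
     r"\FirewallPolicy\StandardProfile", "EnableFirewall"):
        (1, "PUM.Disabled.Firewall"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools"):
        (0, "PUM.Hijack.Regedit"),
}


def _norm(key, name):
    # Registry key and value names are case-insensitive; compare lowercased.
    return (key.lower(), name.lower())


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers and
    "name"=dword:XXXXXXXX lines. Returns {(key, name): int}."""
    values = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$', line)
        if m and current is not None:
            values[_norm(current, m.group(1))] = int(m.group(2), 16)
    return values


def find_pum(values, ignore=()):
    """Report every tracked setting whose value differs from the expected
    default, unless it is on the ignore list. A missing value is treated as
    default. The check cannot tell who made the change; it only reports it."""
    ignored = {_norm(k, n) for k, n in ignore}
    findings = []
    for (key, name), (expected, label) in EXPECTED_DEFAULTS.items():
        actual = values.get(_norm(key, name))
        if actual is None or actual == expected or _norm(key, name) in ignored:
            continue
        findings.append({"label": label, "key": key, "value": name,
                         "expected": expected, "actual": actual})
    return findings


# Constructed sample export (not from a real machine): AV notifications are
# disabled and the Standard Profile firewall is off; regedit is not locked.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
"""

FIREWALL_ENTRY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                  r"\Parameters\FirewallPolicy\StandardProfile", "EnableFirewall")

if __name__ == "__main__":
    vals = parse_reg_export(SAMPLE_REG_EXPORT)
    for f in find_pum(vals):
        print(f"{f['label']}: {f['key']}\\{f['value']} = {f['actual']} "
              f"(expected {f['expected']})")
    # An intentional change goes on the ignore list and is no longer reported.
    print(len(find_pum(vals, ignore=[FIREWALL_ENTRY])),
          "finding(s) after ignoring the firewall entry")
```

Run against the constructed export it reports two deviations (Security Center notification disabled, firewall off) and one after the firewall entry is ignored; a real export would come from `reg export` on the machine under review, and the defaults table is the part to replace with your own baseline.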