malwarebytes free and uac

Discussion in 'other anti-malware software' started by cyro44, Feb 4, 2017.

  1. cyro44

    cyro44 Registered Member

    Joined:
    Feb 4, 2017
    Posts:
    22
    Location:
    next door
    Deleted and reinstalled Malwarebytes 3.06 last night, and I noticed after reinstallation that when I open the program, UAC (using Windows 10) doesn't pop up anymore. I could almost swear it did before. The program just opens on double-click, unless I run it as admin, in which case it does pop up. Can someone running Windows 10 and the Malwarebytes free version verify that UAC doesn't pop up when opening the program normally? I am almost sure it did before.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    On Win 8.1, UAC always popped up with MBAM v2, but this was probably a bug, because security tools shouldn't trigger UAC alerts. So it's actually a good thing.
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I've tested it in a VM and I also don't get a UAC prompt (I've got it set on max). It seems that elevated actions are performed by its service. OTOH, the service is stopped when MBAM is not running, so I still don't know how the program can start a service without admin credentials.
    Though when I close MBAM I do get a UAC prompt.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    Verify using Process Explorer what integrity level MBAM is running at. If you're running as a limited admin and MBAM is running at medium integrity level, you will not receive a UAC alert since no privilege escalation is required.
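    An added example (not from the thread or from Malwarebytes) that performs the check described in this post from PowerShell instead of Process Explorer: it reads the mandatory integrity label of each matching process's token via P/Invoke and maps the label RID to its name. It assumes PowerShell 5.1 or later on Windows 10; the process-name pattern `mbam*` at the end is only an illustration based on the names mentioned in the thread.

```powershell
# Added example: query the integrity level of running processes.
Add-Type -TypeDefinition @"
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
public static class TokenIl {
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int needed);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);

    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int  TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS::TokenIntegrityLevel

    // Returns the RID of the token's integrity SID (S-1-16-<RID>), e.g. 0x2000 for Medium.
    public static uint GetRid(int pid) {
        IntPtr proc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (proc == IntPtr.Zero) throw new Win32Exception(Marshal.GetLastWin32Error());
        IntPtr token = IntPtr.Zero, buf = IntPtr.Zero;
        try {
            if (!OpenProcessToken(proc, TOKEN_QUERY, out token))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            int len;
            GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out len); // size probe
            buf = Marshal.AllocHGlobal(len);
            if (!GetTokenInformation(token, TokenIntegrityLevel, buf, len, out len))
                throw new Win32Exception(Marshal.GetLastWin32Error());
            // TOKEN_MANDATORY_LABEL begins with a PSID; its last sub-authority is the level.
            IntPtr sid = Marshal.ReadIntPtr(buf);
            int count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
            return (uint)Marshal.ReadInt32(GetSidSubAuthority(sid, count - 1));
        } finally {
            if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf);
            if (token != IntPtr.Zero) CloseHandle(token);
            CloseHandle(proc);
        }
    }
}
"@

function Get-ProcessIntegrity {
    param([Parameter(Mandatory)][string]$Name)   # process name, wildcards allowed
    $levels = @{ 0x0000 = 'Untrusted'; 0x1000 = 'Low'; 0x2000 = 'Medium'; 0x2100 = 'Medium Plus'
                 0x3000 = 'High'; 0x4000 = 'System'; 0x5000 = 'Protected Process' }
    foreach ($p in Get-Process -Name $Name -ErrorAction Stop) {
        try {
            $rid   = [TokenIl]::GetRid($p.Id)
            $label = if ($levels.ContainsKey([int]$rid)) { $levels[[int]$rid] } else { '0x{0:X}' -f $rid }
        } catch {
            # A medium-integrity shell cannot open the token of a higher-integrity process
            # (e.g. a service running as SYSTEM); rerun elevated to see those.
            $label = 'n/a (' + $_.Exception.GetBaseException().Message + ')'
        }
        [pscustomobject]@{ Name = $p.ProcessName; PID = $p.Id; Integrity = $label }
    }
}

# Illustrative call (assumed process-name pattern): list the GUI, tray and service processes.
Get-ProcessIntegrity -Name mbam*
```

    If the GUI shows `Medium` while the service shows `n/a (Access is denied)` from a non-elevated shell, that is the expected split: a medium-integrity process does not need elevation to run, and only an elevated shell can inspect the SYSTEM token.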
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Well, there are three components (processes) running with the application running in free mode. The GUI runs at medium integrity level, so it doesn't need UAC approval.
    When the application is launched, the Malwarebytes service is started (System integrity level), which also launches mbamtray.exe (medium integrity level).
    To me the only "mystery" is how the MBAM service is started with no UAC prompt. The service has the Manual startup type and runs only when the application is launched. There is no scheduled task to suppress the UAC prompt. If I try to run the service manually I need admin rights.
    There is also the MBAMSwissArmy driver loaded, but I don't know if drivers can launch services...
    When the app is closed, mbamtray tries to shut down the service; that's why I get the UAC prompt.
     
  6. guest

    guest Guest

    Some services can be switched from "Manual" to "Running" without admin rights, but for stopping services admin rights are always needed.

    It can also depend what manual startup type the services has:
    "Manual" or "Manual (trigger start)"
    If the service has the startup type of "Manual (trigger start)" the service can be started via a "trigger". Launching of an application can lead to the starting of a service or similar triggers, so admin rights might not be needed for starting these services.
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    MBAM service has Manual startup type, without trigger start.

    upload_2017-2-6_6-24-14.png
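    An added example (not from the thread or from Malwarebytes) that checks, for a named service, the two things the last few posts go back and forth on (the start type and whether a trigger is configured) plus one thing the thread does not look at: the service's own DACL, which is what actually decides whether a non-elevated caller may start or stop it. It assumes PowerShell 5.1 or later on Windows 10; `MBAMService` is used only as the illustrative service name from the thread, and nothing here asserts what that service's DACL contains.

```powershell
# Added example: can a Manual service be started (or stopped) without elevation?
function Get-ServiceStartability {
    param([Parameter(Mandatory)][string]$Name)

    $svc = Get-Service -Name $Name -ErrorAction Stop
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $reg = Get-ItemProperty -Path $key -ErrorAction Stop

    # "Manual (trigger start)" is a Manual service with a TriggerInfo subkey;
    # Get-Service reports both as Manual, so check the key directly.
    $hasTriggers = Test-Path -Path "$key\TriggerInfo"

    # The service security descriptor: SERVICE_START = 0x0010 (SDDL 'RP'),
    # SERVICE_STOP = 0x0020 (SDDL 'WP'). Call sc.exe with its extension, because
    # 'sc' inside PowerShell is an alias for Set-Content.
    $SERVICE_START = 0x10; $SERVICE_STOP = 0x20
    $sddl = (& sc.exe sdshow $Name) | Where-Object { $_ -match '^[DOGS]:' } | Select-Object -First 1
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

    $aces = foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        [pscustomobject]@{
            Principal = $who
            Type      = $ace.AceType
            CanStart  = (($ace.AccessMask -band $SERVICE_START) -ne 0)
            CanStop   = (($ace.AccessMask -band $SERVICE_STOP)  -ne 0)
        }
    }

    [pscustomobject]@{
        Service      = $svc.Name
        Status       = $svc.Status
        StartType    = $svc.StartType
        TriggerStart = $hasTriggers
        ImagePath    = $reg.ImagePath
        Acl          = $aces
    }
}

# Illustrative call (assumed service name from the thread).
$r = Get-ServiceStartability -Name MBAMService
$r | Format-List Service, Status, StartType, TriggerStart, ImagePath
$r.Acl | Format-Table -AutoSize
```

    How to read the output: a Manual service with no trigger that a medium-integrity GUI can start without a prompt is explained if an `AccessAllowed` ACE for a group the logged-on user holds (BUILTIN\Users, INTERACTIVE, Authenticated Users, and so on) shows `CanStart = True`; a UAC prompt only on shutdown is consistent with `CanStop = False` for those same groups. The SCM's default DACL for a newly registered service gives INTERACTIVE only query rights, so an installer has to widen it deliberately (for example with `sc.exe sdset`) to get this behaviour, which is also why it is worth auditing.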
     
  8. guest

    guest Guest

    i know someone that would be happy about it :D
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Check post #2 :)
     
  11. guest

    guest Guest

    Ok, no trigger start available and for starting of the service admin credentials are needed... but "GUI runs at medium integrity level / MBAM service is started with no UAC prompt"
    It still remains a mystery.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    I believe this might be the answer. Note the underlined portion:

    Starting with Windows 7, certain executables auto-elevate (no UAC prompt under the default setting). They pretty much have some common characteristics, such as being digitally signed, are located in %System32% and/or are instanced from a trusted Windows executable.

    Svchost.exe is a trusted Windows executable.
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Yes, this might be the case, but the MBAM service executable is not located in %System32% (it's in the Program Files folder) and is also not run by svchost.exe: its executable is run as a service and it doesn't use Windows' service host.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    I misspoke, mbamservice.exe is probably running just like Eset's service is in the below screenshot. It's running under services.exe, which is a trusted Windows system process.

    It doesn't matter where the actual physical location of the .exe is, as long as it is installed initially as a service in the registry. That's the reason why malware loves to do the same.

    Services.png
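    An added example (not from the thread) following up on the remark above that a service binary can live anywhere as long as it is registered with the SCM, and that malware uses this for persistence: it inventories every registered service, extracts the executable from the (possibly quoted, possibly argument-bearing) image path, flags binaries outside %SystemRoot%, and reports the Authenticode status and signer so that an unsigned or oddly located service stands out. It assumes PowerShell 5.1 or later on Windows 10; no real service names are assumed.

```powershell
# Added example: inventory service binaries by location and code-signing status.
function Get-ServiceBinaryInventory {
    param([switch]$OutsideWindowsOnly)   # only report binaries outside %SystemRoot%
    $root = [regex]::Escape($env:SystemRoot)

    foreach ($s in Get-CimInstance -ClassName Win32_Service) {
        $path = $s.PathName
        if (-not $path) { continue }   # kernel drivers and some stubs carry no path

        # Recover the executable: a quoted path, an unquoted path ending in .exe
        # (spaces allowed, which is the "unquoted service path" case), or the
        # text before the first " -"/" /" argument as a last resort.
        $exe = if ($path -match '^"([^"]+)"')        { $Matches[1] }
               elseif ($path -match '^(.+?\.exe)\b') { $Matches[1] }
               else { ($path -split '\s+-|\s+/')[0].Trim() }

        $inWindows = $exe -match "^$root"
        if ($OutsideWindowsOnly -and $inWindows) { continue }

        $sig = if (Test-Path -LiteralPath $exe) { Get-AuthenticodeSignature -LiteralPath $exe } else { $null }

        [pscustomobject]@{
            Name          = $s.Name
            StartMode     = $s.StartMode
            State         = $s.State
            Account       = $s.StartName
            Exe           = $exe
            InSystemRoot  = $inWindows
            SvchostHosted = ($exe -match '\\svchost\.exe$')
            UnquotedSpace = (($path -notmatch '^"') -and ($exe -match '\s'))
            SigStatus     = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer        = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        }
    }
}

# Illustrative call: everything outside %SystemRoot%, worst signing status first.
Get-ServiceBinaryInventory -OutsideWindowsOnly |
    Sort-Object SigStatus, Signer |
    Format-Table Name, State, Account, SigStatus, UnquotedSpace, Exe -AutoSize
```

    Legitimate third-party services (a security product's service, for instance) will appear here too, so the list is a triage aid rather than a verdict: what merits a closer look is `SigStatus` other than `Valid`, a signer you do not recognise, a binary under a user-writable directory, or `UnquotedSpace = True`, which is a well-known path-hijack condition in its own right.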
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Yes, you're right. I checked with Process Monitor and it is indeed run by services.exe. Its file is also accessed by svchost.exe and csrss.exe, but the process is created by services.exe.
    Will try to find installer for older version and see if anything changed in latest versions.
     
  16. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Update:
    Version 2.2.1 requires admin rights when it's run.
    Versions 3.0.4, 3.0.5. and 3.0.6 don't need them.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    That's how it's supposed to work, so I assume there was something wrong with MBAM v2.
     