RollBack RX and Malwarebytes AntiMalware

Discussion in 'backup, imaging & disk mgmt' started by manolito, May 29, 2015.

  1. manolito

    manolito Registered Member

    Joined:
    Apr 23, 2013
    Posts:
    341
    There is a strange interaction between Rollback RX and MalwareBytes AntiMalware.

    If Rootkit Detection is enabled under MBAM, most system drivers which have been installed or updated while Rollback was active will be detected as rootkits. This mostly happens after a Windows update, but just now even MBAM's own system driver was flagged as an unknown rootkit after a version update.

    This is a false alarm. You can safely exclude such drivers from future scans. If you are paranoid, just reset the Rollback baseline to the current state and run MBAM again.

    It looks like MBAM has a method to defeat the Rollback preboot driver which makes the files which are not part of the physical NTFS file system transparent for Windows. I found something about it in the MBAM forum where a company techie said something to the effect that these drivers were "faked" by Rollback. Not sure if I understand what he was saying...


    Cheers
    manolito
     
  2. appster

    appster Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    530
    Location:
    Paradise (Hawaii)
    That's right. Very same issue with Hitman Pro.
     
  3. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,566
    It would be a false alarm if Rollback RX wasn't a rootkit/bootkit.
    That it is intentionally installed by RBRX users is another thing, and yes, it should be excluded from the scans.

    Panagiotis
     
  4. Kurtis Smejkal

    Kurtis Smejkal Registered Member

    Joined:
    Mar 17, 2015
    Posts:
    253
    Location:
    Vancouver, BC
    Greetings,

    This is indeed a false alarm. There are things our software does (MBR/GPT partition modification, disabling automatic Windows Update installation) that cause these false alarms.

    It's nothing malicious, but of course, it will show up as a red flag. If this is an issue for you, I'd recommend disabling the rootkit scan for Malwarebytes. You can also add RollBack Rx to the exemptions list for this software. Aside from that, there aren't any other known workarounds (waits for Froggie to prove me wrong).

    Cheers,
     
  5. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,131
    This issue was mentioned in Froggie's "Rollback RX™ - The “unOfishul” FAQ" (waits for HDS to address and fix these known issues).
     
  6. manolito

    manolito Registered Member

    Joined:
    Apr 23, 2013
    Posts:
    341
    Looks like you misunderstood me...

    I am not talking about Malwarebytes flagging Rollback drivers or files. I am talking about genuine Microsoft Windows drivers in the System32\Drivers folder. If these drivers have been copied there by a Windows update under the control of Rollback, they will not be part of the "real" file system (aka the baseline). Instead they are located in the Rollback Protected Area. The Rollback pre-boot driver makes this transparent to the OS so these drivers work flawlessly.

    Somehow Malwarebytes can detect that these drivers are not part of the "real" file system and flags them as "unknown Rootkits". Move these driver files into the "real" file system by uninstalling Rollback or resetting the baseline to the current state, and Malwarebytes will no longer have a problem with these drivers.


    Cheers
    manolito
     
  7. TheRollbackFrog

    TheRollbackFrog Registered Member

    Joined:
    Mar 1, 2011
    Posts:
    3,052
    Location:
    The Pond - USA
    Due to a question over on the RBrx Forums, it's probably worth a mention over here.

    One of the most common obfuscations put in place by a RootKit is a file entry with a FileSystem path that looks kinda normal, but underneath that entry, the RootKit does not follow what appears to be its path. In the process of chasing these down, a good RootKit scanner will check the FileSystem path, then use the Windows API for disk surface reading and see if that FileSystem path is real as far as the item being checked.

    If you haven't already figured it out, the FileSystem path, by design, is obfuscated by Rollback due to its Redirect-on-Write technology... it tells users of the FileSystem that pieces of the object are in one place, but if the item (or its parts) has ever been changed, it's really located somewhere else on the disk. Now the RootKit scanner takes the FileSystem information, and uses the Direct Disk read API to see if the item is really there. Since that API is not obfuscated by Rollback (I use it all the time to look at direct blocks on the surface of the disk), the RootKit scanner sees a disconnect in the item being checked and immediately flags it as a RootKit.

    There's really no way to solve this problem unless HDS was to rewrite the Direct Disk API and obfuscate it the same way it does the FileSystem... I do not think they are capable of doing this. You either need to turn off your RootKit scanning in MalwareBytes, or give up your snapshots following a Windows update either with an uninstall/install at the current snapshot, or with a Rollback Baseline Update... both cases you need to be willing to give up your snapshots.
     
    Last edited: Dec 20, 2015
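An added example, not code from the original post and not Rollback RX's or Malwarebytes' own implementation: a toy model of the cross-view check Froggie describes. Assumed for the model: a block device as a list of fixed-size blocks, a redirect map from baseline LBA to protected-area LBA, and a constructed file table naming which blocks each driver occupies. The scanner reads each file's extents once through the filesystem view (which resolves the map, as the pre-boot driver does) and once through the raw view (which does not) and flags any file where the two disagree. Running the same scan after the modelled baseline reset comes back clean, which is the workaround the thread arrives at.

```python
"""Toy cross-view check (added example; not Rollback RX's on-disk format and
not Malwarebytes' scanner code). A redirect-on-write layer answers filesystem
reads through a redirect map, a direct disk read ignores the map, and a
scanner flags files whose two views disagree."""

BLOCK_SIZE = 8  # bytes per block; tiny so the sample fits on screen


class RedirectOnWriteDisk:
    """Baseline blocks live in [0, n_blocks); the protected area is [n_blocks, end)."""

    def __init__(self, n_blocks, protected_blocks):
        self.blocks = [bytes(BLOCK_SIZE)] * (n_blocks + protected_blocks)
        self.n_blocks = n_blocks
        self.next_free = n_blocks   # next unused block in the protected area
        self.redirect = {}          # original LBA -> LBA that now holds the file's data

    # --- what a direct-disk-read API sees (no redirection) ---
    def raw_read(self, lba):
        return self.blocks[lba]

    def raw_write(self, lba, data):
        self.blocks[lba] = data.ljust(BLOCK_SIZE, b"\0")

    # --- what the OS sees through the pre-boot filter driver ---
    def fs_read(self, lba):
        return self.blocks[self.redirect.get(lba, lba)]

    def fs_write(self, lba, data):
        """Redirect-on-write: the baseline block is never overwritten in place."""
        if lba not in self.redirect:
            if self.next_free >= len(self.blocks):
                raise RuntimeError("protected area full")
            self.redirect[lba] = self.next_free
            self.next_free += 1
        self.blocks[self.redirect[lba]] = data.ljust(BLOCK_SIZE, b"\0")

    def update_baseline(self):
        """Model of a baseline reset: fold redirected blocks back into place, drop the map."""
        for orig, cur in self.redirect.items():
            self.blocks[orig] = self.blocks[cur]
        self.redirect.clear()
        self.next_free = self.n_blocks


def cross_view_scan(disk, file_table):
    """Return {file: [LBAs]} for every file whose filesystem view and raw view differ.

    A real scanner compares NTFS metadata it parses itself against what the OS
    reports; here both views are reduced to block contents for the same LBAs.
    """
    findings = {}
    for name, extents in file_table.items():
        bad = [lba for lba in extents if disk.fs_read(lba) != disk.raw_read(lba)]
        if bad:
            findings[name] = bad
    return findings


def scenario():
    """Baseline -> driver replaced by an update -> baseline reset; returns the three scans."""
    disk = RedirectOnWriteDisk(n_blocks=16, protected_blocks=8)
    # Constructed file table (assumption): driver name -> blocks it occupies.
    table = {"ntfs.sys": [2, 3], "mbam.sys": [5]}
    for lba, data in ((2, b"ntfs-v1-"), (3, b"ntfs-v1-"), (5, b"mbam-v1-")):
        disk.raw_write(lba, data)            # content present when the snapshot was taken
    clean = cross_view_scan(disk, table)     # both views agree -> {}

    disk.fs_write(2, b"ntfs-v2-")            # "Windows Update" rewrites the driver's first block
    updated = cross_view_scan(disk, table)   # {'ntfs.sys': [2]} -> what gets called an "unknown rootkit"

    disk.update_baseline()                   # the workaround from the thread
    reset = cross_view_scan(disk, table)     # {} again
    return clean, updated, reset


if __name__ == "__main__":
    for label, result in zip(("baseline", "after update", "after baseline reset"), scenario()):
        print(f"{label}: {result or 'no mismatch'}")
```

The model makes one point concrete: the disagreement is not in the driver file's bytes (the filesystem view is correct and the driver runs fine) but in where those bytes sit relative to what the baseline metadata says, so any scanner that cross-checks the two views will keep firing until the redirected blocks are folded back.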
  8. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,198
    Location:
    in a remote land :)
    I don't get those alerts at all, either in HMP or MBAM.
     
  9. manolito

    manolito Registered Member

    Joined:
    Apr 23, 2013
    Posts:
    341
    With MBAM you will only get these alerts if the option "Check for Rootkits" is enabled. The option is disabled by default.

    Cheers
    manolito
     
  10. Magic_The

    Magic_The Registered Member

    Joined:
    Jun 24, 2015
    Posts:
    31
    I got something from MBAM and Emsisoft Emergency Kit: riskware in the registry in Windows:

    MBAM log:


    Registry Keys Detected: 2
    HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\USERACCOUNTCONTROLSETTINGS.EXE (RiskWare.IFEOHijack) -> No action taken. [e8ada493abeeb185e2bc7c82d2314cb4]
    HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\USERACCOUNTCONTROLSETTINGS.EXE (RiskWare.IFEOHijack) -> No action taken. [b7de97a0b0e976c04a54a35b21e254ac]

    Registry Values Detected: 2
    HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\USERACCOUNTCONTROLSETTINGS.EXE|debugger (RiskWare.IFEOHijack) -> Data: svchost.exe -> No action taken. [e8ada493abeeb185e2bc7c82d2314cb4]
    HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\USERACCOUNTCONTROLSETTINGS.EXE|debugger (RiskWare.IFEOHijack) -> Data: svchost.exe -> No action taken. [b7de97a0b0e976c04a54a35b21e254ac]
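The two RiskWare.IFEOHijack hits in the log above are a different mechanism from the Rollback cross-view false positive. A Debugger value under an Image File Execution Options key makes Windows start that program whenever the named executable is launched, passing the original command line to it; with svchost.exe registered as the "debugger", UserAccountControlSettings.exe never actually runs. The following is an added example, not from the poster or from Malwarebytes: it parses a constructed `reg export`-style dump and lists every IFEO Debugger entry, treating a small assumed list of real debuggers as expected and anything else as suspicious. The sample registry text and the known-debugger list are both assumptions for the example.

```python
"""List IFEO Debugger entries from a .reg export (added example, constructed data)."""
import ntpath
import re

# Constructed sample export (assumption; not the poster's registry). The two
# UAC entries mirror the log above; the notepad entry is what a developer's
# just-in-time debugger setup looks like in the same key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files (x86)\\Microsoft Visual Studio\\Common7\\IDE\\vsjitdebugger.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"DisableExceptionChainValidation"=dword:00000000
"""

IFEO_MARKER = "\\image file execution options\\"   # matched case-insensitively
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')       # only REG_SZ lines; Debugger is REG_SZ

# Assumed allowlist of genuine debuggers; anything else under IFEO gets flagged.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "cdb.exe", "ntsd.exe"}


def unescape_reg_string(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r"\\(.)", r"\1", s)


def debugger_image(value):
    """Return the executable part of a Debugger value, dropping any arguments."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def find_ifeo_debuggers(reg_text, known_good=KNOWN_DEBUGGERS):
    """Return [(hijacked_exe, debugger_image, verdict)] for every IFEO Debugger value."""
    findings = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if current_key is None or IFEO_MARKER not in current_key.lower():
            continue
        m = VALUE_RE.match(line)
        if not m or m.group(1).lower() != "debugger":
            continue
        target = current_key.rsplit("\\", 1)[-1]
        image = debugger_image(unescape_reg_string(m.group(2)))
        verdict = "expected" if ntpath.basename(image).lower() in known_good else "suspicious"
        findings.append((target, image, verdict))
    return findings


if __name__ == "__main__":
    for target, image, verdict in find_ifeo_debuggers(SAMPLE_REG):
        print(f"{verdict:10} {target} -> {image}")
```

The same logic runs over a live machine by feeding it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (and the WOW6432Node key on 64-bit Windows); the allowlist is deliberately short, and a legitimate debugger path pointing somewhere odd still deserves a look.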
     