Weird bug in MBAM, or just missed malware?

Discussion in 'other anti-malware software' started by sbcc, May 17, 2008.

Thread Status:
Not open for further replies.
  1. sbcc

    sbcc Guest

    Hi,

    I recently posted that MBAM was IMHO far superior at removing multiple infections in real-world situations as opposed to zoo collections. Since I've been home with the flu and have too much time on my hands, I took a clean computer (XP Pro SP2) with the only resident protection (Anti-Vir) turned off and did some web surfing. I'm not a professional tester by any means. I tried to emulate the browsing behavior of some of my customers.

    I got a nifty Waterfall Screen Saver for free (180 Solutions/Mirar), then I watched some cool videos (Zango). Then I noticed my computer was slowing down so I got some programs that said they could fix it (WinAntispyware and WinFixer 2005). All were freshly downloaded and installed this afternoon. I then installed and updated MBAM Free and ran a full scan.

    screen3.JPG

    No malware found! I left 'em running, even! Here's a second scan with SAS Free, minutes later:

    screen4.JPG

    The other installed scanners all picked up on at least part of the infection. I really did not expect this at all. MBAM hasn't let me down before today. This is a recent install of XP Pro SP2 that was clean and patched when I started. I had stated that a paid version of MBAM was in my future, but I'm not quite so confident now.

    If the developers are looking in, please let me know if there is anything I can do to help you troubleshoot the problem. I did clone the partition before cleanup so the situation shown should be easily repeatable.
     
  2. jtcst

    jtcst Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    30
    They probably don't have the exact definitions for it so it can't detect the malware.
     
  3. sbcc

    sbcc Guest

    Must be. The update file is quite small. This is common malware, though. I'm really surprised MBAM missed WinFixer and WinAntiSpyware.
     
  4. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Any chance you can post your findings here.
    http://www.malwarebytes.org/forums/index.php?showforum=41
    I'd be interested in their response.
     
  5. sbcc

    sbcc Guest

  6. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    How did you get zango to install with a single component, when I install it I get nearly 100 (which we remove)?

    How did you install winfixer (a rogue I have not removed from a client machine for more than 4 years) with only 10 components?

    How did you install an obsolete version of winantispyware with only 2 components?

    Looks like yet again I will be adding rogues that are long dead just to make people happy. This will not protect people from what trojans are currently spamming.

    I will install zango and scan, how much do you want to bet there are more than 1 component?
     
  7. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    More than likely archived droppers from some time back:shifty:
    winfixer2005....bit of a giveaway;)

    That said, this is not a fair comparison between the 2 programs. So nothing should be read into the results.
     
  8. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi,

    perhaps that is exactly the disadvantage of being a newcomer in the AS/AM arena.

    Newer AS/AM apparatus seldom contains archived (old-timer) definitions?

    When these old-timers resurface, the new kid gets a bite and suddenly wakes up?
     
  9. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I just in the last week helped a friend by cleaning out their computer. It was the most infested that I had messed with. I downloaded SAS and removed over 500 Trojans, Vundos and assorted spyware. I ran Hijackthis and cleaned out more stuff. I then downloaded Malwarebytes and ran it. It found 96 additional creatures. Now I am not saying which is the best. I really don't know. At the present time I would not give up SAS. But Malwarebytes is looking pretty good. I will run them both.
     
  10. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    Have him upload the samples. ;)

    I clean a lot of infected systems, and to this day I still encounter Winfixer 200x infections. A quick search on bleepingcomputer.com lists a lot of current Winfixer related threads.

    If it was installed then SAS is only detecting a fraction of the rogue files & reg entries.

    An old infection is not necessarily a dead infection. sbcc is picking these infections up today by downloading free screensavers that are probably being downloaded by millions of other people.

    I don't doubt it one bit.
     
  11. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    While there are numerous rogues that use components of winfixer (or are close enough that string detection detects them as winfixer), the actual winfixer (as in exe called winfixer running from winfixer folder) is quite dead. There is one called winIfixer that is current though.

    I can't seem to find a live URL for the old winfixer, will look a bit more.

    If someone wants to know what the winfixer clowns are up to they should check out their 2008 software

    http://winantispyware2008.com/

    This is so new that it does not even have a live download yet. Once it does MBAM will pounce on it as I am sure SAS will do as well.
     
  12. sbcc

    sbcc Guest

    nosirrah wrote: How did you get zango to install with a single component, when I install it I get nearly 100 (which we remove)?

    How did you install winfixer (a rogue I have not removed from a client machine for more than 4 years) with only 10 components?

    How did you install an obsolete version of winantispyware with only 2 components?


    I got all of these infections from their parent websites except WinFixer 2005 which is hosted on Simtel. I found it by Googling. I spent maybe 20 minutes total. I remove WinFixer a few times a year. New customers who either had it floating around or got it the same way I did yesterday.

    I installed all of them using the downloaded installers. It wasn't meant as a test between MBAM and SAS. Actually, Avira and Cure-It respectively found many more components than SAS. Whatever. I see EliteKiller answered this already.

    nosirrah wrote: Looks like yet again I will be adding rogues that are long dead just to make people happy. This will not protect people from what trojans are currently spamming.


    Don't bother. A couple of defs won't make me happy. You see, people aren't picking up rogues only through spam in my customer base. More often it's a teenager trying to fix whatever he/she broke before their parents get mad. Hence the test. A kid doesn't care that it is the 2005 version. It says it is free and it claims to fix it. That's why I keep running into these programs.

    I didn't realize the scope of MBAM was meant to be limited. I now understand that it has some usefulness, but only against "current" infections. Regardless of how you slice it though, stuff downloaded yesterday is still current and I will have to remove them from other infected computers.

    nosirrah wrote: I will install zango and scan, how much do you want to bet there are more than 1 component?

    Again, my friend, feel free. I later installed Spybot S&D and found more components for each. You are basing your assumptions on two screen shots. If I had run Cure-It next you would have seen different results. I got the answer to my question. Indirectly. For me, MBAM has a useful function but not what I intended it to do.
     
    Last edited by a moderator: May 18, 2008
  13. sbcc

    sbcc Guest

  14. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    MBAM is designed to remove/prevent current malware that users get infected with today. It has only existed in a form you could buy since early 2008.

    I could add detection for millions of infections that users can't get in the real world and then show a screen shot of us detecting them, but that is not how we do things.

    I see no URLs that would allow anyone to confirm your finding BTW.

    OK, let me ask more direct questions, please answer directly.

    You show SAS detecting 1 component of zango, why? Did you download their adware installer and install it?

    Did you do a cleanup first?

    Why are the SAS results not expanded so we can see what was detected?

    What is that exactly?

    If it's remove everything that was ever malicious, give up the search, that does not exist.

    If it's remove/block what will attack your computer today then it will do a good job.

    Let me ask a favor of you, please install the full zango, remove none of it and then scan and remove with both SAS and MBAM. I am willing to bet that neither will leave anything that has the ability to execute. There may be a trace or two but nothing that is actually malicious.

    Next go and get the current new rogues, directly installing:

    http://xpsecuritycenter.com/
    http://advancedxpdefender.com/

    Test us both again, again I bet we both wipe them out.
     
  15. sbcc

    sbcc Guest

    NOT A COMPETITION BETWEEN YOU AND SAS.

    Let that part go, please. I JUST HAPPENED TO RUN IT NEXT. NO ULTERIOR MOTIVE.

    I should have run something else next instead of SAS. If I had any idea of the reaction I would have. I didn't expand it because I wasn't worried about it. I was concerned that MBAM did not find the malware.

    I have used MBAM to clean very recent infections. It did a great job. You are focusing on this as some sort of "us vs. them" issue. It isn't.

    Yes, I directly downloaded Zango. I surfed their site and agreed to the prompts to install their viewer. You chose to make it personal.

    Sorry, can't duplicate the exact URLs. I did run CCleaner prior to the scans, to reduce scanning time. Maybe that affected the results? Are there temp files that MBAM needs to see to detect the malware? If so, I better change how I use it. My browsers are set to clear the cache and history anyway. For the umpteenth time, it was not intended to be a professional test. I got unexpected results and posted them.

    I had intended to install MBAM on infected computers to clean them up. I see that I cannot use it as a broad spectrum cleanup tool. For certain infections it appears to be without equal, such as Vundo layered with other rogues and malware, and on the first pass. Nothing else that I am aware of can do that. You deserve the praise you get. I still intend to use MBAM regularly in that role. I see now that it is useful only for the most current malware.

    Based on the statements you made in your own forum, why would I now be inclined to do you a favor? You seem to be intent on exposing me as a shill or saboteur. Why would you believe anything I post? I have learned a valuable lesson, and will not post informal test results again. I will run your proposed tests when convenient, but for my edification only.

    Apologies to everyone involved for the waste of time.
     
  16. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    No need to apologise to anyone. The response to your innocent question has been quite revealing.
     
  17. Jadda

    Jadda Registered Member

    Joined:
    Jun 5, 2007
    Posts:
    422
    nosirrah: Are you really getting offended by this or what? A fraud? MBAM is not perfect. No program is perfect, but it sounds like you think that MBAM can take any malware. And you also say you can get all these infections in an update, without any problem - OK, do that then. What's the problem? A lot of people get infected by these malware - not necessary to implement them, because they are old? Yeah right ...

    ALSO; if you can't take it that people like SAS over MBAM, then you have nothing to do in this business. Grow up. At least act like a professional.
     
  18. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Just read the response at Malwarebytes forum to your question. Quite amazed at the overreaction to what seems on the face of it a perfectly reasonable question from a fellow member.

    Previous posts from the OP have been positive with respect to MBAM. In fact many posts on this forum have been positive. I can't see the justification for this.
     
  19. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    Man this is not going where I wanted it to go.

    Look, I work my butt off making MBAM do very well against current malware and yes it does get under my skin when there is (at more than one forum) what looks like info that we do not remove something as easy to remove as Zango and some very old rogues.

    The test results do not match at all what you would get if you actually installed these pests, both in terms of what we detect and for that matter what SAS would detect.

    I think I made it clear that both SAS and MBAM completely own zango and current rogues.

    I only asked why there were odd test results and if the OP could retest to see what they could find.

    To the best of my knowledge both MBAM and SAS take zango and all current rogues to school.
     
  20. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    If I was a little too aggressive in the defence of MBAM then I am sorry, she is my baby.

    I work way too many hours not to stand up when I see something that makes us look bad and from what I can see seems fishy.
     
  21. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, I can sense that. But

    You need to nurture your baby properly. Over feeding, expecting him/her to grow one foot a month, is virtually impossible,

    moreover, you and your baby are newcomers in this arena. I have not witnessed any single one and his/her baby evolve into a big figure overnight or in a very short time. You will not be an exception to this rule of dumbness (not thumb).

    Slow cooking often brings about a better tasting meal. 15 second deep frying french fries always tastes as such, lasting only one minute, nothing more.

    Confrontation with your potential clients is a big no no. Giving them your full ears will help you in the long way. After all, you are in the business to assist people and meantime to earn a decent living.

    Keep up your excellent work and maintain a good relationship with all(friends and foes). Just my toonie sense.
     
  22. Cloudcroft

    Cloudcroft Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    433
    Location:
    The Hill Country of Texas
    Good advice!
     
  23. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    I remember that a few years ago SAS as a newcomer here on Wilders was almost beaten to death, to a degree that I felt sorry for Nick!

    As you can see now where SAS stands, it emerged victorious against all odds. ;)
     
  24. sbcc

    sbcc Guest

    OK, had a little time and rolled back the partition.

    Updated defs, scanned again, no detection.

    After uninstalling BD 10 Free and using Revo to uninstall MBAM free, I reinstalled a fresh copy. Log:

    ~Log converted to attachment. - Ron~

    236 detections, log prior to cleaning obviously. This was the result I expected initially. Apparently my install was corrupt in some way, or there is a compatibility issue with BD 10. Neither MBAM nor BD10 showed any error messages. Don't know, not going further with it.

    It would have been preferable to receive some guidance rather than accusations. It seemed fishy to me, too. I never saw MBAM miss all the malware. That's why I posted in the first place.
     


    Last edited by a moderator: May 19, 2008
  25. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    Now that looks a lot more like what I see on my end and is what SAS will show as well.

    Sorry if I was quick to assume that there was some kind of funny business.
     