Malwarebytes warning

#1
I know a lot of people here like Malwarebytes.

I tried it last night for the first time and thought it worthwhile to issue a warning: Malwarebytes grossly oversteps its job and can recklessly label things malware, with potentially disastrous results.

I ran the latest version and it found 10 "threats". No explanations. No uncertainty. It just brought up the final diagnosis and said let's clean 'em up. Among the list was no malware at all. What MB did want to remove were the following:

* The disk imaging executable for BootIt. (MB called it "Backdoor.Bifrose", even though the description for a bifrose infection shares nothing in common with the file MB wanted to delete.)
* Software license in the Registry (Probably from Visual Studio 6 and certainly not a risk, but a big problem if deleted. I'd have to completely reinstall VS6.)
* The Registry entries for Windows Media Player ActiveX control.
* An entry in the Registry for LowRiskFileTypes. It's a tweak to stop IE and other browsers from interfering with downloads.
* The Registry entries I use to stop Windows from nagging me about updates, AV and Windows firewall.

Any of these items would have caused problems if removed. Some of them could have caused big headaches. I was lucky insofar as I was able to figure out exactly what these "threats" were. Most people won't be able to figure it out.

I then tried the latest Microsoft Malicious Software Removal tool. That worked fine. It found no problems.

AV and malware hunters in general have become overzealous software with limited usability. Like xenophobic email servers that block any source they don't know, this kind of software works well by being overzealous, but it only *really* works well for people who do very little with their computer and can't be bothered with security. If your PC is an email machine then there's probably no harm in letting AV or MB nuke it. They might even end up nuking something that should be nuked.

But for anyone else I think it's time to start taking all of these programs with a grain of salt -- and be very careful about letting them "clean up malware" without being very sure of exactly what they're going to clean up. I would certainly never try MB again. (I also got stuck cleaning up junk it left behind in all users app data. Not the first program with a bad uninstaller, but still inexcusable.)
#2
"Mayayana" Sun, 22 Nov 2015 15:47:26 GMT in alt.windows7.general, wrote:

> I know a lot of people here like Malwarebytes. I tried it last night for the first time and thought it worthwhile to issue a warning: Malwarebytes grossly oversteps its job and can recklessly label things malware, with potentially disastrous results.

I don't know what you mean by oversteps... Overstepping to me would be if it just went ahead and made executive decisions regarding those files' future without your input. It is subject to a false positive, as ANY other AV/AM app would be.

> I ran the latest version and it found 10 "threats". No explanations. No uncertainty. It just brought up the final diagnosis and said let's clean 'em up. Among the list was no malware at all. What MB did want to remove were the following:

Some of this is an issue of wording. I've gone back and forth with them for ages over this. I'll explain in more detail...

> * The disk imaging executable for BootIt. (MB called it "Backdoor.Bifrose", even though the description for a bifrose infection shares nothing in common with the file MB wanted to delete.)

This is a false positive. If you email them a copy of the file and/or post in the forums, they can resolve this for you and anyone else who might also be affected by it.

> * Software license in the Registry (Probably from Visual Studio 6 and certainly not a risk, but a big problem if deleted. I'd have to completely reinstall VS6.)

Another possible false positive, and/or a problem with the newer registry scanning module has been found. You should report this to them so that they can look into it. They do try to correct bugs as they crop up, whenever possible.

> * The Registry entries for Windows Media Player ActiveX control.

This can be ignored in MBAM. Is it another tweak you've set yourself? If so, you can tell MB to ignore it. You didn't specify what it's 'detecting' here, so I can't tell you if it might be a bug or a non-default setting, and that's what got MB's interest.

> * An entry in the Registry for LowRiskFileTypes. It's a tweak to stop IE and other browsers from interfering with downloads.

You can have MB ignore this in the future. The reason the software is alerting on it is because it's not the default value and, for normal home users, could present a security risk. You know what you're doing, so it doesn't apply as a risk to you. Tell MB to ignore it and it won't bother you about this again. I agree, this sort of detection should be rephrased so as to properly inform the user exactly what's going on and why MB has alerted them to it.

> * The Registry entries I use to stop Windows from nagging me about updates, AV and Windows firewall.

See previous answer. The *same* applies here for the very *same* reasons.

> Any of these items would have caused problems if removed. Some of them could have caused big headaches. I was lucky insofar as I was able to figure out exactly what these "threats" were. Most people won't be able to figure it out.

Not all of the items would have caused problems as in system instability if removed, although some programs might have been affected in a negative way. You're exaggerating a bit here. The last three items would cause you unwanted nag screens and nothing more. That is why you disabled them, right?

-- 
Error: Creative signature file missing
#3
In message , Diesel writes:

> [] You can have MB ignore this in the future. The reason the software is alerting on it is because it's not the default value and for normal home users, could present a security risk. You know what you're doing, so it doesn't apply as a risk to you. Tell MB to ignore it and it won't bother you about this again. []

Hmm. So, a "normal home user" has to not change _any_ default in order to not be bugged by MB - or if he does, has to tell MB for each such change?

I can see both sides of this "argument", but must admit I'm closer to Mayayana on this one (-:!

-- 
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf
Can you open your mind without it falling out?
#4
On Sun, 22 Nov 2015 18:42:11 +0000, J. P. Gilliver (John) wrote:

> Hmm. So, a "normal home user" has to not change _any_ default in order to not be bugged by MB - or if does, has to tell MB for each such change?

I am a normal home user, I have not had to change any defaults, and I have not been bugged by Malwarebytes.

-- 
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://BrownMath.com/
http://OakRoadSystems.com/
Shikata ga nai...
#5
On Sun, 22 Nov 2015 16:43:07 -0500 "Stan Brown" wrote in article MPG.30bc00f2d87d37bd98f296@news.individual.net

> I am a normal home user, I have not had to change any defaults, and I have not been bugged by Malwarebytes.

There have been many suggestions over the years NOT to touch the Registry repair in MBAM (or anywhere else). I don't have the OP's post, but I believe he complained about registry damage. Best to avoid letting MBAM touch it.
#6
Jason wrote on 11/22/2015 5:53 PM:

> On Sun, 22 Nov 2015 16:43:07 -0500 "Stan Brown" wrote in article MPG.30bc00f2d87d37bd98f296@news.individual.net
>
>> I am a normal home user, I have not had to change any defaults, and I have not been bugged by Malwarebytes.
>
> There have been many suggestions over the years NOT to touch the Registry repair in MBAM (or anywhere else). I don't have the OP's post, but I believe he complained about registry damage. Best to avoid letting MBAM touch it.

I don't see any option in MBAM about "registry repair".
#7
On Sun, 22 Nov 2015 17:53:28 -0500, Jason wrote:

> On Sun, 22 Nov 2015 16:43:07 -0500 "Stan Brown" wrote in article MPG.30bc00f2d87d37bd98f296@news.individual.net
>
>> I am a normal home user, I have not had to change any defaults, and I have not been bugged by Malwarebytes.
>
> There have been many suggestions over the years NOT to touch the Registry repair in MBAM (or anywhere else). I don't have the OP's post, but I believe he complained about registry damage. Best to avoid letting MBAM touch it.

Malwarebytes does not perform a registry repair and doesn't create "registry damage", so I don't know what you're talking about. Unless, of course, you're just echoing the usual FUD spread by Mayayana.

-- 
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://BrownMath.com/
http://OakRoadSystems.com/
Shikata ga nai...
#8
Jason Sun, 22 Nov 2015 22:53:28 GMT in alt.windows7.general, wrote:

> On Sun, 22 Nov 2015 16:43:07 -0500 "Stan Brown" wrote in article MPG.30bc00f2d87d37bd98f296@news.individual.net
>
>> I am a normal home user, I have not had to change any defaults, and I have not been bugged by Malwarebytes.
>
> There have been many suggestions over the years NOT to touch the Registry repair in MBAM (or anywhere else). I don't have the OP's post, but I believe he complained about registry damage. Best to avoid letting MBAM touch it.

MBAM doesn't perform 'registry repair'. It can remove bad/unwanted keys and reset others to MS defaults. I don't know where you've read many suggestions over the years concerning MBAM and the registry, either. Without seeing some in context, it's hard to say how reliable the advice is and/or what it's based on.

-- 
Error: Creative signature file missing
#9
"J. P. Gilliver (John)" Sun, 22 Nov 2015 18:42:11 GMT in alt.windows7.general, wrote:

> In message , Diesel writes:
>
>> [] You can have MB ignore this in the future. The reason the software is alerting on it is because it's not the default value and for normal home users, could present a security risk. You know what you're doing, so it doesn't apply as a risk to you. Tell MB to ignore it and it won't bother you about this again. []
>
> Hmm. So, a "normal home user" has to not change _any_ default in order to not be bugged by MB - or if does, has to tell MB for each such change?

Not any default, just those which concern Windows notifications having to do with updates, firewall and AV. MBAM has no way of knowing in advance that you turned these off, OR, something you don't know about on your machine did and you wouldn't have had you known they were off.

> I can see both sides of this "argument", but must admit I'm closer to Mayayana on this one (-:!

I'm not. But, I also disclose that I'm not a typical home user, and, I worked for the company so I have a better understanding of what the software is doing and why it's doing it.

-- 
Error: Creative signature file missing
#10
> I don't know what you mean by oversteps... Overstepping to me would be if it just went ahead and make executive decisions regarding those files future without your input. It is subject to a false positive, as ANY other app AV/AM would.

By overstep I mean saying xyz.exe is known malware when the program really doesn't know. It should inform the user as best it can: "This may be suspicious". It shouldn't be tagging things like security settings in the Registry as malware. If it can't provide an informative explanation of why the setting might be risky then that item should be left out of the "threat" list.

When I first started using computers I used to run Norton System Works. It would find the usual 142 problems and I'd be delighted to get them all fixed. I felt like I had my own Special Forces attack squad. It never occurred to me that some of the "problems" might be frivolous or even problematic to fix. No doubt a lot of inexperienced people feel the same way about such programs as MB. Worse, those programs encourage trust with their tough-guy-against-evil style of presentation.

If I were an average computer user I would have told MB to fix all the problems it found. It gave no indication that my computer might survive if I didn't fix them. I might have never figured out that the resulting problems were actually caused by MB.

> This is a false positive. if you email them a copy of the file and/or post in the forums, they can resolve this for you and anyone else who might also be affected by it.

In my experience it doesn't work that way. When Avira tagged my own EXE I wrote to them. I got back a robo-email telling me to upload the problem EXE. But it wasn't a problem EXE. Avira was tagging 6 of my EXEs. And if they issued a fix for those I'd be back in the same boat next time I compiled a new version. So I wrote back to say that what was needed was to re-assess how they're tagging EXEs altogether, and that their catchall category they call "TR/Dropper.Gen" was a problem.

I would have been happy to work with them, but they never responded to that email. I've had to put notes on my own website as I find out about such problems. The same would be true for the BootIt EXE. Even if MB responds, in a few months I'll probably have a BootIt update. Depending on people to essentially run beta test software is not a way to design malware hunters.

In any case, all of that is beside the point. It's not for me that I started this thread. It's for the people who might be a bit too trusting and enthusiastic with AV/malware products.

>> * The Registry entries for Windows Media Player ActiveX control.
>
> This can be ignored in MBAM. is it another tweak you've set yourself?

A tweak? No. Windows Media Player ActiveX control is pre-installed on all Windows systems. It's a core component. The Registry key is the HKCR\CLSID COM key that allows software to find and use the control in order to play media files. Without that entry the control -- and thus some software -- would break. MB called it a "Rogue.Regsort", which a bit of research indicates may be very nasty ransomware. (MB didn't say the setting *might* be Rogue.Regsort. MB said it *is* Rogue.Regsort and marked it for removal.) So yes, I can ignore it. But most people won't know to look up that particular GUID in the Registry. Even if they did they're unlikely to understand the values they find.

> Not all of the items would have caused problems as in system instability if removed, although some programs might have been affected in a negative way. You're exaggerating a bit here. The last three items would cause you unwanted nag screens and nothing more. That is why you disabled them, right?

Yes. And another would have stopped my disk imaging software from working. Another would have prevented me using some libraries in my software, for lack of a license. Another would have broken Windows Media Player.

Worse, none of those would have been obviously caused by MB, so I likely would have spent a long time trying to figure out what was broken. How much damage does it need to do before you'd count it as a problem?

While your points make some sense *for you* personally, I think you're making excuses for a product that you feel some loyalty toward. There's really just no excuse for things like labelling a Microsoft ActiveX control Registry setting as ransomware.... Well, except maybe if it's those Win10 nagware settings.
#11
"Mayayana" Sun, 22 Nov 2015 20:51:29 GMT in alt.windows7.general, wrote:

> By overstep I mean saying xyz.exe is known malware when the program really doesn't know. It should inform the user as best it can: "This may be suspicious". It shouldn't be tagging things like security settings in the Registry as malware. If it can't provide an informative explanation of why the setting might be risky then that item should be left out of the "threat" list.

As I told you, I've long disagreed with the wording concerning some registry key settings when they're detected as non-default. The threat should be obvious. If you didn't make the changes, you might not know that your firewall is off, AV is off, etc. A normal user probably doesn't want the firewall off and have no notification that it's indeed off. Malware would prefer things this way, though.

> When I first started using computers I used to run Norton System Works. It would find the usual 142 problems and I'd be delighted to get them all fixed. I felt like I had my own Special Forces attack squad. It never occurred to me that some of the "problems" might be frivolous or even problematic to fix. No doubt a lot of inexperienced people feel the same way about such programs as MB. Worse, those programs encourage trust with their tough-guy-against-evil style of presentation.

Norton System Works 'registry' repair has borked many a machine. I finally convinced a former employer to not only stop using it himself, but stop asking/making us use it on computers in for servicing. Registry cleaners generally do not work.

> If I were an average computer user I would have told MB to fix all the problems it found. It gave no indication that my computer might survive if I didn't fix them. I might have never figured out that the resulting problems were actually caused by MB.

MBAM leaves logs and has a quarantine area. If it makes changes that cause problems, they can be reversed by restoring from quarantine. At no time, based on what you described, would MBAM have 'nuked' your entire machine had you just let it run. Some apps might not function properly as a result. You *should* have viable copies of your system registry hives. If you don't already, please create some soon. So in the event that happened, you'd have a known good registry to come back from.

>> This is a false positive. if you email them a copy of the file and/or post in the forums, they can resolve this for you and anyone else who might also be affected by it.
>
> In my experience it doesn't work that way.

I didn't ask about your experience, and, with MBAM, it does work that way. I know this because I worked for them as a malware researcher and we always encouraged users to send us suspect files. A human WOULD examine it and make the necessary changes. I'm not in the habit of giving advice that will waste your time.

> Avira tagged my own EXE I wrote to them. I got back a robo-email telling me to upload the problem EXE. But it wasn't a problem EXE. Avira was tagging 6 of my EXEs. And if they issued a fix for those I'd be back in the same boat next time I compiled a new version.

Something was either off in the way you were designing the exes, or protecting them after post compile. As they are most likely HLL written, it's also possible it was hitting on valid code that would also be present in malware; say a section of your programming language's runtime code. It might have been a simple enough fix to move the location of some of your own subroutines in the source file and recompile; as this will change the binary appearance and could have moved the code the AV was false hitting to another location, i.e. AV no longer hitting on it. I had to do this with BugHunter because it shared some common code with actual malware written years before. Moving the location of the necessary routines solved the issue.

> altogether, and that their catchall category they call "TR/Dropper.Gen" was a problem.

It sounds like you were packing your executable with a compressor/executable protection program before releasing to the public then?

> The same would be true for the BootIt EXE. Even if MB responds, in a few months I'll probably have a BootIt update. Depending on people to essentially run beta test software is not a way to design malware hunters.

Have you ever taken the time to try writing one? I have. It's not an easy thing to do and you're always having to tweak and make changes to your technology as you go. False positives will come up, because most malware these days is written in a high level language, no different than a legit program would be. This makes isolating actual malware code from code that could be found inside a legit program difficult. So yes, when a legit file accidentally gets hit, you ARE HELPING the company if you submit it for analysis to them. You're helping other users of the product avoid the issue you're having as well. It's a win-win.

> In any case, all of that is beside the point. It's not for me that I started this thread. It's for the people who might be a bit too trusting and enthusiastic with AV/malware products.

I have no problem with your thread. As long as you have no problem with my interjecting good/sound advice and explaining some of the issues you were having.

>> This can be ignored in MBAM. is it another tweak you've set yourself?
>
> A tweak? No. Windows Media Player ActiveX control is pre-installed on all Windows systems. It's a core component. The Registry key is the HKCR\CLSID COM key that allows software to find and use the control in order to play media files. Without that entry the control -- and thus some software -- would break. MB called it a "Rogue.Regsort", which a bit of research indicates may be very nasty ransomware. (MB didn't say the setting *might* be Rogue.Regsort. MB said it *is* Rogue.Regsort and marked it for removal.)

AFAIK, MBAM's language files do not have the ability to say, "this could be malware". Like I said, MBAM still has some cosmetic issues and some work should be done on better explaining detections which might not be harmful.

>> Not all of the items would have caused problems as in system instability if removed, although some programs might have been affected in a negative way. You're exaggerating a bit here. The last three items would cause you unwanted nag screens and nothing more. That is why you disabled them, right?
>
> Yes. And another would have stopped my disk imaging software from working. Another would have prevented me using some libraries in my software, for lack of a license. Another would have broken Windows Media Player. Worse, none of those would have been obviously caused by MB, so I likely would have spent a long time trying to figure out what was broken.

Your own apparent inability to effectively troubleshoot isn't the fault of MBAM. Your lack of knowledge of the software isn't the fault of MBAM either. MBAM has a quarantine system. If it makes changes that you aren't okay with, you can restore them from quarantine.

> How much damage does it need to do before you'd count it as a problem?

If it was doing damage and this wasn't a pebkac issue, I'd consider it a problem.

> While your points make some sense *for you* personally, I think you're making excuses for a product that you feel some loyalty toward.

I'm not making any excuses for the product or your own misunderstanding of what it is and how it works, either. I have no loyalty to the program. I'd say the same thing if you bitched about another program you don't actually understand well. The advice would also have been the same as the issues you experienced ARE correctable. The points I made make sense to anyone who understands what the program is doing and why it's doing it.

> There's really just no excuse for things like labelling a Microsoft ActiveX control Registry setting as ransomware.... Well, except maybe if it's those Win10 nagware settings.

I already covered this. I don't agree with some of the language MBAM uses when things that aren't actually malware are detected either. I make no excuse for it, I was on them for years concerning it.

-- 
Error: Creative signature file missing
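Diesel's two explanations in this thread (a value is flagged because it is not the default and could be a risk to a typical home user, the user can tell the tool to ignore it, and every change goes to a quarantine it can be restored from) describe the shape of a "potentially unwanted modification" check. The Python below is an added example written for this thread, not Malwarebytes code. It audits a constructed registry snapshot against expected defaults, words each finding as a non-default setting with a reason rather than a malware name, honours an ignore list, and records the old value with every fix so the change can be rolled back. Only the LowRiskFileTypes path is one the thread names; the notification values under an "Example" key are illustrative assumptions, not real keys.

```python
"""Added example for this thread, not Malwarebytes code: a toy 'potentially
unwanted modification' audit of registry settings.

The snapshot is constructed inline (nothing is read from a real registry).
Only the LowRiskFileTypes path is one named in the thread; the notification
values under an 'Example' key are illustrative assumptions."""
from dataclasses import dataclass, field

ASSOC = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"
NOTIFY = r"HKLM\SOFTWARE\Example\SecurityCenter"  # assumed, illustrative path

# (key, value name) -> (expected default, why a change matters to a typical user).
# A default of None means the value is normally absent.
DEFAULTS = {
    (ASSOC, "LowRiskFileTypes"): (
        None, "Listed extensions skip the Attachment Manager download warning; "
              "a typical home user never set this, but malware sometimes does."),
    (NOTIFY, "FirewallDisableNotify"): (
        0, "Hides the 'firewall is off' notice, so you would not learn if "
           "something else turned the firewall off."),
    (NOTIFY, "UpdatesDisableNotify"): (
        0, "Hides the 'updates are off' notice."),
}

@dataclass
class Finding:
    key: str
    name: str
    current: object
    default: object
    reason: str
    ignored: bool = False

@dataclass
class Quarantine:
    """Every fix records the previous value so it can be rolled back."""
    entries: list = field(default_factory=list)

    def restore(self, snapshot):
        for key, name, old in self.entries:
            if old is None:
                snapshot.pop((key, name), None)
            else:
                snapshot[(key, name)] = old
        self.entries.clear()
        return snapshot

def audit(snapshot, ignore_list=frozenset()):
    """Return a Finding for each monitored value that differs from its default."""
    findings = []
    for (key, name), (default, reason) in DEFAULTS.items():
        current = snapshot.get((key, name), default)  # absent counts as default
        if current != default:
            findings.append(Finding(key, name, current, default, reason,
                                    ignored=(key, name) in ignore_list))
    return findings

def describe(f):
    """Wording an audit tool should use: a setting with a reason, not a verdict."""
    status = "ignored by user" if f.ignored else "non-default setting"
    return (f"[{status}] {f.key}\\{f.name} = {f.current!r} "
            f"(default {f.default!r}): {f.reason}")

def apply_fixes(snapshot, findings, quarantine):
    """Reset every non-ignored finding to its default, saving the old value first."""
    fixed = 0
    for f in findings:
        if f.ignored:
            continue
        quarantine.entries.append((f.key, f.name, f.current))
        if f.default is None:
            snapshot.pop((f.key, f.name), None)
        else:
            snapshot[(f.key, f.name)] = f.default
        fixed += 1
    return fixed

# Constructed snapshot resembling the original poster's tweaked machine.
SAMPLE_SNAPSHOT = {
    (ASSOC, "LowRiskFileTypes"): ".exe;.zip",
    (NOTIFY, "FirewallDisableNotify"): 1,
    (NOTIFY, "UpdatesDisableNotify"): 1,
}

def demo():
    """Audit, fix what is not ignored, then roll everything back from quarantine."""
    snap = dict(SAMPLE_SNAPSHOT)
    findings = audit(snap, ignore_list={(ASSOC, "LowRiskFileTypes")})
    for f in findings:
        print(describe(f))
    q = Quarantine()
    fixed = apply_fixes(snap, findings, q)
    q.restore(snap)
    return len(findings), fixed, snap == SAMPLE_SNAPSHOT

if __name__ == "__main__":
    print(demo())
```

The ignore list is what Diesel means by "tell MB to ignore it"; the `Quarantine` record is what makes a fix reversible. The `describe` wording is the part both sides of the thread agree is missing: the user sees which value differs, what the default is and why it matters, which is enough to decide whether to restore it.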
#12
>> Avira tagged my own EXE I wrote to them. I got back a robo-email telling me to upload the problem EXE. But it wasn't a problem EXE. Avira was tagging 6 of my EXEs. And if they issued a fix for those I'd be back in the same boat next time I compiled a new version.
>
> Something was either off in the way you were designing the exes, or protecting them after post compile. As they are most likely HLL written,

I don't know what "HLL" stands for. Should I? There was nothing "off in the design" of the EXEs that I know of. The compiler has never asked for my design ideas.

It's actually a common problem, and an example of the outdated approach of AV software. There are millions of "virus signatures", which are simply byte strings considered unique. Avira found something in my EXE that apparently looked similar. (It clearly wasn't a match. In that case Avira would have said it was xyz virus and not assigned it the meaningless name of "TR/Dropper.Gen", which they use as a catchall diagnosis.)

After the Avira warning, and their non-responsiveness, I had to install Avira and test. I tried various things to change the exact byte order. What finally worked was to allow the compiler to add code to check for invalidly large integer values. Essentially I had to add unnecessary code to slow down my code. So it's fixable, yes. But it's a hassle. It's not realistic to install all the popular AV programs and run them all with each compile. And it's not something I'm willing to do with freeware.

And there's a bigger problem with this: People using my software are getting warnings. In the case I'm talking about I was fortunate that someone wrote to me and told me about it. It's possible that my software is setting off alarms in other AV products now and I won't know because no one has told me. To imply that that is somehow my fault simply doesn't make sense.

Increasingly I've been taking the approach of letting people know about bugs I'm aware of, recommending against Avira, and generally warning that my software may not always work properly if people lock down their machines.

>> altogether, and that their catchall category they call "TR/Dropper.Gen" was a problem.
>
> It sounds like you were packing your executable with a compressor/executable protection program before releasing to the public then?

No. It's just a plain EXE, VB6 code compiled with Visual Studio 6. No "design". No aspack, UPX, or other compressors. It's free software, so there are no protection tricks. Again, your reasoning that a false positive must be the fault of the software author is backward.

>> The same would be true for the BootIt EXE. Even if MB responds, in a few months I'll probably have a BootIt update. Depending on people to essentially run beta test software is not a way to design malware hunters.
>
> Have you ever taken the time to try writing one? I have. It's not an easy thing to do and you're always having to tweak and make changes to your technology as you go.

You mean with AV software? No, I haven't written any. Yes, I'm sure it takes a lot of work. And now I know why you're blaming the person who writes the software that sets off a false positive. Bugs are bugs. Avira was not even willing to talk about their bug. To say it's a tricky job writing AV software is not an excuse for a poor product.

But I don't really think it's mostly the fault of the AV companies, either. As I was saying above, the whole concept of AV virus definitions/signatures is long outdated. People are running software that scans every process started, looking for any one of millions of byte strings, and even then only works with malware that's already known. If computers didn't currently have far more power than people are using then no one would even put up with the resource drag of AV software.

> Your own apparent inability to effectively troubleshoot isn't the fault of MBAM. Your lack of knowledge of the software isn't the fault of MBAM either. MBAM has a quarantine system. If it makes changes that you aren't okay with, you can restore them from quarantine.

You're reacting defensively, making excuses for MB. I've said repeatedly that I can and do research these things, and that my post was meant only to warn people who might be too trusting. Say, for example, someone has used the IE download tweak for safe file types and allows MB to "fix" it without understanding what it is. Later, IE refuses to let them download an EXE file. It's unlikely they'll connect that to the MB changes. They'll just be confused. So the "quarantine" will be of little use.

If you read my original post you'll see that while I didn't hide my low regard for malware/AV software in general, the point of that post was just to warn people who might be too trusting. I see people here, time and again, talk about running numerous malware checkers whenever something seems off. That means a lot of people don't know how to go about diagnosing problems and turn first to malware hunters. They need to know to take those programs with a grain of salt and to research any malware warnings before letting the software make changes.
#13
Mayayana presented the following explanation:

>>> Avira tagged my own EXE I wrote to them. I got back a robo-email telling me to upload the problem EXE. But it wasn't a problem EXE. Avira was tagging 6 of my EXEs. And if they issued a fix for those I'd be back in the same boat next time I compiled a new version.
>>
>> Something was either off in the way you were designing the exes, or protecting them after post compile. As they are most likely HLL written,
>
> I don't know what "HLL" stands for. Should I?

You're using one, so no you shouldn't necessarily know what it is.

[...]
#14
"Mayayana"
Wed, 25 Nov 2015 14:26:00 GMT in alt.windows7.general, wrote:

| Avira tagged my own EXE I wrote to them. I got
| back a robo-email telling me to upload the problem
| EXE. But it wasn't a problem EXE. Avira was tagging
| 6 of my EXEs. And if they issued a fix for those I'd
| be back in the same boat next time I compiled a
| new version.
|
| Something was either off in the way you were designing the exes,
| or protecting them after post compile. As they are most likely
| HLL written,

I don't know what "HLL" stands for. Should I? There was nothing "off in the design" of the EXEs that I know of. The compiler has never asked for my design ideas. It's actually a common problem, and an example of the outdated approach of AV software. There are millions of "virus signatures", which are simply byte strings considered unique. Avira found something in my EXE that apparently looked similar. (It clearly wasn't a match. In that case Avira would have said it was xyz virus and not assigned it the meaningless name of "TR/Dropper.Gen", which they use as a catchall diagnosis.)

I suppose it doesn't matter in your case knowing what HLL is. You are doing HLL, but, if you're okay with not realizing it, it's really not my place to try and explain and wind up derailing this thread in the process. It's not a common problem per se... It's entirely possible Avira didn't hit on an actual byte-style signature but either during emulation or routine analysis thought something might be amiss, to the point of closely resembling a trojan.dropper. If you aren't protecting your executable after post compile, this problem can be mitigated in one of two ways. Send Avira a sample of your executable that's being wrongly said to contain malware, OR change the physical location of some of your subroutines in the source file and compile it; you might be very surprised by the results of doing that simple task.

So it's fixable, yes. But it's a hassle. It's not realistic to install all the popular AV programs and run them all with each compile. And it's not something I'm willing to do with freeware.

I hate to tell you this, but a responsible author of freeware/shareware/commercial software SHOULD be checking it against the popular AV/AM packages to ensure (a) the package isn't going to scare clients and give you unnecessary support calls/emails, and (b) your software can install properly AND function with this AV program also present on the same machine.

And there's a bigger problem with this: People using my software are getting warnings. In the case I'm talking about I was fortunate that someone wrote to me and told me about it. It's possible that my software is setting off alarms in other AV products now and I won't know because no one has told me. To imply that that is somehow my fault simply doesn't make sense.

It's a little worse than that, actually. Some people are wrongly going to assume that you're writing malicious software and never take the time to check into the issue and learn otherwise. They'll tell others to avoid your programs for the very same reason. Their own ignorance will be your loss (as others won't even download your program, let alone try to use it; their friend said it was bad, the AV said so) and harm to your credibility.

No. It's just a plain EXE, VB6 code compiled with Visual Studio 6. No "design". No aspack, UPX, or other compressors. It's free software, so there are no protection tricks. Again, your reasoning that a false positive must be the fault of the software author is backward.

It's not backward if you understood what was actually going on here as well as what's involved in the development of AV/AM software and associated signatures.

As I was saying above, the whole concept of AV virus definitions/signatures is long outdated. It was outdated when it began.

Luckily, other technologies have been developed since then that not only increase reliability of the scanner, but also work diligently to reduce false positives.

| Your own apparent inability to effectively troubleshoot isn't the
| fault of MBAM. Your lack of knowledge of the software isn't the
| fault of MBAM either. MBAM has a quarantine system. If it makes
| changes that you aren't okay with, you can restore them from
| quarantine.

You're reacting defensively, making excuses for MB. I've said repeatedly that I can and do research these things, and that my post was meant only to warn people who might be too trusting.

I'm not reacting at all, and I assure you, I'm the last person you'll see making excuses for MBAM or otherwise defending them.

--
Error: Creative signature file missing
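The exchange above describes virus signatures as byte strings and notes that a generic label such as "TR/Dropper.Gen" means the scanner saw something that merely resembled a signature rather than a real match. As an added example, not code from anyone in this thread, the following Python sketches a toy byte-signature scanner over constructed data to show how a short, generic pattern fires on a harmless file, and the hash-against-build-manifest check a developer can use to confirm a false positive before sending the sample to the vendor. The signature names, byte patterns, and sample "binaries" are all constructed placeholders, not real vendor definitions.

```python
"""Toy illustration of why byte-string AV signatures produce false positives,
and how a developer verifies a flagged build by hash instead of guessing.

Everything here is constructed for the example: the signature database, the
signature names (placeholders, not real vendor names) and the sample files.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # the byte string a classic signature scanner searches for


# Constructed signature database. The "generic" entry is deliberately short and
# built from bytes found in almost any compiled x86 program (a common function
# prologue: push ebp; mov ebp, esp; sub esp, imm8). That is the kind of pattern
# that matches innocent files and earns a vague "Gen" label.
SIGNATURES = [
    Signature("Example.Dropper.Gen (placeholder)", b"\x55\x8b\xec\x83\xec"),
    Signature("Example.Specific (placeholder)", b"EVIL_PAYLOAD_MARKER_v1"),
]


def scan(data: bytes, sigs=SIGNATURES) -> list[str]:
    """Return the names of every signature whose pattern occurs anywhere in data."""
    return [s.name for s in sigs if s.pattern in data]


# Constructed stand-in for a harmless compiled program: a fake header, one
# function prologue and a string table. Nothing malicious, yet the generic
# signature fires because the prologue bytes are present.
BENIGN_EXE = (
    b"MZ" + b"\x00" * 14
    + b"\x55\x8b\xec\x83\xec\x10"
    + b"Hello from my freeware\x00"
)

# Constructed stand-in for a file that really carries the specific marker.
MALICIOUS_SAMPLE = b"MZ" + b"\x00" * 14 + b"EVIL_PAYLOAD_MARKER_v1\x00"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A build manifest the author records at release time (constructed here):
# hash of each shipped binary. Comparing a flagged file against it tells the
# author whether the scanner hit the file they actually built, or a modified copy.
KNOWN_GOOD = {sha256(BENIGN_EXE): "myfreeware-1.0.exe"}


def triage(data: bytes, known_good=KNOWN_GOOD, sigs=SIGNATURES) -> str:
    """Developer-side triage of a scanner alert.

    A signature hit on a file whose hash matches the published build is a
    false positive to report to the vendor with the sample attached, not a
    file to delete. A hit on an unknown hash needs a closer look.
    """
    hits = scan(data, sigs)
    if not hits:
        return "clean"
    digest = sha256(data)
    if digest in known_good:
        return f"false-positive: matches known-good build {known_good[digest]}; hits={hits}"
    return f"suspect: hits={hits}"


if __name__ == "__main__":
    print("benign   :", triage(BENIGN_EXE))
    print("malicious:", triage(MALICIOUS_SAMPLE))
    print("empty    :", triage(b"MZ" + b"\x00" * 20))
```

The point of the manifest check is that a hash is a statement about the exact bytes, whereas a five-byte pattern is a statement about a tiny fragment; keeping the hashes of what you shipped lets you answer "is this my file?" in one line when a user reports an alert.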
#15
Malwarebytes warning
On 22/11/2015 16:47, Mayayana wrote:
I know a lot of people here like Malwarebytes. I tried it last night for the first time and thought it worthwhile to issue a warning: Malwarebytes grossly oversteps its job and can recklessly label things malware, with potentially disastrous results. I ran the latest version and it found 10 "threats". No explanations. No uncertainty. It just brought up the final diagnosis and said let's clean 'em up. Among the list was no malware at all. What MB did want to remove were the following:

* The disk imaging executable for BootIt. (MB called it "Backdoor.Bifrose", even though the description for a bifrose infection shares nothing in common with the file MB wanted to delete.)
* Software license in the Registry (Probably from Visual Studio 6 and certainly not a risk, but a big problem if deleted. I'd have to completely reinstall VS6.)
* The Registry entries for Windows Media Player ActiveX control.
* An entry in the Registry for LowRiskFileTypes. It's a tweak to stop IE and other browsers from interfering with downloads.
* The Registry entries I use to stop Windows from nagging me about updates, AV and Windows firewall.

Any of these items would have caused problems if removed. Some of them could have caused big headaches. I was lucky insofar as I was able to figure out exactly what these "threats" were. Most people won't be able to figure it out. I then tried the latest Microsoft Malicious Software Removal tool. That worked fine. It found no problems.

AV and malware hunters in general have become overzealous software with limited usability. Like xenophobic email servers that block any source they don't know, this kind of software works well by being overzealous, but it only *really* works well for people who do very little with their computer and can't be bothered with security. If your PC is an email machine then there's probably no harm in letting AV or MB nuke it. They might even end up nuking something that should be nuked. But for anyone else I think it's time to start taking all of these programs with a grain of salt -- and be very careful about letting them "clean up malware" without being very sure of exactly what they're going to clean up. I would certainly never try MB again. (I also got stuck cleaning up junk it left behind in all users app data. Not the first program with a bad uninstaller, but still inexcusable.)

When I run it on our PCs, it finds mostly unimportant thingies, like some advertising issues. I always kill them. When I ran it on our server (file server, FTP server, printer server, Web server etc.) it found a lot of entries. All very dangerous, according to Malwarebytes, but all were useful applications that run on the server. So I uninstalled it from our server, and will never run it there again, but will still use it on our PCs. Using the free version, though. I use Emsisoft (paid version) to protect our PCs from malware.

Fokke