A Windows XP help forum. PCbanter

Malwarebytes warning

#1
November 22nd 15, 03:47 PM posted to alt.windows7.general
Mayayana

I know a lot of people here like Malwarebytes.
I tried it last night for the first time and thought it
worthwhile to issue a warning: Malwarebytes
grossly oversteps its job and can recklessly label
things malware, with potentially disastrous
results.

I ran the latest version and it found 10 "threats".
No explanations. No uncertainty. It just brought up
the final diagnosis and said let's clean 'em up. Among
the list was no malware at all. What MB did want to
remove were the following:

* The disk imaging executable for BootIt. (MB
called it "Backdoor.Bifrose", even though the
description for a bifrose infection shares nothing
in common with the file MB wanted to delete.)

* Software license in the Registry (Probably from
Visual Studio 6 and certainly not a risk, but a big
problem if deleted. I'd have to completely reinstall
VS6.)

* The Registry entries for Windows Media Player
ActiveX control.

* An entry in the Registry for LowRiskFileTypes.
It's a tweak to stop IE and other browsers from
interfering with downloads.

* The Registry entries I use to stop Windows
from nagging me about updates, AV and Windows
firewall.

Any of these items would have caused problems
if removed. Some of them could have caused big
headaches. I was lucky insofar as I was able
to figure out exactly what these "threats" were.
Most people won't be able to figure it out.

I then tried the latest Microsoft Malicious Software
Removal tool. That worked fine. It found no problems.

AV and malware hunters in general have become
overzealous software with limited usability. Like
xenophobic email servers that block any source
they don't know, this kind of software works well
by being overzealous, but it only *really* works well
for people who do very little with their computer
and can't be bothered with security. If your PC
is an email machine then there's probably no harm
in letting AV or MB nuke it. They might even end up
nuking something that should be nuked. But for anyone
else I think it's time to start taking all of these programs
with a grain of salt -- and be very careful about letting
them "clean up malware" without being very sure of
exactly what they're going to clean up.

I would certainly never try MB again. (I also got
stuck cleaning up junk it left behind in all users
app data. Not the first program with a bad uninstaller,
but still inexcusable.)




#2
November 22nd 15, 06:15 PM posted to alt.windows7.general
Diesel

"Mayayana"
Sun, 22 Nov 2015 15:47:26 GMT in alt.windows7.general, wrote:

> I know a lot of people here like Malwarebytes.
> I tried it last night for the first time and thought it
> worthwhile to issue a warning: Malwarebytes
> grossly oversteps its job and can recklessly label
> things malware, with potentially disastrous
> results.


I don't know what you mean by oversteps... Overstepping to me would
be if it just went ahead and made executive decisions regarding those
files' future without your input. It is subject to a false positive,
as ANY other AV/AM app would be.

> I ran the latest version and it found 10 "threats".
> No explanations. No uncertainty. It just brought up
> the final diagnosis and said let's clean 'em up. Among
> the list was no malware at all. What MB did want to
> remove were the following:


Some of this is an issue of wording. I've gone back and forth with
them for ages over this. I'll explain more detail...

> * The disk imaging executable for BootIt. (MB
> called it "Backdoor.Bifrose", even though the
> description for a bifrose infection shares nothing
> in common with the file MB wanted to delete.)


This is a false positive. If you email them a copy of the file and/or
post in the forums, they can resolve this for you and anyone else who
might also be affected by it.

> * Software license in the Registry (Probably from
> Visual Studio 6 and certainly not a risk, but a big
> problem if deleted. I'd have to completely reinstall
> VS6.)


Another possible false positive and/or a problem with the newer
registry scanning module has been found. You should report this to
them so that they can look into it. They do try to correct bugs as
they crop up, whenever possible.


> * The Registry entries for Windows Media Player
> ActiveX control.


This can be ignored in MBAM. Is it another tweak you've set yourself?
If so, you can tell MB to ignore it. You didn't specify what it's
'detecting' here, so I can't tell you if it might be a bug or a
non-default setting and that's what got MB's interest.

> * An entry in the Registry for LowRiskFileTypes.
> It's a tweak to stop IE and other browsers from
> interfering with downloads.


You can have MB ignore this in the future. The reason the software is
alerting on it is because it's not the default value and for normal
home users, could present a security risk. You know what you're
doing, so it doesn't apply as a risk to you. Tell MB to ignore it and
it won't bother you about this again.

I agree, this sort of detection should be rephrased so as to properly
inform the user exactly what's going on and why MB has alerted them
to it.

> * The Registry entries I use to stop Windows
> from nagging me about updates, AV and Windows
> firewall.


See previous answer. The *same* applies here for the very *same*
reasons.

> Any of these items would have caused problems
> if removed. Some of them could have caused big
> headaches. I was lucky insofar as I was able
> to figure out exactly what these "threats" were.
> Most people won't be able to figure it out.


Not all of the items would have caused problems as in system
instability if removed, although some programs might have been
affected in a negative way. You're exaggerating a bit here. The last
three items would cause you unwanted nag screens and nothing more.
That is why you disabled them, right?


--
Error: Creative signature file missing
#3
November 22nd 15, 06:42 PM posted to alt.windows7.general
J. P. Gilliver (John)

In message , Diesel writes:
[]
> You can have MB ignore this in the future. The reason the software is
> alerting on it is because it's not the default value and for normal
> home users, could present a security risk. You know what you're
> doing, so it doesn't apply as a risk to you. Tell MB to ignore it and
> it won't bother you about this again.

[]
Hmm. So, a "normal home user" has to not change _any_ default in order
to not be bugged by MB - or if does, has to tell MB for each such
change?

I can see both sides of this "argument", but must admit I'm closer to
Mayayana on this one (-:!
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

Can you open your mind without it falling out?
#4
November 22nd 15, 09:43 PM posted to alt.windows7.general
Stan Brown

On Sun, 22 Nov 2015 18:42:11 +0000, J. P. Gilliver (John) wrote:
> Hmm. So, a "normal home user" has to not change _any_ default in order
> to not be bugged by MB - or if does, has to tell MB for each such
> change?


I am a normal home user, I have not had to change any defaults, and I
have not been bugged by Malwarebytes.

--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://BrownMath.com/
http://OakRoadSystems.com/
Shikata ga nai...
#5
November 22nd 15, 10:53 PM posted to alt.windows7.general
Jason

On Sun, 22 Nov 2015 16:43:07 -0500 "Stan Brown" wrote in article
MPG.30bc00f2d87d37bd98f296@news.individual.net

> I am a normal home user, I have not had to change any defaults, and I
> have not been bugged by Malwarebytes.


There have been many suggestions over the years NOT to touch the
Registry repair in MBAM (or anywhere else). I don't have the OP's
post, but I believe he complained about registry damage. Best to
avoid letting MBAM touch it.
#6
November 22nd 15, 10:58 PM posted to alt.windows7.general
Cy Burnot

Jason wrote on 11/22/2015 5:53 PM:
> On Sun, 22 Nov 2015 16:43:07 -0500 "Stan Brown" wrote in article
> MPG.30bc00f2d87d37bd98f296@news.individual.net
>
>> I am a normal home user, I have not had to change any defaults, and I
>> have not been bugged by Malwarebytes.
>
> There have been many suggestions over the years NOT to touch the
> Registry repair in MBAM (or anywhere else). I don't have the OP's
> post, but I believe he complained about registry damage. Best to
> avoid letting MBAM touch it.


I don't see any option in MBAM about "registry repair".
#7
November 23rd 15, 11:57 AM posted to alt.windows7.general
Stan Brown

On Sun, 22 Nov 2015 17:53:28 -0500, Jason wrote:
> On Sun, 22 Nov 2015 16:43:07 -0500 "Stan Brown" wrote in article
> MPG.30bc00f2d87d37bd98f296@news.individual.net
>
>> I am a normal home user, I have not had to change any defaults, and I
>> have not been bugged by Malwarebytes.
>
> There have been many suggestions over the years NOT to touch the
> Registry repair in MBAM (or anywhere else). I don't have the OP's
> post, but I believe he complained about registry damage. Best to
> avoid letting MBAM touch it.


Malwarebytes does not perform a registry repair and doesn't create
"registry damage", so I don't know what you're talking about.

Unless, of course, you're just echoing the usual FUD spread by
Mayayana.



--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://BrownMath.com/
http://OakRoadSystems.com/
Shikata ga nai...
#8
November 25th 15, 03:43 AM posted to alt.windows7.general
Diesel

Jason
Sun, 22 Nov 2015 22:53:28 GMT in alt.windows7.general, wrote:

> On Sun, 22 Nov 2015 16:43:07 -0500 "Stan Brown" wrote in article
> MPG.30bc00f2d87d37bd98f296@news.individual.net
>
>> I am a normal home user, I have not had to change any defaults,
>> and I have not been bugged by Malwarebytes.
>
> There have been many suggestions over the years NOT to touch the
> Registry repair in MBAM (or anywhere else). I don't have the OP's
> post, but I believe he complained about registry damage. Best to
> avoid letting MBAM touch it.


MBAM doesn't perform 'registry repair'. It can remove bad/unwanted keys
and reset others to MS defaults. I don't know where you've read many
suggestions over the years concerning MBAM and the registry, either.

Without seeing some in context, it's hard to say how reliable the
advice is and/or what it's based on.


--
Error: Creative signature file missing
#9
November 25th 15, 03:43 AM posted to alt.windows7.general
Diesel

"J. P. Gilliver (John)"
Sun, 22 Nov 2015 18:42:11 GMT in alt.windows7.general, wrote:

> In message , Diesel writes:
> []
>> You can have MB ignore this in the future. The reason the software
>> is alerting on it is because it's not the default value and for
>> normal home users, could present a security risk. You know what
>> you're doing, so it doesn't apply as a risk to you. Tell MB to
>> ignore it and it won't bother you about this again.
>
> []
> Hmm. So, a "normal home user" has to not change _any_ default in
> order to not be bugged by MB - or if does, has to tell MB for each
> such change?


Not any default, just those which concern Windows notifications
having to do with updates, firewall and AV. MBAM has no way of
knowing in advance that you turned these off, OR, something you don't
know about on your machine did and you wouldn't have had you known
they were off.

> I can see both sides of this "argument", but must admit I'm closer
> to Mayayana on this one (-:!


I'm not. But, I also disclose that I'm not a typical home user, and,
I worked for the company so I have a better understanding of what the
software is doing and why it's doing it.




--
Error: Creative signature file missing
#10
November 22nd 15, 08:51 PM posted to alt.windows7.general
Mayayana

| I don't know what you mean by oversteps... Overstepping to me would
| be if it just went ahead and make executive decisions regarding those
| files future without your input. It is subject to a false positive,
| as ANY other app AV/AM would.
|

By overstep I mean saying xyz.exe is known
malware when the program really doesn't know.
It should inform the user as best it can: "This
may be suspicious". It shouldn't be tagging
things like security settings in the Registry as
malware. If it can't provide an informative
explanation of why the setting might be risky
then that item should be left out of the "threat"
list.

When I first started using computers I used to
run Norton System Works. It would find the usual
142 problems and I'd be delighted to get them all
fixed. I felt like I had my own Special Forces attack
squad. It never occurred to me that some of the
"problems" might be frivolous or even problematic
to fix. No doubt a lot of inexperienced people feel
the same way about such programs as MB. Worse,
those programs encourage trust with their tough-
guy-against-evil style of presentation.

If I were an average computer user I would have
told MB to fix all the problems it found. It gave no
indication that my computer might survive if I didn't
fix them. I might have never figured out that the
resulting problems were actually caused by MB.

| This is a false positive. if you email them a copy of the file and/or
| post in the forums, they can resolve this for you and anyone else who
| might also be affected by it.
|

In my experience it doesn't work that way. When
Avira tagged my own EXE I wrote to them. I got
back a robo-email telling me to upload the problem
EXE. But it wasn't a problem EXE. Avira was tagging
6 of my EXEs. And if they issued a fix for those I'd
be back in the same boat next time I compiled a
new version. So I wrote back to say that what was
needed was to re-assess how they're tagging EXEs
altogether, and that their catchall category they
call "TR/Dropper.Gen" was a problem. I would have
been happy to work with them, but they never
responded to that email. I've had to put notes on
my own website as I find out about such problems.

The same would be true for the BootIt EXE. Even
if MB responds, in a few months I'll probably have a
BootIt update. Depending on people to essentially
run beta test software is not a way to design
malware hunters.

In any case, all of that is beside the point. It's
not for me that I started this thread. It's for the
people who might be a bit too trusting and
enthusiastic with AV/malware products.

|
| * The Registry entries for Windows Media Player
| ActiveX control.
|
| This can be ignored in MBAM. is it another tweak you've set yourself?

A tweak? No. Windows Media Player ActiveX
control is pre-installed on all Windows systems.
It's a core component. The Registry key is
the HKCR\CLSID COM key that allows software
to find and use the control in order to play media
files. Without that entry the control -- and thus
some software -- would break. MB called it a
"Rogue.Regsort", which a bit of research indicates
may be very nasty ransomware. (MB didn't say
the setting *might* be Rogue.Regsort. MB said it
*is* Rogue.Regsort and marked it for removal.)

So yes, I can ignore it. But most people won't
know to look up that particular GUID in the Registry.
Even if they did they're unlikely to understand the
values they find.

| Not all of the items would have caused problems as in system
| instability if removed, although some programs might have been
| affected in a negative way. You're exaggerating a bit here. The last
| three items would cause you unwanted nag screens and nothing more.
| That is why you disabled them, right?

Yes. And another would have stopped my disk
imaging software from working. Another would
have prevented me using some libraries in my
software, for lack of a license. Another would
have broken Windows Media Player. Worse, none
of those would have been obviously caused by
MB, so I likely would have spent a long time trying
to figure out what was broken. How much
damage does it need to do before you'd count
it as a problem? While your points make some sense
*for you* personally, I think you're making excuses
for a product that you feel some loyalty toward.
There's really just no excuse for things like labelling
a Microsoft ActiveX control Registry setting as
ransomware.... Well, except maybe if it's those
Win10 nagware settings.


#11
November 25th 15, 03:43 AM posted to alt.windows7.general
Diesel

"Mayayana"
Sun, 22 Nov 2015 20:51:29 GMT in alt.windows7.general, wrote:

> By overstep I mean saying xyz.exe is known
> malware when the program really doesn't know.
> It should inform the user as best it can: "This
> may be suspicious". It shouldn't be tagging
> things like security settings in the Registry as
> malware. If it can't provide an informative
> explanation of why the setting might be risky
> then that item should be left out of the "threat"
> list.


As I told you, I've long disagreed with the wording concerning some
registry key settings when they're detected as non default.

The threat should be obvious. If you didn't make the changes, you
might not know that your firewall is off, av is off, etc. A normal
user probably doesn't want the firewall off and have no notification
that it's indeed off. Malware would prefer things this way, though.

> When I first started using computers I used to
> run Norton System Works. It would find the usual
> 142 problems and I'd be delighted to get them all
> fixed. I felt like I had my own Special Forces attack
> squad. It never occurred to me that some of the
> "problems" might be frivolous or even problematic
> to fix. No doubt a lot of inexperienced people feel
> the same way about such programs as MB. Worse,
> those programs encourage trust with their tough-
> guy-against-evil style of presentation.


Norton System Works 'registry' repair has borked many a machine. I
finally convinced a former employer to not only stop using it himself,
but stop asking/making us use it on computers in for servicing.
Registry cleaners generally, do not, work.

> If I were an average computer user I would have
> told MB to fix all the problems it found. It gave no
> indication that my computer might survive if I didn't
> fix them. I might have never figured out that the
> resulting problems were actually caused by MB.


MBAM leaves logs and has a quarantine area. If it makes changes that
cause problems, they can be reversed by restoring from quarantine. At
no time, based on what you described, would MBAM have 'nuked' your
entire machine had you just let it run. Some apps might not function
properly as a result. You *should* have viable copies of your system
registry hives. If you don't already, please create some soon. So in
the event that happened, you'd have a known good registry to come
back from.


> | This is a false positive. If you email them a copy of the file
> | and/or post in the forums, they can resolve this for you and
> | anyone else who might also be affected by it.
> |
>
> In my experience it doesn't work that way.


I didn't ask about your experience, and, with MBAM, it does work that
way. I know this because I worked for them as a malware researcher
and we always encouraged users to send us suspect files. A human
WOULD examine it and make the necessary changes. I'm not in the habit
of giving advice that will waste your time.

> Avira tagged my own EXE I wrote to them. I got
> back a robo-email telling me to upload the problem
> EXE. But it wasn't a problem EXE. Avira was tagging
> 6 of my EXEs. And if they issued a fix for those I'd
> be back in the same boat next time I compiled a
> new version.


Something was either off in the way you were designing the exes, or
protecting them after post compile. As they are most likely HLL
written, it's also possible it was hitting on valid code that would
also be present in malware; say a section of your programming
languages runtime code. It might have been a simple enough fix to
move the location of some of your own subroutines in the source file
and recompile; as this will change the binary appearance and could
have moved the code the AV was false hitting to another location. IE:
AV no longer hitting on it.

I had to do this with BugHunter because it shared some common code
with actual malware written years before. Moving the location of the
necessary routines solved the issue.

> altogether, and that their catchall category they
> call "TR/Dropper.Gen" was a problem.


It sounds like you were packing your executable with a
compressor/executable protection program before releasing to the
public then?

> The same would be true for the BootIt EXE. Even
> if MB responds, in a few months I'll probably have a
> BootIt update. Depending on people to essentially
> run beta test software is not a way to design
> malware hunters.


Have you ever taken the time to try writing one? I have. It's not an
easy thing to do and you're always having to tweak and make changes
to your technology as you go. False positives will come up, because
most malware these days is written in a high level language, no
different than a legit program would be. This makes isolating actual
malware code from code that could be found inside a legit program,
difficult.


So yes, when a legit file accidentally gets hit, you ARE HELPING the
company if you submit it for analysis to them. You're helping other
users of the product avoid the issue you're having as well. It's a
win-win.

> In any case, all of that is beside the point. It's
> not for me that I started this thread. It's for the
> people who might be a bit too trusting and
> enthusiastic with AV/malware products.


I have no problem with your thread. As long as you have no problem
with my interjecting good/sound advice and explaining some of the
issues you were having.

> | This can be ignored in MBAM. Is it another tweak you've set
> | yourself?
>
> A tweak? No. Windows Media Player ActiveX
> control is pre-installed on all Windows systems.
> It's a core component. The Registry key is
> the HKCR\CLSID COM key that allows software
> to find and use the control in order to play media
> files. Without that entry the control -- and thus
> some software -- would break. MB called it a
> "Rogue.Regsort", which a bit of research indicates
> may be very nasty ransomware. (MB didn't say
> the setting *might* be Rogue.Regsort. MB said it
> *is* Rogue.Regsort and marked it for removal.)


AFAIK, MBAM's language files do not have the ability to say, "this
could be malware". Like I said, MBAM still has some cosmetic issues
and some work should be done on better explaining detections which
might not be harmful.

> | Not all of the items would have caused problems as in system
> | instability if removed, although some programs might have been
> | affected in a negative way. You're exaggerating a bit here. The
> | last three items would cause you unwanted nag screens and nothing
> | more. That is why you disabled them, right?
>
> Yes. And another would have stopped my disk
> imaging software from working. Another would
> have prevented me using some libraries in my
> software, for lack of a license. Another would
> have broken Windows Media Player. Worse, none
> of those would have been obviously caused by
> MB, so I likely would have spent a long time trying
> to figure out what was broken.


Your own apparent inability to effectively troubleshoot isn't the
fault of MBAM. Your lack of knowledge of the software isn't the fault
of MBAM either. MBAM has a quarantine system. If it makes changes
that you aren't okay with, you can restore them from quarantine.

> How much damage does it need to do before you'd count
> it as a problem?


If it was doing damage and this wasn't a PEBKAC issue, I'd consider
it a problem.


> While your points make some sense
> *for you* personally, I think you're making excuses
> for a product that you feel some loyalty toward.


I'm not making any excuses for the product or your own
misunderstanding of what it is and how it works, either. I have no
loyalty to the program. I'd say the same thing if you bitched about
another program you don't actually understand well. The advice would
also have been the same as the issues you experienced ARE
correctable.

The points I made make sense to anyone who understands what the
program is doing and why it's doing it.

> There's really just no excuse for things like labelling
> a Microsoft ActiveX control Registry setting as
> ransomware.... Well, except maybe if it's those
> Win10 nagware settings.


I already covered this. I don't agree with some of the language MBAM
uses when things that aren't actually malware are detected either. I
make no excuse for it, I was on them for years concerning it.


--
Error: Creative signature file missing
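Diesel's advice in the replies above (tell MBAM to ignore values you changed on purpose, keep copies of the registry hives, restore from quarantine if a cleanup breaks something) comes down to one habit: look at what a detection actually points at before clicking Clean. The script below is an added example written for this page; it is not code from the thread, from Malwarebytes or from Microsoft. It takes the registry items the original post lists, shows what each value currently holds, says whether that matches a default Windows install, and exports the containing keys with reg.exe so the change can be undone with "reg import". The exact key paths and defaults are assumptions: the thread never names the keys Mayayana tweaked or the CLSID that was flagged, so the list uses the Security Center *DisableNotify values, the LowRiskFileTypes policy value and the CLSID the Windows Media Player control normally registers under. Replace them with the paths shown in your own scan log.

```powershell
# Added example, not from the thread or from any vendor. Windows 7 or later.
# Read-only apart from writing .reg backups under %TEMP%.

$backupDir = Join-Path $env:TEMP ('reg-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Constructed detection list modelled on the items in the original post.
# Key paths, value names and Expect are assumptions about what was changed.
# Expect: 'absent'  = not present on a clean install (non-default if found)
#         'present' = normal Windows component (deleting it breaks something)
#         a number  = the clean-install data for that value
$detections = @(
    @{ Key = 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
       Name = 'LowRiskFileTypes'; Expect = 'absent'
       Why = 'suppresses the open/save security prompt for the listed extensions' },
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'
       Name = 'AntiVirusDisableNotify'; Expect = 0
       Why = '1 hides the "no antivirus" notification; malware likes it that way too' },
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'
       Name = 'FirewallDisableNotify'; Expect = 0
       Why = '1 hides the firewall-off notification' },
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'
       Name = 'UpdatesDisableNotify'; Expect = 0
       Why = '1 hides the Windows Update notification' },
    @{ Key = 'HKEY_CLASSES_ROOT\CLSID\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\InprocServer32'
       Name = '(default)'; Expect = 'present'
       Why = 'COM registration of the Windows Media Player control (assumed CLSID)' }
)

# Read one value through the Registry provider; '(default)' works like any other name.
function Read-RegValue([string]$Key, [string]$Name) {
    $path = "Registry::$Key"
    if (-not (Test-Path -LiteralPath $path)) {
        return @{ KeyExists = $false; Exists = $false; Data = $null }
    }
    $item = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
    $prop = if ($null -ne $item) { $item.PSObject.Properties[$Name] } else { $null }
    if ($null -eq $prop) { return @{ KeyExists = $true; Exists = $false; Data = $null } }
    return @{ KeyExists = $true; Exists = $true; Data = $prop.Value }
}

# Compare what is there with what a clean install has.
function Get-Verdict($actual, $expect) {
    if ($expect -is [string] -and $expect -eq 'absent') {
        if ($actual.Exists) { return 'NON-DEFAULT: value was added by someone' }
        return 'default (value absent)'
    }
    if ($expect -is [string] -and $expect -eq 'present') {
        if ($actual.Exists) { return 'normal component: KEEP' }
        return 'MISSING: already removed or never installed'
    }
    if (-not $actual.Exists) { return 'default (value absent)' }
    if ($actual.Data -eq $expect) { return 'default' }
    return "NON-DEFAULT: is $($actual.Data), clean install has $expect"
}

$report = foreach ($d in $detections) {
    $actual = Read-RegValue -Key $d.Key -Name $d.Name
    $data = if ($actual.Exists) { $actual.Data } else { '<absent>' }
    [pscustomobject]@{
        Value   = "$($d.Key)\$($d.Name)"
        Data    = $data
        Verdict = Get-Verdict $actual $d.Expect
        Why     = $d.Why
    }
}
$report | Format-List   # Format-Table would truncate the long key paths

# Export each distinct key once; undo later with:  reg import "<file>.reg"
foreach ($key in ($detections | ForEach-Object { $_.Key } | Sort-Object -Unique)) {
    $file = Join-Path $backupDir (($key -replace '[\\{}]', '_') + '.reg')
    & reg.exe export $key $file /y 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "could not export $key (key missing?)" }
}
Write-Host "Backups written to $backupDir"
```

Run it before the scanner's Clean step, not after: once a value has been deleted the export has nothing to capture, and you are back to relying on the scanner's own quarantine. A value reported as NON-DEFAULT that you do not remember setting is the case Diesel describes, something else turned the notification off; one you did set yourself is a candidate for the scanner's ignore list rather than for removal.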
#12
November 25th 15, 02:26 PM posted to alt.windows7.general
Mayayana

| Avira tagged my own EXE I wrote to them. I got
| back a robo-email telling me to upload the problem
| EXE. But it wasn't a problem EXE. Avira was tagging
| 6 of my EXEs. And if they issued a fix for those I'd
| be back in the same boat next time I compiled a
| new version.
|
| Something was either off in the way you were designing the exes, or
| protecting them after post compile. As they are most likely HLL
| written,

I don't know what "HLL" stands for. Should I?
There was nothing "off in the design" of the EXEs
that I know of. The compiler has never asked for
my design ideas. It's actually a common problem,
and an example of the outdated approach of AV
software. There are millions of "virus signatures",
which are simply byte strings considered unique.
Avira found something in my EXE that apparently
looked similar. (It clearly wasn't a match. In that
case Avira would have said it was xyz virus and not
assigned it the meaningless name of "TR/Dropper.Gen",
which they use as a catchall diagnosis.)

After the Avira warning, and their non-responsiveness,
I had to install Avira and test. I tried various things
to change the exact byte order. What finally worked
was to allow the compiler to add code to check for
invalidly large integer values. Essentially I had to add
unnecessary code to slow down my code.

So it's fixable, yes. But it's a hassle. It's not
realistic to install all the popular AV programs and run
them all with each compile. And it's not something I'm
willing to do with freeware.
And there's a bigger problem with this: People using
my software are getting warnings. In the case I'm talking
about I was fortunate that someone wrote to me and
told me about it. It's possible that my software is setting
off alarms in other AV products now and I won't know
because no one has told me. To imply that that is somehow
my fault simply doesn't make sense.

Increasingly I've been taking the approach of letting
people know about bugs I'm aware of, recommending
against Avira, and generally warning that my software
may not always work properly if people lock down their
machines.

| altogether, and that their catchall category they
| call "TR/Dropper.Gen" was a problem.
|
| It sounds like you were packing your executable with a
| compressor/executable protection program before releasing to the
| public then?
|

No. It's just a plain EXE, VB6 code compiled with Visual
Studio 6. No "design". No aspack, UPX, or other compressors.
It's free software, so there are no protection tricks. Again,
your reasoning that a false positive must be the fault of
the software author is backward.

| The same would be true for the BootIt EXE. Even
| if MB responds, in a few months I'll probably have a
| BootIt update. Depending on people to essentially
| run beta test software is not a way to design
| malware hunters.
|
| Have you ever taken the time to try writing one? I have. It's not an
| easy thing to do and you're always having to tweak and make changes
| to your technology as you go.

You mean with AV software? No, I haven't written
any. Yes, I'm sure it takes a lot of work. And now I
know why you're blaming the person who writes the
software that sets off a false positive. Bugs are
bugs. Avira was not even willing to talk about their
bug. To say it's a tricky job writing AV software is
not an excuse for a poor product. But I don't really
think it's mostly the fault of the AV companies, either.
As I was saying above, the whole concept of AV
virus definitions/signatures is long outdated. People
are running software that scans every process started,
looking for any one of millions of byte strings, and
even then only works with malware that's already
known. If computers didn't currently have far more
power than people are using then no one would
even put up with the resource drag of AV software.

| Your own apparent inability to effectively troubleshoot isn't the
| fault of MBAM. Your lack of knowledge of the software isn't the fault
| of MBAM either. MBAM has a quarantine system. If it makes changes
| that you aren't okay with, you can restore them from quarantine.


You're reacting defensively, making excuses for
MB. I've said repeatedly that I can and do research
these things, and that my post was meant only
to warn people who might be too trusting.

Say, for example, someone has used the IE download
tweak for safe file types and allows MB to "fix" it
without understanding what it is. Later, IE refuses to
let them download an EXE file. It's unlikely they'll
connect that to the MB changes. They'll just be
confused. So the "quarantine" will be of little use.

If you read my original post you'll see that while
I didn't hide my low regard for malware/AV software
in general, the point of that post was just to warn
people who might be too trusting. I see people here,
time and again, talk about running numerous malware
checkers whenever something seems off. That
means a lot of people don't know how to go about
diagnosing problems and turn first to malware hunters.
They need to know to take those programs with a
grain of salt and to research any malware warnings
before letting the software make changes.
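The argument above about signatures (byte strings that can match a clean program, catch-all names like TR/Dropper.Gen, Diesel's suggestion to move a subroutine so the compiled bytes change) is easier to see with a toy scanner. The following is an added example written for this page, not code from the thread, from Avira or from Malwarebytes. The "binaries" are constructed byte arrays standing in for a runtime stub that a compiler puts into every program, two ordinary routines from a clean program, and a payload only the malware has; no real samples or real vendor signatures are involved.

```powershell
# Added example, not from the thread or any vendor. Toy byte-signature scanner;
# every "binary" below is a constructed byte array, not a real executable.

# Search $Data for a hex pattern; '??' is a one-byte wildcard.
# Returns the offset of the first match, or -1.
function Find-Signature {
    param([byte[]]$Data, [string]$Pattern)
    $want = @(foreach ($t in ($Pattern.Trim() -split '\s+')) {
        if ($t -eq '??') { -1 } else { [int][Convert]::ToByte($t, 16) }
    })
    for ($i = 0; $i -le $Data.Length - $want.Count; $i++) {
        $hit = $true
        for ($j = 0; $j -lt $want.Count; $j++) {
            if ($want[$j] -ge 0 -and $Data[$i + $j] -ne $want[$j]) { $hit = $false; break }
        }
        if ($hit) { return $i }
    }
    return -1
}

# Constructed "code": a runtime stub shared by every program from this compiler,
# two routines with the usual prologue/epilogue, and a payload only the malware has.
[byte[]]$runtime  = 0xE8,0x00,0x00,0x00,0x00,0x58,0x83,0xC0,0x05,0xC3
[byte[]]$routineA = 0x55,0x8B,0xEC,0x83,0xEC,0x10,0xC9,0xC3
[byte[]]$routineB = 0x55,0x8B,0xEC,0x56,0x8B,0x75,0x08,0x5E,0xC9,0xC3
[byte[]]$payload  = 0x55,0x8B,0xEC,0x83,0xEC,0x40,0x68,0x4D,0x5A,0x90,0x00,0xC9,0xC3

[byte[]]$malware   = $runtime + $routineA + $payload   # malware built with the same compiler
[byte[]]$cleanApp  = $runtime + $routineA + $routineB  # the author's clean program
[byte[]]$cleanApp2 = $runtime + $routineB + $routineA  # same program, routines swapped

# A "generic" signature cut from the malware at the seam between the shared
# runtime stub and the first routine: tail of the stub plus a common prologue.
$generic  = '83 C0 05 C3 55 8B EC 83 EC'
# A signature anchored on bytes that only the payload contains.
$specific = '68 4D 5A 90 00 C9 C3'
# Wildcards make a pattern looser still: any 8-byte routine with this shape.
$loose    = '55 8B EC ?? ?? ?? C9 C3'

$sigs    = [ordered]@{ generic = $generic; specific = $specific; loose = $loose }
$samples = [ordered]@{ malware = $malware; cleanApp = $cleanApp; cleanApp2 = $cleanApp2 }
foreach ($sig in $sigs.GetEnumerator()) {
    foreach ($s in $samples.GetEnumerator()) {
        $off = Find-Signature -Data $s.Value -Pattern $sig.Value
        $result = if ($off -ge 0) { "HIT at offset $off" } else { 'no match' }
        '{0,-8} vs {1,-9}: {2}' -f $sig.Key, $s.Key, $result
    }
}
```

The generic signature matches the malware and the clean program alike, because the bytes it was cut from belong to the compiler's runtime and a stock function prologue rather than to anything malicious; that is the false positive both posters describe. Swap the order of the two routines and the same signature stops matching the clean program, which is why Diesel's "move a subroutine and recompile" fix can work even though nothing about the program's behaviour changed. The specific signature only ever hits the payload, and the wildcard one hits everything, so a vendor that receives the submitted clean file can see exactly which of its patterns needs tightening.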


#13
November 25th 15, 02:37 PM posted to alt.windows7.general
FromTheRafters[_2_]

Mayayana presented the following explanation:
>>> Avira tagged my own EXE I wrote to them. I got
>>> back a robo-email telling me to upload the problem
>>> EXE. But it wasn't a problem EXE. Avira was tagging
>>> 6 of my EXEs. And if they issued a fix for those I'd
>>> be back in the same boat next time I compiled a
>>> new version.
>>
>> Something was either off in the way you were designing the exes, or
>> protecting them after post compile. As they are most likely HLL
>> written,
>
> I don't know what "HLL" stands for. Should I?


You're using one, so no you shouldn't necessarily know what it is.

[...]
#14
November 29th 15, 05:38 PM posted to alt.windows7.general
Diesel

"Mayayana"
Wed, 25 Nov 2015 14:26:00 GMT in alt.windows7.general, wrote:

> | Avira tagged my own EXE I wrote to them. I got
> | back a robo-email telling me to upload the problem
> | EXE. But it wasn't a problem EXE. Avira was tagging
> | 6 of my EXEs. And if they issued a fix for those I'd
> | be back in the same boat next time I compiled a
> | new version.
> |
> | Something was either off in the way you were designing the exes,
> | or protecting them after post compile. As they are most likely
> | HLL written,
>
> I don't know what "HLL" stands for. Should I?
> There was nothing "off in the design" of the EXEs
> that I know of. The compiler has never asked for
> my design ideas. It's actually a common problem,
> and an example of the outdated approach of AV
> software. There are millions of "virus signatures",
> which are simply byte strings considered unique.
> Avira found something in my EXE that apparently
> looked similar. (It clearly wasn't a match. In that
> case Avira would have said it was xyz virus and not
> assigned it the meaningless name of "TR/Dropper.Gen",
> which they use as a catchall diagnosis.)


I suppose it doesn't matter in your case knowing what HLL is. You are
doing HLL, but, if you're okay with not realizing it, it's really not
my place to try and explain and wind up derailing this thread in the
process.

It's not a common problem per se... It's entirely possible Avira
didn't hit on an actual byte style signature but either during
emulation or routine analysis, thought something might be amiss; to
the point of closely resembling a trojan.dropper. If you aren't
protecting your executable after post compile, this problem can be
mitigated in one of two ways. Send Avira a sample of your executable
that's being wrongly said to contain malware, OR, change the physical
location of some of your subroutines in the source file and compile
it. You might be very surprised by the results of doing that simple
task.

So it's fixable, yes. But it's a hassle. It's not
realistic to install all the popular AV programs and run
them all with each compile. And it's not something I'm
willing to do with freeware.


I hate to tell you this, but a responsible author of
freeware/shareware/commercial software SHOULD be checking it against
the popular AV/AM packages to ensure (a) the package isn't going to
scare clients and give you unnecessary support calls/emails, and (b)
to ensure your software can install properly AND function with this
AV program also present on the same machine.

And there's a bigger problem with this: People using
my software are getting warnings. In the case I'm talking
about I was fortunate that someone wrote to me and
told me about it. It's possible that my software is setting
off alarms in other AV products now and I won't know
because no one has told me. To imply that that is somehow
my fault simply doesn't make sense.


It's a little worse than that, actually. Some people are wrongly
going to assume that you're writing malicious software and never take
the time to check into the issue and learn otherwise. They'll tell
others to avoid your programs for the very same reason. Their own
ignorance will be your loss (as others won't even download your
program, let alone try to use it; their friend said it was bad, the
AV said so) and harm to your credibility.

No. It's just a plain EXE, VB6 code compiled with Visual
Studio 6. No "design". No aspack, UPX, or other compressors.
It's free software, so there are no protection tricks. Again,
your reasoning that a false positive must be the fault of
the software author is backward.


It's not backward if you understood what was actually going on here
as well as what's involved in the development of AV/AM software and
associated signatures.

As I was saying above, the whole concept of AV
virus definitions/signatures is long outdated.


It was outdated when it began. Luckily, other technologies have been
developed since then that not only increase reliability of the
scanner, but, also work diligently to reduce false positives.


| Your own apparent inability to effectively troubleshoot isn't the
| fault of MBAM. Your lack of knowledge of the software isn't the
| fault of MBAM either. MBAM has a quarantine system. If it makes
| changes that you aren't okay with, you can restore them from
| quarantine.
You're reacting defensively, making excuses for
MB. I've said repeatedly that I can and do research
these things, and that my post was meant only
to warn people who might be too trusting.


I'm not reacting at all, and I assure you, I'm the last person you'll
see making excuses for MBAM or otherwise defending them.



--
Error: Creative signature file missing
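The exchange above turns on what a "virus signature" is (a byte string a vendor treats as unique) and why a catch-all name like "TR/Dropper.Gen" is weaker evidence than a family-specific match. The following toy scanner is an added example, not code from the thread or from any AV vendor; every signature, file and hash in it is constructed, and the `.Gen` naming rule and known-good hash list are assumptions made for illustration.

```python
"""Toy byte-string signature scanner (added example, not from the thread).

A short or generic pattern can occur in benign compiler output and yields
a catch-all hit; a longer, family-specific pattern is far less likely to
collide. Before letting a tool "clean up", a defender can weigh the kind
of hit against what is already known about the file.
"""
import hashlib

# Constructed signature database: detection name -> byte pattern.
SIGNATURES = {
    # Generic pattern: push imm32 followed by call, a sequence ordinary
    # compiled code may contain; stands in for a catch-all "*.Gen" name.
    "Example.Dropper.Gen": b"\x68\x00\x00\x00\x00\xe8",
    # Family-specific pattern: longer and tied to one constructed sample.
    "Example.Family.A": b"CONSTRUCTED-FAMILY-A-MARKER-7f3a",
}


def scan(data: bytes) -> list[str]:
    """Return the names of every signature whose byte pattern occurs in data."""
    return [name for name, pat in SIGNATURES.items() if pat in data]


def is_generic(name: str) -> bool:
    """Assumed naming rule: names ending in '.Gen' are catch-all, not family matches."""
    return name.endswith(".Gen")


def triage(data: bytes, known_good_sha256: set[str]) -> str:
    """Defender-side check before acting on a hit: a generic-only detection on a
    file whose SHA-256 is already known good is flagged as a likely false
    positive; any family-specific match is reported as a real detection."""
    hits = scan(data)
    if not hits:
        return "clean"
    digest = hashlib.sha256(data).hexdigest()
    if all(is_generic(h) for h in hits) and digest in known_good_sha256:
        return "generic-only hit on known-good file: likely false positive"
    return "detected: " + ", ".join(hits)


# Constructed sample "files": a benign one that merely contains the generic
# sequence, and one that also carries the family-specific marker.
BENIGN_EXE = b"MZ" + b"\x90" * 16 + b"\x68\x00\x00\x00\x00\xe8" + b"\x90" * 16
MALICIOUS = b"MZ" + b"\x68\x00\x00\x00\x00\xe8" + b"CONSTRUCTED-FAMILY-A-MARKER-7f3a"
KNOWN_GOOD = {hashlib.sha256(BENIGN_EXE).hexdigest()}

if __name__ == "__main__":
    print(triage(BENIGN_EXE, KNOWN_GOOD))   # generic-only hit, known good
    print(triage(MALICIOUS, KNOWN_GOOD))    # specific family match
```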
  #15  
Old November 22nd 15, 06:48 PM posted to alt.windows7.general
Fokke Nauta[_4_]
external usenet poster
 
Posts: 587
Default Malwarebytes warning

On 22/11/2015 16:47, Mayayana wrote:
I know a lot of people here like Malwarebytes.
I tried it last night for the first time and thought it
worthwhile to issue a warning: Malwarebytes
grossly oversteps its job and can recklessly label
things malware, with potentially disastrous
results.

I ran the latest version and it found 10 "threats".
No explanations. No uncertainty. It just brought up
the final diagnosis and said let's clean 'em up. Among
the list was no malware at all. What MB did want to
remove were the following:

* The disk imaging executable for BootIt. (MB
called it "Backdoor.Bifrose", even though the
description for a bifrose infection shares nothing
in common with the file MB wanted to delete.)

* Software license in the Registry (Probably from
Visual Studio 6 and certainly not a risk, but a big
problem if deleted. I'd have to completely reinstall
VS6.)

* The Registry entries for Windows Media Player
ActiveX control.

* An entry in the Registry for LowRiskFileTypes.
It's a tweak to stop IE and other browsers from
interfering with downloads.

* The Registry entries I use to stop Windows
from nagging me about updates, AV and Windows
firewall.

Any of these items would have caused problems
if removed. Some of them could have caused big
headaches. I was lucky insofar as I was able
to figure out exactly what these "threats" were.
Most people won't be able to figure it out.

I then tried the latest Microsoft Malicious Software
Removal tool. That worked fine. It found no problems.

AV and malware hunters in general have become
overzealous software with limited usability. Like
xenophobic email servers that block any source
they don't know, this kind of software works well
by being overzealous, but it only *really* works well
for people who do very little with their computer
and can't be bothered with security. If your PC
is an email machine then there's probably no harm
in letting AV or MB nuke it. They might even end up
nuking something that should be nuked. But for anyone
else I think it's time to start taking all of these programs
with a grain of salt -- and be very careful about letting
them "clean up malware" without being very sure of
exactly what they're going to clean up.

I would certainly never try MB again. (I also got
stuck cleaning up junk it left behind in all users
app data. Not the first program with a bad uninstaller,
but still inexcusable.)





When I run it on our PCs, it finds mostly unimportant thingies, like
some advertising issues. I always kill them.
When I ran it on our server (file server, FTP server, printer server,
Web server etc.) it found a lot of entries. All very dangerous, according to
what Malwarebytes said, but all were useful applications that run on the server.
So I uninstalled it from our server, will never run it there again, but
will still use it on our PCs.
Using the free version, though.
I use Emsisoft (paid version) to protect our PCs from malware.

Fokke
 



