#31
Malwarebytes warning

Jason, Sun, 22 Nov 2015 22:53:28 GMT in alt.windows7.general, wrote:

> On Sun, 22 Nov 2015 16:43:07 -0500 "Stan Brown" wrote in article MPG.30bc00f2d87d37bd98f296@news.individual.net
>
>> I am a normal home user, I have not had to change any defaults, and I have not been bugged by Malwarebytes.
>
> There have been many suggestions over the years NOT to touch the Registry repair in MBAM (or anywhere else). I don't have the OP's post, but I believe he complained about registry damage. Best to avoid letting MBAM touch it.

MBAM doesn't perform 'registry repair'. It can remove bad/unwanted keys and reset others to MS defaults. I don't know where you've read many suggestions over the years concerning MBAM and the registry, either. Without seeing some in context, it's hard to say how reliable the advice is and/or what it's based on.

--
Error: Creative signature file missing
#32
Malwarebytes warning

"Mayayana", Sun, 22 Nov 2015 20:51:29 GMT in alt.windows7.general, wrote:

> By overstep I mean saying xyz.exe is known malware when the program really doesn't know. It should inform the user as best it can: "This may be suspicious". It shouldn't be tagging things like security settings in the Registry as malware. If it can't provide an informative explanation of why the setting might be risky then that item should be left out of the "threat" list.

As I told you, I've long disagreed with the wording concerning some registry key settings when they're detected as non default. The threat should be obvious. If you didn't make the changes, you might not know that your firewall is off, av is off, etc. A normal user probably doesn't want the firewall off and have no notification that it's indeed off. Malware would prefer things this way, though.

> When I first started using computers I used to run Norton System Works. It would find the usual 142 problems and I'd be delighted to get them all fixed. I felt like I had my own Special Forces attack squad. It never occurred to me that some of the "problems" might be frivolous or even problematic to fix. No doubt a lot of inexperienced people feel the same way about such programs as MB. Worse, those programs encourage trust with their tough-guy-against-evil style of presentation.

Norton System Works 'registry' repair has borked many a machine. I finally convinced a former employer to not only stop using it himself, but stop asking/making us use it on computers in for servicing. Registry cleaners, generally, do not work.

> If I were an average computer user I would have told MB to fix all the problems it found. It gave no indication that my computer might survive if I didn't fix them. I might have never figured out that the resulting problems were actually caused by MB.

MBAM leaves logs and has a quarantine area. If it makes changes that cause problems, they can be reversed by restoring from quarantine. At no time, based on what you described, would MBAM have 'nuked' your entire machine had you just let it run. Some apps might not function properly as a result. You *should* have viable copies of your system registry hives. If you don't already, please create some soon. So in the event that happened, you'd have a known good registry to come back from.

> | This is a false positive. if you email them a copy of the file
> | and/or post in the forums, they can resolve this for you and
> | anyone else who might also be affected by it.
>
> In my experience it doesn't work that way.

I didn't ask about your experience, and, with MBAM, it does work that way. I know this because I worked for them as a malware researcher and we always encouraged users to send us suspect files. A human WOULD examine it and make the necessary changes. I'm not in the habit of giving advice that will waste your time.

> Avira tagged my own EXE I wrote to them. I got back a robo-email telling me to upload the problem EXE. But it wasn't a problem EXE. Avira was tagging 6 of my EXEs. And if they issued a fix for those I'd be back in the same boat next time I compiled a new version.

Something was either off in the way you were designing the exes, or protecting them after post compile. As they are most likely HLL written, it's also possible it was hitting on valid code that would also be present in malware; say a section of your programming language's runtime code. It might have been a simple enough fix to move the location of some of your own subroutines in the source file and recompile; as this will change the binary appearance and could have moved the code the AV was false hitting to another location. IE: AV no longer hitting on it. I had to do this with BugHunter because it shared some common code with actual malware written years before. Moving the location of the necessary routines solved the issue.

> altogether, and that their catchall category they call "TR/Dropper.Gen" was a problem.

It sounds like you were packing your executable with a compressor/executable protection program before releasing to the public then?

> The same would be true for the BootIt EXE. Even if MB responds, in a few months I'll probably have a BootIt update. Depending on people to essentially run beta test software is not a way to design malware hunters.

Have you ever taken the time to try writing one? I have. It's not an easy thing to do and you're always having to tweak and make changes to your technology as you go. False positives will come up, because most malware these days is written in a high level language, no different than a legit program would be. This makes isolating actual malware code from code that could be found inside a legit program difficult. So yes, when a legit file accidentally gets hit, you ARE HELPING the company if you submit it for analysis to them. You're helping other users of the product avoid the issue you're having as well. It's a win win.

> In any case, all of that is beside the point. It's not for me that I started this thread. It's for the people who might be a bit too trusting and enthusiastic with AV/malware products.

I have no problem with your thread. As long as you have no problem with my interjecting good/sound advice and explaining some of the issues you were having.

> | This can be ignored in MBAM. is it another tweak you've set
> | yourself?
>
> A tweak? No. Windows Media Player ActiveX control is pre-installed on all Windows systems. It's a core component. The Registry key is the HKCR\CLSID COM key that allows software to find and use the control in order to play media files. Without that entry the control -- and thus some software -- would break. MB called it a "Rogue.Regsort", which a bit of research indicates may be very nasty ransomware. (MB didn't say the setting *might* be Rogue.Regsort. MB said it *is* Rogue.Regsort and marked it for removal.)

AFAIK, MBAM's language files do not have the ability to say, "this could be malware". Like I said, MBAM still has some cosmetic issues and some work should be done on better explaining detections which might not be harmful.

> | Not all of the items would have caused problems as in system
> | instability if removed, although some programs might have been
> | affected in a negative way. You're exaggerating a bit here. The
> | last three items would cause you unwanted nag screens and nothing
> | more. That is why you disabled them, right?
>
> Yes. And another would have stopped my disk imaging software from working. Another would have prevented me using some libraries in my software, for lack of a license. Another would have broken Windows Media Player. Worse, none of those would have been obviously caused by MB, so I likely would have spent a long time trying to figure out what was broken.

Your own apparent inability to effectively troubleshoot isn't the fault of MBAM. Your lack of knowledge of the software isn't the fault of MBAM either. MBAM has a quarantine system. If it makes changes that you aren't okay with, you can restore them from quarantine.

> How much damage does it need to do before you'd count it as a problem?

If it was doing damage and this wasn't a pebkac issue, I'd consider it a problem.

> While your points make some sense *for you* personally, I think you're making excuses for a product that you feel some loyalty toward.

I'm not making any excuses for the product or your own misunderstanding of what it is and how it works, either. I have no loyalty to the program. I'd say the same thing if you bitched about another program you don't actually understand well. The advice would also have been the same as the issues you experienced ARE correctable. The points I made make sense to anyone who understands what the program is doing and why it's doing it.

> There's really just no excuse for things like labelling a Microsoft ActiveX control Registry setting as ransomware.... Well, except maybe if it's those Win10 nagware settings.

I already covered this. I don't agree with some of the language MBAM uses when things that aren't actually malware are detected either. I make no excuse for it, I was on them for years concerning it.

--
Error: Creative signature file missing
#33
Malwarebytes warning

| Avira tagged my own EXE I wrote to them. I got
| back a robo-email telling me to upload the problem
| EXE. But it wasn't a problem EXE. Avira was tagging
| 6 of my EXEs. And if they issued a fix for those I'd
| be back in the same boat next time I compiled a
| new version.
|
| Something was either off in the way you were designing the exes, or
| protecting them after post compile. As they are most likely HLL
| written,

I don't know what "HLL" stands for. Should I?

There was nothing "off in the design" of the EXEs that I know of. The compiler has never asked for my design ideas. It's actually a common problem, and an example of the outdated approach of AV software. There are millions of "virus signatures", which are simply byte strings considered unique. Avira found something in my EXE that apparently looked similar. (It clearly wasn't a match. In that case Avira would have said it was xyz virus and not assigned it the meaningless name of "TR/Dropper.Gen", which they use as a catchall diagnosis.)

After the Avira warning, and their non-responsiveness, I had to install Avira and test. I tried various things to change the exact byte order. What finally worked was to allow the compiler to add code to check for invalidly large integer values. Essentially I had to add unnecessary code to slow down my code. So it's fixable, yes. But it's a hassle. It's not realistic to install all the popular AV programs and run them all with each compile. And it's not something I'm willing to do with freeware. And there's a bigger problem with this: People using my software are getting warnings. In the case I'm talking about I was fortunate that someone wrote to me and told me about it. It's possible that my software is setting off alarms in other AV products now and I won't know because no one has told me. To imply that that is somehow my fault simply doesn't make sense.

Increasingly I've been taking the approach of letting people know about bugs I'm aware of, recommending against Avira, and generally warning that my software may not always work properly if people lock down their machines.

| altogether, and that their catchall category they
| call "TR/Dropper.Gen" was a problem.
|
| It sounds like you were packing your executable with a
| compressor/executable protection program before releasing to the
| public then?
|

No. It's just a plain EXE, VB6 code compiled with Visual Studio 6. No "design". No aspack, UPX, or other compressors. It's free software, so there are no protection tricks. Again, your reasoning that a false positive must be the fault of the software author is backward.

| The same would be true for the BootIt EXE. Even
| if MB responds, in a few months I'll probably have a
| BootIt update. Depending on people to essentially
| run beta test software is not a way to design
| malware hunters.
|
| Have you ever taken the time to try writing one? I have. It's not an
| easy thing to do and you're always having to tweak and make changes
| to your technology as you go.

You mean with AV software? No, I haven't written any. Yes, I'm sure it takes a lot of work. And now I know why you're blaming the person who writes the software that sets off a false positive. Bugs are bugs. Avira was not even willing to talk about their bug. To say it's a tricky job writing AV software is not an excuse for a poor product. But I don't really think it's mostly the fault of the AV companies, either. As I was saying above, the whole concept of AV virus definitions/signatures is long outdated. People are running software that scans every process started, looking for any one of millions of byte strings, and even then only works with malware that's already known. If computers didn't currently have far more power than people are using then no one would even put up with the resource drag of AV software.

| Your own apparent inability to effectively troubleshoot isn't the
| fault of MBAM. Your lack of knowledge of the software isn't the fault
| of MBAM either. MBAM has a quarantine system. If it makes changes
| that you aren't okay with, you can restore them from quarantine.

You're reacting defensively, making excuses for MB. I've said repeatedly that I can and do research these things, and that my post was meant only to warn people who might be too trusting. Say, for example, someone has used the IE download tweak for safe file types and allows MB to "fix" it without understanding what it is. Later, IE refuses to let them download an EXE file. It's unlikely they'll connect that to the MB changes. They'll just be confused. So the "quarantine" will be of little use.

If you read my original post you'll see that while I didn't hide my low regard for malware/AV software in general, the point of that post was just to warn people who might be too trusting. I see people here, time and again, talk about running numerous malware checkers whenever something seems off. That means a lot of people don't know how to go about diagnosing problems and turn first to malware hunters. They need to know to take those programs with a grain of salt and to research any malware warnings before letting the software make changes.
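The two posts above describe the same mechanism from opposite sides: a signature is a byte string, a catch-all name like "TR/Dropper.Gen" means a short generic pattern matched rather than a known family, a high-level-language program shares runtime code with malware written in the same language, and a vendor-reviewed exception for one build stops covering the next compile. The toy scanner below, added here as an illustration and not code from the thread or from any AV vendor, walks through that cycle on constructed byte strings. Every sample file, pattern and detection name in it is made up for the demo; the `generic` flag and the hash allowlist are modelling assumptions, not a description of how any real engine is built.

```python
"""Toy byte-signature scanner (added example, not from the thread).

Models the mechanism discussed above: an engine holds a set of byte strings
("signatures") and flags any file that contains one. A short, generic pattern
taken from code that legitimate programs also contain matches innocent
binaries, which is the false positive under discussion. A per-build hash
allowlist shows why a vendor exception stops applying after a recompile.
All byte strings and names below are constructed for the demo.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    generic: bool  # True = catch-all/heuristic name, not a specific family


# Constructed "runtime stub" that both a legitimate HLL program and malware
# written in the same language would carry verbatim.
SHARED_RUNTIME_STUB = b"\x55\x8b\xec\x83\xec\x10RT_INIT\x90\x90"

# Constructed sample files. Only the malware sample carries the payload string.
MALWARE_SAMPLE = SHARED_RUNTIME_STUB + b"DROP:%TEMP%\\svc.exe;RUN" + b"\xcc" * 8
LEGIT_PROGRAM_V1 = SHARED_RUNTIME_STUB + b"ABOUT:FreeTool 1.0" + b"\x00" * 8
# "Recompiled" build: same author, one changed string, hence a new file hash.
LEGIT_PROGRAM_V2 = SHARED_RUNTIME_STUB + b"ABOUT:FreeTool 1.1" + b"\x00" * 8

SIGNATURES = [
    # Specific: a byte string only the (constructed) malware family carries.
    Signature("Trojan.DemoDropper.A", b"DROP:%TEMP%\\svc.exe;RUN", generic=False),
    # Generic catch-all: a fragment of the shared runtime stub. Cheap to write,
    # but it matches every program built with that runtime.
    Signature("TR/Demo.Gen", b"RT_INIT\x90\x90", generic=True),
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(data: bytes, signatures=SIGNATURES) -> list[Signature]:
    """Return every signature whose byte pattern occurs in the file."""
    return [sig for sig in signatures if sig.pattern in data]


def classify(data: bytes, allowlist: frozenset[str] = frozenset(),
             signatures=SIGNATURES) -> str:
    """Verdict a cautious engine should give.

    - a vendor-reviewed hash on the allowlist wins over any signature,
    - a specific signature justifies a "malware" verdict,
    - a generic-only hit is reported as "suspicious", not as known malware.
    """
    if sha256(data) in allowlist:
        return "known-good"
    hits = scan(data, signatures)
    specific = [s.name for s in hits if not s.generic]
    generic = [s.name for s in hits if s.generic]
    if specific:
        return "malware:" + ",".join(specific)
    if generic:
        return "suspicious:" + ",".join(generic)
    return "clean"


def demo() -> dict:
    """Walk through the false-positive cycle described in the thread."""
    before = classify(LEGIT_PROGRAM_V1)            # generic hit: suspicious
    # The author submits the file; a human confirms it is clean and the
    # vendor allowlists that exact build by hash.
    allow = frozenset({sha256(LEGIT_PROGRAM_V1)})
    after = classify(LEGIT_PROGRAM_V1, allow)      # known-good
    rebuilt = classify(LEGIT_PROGRAM_V2, allow)    # new hash: suspicious again
    malware = classify(MALWARE_SAMPLE, allow)      # specific hit: malware
    return {"before": before, "after": after, "rebuilt": rebuilt, "malware": malware}


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:>8}: {verdict}")
```

The point of the `generic` flag is the wording issue raised in the thread: the engine knows whether the hit came from a family-specific string or from a catch-all fragment, so it can honestly say "suspicious" instead of "is malware" for the latter. The allowlist step shows why a false-positive fix tied to one file hash does not survive a rebuild, which is exactly the "same boat next time I compiled" complaint.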
#34
Malwarebytes warning

| There have been many suggestions over the years NOT to touch the
| Registry repair in MBAM (or anywhere else). I don't have the OP's
| post, but I believe he complained about registry damage. Best to
| avoid letting MBAM touch it.
|
|
| MBAM doesn't perform 'registry repair' It can remove bad/unwanted keys
| and reset others to MS defaults.

You don't call that Registry repair? If not then we're just quibbling over terminology. The MB I ran listed mostly Registry "threats". It even made up official sounding names for them. The tweak to stop IE from blocking downloads gets the name "PUM.LowRiskFileTypes". Sounds like a virus. Turns out "PUM" stands for "potentially unwanted modification". Would you expect the average person to understand all that? Many people might apply the IE nag-stop without understanding the details. Those same people might very well run MB, see scary threats with names like "PUM.LowRiskFileTypes", and let MB fix them. Whether you call that repair or not is splitting hairs.
#35
Malwarebytes warning

Mayayana presented the following explanation:

>>> Avira tagged my own EXE I wrote to them. I got back a robo-email telling me to upload the problem EXE. But it wasn't a problem EXE. Avira was tagging 6 of my EXEs. And if they issued a fix for those I'd be back in the same boat next time I compiled a new version.
>>
>> Something was either off in the way you were designing the exes, or protecting them after post compile. As they are most likely HLL written,
>
> I don't know what "HLL" stands for. Should I?

You're using one, so no you shouldn't necessarily know what it is.

[...]
#36
Malwarebytes warning

| I don't know what "HLL" stands for. Should I?
|
| You're using one, so no you shouldn't necessarily know what it is.
|

Thanks. You're very helpful.

Frankly, I think all of this arguing is just confusing things. There's one simple "takeaway": As FredW said, don't let anti-malware software change anything unless you fully understand the implications and what is being changed. Period.
#37
Malwarebytes warning

| I don't know what "HLL" stands for. Should I?
|
| You're using one, so no you shouldn't necessarily know what it is.
|

It just occurred to me.... high level language? Do you really want to wander even further afield into a programming ****ing contest worthy of the cranks on slashdot? None of this has anything to do with the original topic, unless you're making the claim that only hardcore C programming geeks, armed with lots of obscure acronyms, are capable of using MalwareBytes. That would seem to me, well... a teensy weensy bit extreme.
#38
Malwarebytes warning

Mayayana laid this down on his screen:

>>> I don't know what "HLL" stands for. Should I?
>>
>> You're using one, so no you shouldn't necessarily know what it is.
>
> It just occurred to me.... high level language? Do you really want to wander even further afield into a programming ****ing contest worthy of the cranks on slashdot?

No, I was just answering your question. There's really no reason for someone to know what HLL means unless they desire to make some distinction between that and the more intimate machine languages.

> None of this has anything to do with the original topic, unless you're making the claim that only hardcore C programming geeks, armed with lots of obscure acronyms, are capable of using MalwareBytes.

To me, C is just another HLL. There is no need for the C programmer to know the underlying code except for debugging the compiler's output if that becomes necessary.

> That would seem to me, well... a teensy weensy bit extreme.

No, one doesn't even need to be a programmer to use these tools. It does however help with understanding just exactly how things can go wrong.
#39
Malwarebytes warning

"Mayayana" wrote in message ...

> | There have been many suggestions over the years NOT to touch the
> | Registry repair in MBAM (or anywhere else). I don't have the OP's
> | post, but I believe he complained about registry damage. Best to
> | avoid letting MBAM touch it.
> |
> |
> | MBAM doesn't perform 'registry repair' It can remove bad/unwanted keys
> | and reset others to MS defaults.
>
> You don't call that Registry repair? If not then we're just quibbling over terminology. The MB I ran listed mostly Registry "threats". It even made up official sounding names for them. The tweak to stop IE from blocking downloads gets the name "PUM.LowRiskFileTypes". Sounds like a virus. Turns out "PUM" stands for "potentially unwanted modification". Would you expect the average person to understand all that? Many people might apply the IE nag-stop without understanding the details. Those same people might very well run MB, see scary threats with names like "PUM.LowRiskFileTypes", and let MB fix them. Whether you call that repair or not is splitting hairs.

Would you not set PUP and PUM to be 'fixed' automatically? Even if I saw the thing it was warning against I still wouldn't have a clue.

This is a very interesting thread and it has thrown things up that concern me. Users like me just trust the stuff to work! In the past I had dreadful problems with Norton and would never touch it again. Are you saying I ought to be wary of this? I would appreciate any advice on how to set these things.

--
http://www.helpforheroes.org.uk/shop/
#40
Malwarebytes warning

Ophelia wrote:

> Would you not set PUP and PUM to be 'fixed' automatically? Even if I

It is always a bad idea to let security software act automatically. There were false alarms in the past where parts of the operating system were quarantined: it means the computer doesn't start, doesn't work as expected, etc. (As an example, google for Avira and Panda.)

So the best thing is to configure such programs to "only inform me, don't do anything as long as I don't tell you". Then, if such a program claims that there is a problem, one has to investigate: friends, colleagues and via the Internet.
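Posts #34 and #40 together describe what a careful tool should do with a "PUM": treat a non-default setting as a finding to explain, not as malware, report it in "only inform me" mode, apply only the fixes the user approves, and keep enough state to put the setting back if the fix turns out to break something (the IE download prompt and the firewall are the two cases the thread keeps returning to). The Python below is an added illustration of that workflow over a constructed in-memory snapshot; it is not Malwarebytes code and touches no live registry. The two registry value paths are real Windows locations (the Attachment Manager policy that holds `LowRiskFileTypes`, and the firewall standard-profile `EnableFirewall` value), but the detection names other than the thread's own "PUM.LowRiskFileTypes", the explanatory text and the snapshot contents are all constructed for the example.

```python
"""Report-only PUM check with a reversible journal (added example, not from
the thread or from Malwarebytes).

A "potentially unwanted modification" is a setting that differs from the
Windows default. This models the behaviour the thread asks for: list such
settings with a plain-language explanation, change nothing unless the user
approves each item, and journal the previous value so a fix can be undone.
The snapshot is a constructed dict standing in for registry values; the two
value paths are real Windows locations, the rest is made up for the demo.
"""
from dataclasses import dataclass, field

LOWRISK_PATH = (r"HKCU\Software\Microsoft\Windows\CurrentVersion"
                r"\Policies\Associations\LowRiskFileTypes")
FIREWALL_PATH = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"
                 r"\Parameters\FirewallPolicy\StandardProfile\EnableFirewall")


@dataclass(frozen=True)
class Rule:
    name: str          # detection label in the PUM.<Name> style
    path: str          # registry value path this rule checks
    default: object    # value Windows ships with (None = value absent)
    meaning: str       # what the non-default value does, in plain language
    side_effect: str   # what the user will notice if the value is reverted


RULES = [
    Rule("PUM.LowRiskFileTypes", LOWRISK_PATH, None,
         "File extensions IE / Attachment Manager downloads without the security prompt.",
         "Reverting brings back the download prompt or block for those extensions."),
    # Constructed name in the page's PUM.* style; not a real product label.
    Rule("PUM.FirewallDisabled", FIREWALL_PATH, 1,
         "Windows Firewall standard profile is turned off.",
         "Reverting turns the firewall back on; some programs may then need an exception."),
]


@dataclass(frozen=True)
class Finding:
    rule: Rule
    current: object


@dataclass
class Journal:
    """Quarantine-style record of what was changed, newest last."""
    entries: list = field(default_factory=list)


def scan(snapshot: dict) -> list[Finding]:
    """Report every rule whose value differs from the default. An absent value
    counts as the default, so a missing EnableFirewall is not a finding."""
    findings = []
    for rule in RULES:
        current = snapshot.get(rule.path, rule.default)
        if current != rule.default:
            findings.append(Finding(rule, current))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """'Only inform me' output: name, where, what it means, what fixing does."""
    lines = []
    for f in findings:
        lines.append(f"{f.rule.name}: {f.rule.path}")
        lines.append(f"  current={f.current!r} default={f.rule.default!r}")
        lines.append(f"  what it is: {f.rule.meaning}")
        lines.append(f"  if fixed:   {f.rule.side_effect}")
    return lines


def fix(snapshot: dict, findings: list[Finding], approved: set, journal: Journal) -> dict:
    """Apply only the user-approved fixes; journal each prior value first."""
    new = dict(snapshot)
    for f in findings:
        if f.rule.name not in approved:
            continue
        journal.entries.append({"path": f.rule.path, "previous": f.current})
        if f.rule.default is None:
            new.pop(f.rule.path, None)
        else:
            new[f.rule.path] = f.rule.default
    return new


def restore(snapshot: dict, journal: Journal) -> dict:
    """Undo every journaled change in reverse order (restore from quarantine)."""
    new = dict(snapshot)
    for entry in reversed(journal.entries):
        if entry["previous"] is None:
            new.pop(entry["path"], None)
        else:
            new[entry["path"]] = entry["previous"]
    journal.entries.clear()
    return new


# Constructed snapshot: the IE download tweak applied, firewall switched off.
CONSTRUCTED_SNAPSHOT = {LOWRISK_PATH: ".exe;.zip", FIREWALL_PATH: 0}

if __name__ == "__main__":
    found = scan(CONSTRUCTED_SNAPSHOT)
    print("\n".join(report(found)))
    journal = Journal()
    fixed = fix(CONSTRUCTED_SNAPSHOT, found, {"PUM.FirewallDisabled"}, journal)
    print("after approved fix:", fixed)
    print("after restore:     ", restore(fixed, journal))
```

Running it prints both findings with their explanations, applies only the firewall fix because that is the only approved item, and then restores the snapshot from the journal. The design choice worth noting is that `scan` treats an absent value as the default: a rule that fired on "value missing" would itself produce the kind of spurious finding the thread complains about.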
#41
Malwarebytes warning

"ha" wrote in message ...

> Ophelia wrote:
>
>> Would you not set PUP and PUM to be 'fixed' automatically? Even if I
>
> It is always a bad idea to let security software act automatically. There were false alarms in the past where parts of the operating system were quarantined: it means the computer doesn't start, doesn't work as expected, etc. (As an example, google for Avira and Panda.)
>
> So the best thing is to configure such programs to "only inform me, don't do anything as long as I don't tell you". Then, if such a program claims that there is a problem, one has to investigate: friends, colleagues and via the Internet.

Thank you very much!

--
http://www.helpforheroes.org.uk/shop/
#42
Malwarebytes warning

"jetjock" wrote in message ...

> On Thu, 26 Nov 2015 12:43:42 -0000, "Ophelia" wrote:
>
>> "Mayayana" wrote in message ...
>>
>>> | There have been many suggestions over the years NOT to touch the
>>> | Registry repair in MBAM (or anywhere else). I don't have the OP's
>>> | post, but I believe he complained about registry damage. Best to
>>> | avoid letting MBAM touch it.
>>> |
>>> |
>>> | MBAM doesn't perform 'registry repair' It can remove bad/unwanted keys
>>> | and reset others to MS defaults.
>>>
>>> You don't call that Registry repair? If not then we're just quibbling over terminology. The MB I ran listed mostly Registry "threats". It even made up official sounding names for them. The tweak to stop IE from blocking downloads gets the name "PUM.LowRiskFileTypes". Sounds like a virus. Turns out "PUM" stands for "potentially unwanted modification". Would you expect the average person to understand all that? Many people might apply the IE nag-stop without understanding the details. Those same people might very well run MB, see scary threats with names like "PUM.LowRiskFileTypes", and let MB fix them. Whether you call that repair or not is splitting hairs.
>>
>> Would you not set PUP and PUM to be 'fixed' automatically? Even if I saw the thing it was warning against I still wouldn't have a clue.
>
> Do you not know how to do an Internet search for whatever is found? I surely don't pretend to know what all the things in Windows mean, but by Googling or DuckDuckGo-ing the term I will get enough responses to help me determine if it's legit or should be removed.

I certainly do know how to do internet searches.

>> This is a very interesting thread and it has thrown things up that concern me. Users like me just trust the stuff to work! In the past I had dreadful problems with Norton and would never touch it again. Are you saying I ought to be wary of this? I would appreciate any advice on how to set these things.

--
http://www.helpforheroes.org.uk/shop/
#43
Malwarebytes warning

In message , jetjock writes:

> On Thu, 26 Nov 2015 12:43:42 -0000, "Ophelia" wrote:
>
>> "Mayayana" wrote in message ...
>>
>> []
>>
>>> understanding the details. Those same people might very well run MB, see scary threats with names like "PUM.LowRiskFileTypes", and let MB fix them. Whether you call that repair or not is splitting hairs.
>>
>> Would you not set PUP and PUM to be 'fixed' automatically? Even if I saw the thing it was warning against I still wouldn't have a clue.
>
> Do you not know how to do an Internet search for whatever is found? I surely don't pretend to know what all the things in Windows mean, but by Googling or DuckDuckGo-ing the term I will get enough responses to help me determine if it's legit or should be removed.

That wouldn't help if you _had_ chosen "fix automatically".

>> This is a very interesting thread and it has thrown things up that

+1. When the protagonists can step back from disagreeing for its own sake (does the fact that I'm watching an episode of Deep Space 9 involving some Klingons determined to die in honourable battle influence my thinking on this!), there is much useful information being let slip by both sides.

>> concern me. Users like me just trust the stuff to work! In the past I had dreadful problems with Norton and would never touch it again. Are you saying I ought to be wary of this? I would appreciate any advice on how to set these things.

The consensus seems to be set them to ask you about what they find, rather than "fix" things automatically. Any more than that - e.g. on how to _make_ the decision(s) you then have to make - there is less consensus about (-:!

--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

Lewis: ... d'you think there's a god?
Morse: ... There are times when I wish to god there was one. (Inspector Morse.)
#44
Malwarebytes warning

>> This is a very interesting thread and it has thrown things up that
>
> +1. When the protagonists can step back from disagreeing for its own sake (does the fact that I'm watching an episode of Deep Space 9 involving some Klingons determined to die in honourable battle influence my thinking on this!), there is much useful information being let slip by both sides.

lol I feel pretty much like a Klingon atm. I am recovering from flu so you just hit the spot <g>

>> concern me. Users like me just trust the stuff to work! In the past I had dreadful problems with Norton and would never touch it again. Are you saying I ought to be wary of this? I would appreciate any advice on how to set these things.
>
> The consensus seems to be set them to ask you about what they find, rather than "fix" things automatically. Any more than that - e.g. on how to _make_ the decision(s) you then have to make - there is less consensus about (-:!

Indeed I have now changed those settings so I am very grateful for the discussion

--
http://www.helpforheroes.org.uk/shop/
#45
Malwarebytes warning

On 11/24/2015 9:47 PM, Mayayana wrote:

> | * The disk imaging executable for BootIt. (MB
> | called it "Backdoor.Bifrose", even though the
> | description for a bifrose infection shares nothing
> | in common with the file MB wanted to delete.)
> |
> | Interesting, I will have to watch for this.
> |
>
> That particular file is C:\image.exe
>
> | I then tried the latest Microsoft Malicious Software
> | Removal tool. That worked fine. It found no problems.
> |
> | Lol, be serious! You'll never find anything with that!
> |
>
> That seems to be the consensus. I thought I'd read somewhere that it was pretty good, but didn't research it. This all came out of an issue where I was getting messages about Windows being unable to access files. I was trying out some malware hunter options to be on the safe side, though it seems the problem ended up being another category of software that tends to overstep its job: My firewall settings were allowing it to monitor running programs. I had recently reinstalled the system and hadn't adjusted those settings.
>
> | Just do what you've done, review its findings.
> | It's still the best tool out there.
>
> I would look into the details of any such reports, anyway. My concern was for others who might have limited experience combined with undue confidence in malware hunters.

I appreciate Mayayana's observations in what she found Mbam doing, using it as an 'Mbam beginner' (though an experienced computer user among her other areas on Usenet), and giving warning to other newbies to using the program; especially those who are not used to sleuthing or with limited experience. Reading reviews of this nature is both helpful and a reminder, for at least myself, to be cautious with any new program, even with programs that have a great track record.

JA