Malwarebytes warning

Jason
Sun, 22
Nov 2015 22:53:28 GMT in alt.windows7.general, wrote:

On Sun, 22 Nov 2015 16:43:07 -0500 "Stan Brown"
wrote in article
MPG.30bc00f2d87d37bd98f296 @news.individual.net

I am a normal home user, I have not had to change any defaults,
and I have not been bugged by Malwarebytes.


There have been many suggestions over the years NOT to touch the
Registry repair in MBAM (or anywhere else). I don't have the OP's
post, but I believe he complained about registry damage. Best to
avoid letting MBAM touch it.


MBAM doesn't perform 'registry repair' It can remove bad/unwanted keys
and reset others to MS defaults. I don't know where you've read many
suggestions over the years concerning MBAM and the registry, either.

Without seeing some in context, it's hard to say how reliable the
advice is and/or what it's based on.


--
Error: Creative signature file missing

"Mayayana"
Sun, 22 Nov 2015 20:51:29 GMT in alt.windows7.general, wrote:

By overstep I mean saying xyz.exe is known
malware when the program really doesn't know.
It should inform the user as best it can: "This
may be suspicious". It shouldn't be tagging
things like security settings in the Registry as
malware. If it can't provide an informative
explanation of why the setting might be risky
then that item should be left out of the "threat"
list.

As I told you, I've long disagreed with the wording concerning some
registry key settings when they're detected as non default.

The threat should be obvious. If you didn't make the changes, you
might not know that your firewall is off, av is off, etc. A normal
user probably doesn't want the firewall off and have no notification
that it's indeed off. Malware would prefer things this way, though.

When I first started using computers I used to
run Norton System Works. It would find the usual
142 problems and I'd be delighted to get them all
fixed. I felt like I had my own Special Forces attack
squad. It never occurred to me that some of the
"problems" might be frivolous or even problematic
to fix. No doubt a lot of inexperienced people feel
the same way about such programs as MB. Worse,
those programs encourage trust with their tough-
guy-against-evil style of presentation.

Norton system works 'registry' repair has borked many a machine. I
finally convinced a former employer to not only stop using it him,
but stop asking/making us use it on computers in for servicing.
Registry cleaners generally, do not, work.

If I were an average computer user I would have
told MB to fix all the problems it found. It gave no
indication that my computer might survive if I didn't
fix them. I might have never figured out that the
resulting problems were actually caused by MB.

MBAM leaves logs and has a quarantine area. If it makes changes that
cause problems, they can be reversed by restoring from quarantine. At
no time, based on what you decribed, would MBAM have 'nuked' your
entire machine had you just let it run. Some apps might not function
properly as a result. You *should* have viable copies of your system
registry hives. if you don't already, please create some soon. So in
the event that happened, you'd have a known good registry to come
back from.


| This is a false positive. if you email them a copy of the file
| and/or post in the forums, they can resolve this for you and
| anyone else who might also be affected by it.
|

In my experience it doesn't work that way.

I didn't ask about your experience, and, with MBAM, it does work that
way. I know this because I worked for them as a malware researcher
and we always encouraged users to send us suspect files. A human
WOULD examine it and make the necessary changes. I'm not in the habit
of giving advice that will waste your time.

Avira tagged my own EXE I wrote to them. I got
back a robo-email telling me to upload the problem
EXE. But it wasn't a problem EXE. Avira was tagging
6 of my EXEs. And if they issued a fix for those I'd
be back in the same boat next time I compiled a
new version.

Something was either off in the way you were designing the exes, or
protecting them after post compile. As they are most likely HLL
written, it's also possible it was hitting on valid code that would
also be present in malware; say a section of your programming
languages runtime code. It might have been a simple enough fix to
move the location of some of your own subroutines in the source file
and recompile; as this will change the binary appearance and could
have moved the code the AV was false hitting to another location. IE:
AV no longer hitting on it.

I had to do this with BugHunter because it shared some common code
with actual malware written years before. Moving the location of the
necessary routines solved the issue.

altogether, and that their catchall category they
call "TR/Dropper.Gen" was a problem.

It sounds like you were packing your executable with a
compressor/executable protection program before releasing to the
public then?

The same would be true for the BootIt EXE. Even
if MB responds, in a few months I'll probably have a
BootIt update. Depending on people to essentially
run beta test software is not a way to design
malware hunters.

Have you ever taken the time to try writing one? I have. It's not an
easy thing to do and you're always having to tweak and make changes
to your technology as you go. False positives will come up, because
most malware these days is written in a high level language, no
different than a legit program would be. This makes isolating actual
malware code from code that could be found inside a legit program,
difficult.


So yes, when a legit file accidently gets hit, you ARE HELPING the
company if you submit it for analysis to them. You're helping other
users of the product avoid the issue you're having as well. It's a
win win.

In any case, all of that is beside the point. It's
not for me that I started this thread. It's for the
people who might be a bit too trusting and
enthusiastic with AV/mawlare products.

I have no problem with your thread. As long as you have no problem
with my interjecting good/sound advice and explaining some of the
issues you were having.

| This can be ignored in MBAM. is it another tweak you've set
| yourself?

A tweak? No. Windows Media Player ActiveX
control is pre-installed on all Windows systems.
It's a core component. The Registry key is
the HKCR\CLSID COM key that allows software
to find and use the control in order to play media
files. Without that entry the control -- and thus
some software -- would break. MB called it a
"Rogue.Regsort", which a bit of research indicates
may be very nasty ransomware. (MB didn't say
the setting *might* be Rogue.Regsort. MB said it
*is* Rogue.Regsort and marked it for removal.)

AFAIK, MBAMs language files do not have the ability to say, "this
could be malware". Like I said, MBAM still has some cosmetic issues
and some work should be done on better explaining detections which
might not be harmful.

| Not all of the items would have caused problems as in system
| instability if removed, although some programs might have been
| affected in a negative way. You're exaggerating a bit here. The
| last three items would cause you unwanted nag screens and nothing
| more. That is why you disabled them, right?

Yes. And another would have stopped my disk
imaging software from working. Another would
have prevented me using some libraries in my
software, for lack of a license. Another would
have broken Windows Media Player. Worse, none
of those would have been obviously caused by
MB, so I likely would have spent a long time trying
to figure out what was broken.

Your own apparent inability to effectively troubleshoot isn't the
fault of MBAM. Your lack of knowledge of the software isn't the fault
of MBAM either. MBAM has a quarantine system. If it makes changes
that you aren't okay with, you can restore them from quarantine.

How much damage does it need to do before you'd count
it as a problem?

If it was doing damage and this wasn't a pebkac issue, I'd consider
it a problem.


While your points make some sense
*for you* personally, I think you're making excuses
for a product that you feel some loyalty toward.

I'm not making any excuses for the product or your own
misunderstanding of what it is and how it works, either. I have no
loyalty to the program. I'd say the same thing if you bitched about
another program you don't actually understand well. The advice would
also have been the same as the issues you experienced ARE
correctable.

The points I made make sense to anyone who understands what the
program is doing and why it's doing it.

There's really just no excuse for things like labelling
a Microsoft ActiveX control Registry setting as
ransomware.... Well, except maybe if it's those
Win10 nagware settings.

I already covered this. I don't agree with some of the language MBAM
uses when things that aren't actually malware are detected either. I
make no excuse for it, I was on them for years concerning it.


--
Error: Creative signature file missing

| Avira tagged my own EXE I wrote to them. I got
| back a robo-email telling me to upload the problem
| EXE. But it wasn't a problem EXE. Avira was tagging
| 6 of my EXEs. And if they issued a fix for those I'd
| be back in the same boat next time I compiled a
| new version.
|
| Something was either off in the way you were designing the exes, or
| protecting them after post compile. As they are most likely HLL
| written,

I don't know what "HLL" stands for. Should I?
There was nothing "off in the design" of the EXEs
that I know of. The compiler has never asked for
my design ideas. It's actually a common problem,
and an example of the outdated approach of AV
software. There are millions of "virus signatures",
which are simply byte strings considered unique.
Avira found something in my EXE that apparently
looked similar. (It clearly wasn't a match. In that
case Avira would have said it was xyz virus and not
assigned it the meaningless name of "TR/Dropper.Gen",
which they use as a catchall diagnosis.)

After the Avira warning, and their non-responsiveness,
I had to install Avira and test. I tried various things
to change the exact byte order. What finally worked
was to allow the compiler to add code to check for
invalidly large integer values. Essentially I had to add
unnecessary code to slow down my code.

So it's fixable, yes. But it's a hassle. It's not
realistic to install all the popular AV programs and run
them all with each compile. And it's not something I'm
willing to do with freeware.
And there's a bigger problem with this: People using
my software are getting warnings. In the case I'm talking
about I was fortunate that someone wrote to me and
told me about it. It's possible that my software is setting
off alarms in other AV products now and I won't know
because no one has told me. To imply that that is somehow
my fault simply doesn't make sense.

Increasingly I've been taking the approach of letting
people know about bugs I'm aware of, recommending
against Avira, and generally warning that my software
may not always work properly if people lock down their
machines.

| altogether, and that their catchall category they
| call "TR/Dropper.Gen" was a problem.
|
| It sounds like you were packing your executable with a
| compressor/executable protection program before releasing to the
| public then?
|

No. It's just a plain EXE, VB6 code compiled with Visual
Studio 6. No "design". No aspack, UPX, or other compressors.
It's free software, so there are no protection tricks. Again,
your reasoning that a false positive must be the fault of
the software author is backward.

| The same would be true for the BootIt EXE. Even
| if MB responds, in a few months I'll probably have a
| BootIt update. Depending on people to essentially
| run beta test software is not a way to design
| malware hunters.
|
| Have you ever taken the time to try writing one? I have. It's not an
| easy thing to do and you're always having to tweak and make changes
| to your technology as you go.

You mean with AV software? No, I haven't written
any. Yes, I'm sure it takes a lot of work. And now I
know why you're blaming the person who writes the
software that sets off a false positive. Bugs are
bugs. Avira was not even willing to talk about their
bug. To say it's a tricky job writing AV software is
not an excuse for a poor product. But I don't really
think it's mostly the fault of the AV companies, either.
As I was saying above, the whole concept of AV
virus definitions/signatures is long outdated. People
are running software that scans every process started,
looking for any one of millions of byte strings, and
even then only works with malware that's already
known. If computers didn't currently have far more
power than people are using then no one would
even put up with the resource drag of AV software.

| Your own apparent inability to effectively troubleshoot isn't the
| fault of MBAM. Your lack of knowledge of the software isn't the fault
| of MBAM either. MBAM has a quarantine system. If it makes changes
| that you aren't okay with, you can restore them from quarantine.


You're reacting defensively, making excuses for
MB. I've said repeatedly that I can and do research
these things, and that my post was meant only
to warn people who might be too trusting.

Say, for example, someone has used the IE download
tweak for safe file types and allows MB to "fix" it
without understanding what it is. Later, IE refuses to
let them download an EXE file. It's unlikely they'll
connect that to the MB changes. They'll just be
confused. So the "quarantine" will be of little use.

If you read my original post you'll see that while
I didn't hide my low regard for malware/AV software
in general, the point of that post was just to warn
people who might be too trusting. I see people here,
time and again, talk about running numerous malware
checkers whenever something seems off. That
means a lot of people don't know how to go about
diagnosing problems and turn first to malware hunters.
They need to know to take those programs with a
grain of salt and to research any malware warnings
before letting the software make changes.

| There have been many suggestions over the years NOT to touch the
| Registry repair in MBAM (or anywhere else). I don't have the OP's
| post, but I believe he complained about registry damage. Best to
| avoid letting MBAM touch it.
|
|
| MBAM doesn't perform 'registry repair' It can remove bad/unwanted keys
| and reset others to MS defaults.

You don't call that Registry repair? If not then
we're just quibbling over terminolgy. The MB I
ran listed mostly Registry "threats". It even
made up official sounding names for them. The
tweak to stop IE from blocking downloads gets
the name "PUM.LowRiskFileTypes". Sounds like
a virus. Turns out "PUM" stands for "potentially
unwanted modification". Would you expect
the average person to understand all that? Many
people might apply the IE nag-stop without
understanding the details. Those same people might
very well run MB, see scary threats with names
like "PUM.LowRiskFileTypes", and let MB fix them.
Whether you call that repair or not is splitting hairs.

Mayayana presented the following explanation :
Avira tagged my own EXE I wrote to them. I got
back a robo-email telling me to upload the problem
EXE. But it wasn't a problem EXE. Avira was tagging
6 of my EXEs. And if they issued a fix for those I'd
be back in the same boat next time I compiled a
new version.

Something was either off in the way you were designing the exes, or
protecting them after post compile. As they are most likely HLL
written,

I don't know what "HLL" stands for. Should I?

You're using one, so no you shouldn't necessarily know what it is.

[...]

| I don't know what "HLL" stands for. Should I?
|
| You're using one, so no you shouldn't necessarily know what it is.
|

Thanks. You're very helpful.

Frankly, I think all of this arguing is just
confusing things. There's one simple "takeaway":
As FredW said, don't let anti-malware software
change anything unless you fully understand the
implications and what is being changed. Period.

| I don't know what "HLL" stands for. Should I?
|
| You're using one, so no you shouldn't necessarily know what it is.
|

It just occurred to me.... high level language?
Do you really want to wander even further afield
into a programming ****ing contest worthy of the
cranks on slashdot?

None of this has anything to do with the original
topic, unless you're making the claim that only
hardcore C programming geeks, armed with lots of
obscure acronyms, are capable of using MalwareBytes.

That would seem to me, well... a teensy weensy
bit extreme.

Mayayana laid this down on his screen :
I don't know what "HLL" stands for. Should I?

You're using one, so no you shouldn't necessarily know what it is.


It just occurred to me.... high level language?
Do you really want to wander even further afield
into a programming ****ing contest worthy of the
cranks on slashdot?

No, I was just answering your question. There's really no reason for
someone to know what HLL means unless they desire to make some
distinction between that and the more intimate machine languages.

None of this has anything to do with the original
topic, unless you're making the claim that only
hardcore C programming geeks, armed with lots of
obscure acronyms, are capable of using MalwareBytes.

To me, C is just another HLL. There is no need for the C programmer to
know the underlying code except for debugging the compiler's output if
that becomes necessary.

That would seem to me, well... a teensy weensy
bit extreme.

No, one doesn't even need to be a programmer to use these tools. It
does however help with understanding just exactly how things can go
wrong.

"Mayayana" wrote in message
...
| There have been many suggestions over the years NOT to touch the
| Registry repair in MBAM (or anywhere else). I don't have the OP's
| post, but I believe he complained about registry damage. Best to
| avoid letting MBAM touch it.
|
|
| MBAM doesn't perform 'registry repair' It can remove bad/unwanted keys
| and reset others to MS defaults.

You don't call that Registry repair? If not then
we're just quibbling over terminolgy. The MB I
ran listed mostly Registry "threats". It even
made up official sounding names for them. The
tweak to stop IE from blocking downloads gets
the name "PUM.LowRiskFileTypes". Sounds like
a virus. Turns out "PUM" stands for "potentially
unwanted modification". Would you expect
the average person to understand all that? Many
people might apply the IE nag-stop without
understanding the details. Those same people might
very well run MB, see scary threats with names
like "PUM.LowRiskFileTypes", and let MB fix them.
Whether you call that repair or not is splitting hairs.

Would you not set PUP and PUM to to be 'fixed' automatically? Even if I saw
the thing it was warning against I still wouldn't have a clue. This is a
very interesting thread and it has thrown things up that concern me. Users
like me just trust the stuff to work! In the past I had dreadful problems
with Norton and would never touch it again. Are you saying I ought to be
wary of this?. I would appreciate any advice on how to set these things.


--
http://www.helpforheroes.org.uk/shop/

Ophelia schrieb:



Would you not set PUP and PUM to to be 'fixed' automatically? Even if I

It is always a bad idea, to let Security-Software act automatically.

There were false alarms in the past, where parts of the operating
systems are quarantined: It means, the computer don't start, don't work
as expected etc. (As example google for Avira and Panda)

So the best thing is, to configure such programs to "only inform me,
don't do anything as long I don't tell you".

Then, if such a program claims, that there is a problem: one has to
investigate: Friends, colleagues and via Internet.

"ha" wrote in message
...
Ophelia schrieb:



Would you not set PUP and PUM to to be 'fixed' automatically? Even if I

It is always a bad idea, to let Security-Software act automatically.

There were false alarms in the past, where parts of the operating
systems are quarantined: It means, the computer don't start, don't work
as expected etc. (As example google for Avira and Panda)

So the best thing is, to configure such programs to "only inform me,
don't do anything as long I don't tell you".

Then, if such a program claims, that there is a problem: one has to
investigate: Friends, colleagues and via Internet.

Thank you very much!





--
http://www.helpforheroes.org.uk/shop/

"jetjock" wrote in message
...
On Thu, 26 Nov 2015 12:43:42 -0000, "Ophelia"
wrote:



"Mayayana" wrote in message
...
| There have been many suggestions over the years NOT to touch the
| Registry repair in MBAM (or anywhere else). I don't have the OP's
| post, but I believe he complained about registry damage. Best to
| avoid letting MBAM touch it.
|
|
| MBAM doesn't perform 'registry repair' It can remove bad/unwanted keys
| and reset others to MS defaults.

You don't call that Registry repair? If not then
we're just quibbling over terminolgy. The MB I
ran listed mostly Registry "threats". It even
made up official sounding names for them. The
tweak to stop IE from blocking downloads gets
the name "PUM.LowRiskFileTypes". Sounds like
a virus. Turns out "PUM" stands for "potentially
unwanted modification". Would you expect
the average person to understand all that? Many
people might apply the IE nag-stop without
understanding the details. Those same people might
very well run MB, see scary threats with names
like "PUM.LowRiskFileTypes", and let MB fix them.
Whether you call that repair or not is splitting hairs.

Would you not set PUP and PUM to to be 'fixed' automatically? Even if I
saw
the thing it was warning against I still wouldn't have a clue.

Do you not know how to do an Internet search for whatever is found? I
surely don't pretend to know what all the things in Windows mean, but
by Googling or DuckDuckGo-ing the term I will get enough responses to
help me determine if it's legit or should be removed.

I certainly do know how to do internet searches.



This is a very interesting thread and it has thrown things up that concern
me. Users
like me just trust the stuff to work! In the past I had dreadful problems
with Norton and would never touch it again. Are you saying I ought to be
wary of this?. I would appreciate any advice on how to set these things.

--
http://www.helpforheroes.org.uk/shop/

In message , jetjock
writes:
On Thu, 26 Nov 2015 12:43:42 -0000, "Ophelia"
wrote:



"Mayayana" wrote in message
...
[]
understanding the details. Those same people might
very well run MB, see scary threats with names
like "PUM.LowRiskFileTypes", and let MB fix them.
Whether you call that repair or not is splitting hairs.

Would you not set PUP and PUM to to be 'fixed' automatically? Even if I saw
the thing it was warning against I still wouldn't have a clue.

Do you not know how to do an Internet search for whatever is found? I
surely don't pretend to know what all the things in Windows mean, but
by Googling or DuckDuckGo-ing the term I will get enough responses to
help me determine if it's legit or should be removed.

That wouldn't help if you _had_ chosen "fix automatically".

This is a very interesting thread and it has thrown things up that

+1. When the protagonists can step back from disagreeing for it's own
sake (does the fact that I'm watching an episode of Deep Space 9
involving some Klingons determined to die in honourable battle influence
my thinking on this!), there is much useful information being let slip
by both sides.

concern me. Users
like me just trust the stuff to work! In the past I had dreadful problems
with Norton and would never touch it again. Are you saying I ought to be
wary of this?. I would appreciate any advice on how to set these things.

The consensus seems to be set them to ask you about what they find,
rather than "fix" things automatically. Any more than that - e. g. on
how to _make_ the decision(s) you then have to make - there is less
consensus about (-:!
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

Lewis: ... d'you think there's a god?
Morse: ... There are times when I wish to god there was one. (Inspector Morse.)

This is a very interesting thread and it has thrown things up that

+1. When the protagonists can step back from disagreeing for it's own sake
(does the fact that I'm watching an episode of Deep Space 9 involving some
Klingons determined to die in honourable battle influence my thinking on
this!), there is much useful information being let slip by both sides.

lol I feel pretty much like a Klingon atm. I am recovering from flu so you
just hit the spot g


concern me. Users
like me just trust the stuff to work! In the past I had dreadful
problems
with Norton and would never touch it again. Are you saying I ought to be
wary of this?. I would appreciate any advice on how to set these things.

The consensus seems to be set them to ask you about what they find, rather
than "fix" things automatically. Any more than that - e. g. on how to
_make_ the decision(s) you then have to make - there is less consensus
about (-:!

Indeed I have now changed those settings so I am very grateful for the
discussion

--
http://www.helpforheroes.org.uk/shop/

On 11/24/2015 9:47 PM, Mayayana wrote:
| * The disk imaging executable for BootIt. (MB
| called it "Backdoor.Bifrose", even though the
| description for a bifrose infection shares nothing
| in common with the file MB wanted to delete.)
|
| Interesting, I will have to watch for this.
|

That particular file is C:\image.exe

| I then tried the latest Microsoft Malicious Software
| Removal tool. That worked fine. It found no problems.
|
| Lol, be serious! You'll never find anything with that!
|

That seems to be the consensus. I thought I'd
read somewhere that it was pretty good, but didn't
research it.

This all came out of an issue where I
was getting messages about Windows being unable
to access files. I was trying out some malware hunter
options to be on the safe side, though it seems the
problem ended up being another category of software
that tends to overstep its job: My firewall settings
were allowing it to monitor running programs. I had
recently reinstalled the system and hadn't adjusted
those settings.

| Just do what you've done, review its findings.
| It's still the best tool out there.

I would look into the details of any such reports,
anyway. My concern was for others who might have
limited experience combined with undue confidence
in malware hunters.

I appreciate Mayanna's observations in what she found Mbam doing using it as a 'Mbam beginner' (though an experienced computer user among her other areas on usenet) and giving warning to other newbies to using the program; especially those who are not used to sleuthing or with limited experience. Reading reviews of this nature is both helpful and a reminder, for at least myself, to be cautious with any new program, even with programs that have a great track record.
JA