Re: Malwarebyte Anti-Malware finds many trojans, while others .... why?



VanguardLH <V@xxxxxxxxx> wrote in
news:gbm30a$vdi$1@xxxxxxxxxxxxxxxxxxxxxxxxx:

> Dustin Cook wrote:

>> VanguardLH <V@xxxxxxxxx> wrote in
>> news:gbkvv3$taq$1@xxxxxxxxxxxxxxxxxxxxxxxxx:

>>> As I can do for any false positive. What it found was a policy
>>> setting. What it offered was to change it. It was not a pest. It
>>> wasn't malware. It wasn't even anything the product should've
>>> complained about.

Yes, and it will continue to do so anytime it finds a policy key that
malware is known to alter. As we have no way of knowing whether you
did this on purpose, or something did it against your wishes, we
offer to correct it. If you did it on purpose, simply select ignore.
It however, isn't a false positive.

>> Obviously it's not a pristine installation if you already have
>> modified policy keys in place, Sir.

> Oh, so if the user ever actually USES their OS then they are
> susceptible to false positives? Kind of self-defeats the product.

See above.

>>> As it went, it wasn't bad at what it found but I know many users
>>> that would've simply gone along with the proposed suggestion to
>>> change the registry key. Most users don't know what those registry
>>> keys are for.

>> And that would re-enable the user's disabled menu item. Most users
>> wouldn't have those policy keys set in the first place. :)

> Right-click the taskbar, Properties, Start menu tab, Classic Start
> menu. You're saying few users choose to get rid of the fluffy
> Fisher-Price Start menu in Windows XP by choosing Classic? Then,

I have my Windows set up as Classic, with no fancy XP options. As my CPU
power is a bit lacking, and my video card hates me. :)

MBAM doesn't alert on me for those changes. You may have found a bug with
our engine, or perhaps something is amiss in our definitions. Can you be
more specific on how to duplicate this issue and exactly what MBAM says
concerning it? I will try to get this resolved. Now, if I edit my logoff
options, MBAM will alert on this, and let me know the policy key is
present.


> So you're calling those policies? Yes, perhaps domain policies can be
> pushed to a workstation to alter these settings, but you're also

Policies that are enabled, yes. We do not know if you set them, a group
setting configured them, or malware did it without your permission.

> tweak? I pointed out one customization that the product thought
> malware might touch. I'm sure there are other customizations through

I'm sorry. Like I said, we have no way of knowing if you caused the
change or if something else did.

> know the registry keys associated with each such customization. Did I
> miss where the product would actually explain the purpose of the
> registry key that it was warning about?

We don't go into too much detail, as the information is all contained in
a centralized style database, and it would become bloated pretty quick if
we went into thorough explanations for every little thing we detect.
In fact, to prevent confusion, MBAM refers to enabled policy keys as
hijacked.

> registry but through settings in dialog windows. Yes, I realize what
> you're saying that malware /could've/ altered that registry key but so
> can the user and those tweaks are not as esoteric as you make out to
> believe. The user might also use the security policy editor to


I'm not trying to make them into a huge deal, only explaining why we
detect some of them.

> editor that explains what changes are being made. The user isn't
> looking at registry settings, so the user won't know what registry
> keys are getting changed and they're not likely to remember them,
> anyway. Many customizations to Windows and for apps are in the
> registry but the user won't know which registry keys or data items are
> for what. That's why if you're going to shove the user into the
> registry for what might have possibly been touched by malware then

We don't shove the user into anything. We explain it's a HiJack point,
only. If the user doesn't want to do anything about it, they don't have
to. If they aren't sure, we do have a forum where they can post for
help.

> something needs to be told to the user about why the product thought
> it was a suspect source for malware. Maybe I missed where the product

It's not a source for malware, it's an option that's been enabled or
disabled, such as registry editor, task manager, desktop settings, etc
etc etc.

> wasn't expecting users to have to Google or dig through Microsoft's
> knowledgebase hoping to find info on a registry key, something that
> might not be available at the time they're trying to get rid of
> malware. That's why I suspect many reports claiming to have found a

We have users posting here asking how to get their desktop settings back
after having a fight with such and such malware, MBAM offers to do this,
and refers to it as a desktop hijack.

> pest could be these type of registry changes which the user committed
> deliberately but wouldn't know or memorize which particular keys or
> data items those settings affected in the registry.

Basically, any change you make in Windows is usually changing something
in the registry.

> Even after running this product to eliminate a pest, how many go back
> to analyze all the changes that got committed to determine which ones
> to undo? Why do you think registry cleaners are dangerous? Typical

MBAM isn't a registry cleaner. We do not go willy-nilly and take a guess
with keys. We do not attempt to delete keys we know nothing about.

> product proposes to make registry changes but undefined changes. The
> registry change wasn't explained in the product, so long after this

It clearly shows you a before and after. Before being bad, after being
good. What it is now, what it plans to change it to if allowed. How much
simpler can we make that?

> whether to undo a change or not? Typically something like this is the
> duty of a realtime scanner checking for critical system changes so the
> user gets immediate feedback at the time of the change to know it was
> related to something they just did, or could go look it up while the
> proposed change was still pending, or they can decide not to allow the
> change. By the time they get to running an on-demand scanner, like
> this one, it will be out of context and most such deliberate changes

MBAM can function as a resident scanner with the paid version. The free
version is restricted to on-demand only.

> earlier. Yes, there is a commercial version of this product that does
> add a realtime scanner but there already are other FREE products that
> already provide realtime coverage, detection, and alerts regarding
> critical registry keys.

Policy keys aren't always considered critical. We do not consider them as
such; irritating for new users, yes.

> Personally I wouldn't consider the Logoff entry in the Start menu to
> be a critical registry key but different folks have different opinions
> as to what is considered critical. Remember that I tweaked a setting,
> not a registry edit and not a policy editor change, and that setting

Your tweaked setting was actually a registry edit, which did set a policy
key. Now, whether you knew that was taking place at the time or not
doesn't much matter.


> was to *SHOW* the Logoff menu, not to hide it which is what malware
> might do. Why would malware offer MORE choices for the user to exit

Can you show me the MBAM log where this happened? It shouldn't have
alerted on the policy key alone, unless it was set to enabled, which
would hide, not show your logoff menu.


> a pristine state after the initial install of Windows. It depends on
> whether or not their *value* would have a negative impact on the user.
> There is actually some malware that turns /*on*/ the Logoff entry in
> the Start menu? Since the default state is off for this item, and

See above. MBAM shouldn't alert on that condition. Please provide your
logfile so we can get this cleared up.


--
Regards,
Dustin Cook, Author of BugHunter
BugHunter - http://bughunter.it-mate.co.uk
MalwareBytes - http://www.malwarebytes.org
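The thread's sticking point is context: by the time an on-demand scan flags a Policies\Explorer or Policies\System value as "hijacked", the user no longer remembers whether they set it themselves. An added example (not from the thread, MBAM or BugHunter): a PowerShell audit that records the user's deliberate policy state once, then reports only values that changed since, as before/after pairs like the ones Dustin describes. The value names are the documented Windows policy values for the items named in the thread (Log Off entry, desktop, Task Manager, Registry Editor); the baseline file location is an assumption.

```powershell
# Added example: baseline and diff the per-user policy values that hide Start menu,
# desktop, Task Manager and Registry Editor features. Read-only; it changes nothing.
$Baseline = Join-Path $env:USERPROFILE 'policy-baseline.json'   # assumed location

$Explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$System   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented policy values; a DWORD of 1 hides/disables the item named in Hides.
$Watch = @(
    @{ Key = $Explorer; Name = 'NoLogoff';             Hides = 'Log Off entry (Classic Start menu)' }
    @{ Key = $Explorer; Name = 'StartMenuLogoff';      Hides = 'Log Off entry (XP Start menu)' }
    @{ Key = $Explorer; Name = 'NoDesktop';            Hides = 'Desktop icons' }
    @{ Key = $System;   Name = 'DisableTaskMgr';       Hides = 'Task Manager' }
    @{ Key = $System;   Name = 'DisableRegistryTools'; Hides = 'Registry Editor' }
)

function Get-PolicyState {
    # One record per watched value: 'Absent' when the value does not exist, else its DWORD.
    foreach ($w in $Watch) {
        $v = (Get-ItemProperty -Path $w.Key -Name $w.Name -ErrorAction SilentlyContinue).($w.Name)
        [pscustomobject]@{
            Key   = $w.Key
            Name  = $w.Name
            Hides = $w.Hides
            Value = if ($null -eq $v) { 'Absent' } else { [int]$v }
        }
    }
}

$Now = Get-PolicyState

if (-not (Test-Path $Baseline)) {
    # First run: record what the user has deliberately set as the known-good state.
    $Now | ConvertTo-Json | Set-Content $Baseline
    $Now | Format-Table Name, Value, Hides -AutoSize
    Write-Host "Baseline saved to $Baseline"
    return
}

# Later runs: print only values that differ from the baseline, as before/after.
$Old = Get-Content $Baseline | ConvertFrom-Json
foreach ($n in $Now) {
    $o = $Old | Where-Object { $_.Key -eq $n.Key -and $_.Name -eq $n.Name }
    if ("$($o.Value)" -ne "$($n.Value)") {
        $effect = if ($n.Value -eq 1) { 'now hides' } else { 'no longer hides' }
        Write-Output ('{0}\{1}: before={2} after={3} ({4} {5})' -f $n.Key, $n.Name, $o.Value, $n.Value, $effect, $n.Hides)
    }
}
```

Run it once after finishing your own customizations; a later run that reports a value flipping to 1 is a change you did not make through the Start menu or Taskbar dialogs and is worth investigating, while a report of nothing means a scanner's "hijack" alert refers to a setting you already had.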

