Avast 7.0.1426 with definitions 12-05-15-0 is reporting that MBAMSwissArmy.Sys is a rootkit, and wanted to remove it.
(Edit: I have uploaded the file to avast via the Virus Chest)
You can report a possible FP here: http://www.avast.com/contact-form.php?loadStyles
What were you doing when this was detected ?
Or
What scan were you doing when this was detected ?
I have MBAM Pro and no alerts.
I can’t find any instance of MBAMSwissArmy.Sys on my system using explorer, so it is certainly a hidden driver if it does exist.
I had updated MBAM, and run a flash scan earlier in today’s session. A few minutes later — presumably during avast’s rootkit scan 8 minutes after bootup — I got a popup message saying that avast detected MBAMSwissArmy.sys as a rootkit. If there was any more information present, I couldn’t see it.
The choices were to delete it, or ignore. I ignored, so that I’d be able to investigate the matter further.
I know for a fact the file belongs to MBAM. In terms of the free version, the file is created/exists only while the user interface is open (it’s deleted when the UI is closed down). I am not at my home machine at the moment, and don’t recall its status/existence in the paid version… I can check again late this afternoon. When created, it’s located in C:\Windows\System32\drivers.
My only suggestion would be not to run any MBAM scan shortly after boot, as it being a hidden driver could fall foul of the anti-rootkit scan 8 minutes after boot, which is looking for such hidden drivers.
As AdrianH’s link shows, the file isn’t present until required, which is somewhat strange given the location the driver is created in (the C:\Windows\System32\drivers folder), so it could be considered suspicious as the driver would have been very recently created.
EDIT: Contrary to what it says in AdrianH’s link, the mbamswissarmy.sys file remains after the scan is complete certainly for the few minutes that I was monitoring it after the scan. So I’m going to kick off an anti-rootkit scan before it disappears.
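The posts above describe a driver that appears in C:\Windows\System32\drivers only while the MBAM UI is open and then disappears, which is exactly the pattern that trips a "hidden driver" heuristic. The following PowerShell snippet is an added triage example, not code from the thread or from Malwarebytes or avast: it checks whether the flagged file exists, whether it carries a valid Authenticode signature, and whether the Service Control Manager still knows a kernel driver that references it (a driver can remain loaded after its file is deleted). The driver path and the assumption that the service name matches the file's base name are illustrative guesses, not facts stated on this page.

```powershell
# Added example (not from the original thread). Assumptions: the driver path below,
# taken from the thread's description, and that a driver service name matches the
# file's base name. Adjust both for the file your AV actually reported.
param(
    [string]$DriverPath = 'C:\Windows\System32\drivers\mbamswissarmy.sys'  # assumed location
)

$baseName = [System.IO.Path]::GetFileNameWithoutExtension($DriverPath)

if (Test-Path -LiteralPath $DriverPath) {
    $item = Get-Item -LiteralPath $DriverPath
    "File present: $($item.FullName)"
    "Created: $($item.CreationTime)  Size: $($item.Length) bytes"

    # A legitimately signed vendor driver is strong evidence of a false positive;
    # an unsigned or invalidly signed kernel driver deserves a closer look.
    $sig = Get-AuthenticodeSignature -FilePath $DriverPath
    "Signature status: $($sig.Status)"
    if ($sig.SignerCertificate) {
        "Signer: $($sig.SignerCertificate.Subject)"
    }
} else {
    "File not present: $DriverPath (the thread notes it exists only while the MBAM UI is open)"
}

# Check the Service Control Manager independently of the file: a kernel driver
# service can still be registered or running after the .sys file has been removed.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -ieq $baseName -or $_.PathName -like "*$baseName*" } |
    Select-Object Name, State, StartMode, PathName
```

Run it once with the MBAM UI closed and once with it open, and compare the two results with the timing of avast's 8-minute post-boot rootkit scan. On Windows XP-era PowerShell (before 3.0) replace `Get-CimInstance -ClassName Win32_SystemDriver` with `Get-WmiObject -Class Win32_SystemDriver`; the rest is unchanged.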
DavidR and Ky331.
I opened the MBAM UI for the mbamswissarmy.sys file to be present in my system, then waited for the rootkit scan 8 min after boot. Nothing. Avast! did not alert on the file. I also ran a custom scan of my PC for a full rootkit search, still nothing. However, I have had several stream updates after VPS 120515-0, so maybe one of those updates fixed the F/P???
I don’t believe the mbamswissarmy.sys would be present just by opening the UI (if that is what happened on your system, fine), but it was present for the Flash scan that I ran and after the scan was complete.
I have just completed a custom scan in which I had it do a Full Anti-Rootkit scan (the most thorough of anti-rootkit scans) and no alert and mbamswissarmy.sys was still present in the drivers folder (and is still present) and no detection, see image.
So we will have to wait for ky331 to initiate an MBAM scan shortly after boot and see if the anti-rootkit scan (8 minutes after boot) detects it again.
EDIT: However, closing the MBAM UI does remove the mbamswissarmy.sys file (I had left it open to display the scan results).
DavidR,
I concur that the “quirk of timing” (I typically don’t open the MBAM UI that early in my daily session), and/or the file’s temp nature (being created, then deleted) in the drivers subdirectory, may have been involved in what happened this morning.
At first, I was concerned that Avast deleted the file, and that I’d have to reinstall MBAM to get it back. But now that I’ve been reminded it’s only a temp file, that MBAM recreates as needed, I’m no longer concerned about that.
I will try to check things out when I’m home again at my avast system.
Believe me it is present, see screenshot, and not only that but it is also present when MBAM updates. Just like avast.setup file when it updates.
Back home, and testing again.
No problem now. I intentionally opened MBAM early (before the 8-minute rootkit testing), ran a flash scan, but no rootkit warning this time. Of course, my avast definitions had been updated to 12-05-15-1, so that might have been a factor if there had indeed been an F/P earlier today.
For the record, working with MBAM PRO/paid, I have confirmed that MBAMSwissArmy is created when the MBAM UI is opened, and it’s deleted when the UI is subsequently closed.
I am satisfied that nothing is wrong with my system at the moment, and appreciate the input from the contributors to this thread. A wonderful group of people helping out here.
Yes, my EDIT comment in the last post confirmed it disappears when you close the UI, so it isn’t so unusual that it would create it when the UI is opened.
That MBAM URL has already been given in Reply #4 above.
Hi, I’m sorry about that - but am pleased that you responded! Thank you.
I recently downloaded MBAM onto a desktop PC running Windows XP Home SP3. I updated and ran the programme and a number of rogues were found, quarantined and then deleted. I then uninstalled MBAM. Just out of interest, I ran a straightforward search of the machine to determine if anything had been ‘left behind’ - this is what was found:
http://i47.tinypic.com/fkqmg3.jpg
After some research I discovered that I should run this programme to ‘properly’ clean the computer - mbam-clean-1-1.60.2.0003.exe
I did so and expected to have totally removed all references to MBAM but after another search, discovered that files were still retained on the machine!
Where? Here … Windows/PCHealth/HelpCtr/DataColl
Opening up the ‘Windows’ folder on an XP Home SP3 machine one may progress to PCHealth/HelpCtr/DataColl where one finds many icons (files?).
I note that I can open each one by double-clicking the icon and a page opens in Internet Explorer or I can right-click, click on ‘Edit’ and read the file content in Notepad.
Now, my question is - What is the purpose of these files?
Internet Explorer (Version: 8.0.6001.18702) throws up an Information bar which says “To help protect your security, Internet Explorer has restricted this webpage from running scripts or ActiveX controls that could access your computer. Click here for options”.
I have not allowed Blocked Content!
I’d appreciate some advice to help me better understand matters. TIA
–
I wanted to let everyone here know who you are. Before I do that tho, I’m going to disclose who I am and my background so there is no debate or question concerning this post. My name is Dustin Cook. I’m a former employee of Malwarebytes Corporation. I was one of the malware researchers. My posting handle on the malwarebytes forum is Raid. While I’m no longer affiliated with the company, I still maintain “expert” status on their forum.
This person “Brawdy14” is also known as BD or David Brooks of Devon. He was banned from the Malwarebytes forum several years ago for trolling and being a general nuisance; as he is now. He’s had a personal vendetta against the company since his removal from the forum several years ago for being a trollish nuisance. Essentially, he asks questions with the implication something shady is underfoot.
He’s been asking for several months now on usenet if Malwarebytes installs malware under the guise of a legitimate application. Malwarebytes does not and never has done this.
Please disregard questions from this individual; he isn’t here to learn and isn’t asking questions of you. His intent is purely to slime. Here’s the reference usenet post where he mentions this thread (which is how I found it):
Message-ID: Ht6dnZ3YM63sKTbNnZ2dnUVZ8q2dnZ2d@bt.com
After some research I discovered that I should run this programme to 'properly' clean the computer - mbam-clean-1-1.60.2.0003.exe
I mentioned this to him as he was having problems re-running another “trial” copy on a friends computer.
I did so and expected to have totally removed all references to MBAM but after another search, discovered that files were still retained on the machine!
Some information is left behind so that you can’t just elect to use free trials for life, that’s all. Malwarebytes knows if you have already had a trial and if it’s expired. Obviously it has to leave information behind in order to do that.
David Brooks has been informed of this as i told him weeks ago on usenet. He’s simply here to slime Malwarebytes. You can check the wilders forum or just google David Brooks of Devon. This guy is well known.
I'd appreciate some advice to help me better understand matters. TIA
You should choose another forum then. I won’t sit idly by while you slime people and good companies under the guise of innocent help, David.
Thanks for the heads up.
I can’t understand why someone would go to those lengths to keep using the trial version when A) the Pro version is a one off reasonable payment and B) they can always use the free version.
I also can’t understand why he would give this topic as a reference as there is nothing about any bad activity on the part of MBAM, pretty much a given that security based drivers may be hidden. Not to mention the topic is 6 months old, so both programs will have changed considerably in that time.
Dustin Cook said…
“Some information is left behind so that you can’t just elect to use free trials for life, that’s all. Malwarebytes knows if you have already had a trial and if it’s expired. Obviously it has to leave information behind in order to do that.”
WHERE is that information left behind?
–
No one is going to tell you that here as this isn’t the MBAM forums, and I rather doubt you will get that answer there either, as to do so would likely circumvent legitimate protection against running the trial version to avoid payment.
This isn’t the forum to raise your MBAM questions unless they are directly related to avast, and this doesn’t seem so. This is then off-topic for this topic.
Hi!
I find another reference to mbamswissarmy.sys being classified as malware, here:-
http://community.norton.com/t5/Norton-Internet-Security-Norton/mbamswissarmy-sys/m-p/780176#M213374
Do you have it in your computer? What does it do? :-\
It remained resident in my PC even when I uninstalled MBAM!
Why is a driver left behind in Systems32/drivers?
Someone here must know!
–