My scheduled scan this morning found 10 threats, all of which are mbamservice.exe.
Since I have MBAM excluded, there was no action taken, meaning they are not in the virus chest, but I’d like these FPs to be known.
What should I do?
Thanks.
I don’t know if this wasn’t something you mentioned before, but it most certainly is in many other forum topics.
They aren’t FPs as you asked avast to scan the memory for malware, so don’t be surprised when it finds (and reports) unencrypted virus/malware signatures in memory. It isn’t mbamservice.exe that is infected, that is the process that loaded them into memory.
- Detections in Memory - My guess is that you are doing a Custom scan in which you have elected to scan Memory and that all these detections are in memory. Since they aren’t physical files they can’t be moved to the chest, deleted, etc. so there is no action that can be taken, hence the Apply button being greyed out.
The detections in memory are frequently other security applications loading unencrypted virus signatures into memory. Having set off a scan of memory by an antivirus application looking for virus signatures, don’t be too surprised if it finds some in memory.
Dave is right…!!
Just want to add, that this only occurs with the paid (pro version) of mbam…
asyn
Do either of you helpful folks find it odd that I have had this same scheduled scan running daily for months and today is the first time that this detection has appeared?
Yes.
asyn
Have you had MBAM Pro all this time also?
No I don’t find it strange at all as those signatures may not be loaded into memory all of the time, if you had done a recent mbam scan these could have been loaded and remain in memory. If that is the case then there may be times when the signatures aren’t loaded.
All you have to remember is that there are consequences of scanning memory when you have another security application/s installed.
Never had that problem on my XP Pro system.
Is it XP Home or Pro and how much RAM does the system have ???
That’s good info for the signature.
I opened a ticket with the avast support center and sent them the same info I posted here.
The reply I received said:
Please, update your avast! virus database and then scan that file again. There were some false alarms removed. Anyway, if there's still false detection, send me that particular file to analyse.
You aren’t going to be able to send a file as none exists, these are memory blocks as I have said.
False alarms removed, per avast support. Problem SOLVED.
Thanks for all the replies.
I just wanted to briefly report back that this “infection” has happened a number of times since I declared this issue “RESOLVED”.
My correspondence with avast tech support people (the last of which I excerpted below) has confirmed that DavidR was spot on with his analysis that these detections were MBAM definitions in memory being flagged by avast.
There is nothing you can do except using just one antivirus solution if it’s avast! detecting malwarebytes service in the memory.
Thanks for the feedback, Snagglegrain…!
asyn
Snagglegrain are these the exclusions you have added as they will need to be added to the file system shield exclusions as well as the settings exclusions,
If you have any problems after the install of the pro version of malwarebytes you may wish to add the exclusions into the file system shield and to the exclusions in settings, these will need to be added one at a time. For Windows XP:
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
C:\Windows\System32\drivers\mbam.sys
C:\Windows\System32\drivers\mbamswissarmy.sys
Hello craigb
Thank you for your reply!
I only have a couple of exclusions in the settings, namely:
C:\Program Files\Malwarebytes' Anti-Malware*
C:\Documents and Settings\All Users\Application Data\Malwarebytes*
I hadn’t thought to add exclusions to the File System Shield.
As a bit of an experiment, I have added (only) the two listed above to the File System Shield, and will see if that makes a difference.
If I still get the ‘virus found’ results, I will insert every exclusion you have listed.
Appreciate the assistance.
Those exclusions will be of no use in this case as the detections aren’t on the files, but the signatures placed into memory. So it is the memory blocks being detected and you can’t exclude them, excluding a file from scanning doesn’t exclude its actions.
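Added illustration, not part of the thread and not avast or Malwarebytes code: a toy scanner showing the point made in the posts above, that path exclusions suppress file detections but have nothing to match when the same signature bytes sit in another process's memory. The signature patterns, file contents and function names are constructed for the example; only the paths and the two wildcard exclusions come from the thread.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed toy signature database (harmless byte patterns, not real signatures).
SIGNATURES = {"Toy.Sample.A": b"TOYSIG-A-7f3c", "Toy.Sample.B": b"TOYSIG-B-91de"}

@dataclass
class Detection:
    location: str     # file path, or "memory:<owning process>"
    signature: str
    actionable: bool  # True only when a file exists that could go to the chest

def match(data: bytes):
    return [name for name, pattern in SIGNATURES.items() if pattern in data]

def is_excluded(path, exclusions):
    # Windows paths are case-insensitive, so compare lower-cased.
    return any(fnmatch(path.lower(), pat.lower()) for pat in exclusions)

def scan(files, memory_regions, exclusions):
    """files: {path: bytes}; memory_regions: [(owning_process, bytes)]."""
    found = []
    for path, data in files.items():
        if is_excluded(path, exclusions):
            continue  # excluded files are never read
        found += [Detection(path, s, True) for s in match(data)]
    for owner, data in memory_regions:
        # A memory block has no path, so a path exclusion cannot apply to it.
        found += [Detection(f"memory:{owner}", s, False) for s in match(data)]
    return found

# Constructed sample: a definitions blob on disk and the same blob loaded in memory.
RULES = b"hdr" + b"".join(SIGNATURES.values())
FILES = {
    r"C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe": b"MZ clean binary",
    r"C:\Documents and Settings\All Users\Application Data\Malwarebytes"
    r"\Malwarebytes' Anti-Malware\rules.ref": RULES,
}
MEMORY = [("mbamservice.exe", b"\x00" * 16 + RULES)]
EXCLUSIONS = [
    r"C:\Program Files\Malwarebytes' Anti-Malware*",
    r"C:\Documents and Settings\All Users\Application Data\Malwarebytes*",
]

if __name__ == "__main__":
    for d in scan(FILES, MEMORY, EXCLUSIONS):
        print(d)
```

With the exclusions in place the only results left are the memory hits attributed to mbamservice.exe, none of which is a file that could be moved to the chest.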
Maybe I’m just nuts, but it sure seems like a situation where avast and MBAM could get together (if they really wanted to) and figure out a way to prevent these memory detections… or at least account for them and make it so an exclusion would work.
Today I had 1. Yesterday I had 47. Prior to that, about a week without any.
I’m going to enter all of the exclusions craigb alluded to, and see what, if anything, that does.
It’s better than doing nothing.
@ craigb: I just realized something!
I’m running a custom scan, and I’ve entered the exclusions in the general settings area as well as the File Shield, but I’ve overlooked adding the exclusions to the custom scan!
I’ve done that now (it’s about time!), and maybe this will make a diff.
@ DavidR: You’ve made it clear that you think that exclusions will not matter with this issue, but I’m still trying to get this fixed, and maybe this will work! If you come up with anything else, please let me know.
@ Asyn: You said a while back, “Just want to add, that this only occurs with the paid (pro version) of mbam”. Do you have any more details on that? Where did you read about this happening to others? Any links to other threads? Thanks!
In addition to posting here on the avast forum, I’ve now opened tickets with both avast and MBAM support. I’ve also received some much appreciated PMs from other members. I’ll report back on what, if anything, I learn.
Only the pro version has resident protection and it seems that it loads its signatures unencrypted into memory. That’s what avast is detecting. The free Mbam has no resident protection and therefore no problem with avast…
Sorry, no links to other threads, but you can use the forum’s search function or look for info in Mbam forum.
asyn
@ Asyn: So, when you said, “Just want to add, that this only occurs with the paid (pro version) of mbam”, were you making the point that it is only possible with the Pro version, or are you saying you have seen this avast detection of mbamservice.exe before? That’s what I am trying to determine.