Well, the high severity virus detections continue.
So far, in addition to starting this topic here in the forum, I have contacted avast support and MBAM support. Not surprisingly (to me at least), each says it’s the other’s fault.
MBAM was able to replicate the detections, and escalated the issue to their QA people who said, “We’ve tried all options and tweaks and it’s their end that needs correcting. There is no amount of coding we can do to correct this as we tried, we don’t have the issue with any other antivirus or antimalware for that matter.”
avast told me, “These detections are done by malwarebytes. Some problems may arise if you use more antivirus/antimalware solutions. It involves more detection that makes it even more complicated. We do not know why it is not possible to exclude it (it may be other downloading data than excluded one, it can be detected in the memory etc.) There is nothing you can do except using just one antivirus solution if it’s avast! detecting malwarebytes service in the memory.”
What do you guys think? I think it would be nice if they worked together, but then again, hardly anyone has experienced this detection, so there is definitely no push or motivation to straighten it out.
Well I don’t know what they (MBAM) are talking about:
“We’ve tried all options and tweaks and it’s their end that needs correcting. There is no amount of coding we can do to correct this as we tried, we don’t have the issue with any other antivirus or antimalware for that matter.”
Encrypting the signatures that they place into memory shouldn’t take much in the way of coding, it would however require that they have to use decryption when scanning which would probably slow scanning.
As for other AVs not detecting this, neither does avast if you don’t have it scan memory. There is no mention if the other AVs are in fact scanning memory or not.
So I don’t know if you passed that little gem on to them that it is an on-demand scan that you have asked to scan memory which is detecting the unencrypted signatures that mbam placed there.
From what I see, avast scans memory in the Full system scan (“modules loaded in memory”) as well as in the Custom scan (“operating memory of the computer”).
And of course I passed on to them (that these are on-demand custom scans).
Did you not read that I said they replicated the detections?
This situation only happens if you are scanning simultaneously and two scanners detect the threats at the same time. mbamservice.exe is identified as the MBAM chest, which means that avast is also scanning the MBAM chest. It is detected but cannot be deleted because it is in a safe place (the MBAM chest). As you can see, the threat is in mbamservice, so try clearing the MBAM chest and scanning again. And don’t forget to use only one security scanner at a time.
Well my guess is it also depends on the other settings you have in your custom scan as you appear to have it set to the absolute maximum sensitivity, etc.
Replicating it isn’t the issue, resolving it is and as I said if they encrypted the signatures loaded into memory that wouldn’t happen.
Well test whole files (and Scan for PUPs) isn’t on by default and is possibly the area where it is picking them up.
You have basically enabled almost every level of scanning at the highest levels. To find the defaults all you need do is create a new custom scan and that will show the options enabled by default.
I think I’ll try these regularly scheduled scans, but with “Scan for PUPS” turned off.
If that doesn’t make a difference, I’ll disable “Test whole files”.
It may take a few days or more to see if there is a change (because sometimes the detections don’t happen each day anyway), but I may be able to isolate the problem this way.
I have noted that the detections still occur with heuristics set at default, so that really only leaves the two settings listed above (that I have tweaked) as possible suspects… if indeed this is a sensitivity issue.
Thanks for the suggestion to view defaults simply by creating a new scan.
Note to self (and/or anyone else following this issue who might care):
I have reset the Sensitivity settings to all default conditions (per screenshot)
and rebooted just in case that is needed for the settings to stick.
For the record, I am optimistic that the MBAM detections will cease.
If and when they do, I will then singularly add back in the two settings that I had tweaked, until I isolate the problem.
Some might say that luck has no hand in this game, but if someone wants to wish me some, I’ll gladly accept!
@ self (and anyone else interested) :), Unfortunately, even after resetting all Sensitivity settings to default, I encountered the mbamservice.exe detection on one computer early this morning.
I’ll leave the current settings alone at least until after tomorrow’s scan, before deciding the next move.
At this point I am left questioning my decision to use the Custom scan in the first place. I have switched back to the Full system scan now and then to see if I get the mbam detection, and so far I have not. To answer my own question, I suppose I am attracted to the Custom scan’s option to perform a full rootkit scan, as compared to the quick rootkit scan that runs in the Full system scan.
I also see that in the Custom scan, I have selected “Scan all files”, whereas the default setting leaves that unchecked. This might be a setting to change.
I can also elect to remove Memory from the scan areas, and that would seemingly eliminate this whole issue. Does anyone have an opinion on the practice of scanning (or not scanning) memory… aside from the obvious conflict that it is causing on my systems? I’m convinced that it is a good practice, that viruses can hide in system memory, and that good scanners look at memory. But I’d like to hear what others think.
I am also a bit puzzled by the fact that these mbam detections do not happen when I run Full system scans, yet according to avast, memory is scanned in both the Full system scan (“modules loaded in memory”) as well as in the Custom scan (“operating memory of the computer”).
And one more question, on a related note… does anyone know if rootkit scans on system startup (found under Troubleshooting in Basic Settings) are full or quick scans?
Wrong, the anti-rootkit scan happens 8 minutes after boot, so shouldn’t contribute to boot duration.
There is little point in doing a rootkit scan during boot as a) the rootkit may or may not be established that early and b) I don’t know if the APIs, etc. used to check what is running against what is actually running (but not shown in the API) may not be available at boot.
@ DavidR: Not exactly what I would call a compelling argument.
By the way, I disabled “Scan all files” and changed the rootkit scan to quick scan,
and the mbamservice.exe detection still occurred on one computer.
Guess I’ll eliminate the memory scan, and that should be the end of the detections.
If you actually check your aswAr.log file, the one that happens 8 mins after boot, you will find it doesn’t take very long; mine for this morning only took 3 seconds. The last Full System scan I did, which also includes a more comprehensive anti-rootkit scan (aswAr1.log), only took 27 seconds.
My comment was correcting craigb’s assumption that a rootkit scan doesn’t contribute to boot duration. The further expansion as to an anti-rootkit scan at boot-time wouldn’t be a good idea. If at boot the Windows APIs that report what they see as running aren’t available, then there is nothing to compare, making an anti-rootkit scan pointless.
If at the time of the anti-rootkit scan the rootkit isn’t established then the scan is pointless. This is why avast introduced the delay of the anti-rootkit scan 8 minutes after boot.
So I really haven’t a clue what it is you are saying, “Not exactly what I would call a compelling argument.” Argument for what?