mbamservice.exe false positives

Just checked my rootkit scan from this morning, 9 seconds. Definitely a very quick scan.

5 secs here…
Only thing is that it freezes the browser here, but no big deal. :wink:
asyn

My aswAr.log indicates the scan happened 8 min 20 sec after boot and lasted 5 sec.
The aswAr1.log file shows that the rootkit scan (that I had changed from full to quick) ran for 1 min 42 sec. On a 2nd machine the scan time was shorter, 1 min 6 sec.

Back to the Custom scan issue…
one machine found a mbamservice.exe detection this morning, but the other didn’t.
The rootkit scans (both on startup and on scheduled Custom scan) checked mbam in 4 places on both computers…

Process C:\Program Files\Malwarebytes’ Anti-Malware\mbamservice.exe [744]
Process C:\Program Files\Malwarebytes’ Anti-Malware\mbamgui.exe [3912]
Service MBAMProtector [C:\WINDOWS\system32\drivers\mbam.sys]
Service MBAMService [C:\Program Files\Malwarebytes’ Anti-Malware\mbamservice.exe]

The machine that detected the mbamservice.exe ‘virus’ said it was in Process 744.

I am going to remove the rootkit scan from the Custom scan and see if that eliminates the mbamservice detection tomorrow.

The rootkit scan wouldn’t have found it as the detections that you are getting are conventional signature detections and not the rootkit detection. See image example of the rootkit detection screen, is that the one you saw?

The detections are, as I stated, part of a Custom scan, and I posted an image in the very first post in this topic. Would a detection found during the rootkit scan portion of the Custom scan produce an image like you posted, or would it be like the one I posted?

The rootkit scan although integrated into the Full scan I believe would produce the normal rootkit alert as it isn’t using signature detections as the other parts of the full system scan. So at the very least I don’t think it could be integrated into the report file and none of the alerts you got are rootkit related but signature detections.

So not running the rootkit scan as you are suggesting wouldn’t make any difference as it isn’t the rootkit part of the scan that is alerting.

Okay, I’ll take your word for it, and instead of messing around with disabling the rootkit portion of the Custom scan, I’ll disable the memory area. All indicators point to that being the solution to this issue. And if doing so does cause the detections to cease, I’ll be even more puzzled by the fact that Full system scans (that claim to scan “modules loaded in memory”) are not producing these detections. I’ll report back. Appreciate the input!

Removed memory area from the Custom scan.
It has now been one day in a row without the mbamservice.exe detection, on either machine. :slight_smile:
But I have to see if it is going to last.
On a previous occasion I have experienced back-to-back days of zero mbam detections.
If the issue is resolved by this, then I plan to slowly add back in the other areas I have removed or reset to default… like sensitivity, Scan all files and full rootkit scan.

Two days in a row. :slight_smile:

With the memory area removed from the Custom scan, it’s been four days without a mbamservice.exe detection.

Yesterday I added back all of the other Custom scan settings that I prefer…

Full rootkit scan
Heuristics on High
Sensitivity set to test whole files
Scan for PUPS
and
Scan all files

… and no mbam detections.

The problem totally lies within the memory scanning portion of the Custom scan, whereas there is no such issue with the memory scanning portion of the Full system scan.

Which is what I have been saying all along, scanning the memory in a custom scan will find and alert on the unencrypted virus signatures loaded by MBAM when they are present.
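The mechanism described in the post above, as an added illustration that is not part of the thread and is not avast or MBAM code: a naive signature scan stays clean on a service's on-disk image and on its memory before definitions are loaded, but alerts once a second product's plaintext definitions sit in that process's memory. All byte patterns, names and region contents are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed byte patterns; they stand in for real definitions.
PATTERN_A = b"\x13\x37CONSTRUCTED-SAMPLE-A\xfe\xed"
PATTERN_B = b"\x42\x24CONSTRUCTED-SAMPLE-B\xbe\xef"

# Hypothetical signature set of the product doing the memory scan.
SCANNER_SIGNATURES = {"Sample-A": PATTERN_A, "Sample-B": PATTERN_B}


@dataclass
class Region:
    owner: str   # file or process the bytes belong to
    kind: str    # "file" or "memory"
    data: bytes


def scan(region, signatures=SCANNER_SIGNATURES):
    """Return (name, offset) for every signature pattern found in the region."""
    hits = []
    for name, pattern in signatures.items():
        offset = region.data.find(pattern)
        if offset != -1:
            hits.append((name, offset))
    return hits


def build_regions():
    """Three constructed views of the same hypothetical service."""
    code = b"MZ" + b"\x00" * 30 + b"service code only"
    # The second product's definitions for the same samples, held as plain bytes.
    loaded_db = b"DEFS" + PATTERN_A + PATTERN_B
    return {
        "on_disk": Region("service.exe", "file", code),
        "memory_before_load": Region("service.exe", "memory", code + b"\x00" * 64),
        "memory_after_load": Region("service.exe", "memory", code + loaded_db),
    }


if __name__ == "__main__":
    for label, region in build_regions().items():
        hits = scan(region)
        verdict = "DETECTED " + str(hits) if hits else "clean"
        print(f"{label:20} {region.kind:6} {verdict}")
```

The hits land at offsets inside the loaded definition table, past the end of the service's own code, which is what separates this kind of alert from a detection in the executable itself.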

You have been saying that?
Where exactly have you been saying that?
<just joking, DavidR>

In fairness, you have also said the problem might be in other areas as well…

But I give you credit for identifying the problem even when avast support was calling it a false detection that they would fix.
Now if only they would fix what we have found. :slight_smile:

Just a quick follow up note (even though the thread is old I was advised it would be best to post here)…

the mbamservice.exe memory detections during custom scan have all but stopped over the last couple of weeks.

I had broken the custom scan into two, one with and one without memory scanning. Naturally, all the detections then occurred in the memory scans. But it has now been a full week, at least, without any detections whatsoever (on either machine), and maybe just a couple prior to that, going back two weeks.

Perhaps either avast or MBAM changed something, or maybe it is the implementation of v1.50. Whatever the case, I wanted people to see the follow up, even though it involves resurrecting an old thread.

Thanks for the feedback…!
asyn

Glad that it’s all working fine for you now, it was certainly a mission :slight_smile: