Malwarebytes Scan in Safe Mode

July 29, 2011 1:09:45 PM

For some reason, the thread that spawns this post eludes me, as well as the fact the PM I sent remains unanswered, so hopefully this post remains intact.

I made a comment in someone's post, saying Malwarebytes was less effective when running in Safe Mode, and was promptly told by a member, I did not know what I was talking about. Hopefully that person will refer to this link to bring his knowledge up to date.

http://forums.malwarebytes.org/index.php?showtopic=9079...

August 1, 2011 1:43:19 PM

It looks like the malwarebytes staff members agreed with you in the thread.
August 1, 2011 8:19:18 PM

While in safe mode, not all load points from the registry are loaded and not all processes get loaded.

I've always run my scans with a normal boot for those reasons.
August 1, 2011 8:34:26 PM

I do both types of scans with Malwarebytes, just to make sure all is clear!
August 1, 2011 8:45:23 PM

Our DDA (Direct Disk Access) driver doesn't load in Safe Mode either, that means MBAM can't check for hidden stuff like rootkits.

Post from a mod in malwarebytes forum^

Best solution

August 1, 2011 8:48:48 PM

Yes, MBAM works better and was designed to run in Windows Normal Mode. If you can run it in Normal mode then you should. If you can not but it will run in Safe Mode only then that is better than nothing, but once you have the system running better you should scan again in Normal Mode.

You are correct ^ :D 
August 3, 2011 12:37:49 PM

Unless this is the result of a recent revision, I've always found it more effective in safe mode in the past. Most of the time, the client infections I see won't even allow MBAM to run in normal mode.

I'm sure they know their software better than I do. I'll be sure and do some more tests with their latest version. I'm just giving my experience from personal and client machines. When paired up with something like SuperAntiSpyware in safe mode, it will almost always clean it up.
August 3, 2011 12:42:11 PM

aford10 said:
Unless this is the result of a recent revision, I've always found it more effective in safe mode in the past. Most of the time, the client infections I see won't even allow MBAM to run in normal mode.

I'm sure they know their software better than I do. I'll be sure and do some more tests with their latest version. I'm just giving my experience from personal and client machines. When paired up with something like SuperAntiSpyware in safe mode, it will almost always clean it up.


The guys from MBAM did state to run in safe mode only if you aren't able to run normally, then run it again in normal mode after it has removed stuff while in safe mode. So, they are aware that there are nasties out there that will prevent MBAM from working, just that it's best to run in normal mode if you can.
August 3, 2011 1:47:13 PM

Yep, I read through their thread.

However, in normal windows, more files are in use/locked, malware will be more active, and there's a much greater chance that your scans are being tampered with.

Like I said, I'm sure they know their software, and I'll be sure to do some tests.
August 3, 2011 2:51:15 PM

aford10 said:
Yep, I read through their thread.

However, in normal windows, more files are in use/locked, malware will be more active, and there's a much greater chance that your scans are being tampered with.

Like I said, I'm sure they know their software, and I'll be sure to do some tests.


Yes, malware will be more active (there is an entry point) that MBAM can detect, and that is why it is better to scan in normal mode. In those cases where the scans are being inhibited, or something like RKILL does not remove the infected resource to allow the scans to run, by all means, try the scan in safe mode. But, make sure to repeat the scan in normal mode.

Post summary from MBAM:
MBAM Safe Mode Scanning - Why you shouldn't.
Safe Mode Scans are a last resort, e.g., an infection keeps you from scanning in normal mode. You have run RKILL & still can't scan in safe mode.

In Safe Mode:
1) Not all Entry Points and resources are loaded.
2) The Direct Access Driver does not load, which means MBAM can't check for hidden "stuff" like rootkits.
3) Scan will also be a decent amount slower in safe mode because of the disk tech MBAM and Windows allows in safe mode.
4) Because of the infections not being in memory, Quick scan would be quite hampered in safe mode.

If you MUST scan in Safe Mode:

If infections are found, REBOOT AND repeat scan in Normal mode.
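
One way to see for yourself which drivers Windows leaves out in Safe Mode with Networking, which is what points 1 and 2 of the summary above are about. This is an added example, not code from any poster in this thread or from Malwarebytes; it assumes PowerShell 3.0 or later on the machine being checked, and `Get-SafeBootEntry` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Get-SafeBootEntry is a hypothetical helper name.
$safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# BootupState is "Normal boot", "Fail-safe boot" or "Fail-safe with network boot".
$bootState = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
Write-Output "Current boot state: $bootState"

function Get-SafeBootEntry {
    # Lists what Windows is allowed to load in one Safe Mode variant.
    param([ValidateSet('Minimal', 'Network')][string]$Mode)
    Get-ChildItem -Path (Join-Path $safeBootRoot $Mode) | ForEach-Object {
        [pscustomobject]@{
            Name = $_.PSChildName    # service name, driver file, group or class GUID
            Type = $_.GetValue('')   # default value, e.g. Service, Driver, Driver Group
        }
    }
}

$allowed = @(Get-SafeBootEntry -Mode Network | Select-Object -ExpandProperty Name)

# Drivers that start on their own in a normal boot. Boot-start drivers are
# left out of this comparison.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver `
    -Filter "StartMode='System' OR StartMode='Auto'"

$skipped = foreach ($d in $drivers) {
    $svcKey = Join-Path $servicesRoot $d.Name
    $group  = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).Group
    # A driver counts as listed if its name, its .sys file name or its load group appears.
    $candidates = @($d.Name, "$($d.Name).sys", $group) | Where-Object { $_ }
    $listed = $candidates | Where-Object { $allowed -contains $_ }
    if (-not $listed) {
        [pscustomobject]@{ Driver = $d.Name; Group = $group; State = $d.State; Path = $d.PathName }
    }
}

# Name and group matching only: an entry that is a device class GUID can still
# admit a driver, so treat this list as an upper bound.
$skipped | Sort-Object Driver | Format-Table -AutoSize
```

Run it in a normal boot: any scanner driver that shows up in the output with `State` set to `Running` is one that will not be there for a Safe Mode scan.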
August 3, 2011 3:21:18 PM

As I said, yes, I read all that in their responses. And I am just relaying my real world experience.

I would also suggest not relying solely on MBAM.
August 3, 2011 6:20:37 PM

aford10 said:
As I said, yes, I read all that in their responses. And I am just relaying my real world experience.

I would also suggest not relying solely on MBAM.


Please do your "tests" and let us know.
August 12, 2011 2:33:34 AM

A client brought a computer in today. Here's the logs of 3 scans:

1. I ran Malwarebytes in normal mode. It found nothing, and note, it only scanned 175 items. Not good.


2. I booted into safe mode with networking, and ran Malwarebytes. Notice, it didn't find anything, but scanned over 186k items. Also, notice the time for the scans. It's not slower to run in safe mode.


3. I ran SuperAntiSpyware in safe mode with networking. Notice that it scanned over 82k items, and found 114 threats.


This is one test, on one computer, but I stand by my statements above. I've used the same process on a few hundred computers, and found Malwarebytes to be much more effective in safe mode with networking. And it's even more effective when combined with other scanners, such as SuperAntiSpyware, and Combofix.

August 12, 2011 4:30:56 AM

Nice to see the results, thanks aford!
August 12, 2011 7:26:31 AM

@aford10:

About every third or fourth week a MBAM user will post a topic on the Malwarebytes' Forums where their Full Scan completes in an unexpectedly short period and that a minuscule number of objects were scanned.

I can't remember the last time that it wasn't the user's error.

August 12, 2011 9:00:19 AM

aford10 said:
A client brought a computer in today. Here's the logs of 3 scans:

1. I ran Malwarebytes in normal mode. It found nothing, and note, it only scanned 175 items. Not good.
http://img708.imageshack.us/img708/748/malwarebytesnormalmode.jpg

2. I booted into safe mode with networking, and ran Malwarebytes. Notice, it didn't find anything, but scanned over 186k items. Also, notice the time for the scans. It's not slower to run in safe mode.
http://img233.imageshack.us/img233/6910/malwarebytessafemode.jpg

3. I ran SuperAntiSpyware in safe mode with networking. Notice that it scanned over 82k items, and found 114 threats.
http://img806.imageshack.us/img806/7169/superantispyware.jpg

This is one test, on one computer, but I stand by my statements above. I've used the same process on a few hundred computers, and found Malwarebytes to be much more effective in safe mode with networking. And it's even more effective when combined with other scanners, such as SuperAntiSpyware, and Combofix.

@aford10 - Thanks for posting your results. Quite interesting. I certainly agree with using other scanners, as you mention, and is evident by your results. I wonder what the MBAM scan in Normal mode would have detected had RKILL been run first, possibly allowing the scan to run its course instead of scanning only 175 items? No one deserves to be infected, but if they are still on SP2, most assuredly their other software is out of date also, causing their problems.
August 12, 2011 1:28:53 PM

I would love to know what the cause of that was, Aford. Can you attach the full logs and maybe the combofix? Do you have any of the samples that were detected by combofix or SAS?

Our detection rates are still among the best. Superantispyware detects harmless tracking cookies and that greatly inflates their counts.

Using multiple scanners is always a good idea. It's impossible to catch everything with one tool.

Just something interesting: here is an independent review.

http://www.youtube.com/watch?v=xuPxA6lQs5s
August 12, 2011 1:41:10 PM

1PW said:
@aford10:

About every third or fourth week a MBAM user will post a topic on the Malwarebytes' Forums where their Full Scan completes in an unexpectedly short period and that a minuscule number of objects were scanned.

I can't remember the last time that it wasn't the user's error.

http://imageshack.us/photo/my-images/838/fullscan.jpg/


Well, the software isn't very complicated to use, and I've run Malwarebytes scans many, many times. It's pretty hard to screw up the scan. I used the exact same options when I ran the scan in safe mode, so the results are there.

This was just one client's PC. There will be more to come if you'd like more logs.
August 12, 2011 1:50:34 PM

shadowwar said:
I would love to know what the cause of that was, Aford. Can you attach the full logs and maybe the combofix? Do you have any of the samples that were detected by combofix or SAS?

Our detection rates are still among the best. Superantispyware detects harmless tracking cookies and that greatly inflates their counts.

Using multiple scanners is always a good idea. It's impossible to catch everything with one tool.

Just something interesting: here is an independent review.

http://www.youtube.com/watch?v=xuPxA6lQs5s


Hey shadow. That client already picked up that computer. However, I'd be glad to upload more logs when other PCs come my way.

Just want to make it clear, I'm not bashing Malwarebytes by any means. It's a great software. I've just found it more effective in safe mode with networking.
August 12, 2011 2:03:01 PM

No problem. Maybe I came off as too defensive.

That being said, we are looking into self protection, and any instances like this, if we can figure out the cause, would be very helpful. The only way I could duplicate your results without knowing the infection was if all the checkboxes were unchecked in scanner settings with the exception of scan startup objects.

One of the reasons we state Normal mode is because of the linking technology that MBAM uses. If it doesn't see it in memory, the registry keys and such may not be removed along with the infection. That's why a full scan in safe mode is necessary.
August 15, 2011 10:16:29 PM

aford10 said:


Snip, snip...

This was just one client's PC. There will be more to come if you'd like more logs.

Hello aford10:

Certainly if you have more logs of any nature. Since you have good membership on the Malwarebytes' forum, it would be good to post there if you'd like to have the MBAM staffers work with you.

Thank you!

HTH :) 

August 23, 2011 7:01:09 AM

Best answer selected by ksiemb.
August 23, 2011 7:11:25 PM

This topic has been closed by Area51reopened