Malwarebytes Scan in Safe Mode

For some reason, the Thread that spawns this post eludes me, as well as the fact the PM I sent remains unanswered, so hopefully this post remains intact.

I made a comment in someone's post, saying Malwarebytes was less effective when running in Safe Mode, and was promptly told by a member, I did not know what I was talking about. Hopefully that person will refer to this link to bring his knowledge up to date.

http://forums.malwarebytes.org/index.php?showtopic=90791&st=0&gopid=458941&
  1. It looks like the malwarebytes staff members agreed with you in the thread.
  2. While in safe mode, not all load points from the registry are loaded and not all processes get loaded.

    I've always run my scans with a normal boot for those reasons.
  3. I do both types of scans with Malwarebytes, just to make sure all is clear!
  4. Our DDA (Direct Disk Access) driver doesn't load in Safe Mode either, that means MBAM can't check for hidden stuff like rootkits.

    Post from a mod in malwarebytes forum^
  5. Best answer
    Yes, MBAM works better and was designed to run in Windows Normal Mode. If you can run it in Normal mode then you should. If you cannot, but it will run in Safe Mode only, then that is better than nothing, but once you have the system running better you should scan again in Normal Mode.

    You are correct ^ :D
  6. Unless this is the result of a recent revision, I've always found it more effective in safe mode in the past. Most of the time, the client infections I see won't even allow MBAM to run in normal mode.

    I'm sure they know their software better than I do. I'll be sure and do some more tests with their latest version. I'm just giving my experience from personal and client machines. When paired up with something like SuperAntiSpyware in safe mode, it will almost always clean it up.
  7. aford10 said:
    Unless this is the result of a recent revision, I've always found it more effective in safe mode in the past. Most of the time, the client infections I see won't even allow MBAM to run in normal mode.

    I'm sure they know their software better than I do. I'll be sure and do some more tests with their latest version. I'm just giving my experience from personal and client machines. When paired up with something like SuperAntiSpyware in safe mode, it will almost always clean it up.


    The guys from MBAM did state to run in safe mode only if you aren't able to run normally, then run it again in normal mode after it has removed stuff while in safe mode. So, they are aware that there are nasties out there that will prevent MBAM from working, just that it's best to run in normal mode if you can.
  8. Yep, I read through their thread.

    However, in normal windows, more files are in use/locked, malware will be more active, and there's a much greater chance that your scans are being tampered with.

    Like I said, I'm sure they know their software, and I'll be sure to do some tests.
  9. aford10 said:
    Yep, I read through their thread.

    However, in normal windows, more files are in use/locked, malware will be more active, and there's a much greater chance that your scans are being tampered with.

    Like I said, I'm sure they know their software, and I'll be sure to do some tests.


    Yes, malware will be more active (there is an entry point) that MBAM can detect, and that is why it is better to scan in normal mode. In those cases where the scans are being inhibited, or something like RKILL does not remove the infected resource to allow the scans to run, by all means, try the scan in safe mode. But, make sure to repeat the scan in normal mode.

    Post summary from MBAM:
    MBAM Safe Mode Scanning - Why you shouldn't.
    Safe Mode Scans are a last resort, eg, an infection
    keeps you from scanning in normal mode. You have
    run RKILL & still can't scan in safe mode.

    In Safe Mode:
    1) Not all Entry Points and resources are loaded.
    2) The Direct Access Driver does not load which means
    MBAM can't check for hidden "stuff" like rootkits.
    3) scan will also be a decent amount slower in safe
    mode because of the disk tech mbam and
    windows allows in safe mode.
    4) Because of the infections not being in memory
    Quick scan would be quite hampered in safe mode.


    If you MUST scan in Safe Mode:

    If infections are found, REBOOT AND repeat
    scan in Normal mode.
  10. As I said, yes, I read all that in their responses. And I am just relaying my real world experience.

    I would also suggest not relying solely on MBAM.
  11. aford10 said:
    As I said, yes, I read all that in their responses. And I am just relaying my real world experience.

    I would also suggest not relying solely on MBAM.


    Please do your "tests" and let us know.
  12. A client brought a computer in today. Here's the logs of 3 scans:

    1. I ran Malwarebytes in normal mode. It found nothing, and note, it only scanned 175 items. Not good.
    http://img708.imageshack.us/img708/748/malwarebytesnormalmode.jpg

    2. I booted into safe mode with networking, and ran Malwarebytes. Notice, it didn't find anything, but scanned over 186k items. Also, notice the time for the scans. It's not slower to run in safe mode.
    http://img233.imageshack.us/img233/6910/malwarebytessafemode.jpg

    3. I ran SuperAntiSpyware in safe mode with networking. Notice that it scanned over 82k items, and found 114 threats.
    http://img806.imageshack.us/img806/7169/superantispyware.jpg

    This is one test, on one computer, but I stand by my statements above. I've used the same process on a few hundred computers, and found Malwarebytes to be much more effective in safe mode with networking. And it's even more effective when combined with other scanners, such as SuperAntiSpyware, and Combofix.
  13. Nice to see the results, thanks aford!
  14. @aford10:

    About every third or fourth week a MBAM user will post a topic on the Malwarebytes' Forums where their Full Scan completes in an unexpectedly short period and that a minuscule number of objects were scanned.

    I can't remember the last time that it wasn't the user's error.

  15. aford10 said:
    A client brought a computer in today. Here's the logs of 3 scans:

    1. I ran Malwarebytes in normal mode. It found nothing, and note, it only scanned 175 items. Not good.
    http://img708.imageshack.us/img708/748/malwarebytesnormalmode.jpg

    2. I booted into safe mode with networking, and ran Malwarebytes. Notice, it didn't find anything, but scanned over 186k items. Also, notice the time for the scans. It's not slower to run in safe mode.
    http://img233.imageshack.us/img233/6910/malwarebytessafemode.jpg

    3. I ran SuperAntiSpyware in safe mode with networking. Notice that it scanned over 82k items, and found 114 threats.
    http://img806.imageshack.us/img806/7169/superantispyware.jpg

    This is one test, on one computer, but I stand by my statements above. I've used the same process on a few hundred computers, and found Malwarebytes to be much more effective in safe mode with networking. And it's even more effective when combined with other scanners, such as SuperAntiSpyware, and Combofix.

    @aford10 - Thanks for posting your results. Quite interesting. I certainly agree with using other scanners, as you mention, and is evident by your results. I wonder what the MBAM scan in Normal mode would have detected, had RKILL been run first, possibly allowing the scan to run its course instead of scanning only 175 items? No one deserves to be infected, but if they are still on SP2, most assuredly their other software is out of date also, causing their problems.
  16. I would love to know what the cause of that was Aford. Can you attach the full logs and maybe the combofix? Do you have any of the samples that were detected by combofix or SAS?

    Our detection rates are still among the best. Superantispyware detects harmless tracking cookies and that greatly inflates their counts.

    Using multiple scanners is always a good idea. It's impossible to catch everything with one tool.

    Just something interesting here is an independent review.

    http://www.youtube.com/watch?v=xuPxA6lQs5s
  17. 1PW said:
    @aford10:

    About every third or fourth week a MBAM user will post a topic on the Malwarebytes' Forums where their Full Scan completes in an unexpectedly short period and that a minuscule number of objects were scanned.

    I can't remember the last time that it wasn't the user's error.

    http://imageshack.us/photo/my-images/838/fullscan.jpg/


    Well, the software isn't very complicated to use, and I've run malwarebytes scans many many times. It's pretty hard to screw up the scan. I used the exact same options when I ran the scan in safe mode, so the results are there.

    This was just one client's PC. There will be more to come if you'd like more logs.
  18. shadowwar said:
    I would love to know what the cause of that was Aford. Can you attach the full logs and maybe the combofix? Do you have any of the samples that were detected by combofix or SAS?

    Our detection rates are still among the best. Superantispyware detects harmless tracking cookies and that greatly inflates their counts.

    Using multiple scanners is always a good idea. It's impossible to catch everything with one tool.

    Just something interesting here is an independent review.

    http://www.youtube.com/watch?v=xuPxA6lQs5s


    Hey shadow. That client already picked up that computer. However, I'd be glad to upload more logs when other PCs come my way.

    Just want to make it clear, I'm not bashing Malwarebytes by any means. It's a great software. I've just found it more effective in safe mode with networking.
  19. No problem. Maybe I came off as too defensive.

    That being said we are looking into self protection and any instances like this if we can figure out the cause would be very helpful. The only way I could duplicate your results without knowing the infection was if all the checkboxes were unchecked in scanner settings with the exception of scan startup objects.

    One of the reasons we state Normal mode is because of the linking technology that mbam uses. If it doesn't see it in memory the registry keys and such may not be removed along with the infection. That's why a full scan in safe mode is necessary.
  20. aford10 said:


    Snip, snip...

    This was just one client's PC. There will be more to come if you'd like more logs.

    Hello aford10:

    Certainly if you have more logs of any nature. Since you have good membership on the Malwarebytes' forum, it would be good to post there if you'd like to have the MBAM staffers work with you.

    Thank you!

    HTH :)
  21. Best answer selected by ksiemb.
  22. This topic has been closed by Area51reopened