Topic: Malwarebytes antimalware cannot remove all test files it creates in cleanpc modes(3.0.16 x32)
lurkingatu2
Comodo Family Member

Posts: 69



« on: February 10, 2008, 11:47:45 PM »

hello

ok this has been going on for the past like 3 versions of comodo v3 but i beta tested
for malwarebytes anti-malware and it's been released and not beta no more but every time
i do a scan with it or any av,as program i use i scan offline and exit comodo before
i scan and when i scan with ewido 4(avg antispyware) or superantispy or avira antivir pe classic
it don't leave files in my pending files list but when i scan with malwarebytes antimalware
it leaves like 191 files in my pending files and the files are not on my pc but it still finds
them somehow in my pending files list here is what it finds

i'm using comodo v3.0.16.295  with defense+ in clean mode and firewall in train with safe mode

   thanks  :)

[Edit: Long list of pending files was replaced by *.txt attachment.
Please post such things as *.txt attachments.]
« Last Edit: February 11, 2008, 01:02:45 PM by goodbrazer » Logged

avira antivir pe classic winpatrol counterspy v2.5 superantispyware pro sandboxie spywareblaster zonedout for ie-spyad hostman with mvp hp host file 1.30ghz amd 256 mem xp pro sp2
Thunderbear
Comodo's Hero

Posts: 219


A little sense of humour makes everything easier.


« Reply #1 on: February 11, 2008, 10:08:12 AM »

Hi!

You have all those files on your computer, but you can't see them because they are in hidden directories.
To see them, you have to open Explorer, go to Tools -> Map Settings -> tab Show and check 'Show hidden files' (can't remember names exactly 'cos my XP isn't in English, but I hope you understand), you also have some other settings there to show some other hidden files if you wish.
I've found out that some security programs leave harmless traces into 'My pending files', you can turn it off and get rid of them if you set Defense to 'Train with Safe Mode'.

Hope this will help.
 
Logged

Don't be afraid, I'm very nice sometimes. And also absent-minded.
CIS 3.13.-574 (full), nLited XP3 Pro 32bit swe hidden behind a router.
lurkingatu2
Comodo Family Member

Posts: 69



« Reply #2 on: February 11, 2008, 01:02:48 PM »

hello

well i guess i worded it wrong for here thanks

thank you snowhawk i understand that but the thing is between the two something is leaving
some of these files behind on my pc Rubber Ducky the maker of malwarebytes antimalware says this

MBAM attempts to create these files and then delete them to make sure they do not exist and are hidden (like a rootkit). Why Comodo retains this information is beyond me.

 thanks  :)
Logged

avira antivir pe classic winpatrol counterspy v2.5 superantispyware pro sandboxie spywareblaster zonedout for ie-spyad hostman with mvp hp host file 1.30ghz amd 256 mem xp pro sp2
SS26
Comodo's Hero

Posts: 1452


« Reply #3 on: February 11, 2008, 01:05:24 PM »

Hi, lurkingatu2

You can try train w/safe mode for Defense+ instead of clean pc mode if you don't want to deal with "my pending files".
Logged
Rafel
Product Translator
Comodo's Hero

Posts: 355


I use only the best, I use Comodo firewall


« Reply #4 on: February 11, 2008, 01:45:49 PM »

I don't like malware bytes, I formatted my PC, installed all Microsoft updates and CFP. I installed malwarebytes antimalware, I scanned my PC and found five objects, hehehe.
MBAM finds FP with CFP.
Logged

gibran
Average User
Comodo's Hero

Posts: 5063


A bad workman always blames his tools


« Reply #5 on: February 11, 2008, 01:56:35 PM »

If someone is going to reproduce this issue with a barebone installation with only CFP and malwarebytes I'm going to move this topic to bugreporting board.
Logged

"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams
lurkingatu2
Comodo Family Member

Posts: 69



« Reply #6 on: February 11, 2008, 02:04:09 PM »

hello

thanks goodbrazer that seems to work and i will leave d+ in train with safe mode and
see how it goes i just found it odd that comodo found these things even when i exit
comodo and somehow something was leaving things behind

and thanks Rafel that's your opinion but i have found f/p's with many other programs
also not just mbam that's why i don't let nothing clean but quarantine then look them up

  thanks  :)
Logged

avira antivir pe classic winpatrol counterspy v2.5 superantispyware pro sandboxie spywareblaster zonedout for ie-spyad hostman with mvp hp host file 1.30ghz amd 256 mem xp pro sp2
gaslad
Comodo Family Member

Posts: 55


« Reply #7 on: February 11, 2008, 09:01:04 PM »

I can confirm that there is this conflict between CFP and MBAM.

I also beta tested MBAM, and reported this conflict in their forum. Basically, whenever I scan with MBAM, more than 100 0 byte files are placed in CFP's Pending files. Unless they are purged, a subsequent scan with MBAM detects them as FP infections.

The workaround, of course, is to purge one's Pending Files after every MBAM scan.

I don't know if the cause of this conflict resides with CFP, or with MBAM. Either way, it is a major nuisance!
Logged
gibran
Average User
Comodo's Hero
*****
Offline Offline

Posts: 5063


A bad workman always blames his tools


« Reply #8 on: February 11, 2008, 09:08:17 PM »

snip

Unless they are purged, a subsequent scan with MBAM detects them as FP infections.

snip

Infections? Can you post a screenshot for curiosity's sake?
How did MBAM call them?
Logged

"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams
gaslad
Comodo Family Member

Posts: 55


« Reply #9 on: February 11, 2008, 11:54:59 PM »

Okay, here's what I just now experienced:

1) I confirm my Pending Files list in CFP is empty
2) I run MBAM, which reports no infection
3) I open my Pending Files, and find there are now 213 files listed. Most of these are files created, then deleted by MBAM, and thus no longer exist
4) I hit the Purge button, which removes all the invalid entries, but in this case 2 "valid" files remain:


5) I confirm these files exist, were created during the MBAM scan, and are 0 byte files (from the file properties).
6) I run another MBAM scan, and during its heuristic scan it finds these:


These are clearly false positive detections of the files created during the first MBAM scan.

As I understand it, MBAM creates, then deletes all these files during its scan. Subsequent scans should not pick them up.

The question is, is there some conflict between CFP and MBAM that is preventing this for some of the files? Users of MBAM who do not also use CFP are not reporting this.
« Last Edit: February 11, 2008, 11:58:05 PM by gaslad » Logged
gibran
Average User
Comodo's Hero

Posts: 5063


A bad workman always blames his tools


« Reply #10 on: February 12, 2008, 05:01:39 AM »

From what you say it may be these files were not created by MBAM.

If those files are really 0 bytes files and not ADS placeholders I guess it would be enough to create two 0 bytes files with those names to see if MBAM gives the same results.

It's a bit strange for a software to dynamically create many files in windows directory tree.

EDIT: I was completely off track :-[
A complete explanation can be found just below
« Last Edit: February 13, 2008, 03:52:20 AM by gibran » Logged

"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams
Malwarebytes
Newbie

Posts: 3


« Reply #11 on: February 12, 2008, 10:06:59 PM »

Hello everybody, I see some familiar faces here. Perhaps I can explain a bit how these files are created.

During a scan MBAM creates those and then deletes them. If they are created successfully, nothing happens. If they cannot be created, and Windows returns an error "File already exists", it is a rootkit and we flag it for removal.

This is a common method used by other anti-malware utilities. Most also do this for service keys with the same results. If a rootkit has a lock on a registry key, when the anti-malware utility calls RegCreateKeyEx and REG_CREATED_NEW_KEY is returned, the key did not previously exist.

This is just one of our many advanced methods that we use. It does appear however that there is a conflict here.

Marcin Kleczynski
Logged
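
[Added example, not part of the original thread and not MBAM's or Comodo's code: a sketch of the exclusive-create probe described in Reply #11 and of the leftover-file false positive reported in Reply #9. The file name, the blocked_remove stand-in for a product blocking the delete, and the cross-check against the directory listing are assumptions made for illustration.]

```python
import os
import tempfile

def probe(path, list_dir=os.listdir, remove=os.remove):
    """Exclusive-create probe. Returns one of:
    'absent'   - created and deleted cleanly, nothing was there
    'leftover' - created, but the delete failed (probe file stays on disk)
    'visible'  - already existed and the directory listing shows it
    'hidden'   - already existed but the directory listing omits it
    """
    directory, name = os.path.split(path)
    try:
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)
    except FileExistsError:
        # Assumption: cross-check against enumeration before flagging.
        return "visible" if name in list_dir(directory) else "hidden"
    os.close(fd)
    try:
        remove(path)
    except OSError:
        return "leftover"
    return "absent"

def naive_flag(path):
    """Flag on 'File already exists' alone, as the post describes the check."""
    try:
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)
    except FileExistsError:
        return True
    os.close(fd)
    os.remove(path)
    return False

def blocked_remove(path):
    # Constructed stand-in for another product preventing the delete.
    raise PermissionError(path)

def demo():
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "probe_name.tmp")       # constructed name
        first = probe(target)                            # clean scan
        blocked = probe(target, remove=blocked_remove)   # delete is blocked
        size = os.path.getsize(target)                   # 0-byte file remains
        naive = naive_flag(target)                       # next scan flags it
        checked = probe(target)                          # listing shows it
        concealed = probe(target, list_dir=lambda p: []) # simulated hiding layer
        return first, blocked, size, naive, checked, concealed
```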
gaslad
Comodo Family Member

Posts: 55


« Reply #12 on: February 12, 2008, 11:00:50 PM »

Thanks Marcin (author of MBAM).

I should have read this thread more carefully. When I switched D+ from Clean PC Mode to Train with Safe Mode, this conflict disappears, at least for me.

It seems that Clean PC Mode detects and lists in Pending Files all those files MBAM creates, and somehow prevents at least some of them from being deleted by MBAM, resulting in persistent 0 byte files, which a subsequent MBAM scan detects as false positives.

For whatever reason, this does not happen in Train with Safe Mode.
Logged
MiguelAngelXP
Guest
« Reply #13 on: February 12, 2008, 11:39:10 PM »

Hi everyone :

I had Malwarebytes (installed a few days ago), very good program, so thanks a lot Marcin. Well I had none of the trouble that lurkingatu2 has.

To Lurkin : As the other forumers said and it's posted in the COMODO's release note, My Pending Files will fill up ONLY as said GoodBrazer, so try in Train in Safe Mode

Regards
MiguelAngelXP
Logged
lurkingatu2
Comodo Family Member

Posts: 69



« Reply #14 on: February 13, 2008, 12:06:49 AM »

hello

and thanks to marcin and everybody  :)

and i'm in train with safe mode now and it works so far but i did not mind
clean pc mode with the pending files either and i just found it odd that this was
happening so i reported it in bugs

 thanks  :)
Logged

avira antivir pe classic winpatrol counterspy v2.5 superantispyware pro sandboxie spywareblaster zonedout for ie-spyad hostman with mvp hp host file 1.30ghz amd 256 mem xp pro sp2
Tags: CFP 3.0.17 BUG CFP 3.0.16 BUG CFP COMPATIBILITY ISSUE 