Malwarebytes Anti-Malware cannot remove all test files it creates in Clean PC mode (3.0.16 x32)

hello

OK, this has been going on for the past like 3 versions of Comodo v3, but I beta tested
for Malwarebytes Anti-Malware and it's been released and not beta no more. Every time
I do a scan with it or any AV/AS program I use, I scan offline and exit Comodo before
I scan, and when I scan with Ewido 4 (AVG Anti-Spyware) or SUPERAntiSpyware or Avira AntiVir PE Classic
it doesn't leave files in my pending files list, but when I scan with Malwarebytes Anti-Malware
it leaves like 191 files in my pending files, and the files are not on my PC but it still finds
them somehow in my pending files list. Here is what it finds:

I'm using Comodo v3.0.16.295 with Defense+ in Clean PC mode and the firewall in Train with Safe mode.

thanks :slight_smile:

[Edit: Long list of pending files was replaced by *.txt attachment.
Please post such things as *.txt attachments.]


Hi!

You have all those files on your computer, but you can't see them because they are in hidden directories.
To see them, you have to open Explorer, go to Tools → Map Settings → tab Show and check 'Show hidden files' (can't remember the names exactly 'cos my XP isn't in English, but I hope you understand); you also have some other settings there to show some other hidden files if you wish.
I've found out that some security programs leave harmless traces in 'My Pending Files'; you can turn it off and get rid of them if you set Defense+ to 'Train with Safe Mode'.

Hope this will help.

hello

Well, I guess I worded it wrong for here, thanks.

Thank you snowhawk, I understand that, but the thing is between the two something is leaving
some of these files behind on my PC. Rubber Ducky, the maker of Malwarebytes Anti-Malware, says this:

MBAM attempts to create these files and then delete them to make sure they do not exist and are hidden (like a rootkit). Why Comodo retains this information is beyond me.

thanks :slight_smile:

Hi, lurkingatu2

You can try Train with Safe Mode for Defense+ instead of Clean PC Mode if you don't want to deal with "My Pending Files".

I don't like Malwarebytes. I formatted my PC, installed all Microsoft updates and CFP. I installed Malwarebytes Anti-Malware, I scanned my PC and found five objects, hehehe.
MBAM finds FPs with CFP.

If someone is going to reproduce this issue with a bare-bones installation with only CFP and Malwarebytes, I'm going to move this topic to the bug reporting board.

hello

Thanks goodbrazer, that seems to work and I will leave D+ in Train with Safe Mode and
see how it goes. I just found it odd that Comodo found these things even when I exit
Comodo, and somehow something was leaving things behind.

And thanks Rafel, that's your opinion, but I have found F/Ps with many other programs
also, not just MBAM. That's why I don't let anything clean but quarantine, then look them up.

thanks :slight_smile:

I can confirm that there is this conflict between CFP and MBAM.

I also beta tested MBAM, and reported this conflict in their forum. Basically, whenever I scan with MBAM, more than 100 0-byte files are placed in CFP's Pending Files. Unless they are purged, a subsequent scan with MBAM detects them as FP infections.

The workaround, of course, is to purge one’s Pending Files after every MBAM scan.

I don’t know if the cause of this conflict resides with CFP, or with MBAM. Either way, it is a major nuisance!

Infections? Can you post a screenshot for curiosity's sake?
How did MBAM call them?

Okay, here’s what I just now experienced:

  1. I confirm my Pending Files list in CFP is empty
  2. I run MBAM, which reports no infection
  3. I open my Pending Files, and find there are now 213 files listed. Most of these are files created, then deleted by MBAM, and thus no longer exist
  4. I hit the Purge button, which removes all the invalid entries, but in this case 2 "valid" files remain:

  5. I confirm these files exist, were created during the MBAM scan, and are 0 byte files (from the file properties).
  6. I run another MBAM scan, and during its heuristic scan it finds these:

These are clearly false positive detections of the files created during the first MBAM scan.

As I understand it, MBAM creates, then deletes all these files during its scan. Subsequent scans should not pick them up.

The question is, is there some conflict between CFP and MBAM that is preventing this for some of the files? Users of MBAM who do not also use CFP are not reporting this.

From what you say it may be these files were not created by MBAM.

If those files are really 0-byte files and not ADS placeholders, I guess it would be enough to create two 0-byte files with those names to see if MBAM gives the same results.

It's a bit strange for software to dynamically create many files in the Windows directory tree.

EDIT: I was completely off track :-[
A complete explanation can be found just below

Hello everybody, I see some familiar faces here. Perhaps I can explain a bit how these files are created.

During a scan MBAM creates those and then deletes them. If they are created successfully, nothing happens. If they can not be created, and Windows returns an error “File already exists”, it is a rootkit and we flag it for removal.

This is a common method used by other anti-malware utilities. Most also do this for service keys with the same results. If a rootkit has a lock on a registry key, when the anti-malware utility calls RegCreateKeyEx and REG_CREATED_NEW_KEY is returned, the key did not previously exist.

This is just one of our many advanced methods that we use. It does appear however that there is a conflict here.

Marcin Kleczynski
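The probe-file check Marcin describes above, as an added Python example that is not MBAM's code: each probe name is created with an exclusive-create flag, a "file already exists" error is the signal that something occupies a name the scanner never left behind, and every probe that was created is deleted again. The Win32 CreateFile/ERROR_FILE_EXISTS pair is replaced here by the portable `os.open(..., O_CREAT | O_EXCL)` and `FileExistsError`; the probe names are constructed (MBAM's real names and locations are not on this page); and the `delete_after=False` switch simulates the blocked deletion this thread is about, so the second scan shows the false positive. The `classify` function goes beyond the post by cross-checking the flagged names against a directory listing: a probe that failed to create but is visible in the listing is a stale leftover, not a hidden file.

```python
import os
import tempfile

# Constructed probe names for this example; MBAM's own names are not known here.
PROBE_NAMES = ["probe_a.tmp", "probe_b.tmp", "probe_c.tmp"]


def probe_hidden_files(directory, names=PROBE_NAMES, delete_after=True):
    """Try to create each probe name exclusively (the technique from the post).

    Success means nothing occupied the name; a FileExistsError means something
    already did. Returns the list of names that could not be created.
    delete_after=False models the blocked deletion reported in this thread.
    """
    flagged = []
    for name in names:
        path = os.path.join(directory, name)
        try:
            fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
        except FileExistsError:          # errno EEXIST: the name is taken
            flagged.append(name)
            continue
        os.close(fd)                     # created: the name was free
        if delete_after:
            try:
                os.unlink(path)          # clean up our own 0-byte probe
            except OSError:
                pass                     # a blocked delete leaves the probe behind
    return flagged


def classify(directory, names=PROBE_NAMES, listed=None):
    """Cross-view refinement (an assumption beyond the post): a name that fails
    exclusive creation but appears in the directory listing is a visible
    leftover (e.g. a probe from an earlier scan that could not be deleted),
    whereas a name absent from the listing is hidden from the file API view.
    `listed` may be supplied to simulate a listing that omits entries."""
    if listed is None:
        listed = set(os.listdir(directory))
    verdicts = {}
    for name in probe_hidden_files(directory, names):
        verdicts[name] = "visible_leftover" if name in listed else "hidden_from_listing"
    return verdicts


def demo():
    """Reproduce the thread's sequence in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        first = probe_hidden_files(d)                    # clean directory: nothing flagged
        probe_hidden_files(d, delete_after=False)        # scan whose deletes are blocked
        second = probe_hidden_files(d)                   # every leftover is now flagged
        sizes = [os.path.getsize(os.path.join(d, n)) for n in PROBE_NAMES]
        verdicts = classify(d)                           # listing says: stale, not hidden
        simulated_hidden = classify(d, listed=set())     # listing that omits them: hidden
        return {
            "first": first,
            "second": second,
            "sizes": sizes,
            "verdicts": verdicts,
            "simulated_hidden": simulated_hidden,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run as a script it prints an empty first result, all three probe names on the second scan, three zero-byte sizes, and a verdict of `visible_leftover` for each name; only the simulated listing that omits the names yields `hidden_from_listing`, which is the case the technique is meant to catch.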

Thanks Marcin (author of MBAM).

I should have read this thread more carefully. When I switched D+ from Clean PC Mode to Train with Safe Mode, this conflict disappears, at least for me.

It seems that Clean PC Mode detects and lists in Pending Files all those files MBAM creates, and somehow prevents at least some of them from being deleted by MBAM, resulting in persistent 0 byte files, which a subsequent MBAM scan detects as false positives.

For whatever reason, this does not happen in Train with Safe Mode.

Hi everyone :

I have had Malwarebytes (installed a few days ago), a very good program, so thanks a lot Marcin. Well, I had none of the trouble that lurkingatu2 has.

To Lurkin: As the other forumers said, and as posted in COMODO's release notes, My Pending Files will fill up ONLY as GoodBrazer said, so try Train with Safe Mode.

Regards
MiguelAngelXP

hello

And thanks to Marcin and everybody :slight_smile:

I'm in Train with Safe Mode now and it works so far, but I did not mind
Clean PC mode with the pending files either; I just found it odd that this was
happening, so I reported it in bugs.

thanks :slight_smile:

After reading Marcin Kleczynski's explanation it's possible to say that the pending list works as designed.

Anyway in order to address CFP side I have four tests for gaslad. :stuck_out_tongue:

If MBAM is run in Clean PC mode, as long as it is trusted (meaning it is not listed in pending files) it should have no issue deleting those files.
File deletion falls under MBAM's file protection privileges.

So if those files cannot be deleted by MBAM, it should mean that those MBAM entries are actually not false positives.
In order to confirm that there is no CFP glitch or alike, I guess it would be useful to know:

  1. if those 0-byte files are still on the HD
  2. if those files can be deleted manually using Explorer
  3. if MBAM consistently creates those two filenames on each scan
  4. if changing all executables in the MBAM folder to trusted yields different results

Once this info is gathered it would be possible to move this topic in the help board or keep it here

You can delete 0-byte files without problems.

gibran:

To answer your questions:

  1. After purging all the invalid file references from Pending Files, the valid files left are all 0 byte files that still exist on the HD. They most certainly are all false positives that MBAM created (but was blocked from deleting), by using D+ in Clean PC Mode.

  2. Those 0 byte files can be deleted manually using Explorer (and indeed, must be; you can detect and delete them with another MBAM scan, but this just creates more 0 byte files!)

  3. No, the same two 0 byte files are not consistently re-created; it can be any number of the more than 200 files currently appearing in Pending Files after an MBAM scan. The choice, and number of these 0 byte files blocked from deletion is random.

  4. All my MBAM executables are already listed as Trusted Applications in both the Firewall, and in the D+ lists. It makes no difference.

I repeat, the temporary fix that prevents all this is to change the D+ Security Level setting to Train with Safe Mode. Scans with MBAM consistently no longer detect these false positive 0 byte files, presumably because this setting allows MBAM to delete them.

Thanks, I guess there should be no difference in behaviour between Clean PC and Train with Safe Mode.

I’m going to change the title. Please confirm this issue with 3.0.17 too

I can confirm the conflict persists in CFP 3.0.17, and that switching D+ to Train with Safe Mode still avoids it.