Malwarebytes antimalware making systems unbootable

Last night I was working on my PC when Malwarebytes flashed up multiple times. It found 237 infections (trojan downloader), but Comodo was disabled; HitmanPro and Malwarebytes... I've had to format my entire PC and start again. Can anyone explain why Comodo was instantly disabled / did not react? :o :o :o

I am seriously doubting Comodo (:AGY)

Can you please post a screenshot of the Malwarebytes results?

Also, can you please post the configuration you were using for CIS and what you were doing at the time Malwarebytes found these?

Also, was Malwarebytes running in real-time, or was this the free version?

MBAM major FP incident

You may want to blame Malwarebytes, as they caused systems to be unbootable. This is what one of the MBAM forum mods says:

Yes the Database v2013.04.15.13 and later has this fixed.

We are working on picking up the pieces now from this. This was a failure in the engine to ignore a bad line in the database. To make backwards compatibility work, MBAM is supposed to ignore anything that is not in the engine specs, and this should have qualified, but it didn't. This was a serious multiple-level failure that should not have been possible. Support is working on figuring out the best way to restore the systems affected.

For those affected by this please read this article at the MBAM forums on how to solve: ***False positive Trojan.Downloader.ED*** - File Detections - Malwarebytes Forums

Edit: I changed the topic title and moved it.

Because MBAM is trusted.

Are trusted programs really allowed to kill CIS? In my opinion this should be blocked even for trusted applications; only the user should be able to disable CIS (well, the user and CIS itself).

OMG. And that's why you set MBAM Pro to ask, not auto-mode, and think twice before sending something to quarantine or deleting it.

This is what egemen tells us about when a program is allowed to install a driver (i.e. gets kernel access):

In short, a trusted program that runs in the kernel is allowed to do everything. That is why products like CIS are vigilant about driver installations; in D+ you will get a warning with a red banner. CIS is about preventing installation of unwanted programs.

I see, so in a situation with HIPS on and BB off, where a keylogger has been loaded into memory and been allowed to do pretty much anything except access the keyboard and touch CIS (assuming that it is not trusted but is still running, and we have allowed it access to many things except the keyboard and CIS), would this keylogger easily be able to bypass the HIPS security for keyboard access?

I’m not sure if what I just asked makes any sense to anyone else ^-^‘’ I’m not very good at explaining situations but I hope you understand what I’m asking.

Edit: also, what does “kernel access” actually mean? Any links you can give if it’s too much information to write?

Thank you all for the info. It was Malwarebytes that messed up the lot; all other scans (Kaspersky rescue disk, AVG rescue, etc.) found nothing. I have removed Malwarebytes and will not use it again, not even the free version (:AGY)

I'm sorry to say this, but this sort of thing happens periodically to all scanners. Some are more trustworthy, and Malwarebytes is actually one of those; however, you can never entirely trust them.

I wouldn’t recommend getting rid of Malwarebytes. What I would recommend is that you change your settings for all scanners to alert you to detected malware but not to automatically remove it. Then, if something gets detected you should check it yourself to make sure it’s not a false positive. I seriously doubt that something like this will happen to Malwarebytes again, but it does periodically happen to all scanners.

I’m glad I read this. I was under the misconception that a program had to be given installer/updater rights to bypass CIS.

I know certain security applications require a captcha to be entered to bypass/shutdown or be uninstalled. If I remember correctly Emsisoft Antimalware is one.

From what I understand you're talking about keyloggers that inject themselves into other programs. This is not loading a driver and therefore not kernel access.

With kernel access the malware simply unhooks the CIS kernel hooks, disabling it. Then it simply erases files and/or registry entries. It has unrestricted access to everything. The CIS uninstaller does not need to be run.

I agree with Chiron, this happens, but some AV vendors never learn. The best thing you can do is to set everything to manual instead of the auto-mode so you are going to be the one who makes the final decision, but I'm aware that some users can't A such things. I personally don't trust any AV to work in the auto-mode on my system. Also check everything with other AVs; if they are not detecting such malware it might be an FP. Plus, if you use CIS it is highly unlikely that you will get 237 infections out of the blue. So just Q everything.

There seem to be two different topics in this thread. I understand why and how Malwarebytes was allowed to do what it wanted, because it is trusted. What caught my attention was the quote from Egemen and the posts about disabling/bypassing CIS.

Kaspersky, Norton and Bitdefender offer self-protection. Maybe this is something Comodo could look at. On the other hand, if any security suite trusts a file, what's to stop it from disabling the self-protection in the same manner? It's a complex topic that generates a lot of questions. At least for me.

I wouldn't be too sure they can defend themselves against actions originating from the kernel, including unhooking the kernel hooks they use.

Remember, CIS has various self-defense options and cannot be easily terminated. But against programs with kernel access there is nothing that can be done, according to egemen. That goes for Comodo as much as for others.

I'm not a computer expert, so when it started flagging a trojan downloader I trusted Malwarebytes. It even disabled HitmanPro, which I find weird. When this happened I instantly thought it was a trojan, as it disabled everything. Thanks Chiron for the excellent info (as always!). I'm pleased I use Comodo, as where else would you find a forum where you can ask question(s) and get expert answers from moderators and other users!? :rocks:

I’ve changed it to not instantly deal with threats so I can check it out first!

A couple of months ago MBAM gave me a lot of FPs. I knew the files were safe, so I stopped it from quarantining the files.

About time... Should have done that ages ago...

“From now on, antivirus updates from Malwarebytes will be tested on a virtual server before they are pushed out into the world, we’re told, a move that ought to identify at least more obvious problems.”

Source: Malwarebytes declares Windows 'malicious', nukes 1,000s of PCs • The Register