MBAM on Windows XP ... still okay


CharlotteTheHarlot


Malwarebytes' Anti-Malware is a slim, fast, stable and well-liked anti-malware application. I wanted to verify that MBAM is still working soundly on Windows XP and audited the process of install and execution. NOTE: there have been no rumors or announcements or anything like that to worry about, and they still list Windows XP on their site; this is pure research spawned by discussions in other threads here. No worries. Cutting to the chase, I'm happy to report that all is still fine. :thumbup: There are a few very minor issues, however, for the new or casual user to be aware of, documented below.

At the MBAM Website the latest version as of January 4, 2014 is v1.75.0.1300 ( file is literally: mbam-setup-1.75.0.1300.exe ). First thing to note is that website has a few software offerings, and the top two selections on the page look like this ...


Although they use two separate boxes, it is in fact the same file received from both. I assume this is for tracking purposes.

Issue-1 : Website download selection. That will definitely be a little confusing for non-experts but they can be assured that pressing either Free Download or Free Trial will return the same exact file ( 10,285,040 bytes, verified as binary duplicates ).

When executing the installer there are the usual agreement and description pages but the last one is most important ...


[Screenshot: The final installation dialog after I unchecked all the options.]

Issue-2 : Defaults to Trial-Mode. All of those options shown above were pre-selected by MBAM, including the first one which has consequences. So as always I unchecked them all preferring to install quickly without fuss and better control what happens next. Leaving that first one selected has the consequence of enabling the trial mode of the "Pro" component which is realtime monitoring of processes for suspicious activity. If you like that kind of thing fine, but I don't because I feel it is a burden on the CPU and I/O performance in general. Personally I prefer completely standalone, on-demand, as portable as possible, slim apps rather than the trendy uber-integrated always-running security package. MBAM doesn't fit either category exactly but is very close to the former case.

So after de-selecting the options and clicking "Finish" the installer completes and disappears. Nothing further happens since I declined to launch MBAM and run the definitions updater. At this point I took my first look around at system changes. I had originally planned to detail the placement of files but having thought twice about it I am not going to discuss the core too much so as to avoid tipping off the bad guys. MBAM are the good guys and our mutual enemies are going to get no hints from me as to how to defeat security and security apps. The bulk of the program files are placed right in the specified directory ( I used C:\Program Files\MBAM ) and the remainders are sent to the common All Users structure. No surprises here.

Issue-3 : One existing DLL I found effectively back-leveled ( okay, two), I will detail this interesting but very common annoyance below in the next comment.

Issue-4 : The MBAM installer left an autorun entry here ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="C:\\Program Files\\MBAM\\Mbamgui.exe /install /silent"


... which may appear suspicious but I found the explanation here, explained thusly ...


"That startup entry is placed in the RunOnce key in the registry, meaning it will only attempt to execute after the first reboot after installing a new version of MBAM. In the case of the free version it doesn't do anything except to check for a license key for the pro version, and if found, it installs the active protection module.

You can delete it if you'd like as it would do no harm and wouldn't affect MBAM, however leaving it alone won't hurt your PC's performance either and it will delete itself after the first reboot"


Yes it should run once and then disappear Mission Impossible style, but I suspect some folks find it persisting for one reason or another. It can definitely just be deleted ( as I did ) and its use is redundant anyway because the program itself certainly checks to see if it is registered. Frankly it is unnecessary that it would be set to run even once on a computer where the user de-selected "Enable Free Trial" ( as I did ). Perhaps they can fix this by simply skipping this step in the installer in the future.

So at this point I ran the program and it worked properly. The prompt came up for the outdated definitions and I allowed it to update itself with the 7 MB of data ( as usual it is very fast, much MUCH faster than anything at Windows Update which I always get a kick out of. Even if you just get a display monitor driver from WU which is typically just a few KB in size it will take extraordinarily long! ). So definitions update complete I went through all the tabs and looked for anything else to change and I think I found one ...

[Screenshot: That checkmark should probably be cleared.]

... I can't be absolutely sure, but it does feel like either a polling function, or at least a periodic task, which it would need to be in order to magically know that there is an update waiting for install ( because thankfully the Internet architecture is still largely "Pull" and not "Push" ). So I unchecked that box and moved on. I suspect the only thing it changes is that whenever the program is launched it skips phoning home with the current version and comparing to the latest. If I am correct, I'm not only doing myself a favor, but also the good people at MBAM by reducing their bandwidth and processing.

Aside from that, everything is working exactly as expected. :thumbup: MBAM is a very thorough scanner, it is exactly what McAfee and Norton and all the others should be - it can be used ON-DEMAND - and more importantly - it is completely GONE when closed. That makes MBAM a great addition to the toolbox. It also does an excellent job with registry objects, typically finding more suspicious keys and data than any other tool that I use these days.

Issue-5 : The last nitpick is a longtime annoyance ...

[Screenshot: Still no folder selection :realmad:]

... Since you can only select "Drives" you kinda are committed to a long duration scan these days. But there are at least a few ways to work around this: either assign a drive letter to a Folder ( SUBST should work, or through the Disk Management GUI "mount" a folder ), or instead, use a small flashdrive holding your suspicious files ( insert it before running MBAM ). Hopefully they will get around to adding a folder option here for quick scans of targeted objects and downloads.

UPDATE: as mentioned below by RacerBG, the easiest solution is to right-click a folder and use the "Scan with Malwarebytes Anti-Malware" context menu entry!

Edited by CharlotteTheHarlot


As mentioned above ... Version conflicts

Issue-3 : An existing DLL on this system became effectively back-leveled from the MBAM installer. Actually the file was in fact still just fine, but a different one that came in alongside MBAM was self-registered, which for all practical purposes swapped itself into use. This is very common in the Windows DCOM ( or whatever term they are using this year ) architecture, the sad legacy of the genius who invented self-registering files: "registering" means punching-in a slew of code into the Registry whether or not anything was already registered there, even if the older stuff was better.

This is a non-destructive kind of update however. The original file still exists just fine, it's just no longer pointed to by the necessary keys and data in the registry. It can be undone by re-registering the original file later. Old-timers will probably remember when this began to happen, IIRC around the MSVC4 days when OLE was all the rage. A famous case I still recall vividly was MFC42.DLL. Anytime someone called me up and said their programs were suddenly in another language, I knew there were three keys that MFC42.DLL would wreck when it got self-registered ( actually it would just change the file pointer to itself so any programs referencing one of those three registry keys would now import from that new MFC42.DLL located in some new program's folder ) and if the language was for example Spanish or Russian, any MSVC4 apps would with laughable degrees of success attempt to display the new language in their dialogs.

Anywho, it still happens today, most often when the author of an installer adds "self-register" flags to the part that copies files to the destination system. MBAM does this with the file called Ssubtmr6.dll, a 3rd party VB support library that is pretty popular. It is not a dealbreaker though and this particular case is as tame as can be. No language changes, and I happen to know that the author of that library actually cares about backward compatibility, a lot! No harm no foul. But it leads to an interesting saga in the Windows universe - just how the heck can you be sure which of two DLLs is better? It's a great question. Let's find the answer step-by-step ...

I had a Ssubtmr6.dll in Windows\System32 already registered and in use by programs that utilized it. MBAM has its own local copy that got self-registered ( again, this only replaces pointers in the registry to the first file, but leaves it physically alone ). Comparison ...

[Screenshot: My original on left, a different one from MBAM on right.]


Let's break down all the possible criteria for determination of "better" file.

  • File Size. Never a good indicator, but the ORIGINAL is bigger.
  • File Date. Modification sometimes has meaning ( e.g., Windows timestamps ) but rarely otherwise. MBAM is newer ( but instinct says older is better here )
  • File Version. Clear win for the ORIGINAL, but be aware I've seen some real doozy mistakes made in here by authors, and even the compilers ( "10" comes after "9" :whistle: )
  • Description. This is a tie.
  • Copyright. Somebody edited that field. ~sigh~ I hate when that happens. Vote for the ORIGINAL.
  • Digital Signature. Okay, the MBAM file wins this one.
  • Comment. Believe it or not, this is the most telling bit. The text of the ORIGINAL is unambiguously declaring itself a superset of the MBAM file. It wins.
  • Strings. In the registry I see that the CLSID Version is 1.1 for the ORIGINAL and 1.0 for the MBAM file. The ORIGINAL wins this one too.
  • Internals. Where the rubber really meets the road. The exported functions match identically in name and ordinal. But a careful sort and compare of the IMPORTS show several functions missing from the MBAM version indicating updated MSVB6 code in the ORIGINAL. See details.

So after checking a bunch of criteria, the votes simply must go to the ORIGINAL being the better file after all, even though the date is much older. Indeed, I checked out the author of the actual file, Steve McMahon (steve@vbaccelerator.com), and as luck would have it, he still has his site up and the latest available version of Ssubtmr6.dll ( get it here ) is the ORIGINAL I have, I downloaded and diffed it to be sure and they are identical. The author deserves a bunch of kudos by the way as one of those rare programmers that is conscientious and documents things well. :thumbup:

I mentioned that this also affected one other file, but just barely: Vbalsgrid6.ocx. Same author and website and that one was resolved in the same way.

Finally, reverting these is very simple indeed ( in my case ) ...

REGSVR32 C:\Windows\System32\Vbalsgrid6.ocx
REGSVR32 C:\Windows\System32\Ssubtmr6.dll


And now all the registry entries point to the better file and some other inconsequential bits in there are changed back. Version conflicts certainly lead to some strange digressions!

Edited by CharlotteTheHarlot
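Two of the checks in the "which DLL is better" list above, written out as an added example (this is not code from the thread or from Malwarebytes or vbAccelerator): a numeric version comparison that avoids the "10 comes after 9" string-ordering trap, and the sort-and-compare of import lists that the Internals bullet describes. The import lists are constructed for illustration and are not the real import tables of either Ssubtmr6.dll; the version strings 1.1 and 1.0 are the CLSID Version values the post reports.

```python
"""Two of the 'which DLL is better' checks above, run on constructed data."""


def parse_version(text):
    """'1.0.10' -> (1, 0, 10): numeric parts, so 10 sorts after 9 (a string compare gets this wrong)."""
    return tuple(int(part) for part in text.strip().split("."))


def newer_version(a, b):
    """Return the newer of two dotted version strings, or 'tie' when they are equal."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))        # pad so that 1.1 equals 1.1.0
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    if va == vb:
        return "tie"
    return a if va > vb else b


def string_compare_misleads(a, b):
    """True when plain string ordering disagrees with numeric ordering (the '10 after 9' trap)."""
    numeric = newer_version(a, b)
    return numeric != "tie" and numeric != max(a, b)


def diff_imports(original, other):
    """Sort-and-compare two import lists: symbols each file needs that the other does not."""
    orig, oth = set(original), set(other)
    return {
        "only_in_original": sorted(orig - oth),
        "only_in_other": sorted(oth - orig),
        "common": len(orig & oth),
    }


# Constructed import lists for illustration; NOT the real import tables of either
# Ssubtmr6.dll. The names are MSVBVM60 exports, chosen to look like a VB6 library.
ORIGINAL_IMPORTS = [
    "__vbaFreeStr", "__vbaStrCopy", "__vbaNew2",
    "__vbaHresultCheckObj", "__vbaObjSet", "__vbaFreeObj",
]
MBAM_IMPORTS = [
    "__vbaFreeStr", "__vbaStrCopy", "__vbaObjSet", "__vbaFreeObj",
]


def verdict(original_version, other_version, original_imports, other_imports):
    """Combine the two checks the way the post does: version plus which imports each side lacks."""
    imports = diff_imports(original_imports, other_imports)
    return {
        "version_winner": newer_version(original_version, other_version),
        "imports_missing_from_other": imports["only_in_original"],
        "imports_missing_from_original": imports["only_in_other"],
    }


if __name__ == "__main__":
    print(string_compare_misleads("1.0.10", "1.0.9"))   # the "10 comes after 9" trap
    print(verdict("1.1", "1.0", ORIGINAL_IMPORTS, MBAM_IMPORTS))
```

Real import and export tables would come from a PE dumper (dumpbin /imports or an equivalent); the point of the diff is that a set of runtime symbols present in one file and absent from the other is evidence of which build is later, independent of the file date.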

I appreciate you going into more depth about MBAM. You wrote about it a few days ago in the XP Security post and I decided to try the free version. I don't like something always running or wanting to update. I like running the program when I just want to do a quick check. I like the free version and it did find three suspicious items on my notebook which probably have been there for some time.

From what I could find on searching around ... these items should probably not be there.

Items Found:

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

...


HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

These are the settings for the Security Center's notifications. 1 means that it will notify you if the corresponding item isn't enabled or present or - in the case of the Antivirus - not updated, while 0 means that it won't. They are settings changed by the user; except for the security risk of disabling these elements, there is nothing really malicious here.


I appreciate you going into more depth about MBAM. You wrote about it a few days ago in the XP Security post and I decided to try the free version. I don't like something always running or wanting to update. I like running the program when I just want to do a quick check.

No problem. And I feel the same way about these programs. The more hostile AV programs ( including MSSE ) are burning up CPU and I/O protecting you from yourself and even have the temerity to intercept flashdrives, deleting tools and causing delays. MBAM has always ( in the non-realtime version ) been much more friendly.

I like the free version and it did find three suspicious items on my notebook which probably have been there for sometime.

From what I could find on searching around ... these items should probably not be there.

Items Found:

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

That report states there is no problem, so no worries. Under that key are a bunch of policies, the three that you show ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000

... should look like above to receive warnings. In that report MBAM is telling you that DWORD "0" is considered good and "1" is bad. It says that you have zeroes so it's fine and no action taken.

Those values are using the patented and confusing Microsoft reverse logic ( just think the opposite of what it says ). In actuality it is a mistake according to MSKB949737 ...

AntiVirusDisableNotify REG_DWORD
0x00—Display AntiVirus alerts.
0x01—Disable AntiVirus alerts.

FirewallDisableNotify REG_DWORD
0x00—Display firewall alerts.
0x01—Disable firewall alerts.

UpdatesDisableNotify REG_DWORD
0x00—Display Automatic Update alerts.
0x01—Disable Automatic Update alerts.

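The three registry points raised in this thread (the RunOnce entry from Issue-4 in the top post, the InprocServer32 pointer that self-registration rewrites in the "Version conflicts" post, and the Security Center DisableNotify DWORDs explained just above) can all be checked offline from a .reg export. What follows is an added example, not code from the thread or from Malwarebytes: a small parser for the .reg text format plus three readers over the result. The embedded export is constructed, not a real capture: the RunOnce value is the one quoted in the top post, the CLSID is an all-zeros placeholder rather than a real class id, the DLL path under it is assumed, and one of the Security Center values is deliberately set to 1 so the "bad" case shows up.

```python
"""Parse a Windows .reg export and pull out the three things discussed in the thread."""
import re

# Constructed sample export (not a real capture). It contains the RunOnce value the
# top post quotes, a placeholder CLSID (all zeros, not a real class id) whose
# InprocServer32 pointer now names an assumed MBAM-folder copy of Ssubtmr6.dll, and
# the three Security Center notification DWORDs with one of them set to the "bad" value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="C:\\Program Files\\MBAM\\Mbamgui.exe /install /silent"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\Program Files\\MBAM\\Ssubtmr6.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
'''


def _decode_value(token):
    """Turn one .reg value token into a Python value (strings and dwords only)."""
    token = token.strip()
    if token.startswith("dword:"):
        return int(token[len("dword:"):], 16)
    if token.startswith('"') and token.endswith('"'):
        # .reg escapes backslash and double quote with a backslash
        return re.sub(r"\\(.)", r"\1", token[1:-1])
    return token  # hex:, multi-string etc. are left raw


def parse_reg(text):
    """Return {key_path: {value_name: value}}; the default value is stored under '@'."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        keys[current][name] = _decode_value(value)
    return keys


RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)


def autorun_entries(keys):
    """List (Run|RunOnce, value name, command line) for every autorun value present."""
    found = []
    for key in RUN_KEYS:
        for name, command in keys.get(key, {}).items():
            found.append((key.rsplit("\\", 1)[1], name, command))
    return found


def inproc_servers(keys):
    """Map CLSID -> DLL path from InprocServer32 defaults: the pointer that self-registration rewrites."""
    servers = {}
    pattern = re.compile(r"\\CLSID\\(\{[^}]+\})\\InprocServer32$", re.IGNORECASE)
    for key, values in keys.items():
        match = pattern.search(key)
        if match and "@" in values:
            servers[match.group(1)] = values["@"]
    return servers


SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
NOTIFY_VALUES = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")


def security_center_alerts(keys):
    """0 (or absent) = alerts displayed, 1 = alerts disabled, per MSKB 949737 and MBAM's Good/Bad."""
    values = keys.get(SECURITY_CENTER, {})
    return {name: ("displayed" if values.get(name, 0) == 0 else "DISABLED")
            for name in NOTIFY_VALUES}


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for where, name, command in autorun_entries(parsed):
        print(f"{where}: {name!r} -> {command}")
    for clsid, path in inproc_servers(parsed).items():
        print(f"CLSID {clsid} InprocServer32 -> {path}")
    for name, state in security_center_alerts(parsed).items():
        print(f"{name}: alerts {state}")
```

Running it on a real export taken before and after an install (regedit's File > Export of the keys in question) shows exactly which InprocServer32 pointers moved to the new program's folder, which is the information needed to decide whether a REGSVR32 of the original file is called for.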

If you want to scan ONLY specific folder/file/anything: right click on it and then click to scan with Malwarebytes. Simple as that. ;)

Thanks RacerBG :thumbup:

I saw the ShellEx context menu entries in the registry capture and totally forgot about them. When I right-clicked a folder its entry was way down past the scrolling part, so I have not even been seeing the "Scan with Malwarebytes Anti-Malware" for quite some time.

Indeed that method works just fine! I'll update the top post. Thanks again.


If you want to scan ONLY specific folder/file/anything: right click on it and then click to scan with Malwarebytes. Simple as that. ;)

Thanks RacerBG :thumbup:

I saw the ShellEx context menu entries in the registry capture and totally forgot about them. When I right-clicked a folder its entry was way down past the scrolling part, so I have not even been seeing the "Scan with Malwarebytes Anti-Malware" for quite some time.

Indeed that method works just fine! I'll update the top post. Thanks again.

No problems. :) You know, sometimes the hardest questions have a simple answer.


Thanks Charlotte, RacerBG and HarryTri for all the information. Nice little program to have handy for a quick check. Was aware of MBAM for several years, just never really checked it out. I thought it might have to be "running" all the time so I never took interest.

I saw that right click ... check a file tab, have used it for some downloads. I have three notebooks to update which is simple and quick to do but I sometimes just update one notebook and then manually update the other two myself with the "rules.ref" file and also the "database.conf" located within the Configuration folder.

I found these instructions for anyone with a computer not online: Just a quick note ... C:\Documents and Settings\All Users\Application Data ... the Application Data folder is a hidden folder so I changed that to be always visible.

Malwarebytes' Anti-Malware (MBAM)

I need to get the latest database onto a computer that cannot access the Internet.

You can manually copy the database from a working computer using a flash drive or CD onto the infected PC. Our database file is stored in the following locations.

Windows XP and 2000:

C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref

Windows Vista and Windows 7:

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref

Note: Starting with Malwarebytes Anti-Malware 1.60, you must also copy the file database.conf located within the Configuration folder which is in the same folder as rules.ref listed above.

Update:

http://data.mbamupdates.com/tools/mbam-rules.exe

You can also download a manual update from here - NOTE: This manual update will always be way behind in version level compared to updates from within the program.

MajorGeeks - Malwarebytes' Anti-Malware Database

http://www.majorgeeks.com/files/details/malwarebytes_anti_malware_database.html

TECHSPOT - Malwarebytes Anti-Malware Database

http://www.techspot.com/downloads/4844-malwarebytes-anti-malware-update.html

...

Edited by duffy98
