Malwarebytes Scan in Safe Mode

Status
Not open for further replies.

ksiemb

Distinguished
Nov 15, 2009
154
0
18,660
For some reason, the thread that spawns this post eludes me, as well as the fact that the PM I sent remains unanswered, so hopefully this post remains intact.

I made a comment in someone's post, saying Malwarebytes was less effective when running in Safe Mode, and was promptly told by a member, I did not know what I was talking about. Hopefully that person will refer to this link to bring his knowledge up to date.

http://forums.malwarebytes.org/index.php?showtopic=90791&st=0&gopid=458941&

 
Solution
Yes, MBAM works better and was designed to run in Windows Normal Mode. If you can run it in Normal Mode then you should. If you cannot, but it will run in Safe Mode only, then that is better than nothing, but once you have the system running better you should scan again in Normal Mode.

You are correct ^ :D

aford10

Distinguished
Unless this is the result of a recent revision, I've always found it more effective in safe mode in the past. Most of the time, the client infections I see won't even allow MBAM to run in normal mode.

I'm sure they know their software better than I do. I'll be sure and do some more tests with their latest version. I'm just giving my experience from personal and client machines. When paired up with something like SuperAntiSpyware in safe mode, it will almost always clean it up.
 

Hawkeye22

Distinguished
Moderator


The guys from MBAM did state to run in safe mode only if you aren't able to run normally, then run it again in normal mode after it has removed stuff while in safe mode. So, they are aware that there are nasties out there that will prevent MBAM from working, just that it's best to run in normal mode if you can.
 

aford10

Yep, I read through their thread.

However, in normal windows, more files are in use/locked, malware will be more active, and there's a much greater chance that your scans are being tampered with.

Like I said, I'm sure they know their software, and I'll be sure to do some tests.
 

ksiemb



Yes, malware will be more active (there is an entry point) that MBAM can detect, and that is why it is better to scan in normal mode. In those cases where the scans are being inhibited, or something like RKILL does not remove the infected resource to allow the scans to run, by all means, try the scan in safe mode. But, make sure to repeat the scan in normal mode.

Post summary from MBAM:
MBAM Safe Mode Scanning - Why you shouldn't.
Safe Mode scans are a last resort, e.g., an infection keeps you from scanning in normal mode. You have run RKILL & still can't scan in safe mode.

In Safe Mode:
1) Not all Entry Points and resources are loaded.
2) The Direct Access Driver does not load, which means MBAM can't check for hidden "stuff" like rootkits.
3) Scan will also be a decent amount slower in safe mode because of the disk tech MBAM and Windows allows in safe mode.
4) Because of the infections not being in memory, Quick scan would be quite hampered in safe mode.

If you MUST scan in Safe Mode:

If infections are found, REBOOT AND repeat scan in Normal mode.
 

ksiemb



Please do your "tests" and let us know.
 

aford10

A client brought a computer in today. Here's the logs of 3 scans:

1. I ran Malwarebytes in normal mode. It found nothing, and note, it only scanned 175 items. Not good.


2. I booted into safe mode with networking, and ran Malwarebytes. Notice, it didn't find anything, but scanned over 186k items. Also, notice the time for the scans. It's not slower to run in safe mode.


3. I ran SuperAntiSpyware in safe mode with networking. Notice that it scanned over 82k items, and found 114 threats.


This is one test, on one computer, but I stand by my statements above. I've used the same process on a few hundred computers, and found Malwarebytes to be much more effective in safe mode with networking. And it's even more effective when combined with other scanners, such as SuperAntiSpyware, and Combofix.

 

1PW

Distinguished
Aug 12, 2011
10
0
18,570
@aford10:

About every third or fourth week an MBAM user will post a topic on the Malwarebytes' Forums where their Full Scan completes in an unexpectedly short period and a minuscule number of objects were scanned.

I can't remember the last time that it wasn't the user's error.

 

ksiemb


@aford10 - Thanks for posting your results. Quite interesting. I certainly agree with using other scanners, as you mention, and as is evident from your results. I wonder what the MBAM scan in Normal mode would have detected had RKILL been run first, possibly allowing the scan to run its course instead of scanning only 175 items? No one deserves to be infected, but if they are still on SP2, most assuredly their other software is out of date also, causing their problems.
 

shadowwar

Distinguished
Aug 12, 2011
2
0
18,510
I would love to know what the cause of that was, Aford. Can you attach the full logs and maybe the Combofix? Do you have any of the samples that were detected by Combofix or SAS?

Our detection rates are still among the best. SuperAntiSpyware detects harmless tracking cookies and that greatly inflates their counts.

Using multiple scanners is always a good idea. It's impossible to catch everything with one tool.

Just something interesting: here is an independent review.

http://www.youtube.com/watch?v=xuPxA6lQs5s
 

aford10



Well, the software isn't very complicated to use, and I've run Malwarebytes scans many, many times. It's pretty hard to screw up the scan. I used the exact same options when I ran the scan in safe mode, so the results are there.

This was just one client's PC. There will be more to come if you'd like more logs.
 

aford10



Hey shadow. That client already picked up that computer. However, I'd be glad to upload more logs when other PCs come my way.

Just want to make it clear, I'm not bashing Malwarebytes by any means. It's a great software. I've just found it more effective in safe mode with networking.
 

shadowwar

No problem. Maybe I came off as too defensive.

That being said, we are looking into self-protection, and any instances like this, if we can figure out the cause, would be very helpful. The only way I could duplicate your results without knowing the infection was if all the checkboxes were unchecked in scanner settings with the exception of scan startup objects.

One of the reasons we state Normal mode is because of the linking technology that MBAM uses. If it doesn't see it in memory, the registry keys and such may not be removed along with the infection. That's why a full scan in safe mode is necessary.
 