
Malwarebytes

Kaspersky AV Reports Suspicious Activity when Updating MBAM


15 replies to this topic

#1
edge

    New Member

  • Members
  • 18 posts
I'm not sure if this is the right forum for a false positive with Kaspersky AV 8.0.0.454. I am running KAV 8.0.0.454 and did the manual update for MBAM 1.37. KAV reports suspicious activity: MBAM-setup is trying to download a driver in a hidden way. Which choice in KAV: Allow or Add to Exclusions? I would assume Quarantine and Terminate are not the correct choices.

#2
exile360

    exile

  • Moderators
  • 12,965 posts
  • Gender:Male
Greetings ;) . This is a known issue with Kaspersky and it is due to its heuristics engine, which automatically flags any program that installs a driver the way that MBAM does. Just have Kaspersky allow it and it should be fine.
Samuel E Lindsey
Product Manager


Follow us: Twitter, Become a fan: Facebook

#3
Rocky

    New Member

  • Members
  • 29 posts

exile360, on May 27 2009, 04:22 AM, said:

Greetings :P . This is a known issue with Kaspersky and it is due to its heuristics engine, which automatically flags any program that installs a driver the way that MBAM does. Just have Kaspersky allow it and it should be fine.
I've been using Kaspersky Internet Security together with the MBAM free version for a long time. Would you please then explain why only with this last version of MBAM I've received, for the first time, the warning that MBAM was attempting to install a hidden driver (obviously mbam.sys)?
Thanks in advance for your answer
Rocky

#4
Guest_remixed_*

  • Guests
Nobody seems keen on addressing this issue, which applies to all Kaspersky products. It doesn't bother me, but in my judgement (and a brief poll) the casual MBAM user is going to go with Kaspersky's current recommendation!

#5
exile360

    exile

  • Moderators
  • 12,965 posts
  • Gender:Male
@remixed: That's true, unfortunately, and it is my only hindrance in widely advising novice users to use the two together, so I usually recommend they use Avira just so they don't have to worry about remembering to tell Kaspersky to allow it every time a new version is installed.

@Rocky: The driver was changed quite a bit in 1.37 and that most likely has a lot to do with it, also if you're running Vista 64, 1.37 would've been the first version that the driver actually functioned in which is why Kaspersky would give the alert because it wouldn't concern itself with a "dormant" driver that didn't function. I never got these alerts myself either (note I'm running Vista 64) until version 1.37, but users running 32 bit Windows versions have been getting these alerts every time they installed a new version of MBAM if Kaspersky was running at the time.
Samuel E Lindsey
Product Manager


#6
Guest_remixed_*

  • Guests
Nope, I run Vista 32 & XP Pro 32 and this is the first EVER time I've received a 'Red' alert recommending quarantine or deletion. Sure, on previous occasions Kaspersky has questioned or prompted for a decision when a new version is installed, but this kind of alert is a first!

#7
exile360

    exile

  • Moderators
  • 12,965 posts
  • Gender:Male
Ah, I see. It either has to do with a change in Kaspersky's heuristics or the many changes to the drivers that MBAM uses with version 1.37. Probably the latter, although I did have to reboot after a recent KAV update a few days ago, meaning they did alter some part of the KAV engine itself.

edit: I just found this on the KL forums. Looks like "whitelisting" by them for MBAM is not an option. Users will just have to live with it and the uninformed will still be breaking MBAM on installation because Kaspersky suspects it of being a threat because of the way it installs its drivers. Bummer :P .
Samuel E Lindsey
Product Manager


#8
Rocky

    New Member

  • Members
  • 29 posts
Thanks for the answers
But is there anybody who can explain the reason for a hidden driver installation (mbam.sys), which is of concern for many users (because obviously the antivirus in this way can no longer monitor the application)?
Thank you
Rocky

#9
Rocky

    New Member

  • Members
  • 29 posts

Rocky, on May 28 2009, 08:50 AM, said:

Thanks for the answers
But is there anybody who can explain the reason for a hidden driver installation (mbam.sys), which is of concern for many users (because obviously the antivirus in this way can no longer monitor the application)?
Thank you
Rocky
Btw, I use Windows Vista and Windows XP, both 32-bit, but as already said it is really the first time that I get such a warning.
It doesn't matter; however, what I would like to understand is WHY the MBAM driver needs a hidden installation, which is not covered by any AV product (not only Kaspersky)???
Thanks in advance for a kind reply from someone of MBAM great team.
Rocky

#10
vinod_r2

    New Member

  • Members
  • 13 posts
  • Gender:Male
  • Location:India

Rocky, on May 28 2009, 06:36 PM, said:

Btw, I use Windows Vista and Windows XP, both 32-bit, but as already said it is really the first time that I get such a warning.
It doesn't matter; however, what I would like to understand is WHY the MBAM driver needs a hidden installation, which is not covered by any AV product (not only Kaspersky)???
Thanks in advance for a kind reply from someone of MBAM great team.
Rocky


It's not just KAV... loads of other vendors are picking up the drivers and .tmp files on installation...

I am trying to see why... submitting to online scanners... :P
Regards
Vinod

#11
Rocky

    New Member

  • Members
  • 29 posts
any news from MBAM team?
mmmm....
no news .....bad news
Rocky

#12
exile360

    exile

  • Moderators
  • 12,965 posts
  • Gender:Male
I'm not part of the MBAM development team, but I believe the driver works the way it does to be able to get lower-level access to the system to check for rootkits, hidden malware etc. and be able to remove it (very similar to the drivers used by many AVs themselves). I believe if the driver installed normally it would be much more easily blocked or disabled by an infection that could already be present on the system. I could be wrong, of course; this is just my guess based on the observations I've made about MBAM and how it works.
Samuel E Lindsey
Product Manager


#13
Baz.

    Advanced Member

  • Experts
  • 217 posts
  • Gender:Male
  • Location:London
Hi guys,

I'm also a mod at the Kaspersky forum so perhaps I can explain this a bit further.

What is happening is that MBAM is trying to install its protection driver, and Kaspersky is intercepting this attempt and alerting you to a hidden driver installation.

Some rootkits (TDSS, Bagle) and other bad malware install a driver invisibly in order to bypass antivirus and security tools. However, security software and legitimate programs also need to install drivers in order to protect your system. Hence, an alert is given by Kaspersky so that you can decide whether you trust the program installing the driver or not. If you know and trust the program making the driver install, it is fine to allow; however, if you are not doing anything (e.g. updating software or installing a new version) and suddenly get such an alert (citing a program you do not know or recognise), it may be wise to block it and investigate further.

The reason MBAM triggers such an alert is because v1.37 includes a new, improved protection driver which needs to be installed in order to complete the update. Previous updates did not need to do this because the update did not include such fundamental driver changes.

Kaspersky will not be removing this detection because it is a very important interception point for a number of rootkits and removing this detection mechanism would leave people running their programs vulnerable to rootkit installation.

To sum up, in the case of updating MBAM it is perfectly safe to allow.
Kind Regards,

Baz.
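Baz's rule of thumb above (allow the driver if you know and trust the program, block and investigate if you do not) can be backed up with a quick check before you click Allow. The snippet below is an added example, not code from the thread or from Malwarebytes or Kaspersky: it looks at the driver files named elsewhere in this thread (mbam.sys and mbamswissarmy.sys under system32\drivers), reports whether each has a valid Authenticode signature and who signed it, and whether the driver is registered with the Service Control Manager, which is where a legitimately installed driver shows up and a rootkit driver typically does not. The file paths, the expected publisher substring and the use of `Get-CimInstance` (PowerShell 3 or later; use `Get-WmiObject` on older systems) are assumptions of this example.

```powershell
# Added example (not from the thread): sanity-check a driver that an AV has
# flagged as a "hidden driver installation" before allowing it.
# Assumptions: the driver paths below (taken from later in the thread) and the
# publisher substring expected in the signer certificate's subject.

$drivers = @(
    "$env:SystemRoot\System32\drivers\mbam.sys",
    "$env:SystemRoot\System32\drivers\mbamswissarmy.sys"
)
$expectedPublisher = 'Malwarebytes'   # assumption: substring expected in the Subject

# All kernel drivers register as services; this is the OS's own view of them.
$registeredDrivers = Get-CimInstance Win32_SystemDriver

foreach ($path in $drivers) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not present (not yet installed, or removed): $path"
        continue
    }

    # Authenticode check: Status should be 'Valid'; anything else is a reason to stop.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # A driver that is loaded but has no SCM entry is exactly the "hidden" case
    # the AV alert is designed to catch; a legitimate driver is listed here.
    $leaf = Split-Path -Leaf $path
    $svc  = $registeredDrivers | Where-Object { $_.PathName -like "*\$leaf" } | Select-Object -First 1

    [pscustomobject]@{
        File        = $path
        SigStatus   = $sig.Status                      # expect 'Valid'
        Signer      = $signer
        PublisherOK = ($signer -like "*$expectedPublisher*")
        Registered  = [bool]$svc
        ServiceName = if ($svc) { $svc.Name }      else { '' }
        State       = if ($svc) { $svc.State }     else { 'not registered' }
        StartMode   = if ($svc) { $svc.StartMode } else { '' }
    }
}
```

Run it from an elevated PowerShell right after the alert appears (the installer has usually already dropped the file by then). A result with `SigStatus = Valid`, `PublisherOK = True` and `Registered = True` matches what Baz describes as safe to allow; an unsigned or mismatched signer, or a driver that the SCM has no record of, is the case where blocking and investigating is the right call.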

#14
dalem29

    New Member

  • Members
  • 24 posts
I wonder if this driver problem has anything to do with the updating problem some of us are having?

#15
secret365

    Regular Member

  • Honorary Members
  • 94 posts
I am using Kaspersky Anti-Virus & notice this behavior.

What I do is pause protection in Kaspersky Anti-Virus before I upgrade Malwarebytes to a newer version.

#16
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US

secret365, on May 30 2009, 06:03 PM, said:

I am using Kaspersky Anti-Virus & notice this behavior.

What I do is pause protection in Kaspersky Anti-Virus before I upgrade Malwarebytes to a newer version.

As is the recommendation with ANY software install. If you read the fine print for many applications, they ask or tell you to DISABLE your Anti-Virus while installing.


If you're still having problems with installation or update of MBAM please DISABLE your Anti-Virus temporarily and follow the directions below.



Basic procedures to correct freezing issues often due to other Security Software
If these procedures do not correct the problem please create a new post seeking further assistance
  • Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
  • Restart your computer (very important).
  • Download and run this utility.
  • It will ask to restart your computer (please allow it to).
  • After the computer restarts, install the latest version from here
    Note: If you're using a PAID version of Malwarebytes, you will need to reactivate the program using the license you were sent via e-mail.
BEFORE registering and starting the Protection Module, locate the Exclusion List for your Anti-Virus. It is probably under an advanced menu in the program.
Add the following folders (and sub-folders, if you can); at a minimum, add the listed files to the exclusions to be safe.

  • C:\Program Files\Malwarebytes' Anti-Malware
  • C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
  • C:\WINDOWS\system32\drivers\mbam.sys
  • C:\WINDOWS\system32\drivers\mbamswissarmy.sys
  • C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
  • C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
Ron Lewis
Manager, Online Support


If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.




