
Malwarebytes

Will MBAM auto detect malware in pen drives


18 replies to this topic

#1
srtools1980y

Hello

Will Mbam auto detect malware in pen drives?


Fyi:

I am having USB Virus Scan installed, with real time protection enabled, in my system.

I have disabled autoplay & OS is XP SP3.

#2
YoKenny1

I like Autorun Eater that is similar to USB Virus Scan I believe:
http://download.cnet.com/Autorun-Eater/300...4-10752777.html

I have not disabled autoplay but I do not let things auto-run from Flash drives.

Welcome to Honorary Members
E5200 2.5GHZ, 4GB RAM, 320GB HD, Win7 Home Premium 64-bit, avast! V6.0 Free, IE9
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3, 32-bit, avast! V6.0 Pro, Macrium Reflect
with IE8 and Chrome, hpHosts, MVPS HOSTS files, MBAM Full, OpenDNS, SpeedFan, WinPatrol PLUS

#3
srtools1980y

YoKenny1

Thanks for your response, but I want to know whether Mbam will auto detect malware in pen drives?

#4
YoKenny1

Select Perform full scan then un-select the main hard drive(s) then select the Flash drive.

#5
swagger

YoKenny,

I think srtools wants to know if it will detect any malicious activity on the thumb drive automatically when plugged in or run from the drive. I'd say if it was run from the thumb drive and MBAM has the definitions for whatever nasty it is, it will detect it. Paid version with realtime protection of course.
Desktop ----- AMD Athlon 3700+ (2.64Ghz), 2GB DDR 400, ASUS A8N-SLI Premium, 500GB HD, Windows XP Pro SP3, Avira Antivir Personal, MBAM Pro
Laptop ----- Intel C2D P8400 (2.4 Ghz), 4GB DDR3 1066, Mainboard, 160GB HD, Dualboot: Windows 7/openSUSE 11.1, Avira Antivir Personal

#6
srtools1980y

swagger

Your reply has cleared my doubt, but not fully. (fyi - mine is the paid version, with realtime protection checked).

I got this doubt because when I plug in pen drives, MBAM is silent.

There is no indication whether it is scanning the drive or not.

I guess it will notify only if the drive is infected.

Am I right?


Can mbam staff answer me?

Fyi : USB Virus Scan immediately starts scanning & gives the report.

#7
swagger

I don't believe MBAM is going to scan automatically unless you actually execute something from the USB drive OR something executes itself. I hope that clears it up.

#8
srtools1980y

Yes I am clear now.

#9
exile360

Yes, MBAM leaves any sort of automatic scanning, aside from the scans you schedule using the Task Scheduler, to your anti-virus. The protection module only looks at processes in memory, not accessed files. This is to avoid system slowdowns as well as potential conflicts with antivirus software.
Samuel E Lindsey
Product Manager


#10
swagger

exile360, on Sep 7 2009, 12:52 AM, said:

The protection module only looks at processes in memory, not accessed files.

Aren't they one and the same? Processes in memory and accessed files are both running, correct? I understand your logic in that MBAM leaves the scanning up to the A/V when you plug a drive in for instance. But when a file from that drive is executed, that file is therefore scanned. Please correct me if I am wrong so that I know for my own sake and that I don't tell others the wrong information.

#11
srtools1980y

Now I am confused.
Please somebody clearly tell me will Mbam auto detect malware in pen drives?

#12
exile360


swagger, on Sep 7 2009, 09:19 AM, said:

Aren't they one and the same? Processes in memory and accessed files are both running, correct? I understand your logic in that MBAM leaves the scanning up to the A/V when you plug a drive in for instance. But when a file from that drive is executed, that file is therefore scanned. Please correct me if I am wrong so that I know for my own sake and that I don't tell others the wrong information.
No, for example: if you're scanning your computer with your antivirus, the files being scanned are being accessed. Even if your av scans a file that MBAM would detect with its own scan, it won't be detected by the protection module (there is one specific case where this changes, but I'll get to that in a second ;) ) as the file (let's say it's a trojan executable) isn't currently a running process in memory, its file is simply being analyzed by your av.

The one exception is if you're using an av that has a built-in execution emulator, meaning it executes files in a sandbox to determine an executable's behavior as part of a heuristic analysis (Kaspersky does this, and I've seen MBAM catch inactive malware while being scanned by Kaspersky, but not when scanned by other tools as they don't have the emulation feature).

edit: So to clearly answer your question, no, MBAM will not automatically detect malware in pen drives, autochecking newly attached storage and files as they are accessed by anything (including explorer.exe) is the job of your antivirus, and MBAM is not designed to work this way, again, to avoid conflicts with your av as it would cause a serious performance hit to have 2 security programs checking each file and newly attached storage medium at once.

#13
swagger

@exile,

Understood. I was thinking of "accessed" as opened and not as "scanned" by A/V or any other security tool. That makes sense to me. So in an effort to make this clear for srtools, MBAM will only catch malicious activity if the file is actually run from the drive or automatically runs (ex. from the autorun.inf file). Correct?

#14
exile360

Exactly, and only then if the malicious exe on the pen drive is successfully executed. If you don't use autoplay to run what the autorun.inf file points to, it will not be automatically detected by MBAM because it is not running in memory, but if the malicious process does run, then MBAM will detect it as long as it's in MBAM's definitions ;) .
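The autorun.inf launch entries discussed in posts #13 and #14 can be listed before anything on the drive runs. The following is an added example, not part of any post in this thread and not Malwarebytes code: it parses an autorun.inf and reports the files its open, shellexecute and shell\<verb>\command entries would start. The sample content, file names and function names are constructed for illustration.

```python
import ntpath
import re

# Keys whose value is a command line: open, shellexecute, shell\<verb>\command.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Constructed sample for illustration; not taken from a real drive.
SAMPLE = """\
[autorun]
icon=setup.ico
open=RECYCLER\\helper.exe /q
shell\\explore\\command="tools\\view files.cmd" -x
label=My Drive
[other]
open=ignored.exe
"""

def autorun_targets(text):
    """Return [(key, command)] for each launch entry in the [autorun] section."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        key, sep, value = line.partition("=")
        if in_section and sep and LAUNCH_KEY.match(key.strip()) and value.strip():
            targets.append((key.strip().lower(), value.strip()))
    return targets

def program_of(command):
    """File named first on the command line (unquoted paths end at a space)."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]

def review(text):
    """List the files on the drive that would become processes if launched."""
    report = []
    for key, command in autorun_targets(text):
        prog = program_of(command)
        ext = ntpath.splitext(prog)[1].lower()
        report.append({"key": key, "program": prog, "executable": ext in EXEC_EXT})
    return report

if __name__ == "__main__":
    for entry in review(SAMPLE):
        print(entry)
```

Each reported program is a file at rest until something launches it, which is the distinction the thread draws between on-access scanning by the antivirus and a module that only watches running processes.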

#15
swagger

Exactly what I thought, thanks for the clarification. ;)

srtools, is this presented clearly now?

#16
srtools1980y

I watched the debate from Post #12 to 15.
I am very clear now.
Thanks for your efforts swagger & exile360.

#17
swagger

No problem at all ;) Definitely not a debate though, just good ol fashioned intellectual conversation. I'm happy with the end result.

#18
exile360

Me too, a good discussion to really root out the details never hurts, this way everyone who reads it can learn something ;) .

#19
srtools1980y

Yes this topic is truly educative.
In future posts if anyone raises the same doubt/question, here is the answer.




