Malwarebytes

> Plugin Available?, BartPE support please :D
PyrK
post Jul 22 2008, 06:09 PM
Post #1


New Member
*

Group: Members
Posts: 1
Joined: 22-July 08
Member No.: 2,982



First of all, thanks for the incredible product, I had tried the top anti-spyware / anti-virus software and tools to no success until I found yours. Kaspersky, Spybot, Adaware, McAfee, HiJackThis, etc. etc. etc. I was basically out of options and at a point of desperation (format c:), so thanks.


Anyways, I was wondering if there is a version of Malwarebytes that could run on my bootable BartPE CD. I am contemplating making one myself after having no googling success.

thanks --
RubbeR DuckY
post Jul 22 2008, 06:59 PM
Post #2


Marcin
******

Group: Root Admin
Posts: 4,212
Joined: 15-October 05
Member No.: 1



I will look into making this a possibility.


--------------------
Marcin Kleczynski
Malwarebytes President and CEO



handydude40
post Oct 26 2008, 05:10 PM
Post #3


New Member
*

Group: Members
Posts: 1
Joined: 26-October 08
Member No.: 4,748



QUOTE (RubbeR DuckY @ Jul 22 2008, 11:59 AM) *
I will look into making this a possibility.



Just started using this product. Like it. I scanned with Spybot till clean, then ran this product; it found and removed more. Very noticeable speed at start after, but I really want a BartPE plug-in like Spybot has.
GT500
post Oct 26 2008, 10:35 PM
Post #4


Forum Deity
******

Group: Moderators
Posts: 4,555
Joined: 31-December 07
From: Fortville, IN
Member No.: 1,983



QUOTE (RubbeR DuckY @ Jul 22 2008, 02:59 PM) *
I will look into making this a possibility.


Still think it will take you a year of coding to get MBAM ported into 100% C++ before it will be possible?


--------------------
Arthur Wilkinson
Malwarebytes Customer Support



SkeeterPE
post Nov 20 2008, 03:24 AM
Post #5


New Member
*

Group: Members
Posts: 11
Joined: 26-August 08
Member No.: 3,493



QUOTE (GT500 @ Oct 26 2008, 05:35 PM) *
Still think it will take you a year of coding to get MBAM ported into 100% C++ before it will be possible?


@Rubber Ducky

with respect to anyone who can C++....

I am an admin who has XPE shell running on BartPE. Malwarebytes' Anti-Malware scanner has been a life saver installed on Windows. I installed it and ran Plugin Creator to develop a working plugin. Frustratingly enough, it doesn't. There's been quite a bit of talk of MBAM not being able to run in a Pre-installed Environment; however, BartPE does in fact support VB, because I have the VB plugin enabled and it still reports C+ errors. Could this error be evidence of another requirement that BartPE does not have? .NET is also enabled on my rescue CD.

Any input would be more than I have now. Many, many many thanks in advance!!

Chris
Houston,TX.
RubbeR DuckY
post Nov 21 2008, 03:38 AM
Post #6


Marcin
******

Group: Root Admin
Posts: 4,212
Joined: 15-October 05
Member No.: 1



Chris,

A lot of Malwarebytes' Anti-Malware is already programmed in C++ including one of the DLL's and all of the drivers. Without having BartPE on hand, I have no idea how to resolve the issue you are having. In fact, I have never used a pre-installed environment.


--------------------
Marcin Kleczynski
Malwarebytes President and CEO



SkeeterPE
post Dec 2 2008, 04:01 PM
Post #7


New Member
*

Group: Members
Posts: 11
Joined: 26-August 08
Member No.: 3,493



QUOTE (RubbeR DuckY @ Nov 20 2008, 10:38 PM) *
Chris,

A lot of Malwarebytes' Anti-Malware is already programmed in C++ including one of the DLL's and all of the drivers. Without having BartPE on hand, I have no idea how to resolve the issue you are having. In fact, I have never used a pre-installed environment.


@RubbeR DuckY:

Admins rely on BartPE for data rescue and other administrative tasks. It brought admins like myself out of the dark ages. Truly. When SpyBot introduced its spyware scanner it was a godsend, because most malware's MO makes cleaning the "C" drive while in Windows utterly impossible. Re-imaging the PC was the only fix. More and more, malware disables the launch of anti-malware applications inside of Windows. Enter BartPE. It IS a pseudo-Windows installed temporarily on the RAM sticks (operating completely independent of the hard drive).

MBAM being programmed in C++ means that whatever platform it runs on must have VB software installed in order to run properly. BartPE is set up to accept what we call "plug-ins" in the PE (Pre-installed Environment) community. Plug-ins are just programs and applications that have been scripted into the BartPE, Windows-like environment so that these things run like they were at one time actually installed, complete with registry entries and shortcuts on the desktop.

The fact that my custom MBAM plugin doesn't work could be a multitude of issues not even related to how it is programmed. MBAM has worked impeccably every time. When you or one of the other posters mentioned that BartPE didn't support VB applications, I wanted to mention that it recently had support for VB added. It could be that maybe if I told the scripting app to process the MBAM plugin after everything else, or process it last, it might work, because it could be that the plugin is being overwritten with something else at the end of the process. (Happens all the time.)

Any suggestions or questions are welcome.

SkeeterPE
WayneQ
post Dec 4 2008, 02:49 PM
Post #8


New Member
*

Group: Members
Posts: 1
Joined: 4-December 08
From: High Point, NC
Member No.: 5,932



Here is a simple work-around for Malwarebytes and BartPE.
Boot the CD with Network support.
Use TotalCommander to share the root of the C:/ drive.
On another computer with MalwareBytes installed, map the shared folder (drive) from the target computer, then run MalwareBytes from that computer and scan the shared drive.
While it doesn't do the registry on the drive properly, it does do about everything else.
Hope this helps.
SkeeterPE
post Dec 6 2008, 03:41 AM
Post #9


New Member
*

Group: Members
Posts: 11
Joined: 26-August 08
Member No.: 3,493



QUOTE (WayneQ @ Dec 4 2008, 09:49 AM) *
Here is a simple work-around for Malwarebytes and BartPE.
Boot the CD with Network support.
Use TotalCommander to share the root of the C:/ drive.
On another computer with MalwareBytes installed, map the shared folder (drive) from the target computer, then run MalwareBytes from that computer and scan the shared drive.
While it doesn't do the registry on the drive properly, it does do about everything else.
Hope this helps.



What an excellent idea! I didn't think about that. Truly outside-the-box thinking! I can't wait to attempt this at the office on Monday.

I'll let you know the results.

SkeeterPE
Richard Jordan
post Dec 11 2008, 06:58 PM
Post #10


New Member
*

Group: Members
Posts: 5
Joined: 11-December 08
Member No.: 6,368



I have created what seems to be a working plug-in for Anti-Malware. Here goes...

Note the following is based on version 1.31...

1. Install MalwareBytes Anti-Malware on your PC.

2. Follow the instructions given in the MalwareBytes Anti-Malware.htm file included in plug-in folder.

Please note that I needed this and threw it together yesterday after searching for one that had already been created. By all means, give feedback if something does not work right or even if it works as wished. While I am not in a position to support this, I will fix what needs to be fixed. This may be distributed on other sites without the need to ask permission.
Attached File(s)
Attached File  MalwareBytes_Anti_Malware.zip ( 2.46K ) Number of downloads: 589
 
RubbeR DuckY
post Dec 11 2008, 07:08 PM
Post #11


Marcin
******

Group: Root Admin
Posts: 4,212
Joined: 15-October 05
Member No.: 1



I don't think that everyone understands. Malwarebytes' Anti-Malware will LOSE power in the PE environment. It is not worth running in the PE environment at all. Running it in Windows will be the safest and most effective way (and not in safe mode either).


--------------------
Marcin Kleczynski
Malwarebytes President and CEO



exile360
post Dec 12 2008, 12:03 PM
Post #12


Forum Deity
******

Group: Experts
Posts: 6,121
Joined: 14-February 08
Member No.: 2,103



Yup, the drivers are essential to its effectiveness and so is scanning the processes in memory. It's not your typical scanner that relies on file signatures and registry data alone; that's why it's so darn effective and why the definitions files are so small.


--------------------
Samuel E Lindsey
Malwarebytes Quality Assurance



Richard Jordan
post Dec 12 2008, 05:34 PM
Post #13


New Member
*

Group: Members
Posts: 5
Joined: 11-December 08
Member No.: 6,368



This was made for myself. I saw there was this post looking for a way to do it so I shared it. What drivers are you referring to and how would functionality be lost? Not meaning to be defensive, but rather curious since I have not seen anyone post these comments until now.
exile360
post Dec 12 2008, 06:05 PM
Post #14


Forum Deity
******

Group: Experts
Posts: 6,121
Joined: 14-February 08
Member No.: 2,103



The drivers like mbamswissarmy.sys and mbam.sys. As far as lost functionality, like I said, MBAM is not a raw file scanner like an antivirus is, it's designed specifically to detect active infections on a running system booted in normal mode (safe mode even hinders its detection rates). You could literally take a bunch of trojans, dll's etc. that are malware that MBAM would normally detect, put them all into a single folder on your desktop or elsewhere (as long as it's not the location the files would be in if they were active), have MBAM scan the folder, and it won't find a thing. This is why MBAM typically gets poor reviews from a lot of anti-spyware review sites, because they just fill a folder with malware samples and throw scanners at it to see which one gets the most hits. MBAM uses detections based on location of a file, entries in the registry, and processes in memory to do most of what it does for detections. The drivers are part of that, although I'm not a developer, so I couldn't tell you how much, but I'm sure it has to do with MBAM's ability to detect/remove rootkits and hard-to-remove trojans and other malware. MBAM is pretty unique in this, it's one of the reasons that it also catches a lot of zero day infections, even without an update, due to its heuristics, because it knows where to look based on an infection's previous variants. Again, that's also why the definitions are small, because many of the infections it finds are located using simple patterns that a particular malware will show on a system, like entries in the registry and/or certain files like drivers and dll's. Personally, I use an offline disc like Avira, or if I need to, Bart's, UBCD, or ERD/MS DaRT to do repairs on an unbootable system to get it running, and then run what scanners I can from normal mode and only go into safe mode if I absolutely have to.
I'd much prefer a portable version of MBAM that would run from a CD or flash drive, or even just a folder copied to the desktop, than an offline scanner. I believe that's already in the works though.


--------------------
Samuel E Lindsey
Malwarebytes Quality Assurance



Richard Jordan
post Dec 13 2008, 11:55 AM
Post #15


New Member
*

Group: Members
Posts: 5
Joined: 11-December 08
Member No.: 6,368



QUOTE (exile360 @ Dec 12 2008, 01:05 PM) *
The drivers like mbamswissarmy.sys and mbam.sys. ...

In the instructions I provide, those drivers are covered for the plug-in and ensuring they are placed where they should be. Without those, I found that the program did not work as it should as you pointed out. I follow what you say about processes running in memory not able to be detected in safe mode or via PE environments, however.

My advice is never rely on a single product. I love AntiMalware, else I would not have taken the time to create this. I recently had a laptop come in that prevented AntiMalware and McAfee from running. I performed a scan with AntiMalware and again with McAfee (both from PE). Once I rebooted, I repeated the process in a normal Windows environment. AntiMalware found no infections. McAfee found only remnants of infections that were not running in memory.

Thanks for the feedback.
exile360
post Dec 13 2008, 12:10 PM
Post #16


Forum Deity
******

Group: Experts
Posts: 6,121
Joined: 14-February 08
Member No.: 2,103



Oh yeah, I absolutely agree about not relying on one product, my signature will show you how much protection I run. And you should see my malware removal toolkit, it's insane how much stuff I have in there. I don't really use McAfee's command line scanner or stinger anymore though, they just never seemed to pick much up. These days I use Trend's Sysclean, Kaspersky's AVZ and/or AVPTool and a portable version of Avira. I also throw Dr. Web's Cureit and Norman Malware Cleaner at it. That's just for viruses, I have a lot of anti-spyware/anti-malware apps that I run as well.


--------------------
Samuel E Lindsey
Malwarebytes Quality Assurance



SkeeterPE
post Dec 15 2008, 10:26 PM
Post #17


New Member
*

Group: Members
Posts: 11
Joined: 26-August 08
Member No.: 3,493



QUOTE (Richard Jordan @ Dec 11 2008, 01:58 PM) *
I have created what seems to be a working plug-in for Anti-Malware. Here goes...

Note the following is based on version 1.31...

1. Install MalwareBytes Anti-Malware on your PC.

2. Follow the instructions given in the MalwareBytes Anti-Malware.htm file included in plug-in folder.

Please note that I needed this and threw it together yesterday after searching for one that had already been created. By all means, give feedback if something does not work right or even if it works as wished. While I am not in a position to support this, I will fix what needs to be fixed. This may be distributed on other sites without the need to ask permission.

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Wow Guys. Awesome. Thanks for everyone's efforts. I reimaged a notebook just this afternoon because of destructive malware. Prevented mbam.exe from running. I tried renaming the executable, but still not able to get going so this is going to be a sweet time for me and my group of guys.

SkeeterPE Admin in Houston

xw4300, Windows XP x64, superantispyware, malwarebytes' anti-malware, trendmicro, and spybot S&D
xA4Hx
post Dec 18 2008, 10:14 PM
Post #18


New Member
*

Group: Members
Posts: 8
Joined: 18-December 08
Member No.: 6,772



I never know what computer I will be fixing. As an independent person, I have had to go into safe mode using Malwarebytes to install and then hope to god it is updated enough to remove enough just to be able to boot Windows, since Windows seems to freeze up this one guy's laptop every time he gets malware; last case was like 43. It is literally not able to be used, you just have to turn it off by holding the key. So from that standpoint I started looking at Vista PE in hopes everyone will be on Vista to use. So I don't know about Malwarebytes being less powerful in safe mode, but it really is the only way I can get enough damage repair before I can even boot into Windows and when this doesn't work anymore. I hate to image a machine; back in the day, I had to reimage a lot because none of the tools in market were effective enough. Spybot to me dropped the ball, and so many others. So as I take income in, from Malwarebytes solely, not my only tool, but solely fixing a machine, I plan to donate money just by buying pro version. Will have so many licenses, depending on if this ever repicks back up on the side, than I know what to do with.

-illusion

P.S. Just my view, I hope Malwarebytes doesn't drop the cookie and let someone else eat their lunch by looking for the small cookie. LOL, ok I am done
siniman
post Dec 19 2008, 12:53 PM
Post #19


New Member
*

Group: Members
Posts: 1
Joined: 19-December 08
Member No.: 6,792



I will try the plugin today. I am a BartPE fan and use it to remove spyware and viruses. So I have at least 3 programs that remove spyware and about 5 antivirus programs on my CD.
Raid
post Dec 24 2008, 11:02 PM
Post #20


Malwarebytes
******

Group: Experts
Posts: 2,371
Joined: 16-July 06
From: United States
Member No.: 281



QUOTE (siniman @ Dec 19 2008, 07:53 AM) *
I will try the plugin today. I am a BartPE fan and use it to remove spyware and viruses. So I have at least 3 programs that remove spyware and about 5 antivirus programs on my CD.


Just so that everyone understands: Malwarebytes is *not* the author of this plugin. We do not support it in any way, shape or form. The program was not designed for this purpose, and is hindered in operation while running under these conditions. We do not support MBAM running under this PE environment. So if you choose to do this, you do so on your own.