Full Version: What does Protection protect against?
pgovotsos
Hello,
When the protection module of MBAM is running, is it supposed to protect against everything MBAM detects or is it supposed to do something else? I have a system that scans clean and the protection module is enabled. Today, during a scheduled scan, two infected keys were found (and cleaned). I was surprised. I thought the protection module would do just that - protect. Here is the MBAM log from the scheduled scan:

Malwarebytes' Anti-Malware 1.33
Database version: 1714
Windows 5.1.2600 Service Pack 3

2/2/2009 2:02:46 PM
mbam-log-2009-02-02 (14-02-46).txt

Scan type: Quick Scan
Objects scanned: 54732
Time elapsed: 6 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
GT500
The protection module protects against things installing. It does not detect things that are running in real time like an anti-virus does, and it does not detect registry settings that have been changed by an already running application, unless that application is trying to install something that MBAM protects against.

The registry entries that your log contains are just settings that were changed, and are not big issues. They can affect the way certain things work though, so MBAM fixes them. The ones in your log show that script files will open in notepad instead of running, and that registry exports will open in notepad instead of regedit. These make malware removal hard for experts (we often have users run scripts and sometimes use registry exports to fix registry issues), and they can break a few things, but they do not actually cause harm.
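An added example, not part of the original post or of Malwarebytes' own code: a Python parser for the scan-log format posted above that extracts each changed open command with its bad and good values and checks the summary counts against the detail sections. The function names and the trimmed sample log are constructed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the scan log posted in this thread.
SAMPLE_LOG = r"""
Registry Keys Infected: 0
Registry Data Items Infected: 2

Registry Keys Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
"""

COUNT = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")
HEADER = re.compile(r"^(?P<section>.+ Infected):$")
DATA_ITEM = re.compile(
    r"^(?P<key>HKEY_.+?) \((?P<detection>[^()]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*)\) -> (?P<action>.+)$"
)

def parse_log(text):
    """Return (counts, entries): summary counts and detail lines per section."""
    counts, entries, current = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := COUNT.match(line):
            counts[m["section"]] = int(m["n"])
        elif m := HEADER.match(line):
            current = m["section"]
            entries[current] = []
        elif line and current and line != "(No malicious items detected)":
            entries[current].append(line)
    return counts, entries

def changed_open_commands(text):
    """Parse each 'Registry Data Items' line into key, bad value and good value."""
    counts, entries = parse_log(text)
    # Sanity check: the summary count must match the number of detail lines.
    for section, n in counts.items():
        if len(entries.get(section, [])) != n:
            raise ValueError(f"{section}: summary says {n}, details differ")
    items = entries.get("Registry Data Items Infected", [])
    return [DATA_ITEM.match(line).groupdict() for line in items]

if __name__ == "__main__":
    for item in changed_open_commands(SAMPLE_LOG):
        print(item["key"], "|", item["bad"], "->", item["good"])
```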
pgovotsos
Thanks for the quick reply and info.
Panagiotis
exile360
QUOTE (GT500 @ Feb 3 2009, 12:33 AM) *
It does not detect things that are running in real time like an anti-virus does...

I wasn't aware of that. So basically, if I have say, a trojan not yet detected by MBAM, I update MBAM and detection for that trojan is added, it won't be caught running in memory and will require running a scan to be detected?
GT500
QUOTE (exile360)
I wasn't aware of that. So basically, if I have say, a trojan not yet detected by MBAM, I update MBAM and detection for that trojan is added, it won't be caught running in memory and will require running a scan to be detected?


Quite correct. That's why there is the ability to schedule daily scans.
exile360
Doesn't seem very proactive, but it does help to make sure there are no conflicts with AV software. Thanks for the info GT.
GT500
QUOTE (exile360)
Doesn't seem very proactive, but it does help to make sure there are no conflicts with AV software. Thanks for the info GT.


It also prevents slowing down your PC.
Swandog46
QUOTE
I wasn't aware of that. So basically, if I have say, a trojan not yet detected by MBAM, I update MBAM and detection for that trojan is added, it won't be caught running in memory and will require running a scan to be detected?


I think most antiviruses will have the same problem. You certainly don't want it to scan your system fully every single time you update, on the off chance you might have something new in memory. That would be very taxing on system resources. So we have to make tradeoffs!