
1.60 Didn't catch a known test .zip file...


7 replies to this topic

#1 LifeIsPhun
Posted 21 December 2011 - 07:14 PM

I am an MBAM PRO user and decided to try 1.60 BETA. I uninstalled 1.5, ran mbam-clean.exe and rebooted, installed 1.6, updated, re-registered and did a quick scan, then a full scan. I saved a file received in e-mail just today (as every day) that is the popular "FedEx_Tracking_Report_Notification...zip" file FULL of malware. VirusTotal.com lights up with hits on the file. I had it sitting on my Win7 Pro desktop, which lives on C:\Users\... A full scan did not detect anything. Then I right-clicked the file on the desktop and had MBAM scan it directly...0 hits! What am I missing?

Below is the dump of my scan:

Malwarebytes Anti-Malware (PRO) 1.60.0.1400
www.malwarebytes.org

Database version: v2011.12.20.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Mark :: ZOOOM [administrator]

Protection: Enabled

12/21/2011 3:32:57 PM
mbam-log-2011-12-21 (15-32-57).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 465934
Time elapsed: 21 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#2 LifeIsPhun
Posted 21 December 2011 - 07:17 PM

SORRY...didn't mean to start a new topic...meant to just add it to the end of the one that was running.

#3 David H. Lipman
Posted 21 December 2011 - 07:21 PM

"FedEx_Tracking_Report_Notification...zip" file FULL of malware. VirusTotal.com lights-up with hits on the file.

MBAM doesn't scan the contents of archive files (ZIP, RAR, 7z, CAB, LZH, CHM, JAR, TAR, LZA, etc).
David H. Lipman
DLipman@Verizon.Net

#4 LifeIsPhun
Posted 21 December 2011 - 07:26 PM

Thanx, I guess I knew that at one time then forgot. I carefully extracted it from the Archive and scanned...MBAM did beautifully!!!

Sorry for the panic...

#5 exile360
Posted 21 December 2011 - 07:27 PM

No worries, thanks for testing :)!
Samuel E Lindsey
Product Manager


#6 David H. Lipman
Posted 21 December 2011 - 07:54 PM

Thanx, I guess I knew that at one time then forgot. I carefully extracted it from the Archive and scanned...MBAM did beautifully!!!

Sorry for the panic...


No panic.

Many are confused over what is scanned and what is targeted.

The best way to describe it is to state what is scanned and targeted. MBAM specifically targets executable types of binaries which start with 'MZ' as the first two characters in the binary. These could be EXE, DLL, SYS and CPL files, but they can be renamed to any file extension, or to an executable file extension like LNK, BAT, CMD and PIF. Often we find malicious binaries posted on photo or other web sites that have been renamed from EXE to JPG, PNG or GIF to obfuscate the malicious intent of the file.

This means that MBAM will not scan data files such as SWF, DOC, PPT, XLS, PDF, CLASS, etc., or script files such as HTML, JS, PHP, BAT, CMD, etc.

The fully installed anti-virus application on one's computer that performs both "On Access" and "On Demand" scanning will scan those file types. That is one of the two main reasons why MBAM supplements anti-virus software and does not replace it. The second is that MBAM doesn't specifically "target" viruses, because MBAM can't "clean" the malicious code from an infected file where code has been prepended, appended or cavity injected. For that matter, MBAM can't "clean" a trojanized file either. At best MBAM will delete these files. To my knowledge, with the present version (and the version in Beta) MBAM can't "clean" MBR code either.

I can't tell you how often I see subjects posted here that call everything a "virus". With the minor exception of virus droppers, MBAM doesn't target viruses.

References:
http://en.wikipedia....S_MZ_executable
http://www.fileforma...e/corion-mz.htm
David H. Lipman
DLipman@Verizon.Net
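The two points made above, that MBAM keys on the 'MZ' header rather than the file extension (post #6) and that it does not look inside archive files (post #3), as an added triage example that is not code from this thread or from Malwarebytes: a Python check that flags objects by their magic bytes regardless of name and descends into ZIP containers, which is exactly the case the on-disk scan here missed. The FAKE_MZ payload and the sample archive are constructed placeholders, and find_hidden_binaries is a helper name assumed for this example.

```python
import io
import zipfile
from typing import Iterator, List

# Constructed placeholder: the two-byte DOS/PE signature plus padding.
# It is not a real executable; only the header matters for this check.
FAKE_MZ = b"MZ" + b"\x00" * 62
ZIP_MAGIC = b"PK\x03\x04"  # local file header that opens a ZIP archive


def has_mz_header(data: bytes) -> bool:
    """True when the object starts with 'MZ', whatever its file extension."""
    return data[:2] == b"MZ"


def scan_bytes(name: str, data: bytes) -> Iterator[str]:
    """Yield names of MZ-headed objects, descending into ZIP containers
    (nested archives included) so a renamed binary inside a lure is found."""
    if has_mz_header(data):
        yield name
    if data[:4] != ZIP_MAGIC:
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as member:
                    yield from scan_bytes(f"{name}!{info.filename}", member.read())
    except zipfile.BadZipFile:
        return  # looked like a ZIP but is not one; nothing more to inspect


def build_sample_archive() -> bytes:
    """Constructed test input shaped like the 'FedEx_Tracking' lure: a ZIP that
    holds a placeholder MZ binary renamed to .pdf beside a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FedEx_Tracking_Report.pdf", FAKE_MZ)
        zf.writestr("readme.txt", b"just text")
    return buf.getvalue()


def find_hidden_binaries(samples: dict) -> List[str]:
    """Run the check over a {name: bytes} mapping and return every hit."""
    hits: List[str] = []
    for name, data in samples.items():
        hits.extend(scan_bytes(name, data))
    return hits
```

Feeding the constructed archive to find_hidden_binaries reports the .pdf member inside the ZIP while the text file and the ZIP itself stay clean, which is the extraction step the thread had to do by hand.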

#7 LifeIsPhun
Posted 21 December 2011 - 08:05 PM

David,

Thanx for taking the time to explain. I REALLY appreciate it. I am now wiser as to the pairing of MBAM with my AV software...never quite understood it until your precise explanation.

#8 David H. Lipman
Posted 21 December 2011 - 08:08 PM

David,

Thanx for taking the time to explain. I REALLY appreciate it. I am now wiser as to the pairing of MBAM with my AV software...never quite understood it until your precise explanation.

David H. Lipman
DLipman@Verizon.Net
