MBAMSwissArmy service - where is it?


7 replies to this topic

#1 TheSpirit

    New Member

  • Members
  • 6 posts
  • Gender:Male
  • Location:Denmark

Posted 07 December 2008 - 03:17 AM

New user running MBAM free on XP pro SP2+. Everything works just fine, and when I run a scan, this event pops up in the system event log:

Event Type:	Information
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7035
Date:		2008-12-07
Time:		08:49:00
User:		**********\Administrator
Computer:	**********
Description:
The MBAMSwissArmy service was successfully sent a start control.

It looks fine to me, so I tried to trace this service using Windows and Sysinternals tools, but this seems to be impossible.

So, where is it? Rootkit? :D

#2 exile360

    exile

  • Administrators
  • 16,017 posts
  • Gender:Male

Posted 07 December 2008 - 03:34 AM

MBAMSwissArmy is actually a driver, not a service so it loads as a driver would load and wouldn't show up in the system under installed services. Perhaps somehow it is designed to run as a hidden service, but you'd have to ask one of the developers about that. I run the free version as well and have never found any hidden processes loaded by MBAM and as far as I know, the drivers load on demand when you start the program. In fact, the only component I've found from MBAM that loads on boot is the context menu handler which allows you to right click a file or folder and scan it with MBAM. The drivers MBAM loads as far as I know are actually used to remove rootkits/trojans etc.
Samuel E Lindsey
Product Manager


#3 TheSpirit

    New Member

  • Members
  • 6 posts
  • Gender:Male
  • Location:Denmark

Posted 07 December 2008 - 05:40 AM

Thanks exile, but then I should be able to find it in Process Explorer as a driver in the System process like all other drivers, or listed on Autoruns' driver tab, right?

This is a bit like tracking malware. :D

#4 exile360

    exile

  • Administrators
  • 16,017 posts
  • Gender:Male

Posted 07 December 2008 - 05:55 AM

Well in the free version it doesn't load at boot so it wouldn't show up using Autoruns, not sure about ProcessExplorer though. It loads on demand when you load MBAM so if you were to try to trace it I would probably use ProcessMonitor and observe MBAM to see how it loads it.
Samuel E Lindsey
Product Manager


#5 TheSpirit

    New Member

  • Members
  • 6 posts
  • Gender:Male
  • Location:Denmark

Posted 07 December 2008 - 06:03 AM

Thanks again exile, I did manage to find a mysterious handle in Process Explorer.

Process Monitor is interesting, of course. I'll try that later. Millions of events, I'm sure.

#6 Swandog46

    Elite Member

  • Administrators
  • 958 posts
  • Gender:Male

Posted 07 December 2008 - 12:54 PM

It is loaded at scan time and unloaded afterwards so as to be lightweight. The file is mbamswissarmy.sys in your System32\drivers folder, feel free to have a look at it. :)
Doug Swanson
Chief Technical Officer


#7 TheSpirit

    New Member

  • Members
  • 6 posts
  • Gender:Male
  • Location:Denmark

Posted 07 December 2008 - 02:08 PM

It is loaded at scan time and unloaded afterwards so as to be lightweight. The file is mbamswissarmy.sys in your System32\drivers folder, feel free to have a look at it. :)


Yes indeed, you are right, and it does appear in the list of drivers in Process Explorer, but only during the scan. Thank you.
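The thread establishes that MBAMSwissArmy is a driver loaded only for the duration of a scan, announced by Service Control Manager event 7035 and visible in Process Explorer only while the scan runs. The script below is an added example, not code from the thread or from Malwarebytes: it reads the same SCM events from the System log to show when the driver was loaded and unloaded, checks the on-disk file and its Authenticode signature, and asks the SCM whether the driver is registered right now. It assumes a current Windows PowerShell (5+) session run elevated; the service name and file path are taken from the posts above.

```powershell
# Added example: verify a load-on-demand driver such as MBAMSwissArmy from a
# defender's seat instead of trying to catch it live in Process Explorer.
# Assumptions: Windows PowerShell 5+, elevated session, System log readable.
param(
    [string]$DriverName = 'MBAMSwissArmy',   # service name quoted in the 7035 event
    [string]$DriverFile = "$env:SystemRoot\System32\drivers\mbamswissarmy.sys"
)

# 7035 = "was successfully sent a start/stop control"; 7036 = "entered the running/stopped state".
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7035, 7036
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($DriverName) } |
    Sort-Object TimeCreated

if (-not $events) {
    Write-Output "No SCM 7035/7036 events mention $DriverName."
} else {
    # Pair each load with the next unload to show how long the driver stayed resident (one scan's worth).
    $start = $null
    foreach ($e in $events) {
        if (-not $start -and $e.Message -match 'start control|running state') { $start = $e.TimeCreated; continue }
        if ($start -and $e.Message -match 'stop control|stopped state') {
            $secs = ($e.TimeCreated - $start).TotalSeconds
            Write-Output ("{0}: loaded {1:s} -> unloaded {2:s} ({3:N0} s)" -f $DriverName, $start, $e.TimeCreated, $secs)
            $start = $null
        }
    }
    if ($start) { Write-Output ("{0}: loaded {1:s}, no matching unload yet" -f $DriverName, $start) }
}

# The service name must map to a real, signed file; a name with no file behind it deserves a closer look.
if (Test-Path $DriverFile) {
    $sig  = Get-AuthenticodeSignature -FilePath $DriverFile
    $hash = (Get-FileHash -Path $DriverFile -Algorithm SHA256).Hash
    Write-Output ("{0}: signature={1} signer={2} sha256={3}" -f $DriverFile, $sig.Status, $sig.SignerCertificate.Subject, $hash)
} else {
    Write-Output "$DriverFile is not on disk (expected only if the product is uninstalled)."
}

# Live view: is the driver registered with the SCM at this moment? Load-on-demand drivers are usually absent here.
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$DriverName'" -ErrorAction SilentlyContinue
if ($drv) { Write-Output ("{0}: state={1} startmode={2} path={3}" -f $drv.Name, $drv.State, $drv.StartMode, $drv.PathName) }
else      { Write-Output "$DriverName is not currently registered with the SCM (consistent with load-on-demand)." }
```

Run it once before and once during a scan to see the driver appear in the live check and then pair up as a load/unload interval in the event output.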

#8 exile360

    exile

  • Administrators
  • 16,017 posts
  • Gender:Male

Posted 07 December 2008 - 09:18 PM

Yup, I knew where it was. It was actually fascinating reading your investigation though, as I wasn't sure how/when MBAM loaded its detection drivers. Now, thanks to you, I have a better understanding of how it works. Thanks a lot. Good luck and safe surfing.
Samuel E Lindsey
Product Manager
