TheSpirit

MBAMSwissArmy service - where is it?

8 posts in this topic

New user running MBAM free on XP pro SP2+. Everything works just fine, and when I run a scan, this event pops up in the system event log:

Event Type:	Information
Event Source:	Service Control Manager
Event Category:	None
Event ID:	7035
Date:		2008-12-07
Time:		08:49:00
User:		**********\Administrator
Computer:	**********
Description:	The MBAMSwissArmy service was successfully sent a start control.

It looks fine to me, so I tried to trace this service using Windows and Sysinternals tools, but this seems to be impossible.

So, where is it? Rootkit? :D

MBAMSwissArmy is actually a driver, not a service, so it loads as a driver would load and wouldn't show up in the system under installed services. Perhaps somehow it is designed to run as a hidden service, but you'd have to ask one of the developers about that. I run the free version as well and have never found any hidden processes loaded by MBAM, and as far as I know the drivers load on demand when you start the program. In fact, the only component I've found from MBAM that loads on boot is the context menu handler, which allows you to right-click a file or folder and scan it with MBAM. The drivers MBAM loads, as far as I know, are actually used to remove rootkits/trojans etc.

Thanks exile, but then I should be able to find it in Process Explorer as a driver in the System process like all other drivers, or listed on Autoruns' driver tab, right?

This is a bit like tracking malware. :D

Well, in the free version it doesn't load at boot, so it wouldn't show up using Autoruns; not sure about Process Explorer though. It loads on demand when you load MBAM, so if you were to try to trace it I would probably use Process Monitor and observe MBAM to see how it loads it.

Thanks again exile, I did manage to find a mysterious handle in Process Explorer.

Process Monitor is interesting, of course. I'll try that later. Millions of events, I'm sure.

It is loaded at scan time and unloaded afterwards so as to be lightweight. The file is mbamswissarmy.sys in your System32\drivers folder, feel free to have a look at it. :)

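The behaviour described in this thread (an SCM 7035 event for a name that is not an installed service, because it is a kernel driver loaded only for the duration of a scan) can be checked from the defender's side with the script below. This is an added example, not code from the thread or from Malwarebytes; it assumes a modern Windows host with PowerShell 3 or later (Get-WinEvent and Get-CimInstance did not exist on XP), and the service name, watch interval and file path are assumptions taken from the posts above.

```powershell
# Added example (not from the thread). Assumes PowerShell 3+ on a modern Windows
# host. Explains an SCM 7035/7036 event for a name that is not a Win32 service by
# checking whether it is an on-demand kernel driver, verifying the file on disk,
# and watching it load and unload while the product is running.
param(
    [string]$Name = 'MBAMSwissArmy',   # service name taken from the 7035 event
    [int]$WatchSeconds = 60             # how long to watch for load/unload
)

# 1. Recent Service Control Manager start/stop control events for this name.
$filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7035, 7036 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($Name) } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# 2. Driver or service? Win32_SystemDriver lists kernel/file-system drivers,
#    Get-Service lists user-mode services; a driver will only appear in the former.
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='$Name'"
if ($drv) {
    "{0}: type={1} state={2} start={3} path={4}" -f $drv.Name, $drv.ServiceType, $drv.State, $drv.StartMode, $drv.PathName
} elseif (Get-Service -Name $Name -ErrorAction SilentlyContinue) {
    "$Name is a Win32 service, not a driver."
} else {
    "$Name is not registered right now; an on-demand driver may only register while its product runs."
}

# 3. Check the file the thread points at and its Authenticode signature, so an
#    unexpected or unsigned binary under the same name stands out.
$sys = Join-Path $env:SystemRoot "System32\drivers\$Name.sys"
if (Test-Path $sys) {
    $sig = Get-AuthenticodeSignature -FilePath $sys
    "{0}: signature={1} signer={2}" -f $sys, $sig.Status, $sig.SignerCertificate.Subject
} else {
    "$sys not present on disk."
}

# 4. Watch the running driver list: a driver loaded only during a scan appears
#    and then disappears, which boot-time persistence tools such as Autoruns miss.
$seen = $false
$deadline = (Get-Date).AddSeconds($WatchSeconds)
while ((Get-Date) -lt $deadline) {
    $running = Get-CimInstance Win32_SystemDriver -Filter "Name='$Name' AND State='Running'"
    if ($running -and -not $seen)    { "{0:HH:mm:ss} {1} loaded from {2}" -f (Get-Date), $Name, $running.PathName; $seen = $true }
    elseif (-not $running -and $seen) { "{0:HH:mm:ss} {1} unloaded" -f (Get-Date), $Name; $seen = $false }
    Start-Sleep -Seconds 2
}
```

Run it from an elevated prompt and start a scan while step 4 is watching; the load and unload lines should bracket the scan, matching the 7035/7036 pairs from step 1.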
It is loaded at scan time and unloaded afterwards so as to be lightweight. The file is mbamswissarmy.sys in your System32\drivers folder, feel free to have a look at it. :)

Yes indeed, you are right, and it does appear in the list of drivers in Process Explorer, but only during the scan. Thank you.

Yup, I knew where it was. It was actually fascinating reading your investigation though, as I wasn't sure how/when MBAM loaded its detection drivers. Now, thanks to you, I have a better understanding of how it works. Thanks a lot. Good luck and safe surfing.
