
Exclusion by file types


brmwia

I saw a thread on this from back in 2009 where the feeling apparently was that Malwarebytes was a smart enough product to not need file exclusion. I disagree. I work on a fair amount of PCs that need cleaned and it's a major PIA to watch this product needlessly scan avi, jpg, png, gif and other files when doing a full scan. Number one reason I won't run the paid version and can't get clients to run a full scan on a regular basis.

Anyone who has ever worked on other people's PCs knows people store files in the craziest places and it is very cumbersome to set up folder exclusion on a client's PC because of this. Also, excluding by folder does not work well as many times multiple file types can be in one folder.

If you can give the user the ability to exclude by folder, which is damn near useless IMO, how difficult could it be to exclude by file type? Seems to me it's pure stubbornness on behalf of developers not including this feature. Just get on with it and provide what people want.

Link to post
Share on other sites

Countless times we've discovered infections disguised as such filetypes (they're actually exe's simply renamed to .jpeg, .gif etc.), that being said, MBAM skims through those files very quickly to verify that they are not executable and moves on.

Secondly, a Full Scan is not our recommended scanning method, the Quick Scan is designed to check all known locations where infections have been seen to install themselves.

Link to post
Share on other sites
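As an added illustration of the point in the post above (this is not Malwarebytes' code and makes no claim about how MBAM is implemented): a content check that reads only the first 64 bytes plus 4 signature bytes of each file can spot a Windows executable hiding behind a media extension, while an extension-based exclusion list skips that same file. The helper names, the extension list and the sample files are all constructed for this example; the "PE" sample is a header stub, not a working program.

```python
import os
import struct
import tempfile

# Extensions a user might want to exclude (assumed list, taken from the thread's examples).
MEDIA_EXTS = frozenset({".jpg", ".jpeg", ".gif", ".png", ".avi", ".mp3", ".flac", ".mkv"})


def looks_like_pe(path):
    """True if the file has a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'.

    Only 68 bytes are read, so the cost does not grow with file size.
    """
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return False  # too short or no DOS header: not a PE image
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"  # short read past EOF compares unequal


def scan(root, exclude_exts=frozenset()):
    """Walk root and flag media-named files whose content is a PE image.

    Files whose extension is in exclude_exts are never opened, which is
    exactly what an 'exclude by file type' option would do.
    """
    checked, skipped, flagged = 0, [], []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in exclude_exts:
                skipped.append(rel)
                continue
            checked += 1
            if ext in MEDIA_EXTS and looks_like_pe(path):
                flagged.append(rel)
    return {"checked": checked, "skipped": sorted(skipped), "flagged": sorted(flagged)}


def pe_stub():
    """Constructed sample: minimal DOS header + PE signature (not executable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> offset 64
    return bytes(dos) + b"PE\0\0" + bytes(20)


def build_sample_tree(root):
    """Write constructed sample files under root."""
    files = {
        "pics/holiday.jpg": b"\xff\xd8\xff\xe0" + bytes(200),  # genuine JPEG magic
        "pics/invoice.jpg": pe_stub(),                         # PE header, .jpg name
        "music/song.mp3": b"ID3" + bytes(200),                 # genuine ID3 tag
        "music/short.gif": b"MZ",                              # truncated, must not crash
        "tools/setup.exe": pe_stub(),                          # honest executable
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo():
    """Return (scan without exclusions, scan with media extensions excluded)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root), scan(root, exclude_exts=MEDIA_EXTS)


if __name__ == "__main__":
    full, excluded = demo()
    print("no exclusions :", full)
    print("media excluded:", excluded)
```
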

If you don't want to have people doing full scan then remove it from the product. I've yet to have an AV product find a pic/video file disguised as a virus. Not saying it doesn't happen, but it's not a common occurrence in any event. Even if your argument was a valid reason, how can you then justify excluding by folder? Excluding by file type is surely no worse. Give people the flexibility rather than enforce your opinions over users' needs.

Link to post
Share on other sites

It's all based on what our researchers have seen in the wild. Excluding a location enables the user the flexibility of excluding a program, that's the primary reason it is there, because it will prevent MBAM from detecting that program as a threat or interfering with that program's activity (this is a good method for helping to prevent resource conflicts between MBAM and the user's AV).

We have the Full Scan as an option because it does have its uses, if for example the user wants to check removable drives connected to the system, or if in the rare event there is an infection in a location besides the ones we check with the Quick Scan.

Excluding an entire type of file would expose the user to being completely vulnerable to the types of infections I'm referring to. It's a type of tech often used by email worms and the like.

Link to post
Share on other sites

While exclusion by folder is there for what you state, you can not prevent it from being used to exclude a folder containing other files. I would submit for what you are trying to achieve in the example you present, it would actually be better to exclude the file not the location. What if malware decides to take residence in the excluded folder/location?

What about programs like news readers and torrent GUIs that allow users to set up specific locations for downloads? Is your quick scan going to catch malware in those locations? In my experience with MBAM, only a full scan gets those. I still maintain I would rather have the ability to exclude by file for this exact reason. MBAM's logic for not having this feature presumes there is one and only one model for how people store files and that presumption is not valid.

Link to post
Share on other sites

If malware decides to reside in an AV's folder (and the user's AV allows that to happen) then that is certainly a problem, but to date I've never seen it happen. Not even once.

As for torrents and the like, it's generally not the type of thing that we as a company promote, so setting our priorities on checking such would be pretty low on our list of priorities (generally it is the illegal activities done with P2P programs that lead to infections being downloaded, not so much the legit/legal torrent downloads).

Another concern is that we are not an AV, we have a specific purpose: to catch the latest, nastiest threats out there, especially if they're active (another thing to keep in mind is that if an infection is running in memory and it is something we would normally detect, then we will detect it, regardless of whether the location the file itself is in is contained in the Quick Scan or not).

Link to post
Share on other sites

I'm not able to catch what you mean by "regardless of whether the location the file itself is in is contained in the Quick Scan or not". In any event you catch and remove it from memory, but how do you remove it from a folder that is excluded from the scan?

While I can see why you don't condone certain activities, flat out telling people you don't care if they are infected by something obtained from said method is certainly a bit bold and most likely would put a serious hurt on sales if you were to market your product in that manner. I would expect your customers would expect your priority is to keep their computer safe from all malware no matter how it was obtained (I know I do). There have been times I have purposely downloaded content hoping it had malware for the sole purposes of testing/comparing scanners, be them virus/malware/spyware... whatever you choose to call it.

Obviously MBAM is only interested in providing protection for how it thinks people should use a PC and thus fails to meet the needs of many users in doing so. Certainly that is your choice, and thankfully users like myself have other options. As well, it's hard to recommend a product to other people that is lacking in basic functionality.

Link to post
Share on other sites

I'm not able to catch what you mean by "regardless of whether the location the file itself is in is contained in the Quick Scan or not". In any event you catch and remove it from memory, but how do you remove it from a folder that is excluded from the scan?

The Quick scan is enough to find and remove any infections on the system, as the quick scan targets where malware is seen installing itself. The Full Scan scans everywhere on the system, and is also used to scan removable devices to search for any malware that could be present there.

While I can see why you don't condone certain activities, flat out telling people you don't care if they are infected by something obtained from said method is certainly a bit bold and most likely would put a serious hurt on sales if you were to market your product in that manner. I would expect your customers would expect your priority is to keep their computer safe from all malware no matter how it was obtained (I know I do). Obviously MBAM is only interested in providing protection for how it thinks people should use a PC and thus fails to meet the needs of many users in doing so. Certainly that is your choice, and thankfully users like myself have other options. As well, it's hard to recommend a product to other people that is lacking in basic functionality.

Of course we care about how our users are infected, and that is why we are dedicated to helping create software to eradicate malware from systems, to keep our users safe. We are always striving to come up with the best ways to help remove the latest threats, and for that reason, we only concentrate on the malware that is a threat to our users, and that is why we do not go after what the antivirus vendors do. If we did, we would be able to spend less time on the really nasty malware that is currently out there today. We jump on the latest malware right away, and sometimes before any user has seen it in the wild. Therefore we protect our users from the latest threats that most AVs will miss because they are trying to catch everything.

Link to post
Share on other sites

I'm not able to catch what you mean by "regardless of whether the location the file itself is in is contained in the Quick Scan or not". In any event you catch and remove it from memory, but how do you remove it from a folder that is excluded from the scan?

At the very beginning of a scan, regardless of the scan type (Quick, Full or Flash), Malwarebytes' Anti-Malware checks running processes (i.e. in memory) to see if any of them are infected, regardless of where they may be located, so if an infection is active/running on the system, the file still gets detected no matter where the file may be (the only exception being if the file itself or the folder it is in is in the Ignore List).

Link to post
Share on other sites

The Quick scan is enough to find and remove any infections on the system, as the quick scan targets where malware is seen installing itself. The Full Scan scans everywhere on the system, and is also used to scan removable devices to search for any malware that could be present there.

Of course we care about how our users are infected, and that is why we are dedicated to helping create software to eradicate malware from systems, to keep our users safe. We are always striving to come up with the best ways to help remove the latest threats, and for that reason, we only concentrate on the malware that is a threat to our users, and that is why we do not go after what the antivirus vendors do. If we did, we would be able to spend less time on the really nasty malware that is currently out there today. We jump on the latest malware right away, and sometimes before any user has seen it in the wild. Therefore we protect our users from the latest threats that most AVs will miss because they are trying to catch everything.

If I configure a program like Excel/Word to save my files in D:\Data a Quick scan is going to find malware in that folder? Forgive me for doubting a quick scan can find any infection on the system. If a quick scan can find and remove any infection on the system, then by definition it must be scanning the entire system.

As far as caring about how users are infected, that was not what Exile360 said. I quote "so setting our priorities on checking such would be pretty low on our list of priorities". Yeah, right... put that on your web page to help market your product and see what happens.

Link to post
Share on other sites

  • Staff

A quick scan only looks in the most common areas infected by malware. Mostly critical Windows folders and browser settings.

Torrents are often used for downloading pirated software and such. They are not law officials nor is it a critical area to focus on. That is usually done by your antivirus such as Avast! and others which support this. Unless the malware file is severe, spreading or a crack to hack their software they probably won't detect it.

I'm not a staff member, but a user offering his opinion.

Link to post
Share on other sites

I agree with you on the quick scan. IMO the claim a quick scan will catch any malware infection is horse hockey.

I also agree torrents are generally for obtaining pirated wares. However, my example of torrents and news readers was to point out there is software out there that lets the user decide where to save files. In fact you would be hard pressed to find any software that creates/updates files and forces you to save the files in a designated folder. Either way I find it laughable a staff member would state some malware obtained in any manner is less of a priority to them.

I would also point out the claim that staff has made about Malwarebytes only looking for malware and not viruses is a bit misleading. Their statements would have one believe anything an AV program catches Malwarebytes would not and vice versa, and it's simply not true. I also believe it is naive of Malwarebytes to think that malware can't exist outside the common locations a quick scan checks.

All in all it would be interesting to see a poll from users on whether they would use file exclusion if Malwarebytes had it. Up to now, from what I see, we are getting a very one-sided view/opinion.

Link to post
Share on other sites

I would also point out the claim that staff has made about Malwarebytes only looking for malware and not viruses is a bit misleading. Their statements would have one believe anything an AV program catches Malwarebytes would not and vice versa, and it's simply not true. I also believe it is naive of Malwarebytes to think that malware can't exist outside the common locations a quick scan checks.

All in all it would be interesting to see a poll from users on whether they would use file exclusion if Malwarebytes had it. Up to now, from what I see, we are getting a very one-sided view/opinion.

I do agree the descriptions they provide can be a bit confusing. Personally I think for less knowledgeable folks the explanation that it can catch all forms of malware including viruses, spyware etc. often gets misinterpreted. I won't say anything else other than I think they could do better on explaining Malwarebytes is not an antivirus, as the descriptions certainly conflict. Malwarebytes' does catch things an AV does. The reaction time is different, however, in order to allow the AV priority and avoid conflicts. As stated before by Exile:

We have the Full Scan as an option because it does have its uses, if for example the user wants to check removable drives connected to the system, or if in the rare event there is an infection in a location besides the ones we check with the Quick Scan.

Malwarebytes' is certainly aware that it does infect more than the common areas. The majority of the time they do not and a quick scan is more than enough.

Link to post
Share on other sites

MBAM is designed from the ground up to detect active infections that are largely not targeted by antivirus software. That's the difference here. We aren't trying to catch every infection in existence and our purpose on a system is as a complementary form of protection, not a first line of defense. MBAM's job as a scanner (the Free version), is primarily to detect any active infections that may have slipped by a user's AV and have now infected the system and remove them.

A prime example of this philosophy is the fact that we do not scan within archives (zip, rar etc.). We don't do it, because you won't find an active infection there (an active infection would be extracted/installed to another location and running).

We look at the locations used by malware to install itself, beyond that, we look for the droppers/installers themselves, and while it is certainly true that a dropper/installer could have been saved anywhere on the system, if the user is running the PRO version of MBAM, it would block the threat and detect it the second the user tries to execute it and the Free version would detect the threat if already installed/running.

What you're referring to is essentially using the Free version's scanning capabilities as a preventative technology, but that never was and is not now its purpose. It certainly helps a user to stay clean, but once an infection is onboard/active, the location of the infection is a moot point, because MBAM will detect it in memory, trace the file to its location (even if said location is not in the Quick Scan) and allow the user to remove the infection, file and all.

Link to post
Share on other sites

One more quick thing to add if I may. We're essentially discussing two things here:

  1. Adding the capability of excluding user-selected file types from being scanned by MBAM
  2. The idea that a Full Scan is preferable to a Quick Scan in some scenarios where a user may have potentially infected files in locations other than those already checked by the Quick Scan

To me the solution seems simple enough. If you have a folder full of torrent downloads or whatever else that might indeed contain infections, why not simply right click on said folder and choose Scan with Malwarebytes' Anti-Malware? That would save the user a lot of time scanning locations that they know are safe to focus on the areas that they suspect to potentially contain infections. That seems to be what most users are doing (at least based on what I've read in my years on this forum) and seems to be working out quite well.

Link to post
Share on other sites

  • 3 weeks later...

Why not simply right click on said folder and choose Scan with Malwarebytes? Here is why. In an environment where multiple profiles are used, as an administrator I want to be able to scan the entire PC, but have it not waste time scanning music/video libraries (mp3, flac, mkv). To me the solution is even simpler... give us the ability to exclude by file.

Link to post
Share on other sites

I understand that, but as explained already, the time taken to actually scan those file types is very brief because MBAM deliberately looks at the files to immediately determine if they are executable or not, so not too much time is actually added to the scan.

I see your points, but we've weighed it and decided that the risk of implementing such an option at this point far outweighs the potential gains or usefulness. It isn't something that many users have requested either, which is something that we do take into consideration when determining the possibility of implementing a new feature or function.

Link to post
Share on other sites

Just for grins, I tried, as suggested, right clicking a folder to scan the contents. I scanned my top level folder which contains sub folders of mp3's which has 7000+ files to see how fast it was. 4 seconds! Now I see why! It never scanned anything! MBAM is not recursively scanning sub folders! This is safer than file type exclusion?

Malwarebytes' Anti-Malware 1.51.1.1800

www.malwarebytes.org

Database version: 7457

Windows 6.1.7600

Internet Explorer 8.0.7600.16385

8/14/2011 7:59:29 AM

mbam-log-2011-08-14 (07-59-29).txt

Scan type: Quick scan

Objects scanned: 0

Time elapsed: 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Never mind on that point... My bad here.. I had the top level folder excluded. Duh!

Still, your claim that the scan is so fast excluding by file type isn't warranted doesn't hold water in my opinion. Once I removed the folder exclusion, it took 40 minutes to scan these folders and I can tell you there are many people that have 10 * the content I have. I don't know how you define "brief", but 40 minutes doesn't fit my definition of brief. I think my results make a stronger case for exclusion by file type. Where MBAM makes the argument against exclusion by file type because it claims you have seen malware files renamed to .jpg, I would submit it would be far safer to exclude all my media content (mp3, flac, mkv, avi) by file type rather than exclude by folder and chance that a file other than (mp3, flac, mkv, avi) containing malware somehow made its way into one of these folders.

As I have previously stated, you are looking at this from a one-size-fits-all perspective and a very biased position. While my position is also biased, I can guarantee you I am far from an isolated case. You have said you have not had many requests for this and I can see why, as you guys try to squash any such requests for it and few people will debate the pros/cons with you. I would submit if you put it to a vote in the user community, you may see different results.

Link to post
Share on other sites

Where MBAM makes the argument against exclusion by file type because it claims you have seen malware files renamed to .jpg, I would submit it would be far safer to exclude all my media content (mp3, flac, mkv, avi) by file type rather than exclude by folder and chance that a file other than (mp3, flac, mkv, avi) containing malware somehow made its way into one of these folders.

Again, that's the purpose of an AV, not MBAM. There is a reason MBAM scans where it does and how it does. It is designed to look for ACTIVE infections on the system when scanning, not archived installers/droppers residing in other locations. If the PM (Protection Module) is running, or the threat is running in memory, MBAM will detect it when the threat tries to execute. This is the same reason we do not scan within archives (zipped/compressed folders).

As I have previously stated, you are looking at this from a one-size-fits-all perspective and a very biased position. While my position is also biased, I can guarantee you I am far from an isolated case. You have said you have not had many requests for this and I can see why, as you guys try to squash any such requests for it and few people will debate the pros/cons with you. I would submit if you put it to a vote in the user community, you may see different results.

Actually, I've never debated this issue with anyone before. If you want to see an issue with a high user demand that we do debate quite frequently, do a search for "bootable" and "portable".

The fact of the matter is, you are attempting to use Malwarebytes' Anti-Malware in a way for which it was not designed. It is not an antivirus, and the free version is not intended to clean up trace malware on an otherwise uninfected system. Its intent and purpose is to allow a user who may be infected to scan their system quickly and remove any active threats that may reside on the system. That's why we offer it for free, the free version is not, and never was intended to be a primary component of protection for an uninfected system (and by uninfected, I mean a system that has no ACTIVE infections on it), it is simply there to be a second opinion, to verify that your AV didn't let anything malicious slip through and infect your system.

I do see your points, I really do, however, again, our viewpoint is based on what we have actually seen real infections do. We have seen them install (note, I'm not referring to where a user may have saved a dropper/installer here) in the locations that we check in the Quick Scan. We have seen them disguise themselves as audio, video, image and various document files (PDF's, Word Documents etc.).

There is a real reason we generally do not recommend the Full Scan, we simply have it there as an option should a user choose to use it.

The difference between excluding a location and excluding a file type is huge. It means that if there were a fake picture that is actually a trojan, installed, active and in the user's Windows folder, MBAM would not detect it if file types are excluded (something that users like yourself would surely do if we offered this function), however, it is highly unlikely that a user would deliberately exclude the Windows folder from being scanned. That's the difference here.

I can see that we are at an impasse here, and while I do see the validity of your points (as I'm sure you do mine), we simply will not likely be able to agree.

I'm not going to debate this any further, however I will read and consider any replies that you have and I am not locking this topic, I simply have nothing more to add as I believe we have sufficiently explained our perspective on this matter so that anyone reading this topic (including yourself of course) can understand why we have chosen the methods that we have, regardless of whether you or any other reader actually agrees.

Thank you for the comments and for the suggestion, and please don't lose heart, just because we do not agree right now, does not necessarily mean that the matter is closed. If our developers and malware researchers determine at some point in the future that it is safe enough, or find a safe way to implement it, this option would certainly be added to MBAM :).

Link to post
Share on other sites
