Tag Archives | mbar

Thanks Malwarebytes!

I was just browsing the press sections on some of the anti-malware products I use and noticed that press.malwarebytes.org linked to my post on using MBAR at work. Thanks Malwarebytes, wasn’t expecting to see that today!

malwarebytes-remove-malware


Malwarebytes Anti-Rootkit (MBAR) Review and Real World Test at Work

So yesterday I was sitting at my desk when I got an email from one of our Vipre Enterprise Antivirus agents…

Machine:          PC  (10.30.11.29)
User:             domain\user
Scan Date:        11/13/2012 2:17 PM
Software Version: 5.0.4464 (we’re in the process of upgrading to version 6.1.22 which has current anti-rootkit tech)
ThreatDB Version: 13968
Policy:           FGWKS

—————–

Threat:     Trojan.Win32.Sirefef.pq (v)
Category:   Trojan
Severity:   Moderate Risk (since when are rootkits moderate risks?!?!)
Action:     Quarantined (not true…those rootkits are still very much there)
Traces Found:
Rootkit:       2724,c:\Windows\explorer.exe,c:\windows\system32\z
Rootkit:       916,c:\Windows\System32\svchost.exe,c:\windows\system32\z

—————–

So essentially what this email means is that the Vipre agent let a rootkit through at some point, can now detect it, but cannot remove it.
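As an added example (not code from the post, from Vipre or from Malwarebytes): a small Python parser for alert emails of the shape quoted above that records which processes host rootkit traces and flags the machine for an independent scan regardless of the agent's "Quarantined" verdict, which is exactly the gap the post ran into. The trace-line layout `<kind>: <pid>,<process>,<artifact>` is inferred from the two trace lines above and is an assumption, and the sample alert is constructed from the quoted email.

```python
import re
from collections import namedtuple
# Constructed sample modelled on the Vipre alert in the post (author's remarks removed).
SAMPLE_ALERT = r"""Machine:          PC  (10.30.11.29)
User:             domain\user
Scan Date:        11/13/2012 2:17 PM
Software Version: 5.0.4464
ThreatDB Version: 13968
Policy:           FGWKS
-----
Threat:     Trojan.Win32.Sirefef.pq (v)
Category:   Trojan
Severity:   Moderate Risk
Action:     Quarantined
Traces Found:
Rootkit:       2724,c:\Windows\explorer.exe,c:\windows\system32\z
Rootkit:       916,c:\Windows\System32\svchost.exe,c:\windows\system32\z
"""

# Assumed "Traces Found" entry layout: <kind>: <pid>,<host process image>,<artifact path>
TRACE_RE = re.compile(r"^(\w+):\s+(\d+),([^,]+),(.+)$")
Trace = namedtuple("Trace", "kind pid process artifact")
def parse_alert(text: str) -> dict:
    """Split the alert into lower-cased header fields plus a 'traces' list."""
    fields, traces, in_traces = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-", "\u2014", "\u2013"}:
            continue                       # blank or dashed separator line
        if in_traces and (m := TRACE_RE.match(line)):
            traces.append(Trace(m[1].lower(), int(m[2]), m[3], m[4]))
            continue
        key, _, value = line.partition(":")
        if key.strip().lower() == "traces found":
            in_traces = True
        else:
            fields[key.strip().lower()] = value.strip()
    fields["traces"] = traces
    return fields

def triage(text: str) -> dict:
    """Flag the host for an independent scan when any rootkit trace is present.
    The agent's 'Quarantined' verdict does not prove hooks inside explorer.exe or
    svchost.exe are gone (the post found them still there), so Action is ignored."""
    a = parse_alert(text)
    host, _, rest = a.get("machine", "").partition(" ")
    ip = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", rest)
    rootkits = [(t.pid, t.process) for t in a["traces"] if t.kind == "rootkit"]
    return {"host": host, "ip": ip[1] if ip else None, "action": a.get("action"),
            "rootkit_processes": rootkits, "follow_up": bool(rootkits)}
```

`triage(SAMPLE_ALERT)` returns the host, its IP, the two process/PID pairs from the trace lines and `follow_up=True`; the same alert with non-rootkit trace kinds is not flagged.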

So, what to do now… I know!!! I’ll test that new Malwarebytes Anti-Rootkit (MBAR) and then post the results to my blog… and here we are.

Ok, let’s extract mbar.zip. Here’s what we have. Let’s double-click on MBAR.

mbar-icon

Once MBAR has been opened, we’ll update the database.

mbar-database-update

Once the database has been updated, we’ll do a scan.

mbar-scan

MBAR finds 18 infections and removes them.

mbar-infections

A subsequent scan via MBAR tells us that everything is clean.

mbar-scan-no-more-rootkits

For a second opinion, we’ll turn to the proven Hitman Pro. Looks all clean!

hitman-pro-scan