Malwarebytes scanning real Disk while in Shadow Mode?


Post by noorismail on 24/10/2010, 02:21

I wish more people still had Shadow Defender installed to try and confirm this.

Here is the deal.
I have a large mixed media folder, 6.28 GB, and folder properties show 7829 files.
This folder is stored not in my documents and settings, but in my C/root folder.

It is a Sandboxie forced folder, but the Sandbox was empty, and the scan was in ShadowDefender's shadow mode.

Today I started to do a Malwarebytes right click scan of this folder.
I decided to remove a large sub folder (4.64 GB, 503 files) of MP3s that had been static for years, to speed up the scan.
I dragged the MP3 folder to my desktop, and began my scan of the main folder.

At that point I noticed Malwarebytes was displaying the scan file paths of the folder that had been removed to the desktop!

At the end of the scan, the Malwarebytes scan log showed:

10/23/2010 3:41:55 PM
mbam-log-2010-10-23 (15-41-55).txt

Scan type: Quick scan
Objects scanned: 7829
Time elapsed: 2 minute(s), 32 second(s).

Please note this is the original number of files in the folder prior to removing the 503 MP3s!!

A right click on the scanned folder at this point reflected the removal of the MP3s, and showed a file count of 7326 files in properties!! (7829-503=7326).

Not to mention the fact it is pretty rare to have any malware scan reflect the number of files in a scanned folder, listed in folder properties, Malwarebytes seemed to scan through ShadowDefender's virtualization and "see" the file as it exists on my real disk!!

Or is this something to do with registry paths that still exist in my virtual session even after the MP3 file was removed?

perplexed,
noor


PS:

Booted out of shadow mode, removed the MP3 folder from the main folder, and ran
another Malwarebytes right click scan.
The results were:

10/23/2010 4:30:05 PM
mbam-log-2010-10-23 (16-30-05).txt

Scan type: Quick scan
Objects scanned: 7326
Time elapsed: 1 minute(s), 14 second(s)


_________________
ShadowDefender 1.1.0.323 Sandboxie 3.49, NAT router.
Open DNS with "Malware/Botnet Protection",
MalwareDefender,Malwarebytes on demand.
noorismail
Moderator

Posts : 193
Join date : 2010-06-23

Re: Malwarebytes scanning real Disk while in Shadow Mode?

Post by simmikie on 24/10/2010, 03:04

I have ShadowProtect installed and Malwarebytes as well. How can I help??


Mike

simmikie
Member

Posts : 17
Join date : 2010-10-23

Re: Malwarebytes scanning real Disk while in Shadow Mode?

Post by noorismail on 24/10/2010, 03:28

Thanks simmikie, and by the way, a cordial welcome to the forums!!


I don't know if ShadowProtect is the same sort of virtualization as ShadowDefender, but if you could, enter its protected mode, select a folder with multiple sub-folders, click folder properties and note the number of files listed.

Then remove one of the subfolders, again note the number of files listed in folder properties.

Then do a right click scan with Malwarebytes.

After the scan completes, note if the Malwarebytes log lists the same number of files as existed in the main folder prior to removing the sub-folder.

regards,
noor

_________________
ShadowDefender 1.1.0.323 Sandboxie 3.49, NAT router.
Open DNS with "Malware/Botnet Protection",
MalwareDefender,Malwarebytes on demand.

Re: Malwarebytes scanning real Disk while in Shadow Mode?

Post by simmikie on 24/10/2010, 03:41

Whoops... I do mean ShadowDefender... I have both. Sorry.


Mike


Re: Malwarebytes scanning real Disk while in Shadow Mode?

Post by simmikie on 24/10/2010, 03:55

Okay, the math does not add up. I started with 147 files and 29 folders (in Shadow Mode). I moved a subfolder with 41 files and 0 (zero) folders. Malwarebytes scanned 88 files and 26 folders. 88 + 41 does not equal 147, but it does not seem in this case Malwarebytes read the actual folder.


Mike


Re: Malwarebytes scanning real Disk while in Shadow Mode?

Post by ssj100 on 24/10/2010, 04:41

noor, just to confirm, you don't actually have MBAM on the REAL system? You're installing it in Shadow Mode right?

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
Administrator

Posts : 1389
Join date : 2010-04-14

http://ssj100.fullsubject.com

Re: Malwarebytes scanning real Disk while in Shadow Mode?

Post by ssj100 on 24/10/2010, 04:53

By the way, I can confirm your exact findings. Here's what I did:

Freshly installed Windows XP, SP3, 32-bit (run in VirtualBox):

1. Installed Shadow Defender 1.1.0.326
2. Enabled Shadow Mode
3. Installed MBAM 1.46
4. Right click on folder - properties: 52 files
5. Right click scan with MBAM: scanned 52 objects (so far so good)
6. Removed a sub-folder containing 3 files
7. Right click on folder - properties: 49 files (that's correct)
8. Right click scan with MBAM: scanned 52 objects! (should be 49 objects).

I suspect this has something to do with how Shadow Defender functions. I have to admit that I initially liked the idea of Shadow Defender, but little "bugs" like these made me move on from it.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
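
The before/after comparison in the steps above can be scripted so the counts are not read off by eye. This is an added example, not part of the original thread or of either product: the function names are hypothetical, the log layout is assumed to match the logs quoted in the thread, and "Objects scanned" is treated as a file count, as the posters do.

```python
import os
import re

# Constructed sample, in the layout of the MBAM logs quoted in the thread.
SAMPLE_LOG = """10/23/2010 3:41:55 PM
mbam-log-2010-10-23 (15-41-55).txt

Scan type: Quick scan
Objects scanned: 7829
Time elapsed: 2 minute(s), 32 second(s).
"""

def parse_mbam_log(text):
    """Return scan type, objects scanned and elapsed seconds from log text."""
    def field(name):
        m = re.search(r"^%s:\s*(.+?)\s*$" % re.escape(name), text, re.M)
        if m is None:
            raise ValueError("log has no %r line" % name)
        return m.group(1)
    t = re.search(r"(\d+) minute\(s\), (\d+) second\(s\)", field("Time elapsed"))
    if t is None:
        raise ValueError("unrecognised 'Time elapsed' value")
    return {
        "scan_type": field("Scan type"),
        "objects": int(field("Objects scanned")),
        "seconds": int(t.group(1)) * 60 + int(t.group(2)),
    }

def count_files(root):
    """Count files under root, the figure compared against folder properties."""
    return sum(len(files) for _dir, _subdirs, files in os.walk(root))

def scanner_view(objects_scanned, files_before, files_after):
    """Say which state of the folder the scanner's object count matches."""
    if files_before == files_after:
        return "no-change"      # nothing was moved, so the states are identical
    if objects_scanned == files_before:
        return "pre-move"       # count matches the folder before the move
    if objects_scanned == files_after:
        return "post-move"      # count matches what folder properties show now
    return "inconclusive"       # count matches neither state

if __name__ == "__main__":
    log = parse_mbam_log(SAMPLE_LOG)
    # 7829 (before) and 7326 (after) are the counts from the first post.
    print(log, scanner_view(log["objects"], 7829, 7326))
```

Run `count_files` on the folder before and after moving the sub-folder, then pass both counts and the parsed `objects` value to `scanner_view`.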

Re: Malwarebytes scanning real Disk while in Shadow Mode?

Post by noorismail on 24/10/2010, 04:58

Thanks guys,
I just do not understand how it does this.


I need to update my signature; I have since installed Malwarebytes paid, with real time off on my real system.

noor

PS: I am a member at Malwarebytes Forum, but it has been so long since I posted there,
I don't even remember my log in.
Maybe I will try to check with them.

It's pretty interesting however. (ssj, you know how I love this kind of stuff!!)
Especially since Mike is getting pretty predictable results, and we are getting
results that indicate Malwarebytes is at least scanning the real disk.

I wish Malwarebytes detected EICAR, I would stick it in a real system folder, run a scan with Malwarebytes,
and let it detect and remove, then check the real system to see if it is gone, and listed as quarantined in Malwarebytes GUI.

I think Malwarebytes does detect SpyCar, so I might try that.


Last edited by noorismail on 24/10/2010, 05:10; edited 1 time in total

_________________
ShadowDefender 1.1.0.323 Sandboxie 3.49, NAT router.
Open DNS with "Malware/Botnet Protection",
MalwareDefender,Malwarebytes on demand.

Re: Malwarebytes scanning real Disk while in Shadow Mode?

Post by ssj100 on 24/10/2010, 05:02

noor, it's probably something to do with the fact that Shadow Defender generally doesn't allow any changes on the REAL system. So since you're moving the sub-folder while in Shadow Mode, "your system still thinks" that ALL the contents of the original folder are still there. Therefore, MBAM manages to scan the same number of files.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Malwarebytes scanning real Disk while in Shadow Mode?

Post by noorismail on 24/10/2010, 05:12

Ok, that makes sense.

I am going to try the SpyCar thing now, to see what happens.

_________________
ShadowDefender 1.1.0.323 Sandboxie 3.49, NAT router.
Open DNS with "Malware/Botnet Protection",
MalwareDefender,Malwarebytes on demand.

Re: Malwarebytes scanning real Disk while in Shadow Mode?

Post by noorismail on 24/10/2010, 05:54

Ok, I downloaded the SpyCar test's 18 exes, and confirmed that Malwarebytes does detect them.
I then placed them in a folder with 18 picture files and booted into shadow mode.
Then a Malwarebytes right click scan was done, and it detected the 18 exes.
I then clicked through the prompts, and Malwarebytes spontaneously rebooted.
When Windows came back up, the 18 SpyCar exes were still in the folder,
no new entries were logged by Malwarebytes, and the quarantine was empty.

When the same test was run out of Shadow mode, Malwarebytes once more detected the 18 SpyCar exes, and this time asked for a reboot.

After reboot the exes were gone from the folder, and showed up in the Malwarebytes quarantine.

So I think it is a thing similar to what happens when you go through a seasonal time change while in ShadowMode.
An hour gets added or subtracted, and when you boot again, Windows once more adds or subtracts an hour.

_________________
ShadowDefender 1.1.0.323 Sandboxie 3.49, NAT router.
Open DNS with "Malware/Botnet Protection",
MalwareDefender,Malwarebytes on demand.