/  Blog /
EnglishMalwarebytes lies and deliberately issues false/positive messages

Malwarebytes lies and deliberately issues false/positive messages

Published: 01.09.2019 Edited: 14.09.2023

Malwarebytes is a widely used anti-virus and anti-malware program from Malwarebytes Inc. The software includes an integrated mechanism that can assess the hosts file as malicious.

These misleading messages from malwarebytes refer to the presence of supposedly unauthorized versions where entries are present in the hosts file.


Fear of product "piracy" justifies false reports?

For non-legally purchased and installed versions of malwarebytes, entries are added to the hosts file to avoid contacting activation servers. A popular method is to use key generators, or auto-patchers, that take all the work off users.

Depending on this, this mechanism can turn out to be problematic if consumers have a legal license and still certain entries to the activation servers of malwarebytes exist in the hosts. In this case, there is an immediate alarm, the own device security is questioned and the hosts files are modified independently, although everything is fine and there is no danger for users.

The software from Malwarebytes, Inc. is an example of how those who declare security and rules first assert their own interests.

Data preparation by Trifacta
Malwarebytes uses Trifacta on AWS for data processing and analytics

  Malwarebytes Trifacta

 Imagesize: 61.59 kB | 2560x1440px | Format: webp
Sha-256: 52935569375561B77AA823A59F425403C2BDFB18FD091571410DDEB60904AE73

Malwarebytes independently modifies hosts files

Unsolicited modification of your own files and settings? Softening your own security settings? False reports? This can happen faster than you think, because the behavior is often observed in the wild with "snake oil software" and various "cleaners."

In addition to Wise Care 365 and IObit, Malwarebytes also exhibits this behavior under certain circumstances. Thus, the software deletes entries from its own hosts without feedback if certain entries are present, additionally outputs error fertilization for alleged threat scenarios and wants to move the corresponding file directly into quarantine.

In addition to this behavior, users get another telemetry service that is routed via Amazon's AWS (Elastic Compute Cloud) and tracks individual user actions as in the software of Avast S.R.O.

Malwarebytes Telemetry
In addition to the activation servers and update checks, Malwarebytes is characterized above all by telemetry and recording of user actions

  Malwarebytes Telemetry

 Imagesize: 235.13 kB | 2545x1116px | Format: webp
Sha-256: FD7B75B47FFFA346A09462EEB25D79B16405E528F8DFEC119BF8EF43C08E91A1

The two addresses that may NOT be in the hosts contain user data such as account ID, installation token, user IPv4 address, license key, time stamp of the last server contact, product version, product when received, license term, subscription model, affiliate data, etc. A part is of course required for the purpose of comparing the registration.

Keystone.txt - 24.04.2022 - CRC32: A74EDF3E
Details: Keystone.txt - Dateigröße: 3.61 kB
Sha-256: C5144EA19400F0A6B30FC2CABDB512DF38C09F0F793F81A60B57580611715A99

Sirius for Updatechecks
Sirius.txt - 24.04.2022 - CRC32: E54B55C0
Details: Sirius.txt - Dateigröße: 5.28 kB
Sha-256: 6B6042823B50525A95DC9102B936F310C7F2795FB8E43747C97A6291D216E802

Scan log of Malwarebytes with the entries Keystone and Sirius. Result: Riskware.DontStealOurSoftware
How about "Don't mess around in files that don't concern you"?
Scanlog_Riskware.txt - 24.04.2022 - CRC32: AD25C391
Details: Scanlog_Riskware.txt - Dateigröße: 1.60 kB
Sha-256: 8D596651A636892272BEA9CF0CC26B00F36111F64474072D41B5F6FF8F12386F

The third address in the bundle contains the user's own desktop ID
My-Device.txt - 24.04.2022 - CRC32: 85CB2DD4
Details: My-Device.txt - Dateigröße: 369.00 B(ytes)
Sha-256: 2127B69527647B951832C7982650DAF4976FFD6DA07A8248430D7DAE5A7FB90E

Data is thus sent via both addresses, which users can clearly identify and link to the program itself. This not only once, but for every program start, every program call and every call of the account tab.

If you do not want malwarebytes to connect to the Internet regularly, an exception rule must be created so that the entries are not deleted, or optionally a firewall or systems such as Pi-Hole are used.

Intentional false reports by malwarebytes

The aggressive behavior by independently modifying your own files is accompanied by false reports by the malwarebytes software, which put users before an alleged threat scenario. Users who use the filter lists in which entries of Keystone and Sirius are listed are guided here on the ice and deliberately unsettled.


Evil hosts?
If certain entries can be found in the hosts that affect malwarebytes activation server, the program issues intentional false reports regarding malware, deletes corresponding entries and wants to move corresponding files to quarantine.

  Malwarebytes Falschmeldung

 Imagesize: 37.39 kB | 890x646px | Format: webp
Sha-256: F543ED446207F9C4B3BFCCEDF5DBB289A998F18F15F9AB085F89AABD0BBC679C

Unwanted elements? Undesirable here is merely something from the point of view of the company Malwarebytes, Inc.

Always Online does not work without the Internet

Another nuisance is the "Always Online" mentality, because as soon as an internet connection no longer exists, malwarebytes are teetering elsewhere. Blocking by hosts is not possible without further action.


Activation Error?
Internet off? Immediately an important looking error message appears with the note that the user should please check his own connection. However, it also shows that (if possible) there is a permanent online connection.

  Malwarebytes AktiVierungsfehler

 Imagesize: 21.53 kB | 889x645px | Format: webp
Sha-256: 1F900D821660A61681D1F75BDF5D4B3DDE60D3E0783C3023EC0A2CB45AF4009A


  Rules for posting comments can be found in the F.A.Q.