Technology in terms you understand. Sign up for my weekly newsletter, "Confident Computing", for more solutions you can use to make your life easier. Click here.

Should I Accept My Security Software’s Recommendation of What to Remove?

//
I downloaded the Malwarebytes you suggested and did a scan. It showed more than 330 things which it asked whether to remove. Do I just accept that these are things that should be removed? The things recommended for removal are listed below. Some of the sentences include microsoft explorer, lenovo browser guard, etc, which when I look at them I am uncertain about deleting because I do not know if I am deleting something that’s important.

Do I just delete whatever Malwarebytes asks to delete every time it makes such suggestions?

<~300 entries, mostly registry-related, snipped>

This is one of those questions we never think about until someone asks.

What we’re really asking is, “Do I trust my security software to make the right recommendations?”

And the answer, as it is so many times, is: it depends.

Become a Patron of Ask Leo! and go ad-free!

Protecting yourself

The concern, of course, is that your security software might mistakenly recommend that something important be deleted. It’s not an unfounded fear. While it doesn’t happen often, it has happened.

The good news is, it’s really easy to protect yourself. You can probably already guess what action might be involved.

If there’s ever even the slightest doubt, back up first. And by “back up”, I mean a full system image backup of your entire system drive (typically C:), and ideally the entire hard disk on which it resides. If you’re doing daily image backups, as I so often recommend, you’re already ready.

The issue is, we don’t know ahead of time what might be removed, or what might be important. That’s why we’re asking the question in the first place. A system image makes no assumptions. It saves everything.

If, after allowing the anti-malware software to do its job, you find something is broken, you simply restore the image and get on with your life — nothing lost except the time to perform the operations.

Trustworthy software is worthy of trust

AntivirusI realize this is a kind of chicken-and-egg statement, but there’s a reason computer folks such as myself have recommendations: we’ve come to trust the software we recommend. In the case of anti-malware and security tools, that trust encompasses at least two distinct considerations:

  1. The security software will prevent as much malicious software as possible from doing harm.
  2. The security software will itself do no harm.

It’s the second one we’re concerned about today. Security software might cause performance impacts or do things like prevent some email or files from being downloaded by intrusive scanning, but at worst, they can break the system if they delete or quarantine the wrong thing in the name of “security”.

I try not to recommend software that has a history of doing that. 🙂

And yes, Malwarebytes remains a recommendation.

“Yes” is easy when you trust

Given that I trust Malwarebytes, my default answer is easy.

Yes: when it recommends something be deleted, it’s probably safe to delete it.

In this case, the list of around 300 registry entries our questioner shared were all flagged as relating to PUPS, or “potentially unwanted programs”. There’s rarely any “potential” about it; you don’t want them, and Malwarebytes Anti-malware is a tool I often recommend for its ability to ferret out and remove exactly those types of programs.

In your shoes, I’d say “Yes”, and I’d say “Yes” to whatever Malwarebytes identifies in the future.

Why do you have so many PUPs to begin with?

First, let’s be clear about at least one thing, lest you really panic: 300 discoveries by a tool like Malwarebytes does not mean you have 300 separate PUPs, or pieces of malware. My guess is you have maybe half a dozen or so. Each PUP can be responsible for any number of traces that tools like Malwarebytes identify individually and remove.

But we’re still left with the question: why do you have even those six? And if Malwarebytes is repeatedly identifying things after having run, why are things returning?

In my opinion, once security software cleans your system, the real lesson to be learned here is to stop installing software that causes PUPs to be installed, or perhaps visiting sites that cause questionable software to be downloaded and installed.

I have no way to know what those might be in any specific case, but things like accepting the default installations of downloaded software is by far the leading cause of PUPs and other malicious software. The solution? Always choose “custom install” instead, and be careful to decline any software you didn’t ask for.

In general, be more vigilant and discerning. PUPs in particular usually install with your consent, and your consent can often be implied when you take shortcuts like a default installation, or fail to read all the installation options presented.

Podcast audio

Play

19 comments on “Should I Accept My Security Software’s Recommendation of What to Remove?”

  1. I am looking for a replacement forMalwarebytes Premium.

    I have had several very unsatisfactory dealings with their support site. I do not know why Leo and others lionise MBAM.

    This is my last experience with MBAM from last month, extracts from my emails to their support”:

    “On the morning of the 23rd October I was warned and presented with the list of 567 “Trojan.fileless” as sent to you in MWBScan.pdf.
    Neither of the logs for the 22nd, or the 23rd logs record anything about this. (later asked and sent all logs from 20th to 25th)
    “Save” results- also did not record these: see attached reports txt & xml. That is why I did a screen snip and pdf.
    I have been using this program for over a year – MWB passed all these until today.
    Virus Scan passed this including a scan pass by MBAM: attached VirusTotal.pdf
    Yesterday it identified and quarantined a 3 year old 4 byte file in Appdata/Local/Temp called Raidtest as a Trojan .
    Clearly false positives? Has my installation of MBAM become faulty/ unreliable ?”

    “I did not quarantine anything as I am convinced the scan was wrong. The same files have been there for over a year with run logs did not report any problem until the above: it has not reported any threats since this episode even though the files are all still there. So what is the explanation?”

    I wasted a lot of time trying to get the message through to them that MBAM did not record in any logs the above: I kept getting back messages to send logs again and again even though I kept telling them the logs did not record any of the above, and to run test programs which resulted in no response when I sent a back the results. Frankly I think they kept this up until I gave up.

    While the above was going on ( there were some 6 emails back and forth) a week later when I clicked on MBAM in the tray I got this in the cascade menu:

    “Add to Web Exclusions 118.179.151.2”
    I did not trust MBAM.
    Whois:
    IP Information for 118.179.151.2
    Quick Stats
    IP Location Bangladesh Dhaka Dhakacom Limited
    ASN AS23956 AMBERIT-BD-AS AmberIT Limited, BD (registered Mar 15, 2005)
    Why would I add this to web exclusions?
    MBAM support response “Well, it picked it up” Yes – and MBAM told me to add it to exclusions.

    Do not trust MBAM (probably none of this trype of programs). But if paying for a subscription one should expect at least an honest try to help, even if an admission that the program got things wrong – not just bullshit which is what I got.

  2. I’ve used the free version of Malwarebytes Anti-Malware (MAM) for many years. Fortunately, MAM hasn’t detected any threats so far. But if it does, it looks like MAM would first quarantine the potentially malicious items where their ability to do harm is removed. So maybe the original poster should just leave the 300 identified threats in quarantine for a while to see if there is any adverse impact to PC performance. If there isn’t any, then go ahead and delete those threats. Shouldn’t this be adequate precaution to take before deleting any detected threats? If not, how can a user ever feel safe about deleting threats detected by ANY anti-malware software? (And if a performance problem does develop after the threats are quarantined, I would have to admit I wouldn’t know which of those 300 threat items to restore, so I would probably end up restoring all of them. The only recourse at that point, I guess, is to do what Leo said: restore the PC using a disk image backup, which, from experience, has its own risk.)

    • “Shouldn’t this be adequate precaution to take before deleting any detected threats?” – Perhaps, perhaps not. The thing is, quarantining something is a bit like putting it in the Recycle Bin: it’s moved from it’s original location and put in a temporary holding area. Now, if it’s a non-essential file, that’s okay; but if it’s an essential system file that gets incorrectly deleted,/quarantined your machine may be immediately unbootable – as happened to numerous people in the case I mentioned above.

      This is why I think the best option is to only use a single security app – Windows Defender or whatever. Each additional app you run increases the likelihood that you’ll encounter a problem. Sure, if you’ve got a problem that your preferred security app cannot fix, then you may need to use an alternative – but it really doesn’t make sense to be scanning your computer with multiple security apps when there’s no clear need to do so.

      • Ray Smith, you must be psychic. A day after your above reply to me, I scan my PC using Malwarebytes Anti-Malware (MAM) – and, for the very first time, it detected two malicious items. What a coincidence! And this is a PC I use just for online banking and is therefore kept very clean.

        In my slight state of panic, I clicked on the Remove button — and thinking shortly afterward I shouldn’t have done that, concerned that I prematurely deleted the two threats from quarantine. It turned out the Remove button only moved the threats to quarantine. Then, remembering your internet link, Ray, I went to the MAM forum and discovered that my two threats were in fact false positives. (Reason: Microsoft forgot to digitally sign two of their own files.) Hooray! These same false positives had caused havoc to many PC’s in the corporate world. Fortunately for me, because these were corporate clients who were adversely impacted, MAM investigated the problem quickly. A sigh of relief from me, because I had been thinking I would have to go through the trouble of restoring my PC using a disk image backup.

        So I thought: no problem. I’ll just restore those two threats, and I’ll be done. Unfortunately, MAM wouldn’t restore the two files. (It turns out that many users in the corporate world couldn’t restore them either. Some users couldn’t even re-boot their PC’s, which was a problem I didn’t have, thank God.) So, I used a restore point to return the two files to the registry. Fortunately, restore point completed successfully (it doesn’t always). Unfortunately, I then discovered that restore point corrupted MAM and Norton, my real time anti-malware software (an occasional side effect when using restore point.) So for a short period of time, I had to connect with the internet without any protection in order to reinstall my anti-malware software. Finally, after some double-checking, I was done. I hope everything is okay now.

        Moral of the story: I had said be careful about deleting items from quarantine. Be careful also about transferring items into quarantine in the first place – because you may not be able to restore them if the “threats” turn out to be false positives. (Unfortunately for me, my inclination is to quarantine potential threats asap.) And, oh yeah, stay calm.

        Thanks, Leo, for a very timely article — and to you, Ray, for some very timely and on-target advice.

  3. At the conceptual level I actually agree. Researching proposed removals would be the safest thing to do. The problem is that it’s neither practical or pragmatic for the average computer user to do so, or to understand the results of that research if they do.

    While bad things can happen, they don’t happen that often, in my experience.

    The best protection, in my opinion, remains a solid backup. Should disaster happen (of any kind), a restore should clean it right up. I think it’s more important that everyone have a backup strategy in place than it is to expect them all to be able to knowledgeably and reliably research the random items reported by their security software.

    • “The problem is that it’s neither practical or pragmatic for the average computer user to do so, or to understand the results of that research if they do.” – I think it’s within the average user’s capabilities to do a little digging. Less experienced users may be bamboozled, but many people will be able to make some sense of what they read.

      I agree with you about backups but: 1) they don’t work 100% of the time so it’s best not to use ’em unless you need to; and 2) not everybody has ’em – no matter how often they’re told that they should.

      • Ask Leo! exists principally to help the perpetually bamboozled. The geeks can usually figure those things out for themselves. 😉

        • And it’s not totally hard to reverse some things by simply using System Restore.

          I came to this page because Ray said something about not going there in the first place, and yeah, that’s common sense, but the internet has no common sense. You’d think that ‘this type of site (insert type)’ would be the obvious place for malware or a drive-by installation, and you’d only be partly correct. Exploits show up anywhere, for reasons few of us would fathom, or ever know.

          Malwarebytes isn’t an antivirus scanner, as they themselves state, it’s an addition to catch things antivirus scanner might now look for. Once quarantined, you can research the problem. A drive-by with multiple installations that are ‘friendly’ to each other, THAT’S not a mistaken act…in fact it was the reason I used their trial, to remove one that was already there, a REAL problem and recommended several time over (especially when I looked on the Microsoft Answers site and saw what peers had to say).

          Now drive-bys aren’t common in my experience, and antivirus software has gotten pretty advanced and has started to block several ‘social’ exploits including some of the ones that lock your browser page (not all) but I was happy to have my computer back after the drive-by, at least long enough to assess what happened to the rest of it and take action to repair/rebuild.

          It’s also true that 99% of my scans in the free version come up empty, but I also clear the cache quite regularly and that gets rid of a lot of it (and I mean everything, including the saved logins for favorites).

          And while I would assume that some of the detections might be unnecessary to some users, I would also figure that if it doesn’t look like it does anything you are going to think it’s useless and get rid of it. Human psychology, folks! You can’t make security programs too quiet for the average Joe.

    • Sadly, _my_ experience is that if something happens only rarely, or less, it’s more than likely that _I_ will be the one it happens to. That comes from years of experience as well as my Ph.D. degree in Murphy’s Law from the “University of Hard Knocks”.

      Eruadan

  4. I had Malware Bytes installed. When running the program I noticed other program’s desktop icons had disappeared. I would have to reinstall these programs only to have this happen again. I contacted the tech department for these other programs and discovered that running Bytes and their software was incompatible. Since the other programs were of more value to me than Bytes, I deleted it. Everything works fine now.

  5. I guess like anything it’s a question of horses for courses and what other software one uses. I have used Malwarebytes for a good number of years for a system consisting essentially of Windows, Hotmail/Outlook, IE/MS Edge, Office and photography software and never had one single problem with it in any respect. After my son started at university this year I recommended that he installed it also to help with some problems and it cleaned up his laptop beautifully. Therefore I would recommend it unequivocally.

  6. I do like Malwarebytes
    I use it every day
    So I can’t accumilate somany items at once
    In case It found something potentially dangerous I put That in quarantine so that I could reverse in case I face adverse effects
    Doing that I have never face difficulties with Malwarebytes

    What do you thing about that??

    • “I use it every day. So I can’t accumilate so many items at once.” – You should think about how/why your computer is being compromised. If you’re using your computer in safe manner, it should be clean and Malwarebytes should never detect anything.

      • This is what I was referencing earlier. You never know exactly where you might find malware, maybe your favorite and normally clean website was attacked..

        This is the real world of course, in the virtual one there be Dragons. That is why you backup and learn to fix your OS in various ways, and use security software.

        Not everyone will like X or Y, not every program fits all. I remember the ‘good old daze’ when I got a drive-by for the first time (we’re talking 98SE and found myself having to reinstall Windows, no backup, no CD-Rs, imaging, nothing. I just didn’t have any of that then…my first CD-R/RW drive didn’t come to me for another year or so, when I wanted to make music CDs). I saw no other choice but to reinstall back then. Now I can back up my FILES and ARCHIVED programs, to be honest it’s easier to reload Windows for me and rebuild and I can change things from the start if I see a need. I also stopped at 7, I have no need for newer. After 38 years (from age 12 and TRS-80 Model I) and 19 years on the Wild Wild Internet I might always have something to learn but I recognize the range I’m riding.

  7. Malwarebytes has a check box for every program or unneeded app that you can check before hitting delete. Use it frequently so you don’t accumulate so many unwanted items.

  8. I run Windows Defender and I use Malwarebytes when I think I need to check my machine. I remember in the past reading that malware could spoof legitimate files. Is this possibly happening? Also I am dealing at present with a problem with Windows update on a Win 7 machine and it seems possible that a driver for my audio hookup is conflicting with something. Seems rather odd but I wonder if conflicts of this sort could also cause problems given how complex computers have become.

  9. I use Malwarebytes quite often and trust it since many times it found something no others did find. I never had any problems with it so far after many years of use.
    I also use many different protection programs which were never in conflict so far.

    One of them is WinPatrol which warn me if something want to change something somewhere in my computer. Spybot is another one. IObit Advanced System Care. IObit Malware Fighter. IObit Uinstaller which clean remaining junk usualy not deleted after you uninstall a program. CCleaner. Norton Security. Also I use IObit Driver Booster which is perfect to keep Drivers up-to-date and IObit Smart Defrag.

    All of them helps me keep my computer clean and more secure. Might be too much for many but I try to protect myself the best I can with what I do know.

    • I see comments like this a lot and scratch my head. More is not necessarily better in this case. You have several apps/programs that are going to fight each other in the end instead of work together. Pare it down to some basics and get some harmony back. This is a mistake you often make when you are newer to things.

      I used to use a registry cleaner too, up through XP. I wouldn’t do that myself anymore. Notice how Microsoft wants you to edit your registry more and more these days:? People find that strange and fidget or get upset because they expect MS to ‘push a button’ after so many years of hands-off updating and hotfixes. A skill has been lost to apathy and when the paradigm changed back to more ‘old school’ ways they didn’t get it.

      Messing up the registry is a lot more serious than needing a System Restore. One bad move and you’ll probably never guess what you messed up and maybe never fix it. If you just learn it Windows will do a lot of cleanup for you. there is little or no need to ‘delete’ every single extraneous thing you find. Deleting is simply disassociating data from the registry anyway. It will eventually written over by new data eventually or it will sit there doing nothing forever. When you save a file you modified the new file is written over that disassociated data and it’s not even all placed in the same block. It can be in sections all over the hard drive. the registry tells Windows where to find it and how to assemble it. One error and you may have lost a file.

      THAT is why I don’t use a lot of security programs at once or a registry cleaner. And I have used Windows since 1985.

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Typically that's off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.