Ask Leo! #627 – Trusting Your Security Software, Second Hand Access, The Mess That Is Event Viewer, and more…

"Given that I trust Malwarebytes, my default answer is easy. Yes: when it recommends something be deleted, it's probably safe to delete it." - I disagree. Incorrect detections are not at all uncommon, as you can see from the company's own forum:

https://forums.malwarebytes.org/forum/42-file-detections/

Sometimes, as you said, incorrect detections can cause major problems - as was the case a couple of years ago when Malwarebytes broke tens of thousands of machines:

"As many of you are aware, we suffered a false positive earlier today which caused many of our users' systems to be rendered inoperable."

https://forums.malwarebytes.org/topic/125138-trojandownloadered/

To be clear, I'm in no way criticizing Malwarebytes: like death and taxes, false positives are inevitable. It does mean, however, that it's not a good idea to blindly allow your security apps to delete things. Instead, it's better to first do some research. And in some cases, simply uninstalling a program in the usual way may be a better option that allowing a security app to delete it.

Lenovo Browser Guard - mentioned at the start of your post - is neither malware nor a PUP:

"Q: Why does my antivirus program display a warning about Lenovo Browser Guard?

A: The way Browser Guard operates to protect your settings can in some cases be mistaken for being suspicious activity by some antivirus programs. Since antivirus programs take the road of caution when they cannot fully determine if a file is a threat or not they prompt the user to investigate the file to ensure it is something they want.

Q: Is Browser Guard so called malware?

A: No, that an antivirus program may prompt the user about Browser Guard should not be a cause of alarm. All the program does is to stop other pieces of software from changing the user's browser settings without the user's consent."

https://forums.lenovo.com/t5/Security-Malware-Knowledge-Base/Lenovo-Browser-Guard-Facts-and-Q-amp-A/ta-p/1722691

If somebody doesn't need/want it installed, the best course of action is to simply uninstall it.

At the conceptual level I actually agree. Researching proposed removals would be the safest thing to do. The problem is that it's neither practical or pragmatic for the average computer user to do so, or to understand the results of that research if they do.

While bad things can happen, they don't happen that often, in my experience.

The best protection, in my opinion, remains a solid backup. Should disaster happen (of any kind), a restore should clean it right up. I think it's more important that everyone have a backup strategy in place than it is to expect them all to be able to knowledgeably and reliably research the random items reported by their security software.

Ray Smith, you must be psychic. A day after your above reply to me, I scan my PC using Malwarebytes Anti-Malware (MAM) - and, for the very first time, it detected two malicious items. What a coincidence! And this is a PC I use just for online banking and is therefore kept very clean.

In my slight state of panic, I clicked on the Remove button -- and thinking shortly afterward I shouldn't have done that, concerned that I prematurely deleted the two threats from quarantine. It turned out the Remove button only moved the threats to quarantine. Then, remembering your internet link, Ray, I went to the MAM forum and discovered that my two threats were in fact false positives. (Reason: Microsoft forgot to digitally sign two of their own files.) Hooray! These same false positives had caused havoc to many PC's in the corporate world. Fortunately for me, because these were corporate clients who were adversely impacted, MAM investigated the problem quickly. A sigh of relief from me, because I had been thinking I would have to go through the trouble of restoring my PC using a disk image backup.

So I thought: no problem. I'll just restore those two threats, and I'll be done. Unfortunately, MAM wouldn't restore the two files. (It turns out that many users in the corporate world couldn't restore them either. Some users couldn't even re-boot their PC's, which was a problem I didn't have, thank God.) So, I used a restore point to return the two files to the registry. Fortunately, restore point completed successfully (it doesn't always). Unfortunately, I then discovered that restore point corrupted MAM and Norton, my real time anti-malware software (an occasional side effect when using restore point.) So for a short period of time, I had to connect with the internet without any protection in order to reinstall my anti-malware software. Finally, after some double-checking, I was done. I hope everything is okay now.

Moral of the story: I had said be careful about deleting items from quarantine. Be careful also about transferring items into quarantine in the first place - because you may not be able to restore them if the 'threats' turn out to be false positives. (Unfortunately for me, my inclination is to quarantine potential threats asap.) And, oh yeah, stay calm.

Thanks, Leo, for a very timely article -- and to you, Ray, for some very timely and on-target advice.