Downloading the Latest Malwarebytes Definitions File for Offline Use

Malwarebytes is no doubt one of the best anti-malware softwares available on the net – I have it as part of my default installation kit when I build/re-build a machine.

One of the annoying things about Malwarebytes though is the fact that they do not offer their definitions files to be downloaded manually.
(Well, technically they do, however this comes as a 6.5MB file which needs to be installed before being able to download the file (disadvantage for those on-the-go)… also, the file is not updated very often – once a week it seems – See here)

Why would one want to manually download the definitions file I hear you ask.

  • You have an infected machine with all sorts of bad things like remote key-loggers etc.
    You want to scan the machine with Malwarebytes but you do not have the latest definitions file… you obviously do not want to connect the machine to the internet in this state; who knows what could be transmitted to/fro the machine.
  • You are a PC support specialist and like to carry around the latest definition files for portable anti-virus/malware applications on your USB.

How?

I used Wireshark to see exactly what was going on when an update was performed in the actual software interface.

I came across several URLs in the output, one of which was:

Image showing the check.version URL in Wireshark

Hmmm… looked tasty, so I inspected the packet in more detail:

Image showing the check.version packet in more detail in Wireshark

Okay so this gives us the full URL used for the ‘version.check’ page. Going on to that page will return an integer which represents the latest database version (definitions file) – go on, give it a try: http://data-cdn.mbamupdates.com/v0/database/version.check

I did a bit more digging around in Wireshark in an attempt to find the URL used to download the actual definitions file… I found this:

Image showing the download link for the definitions file in Wireshark

Interesting. So it checks the local definitions database against /version.check. If it finds that /version.check returns a later version, it fires off a GET request to /data/rules.n.ref

Nice. So with this information, we can script something up that will automatically put the latest database version integer in to the /data/rules.ref request.

I did this in a batch file with the help of wget.

Script

@echo off
wget -O latest.txt http://data-cdn.mbamupdates.com/v0/database/version.check
FOR /F "tokens=1 delims=" %%A in ('type latest.txt') do SET var=%%A
wget -O rules.ref http://data-cdn.mbamupdates.com/v0/database/data/rules.%var%.ref
REM copy rules.ref driveLetter:\
exit 0

I left in a REM (remark/comment) on the last line which will automatically copy the definitions file straight on to the root of a flash drive – all you need to do is remove the REM and replace driveLetter with the letter of your flash drive.

You can download the script here – it includes wget so all you have to do is double click the bat file (MBDownloadLatestDefs.bat)

This entry was posted in Tech and tagged . Bookmark the permalink.

10 Responses to Downloading the Latest Malwarebytes Definitions File for Offline Use

  1. kakraul says:

    After rules.ref is created, how do you apply it to update Malwarebytes’ Anti Malware?

  2. E Mikail T says:

    Hi Kakraul,
    The rules.ref for MB are usually stored in the following folder:
    Documents & Settings\All Users\Application Data\Malwarebytes\Malwarebytes’ Anti-Malware

    You can copy the rules.ref created by my batch script over to the above folder for Malwarebytes to use.

    Hope that helps :)

  3. kakraul says:

    Thanks alot, in answering in such a short time.
    Dude, you are a genius. You rock.
    It works. Thanks a million.

  4. Alex says:

    Very nice – works a treat

  5. Sunny says:

    I download the latest version as “rules.7376.ref” rename it to “rules.ref” and replace it with the old one in alluser application data mbam folder but still it shows the old defination value that is 7035. I restart my computer and even change the value in registry too. but still it shows 7035, how to change this…

    • E Mikail T says:

      Sunny,
      That is just the user interface not updating… as well as the rules.ref, there are other files that MB downloads during the update process. One of these files no doubt updates the interface to show the correct version. I did not bother including these other files as we are only interested in the definitions file.

  6. Lavi Rizky says:

    Thanks for this post. Very usefull for helping me.

  7. Steve H says:

    Thanks for this. You have helped to get rid of the security protection virus and made me few dollars.. Again I thank you very much

  8. Massimo says:

    Work fine! Thank you GENIUS!!! :)

Comments are closed.