{"id":24,"date":"2011-03-20T19:17:45","date_gmt":"2011-03-20T19:17:45","guid":{"rendered":"http:\/\/emtunc.org\/blog\/?p=24"},"modified":"2015-05-24T14:29:18","modified_gmt":"2015-05-24T13:29:18","slug":"downloading-the-latest-malwarebytes-definitions-file-for-offline-use","status":"publish","type":"post","link":"https:\/\/emtunc.org\/blog\/03\/2011\/downloading-the-latest-malwarebytes-definitions-file-for-offline-use\/","title":{"rendered":"Downloading the Latest Malwarebytes Definitions File for Offline Use"},"content":{"rendered":"<p><strong>UPDATE 05\/2015:<\/strong> <a href=\"http:\/\/emtunc.org\/blog\/05\/2015\/downloading-the-latest-malwarebytes-definitions-file-for-offline-use-with-powershell\/\" target=\"_blank\">See version 2 of the script where I have written it in PowerShell. This one is easier to understand and doesn&#8217;t require wget.exe. It will work on any machine with PowerShell v3 and greater.<\/a><\/p>\n<p>Malwarebytes is no doubt one of the best anti-malware softwares available on the net &#8211; I have it as part of my default installation kit when I build\/re-build a machine.<\/p>\n<p>One of the annoying things about Malwarebytes though is the fact that they do not offer their definitions files to be downloaded manually.<br \/>\n(Well, technically they do, however this comes as a 6.5MB file which needs to be <strong>installed<\/strong> before being able to download the file (disadvantage for those on-the-go)&#8230; also, the file is not updated very often &#8211; once a week it seems &#8211; See <a title=\"mbam rules\" href=\"http:\/\/malwarebytes.gt500.org\/\" target=\"_blank\">here<\/a>)<\/p>\n<p>Why would one want to manually download the definitions file I hear you ask.<\/p>\n<ul>\n<li>You have an infected machine with all sorts of bad things like remote key-loggers etc.<br \/>\nYou want to scan the machine with Malwarebytes but you do not have the latest definitions file&#8230; you obviously do not want to connect the machine to the internet in this state; who knows what could be transmitted to\/fro the machine.<\/li>\n<li>You are a PC support specialist and like to carry around the latest definition files for portable anti-virus\/malware applications on your USB.<\/li>\n<\/ul>\n<p><!--more--><\/p>\n<h3>How?<\/h3>\n<p>I used <a title=\"Wireshark\" href=\"http:\/\/www.wireshark.org\/\" target=\"_blank\">Wireshark<\/a> to see exactly what was going on when an update was performed in the actual software interface.<\/p>\n<p>I came across several URLs in the output, one of which was:<\/p>\n<p><a href=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2011\/03\/wireshark_checkversion.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-26\" title=\"wireshark_checkversion\" src=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2011\/03\/wireshark_checkversion-300x10.png\" alt=\"Image showing the check.version URL in Wireshark\" width=\"300\" height=\"10\" srcset=\"https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2011\/03\/wireshark_checkversion-300x10.png 300w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2011\/03\/wireshark_checkversion.png 377w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Hmmm&#8230; looked tasty, so I inspected the packet in more detail:<\/p>\n<p><a href=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2011\/03\/wireshark_pktinspection.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-29\" title=\"wireshark_pktinspection\" src=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2011\/03\/wireshark_pktinspection-300x94.png\" alt=\"Image showing the check.version packet in more detail in Wireshark\" width=\"300\" height=\"94\" srcset=\"https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2011\/03\/wireshark_pktinspection-300x94.png 300w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2011\/03\/wireshark_pktinspection.png 377w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Okay so this gives us the full URL used for the &#8216;version.check&#8217; page. Going on to that page will return an integer which represents the latest database version (definitions file) &#8211; go on, give it a try: <a href=\"http:\/\/data-cdn.mbamupdates.com\/v0\/database\/version.check\" target=\"_blank\"><code>http:\/\/data-cdn.mbamupdates.com\/v0\/database\/version.check<\/code><\/a><\/p>\n<p>I did a bit more digging around in Wireshark in an attempt to find the URL used to download the actual definitions file&#8230; I found this:<\/p>\n<p><a href=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2011\/03\/wireshark_rulesref.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-28\" title=\"wireshark_rulesref\" src=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2011\/03\/wireshark_rulesref-300x10.png\" alt=\"Image showing the download link for the definitions file in Wireshark\" width=\"300\" height=\"10\" srcset=\"https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2011\/03\/wireshark_rulesref-300x10.png 300w, https:\/\/emtunc.org\/blog\/wp-content\/uploads\/2011\/03\/wireshark_rulesref.png 419w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Interesting. So it checks the local definitions database against <em>\/version.check<\/em>. If it finds that <em>\/version.check<\/em> returns a later version, it fires off a GET request to <em>\/data\/rules.n.ref<\/em><\/p>\n<p>Nice. So with this information, we can script something up that will automatically put the latest database version integer in to the <em>\/data\/rules.ref<\/em> request.<\/p>\n<p>I did this in a batch file with the help of wget.<\/p>\n<h3>Script<\/h3>\n<p><code>@echo off<br \/>\nwget -O latest.txt http:\/\/data-cdn.mbamupdates.com\/v0\/database\/version.check<br \/>\nFOR \/F \"tokens=1 delims=\" %%A in ('type latest.txt') do SET var=%%A<br \/>\nwget -O rules.ref http:\/\/data-cdn.mbamupdates.com\/v0\/database\/data\/rules.%var%.ref<br \/>\nREM copy rules.ref driveLetter:\\<br \/>\nexit 0<\/code><\/p>\n<p>I left in a REM (remark\/comment) on the last line which will automatically copy the definitions file straight on to the root of a flash drive &#8211; all you need to do is remove the REM and replace driveLetter with the letter of your flash drive.<\/p>\n<p>You can download the script <a href=\"http:\/\/emtunc.org\/blog\/wp-content\/uploads\/2011\/03\/MalwarebytesDefinitionsDownload.zip\" target=\"_blank\">here<\/a> &#8211; it includes wget so all you have to do is double click the bat file (<strong>MBDownloadLatestDefs.bat<\/strong>)<\/p>\n<p><strong>UPDATE 05\/2015:<\/strong> <a href=\"http:\/\/emtunc.org\/blog\/05\/2015\/downloading-the-latest-malwarebytes-definitions-file-for-offline-use-with-powershell\/\" target=\"_blank\">See version 2 of the script here where I have written it in PowerShell. This one is easier to understand and doesn&#8217;t require wget.exe. It will work on any machine with PowerShell v3 and greater.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>UPDATE 05\/2015: See version 2 of the script where I have written it in PowerShell. This one is easier to understand and doesn&#8217;t require wget.exe. It will work on any machine with PowerShell v3 and greater. Malwarebytes is no doubt one of the best anti-malware softwares available on the net &#8211; I have it as [&hellip;]<\/p>\n","protected":false},"author":32,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":""},"categories":[1],"tags":[6],"class_list":["post-24","post","type-post","status-publish","format-standard","hentry","category-tech","tag-malwarebytes"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1trTO-o","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/24","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/comments?post=24"}],"version-history":[{"count":3,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/24\/revisions"}],"predecessor-version":[{"id":1457,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/24\/revisions\/1457"}],"wp:attachment":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/media?parent=24"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/categories?post=24"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/tags?post=24"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}