App Review A quick Malwarebytes 3.0 test


cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,150
A few things:

1). I ran malware from the Desktop- Is this a valid way of testing the product?
Yes it is- I direct you to a comment from MB staff on their forums (found here: Malwarebytes latest video review.)

“Testing URLs that point to malware is not real-world testing. Typically before a URL pointing to an EXE gets executed, it is tripped by either an Exploit Kit or a JavaScript downloader in a ZIP email attachment. These are the top 2 infection vectors nowadays representing pretty much the vast majority of prevalent malware. If the infection vector is replicated during the test (either visiting an exploit-rigged website or opening the ZIP from an email) these infection vectors would have been blocked by MB3 before the malware was downloaded.”

Note that email attachments are mentioned- an email attachment MUST be saved (usually to Temp) and run locally. So whether a file is saved to and run from Temp or Desktop is trivial. Both are equally valid.

2). About the stuff left behind after the initial scan- These were primarily script based (from the Locky, Cerber, RAA, and Nemucod families). All of the Locky variants were blocked as they could not contact their C&C to download the payload (as mentioned in the MB note above); but the others were able to pass through just like the RAA demonstrated in the video.

3). The Petya file (Original Red flavor) was able to bypass MB but I chose not to dwell on this as it is not really distributed anymore.
 

MalwareBlockerYT

A few things:

1). I ran malware from the Desktop- Is this a valid way of testing the product?
Yes it is- I direct you to a comment from MB staff on their forums (found here: Malwarebytes latest video review.)

“Testing URLs that point to malware is not real-world testing. Typically before a URL pointing to an EXE gets executed, it is tripped by either an Exploit Kit or a JavaScript downloader in a ZIP email attachment. These are the top 2 infection vectors nowadays representing pretty much the vast majority of prevalent malware. If the infection vector is replicated during the test (either visiting an exploit-rigged website or opening the ZIP from an email) these infection vectors would have been blocked by MB3 before the malware was downloaded.”

Note that email attachments are mentioned- an email attachment MUST be saved (usually to Temp) and run locally. So whether a file is saved to and run from Temp or Desktop is trivial. Both are equally valid.

2). About the stuff left behind after the initial scan- These were primarily script based (from the Locky, Cerber, RAA, and Nemucod families). All of the Locky variants were blocked as they could not contact their C&C to download the payload (as mentioned in the MB note above); but the others were able to pass through just like the RAA demonstrated in the video.

3). The Petya file (Original Red flavor) was able to bypass MB but I chose not to dwell on this as it is not really distributed anymore.
Nice video! I'm just about to record my test now :)
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,346
It was expected for the ransomware protection to suck. You already said their MBAR sucks and they didn't do anything other than combine the 3 products.
Thanks for the video.
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
Thanks for the test.
I was asking that question on the Wilderssecurity forum.
Here is a picture of the Q&A:

[attachment: Clipboard01.jpg]
 

adnage19

Level 5
Verified
Well-known
Sep 22, 2016
211
Well, I saw so many fails by standalone Malwarebytes Anti-Ransomware that I'm not surprised with the results of this test. It still provides very average protection. Just like @SHvFl said.

Btw... I can't focus on this test anymore since I saw the latest readme file on the video with two Polish words at the end - "Trudno kochać". @cruelsister :p
 

FleischmannTV

Level 7
Verified
Honorary Member
Well-known
Jun 12, 2014
314
Note that email attachments are mentioned- an email attachment MUST be saved (usually to Temp) and run locally. So whether a file is saved to and run from Temp or Desktop is trivial. Both are equally valid.

I believe pbust's point was that the malware has to be executed by the browser or the e-mail program. So, if you save the malware, close the browser/e-mail program, go to the folder on your own and execute it from there, their anti-exploit can no longer keep track of the execution chain (parent to child process).
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,150
Fleischmann- about the email attachments- when you open, say, a Doc or Excel file that is malicious it will be opened LOCALLY on your system by either Word or Excel; if the attachment is some sort of script it will be processed by wscript also locally. In neither case are the files contained within an email app.

Whenever you read a comment from a developer (NOT MB, because they are not stating this!) saying that a test is not valid because the malware should have come from X and not Y, be very cautious as they are trying to jive you to make up for inadequate protection.

Adnage- I saw Kayah in concert in Krakow. I had no idea what she was singing about but I felt every word...
 

Fabian Wosar

From Emsisoft
Verified
Developer
Well-known
Jun 29, 2014
260
Fleischmann- about the email attachments- when you open, say, a Doc or Excel file that is malicious it will be opened LOCALLY on your system by either Word or Excel; if the attachment is some sort of script it will be processed by wscript also locally. In neither case are the files contained within an email app.
You do know that it is possible to track relationships between processes, right? How do you think process trees can be generated? And yes, it makes a very big difference for MBAE for example if you run a .JS from Word via a macro or from the Desktop by double clicking it.

Whenever you read a comment from a developer (NOT MB, because they are not stating this!) saying that a test in not valid because the malware should have come from X and not Y, be very cautious as they are trying to Jive you to make up for inadequate protection.
Actually, MB will dismiss your test. Then they will point you to this:

Malwarebytes 3.0 - Frequently Asked Questions
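The execution-chain point raised in this post and in FleischmannTV's post above (a protection layer that keys on the parent-to-child process relationship sees a script host spawned by Word or a mail client, but not the same script double-clicked on the Desktop) can be illustrated with a small detection routine. This is an added example for the thread, not code from Malwarebytes or from any poster; the event shape (pid, ppid, image) is loosely modelled on process-creation logs, and the process names and sample events are constructed.

```python
"""Reconstruct process ancestry from process-creation events and flag script
hosts whose lineage includes a document or mail application.

Added example; not Malwarebytes code. Event tuples are (pid, ppid, image),
loosely modelled on process-creation log fields. All events are constructed.
"""

# Script hosts whose lineage is worth checking (assumed list for the example).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Document and mail applications that should not normally spawn script hosts.
DOC_AND_MAIL_APPS = {"winword.exe", "excel.exe", "outlook.exe", "thunderbird.exe"}

# Constructed process-creation events: (pid, ppid, image name).
SAMPLE_EVENTS = [
    (400, 1, "explorer.exe"),
    (501, 400, "outlook.exe"),
    (612, 501, "winword.exe"),   # attachment opened from the mail client
    (733, 612, "wscript.exe"),   # macro runs a .JS: visible in the chain
    (900, 400, "wscript.exe"),   # same .JS double-clicked on the Desktop
    (950, 400, "notepad.exe"),
]


def build_tree(events):
    """Map pid -> (ppid, image) so ancestry can be walked upwards."""
    return {pid: (ppid, image) for pid, ppid, image in events}


def ancestry(tree, pid):
    """Image names from the process up to the root. Stops on a missing
    parent or a cycle so a malformed log cannot loop forever."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        ppid, image = tree[pid]
        chain.append(image.lower())
        pid = ppid
    return chain


def flag_script_hosts(events):
    """Return {pid: ancestry} for script hosts with a document or mail
    application anywhere above them in the process tree."""
    tree = build_tree(events)
    hits = {}
    for pid, _, image in events:
        if image.lower() not in SCRIPT_HOSTS:
            continue
        chain = ancestry(tree, pid)
        if any(parent in DOC_AND_MAIL_APPS for parent in chain[1:]):
            hits[pid] = chain
    return hits


def unflagged_script_hosts(events):
    """Script hosts the lineage rule does NOT catch, e.g. those launched
    from explorer.exe by double-clicking a file on the Desktop."""
    flagged = flag_script_hosts(events)
    return sorted(pid for pid, _, image in events
                  if image.lower() in SCRIPT_HOSTS and pid not in flagged)


if __name__ == "__main__":
    for pid, chain in flag_script_hosts(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {' <- '.join(chain)}")
    print("not covered by the lineage rule:", unflagged_script_hosts(SAMPLE_EVENTS))
```

Run stand-alone, the routine flags pid 733 (wscript.exe under winword.exe under outlook.exe) and lists pid 900 as uncovered: the Desktop launch has explorer.exe as its only parent, so a rule built on execution lineage alone has nothing to match, which is exactly why that case needs a separate layer (file or behaviour based) to be caught.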
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,150
FW- 1). As I'm sure you are quite aware, my point was that an email attachment is not run from within an email application. And as to a Doc macro- try it with MB, but please on a test system.
2). MB always dismisses my tests. Perhaps that's why they are having protection issues with their product.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
2 typical infection vectors:

A) Through the Web
B) Through an Email attachment

Unfortunately, in the world of trending technology, many antivirus products are also aligned to the common and usual ways of infection, relying heavily on web filtering rather than on signatures.

Developers should do a little homework: regardless of the infection vector, and whether or not the malware is run locally, it must be detected in the usual manner.
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,150
Well put, James!! Any product that touts itself as the PRIMARY security solution for a given system should not have exceptions to what or what not it covers. A deficiency in one module should be made up for by the superiority of another. The user of that product should have the reasonable expectation that malware, no matter what type, will be stopped wherever it is run without regard to if it comes from the Internet, Email, Desktop, USB, or teleported onto the system by aliens from the Planet Zog.

It surprises me that there are apologists for products with inadequate protection.
 

FleischmannTV

Level 7
Verified
Honorary Member
Well-known
Jun 12, 2014
314
It surprises me that there are apologists for products with inadequate protection.

I didn't see anything like that in this thread. @Fabian Wosar and I explained to you in which ways components of Malwarebytes 3 would prevent infection, which you somehow fail to understand, as otherwise you would have tried to reproduce an actual infection pathway to see whether Malwarebytes' arguments are valid or not.

On top of that I don't like the product which I have said before.

Any product that touts itself as the PRIMARY security solution for a given system should not have exceptions to what or what not it covers.

I am eagerly awaiting your Comodo vs prevalent PUPs test.
 
