App Review A quick Malwarebytes 3.0 test

[cruelsister]

Running malware from the Desktop or folder on the hard drive is an invalid test? If that is what you are saying then one can infer that no protection should be expected if a file is downloaded from the Internet and run from the Downloads folder! This would make MB3 anything but primary protection.

But what totally confused me was FW's toleration of the protection inadequacy of MB3 that I am sure he would never accept in his own.

 

[Lucent Warrior]

Running malware from the Desktop or folder on the hard drive is an invalid test? If that is what you are saying then one can infer that no protection should be expected if a file is downloaded from the Internet and run from the Downloads folder! This would make MB3 anything but primary protection.

But what totally confused me was FW's toleration of the protection inadequacy of MB3 that I am sure he would never accept in his own.

I don't know about you, but most people I know that download applications either do so to the desktop or downloads folder and execute from either or, this makes testing from the desktop quite valid in my book.

 

[cruelsister]

Thanks, LW. It really baffles me that so many don't realize that they are being served up a BS sandwich...

 

[Lucent Warrior]

Thanks, LW. It really baffles me that so many don't realize that they are being served up a BS sandwich...

When it comes to Products/Vendors/Developers and making money being priority, you will see garbage truck loads of that BS, enough to make sandwichs for every member of MT

 

[Evjl's Rain]

MB3 is officially now a beta product under the badge "final"

 

[Fabian Wosar]

But what totally confused me was FW's toleration of the protection inadequacy of MB3 that I am sure he would never accept in his own.

I wouldn't. But the point is not to be apologetic for MB3's clear deficiencies, which are even more atrocious than your little test demonstrated, but to show you how with 2 minutes of extra work you can eliminate any excuses Malwarebytes (or any other vendor really) would have to dismiss your test.

 

[BoraMurdar]

I think you guys @Lucent Warrior and @Fabian Wosar can discuss about this in a gentleman manner. Please don't prove me wrong.

 

[BoraMurdar]

I would absolutely love too, should he decided to quit wasting time attacking users and just either show us a better way, or leave us alone and go bother someone else, or maybe he should just focus working on the product that is far from perfect.

I am just saying that everything can be solved in a polite way. There's no need to hard words. Or it will not be discussed at all. Reviewer should take constructive critics but critic should also bring a valid points.

 

[Lucent Warrior]

I am just saying that everything can be solved in a polite way. There's no need to hard words. Or it will not be discussed at all. Reviewer should take constructive critics but critic should also bring a valid points.

I agree completely this is how it should be. Those valid points should they prove to be valid, should be clear enough for the tester to be able to utilize them to improve.

 

[Andy Ful]

Again failing to understand basic OS features. In that case, files would have a Zone Identifier, clearly indicating they came from the Internet. It makes a difference if you copy over files via the sharing feature of your favourite VM solution or downloading them via your browser to your Desktop and execute them.
...

I think that both you and @cruelsister are right.
If MB3 clearly states that executables should be run from the Web browser or e-mail client to be checked, then @cruelsister test procedure is flawed.
Yet, @cruelsister is right in that MB3 shield is too short, because users can get files from many sources.

Here are some examples listed below, when files can have no Zone Identifier.
You have got the executable file using:
*the downloader or torrent application (EagleGet, utorrent, etc.);
*container format file (zip, 7z, arj, rar, etc.);
*CD/DVD/Blue-ray disc;
*CD/DVD/Blue-ray disc image (iso,bin,etc.);
*non NTFS USB storage device(FAT32 pendrive, FAT32 usb disk);
*Memory Card;

It would be good to cover all those sources (especially the first and the second).
E-mail attachments are often in container format so they cannot be run directly from the browser.

 

[Deleted Member 3a5v73x]

Running malware from the Desktop or folder on the hard drive is an invalid test? If that is what you are saying then one can infer that no protection should be expected if a file is downloaded from the Internet and run from the Downloads folder! This would make MB3 anything but primary protection.

In that case, files would have a Zone Identifier, clearly indicating they came from the Internet. It makes a difference if you copy over files via the sharing feature of your favourite VM solution or downloading them via your browser to your Desktop and execute them.

Im reading this over and over and still don't get it. And what about just plain Antivirus/Anti-Malware vendors who doesn't have any web protection features or "Zone Identifier" and can't recognize from where the malware.exe came from (Internet, USB, Desktop) Testing method is still wrong if malware.exe is executed from Virtual Machine Desktop for example if it magicaly appeared there? I hope my question is understandable. Thanks

 

[Fabian Wosar]

Yet, @cruelsister is right in that MB3 shield is too short, because users can get files from many sources.

There is no doubt about that. In fact, I am pretty sure for the samples displayed, there will be no difference at all. However, the difference is, that at the moment they will dismiss the test. I have been through that. During the MB3 beta I tried to get them to fix massive flaws in their ransomware protection that downright failed completely with high profile ransomware families like Locky and Cerber. I spoke to two different Malwarebytes employees directly. The reaction was always the same: "Oh, you must not replicate the infection vector correctly!"

If your motivation as a tester is, that you improve everyone's security, which I think is the case for cruelsister, not giving them the opportunity for easy excuses, especially if it adds only a very small amount of overhead, is something worth doing.

On a more personal note: Yes, it sucks big time that jumping through hoops like that to get some attention for a flaw is even necessary. In a perfect world, this shouldn't be necessary at all. However, we are not in a perfect world. I am a pragmatist. I can try arguing for hours, days, or even months, trying to change their mind and then start all over again with the next company, or I can simply adjust my testing, provided it doesn't compromise my test's integrity, which takes me a couple of minutes to do, and give them no platform for excuses to begin with. It's an easy pick for me.

Here are some examples listed below, when files can have no Zone Identifier.

Correct. Although MBAE and MB3 treat stuff executing from a packer differently as well. Also a lot of packers and download manager tools these days preserve the zone identifier. Not all of them do, though.

 

[Fabian Wosar]

Im reading this over and over and still don't get it. And what about just plain Antivirus/Anti-Malware vendors who doesn't have any web protection features or "Zone Identifier" and can't recognize from where the malware.exe came from (Internet, USB, Desktop)

How do you know the plain anti-virus/anti-malware vendor doesn't? Plain is a very deceptive thing. I think we can all agree, that Windows Defender is one of the most basic anti-virus out there. But you would be surprised about what kind of tech is working in the background. A lot of stuff you don't notice at all on the surface.

So why not just assume it does and add the extra 1 or 2 minutes of work to download the samples instead of just copying them? If it would make a difference, you get more accurate results. If it doesn't, you get the same results as before, but someone can't discredit your test because you "didn't replicate the attack vector".

 

[Andy Ful]

...
Also a lot of packers and download manager tools these days preserve the zone identifier. Not all of them do, though.

I meant that the problems arise when a packed executables have not initially Zone Identifier attached (as for many malware files). Then after downloading and unpacking on the user's computer, the executables still do not have Zone Identifier. That is well known developers trick to avoid the SmartScreen check of applications, that did not gain sufficient reputation.

If MB3 can manage such situation, then they are on the right track.

 

[Rodney74]

Hi CS...

Hey I setup Comodo F.W per your recommendations via the video...

I am wondering can I just use the CFW and nothing else.

I mean I have Windows 10 (Defender).

Do you think I need an AV or Should I add something else like NVTRP or Appguard. (Any recommendations?)

Thanks for all the help.

 

[cruelsister]

I've been away for the past little bit so I must say upfront that I missed many of the recent posts on this topic, and was sort of warned that I may be wise in continuing my ignorance.

That being said, I know occasionaly my videos may be disturbing for some, but I choose rather to focus on the flaws that can be found, both as a prod to product development (which some indeed have), as well as making sure the typical user does not dwell in some sort of CloudCookooLand with regard to the Security products that are used. In addition, my handle is CRUEL-sister and certainly not Unicorns-and Rainbows-Sister.

But for those that found this little video revolting, I do hope that you likes the song- Kayah has a very nice voice and should be more popular!

 

[Rodney74]

I've been away for the past little bit so I must say upfront that I missed many of the recent posts on this topic, and was sort of warned that I may be wise in continuing my ignorance.

That being said, I know occasionaly my videos may be disturbing for some, but I choose rather to focus on the flaws that can be found, both as a prod to product development (which some indeed have), as well as making sure the typical user does not dwell in some sort of CloudCookooLand with regard to the Security products that are used. In addition, my handle is CRUEL-sister and certainly not Unicorns-and Rainbows-Sister.

But for those that found this little video revolting, I do hope that you likes the song- Kayah has a very nice voice and should be more popular!

Continue, please do:

Hi CS...

Hey I setup Comodo F.W per your recommendations via the video...

I am wondering can I just use the CFW and nothing else.

I mean I have Windows 10 (Defender).

Do you think I need an AV or Should I add something else like NVTRP or Appguard. (Any recommendations?)

Thanks for all the help.

 

[Andy Ful]

I meant that the problems arise when a packed executables have not initially Zone Identifier attached (as for many malware files). Then after downloading and unpacking on the user's computer, the executables still do not have Zone Identifier. That is well known developers trick to avoid the SmartScreen check of applications, that did not gain sufficient reputation.
...

I was not quite precise. I have just tested this in the new Windows 10 (version 1607) and this trick does not work if someone is using Windows Explorer to run/copy/extract executables from a Zip archive flagged with Zone Identifier. So, unpacked executables also have Zone Identifier.
Yet, if the archive is unpacked/copied by 7-Zip, then the trick still works, and unpacked executables have not got Zone Identifier. But on the contrary, if the archive is opened with 7-Zip, and then run from the 7-Zip window (right mouse click - 'Open Outside' ), then the trick does not work. In Total Commander the trick works again.
So, this seems to me like a mess.

 

[509322]

Continue, please do:

Hi CS...

Hey I setup Comodo F.W per your recommendations via the video...

I am wondering can I just use the CFW and nothing else.

I mean I have Windows 10 (Defender).

Do you think I need an AV or Should I add something else like NVTRP or Appguard. (Any recommendations?)

Thanks for all the help.

I am going to chime-in here since you are asking about an AppGuard - COMODO FIrewall combo.

Supplementing COMODO Firewall with AppGuard really isn't necessary. In fact, it makes no sense. CFW will intercept a file in User Space before AppGuard. If the file is unknown to COMODO, then CFW will attempt to auto-sandbox the file. However, even if you want the file to run sandboxed, then AppGuard is going to block its execution and thereby prevent auto-sandboxing. To not interfere with auto-sandboxing, you have to lower AppGuard's protections to "Allow Installs" or "OFF." Only then can you run files inside COMODO's sandbox or Virtual Desktop. The same applies to combining CFW with NVT ERP - but you have the option to "Allow" in the ERP alert while running it in Alert mode. In ERP Locked Down mode, the same procedure as for AppGuard will be required.

I am of the opinion that these sorts of security software combinations are nothing but a needless usability hassle created by the user. How much of hassle it will be depends - mostly - upon how often the user introduces executable files to their system. If the system is essentially static, software kept up-to-date, then CFW and AppGuard will rarely block anything - if ever - since there is nothing that has been introduced by the user to the system that needs to be blocked. If the user constantly changes the system - continually introducing executable files to it - then that user will quickly tire of a CFW - AppGuard combo. Like nearly all things IT, the most influential variable is user computing habits. The user makes it much more complicated than what is required to sensibly protect the system. It makes a big difference in the overall usability index.

In CFW you can configure it to be complete default-deny (blocking both file execution & network access) if you so wish. If you configure it this way, then you might have to create some Allow exclusions - and that will depend upon what is installed on your system and whether or not all the safe\legitimate files are known to COMODO. If you configure CFW for absolute-blocking then, once again, AppGuard is pointless.

Between AppGuard and COMODO Firewall, you would be better off choosing one product or the other - and learning to use that product knowledgeably.

 

[Rodney74]

I am going to chime-in here since you are asking about an AppGuard - COMODO FIrewall combo.

Supplementing COMODO Firewall with AppGuard really isn't necessary. In fact, it makes no sense. CFW will intercept a file in User Space before AppGuard. If the file is unknown to COMODO, then CFW will attempt to auto-sandbox the file. However, even if you want the file to run sandboxed, then AppGuard is going to block its execution and thereby prevent auto-sandboxing. To not interfere with auto-sandboxing, you have to lower AppGuard's protections to "Allow Installs" or "OFF." Only then can you run files inside COMODO's sandbox or Virtual Desktop. The same applies to combining CFW with NVT ERP - but you have the option to "Allow" in the ERP alert while running it in Alert mode. In ERP Locked Down mode, the same procedure as for AppGuard will be required.

I am of the opinion that these sorts of security software combinations are nothing but a needless usability hassle created by the user. How much of hassle it will be depends - mostly - upon how often the user introduces executable files to their system. If the system is essentially static, software kept up-to-date, then CFW and AppGuard will rarely block anything - if ever - since there is nothing that has been introduced by the user to the system that needs to be blocked. If the user constantly changes the system - continually introducing executable files to it - then that user will quickly tire of a CFW - AppGuard combo. Like nearly all things IT, the most influential variable is user computing habits. The user makes it much more complicated than what is required to sensibly protect the system. It makes a big difference in the overall usability index.

In CFW you can configure it to be complete default-deny (blocking both file execution & network access) if you so wish. If you configure it this way, then you might have to create some Allow exclusions - and that will depend upon what is installed on your system and whether or not all the safe\legitimate files are known to COMODO. If you configure CFW for absolute-blocking then, once again, AppGuard is pointless.

Between AppGuard and COMODO Firewall, you would be better off choosing one product or the other - and learning to use that product knowledgeably.

Thanks Then I guess I'll just stick with CFW and Windows 10 Defender.... That's about as light as I can get.