Advice Request: Malwarebytes root certificate?


n8chavez

Level 16
Well-known
Feb 26, 2021
785
Hello,

Does MB use a root certificate to monitor and scan traffic in its Web protection components? In other words, does MB do man-in-the-middle to intercept traffic?

Yes it does, if you have web protection enabled. If not, then no, it does not. But it needs that in order to scan encrypted traffic. What do you mean by "do" MitM attacks? Can it detect them? Yes, it can. How well is a different conversation.
 

Mystic

Level 4
Thread author
Verified
Aug 25, 2022
141
Yes it does, if you have web protection enabled. If not, then no, it does not. But it needs that in order to scan encrypted traffic. What do you mean by "do" MitM attacks? Can it detect them? Yes, it can. How well is a different conversation.
Now most major security vendors use a root certificate to scan encrypted connections, and that can decrease security, as they break encryption. It is sad to know that MB, too, does the same.

What I mean by MitM is that the way those security vendors scan encrypted traffic is by carrying out this kind of attack against it.

Do you know any vendors who do not install root certificates?
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
Hello,

Does MB use a root certificate to monitor and scan traffic in its Web protection components? In other words, does MB do man-in-the-middle to intercept traffic?

No, it doesn't; it protects the system by intercepting DNS queries, it doesn't break SSL like other solutions do.

More info here:
 

Mystic

Level 4
Thread author
Verified
Aug 25, 2022
141
No, it doesn't; it protects the system by intercepting DNS queries, it doesn't break SSL like other solutions do.

More info here:
So it seems that I have got things mixed up. According to this link, MB installs a root certificate and I thought that was for Web protection.
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
I installed Malwarebytes Premium 4 to check, and it seems it actually installs a certificate (image below), but it seems to be different from what some security solutions like Kaspersky do.

[image: screenshot of the certificate installed by Malwarebytes]

Gonna check with Pbust to see how it interferes with SSL/TLS.


I use Malwarebytes and the web filter functionality puzzles me. As far as my research has found, antivirus engines typically use a proxy to intercept web requests, which typically leaves evidence in the certificate used to encrypt the connection (i.e. the issuer certificate); Malwarebytes, however, is able to intercept web requests and doesn't show a custom certificate.

This has me confused because my research so far has shown:

  1. You have to use your own CA and certificates in order to decrypt the web traffic
  2. You have to add it to your system's and browser's certificate trust stores
Malwarebytes, however, doesn't appear to do any of the things above and is still able to intercept both SSL and non-SSL traffic. It intercepts traffic from every program.

I am mainly wondering how they do this? Presumably they use Windows Filtering Platform in order to do this, but in what way do they use it? I'd imagine there has to be some sort of configuration change, or something of the like in order to do this?

I wasn't sure whether or not to ask this on StackOverflow since it is to do with specific software and how it works, rather than specifically with coding.


 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
I installed Malwarebytes Premium 4 to check, and it seems it actually installs a certificate (image below), but it seems to be different from what some security solutions like Kaspersky do.

[image: screenshot of the certificate installed by Malwarebytes]

Gonna check with Pbust to see how it interferes with SSL/TLS.

Can you try this? Make sure Kaspersky's HTTPS scanning is off (since it seems you have it installed) and the Malwarebytes web shield is on.
Now open a browser like Edge/Firefox. Open Process Explorer, right-click on the main browser process, e.g. firefox.exe (not the other child processes), then go to Properties, click on Environment and check if you see anything like "SSLKEYLOGFILE".
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
Can you try this? Make sure Kaspersky's HTTPS scanning is off (since it seems you have it installed) and the Malwarebytes web shield is on.
Now open a browser like Edge/Firefox. Open Process Explorer, right-click on the main browser process, e.g. firefox.exe (not the other child processes), then go to Properties, click on Environment and check if you see anything like "SSLKEYLOGFILE".

I tried Malwarebytes with F-Secure installed and there is no "SSLKEYLOGFILE".

[image: Process Explorer screenshot of the browser process environment]
 
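The thread argues from two observations: Nightwalker's screenshot of a certificate that Malwarebytes placed in the Windows store, and SeriousHoax's suggestion to look for SSLKEYLOGFILE in the browser's environment. Neither one settles the question on its own. A root in the store is only evidence of interception if it actually appears at the top of the chain that a TLS client on that machine sees; a product doing DNS or WFP-level filtering never needs to be there. The script below is an added example written for this thread, not Malwarebytes' code and not from any post above. It lists roots that were added locally rather than delivered by Microsoft's root program, performs a real TLS handshake and records the chain the client saw, then checks whether that chain ends at one of the locally added roots. A third check reads SSLKEYLOGFILE at machine and user scope, which is where a product would have to set it to reach browsers it did not launch. It assumes Windows PowerShell 5.1 or newer in an elevated session; `$HostName` is a placeholder to replace with a site you normally visit.

```powershell
# Added example for this thread (not Malwarebytes' code, not from any post above).
# Checks: (1) which trusted roots were added locally rather than by Microsoft's root
# program, (2) which root actually terminates a live TLS handshake from this host,
# (3) whether SSLKEYLOGFILE is set persistently. Assumptions: Windows PowerShell 5.1
# or newer, elevated; $HostName is a placeholder.

param(
    [string]$HostName = 'www.example.com'   # placeholder, replace with a site you browse
)

# 1. Roots in the Root store that did not arrive through the automatic root update
#    (AuthRoot) and are not Microsoft's own: a person or a product put them there.
#    A few legacy roots that Windows ships in Root (old VeriSign/Thawte/Baltimore
#    entries) will also show up; judge those by Subject and NotBefore.
function Get-LocallyAddedRoots {
    $authRoot = Get-ChildItem Cert:\LocalMachine\AuthRoot | ForEach-Object { $_.Thumbprint }
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem $store |
            Where-Object { ($authRoot -notcontains $_.Thumbprint) -and ($_.Subject -notmatch 'Microsoft') } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    NotBefore  = $_.NotBefore   # a recent date points at a freshly installed product
                    Thumbprint = $_.Thumbprint
                }
            }
    }
}

# 2. Real TLS handshake; copy the chain the client saw. The callback returns $true
#    only so an intercepted chain can be observed; never accept everything in real code.
function Get-ObservedTlsChain {
    param([string]$Name, [int]$Port = 443)
    $script:observed = @()
    $onValidate = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $x509chain, $errors)
        # Copy to plain strings: the X509Chain is disposed once the callback returns.
        $script:observed = @($x509chain.ChainElements | ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Certificate.Subject
                Issuer     = $_.Certificate.Issuer
                Thumbprint = $_.Certificate.Thumbprint
            }
        })
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $onValidate)
    try     { $ssl.AuthenticateAsClient($Name) }
    finally { $ssl.Dispose(); $tcp.Dispose() }
    return $script:observed
}

# 3. A product that wants plaintext without re-signing certificates can instead point
#    NSS/BoringSSL-based browsers at a key log file. Per-process values need Process
#    Explorer; this reads the persistent scopes a product would normally set.
function Get-SslKeyLogSetting {
    foreach ($scope in 'Machine', 'User') {
        $value = [Environment]::GetEnvironmentVariable('SSLKEYLOGFILE', $scope)
        if ($value) { [pscustomobject]@{ Scope = $scope; SSLKEYLOGFILE = $value } }
    }
}

$localRoots = @(Get-LocallyAddedRoots)
'Locally added roots:'
$localRoots | Format-Table -AutoSize

$chain = @(Get-ObservedTlsChain -Name $HostName)
"Chain observed for ${HostName}:"
$chain | Format-Table -AutoSize

$root = $chain[-1]   # last element is the trust anchor the client used
if ($localRoots.Thumbprint -contains $root.Thumbprint) {
    "TLS to $HostName terminates at a locally added root ($($root.Subject)): something on this host is decrypting TLS."
} else {
    "TLS to $HostName chains to a public root ($($root.Subject)): no certificate-based interception on this connection."
}

'SSLKEYLOGFILE at machine/user scope:'
Get-SslKeyLogSetting
```

Two caveats when reading the output. The handshake is made with SChannel, so it reflects what Edge and most Windows programs see; Firefox keeps its own NSS trust store and only honours Windows-store roots when `security.enterprise_roots.enabled` is on, which is why a product that interposes on Firefox without also provisioning that store would produce certificate warnings rather than silent interception. And a locally added root that never appears in an observed chain is not proof of interception by itself; it tells you the product can be trusted by the system for something, not that it is re-signing your traffic.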
