Advice Request Malwarebyte root certificate?

Hello,

Does MB use root certificate to monitor and scan traffic in its Web protection components? In other words, does MB do man-in-the-middle to intercept traffic?

Yes it does, if you have web protection enabled. If not, then no, it does not. But it needs that in order to scan encrypted traffic. What do you mean by "do" MitM attacks? Can it detect them? Yes, it can. How well is a different conversation.
 
Now most major security vendors use a root certificate to scan encrypted connections, and that can decrease security as they break encryption. It is sad to know that MB, too, does the same.

What I mean by MitM is that the way those security vendors scan the encrypted traffic is that they do this kind of attack to scan the traffic.

Do you know any vendors who do not install root certificates?

No, it doesn't; it protects the system by intercepting DNS queries. It doesn't break SSL like other solutions.

More info here:

So it seems that I have got things mixed up. According to this link, MB installs a root certificate and I thought that was for Web protection.
 
I installed Malwarebytes Premium 4 to check and it seems it actually installs a certificate (image below), but it seems to be different from what some security solutions do like Kaspersky.

Gonna check with Pbust to see how it interferes with SSL/TLS.


I use Malwarebytes and the web filter functionality puzzles me. As far as my research has found, antivirus engines typically use a proxy to intercept web requests, which typically leaves evidence in the certificate used to encrypt the connection (i.e. the issuer certificate); however, Malwarebytes is able to intercept web requests and doesn't show a custom certificate.

This has me confused because my research so far has shown:

  1. You have to use your own CA and certificates in order to decrypt the web traffic
  2. You have to add it to your system and browser's trust stores for certificates
Malwarebytes, however, doesn't appear to do any of the things above and is still able to intercept both SSL and non-SSL traffic. It intercepts traffic from every program.

I am mainly wondering how they do this. Presumably they use the Windows Filtering Platform in order to do this, but in what way do they use it? I'd imagine there has to be some sort of configuration change, or something of the like, in order to do this?

I wasn't sure whether or not to ask this on StackOverflow since it is to do with specific software and how it works, rather than specifically with coding.


Can you try this? Make sure Kaspersky's HTTPS scanning is off (since it seems you have it installed) and Malwarebytes web shield is on.
Now open a browser like Edge/Firefox. Open Process Explorer, right-click on the main browser process, e.g. firefox.exe (not the other child processes), then go to Properties, click on Environment and check if you see anything like "SSLKEYLOGFILE".

I tried Malwarebytes with F-Secure installed and there is no "SSLKEYLOGFILE".

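The two checks this thread walks through, written up as an added example (not code from the thread, from Malwarebytes or from any vendor named here): comparing the issuer of the certificate a TLS handshake actually presents against the issuer recorded on a machine with no security product installed (the point about evidence in the issuer certificate), and looking for SSLKEYLOGFILE in the environment of browser processes (the Process Explorer check). It assumes psutil is installed, that the browser process names listed are the ones of interest, and that `expected_issuers` was recorded from a reference machine.

```python
"""Added example: two local checks for TLS interception on a Windows host."""
import socket
import ssl
from typing import Iterable, List, Optional, Tuple

# Assumption: the browser executables worth inspecting for a key-log variable.
BROWSERS = {"firefox.exe", "msedge.exe", "chrome.exe"}


def issuer_cn(cert: dict) -> Optional[str]:
    """Return the issuer commonName from an ssl.getpeercert() dictionary."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def looks_intercepted(cert: dict, expected_issuers: Iterable[str]) -> bool:
    """True when the presented leaf was not issued by the public CA recorded
    on a reference machine, i.e. something local re-signed the certificate."""
    cn = issuer_cn(cert)
    return cn is None or cn not in set(expected_issuers)


def served_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate a real TLS handshake to host presents.
    The default context trusts the system store, so a vendor root installed
    there will validate; that is why the issuer is compared, not the verdict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def keylog_processes(env_var: str = "SSLKEYLOGFILE") -> List[Tuple[int, str, str]]:
    """Return (pid, name, value) for browser processes whose environment
    carries env_var; a set value means the browser is writing session keys."""
    import psutil  # imported here so the offline functions work without it
    hits = []
    for proc in psutil.process_iter(["pid", "name"]):
        if proc.info["name"] not in BROWSERS:
            continue
        try:
            env = proc.environ()
        except (psutil.AccessDenied, psutil.NoSuchProcess):
            continue
        if env_var in env:
            hits.append((proc.info["pid"], proc.info["name"], env[env_var]))
    return hits
```

Run `served_cert()` against the same host from the reference machine and from the protected one; a differing issuer CN is the "custom certificate" evidence discussed above, and an empty `keylog_processes()` result matches what the last post reports.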