App Review Malwarebytes and HitmanPro vs some Worms


cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,147
Second opinion scanners are an important part of a Home user's security setup; among the best of the best are Malwarebytes, Hitman Pro and Emsisoft Emergency Kit.

Although these products are indeed very good, in a video released some months ago I questioned their efficacy in malware infections caused by Scriptors such as Worms. Since then Emsisoft (earlier this month, actually) indicated that they would make their new products more effective in this area.

That being the case I thought I would revisit the topic and concentrate instead on both MB and HMP. Note that in this video:

1). The system was pre-infected by discrete worm samples.

2). None of the worms were anywhere near being zero-day; all have been in the wild for a few months.

3). No Worms were harmed in the making of this Video.

SloppyMcFloppy

Level 13
Verified
Sep 12, 2015
617
So disappointed in both, and I thought HitmanPro could do way better than Malwarebytes because it uses BitDefender and Kaspersky signatures. But it turns out both score below 2, which leaves users very vulnerable to blackhats, and they could fix this by just adding them to the signature database. Thanks for the video.

Update: I submitted this video to the Malwarebytes Community forum and this is what one of the Malwarebytes moderators said.

daledoc1, Malwarebytes moderator, wrote this:
"Until a Malwarebytes staff member or other forum expert has a chance to reply, no one security application can possibly target 100% of all known malware.
MBAM specifically does not target "historical" malware.
In fact, as explained here in the Research Center, malware samples older than 3 months are not targeted:
Quote
Disclaimer: We apologize, but we will not be adding corrupted files, archived/collections (Old sample(s) 3months + since file creation) or file infectors. Secondly, we will not add key generators, hacking tools, Joke applications, Casino applications or game cheats unless they contain malicious trojan code.
Such malware falls under the purview of the anti-virus/internet security programs, with their much larger databases.
I'm sure our more expert forum members and staff will have some additional feedback.
Thanks for reporting, "

Malwarebytes fail to detect and remove 12 worms. - Malwarebytes Anti-Malware - Malwarebytes Forum

daledoc1

New Member
Oct 31, 2015
5
So disappointed in both, and I thought HitmanPro could do way better than Malwarebytes because it uses BitDefender and Kaspersky signatures. But it turns out both score below 2, which leaves users very vulnerable to blackhats, and they could fix this by just adding them to the signature database. Thanks for the video.

Update: I submitted this video to the Malwarebytes Community forum and this is what one of the Malwarebytes moderators said.

daledoc1, Malwarebytes moderator, wrote this:
"Until a Malwarebytes staff member or other forum expert has a chance to reply, no one security application can possibly target 100% of all known malware.
MBAM specifically does not target "historical" malware.
In fact, as explained here in the Research Center, malware samples older than 3 months are not targeted:
Quote
Disclaimer: We apologize, but we will not be adding corrupted files, archived/collections (Old sample(s) 3months + since file creation) or file infectors. Secondly, we will not add key generators, hacking tools, Joke applications, Casino applications or game cheats unless they contain malicious trojan code.
Such malware falls under the purview of the anti-virus/internet security programs, with their much larger databases.
I'm sure our more expert forum members and staff will have some additional feedback.
Thanks for reporting, "

Malwarebytes fail to detect and remove 12 worms. - Malwarebytes Anti-Malware - Malwarebytes Forum

Hi:

Just to clarify: :)

As my signature block at MBAM forum clearly states, I am neither a Malwarebytes employee nor a forum Moderator.
I am just a home user and a forum volunteer.
The forum experts and staff members may have additional information on this subject.
Please be patient waiting for staff replies, as it is the weekend.:)

Also,

">>Having said that, if you have samples of possible malware for possible inclusion in the MBAM database, please read the sticky topics here and here, and then please post the requested information in the Research Center here."

Thanks very much,
daledoc1

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
For the statement from MBAM, it is highly acceptable that it focuses on the latest comprehensive threats, which is why their criteria are so strict but practical, besides detecting what the majority of AVs miss.

It may happen with HerdProtect that the possibility of detecting those Scriptors is very low too; the truth is that AV techniques are so obsolete that BB/HIPS rely much more on prevention.
 

NZRADAR

Level 3
Verified
Well-known
Aug 8, 2013
145
Hi there cruelsister, thanks for all your great and revealing work. I know you like Comodo Firewall with your settings. However, I am just wondering, with all your tests, if you are seeing the desired responses, improvements and admissions by AV/security companies of the need for a determined effort to address VBS scriptors and their families. I see Emsisoft recently tackling them head on, which is great. Do you have any impression of any other companies that are taking a second look at their products' protection in this area, or conversely companies that seem to just put it in the too-hard basket and palm it off to others to fill the gap? Your thoughts are appreciated. :) Also, maybe it's not optimal to mention names ("not sure about that though"), but how do you see things trending in this investigative work you are doing?
 

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,147
Radar- Generally speaking, some companies have made changes shortly after a video was posted. Sandboxie was one that closed a hole that was demonstrated within 36 hours; Shade did virtually the same thing within 24. A certain anti-ransomware application that I did a couple of hatchet-jobs on made some changes (like putting out new builds and changing the advertisement on their webpage), but eventually made what was a paid application free and now seems to have ceased development of it. I'd like to think that the Emsisoft announcement (which is the only one so far that is Scriptor specific) was a reaction to my video of a few months ago that showed EEK also lacking, but that may be going too far.

I really feel that the lack of effectiveness of a given product in detecting Scriptors is tied to their reticence to be viewed as a False Positive factory. Things like VB scripts are used routinely and legitimately all the time, and trying to distinguish between legitimate and malicious is sometimes difficult- but as Emsisoft is telling us, not impossible by any stretch.

User- Thanks for spreading the word on the forums!

Doc- As I stated, although the samples aren't zero-day they aren't that old either; and I believe MB has made improvements in keeping definitions in their database for a longer period (used to be about 2 years if memory serves). But this quote is disturbing:

Such malware falls under the purview of the anti-virus/internet security programs

If that is indeed the case (and I suspected a response like this which is why the video starts out with the MB webpage) they should change advertising to reflect this.

And finally to Rajat- Power Eraser is of absolutely no value for Scriptors (trust me).
 

daledoc1

New Member
Oct 31, 2015
5
Doc- As I stated, although the samples aren't zero-day they aren't that old either; and I believe MB has made improvements in keeping definitions in their database for a longer period (used to be about 2 years if memory serves). But this quote is disturbing:

If that is indeed the case (and I suspected a response like this which is why the video starts out with the MB webpage) they should change advertising to reflect this.

Hi: :)

MBAM is specifically designed to provide layered, complementary protection against specific types of zero-hour and zero-day threats often missed by AV and IS security programs. It does not replace or substitute for such applications, as explained here.

Having said that, I am neither authorized nor qualified to address concerns about which malware samples need to be included in the database.
That is a determination only Malwarebytes Staff Members (the Research Team) can make.:(

If you have samples of possible malware for possible inclusion in the MBAM database, I suggest that you might want to please read the sticky topics here and here, and then please post the requested information in the Research Center here.

The Research Team will welcome the submissions and will gladly analyze them to determine their suitability for inclusion in the malware database.

Thank you,

daledoc1
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Very interesting review and thanks again cruelsister. :) Some of the points made are also some of the reasons why I personally have neither of those 2 products installed and also don't use them. That being said, it doesn't mean I never used them, but nowadays I rather use other tools, settings and setups that in the end are better anyway.

I do hope that Emsisoft will include their script protection in upcoming versions of their EEK.
 

SloppyMcFloppy

Level 13
Verified
Sep 12, 2015
617
Radar- Generally speaking, some companies have made changes shortly after a video was posted. Sandboxie was one that closed a hole that was demonstrated within 36 hours; Shade did virtually the same thing within 24. A certain anti-ransomware application that I did a couple of hatchet-jobs on made some changes (like putting out new builds and changing the advertisement on their webpage), but eventually made what was a paid application free and now seems to have ceased development of it. I'd like to think that the Emsisoft announcement (which is the only one so far that is Scriptor specific) was a reaction to my video of a few months ago that showed EEK also lacking, but that may be going too far.

I really feel that the lack of effectiveness of a given product in detecting Scriptors is tied to their reticence to be viewed as a False Positive factory. Things like VB scripts are used routinely and legitimately all the time, and trying to distinguish between legitimate and malicious is sometimes difficult- but as Emsisoft is telling us, not impossible by any stretch.

User- Thanks for spreading the word on the forums!

Doc- As I stated, although the samples aren't zero-day they aren't that old either; and I believe MB has made improvements in keeping definitions in their database for a longer period (used to be about 2 years if memory serves). But this quote is disturbing:

If that is indeed the case (and I suspected a response like this which is why the video starts out with the MB webpage) they should change advertising to reflect this.

And finally to Rajat- Power Eraser is of absolutely no value for Scriptors (trust me).

Thanks @cruelsister, and I didn't type this: "Such malware falls under the purview of the anti-virus/internet security programs". What in the world is going on?

cruelsister

Level 42
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,147
Jade- Thank you for bringing up Qihoo- it is actually excellent against scriptors but does have a high FP rate because of this (if I used a traditional AV I would prefer a FP over a persistent malware infection, but that's just me). As far as the other product you mention, I will never refer to it, fair or foul.
 

hjlbx

So disappointed in both, and I thought HitmanPro could do way better than Malwarebytes because it uses BitDefender and Kaspersky signatures.

Current antivirus sorely lacking malicious script protections - except for Comodo, Kaspersky and Emsisoft. ESET HIPS should do it as well, but I have not tested it. The others I have tested.

Cannot rely upon signature detection of Evil.Script(s); need sandbox and/or controlled monitoring and use of interpreters (anti-executable of vulnerable processes).

Both Kaspersky Internet Security and Comodo Internet Security/Firewall HIPS (not AV engine) will block unknown scripts by default. Emsisoft will block a script if it triggers the Behavior Blocker.

In my testing, Comodo was decisively better than all other solutions against Evil.Scripts.
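The post above argues that script worms have to be caught by watching how the interpreters (wscript.exe, cscript.exe and friends) are used rather than by file signatures. The following is an added example, not code from this thread or from any of the products discussed: a small checker that reads process-creation events in a hypothetical, constructed log format (timestamp, parent image, image, command line) and flags the patterns a VBS or AutoRun worm leaves behind: a script host launched on a script sitting at the root of a non-system drive or in a user-writable folder, a hidden interpreter window, or a script host re-spawned by another script host. The log lines, the paths and the rules are all constructed for illustration and generalise the thread's single case to several launch patterns.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Windows interpreters under which script worms typically run.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# A Windows path (no spaces, to keep the constructed logs simple) ending in a script extension.
SCRIPT_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]*?\.(?:vbs|vbe|js|jse|wsf|hta|ps1)\b', re.IGNORECASE)
# Switches that hide the interpreter window: wscript/cscript //B, powershell -WindowStyle Hidden.
HIDDEN_RE = re.compile(r"(?:^|\s)//b(?:\s|$)|-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
# Locations a worm can write to without elevation (constructed list, not exhaustive).
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\|\\users\\public\\", re.IGNORECASE)
SYSTEM_DRIVE = "c:"

# Hypothetical log format: <timestamp> parent="<path>" image="<path>" cmd="<command line>"
LOG_RE = re.compile(r'^(?P<ts>\S+) parent="(?P<parent>[^"]*)" image="(?P<image>[^"]*)" cmd="(?P<cmd>[^"]*)"$')

# Constructed sample events: an AutoRun-style launch from a USB drive root, a re-launch from
# AppData, a legitimate admin script, and an unrelated process.
LOG_LINES = """\
2015-11-01T10:00:01 parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\wscript.exe" cmd="wscript.exe //B E:\\Photos.vbs"
2015-11-01T10:00:02 parent="C:\\Windows\\System32\\wscript.exe" image="C:\\Windows\\System32\\wscript.exe" cmd="wscript.exe C:\\Users\\alice\\AppData\\Roaming\\Photos.vbs"
2015-11-01T10:00:03 parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\cscript.exe" cmd="cscript.exe C:\\Scripts\\inventory.vbs"
2015-11-01T10:00:04 parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\notepad.exe" cmd="notepad.exe C:\\Users\\alice\\notes.txt"
"""


@dataclass
class Finding:
    ts: str
    image: str
    script: str
    reasons: List[str]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def path_reasons(script: str) -> List[str]:
    """Reasons a script's location looks like worm staging rather than admin tooling."""
    reasons = []
    low = script.lower()
    drive, _, rest = low.partition("\\")
    if drive != SYSTEM_DRIVE and "\\" not in rest:
        reasons.append("script at the root of a non-system drive (AutoRun-style)")
    if USER_WRITABLE_RE.search(low):
        reasons.append("script in a user-writable location")
    return reasons


def analyze(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per suspicious script-host launch in the log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or basename(m["image"]) not in SCRIPT_HOSTS:
            continue  # malformed line or not a script interpreter
        cmd = m["cmd"]
        for script in SCRIPT_PATH_RE.findall(cmd):
            reasons = path_reasons(script)
            if HIDDEN_RE.search(cmd):
                reasons.append("interpreter window hidden")
            if basename(m["parent"]) in SCRIPT_HOSTS:
                reasons.append("spawned by another script host (re-launch/persistence pattern)")
            if reasons:
                findings.append(Finding(m["ts"], m["image"], script, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(LOG_LINES.splitlines()):
        print(f"{f.ts} {basename(f.image)} {f.script}: " + "; ".join(f.reasons))
```

Run as-is it reports only the first two events: the USB-root launch with a hidden window and the AppData re-launch by wscript.exe. The admin script under C:\Scripts produces no finding, which is the point the thread makes about false positives: the rules key on where and how a script is run, not on the mere presence of a .vbs file.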
 

daledoc1

New Member
Oct 31, 2015
5
Current antivirus sorely lacking malicious script protections...<snip>

And MBAM -- which is not an antivirus -- does not target scripted malware, as explained here.
This may well explain why MBAM did not detect the files in the video demo.

Malwarebytes Anti-Exploit (MBAE) Free does protect browsers, browser plug-ins (and Java) from scripted malware; the Premium version can also be customized to shield most other internet-facing applications.
(There may be other, similar software applications that do so, as well. MBAE is mentioned only as an example.)

Thank you,
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
And MBAM -- which is not an antivirus -- does not target scripted malware, as explained here.
This may well explain why MBAM did not detect the files in the video demo.

Malwarebytes Anti-Exploit (MBAE) Free does protect browsers, browser plug-ins (and Java) from scripted malware; the Premium version can also be customized to shield most other internet-facing applications.
(There may be other, similar software applications that do so, as well. MBAE is mentioned only as an example.)

Thank you,

https://support.malwarebytes.org/cu...malware-replace-antivirus-software-?b_id=6438

Odd behavior to actually advertise about something that a product does Not protect against.
 

daledoc1

New Member
Oct 31, 2015
5
Hi, @upnorth:

I'm not a malware expert.
I don't work for Malwarebytes (or their marketing department).
I don't craft their resource materials.

So, I am neither qualified nor authorized to debate matters.
Nor do I care to do so.

I will however point to THIS REPLY to the related post over at the MBAM forum, by a qualified, experienced malware expert.
He pointed out:
The "worms" were not defined, either by family, type or how they exist (manifest) on a computer.

Worms are a kind of virus that autonomously spread ( self replicate ) via high level functionality or protocols.

An Internet worm spreads by using network protocols such as SMTP and NNTP.
An AutoRun worm spreads by using the AutoRun/AutoPlay facility associated with Read/Write media such as Flash Drives. <snip>

I guess it will be frustrating for all involved to debate the finer points of wording in Malwarebytes marketing or other materials, as well as the semantics.:(
The video test in this thread -- as I understand it from the replies here and elsewhere -- provides insufficient information to make firm conclusions about the specimens that were tested and the conditions of the test.

It's always the user's choice which security software applications to install and run on one's systems.
And I don't have any vested interest in either defending or bashing MBAM.

But to "test" MBAM (or any other security product) against a type of malware it specifically does not target will result in a predictable outcome.

Cheers,

P.S. There is a "Comments and Suggestions" section of the MBAM forum here reserved for feedback about the product, the forum or other company materials and products. The staff members responsible for writing the KB articles, marketing blurbs and other content would be more likely to see and respond to your helpful feedback there, rather than here. <just saying>:)
 
