App Review Malwarebytes Endpoint Detection and Response (EDR) - Test and Review

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Content created by
RoxasDev

RoxasDev

Level 1
Thread author
Jul 1, 2017
18
Hello,

Today, a full test and review of Malwarebytes EDR.

Information: Sorry for bad English.

Test performed on: 05/01/2023

The company Malwarebytes offers us an EDR version of its flagship product, which is equipped with several layers of protection including AI machine learning, protection against RDP brute force for the Windows Server edition, a very reputable Anti-Exploit and an Anti-Ransomware layer with Rollback to restore encrypted files.

Installing the Malwarebytes agent is done very simply by downloading a small MSI installer; once installed, Malwarebytes EDR disables Microsoft Defender and takes over as the primary protection for the system.

In the Nebula console of Malwarebytes I made a policy where I configured Malwarebytes for maximum security.

The Nebula console interface is only available in English at the moment, but the interface is clean and clear.

Malwarebytes also offers a Sandboxing Analysis service in the console, which lets you manually send an unknown file to a Malwarebytes sandbox to analyze its behavior and learn whether it is malicious or not, a very good point for it.

On malicious links Malwarebytes is extremely effective: all is blocked.

On malicious PDF files, on malware packs that will contact malicious links, it's the same: all is blocked!

On older malware packs Malwarebytes is also very efficient and cleans the pack almost completely.

On the 0day malware pack, however, one piece of malware gets through and injects all the Windows executables of the machine.

We may note that, despite the machine being infected, the malware connection requests are blocked by the Malwarebytes web agent.

Note that the EDR version and the consumer version of Malwarebytes are different and do not have the same detection technologies!

Performance: Malwarebytes EDR consumes a little too much RAM and CPU. During analysis we see peaks of 100% CPU and 1 GB of RAM consumed by the Malwarebytes service! A small optimization would be welcome for this EDR version.

Verdict and conclusion: Too bad for Malwarebytes EDR: even if the malware requests are blocked, the machine is still well and truly infected and must unfortunately go through disinfection. But Malwarebytes EDR remains a very effective security product and is even highly recommended for companies! We encourage Malwarebytes to improve the disinfection process and the AI machine learning technology to make the product even better!
 
Last edited by a moderator:

likeastar20

Level 8
Verified
Mar 24, 2016
373
Can you post a picture of the sandbox in action? Here's what the sandbox of Bitdefender GravityZone looks like.

Edit 1: nvm, found it
 


ForgottenSeer 97327

Malwarebytes staff also said when Malwarebytes 5.0 gets released to the public it will be equipped with different detection technologies. Glad to see them improving.
That is why I like Code Integrity Guard (CIG) of Windows Defender Exploit Protection. I don't have the link to the article anymore, but when EMET came out, there was a thread on a sysadmin website where admins added EMET to medium level integrity Windows (7) processes and shared information. I reckoned I could do the same for CIG for all Windows processes running with medium level integrity rights (taskhost, svchost, explorer, etc.) and my Windows 10 Pro runs and updates without problems.

When you use a third-party AV, most AVs inject their DLLs into programs (for behavioral monitoring), so using CIG is impossible. When I run Kaspersky Free or Bitdefender Free I don't have this problem (CIG can be used as extra protection). With the MBAM consumer version I can disable MBAE for Office and Edge, so it is also possible to use CIG for Microsoft programs and services. Deselecting MBAE protection also stops injecting the MBAE DLL into those processes, which makes it possible to add another layer of protection.

This test (thanks @RoxasDev) confirmed that adding those extra settings to harden important system and easily attacked (medium IL) processes is well worth the effort. When I can't use CIG (e.g. on my wife's laptop running Avast Free) I always enable "disable extension points" for critical Windows processes (and all Microsoft application programs).



Note: Disabling the option to inject a DLL into all programs using AppInit is also possible with GPO.
 
Last edited by a moderator:
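
One way to check and apply the two Exploit Protection settings discussed in the post above, as an added example that is not part of the thread. The target list and the `-Apply` switch are assumptions of this example; it reports which already-loaded modules are not Microsoft-signed (and would therefore conflict with CIG) before changing anything.

```powershell
# Added example (not from the thread). Run elevated on Windows 10 or later.
# $Targets is an assumed sample list; adjust it to the processes you harden.
param(
    [string[]]$Targets = @('explorer.exe', 'taskhostw.exe'),
    [switch]$Apply   # without -Apply the script only reports
)

foreach ($exe in $Targets) {
    # Current per-program Exploit Protection settings (ON / OFF / NOTSET).
    $m   = Get-ProcessMitigation -Name $exe | Select-Object -First 1
    $cig = if ($m) { [string]$m.BinarySignature.MicrosoftSignedOnly } else { 'NOTSET' }
    $ext = if ($m) { [string]$m.ExtensionPoint.DisableExtensionPoints } else { 'NOTSET' }

    # Modules already loaded in running instances that are not Microsoft-signed.
    # CIG would refuse these, e.g. a DLL injected by a third-party AV.
    $base    = [IO.Path]::GetFileNameWithoutExtension($exe)
    $foreign = @(Get-Process -Name $base -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Modules } |
        Select-Object -ExpandProperty FileName -Unique |
        Where-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_
            $sig.Status -ne 'Valid' -or
            $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation'
        })

    [pscustomobject]@{
        Process                = $exe
        CodeIntegrityGuard     = $cig
        DisableExtensionPoints = $ext
        NonMicrosoftModules    = $foreign.Count
    }
    $foreign | ForEach-Object { Write-Warning "$exe loads $_" }

    if ($Apply) {
        # Extension point disable is the fallback when CIG cannot be used.
        $enable = @('DisableExtensionPoints')
        if ($foreign.Count -eq 0) { $enable += 'MicrosoftSignedOnly' }
        Set-ProcessMitigation -Name $exe -Enable $enable
    }
}

# AppInit_DLLs state: LoadAppInit_DLLs = 0 means the mechanism is off.
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' |
    Select-Object LoadAppInit_DLLs, AppInit_DLLs
```

Per-program mitigation changes take effect the next time the target process starts.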

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
I don't have an ssl certificate yet.
I am waiting to have the necessary resources to buy an SSL certificate.

And there are more 100% free options.
 
