Source:
Code:
https://www.reddit.com/r/antivirus/comments/1s6o3ip/malwarebytes_proving_to_be_a_disappointment/
Last edited by a moderator:
Malwarebytes proving to be a disappointment
- Thread starter Khushal
- Start date
- Status
Source:
Mhh anyone who tells you that the best antivirus is common sense, should be told that common sense tells that scripts should be blocked in user folders and lolbins should be blocked for standard user (in other words use SWH) besides your antivirus (being Avast Free of MBAM paid). I really don't see a use case for allowing these Microsoft business use misfits to run in home user setting.
I don't know if its me or not but there don't seem to be any content????
I would call it "common knowledge".
I do not particularly like Malwarebytes, but not sure what the author of the article is trying to say? AV failed to detect 1 virus, listed on github, so even missed by MS.
It tries to use PowerShell, easily blocked by policies or restrictions.
It tries to use DNS via UDP port 53 hosted on Cloudflare, again basic DNS security. Plus the link is blocked via malware filters or DNS.
Sure, AV failed to block it, but is like antibiotics, it should be used as the last resort. Malwarebytes is not exactly the best AV in behavioral detection, so it is to be expected.
P.S. I am glad, that System Informer still is not well known and that the name matters, if you would rename process monitor as cookie.exe, it would be undetected.
It uses fodhelper and sdclt as lolbins, time to add them to my collection.
It tries to use PowerShell, easily blocked by policies or restrictions.
It tries to use DNS via UDP port 53 hosted on Cloudflare, again basic DNS security. Plus the link is blocked via malware filters or DNS.
Sure, AV failed to block it, but is like antibiotics, it should be used as the last resort. Malwarebytes is not exactly the best AV in behavioral detection, so it is to be expected.
P.S. I am glad, that System Informer still is not well known and that the name matters, if you would rename process monitor as cookie.exe, it would be undetected.
Code:
badProcesses = [
'vmtoolsd.exe', 'vmwaretray.exe', 'vmwareuser.exe', 'vboxservice.exe', 'vboxtray.exe',
'wireshark.exe', 'fiddler.exe', 'procmon.exe', 'procexp.exe',
'x64dbg.exe', 'x32dbg.exe', 'ida.exe', 'ida64.exe', 'ollydbg.exe', 'windbg.exe',
'joeboxserver.exe', 'cuckoomon.exe'Scripts are tricky and most AVs do not detect pre-execution based on signature.
Either blocked on-execution by SRP/CLM or post-execution by behavioral analysis/firewall.
The success depends on how fast the behavioral analysis will react.
Either blocked on-execution by SRP/CLM or post-execution by behavioral analysis/firewall.
The success depends on how fast the behavioral analysis will react.
- Apr 28, 2015
- 9,457
- 1
- 85,294
- 8,389
Payload chances of being detected is higher, but not the script downloading the payload.
- Status
You may also like...
-
Do These 7 Things If You Got Fooled by the YouTube Ghost Network- Started by lokamoka820
- Replies: 0
-
-
Proton Pass response to unencrypted data in main memory
- Started by Ink
- Replies: 2
-
Amazon's charity donation program, AmazonSmile to be shut down
- Started by Ink
- Replies: 1