pbust
Staff
Content Count: 3,368

Posts posted by pbust


  1. VB Scripting has been decommissioned by Microsoft some time ago due to the insecurities it introduces.

    In fact during all of 2016 Exploit Kits were heavily abusing outdated computers with VBScript in order to exploit machines and execute code remotely on them. It is advisable that you do not use any products or applications that rely on VBScript.

    Alternatively you can disable the VBScript enforcement technique in MB3 -> Settings -> Protection -> Advanced Settings -> Application Hardening, but it is probably safer to find an alternative to IDM that doesn't leave you more exposed to exploits.



  2. I think you got it the other way around. Now people that have not paid for MBAE can enjoy MBAE Premium features for free in the MBAE standalone beta. The "beta" concept is basically to denote that MBAE standalone will always be a step ahead of MB3, but not by much.

    As a previous MBAE Premium paying customer, your MBAE license key now works with MB3.



  3. Hello and welcome to the forum.

    MBAE does not discern whether the payload of an exploit or social engineering attack is good or bad.

    In this case the application is attempting to execute by having Chrome execute wscript.exe to run a script. This type of application behavior opens up a huge can of worms and a security hole. I am amazed that HP is creating such insecure applications.

    You should be able to open MBAE, go to the Log tab, select the block and then click "Exclude".


  4. Known Issues for Malwarebytes version 3.0.6

    Last updated February 3, 2017

    • If you are running an earlier Malwarebytes version, and your upgrade to Malwarebytes 3.0.6 fails for any reason, simply uninstall the earlier version and then reinstall the new version.
    • If mbae64.sys errors during installation, sometimes even a clean install won't remove it; in such cases you have to use a FRST script to remove the Self-protection service and driver, or both can be deleted in Safe Mode.
    • Under certain circumstances Web or Exploit protection will not start for some systems.
    • There is a compatibility issue with Malwarebytes 3.0.6 and F-Secure Deepfreeze (either enable compatibility mode, or add Malwarebytes folders to the F-Secure exclusion list).
    • There is an issue with imaging programs (such as Macrium Reflect) where large artifact files are left in System Volume Information if a backup is created with anti-ransomware protection enabled.
    • There is a conflict with BitDefender 2017 safe pay plugin.
    • Enhancements continue to be made to overall Memory and CPU usage and will be released subsequently.
    • For computers left idle in certain circumstances, scans can appear to be stuck on Heuristics Analysis when it has actually finished (open and close the GUI for a workaround).
    • If WMI services are off or disabled, the user will see a “failure to connect to service” error after installing.
    • In Spanish and a few other languages the user will not be able to edit or add a scheduled scan.
    • New scans don't reset the "Threats Quarantined" counter on the Scan Summary page.
    • When upgrading from 2.2.1, Managed Applications (Anti-Exploit) settings are not carried over; instead all Advanced Settings will be reset to the current defaults.
    • Any User Access Policy created in MBAM 2.x is not migrated when upgrading from MBAM 2.x to Malwarebytes 3.0; a new policy will have to be created.

  5. 1- This is still beta and we've had some minor issues with the IP/URL blocking which was fixed yesterday. That's possibly the reason some URLs weren't blocked.

    2- Testing URLs that point to malware is not real-world testing. Typically before a URL pointing to an EXE gets executed, it is tripped by either an Exploit Kit or a JavaScript downloader in a ZIP email attachment. These are the top 2 infection vectors nowadays representing pretty much the vast majority of prevalent malware. If the infection vector is replicated during the test (either visiting an exploit-rigged website or opening the ZIP from an email) these infection vectors would have been blocked by MB3 before the malware was downloaded.

    3- After the infection happened the tester didn't run a ThreatScan with MB3 which would likely have caught some of those.


  6. Existing Subscriptions

    I have a Malwarebytes Anti-Malware Premium or Malwarebytes Anti-Exploit Premium subscription. Will I get Malwarebytes 3.0 Premium subscription automatically?
    Yes. If you have an existing Malwarebytes Anti-Malware or Malwarebytes Anti-Exploit subscription, your subscription will be migrated to Malwarebytes 3.0 Premium automatically at no extra charge.

    What will happen if I have both Malwarebytes Anti-Malware Premium and Malwarebytes Anti-Exploit Premium subscriptions?
    If you have both Malwarebytes Anti-Malware and Malwarebytes Anti-Exploit, you will now have 2 Malwarebytes 3.0 subscriptions. If you don’t want the extra subscription, you can give it away to friends or family, or choose not to renew when your subscription term is up.

    I'm a business customer and I want Malwarebytes 3.0! When can I get it?
    Business customers using un-managed Malwarebytes Anti-Malware standalone can upgrade to Malwarebytes 3.0. The managed Malwarebytes 3.0 will be shipping for business customers by early next year. We’re very excited about some really cool endpoint protection management technologies we have in the pipeline for our business customers.


    What will happen to Malwarebytes Anti-Exploit Free?
    We will continue offering Anti-Exploit as a stand-alone perpetual Beta. This Beta of Anti-Exploit will include all Premium features of Anti-Exploit. New techniques will be added first to the Anti-Exploit Beta for testing before they are integrated into Malwarebytes 3.0 Premium. Users who wish to continue using Malwarebytes Anti-Exploit only instead of Malwarebytes 3.0 will be able to do so through the use of this perpetual Beta.

    What will happen to Malwarebytes Anti-Ransomware Beta (Free)?
    We will continue offering Anti-Ransomware as a stand-alone perpetual Beta. This Beta of Anti-Ransomware will include all ransomware blocking capabilities. New techniques will be added first to the Anti-Ransomware Beta for testing before they are integrated into Malwarebytes 3.0 Premium. Users who wish to continue using Anti-Ransomware Beta only instead of Malwarebytes 3.0 will be able to do so through the use of this perpetual Beta.


  7. Third-Party Testing & Antivirus Replacement


    I saw a Youtube video some guy recorded claiming that Malwarebytes Anti-Ransomware didn't detect ransomware

    In today’s quickly evolving world, revolutionary products are occasionally released, and that is what Malwarebytes Anti-Ransomware is... a game changer in the Anti-Ransomware field. One thing that hasn’t changed though is the methods used to benchmark Security products, and using an old technique on a new product never works with anything. Malwarebytes Anti-Ransomware uses advanced behavior detection that relies on real world scenarios, which is also why it works so well on real machines! In test environments like these, the user doesn’t perform enough “usage” of the machine to constitute what events Ransomware would normally perform, and in turn this changes the events that Malwarebytes Anti-Ransomware would normally detect! One very simple example among thousands of others is the lack of enough variety of files on the machine and lack of a spread out location of said files; this alone changes ransomware's behavior entirely. There are too many of these configuration details to list, and the only way to truly test Malwarebytes Anti-Ransomware properly is to use it on a real machine that has some usage under its belt. It should also be said that Simulators and Custom Ransomware tools to test security products also have the same limitations noted above.

    More info on ransomware here: https://www.malwarebytes.com/ransomware/


    What is an antivirus replacement, and how can Malwarebytes 3.0 replace my antivirus?
    Antivirus replacements utilize signature-less and behavior-based detection technologies to catch the latest and most relevant threats, as opposed to anti-virus programs that rely on large databases of signatures that can quickly become outdated and are typically ineffective against many modern threats. In combination, all of our technologies can replace antivirus if a customer wishes to do so. Over 50% of our home user customers have already replaced their Symantec, McAfee, etc. with Malwarebytes Anti-Malware Premium. We believe in layered defense and built Malwarebytes 3.0 Premium to provide the right mix of proactive and signature-less technologies to combat modern threats and zero-day malware. The combination of our Anti-Malware, Anti-Exploit, Anti-Ransomware, Website Protection, and Remediation technologies provides better coverage against modern and zero-day threats than the traditional antivirus companies that charge more for less effective protection.

    Traditional antivirus vendors have struggled to keep pace with rapidly-changing malware, especially ransomware and data breaches where 0-hour protection has become the only meaningfully-relevant protection. In today’s modern threat world, where professional malware writers make their living engineering new ways to bypass protection, it is more important than ever to utilize signature-less technology and layered security to provide the greatest possible chance of defense. It is just as important to provide comprehensive remediation capabilities to clean up active malware when all else fails.

    Prior to Malwarebytes 3.0, our software was intended to be layered together with a traditional antivirus. Malwarebytes 1.x and 2.x contained only two primary layers of defense (Malware Protection and Website Protection) plus remediation, none of which is fully signature-less. But in Malwarebytes 3.0, with the addition of the three signature-less anti-exploit layers and the signature-less anti-ransomware layer, Malwarebytes' defense against real-world threats has finally surpassed that of the traditional AVs.

    We didn’t originally expect to draw this conclusion. But after we developed the anti-exploit, anti-ransomware, and other Application Behavioral Protection technology in Malwarebytes 3.0, our researchers tested our performance against the full landscape of real-world threats and found we offered our users more comprehensive protection at a better price with Malwarebytes 3.0 than by recommending you buy a separate traditional AV. So we did it.

    For our users who do prefer to continue using a traditional antivirus alongside Malwarebytes, by all means please continue to do so. Malwarebytes will always maintain compatibility with all major security software on the market, both free and paid. In particular, Microsoft’s traditional antivirus Windows Defender is included by default and for free with Windows 8 and 10, and is a useful additional layer alongside Malwarebytes 3.0.

    More info here: https://www.malwarebytes.com/malware/

    So in summary, our recommendations are:

    • If you would prefer to use only one security product, choose Malwarebytes 3.0 Premium. Based on our testing, Malwarebytes 3.0 alone provides excellent protection against today’s threat landscape.
    • If you would prefer to pay for only one security product, choose Malwarebytes 3.0 Premium and add a free traditional antivirus like Windows Defender (pre-installed for free in Windows 8 and 10). Malwarebytes installs alongside Windows Defender by default, so this is the default configuration in Windows 8 and 10.
    • If you would prefer to pay for two security products, by all means feel free to do so. Malwarebytes is compatible with all major security products on the market.


    Can Malwarebytes 3.0 run alongside Symantec or McAfee?
    Certainly! We built Malwarebytes 3.0 to be compatible with all major anti-virus software, even Windows Defender and Microsoft Security Essentials. In fact by default Malwarebytes 3.0 installs in compatible mode alongside Defender, MSE or third-party antivirus products.


    Since Malwarebytes 3.0 Premium can be considered an anti-virus replacement, will it register itself in Windows Security Center in order for Windows to recognize it as security software?
    We have designed an innovative approach that allows us to run both as a recognized and certified/compliant primary line of defense as well as a layered or complement to other third-party security applications. Malwarebytes 3.0 Premium will only register in Windows Security Center if there is a third-party anti-virus program registered (i.e. a non-Microsoft anti-virus program). If there is only a Microsoft antivirus registered and active, we will not register in Windows Security Center in order to preserve the benefit of layered security. If desired, users will be able to go into Malwarebytes 3.0 Premium Settings and change this behavior to force Malwarebytes 3.0 Premium to either “always register” or “never register”.


    Since Malwarebytes 3.0 Premium can be considered an anti-virus replacement, does it include a Firewall?
    Ever since Windows Vista the built-in Windows Firewall is strong enough from a security perspective. In fact, after Windows 7 SP1 many leading AV vendors dropped their proprietary firewall in favor of the built-in firewall with a UI front-end. At Malwarebytes we don't provide a UI front-end to the Windows Firewall, but we have been relying on the Windows Filtering Protocol (WFP) for our IP and domain blocking protection layer for years. Therefore for modern Operating Systems (i.e. Windows 7 and beyond) we don't recommend or require the use of a third-party firewall.


    How to test Malwarebytes 3.0
    It is important to measure how security products perform against real-world malware under real-world conditions. Traditionally, industry test organizations gather malware that is often 3+ months old, drop it in a folder on the desktop, and right-click it and scan. A modern test organization might actually try to execute some malware to see if it is blocked behaviorally, or download some malware from a static website to see if the download is blocked. But unfortunately, most testers today do not take live malware less than 24 hours old, replicate the infection vector in its original context (exploit-driven or malspam), and evaluate how well vendors detect and block the original infection vector and 0-day threat. Admittedly, such a test can be time-consuming to conduct, but it is also far more real-world relevant, a better representation of the dangers that real-world users face.

    For exploit and drive-by download testing in particular, the challenge is compounded because exploit kit writers actively try to fingerprint tester machines to avoid running in those environments. If a lab machine is fingerprinted by a threat, they often will decline to infect. Exploit kit writers err on the side of paranoia, so setting up an effective exploit testing rig is very challenging, and a mistake can lead to a tester’s IP being blacklisted or the malware not running at all in the lab machine.

    Some of the ways exploit kit writers detect lab machines are by looking for signs of known virtualization (VirtualBox or VMware Tools installed, or timing attacks), an absence of everyday applications installed, or the presence of known testing tools (Fiddler, Wireshark). Exploit kits also tend to trigger only if the HTTP referrer looks like it comes from a real-world source (Google, Bing), and only once for each public IP address. These restrictions have made it much more difficult to test effectively.

    Detailed instructions for how to set up a valid test lab are available at https://malwarebytes.box.com/s/ct1xck9f7hphaeuj9nbhq9xxt4ayd6tk

    Exploit attacks should be replayed using packet captures from Wireshark (.pcap) or Fiddler (.saz). Exploit captures for testing can be obtained from Malwarebytes (https://blog.malwarebytes.com/malwarebytes-anti-exploit-itw), or from a third-party source like VirusTotal Intelligence using search terms like type:”pcap”, tag:”cap”, or tag:”exploit-kit”. Other third-party capture sources are listed in the instructions document above.

    Malspam, social engineering, or spear-phishing attacks or payloads should be executed or triggered directly from an email client or webmail interface, as a real user would do.

    It should be noted that most of the leading third-party testing organizations who belong to the Anti-Malware Testing Standards Organization (AMTSO) do not test by replaying exploits, and the few that do only do so for a small set of samples because of the difficulty of exploit testing. The vast majority of third-party scoring is done by scanning files on disk and executing them, without replicating the infection vector.


    Why doesn’t Malwarebytes detect EICAR?

    According to the European Expert Group for IT-Security (EICAR) organization, the EICAR test file is a plain string of ASCII characters which can be opened with a regular text editor. EICAR asserts that antivirus products should detect any file that starts with the EICAR strings, which are the following 68 characters:

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

    Detecting the EICAR strings doesn’t mean anything in terms of proving a product’s real-world effectiveness against threats. This experiment merely proves that the antivirus product can use a pattern-matching signature and trigger against a DOS file (not a Windows PE file) whose content starts with the above EICAR string.

    At Malwarebytes we employ over 7 different prevention layers. Each layer has a specific objective in terms of disrupting threats at different stages of the attack chain. Most layers are signature-less and are designed to protect against the real-world threats our researchers observe in-the-wild, ensuring Malwarebytes customers are protected against prevalent and relevant threats.

    The detection or lack thereof of the EICAR test file is not representative of how our different vector blocking and payload prevention techniques work, both in pre-execution and post-execution phases of the attack. The MBAM engine does not need to deal with scripts because our anti-exploit, web blocking and application behavior engines are much more effective at disrupting script-based malware and exploits without relying on signatures. Most anti-virus products have to rely on signatures to detect and block script malware, which is exactly what you DON'T WANT your antivirus to do. There are many more obfuscation and signature evasion techniques available for script droppers than there are for binary malware. Therefore relying on signatures to detect script droppers or files like the EICAR test file is actually damaging to your security. The fact that your security product detects EICAR with a signature should be a reason for CONCERN instead of success. Most modern script-based droppers and attacks are obfuscated anyway, so using signatures on scripts (like those signature detections for .JS ransomware droppers regularly found in VT) is largely useless and easily bypassed as compared to other protection approaches like those found in MB3.

    An EICAR detection proves that a product is able to use pattern-matching signatures and detect a type of threat that may have been prevalent and relevant over 2 decades ago. According to EICAR, a batch file that reads in another file and displays an “alert” message if it finds the EICAR string would qualify as a virus detection product.

    So in summary, MB3 already incorporates world-class, next-generation anti-malware technologies. Our combined signature-less and rules-based layered approach is far more effective than using AV signatures. Malwarebytes is able to prevent 0-minute threats and attacks without updates, even script-based, file-less, and other advanced attacks. We won’t detect EICAR because EICAR is not representative of either today’s threat environment or security needs.
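The pattern match that an EICAR detection amounts to, written out as an added example (not code from the post above or from any Malwarebytes product) so the narrowness of what it proves is visible. It assumes EICAR's published file rules as the detection criteria: the file starts with the 68-character string, anything after it is whitespace only, and the whole file is at most 128 bytes.

```python
# Added example: the kind of prefix-matching check that detecting the EICAR test
# file requires. Constructed sample inputs are embedded below; nothing here is
# Malwarebytes code. The rules (68-byte prefix, trailing whitespace only,
# at most 128 bytes total) are EICAR's published ones for the test file.
EICAR_STRING = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_MAX_LEN = 128
TRAILING_WHITESPACE = b" \t\r\n\x0b\x0c"


def is_eicar_test_file(data: bytes) -> bool:
    """Return True only if `data` is a valid EICAR test file under EICAR's rules.

    This is a literal prefix match at offset 0, which is exactly why passing it
    says nothing about behavioural or exploit-vector protection.
    """
    if len(data) > EICAR_MAX_LEN:
        return False
    if not data.startswith(EICAR_STRING):
        return False
    # Everything after the 68-byte string must be whitespace (EICAR permits
    # a trailing newline or similar padding, but no other content).
    return data[len(EICAR_STRING):].strip(TRAILING_WHITESPACE) == b""


def scan_samples(samples: dict) -> dict:
    """Map each constructed sample name to whether the prefix check fires."""
    return {name: is_eicar_test_file(content) for name, content in samples.items()}


# Constructed sample "files" (labels are hypothetical).
SAMPLES = {
    "eicar.com": EICAR_STRING,                          # canonical test file
    "eicar_crlf.txt": EICAR_STRING + b"\r\n",           # trailing whitespace is allowed
    "eicar_with_note.txt": EICAR_STRING + b" a note",   # extra content: not a valid test file
    "eicar_offset.txt": b"REM " + EICAR_STRING,         # string not at offset 0: no match
    "eicar_padded.txt": EICAR_STRING + b"\n" * 70,      # 138 bytes, over the 128-byte limit
}

if __name__ == "__main__":
    for name, hit in scan_samples(SAMPLES).items():
        print(f"{name}: {'EICAR-Test-File' if hit else 'no match'}")
```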
