
Captain_Obvious

Posts posted by Captain_Obvious

  1. On 3/12/2019 at 1:18 PM, exile360 said:

    Bingo, also with regards to Microsoft's licensing, I don't know why they made the change, but several years ago they started to prohibit the distribution of WinPE and at that time major vendors like Symantec/Norton, Acronis (makers of True Image) and many others had to stop distributing bootable tools based on WinPE.  You can find a discussion on this issue here and there are others on the net.

    Basically Microsoft changed their EULA/terms for WinPE sometime back, and since making that change, they've made it impossible for any company to legally distribute tools based on WinPE to users/customers.  They could theoretically provide a tool to build a WinPE image for users, however the users would have to set up the WAIK/WinPE image themselves on an individual basis, and since not all users have access to a clean system to work from this presents a challenge.

    And like that you added yet another reason to hate Microsoft to my growing list. I can't understand why Microsoft would do that. It doesn't seem to benefit them in any way, and it just hurt their customers that much more.

    But you know what else I don't understand? Why people code viruses and malware in the first place. According to an interview with an FBI agent that I read, the code for many virus and malware applications can be very complex! They can contain hundreds of lines of code that would take a single person MONTHS to code! I don't understand what they get out of that. Like you said, with ransomware, spyware, and trojans, at least the developer has a chance at making a significant amount of money either by stealing financial information or by stealing personal information and using it to acquire funds in the person's name. With that, at least they get compensated for their work in coding the software.

    But with viruses and malware, they don't get paid at all. They spend all of their personal time coding an application that damages someone's operating system, and they get nothing in return. It's completely pointless! I just don't understand why malware even exists. It doesn't profit the coder in any way.

  2. On 3/12/2019 at 11:32 AM, Amaroq_Starwind said:

    The Bitdefender, Kaspersky and Avira offline scanners use signature-based detection. They look for things that match a description. Malwarebytes look for things that are behaving weirdly, but when everything is asleep, it's much harder to tell if something is behaving weirdly.

    Well, you mean Malwarebytes looks for things that are behaving weirdly provided the user has the "signature-less" options selected. If they don't, Malwarebytes goes back to being signature-based just like any other anti-virus software. So it's obvious that Malwarebytes has and maintains a signatures database. With that being said, they could use that for offline scanning.

  3. 5 hours ago, exile360 said:

    It's likely mostly due to the fact that the scan engine in Malwarebytes really isn't a flat file scanner.  Many of the technologies it uses to detect threats, especially the nastier ones that you'd likely desire an offline scanner for in the first place, rely on technologies that require threats to be active as well as the current Windows installation (things like rootkit scanning, linking, heuristics etc.) and they've had great success so far relying strictly on more conventional means of getting the software to run even in hostile environments.

    Other companies, such as Bitdefender, Kaspersky, and Avira scan for the exact same things using their offline scanners. So it should be possible for an offline Malwarebytes scanner to do this.

    5 hours ago, exile360 said:

    As for the possibility of an offline/bootable scanner, I don't know. It's been discussed in the past many times, but since it's much easier to work from WinPE rather than Linux as it would be much easier to read/load offline registry hives and natively read the offline system's file structure, that would be the ideal solution, however Microsoft's recent restrictions regarding the use and distribution of WinPE make that much more difficult (they did look into it, however Microsoft made changes to their licensing preventing vendors like Malwarebytes from offering WinPE based solutions).

    Do you know why Microsoft made changes to their licensing? What's the backstory on this? I'd like to hear more about this.

    5 hours ago, exile360 said:

    You never know though, maybe they will be able to offer some kind of bootable solution in the future, but only time will tell.  I haven't heard anything recently about it but that doesn't mean that it's completely off the table as they could be working on it or at least considering it behind the scenes.

    I sure hope so. A Malwarebytes Offline Scanner would be pretty sweet. And another thing, I think it's a little unfair to compare the Malwarebytes of the past to the Malwarebytes of the present. Currently, Malwarebytes is the second largest anti-virus vendor in the entire world (by reason of market share). They have far more money, resources, and engineers/developers than they did in the past. What would have been considered impossible in the past could potentially be within reach here in the present.

  4. 7 hours ago, Amaroq_Starwind said:

    I've requested this myself before, but there are issues. MalwareBytes doesn't have a license to package a Windows Preinstallation Environment, and porting Malwarebytes to Linux hasn't been achieved yet. Not to mention, it would be difficult to read the registry and filesystem of an offline Windows system and make any changes from Linux without potentially screwing stuff up. Now, if you wanted something that resided on your computer and booted before the rest of Windows did, you could try building a Native API application, but that wouldn't be entirely feasible for more than a few reasons.

    So yeah, it would actually take a lot of time and effort to create, unfortunately.

    Well, that's a bummer right off the bat. So just out of curiosity, how do other companies like Bitdefender, Kaspersky, AVG, and Avira do it? They seem to have no issues creating Linux scanners that have no issues reading and making changes to the registry and filesystem without screwing anything up.

    For particularly nasty infections, the go-to cure is typically an offline scanner such as Windows Defender Offline, Bitdefender Rescue CD, or Kaspersky Rescue Disk. In fact, I see those products recommended even here in these forums. However, one thing I'm wondering is why Malwarebytes simply doesn't develop their own offline scanner? Then, people would be able to recommend a Malwarebytes exclusive program instead of constantly advertising for the competition. When it comes to offline scanning, you're literally a walking advertisement for other companies. Most versions of Linux are free and easily bootable from a USB drive or DVD, and you already have an entire signatures database and scanning software. So I can't imagine it costing your development team too much time or effort to create.

    Come on guys, you can do it!
