Jump to content

Is Malwarebytes Pro explicitly designed to work with AVs? 100 sure?

Cavehomme
 Share

Recommended Posts

Cavehomme

Cavehomme

Posted
Posted

I would like to draw the following support call to the attention of forum members to comment upon and perhaps clarify further with your own knowledge.

As we are mostly aware, on the MWB main site it states that MWB Pro "Works Well With Others - Cooperative functionality" and that's further mentioned by numerous people in these forums. It's one of the key reasons why I chose to use MWB Pro.

On my main PC with Win 7 HP I use MSE as my AV. I did have some performance issues last year when using simultaneously MSE and MWB Pro and eventually I reverted to KIS 2012. After a great start, after several months it got slower and I could not pin down the reason, but it's a common issue apparently. I then discovered 2 trojans after temporarily uninstalling KIS 2012 and doing an on-demand with MSE and so I decided to revert to MSE. I then tried MWB Pro, excluded each from each other, and found that the performance was excellent now.

During this period I went onto the MSE forums and saw that most MVPs and mods there recommend that no other realtime tool such as MWB Pro should be used alongside MSE because of the risk of the two potentially pausing or fighting over the same malware and thereby letting it slipping through. I was not too convinced that this could happen, but because MWB Pro is designed to work alongside AVs then I ignored such advice and thought that MS people were being overly-cautious or even ignorant of MWB Pro, but one day I thought I would give them the benefit of the doubt and that I would try and get confirmation from MWB.

A few days ago I contacted MWB Pro support to ask for re-assurances and some kind of explanation of how MWB Pro deals with malware. I wanted to understand how does it know when to intervene. If it is designed to work alongside an AV in my mind when MWB Pro sees malware it would need to ensure it is not going to jump on it until it knows that the AV is not dealing with it, or some other way of ensuring that it does not wrestle with the AV. When does it know when to pounce on it rather than leaving it to MSE or another AV to deal with and avoid the risk that it will slip through?

The answer was surprising. It does not ! That's how I read the support ticket. If that's correct, then it goes against everything that I have believed MWB Pro to be. I gave the support agent the opportunity to check his statement with his seniors to be absolutely sure. I have attached the long email chain to this post. Read the whole thing if you wish, but highlighted in red is the most pertinent part. I appreciate any explanatory comments from anyone including MWB Pro staff if they post here. I really want to be 100% sure about this issue.

Link to post
Share on other sites
David H. Lipman

David H. Lipman

Posted
Posted

It is contraindicated to have two fully installed anti virus applications performing both "On Demand" and "On Access" scanning. You can however use one fully installed anti virus application performing both "On Demand" and "On Access" scanning and numerous additional "On Demand" scanners.

However MBAM is is not an anti virus application and is NOT designed to replace an anti virus application but to supplement anti virus applications. The actual file level scanning is but a subset of what an anti virus application will target. MBAM does not scan inside archive files (ZIP, LZH, 7z, CHM, Jar, RAR, etc) will not scan data files (PPT, RTF, XLS, DOC, PDF, etc) and not scan scripts (PHP, HTML, VBS, JS, etc.). MBAM does not target viruses (there are some exceptions such as virus droppers) and can not remove malicious code that has been; prepended, cavity injected or appended to a legitimate file.

Since MBAM changes with new versions and the various traditional anti virus vendors change with new versions as well there may be some alterations to operation and configuration changes to be made in both MBAM and the traditional anti virus product such that there is complete symbiosis.

There is a lot of confusion about this subject matter and faux information that is perpetuated. The fact is MBAM will successfully work with numerous (legitimate) anti malware products and its use broadens the prevention, detection and removal of malware on a given platform.

Link to post
Share on other sites
Cavehomme

Cavehomme

Posted
  • Author
Posted

....You can however use one fully installed anti virus application performing both "On Demand" and "On Access" scanning and numerous additional "On Demand" scanners.

Since MBAM changes with new versions and the various traditional anti virus vendors change with new versions as well there may be some alterations to operation and configuration changes to be made in both MBAM and the traditional anti virus product such that there is complete symbiosis

....The fact is MBAM will successfully work with numerous (legitimate) anti malware products and its use broadens the prevention, detection and removal of malware on a given platform.

Thanks for trying to give an answer. I am aware of the points that you make. Did you read the Support emails that I attached? The main point I was making is that as a result of my investigation and answers from B it seems that MBM Pro is quite successful in what it does, and any "symbiosis" as you say, but it's not by design according to the Support reply.

Link to post
Share on other sites
tedivm

tedivm

Posted
Posted

We do compatibility testing all the time- our QA team constantly goes through and checks to see how we work with other vendors. Besides simple testing we also have a number of design features that make us less likely to conflict with existing software. The way we detect threats is very different than AVs, which means conflicts should happen very very rarely. Even without that a simultaneous detection should not be an issue- if it did occur the user would simple have to tell one engine to ignore it so the other can remove it.

This isn't to say that problems don't ever occur, but when they do we get them cleared up very quickly.

Link to post
Share on other sites
Porthos

Porthos

Posted
Posted

OK, Here is what I have seen, Bad file is found by both products- File is stopped- I instruct MBAM to Quarantine and Instruct MSE to clean computer. MBAM got the file and when MSE tried to clean it was already gone -----File not found.... :P

Link to post
Share on other sites
exile360

exile360

Posted
Posted

OK, Here is what I have seen, Bad file is found by both products- File is stopped- I instruct MBAM to Quarantine and Instruct MSE to clean computer. MBAM got the file and when MSE tried to clean it was already gone -----File not found.... :P

How on earth did you manage to get them both to hit a file at the same time? I've been running MSE since it was in beta and I've never seen it hit something at the same time Malwarebytes Anti-Malware did. It always hit the threat first, and if I allowed MSE to remove it, Malwarebytes never saw it.
Link to post
Share on other sites
Firefox

Firefox

Posted
Posted

I have had them both hit at the same time as well. If I had a folder with say a virus file on it that MSE did not know about it yet, and I did a scan with Malwarebytes and Malwarebytes touches that folder and file by scanning it, then MBAM will detected it as well as MSE. I have seen this happen on some computers I have worked on that had some keygens on them.

Hope that makes sense excile.

Link to post
Share on other sites
Cavehomme

Cavehomme

Posted
  • Author
Posted

Since I am an exclusive MSE/MBAM combo evangelist, All items I come across are reported to MBAM and MSE if not detected.

Do you do extra scans with a third on-demand scanner to check that nothing has slipped through due to a theoretical / potential clash between MSE and MWB?

Link to post
Share on other sites
Cavehomme

Cavehomme

Posted
  • Author
Posted

We do compatibility testing all the time- our QA team constantly goes through and checks to see how we work with other vendors. Besides simple testing we also have a number of design features that make us less likely to conflict with existing software. The way we detect threats is very different than AVs, which means conflicts should happen very very rarely. Even without that a simultaneous detection should not be an issue- if it did occur the user would simple have to tell one engine to ignore it so the other can remove it.

This isn't to say that problems don't ever occur, but when they do we get them cleared up very quickly.

That's helpful, thanks. It's a pity that I could not get this basic information from your support desk and instead ended up wasting time going in circles and getting frustrated.

In terms of design features and "The way we detect threats is very different than AVs" - Is there any of the methodology, in general terms, that can be shared with us, without compromising the security of the product?

Link to post
Share on other sites
exile360

exile360

Posted
Posted

In terms of design features and "The way we detect threats is very different than AVs" - Is there any of the methodology, in general terms, that can be shared with us, without compromising the security of the product?

Yes. The realtime protection module in Malwarebytes Anti-Malware detects threats on execution, not on-access the way that antivirus software does. This means that a threat has to actually attempt to execute/run in memory, not just be downloaded to your computer, before Malwarebytes Anti-Malware's realtime protection will detect the threat.

Antivirus software works differently. It detects items on-access, meaning it analyzes files as they are downloaded to your computer or accessed by other programs.

This means that if Malwarebytes Anti-Malware's realtime protection detects a threat, it should be after your antivirus has already had a look at the item and failed to detect it. If your antivirus detects a threat and removes it, then Malwarebytes Anti-Malware will not even see the threat because it would have been removed long before the threat actually tried to run in memory.

Link to post
Share on other sites
Porthos

Porthos

Posted
Posted

Do you do extra scans with a third on-demand scanner to check that nothing has slipped through due to a theoretical / potential clash between MSE and MWB?

Because of my experience I already KNOW the file in my email attachments are bad before I report them. I report them to make the product better for all of us.

You can also scan individual files here

https://www.virustotal.com/

I am also a fan of the eset online scan for a second opinion for a total system scan.

Link to post
Share on other sites
Cavehomme

Cavehomme

Posted
  • Author
Posted

Yes. The realtime protection module in Malwarebytes Anti-Malware detects threats on execution, not on-access the way that antivirus software does. This means that a threat has to actually attempt to execute/run in memory, not just be downloaded to your computer, before Malwarebytes Anti-Malware's realtime protection will detect the threat.

Antivirus software works differently. It detects items on-access, meaning it analyzes files as they are downloaded to your computer or accessed by other programs.

This means that if Malwarebytes Anti-Malware's realtime protection detects a threat, it should be after your antivirus has already had a look at the item and failed to detect it. If your antivirus detects a threat and removes it, then Malwarebytes Anti-Malware will not even see the threat because it would have been removed long before the threat actually tried to run in memory.

That's very clear and very helpful, thanks. It gives me a lot of confidence in using the product realtime now.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept