A few simple suggestions


Insomniac

As it is, I think MBAM is great, but there's a couple things that I think could be altered slightly to improve it further.

The first is the admin rights problem. I understand that the way MBAM is coded, it cannot update databases properly from a limited/standard user. As I run a standard user, I simply have the MBAM shortcut set to launch as admin, where it prompts me for the password and then works properly.

All I think should be changed is to have a popup box inform a user when they try and run it without admin rights. As it is, it reports 'database updated from xxxx to xxxx' with the numbers being identical. It still shows a download bar and acts as though it has updated. When I first tried MBAM I didn't realise this, and so for a week or so I'd been using it in this way, when finally the never-changing database numbers made me try it as an admin. Having a popup reporting 'you must run MBAM as an administrator for this function' or something similar makes this issue non-existent, without the need to code a way for MBAM to update on a limited user. Spybot S&D already does this with its immunize feature, which is helpful for new users and isn't as misleading as MBAM currently is when updating on a limited account.

Also, this is fairly minor but something that I noticed recently. On the Malwarebytes.org page, there are two buttons to download, one for the full version and one for the 'free trial version'. When I see 'trial version' the first thing I think is 'limited to 30 days' or something like that. I.e. if I'm looking for an application for whatever reason and I see 'trial version', it makes me think of it as so severely limited that I usually won't pursue it further. MBAM's free version is a 'complete' enough program that the name just doesn't seem to suit it. 'Free version' sounds like a complete, fully functional program that lacks a couple of extras found in the 'pro' version. 'Trial version' sounds like a very limited and much less useful version of a program. Perhaps this was changed to encourage more people to buy, but it just seems odd to me to call it a trial.

EDIT: Aha! Remembered what the other thing I meant to put here was. I've seen in some posts in the FP forums where MBAM has detected some customized settings that a user has added, but which could also be performed by malware. As it is at the moment, MBAM will report they are a trojan. Perhaps in a future version there could be a section in the scan log devoted to the settings that both users and malware often mess with, and mark them as a 'warning' rather than an infection. In this way, a user who sees MBAM flag something will be able to realize it was caused by them, but a user who doesn't know why it's been changed will be advised to let MBAM fix it.

For example, the edited settings that a user shouldn't change would still be read as an infection, but the settings that it's reasonable a user would modify could be called warnings and have a dialog explain what it means when they are flagged.


Is that true? No update in limited user account? :(

Yes. On default settings that is. Once you grant the "user" group permissions to write to MBAM's account folder (\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware), then the program updates just fine:

Shot has been taken on a virtual machine.



  • Staff
Also, this is fairly minor but something that I noticed recently. On the Malwarebytes.org page, there are two buttons to download, one for the full version and one for the 'free trial version'. When I see 'trial version' the first thing I think is 'limited to 30 days' or something like that. I.e. if I'm looking for an application for whatever reason and I see 'trial version', it makes me think of it as so severely limited that I usually won't pursue it further. MBAM's free version is a 'complete' enough program that the name just doesn't seem to suit it. 'Free version' sounds like a complete, fully functional program that lacks a couple of extras found in the 'pro' version. 'Trial version' sounds like a very limited and much less useful version of a program. Perhaps this was changed to encourage more people to buy, but it just seems odd to me to call it a trial.
This was supposedly going to be changed a while back; not sure what the hold-up is, it's all of a couple of lines to change.

There is also a link on download.com that claims we're 64bit compatible and I've told Marcin about it too. Here:

http://download.cnet.com/Malwarebytes-Anti....html?tag=mncol

Hasn't been corrected yet. Not sure if Marcin contacted them about it or not.

EDIT: Aha! Remembered what the other thing I meant to put here was. I've seen in some posts in the FP forums where MBAM has detected some customized settings that a user has added, but which could also be performed by malware. As it is at the moment, MBAM will report they are a trojan. Perhaps in a future version there could be a section in the scan log devoted to the settings that both users and malware often mess with, and mark them as a 'warning' rather than an infection. In this way, a user who sees MBAM flag something will be able to realize it was caused by them, but a user who doesn't know why it's been changed will be advised to let MBAM fix it.

For example, the edited settings that a user shouldn't change would still be read as an infection, but the settings that it's reasonable a user would modify could be called warnings and have a dialog explain what it means when they are flagged.

I believe they're trying to come up with better wording on some of these already.

  • Staff
Can anyone send me a PM with details? :) My wife shouldn't run with an admin account :(
:)

Have her run in Sandboxie:

http://www.sandboxie.com/

So far the only thing that's ever gotten out on me was Virut. Backdoors: nope. Trojans: nope. DNS changers: nope. Spambots: nope. Rootkits: nope. See what I mean? You'll just have to ensure she uses it every time. No matter what she gets, excluding Virut, empty the sandbox and it's all gone.

I use it every day and have been for a long time now.


  • Staff

Unfortunately, probably not, as certain tools/methods are reserved for corporate customers (they don't even tell me :( ). Honestly though, at least for your home computer, editing the security on the folder as Raven suggested should be fine. In a corporate environment with mass amounts of PCs it's a different story, because security concerns are quite different.


This would NOT be a best practice for a corporate/business computer. There are very easy ways to accomplish this without altering security.

However I don't think Marcin wants me to go into details in the forum.

I suggested that because I assumed we're talking about a home PC (a default assumption based on what the majority of discussions on this forum are about), and the OP never mentioned anything about a corporate environment as well, so I myself never considered this possibility. Still, I kind of doubt such a small alteration could be fatal even on a corporate/business system.


  • Staff

Contrary to what you may believe, Tom, it is not just a few lines of code.

Regardless, it's certainly not difficult to do for someone of your ability, and would eliminate confusion by users, which is the only important thing.

  • Staff
SAS avoids this by using individual user data folders for definitions, but this also creates the annoyance of having to update each user account individually.

Right. Think about it this way. The user-account model groups your files by the user account that "owns" them. No account can touch another's files. This is the most basic implementation of filesystem security. Vista implements this correctly, and we want to comply with it.

Now, suppose you want ordinary "limited" users to be able to update definitions files for MBAM. Then you have to put the definitions files in locations that limited users can access. There are two ways to do this:

1) Put your definitions files in a single location that all limited users are given access to. This is fine so long as you trust your limited users. But most of the time, you don't. Suppose one user's account becomes compromised, or is malicious from the start. That user now has access to global files, can manipulate them at will, and essentially you have enabled an elevation-of-privilege attack. Bad.

2) Put your definitions files in each limited user's filesystem space individually. This requires each user to update definitions files individually, which is bad if you do not trust your users to remember to do this. It leads to definitions that are up-to-date for some users and not others, which becomes annoyingly inconsistent.

The remaining option is to require administrators to do all the updating, and write definitions files to admin filesystem space. This is the solution nearly every security vendor chooses.

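The permission change described earlier in the thread (granting the Users group write access to the shared MBAM data folder) is exactly option 1 above, and the post explains why that is risky: any limited account, or malware running as one, can then alter the definitions every account relies on. As an added example, not part of this thread or of Malwarebytes' own tooling, this PowerShell script audits the folder's ACL and reports whether non-administrator principals can modify it. It assumes the XP-era path quoted in the thread; the folder location and the group names are the only assumptions.

```powershell
# Added example (not from the thread or from Malwarebytes): audit whether
# non-admin principals can modify the shared MBAM definitions folder.
# Path is the XP-era location quoted in the thread; adjust for other Windows versions.
$folder = 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes'' Anti-Malware'

if (-not (Test-Path -LiteralPath $folder)) {
    Write-Warning "Folder not found: $folder"
    return
}

$acl = Get-Acl -LiteralPath $folder

# Any of these rights lets a limited user alter definition files in place.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

# Principals that represent "everyone on this machine" rather than admins/SYSTEM.
$broadPrincipals = 'Users$|Everyone$|Authenticated Users$|INTERACTIVE$'

$risky = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ([string]$_.IdentityReference) -match $broadPrincipals -and
    ($_.FileSystemRights -band $writeRights) -ne 0
}

if ($risky) {
    "WARNING: non-admin principals can modify $folder"
    $risky | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    "OK: only administrators/SYSTEM can modify $folder"
}
```

Run it from an elevated prompt after making (or inheriting) the folder permission change to see which entry opened the folder up, and again after reverting to confirm the default state.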

  • Staff
Right. Think about it this way. The user-account model groups your files by the user account that "owns" them. No account can touch another's files. This is the most basic implementation of filesystem security. Vista implements this correctly, and we want to comply with it.

Now, suppose you want ordinary "limited" users to be able to update definitions files for MBAM. Then you have to put the definitions files in locations that limited users can access. There are two ways to do this:

1) Put your definitions files in a single location that all limited users are given access to. This is fine so long as you trust your limited users. But most of the time, you don't. Suppose one user's account becomes compromised, or is malicious from the start. That user now has access to global files, can manipulate them at will, and essentially you have enabled an elevation-of-privilege attack. Bad.

2) Put your definitions files in each limited user's filesystem space individually. This requires each user to update definitions files individually, which is bad if you do not trust your users to remember to do this. It leads to definitions that are up-to-date for some users and not others, which becomes annoyingly inconsistent.

The remaining option is to require administrators to do all the updating, and write definitions files to admin filesystem space. This is the solution nearly every security vendor chooses.

That's a great explanation, thanks for that.

How does a program like AVG go about this then? It seems to update fine from a limited user.

Even if it's impossible to change this for MBAM, it would be a big improvement to have a pop-up dialog inform a user that admin privileges are needed. It helps avoid confusion without needing to completely redesign how MBAM does definitions.

Or how about a hybrid between these update types, or give the user the ability to decide (of course, this would take more coding).

I.e. if an administrator updates, it updates it for every user. However, if a user runs the update it will check to see if there is a new DB version out, and download a copy specifically for that user. So if a user forgets to update they will still get updates when the admin does, but if they want to do it themselves they can do that too.

I don't know much about this sort of thing though so that is probably too complex or impractical.


  • Staff
Hi TeMerc,

Any chance you could elaborate a little on this? What variant of Virut, Sandboxie version, etc.?

Thanks :(.

That was a while back, in Sept. Not sure which version of Sandboxie I was running. I've still got the file if you want it. I can PM it to you if you like.

  • Staff
Thanks Tom, but no need, Oneder has kindly taken the time to test the file HERE.

Thanks again :D.

No worries, but of course, keep in mind the version I had of Sandboxie was not anything as current as what's available now. Which version did he use? So it may not be a viable test unless done with an older version, before Sept 08.

Also, does 'restricted' mean default Sandboxie?


No worries, but of course, keep in mind the version I had of Sandboxie was not anything as current as what's available now. Which version did he use? So it may not be a viable test unless done with an older version, before Sept 08.

Also, does 'restricted' mean default Sandboxie?

I would guess Oneder tested the sample using the latest version of Sandboxie. It's good news though to hear the file was contained successfully in his testing.

A restricted Sandbox would be one that has been hardened through the Sandbox settings, such as enabling the Drop Rights feature, restricting Internet access to certain programs, selecting what's allowed to Start/Run in the sandbox etc.

All the best,

RD :D


  • Staff
I would guess Oneder tested the sample using the latest version of Sandboxie. It's good news though to hear the file was contained successfully in his testing.

A restricted Sandbox would be one that has been hardened through the Sandbox settings, such as enabling the Drop Rights feature, restricting Internet access to certain programs, selecting what's allowed to Start/Run in the sandbox etc.

All the best,

RD :D

Oh, ok.

Well, an older variant of Virut may or may not be the best test. Matter of fact, I think I may have a newer one I posted in the forums a week or two ago; I'll have to check it out.

As for the 'restricted' settings, which settings are those to change? Could you please detail them? I run it right out of the box so to speak.
