Jump to content

Can Malwarebytes detect inactive ransomware?


Recommended Posts

If ransomware infects my hard drive but remains inactive for days to weeks and subsequently is imaged on an air-gaped hard drive before becoming active, can/should MBAM 2.0 detect this infection if the image file is scanned?

If not, will this capability will be included in the upcoming release of Malwarebytes Anti-Ransomware?

Regards, Gyre

Link to post
Share on other sites

25 minutes ago, Aura said:

Hi Gyre :)

Malwarebytes will detect an inactive Ransomware if that file is scanned, and its definition is in Malwarebytes' database. As for your other question, you want to know if Malwarebytes supports the scan of .iso files?

Hi Aura,

Thank you for your response.

I was not referring specifically to .iso files, but to hard drive image files such as Macrum Reflect .mrimg or Acronis .tib files.  Would .iso files be an exception?

Gyre

Link to post
Share on other sites

Here is a reply crafted by one of our resident experts @David H. Lipman that perhaps may help you understand what MBAM will target

MBAM does not target script files. That means MBAM will not target; JS, HTML, VBS, .CLASS, SWF, BAT, CMD, PDF, PHP, etc.
It also does not target documents such as; PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, etc.
It also does not target media files;  MP3, WMV, JPG, GIF, etc.

Until MBAM, v1.75, MBAM could not access files in archives but with v1.75 came that ability so it can unarchive a Java Jar (which is a PKZip file) but it won't target the .CLASS files within. Same goes with CHM files (which is a PKZip file) but it doesn't target the HTML files within. MBAM v1.75 specifically will deal with; ZIP, RAR, 7z, CAB and MSI for archives. And self-Extracting; ZIP, 7z, RAR and NSIS executables (aka; SFX files).

MBAM specifically targets binaries that start with the first two characters being; MZ
They can be; EXE, CPL, SYS, DLL, SCR and OCX. Any of these files types can be renamed to be anything such as;  TXT, JPG, CMD and BAT and they will still be targeted just as long as the binary starts with 'MZ'.
 
MBAM is not an anti virus application.  MBAM targets mainly non-viral malware.  The exception being a virus dropper ( a malware file that drops a virus and starts a virus infection but is not infected with the virus ) and worms ( such as Internet worms and AutoRun worms ).
 
MBAM is incapable of removing malicious code that has been prepended, appended or cavity injected into a legitimate file.  That means if a file infecting virus infects a legitimate file MBAM will be unable to remove the malicious code.  An anti virus application should be able to remove malicious code from an infected file and hopefully bring it back to its preinfected state.  Which may or may not return the file to its original, non infected, checksum value.
 
A file infecting virus will prepend, append or cavity inject malicious code into a legitimate file.  Once infected, that infected file can further the infection by infecting other legitimate files.
 
On the other hand there are trojans that will prepend, append or cavity inject malicious code into a legitimate file.   However that file can not infect other files.  The infection stops with that targeted file.  These files are either deemed to be "trojanized" or "patched".  Since MBAM can not remove the added malicious code, at best MBAM will try to replace the trojanized file with a legitimate, unaltered, file.
 
 
I hope this broadens your understanding of what MBAM can not do and why MBAM is an adjunct anti malware solution that is meant to complement a fully installed anti virus application and not replace it.
 

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.