
Allow exception for 'HackTool' type


Mord


Hello,

Much like you can disable detection / "protection" from PUPs and PUMs, I would like the ability to disable detection and "protection" from the type 'HackTool.' In all cases so far that MB 3.0 has forcefully removed 'HackTool' type from my computer it was something I did NOT want either detected or removed. MBAM 2.x was much less intrusive in this regard.

I don't want to have to add a file and/or folder exception or disable real-time protection to get around this. I'd just like the ability to add an exception for anything considered a 'HackTool' and/or the ability to disable detection for such. The best solution IMO would be, like you can for exploit types, to be able to add exceptions that use either regex or simple asterisk-type filters for "malware" types. So for instance I could add an exception for "HackTool*" and that would satisfy my situation.


I doubt that this will be implemented, particularly in the Home product, as the vast majority of home users do not use hacktools of any kind.

Obviously, if it is for business products, then that would fall in the business product line help.  And for those of us like yourself and me as well, our only recourse will be to continue to use file / folder exceptions.

My supposition is (for one) that it would be too easy for malware to change that setting and then remotely run a hacktool that would allow malware propagation on a system.  Again, for you and I, that would not be an issue, but if a regular home user were to also exclude hacktools, then get infected, MB would have a rash of complaints.

Similarly, if they made the product somewhat extensible so that we could add our own filetype exclusions, it would be too easy to exploit by a third party on home users' systems who are not technically savvy enough to be using hacktools in the first place, again leading to a possible rash of infections.


I agree with John L. Galt's assessment and will also add that even in a business, and especially larger enterprise environment one could be inviting trouble in creating such an extensive exclusion, even if they know what they're doing as I could easily imagine some voracious network worm working its way through such a network unchecked were such an exclusion allowed and unless there were some other means of flagging the activity, the bad guys could quickly get a foothold in pretty much the entire network and most or all of the connected endpoints which could spell major disaster (and possibly huge losses of data and time) for the company, not to mention the cleanup that would have to be done to take care of it and secure the network and all endpoints again.

Worms can be nasty things, and I've seen evidence based on recent reports from friends of mine who work IT in business environments that they are still a class of threat which is alive and well.  In fact, I recently got a report of a particular worm whose primary function was simply to install tons of PUPs on every system that connected to the network and to spread to every new network each infected endpoint connected to.  While that's not much of a risk to data, it sure is a hassle to clean up all those endpoints and deal with all those support calls from the affected users, especially for cases where the company allows BYOD.


  • 4 weeks later...

Surely you can just add them in exclusions? Or uninstall MBAM and then reinstall. Not sure why you'd be hacking on a Windows machine anyway lol, surely Linux would be a better option (Kali, Parrot etc.) for vulnerability testing. Maybe I am wrong, I'm still learning all these many things, so please do correct me if I am wrong.


I just analyzed a Java Banload that included NirSoft's OutlookAddressBookView utility.

If an end-user uses these tools, they must exclude the folder they have them in.

Flagging these types of utilities as PUPs, HackTools, or by another detection name is quite apropos.

A blanket whitelisting or an end-user enable/disable toggle would be foolhardy.
