Jump to content

MBAM 3.0 and av-comparatives.org


Recommended Posts

  • Replies 111
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Posted Images

Traditional AV or not if we are told it can replace my existing AV program it should detect, scan and remove viruses as well as other traditional AV programs.  Don't get me wrong I am a big fan of MBAM and have been using the paid version for years.  I just need more convincing it can serve as my sole line of protection.  I realize you can still run MBAM along with your favorite AV program.  As an IT tech I have some customers with limited resources to spend on security apps I would love to be able to tell them MBAM is all they need now.

Link to post
Share on other sites

8 hours ago, nccomp said:

Traditional AV or not if we are told it can replace my existing AV program it should detect, scan and remove viruses as well as other traditional AV programs.  Don't get me wrong I am a big fan of MBAM and have been using the paid version for years.  I just need more convincing it can serve as my sole line of protection.  I realize you can still run MBAM along with your favorite AV program.  As an IT tech I have some customers with limited resources to spend on security apps I would love to be able to tell them MBAM is all they need now.

I believe there's a bit of misinterpretation going on here that I'd like to clear up.  First off, Malwarebytes 3.0 is not an actual antivirus and we have never said that it was.  What we did say and are continuing to say is that it can replace your antivirus software because our protection mechanisms (such as Malicious Website Blocking, Anti-Exploit and Anti-Ransomware) are more proficient at blocking/preventing infection when using the web than a traditional antivirus which relies mostly on signatures to attempt to detect and stop threats (the same signatures used for file scans, for example).

This also means that properly testing our protection is very different from the methods used by many organizations when testing AVs because most of them tend to rely on flat file scans of dormant executables sitting in a folder on the desktop, while much of our signature-less protection relies on detecting and stopping the actual behaviors of malware and malicious scripts/exploits etc. that get the infection downloaded and installed on the system in the first place, thus not only preventing the infection, but even preventing in most cases the infected file/installer etc. from ever reaching your system to begin with, thus trying to be the best at detecting those files becomes pointless and will always be less effective than stopping the malicious behaviors that get the infections onboard.

Now of course there are some tests which actually do replicate real world situations by visiting malicious URLs or running an email attachment for example which contains an exploit designed to get malware onto the user's system, and those are precisely the kinds of tests that we should excel at because they most closely replicate what users actually face when being attacked by malware online.

Flat file scanning/detection does not in any way replicate what users have to deal with in the real world and the actual situations and threats they face, perhaps with the only exception being PUPs (Potentially Unwanted Programs), which we should do quite well against also, even in flat file scan tests since we do still rely largely on heuristics and signatures to detect PUPs.

So the bottom line is, we claim that any user running our software alone should be safe online from becoming infected by malware, and that is what we believe is the most important thing for any security/anti-malware solution (AV or otherwise) to do.  Too many times we've seen users coming to us infected even though they were running a top ranked AV that always does well on the various AV comparison tests, yet they still get infected, we help clean them up free of charge, and they often end up purchasing our software to protect them after that because they see how effective we are in the real world.

But no one has to take our word for it, we offer a free 14 day trial so that any home user can give us a shot to see how we do.  Don't go trying to get yourself infected deliberately of course, as it would be irresponsible for any security vendor to suggest such a thing.  But do feel free to test us out and see if we're able to keep you safe using your computer as you normally would and of course if someone has experience in doing infection testing, feel free to try us out (again, using legitimate methods that actually replicate real world situations, not just scanning "zoos" of malware stored in a folder on a desktop because that doesn't give our Anti-Exploit, Anti-Ransomware, Website Blocking or much of our realtime heuristics capabilities a chance to be included).

I hope this information has been helpful.  Please let us know if there's anything else we can assist you with or any further questions we might answer for you.

Thanks :)

Link to post
Share on other sites

Thank you for that Samuel. Gives me, an ordinary user, an excellent explanation of what Malwarebytes 3 is all about.

I have been using Malwarebytes Pro for many years and had hoped that one day it might be the only security protection I would need rather than having to use another AV along with it. Now with version 3 that day has come and i have it installed on my PCs with no other protection. The app is running smoothly and seems to have no problems on my Win10 64bit PCs.

I am keeping a close eye on things at the moment but am sure that it is doing its job for this ordinary PC user.

Link to post
Share on other sites

 

19 hours ago, exile360 said:

This also means that properly testing our protection is very different from the methods used by many organizations when testing AVs because most of them tend to rely on flat file scans of dormant executables sitting in a folder on the desktop

Dear exile360,

Thank you for your detailed and defensive explanation. As I said before , MBAM would refuse to participate in any testing , claiming that is somehow different, and you just confirmed that.

Have you recently seen the latest versions of major AV's providers? ALL OF THEM   have Malicious Website Blocking, Anti-Exploit and Anti-Ransomware. Yet , most of them have huge signature database , updated hourly, sometime more that 800MB!!! And they are in business for more than 15 years....

Of course the new MBAM 3.0 can claim to be alpha and omega, the only thing you need on your PC and at the same time to refuse to be tested, if this is the desired business model.

Unfortunately, the educated users cannot be fooled so easily.

Just my opinion.... 

Link to post
Share on other sites

We don't refuse to be tested at all.  In fact, there are currently plans being discussed right now to have official testing done by at least one or more of the testing organizations.  But I'm certain one of the requirements will be that the tests be realistic.

As for signatures and frequent database updates, we've still got those as well, however most of our 'signatures' are not your typical hashes and limited scope definitions used by most AVs; instead we use heuristics signatures and algorithms to detect entire families and classifications of threats, so 1 of our signatures does not equal just 1 detected/blocked threat/piece of malware, it equals many and we do have very frequent database updates which go out multiple times a day (usually more than 10 per day) and the only rules/signatures we ever remove from our databases are ones which either a) aren't detecting anything in the wild any more and therefore are obsolete due to that malware/family etc. no longer being found in the wild or b) when we've created a new heuristics signature/algorithm which renders a previous one/ones obsolete because it detects everything the old rule did and more.  I believe that that 800MB+ worth of definitions used by typical AVs contains a lot of defs for old/obsolete infections no longer found in the wild and no longer being used by the bad guys at all.  Think of it this way, do you really need a database which includes a ton of definitions designed to detect viruses that only infect Windows 98 and haven't been found in the wild for over a decade?  In my opinion that's a waste of space and a waste of memory and other resources.

And yes, while many major AVs have such additional layers, our own testing has shown us that they just don't seem to be as effective as the ones we've developed.  I've used several AVs alongside Malwarebytes over the years and I've always seen us block websites that my AVs would miss and our exploit protection has proven to be staggeringly effective.  As for our anti-ransomware, it too has proven to be quite effective at targeting and stopping this currently prevalent threat in the wild.  And it is the combination of all of these protection layers, both those which use signatures as well as those which are signature-less, that we believe renders current AV solutions unnecessary.

Now with all of this said, you don't have to take our word for it and if you believe that you still require an AV to be safe, then please do continue to use one.  As we always have in the past, we continue to build solutions designed not to conflict with other security products and version 3.0 is no different in that regard.  We aren't forcing anyone to abandon their AV and we welcome our users to continue to run them if they so choose.  All that we're saying is that we've finally developed a solution which provides sufficient protection to no longer require an AV in addition to it; something we could never claim in the past.

Edited by exile360
Link to post
Share on other sites

Thanks for the additional info exile360.  I feel a little more confident as to where MBAM positions itself.

For customers looking for the cheapest solution I will start installing MBAM with Defender.  For those willing to spend a little extra I will continue to install MBAM with Bitdefender AV Plus.

Link to post
Share on other sites

On 12/16/2016 at 9:14 PM, exile360 said:

As for signatures and frequent database updates, we've still got those as well, however most of our 'signatures' are not your typical hashes and limited scope definitions used by most AVs; instead we use heuristics signatures and algorithms to detect entire families and classifications of threats, so 1 of our signatures does not equal just 1 detected/blocked threat/piece of malware, it equals many and we do have very frequent database updates which go out multiple times a day (usually more than 10 per day) and the only rules/signatures we ever remove from our databases are ones which either a) aren't detecting anything in the wild any more and therefore are obsolete due to that malware/family etc. no longer being found in the wild or b) when we've created a new heuristics signature/algorithm which renders a previous one/ones obsolete because it detects everything the old rule did and more.  

That's one simple sentence, explaining how things work... ;) Nonetheless, thank you for detailing the inner working for MB 3.0...

I've been using MBAE Premium for 2-3 year and it is one of the layered protection on my desktops. The anti-exploit, similarly to EMET, prevents malware modifying memory buffers to exploit the system. I like MBAE and glad that it is part of the MB 3.0.

Signature is just that, a documentation of the known exploits. Its effectiveness is greatly dependent on the timely discovery of the new exploit/malware. Any signature based protection, including Malwarebytes solutions, is as good as its last update. Let's not pretend that the "heuristics signatures and algorithms" does not have any fallacy.

To a certain extent, this also applies to MBAE. That's due to the fact that technique for exploiting stack overflows, or memory buffer overflows, do evolve as well. For example, EMET 5.5 protects against 14 known buffer overflow techniques. That does not mean there are no other memory exploits out there, like #15 and #16, there could be some lurking around the web somewhere. EMET, MBAE may or may not prevent these new buffer overflow techniques.

With that said...

MB 3.0 is a great solution and certainly better than any A/V out there. Can you replace A/V with MB? Sure, but that's a personal choice. I am glad that Malwarebytes developed their products to be compatible with other security solutions on the same desktop. This allows layered security protection, which in my view a must nowadays...

Link to post
Share on other sites

15 hours ago, nccomp said:

Thanks for the additional info exile360.  I feel a little more confident as to where MBAM positions itself.

For customers looking for the cheapest solution I will start installing MBAM with Defender.  For those willing to spend a little extra I will continue to install MBAM with Bitdefender AV Plus.

You're welcome :) 

As for using Defender or MSE, do keep in mind that there is a performance issue between Microsoft's free AV and 3.0 that we're working on fixing at the moment which can cause system slowdown issues, particularly during system boot and especially during shutdown (sometimes shutdown is slowed to the point where it takes several minutes before the machine finally powers down and we've seen a few instances where it just hung the machine trying to shut down indefinitely, requiring that the machine be forced to power off via the power button).  We're working on this issue, but for now I'd recommend choosing a different free AV solution if you have a customer that requires one, such as Avast!, Avira or AVG; all of which should work alongside Malwarebytes 3.0 without issue.

3 hours ago, dont_touch_my_buffer said:

That's one simple sentence, explaining how things work... ;) Nonetheless, thank you for detailing the inner working for MB 3.0...

I've been using MBAE Premium for 2-3 year and it is one of the layered protection on my desktops. The anti-exploit, similarly to EMET, prevents malware modifying memory buffers to exploit the system. I like MBAE and glad that it is part of the MB 3.0.

Signature is just that, a documentation of the known exploits. Its effectiveness is greatly dependent on the timely discovery of the new exploit/malware. Any signature based protection, including Malwarebytes solutions, is as good as its last update. Let's not pretend that the "heuristics signatures and algorithms" does not have any fallacy.

To a certain extent, this also applies to MBAE. That's due to the fact that technique for exploiting stack overflows, or memory buffer overflows, do evolve as well. For example, EMET 5.5 protects against 14 known buffer overflow techniques. That does not mean there are no other memory exploits out there, like #15 and #16, there could be some lurking around the web somewhere. EMET, MBAE may or may not prevent these new buffer overflow techniques.

With that said...

MB 3.0 is a great solution and certainly better than any A/V out there. Can you replace A/V with MB? Sure, but that's a personal choice. I am glad that Malwarebytes developed their products to be compatible with other security solutions on the same desktop. This allows layered security protection, which in my view a must nowadays...

You may be correct regarding new exploits, however I very recently (a couple of days ago, in fact) brought up this very subject with one of our developers who works directly on many of our new technologies and he told me point blank that our Anti-Exploit module is 100% effective against all exploits, both known and unknown because of its very nature.  He explained that due to the way that exploits work, any so-called 'new' exploit would have to go through one of the methods/means that we've already got completely covered at this point (including any sort of buffer overrun type exploits etc.) so that there should never come any new exploits that we can't already detect and block.  I do not know first-hand if this is accurate or not, but he did sound pretty certain when he told me this and he's never been one to exaggerate in my experience (he's one of the first individuals I ever worked with in this company since I started here, and I even worked with him before I was an employee back when I was doing voluntary beta testing and reporting bugs) so if he tells me that our exploit protection is 100% bullet-proof, I tend to believe him.

Again, I don't have first-hand knowledge of this so I can't say with 100% certainty that what he claims is accurate, but I personally do believe what he's told me as it does at least sound feasible.  I mean if a buffer overrun attack always looks similar/the same in that it's a process trying to write into the memory of another process or outside of the memory space where it's allowed to write (I think that's how they work; I'm no expert on exploits either ;) ), then it makes sense to me that it would be possible to create something capable of flagging such actions no matter what as long as you're always watching the memory of all processes for any divergence in normal behavior.  If other exploit activities work along the same lines, then I could see it being the case that a flawless detection tool could be created as long as the 'rules' built into it are resilient and strict enough.  That's just my own speculation on the subject though, so if someone more knowledgeable on the subject contradicts what I've said, then I'd have to concede it to them unless one of our Devs or Researchers steps in with more technical info.

Link to post
Share on other sites

4 hours ago, exile360 said:

You may be correct regarding new exploits, however I very recently (a couple of days ago, in fact) brought up this very subject with one of our developers who works directly on many of our new technologies and he told me point blank that our Anti-Exploit module is 100% effective against all exploits, both known and unknown because of its very nature.  He explained that due to the way that exploits work, any so-called 'new' exploit would have to go through one of the methods/means that we've already got completely covered at this point (including any sort of buffer overrun type exploits etc.) so that there should never come any new exploits that we can't already detect and block.  I do not know first-hand if this is accurate or not, but he did sound pretty certain when he told me this and he's never been one to exaggerate in my experience (he's one of the first individuals I ever worked with in this company since I started here, and I even worked with him before I was an employee back when I was doing voluntary beta testing and reporting bugs) so if he tells me that our exploit protection is 100% bullet-proof, I tend to believe him.

Even the bullet-proof wests have limitations, defined by the size of the bullet...;)

What if the new exploit is not covered by MB 3.0, or by the MBAE? Buffer overflow exploits do evolve and new ones appear out of nowhere. For example, EMET 2.0 in 2010 had protection against six buffer overflow techniques. The current version 5.5 has protection against 14 buffer overflows, or eight new buffer overflow techniques in six years. MBAE probably follows similar path, in its initial version the software did not cover as many protection as it does now. The point is that there's no such thing as 100% "bullet-proof". Malwarebytes 3.x, a collection of previous products in one software package, might be bullet-proof at current time. And it might stay so until a "bigger-bullet" comes along. 

Please don't take me wrong, I do like Malwarebytes software and I use it. I just don't believe that the company should advertise 3.0 as "Makes antivirus absolete..."

Link to post
Share on other sites

You may be correct, and I asked a similar question when I was discussing this with the Dev, however what he expressed to me was that our means of guarding against such attacks somehow (I don't know the technical details myself) renders it impossible to infiltrate any sort of buffer overflow attack (or any other type of exploit).  Again, I can't speak to how accurate this is, but again, he seemed pretty certain and it didn't sound at all to me like he was saying anything like 'as far as we know' or 'as far as known exploits/methods are concerned'.  I do know that in the past we did have to adapt to new exploit attacks, just as EMET has, but from the sound of the conversation I had with him, he seemed pretty sure that no further updates would be needed going forward to cover any new exploits that might emerge.  I suppose only time will tell though, but I do hope that he is correct because that would be awesome :).

Link to post
Share on other sites

I have been following AV-Comparatives test reports for years.  They have several distinctive tests, from the file detection test, the real world detection test, malware cleanup, performance, retroactive, etc. Very interesting stuff ...

I have also been a fan of Malwarebytes for many years.

I think the direction that Malwarebytes are currently taking as far as malware detection reflects well the direction that malware has taken in recent years.  I believe that the real world test at AV-Comparatives would reflect that the majority of exploits are web based now, and Malwarebytes is well positioned to contain those threats.

At the same time, I feel it would be negligent to ignore the so called "flat file, dormant code" that malware can be distributed as.  A prudent PC user should keep a signature based file scanner running as a baseline detection scheme, along with layered defenses that are signatureless and behavior detection oriented.  The files that we download, the email attachments we save, all could contain dormant malware code.  Why should we wait until this executes to deal with the threat?  Better to scan the files and quarantine the known threats, at least!

Link to post
Share on other sites

On 12/22/2016 at 9:57 PM, Tinstaafl said:

At the same time, I feel it would be negligent to ignore the so called "flat file, dormant code" that malware can be distributed as.  A prudent PC user should keep a signature based file scanner running as a baseline detection scheme, along with layered defenses that are signatureless and behavior detection oriented.  The files that we download, the email attachments we save, all could contain dormant malware code.  Why should we wait until this executes to deal with the threat?  Better to scan the files and quarantine the known threats, at least!

While usefulness of A/V is rather limited nowadays, it is still catching viruses, blocks URLs, etc. Certainly, Malwarebytes has a more advanced protection, but it's not "fool-proof". Layered protection should be on everyone's list, especially when the A/V is still catching viruses. From my recent A/V log:

 

av protection.jpg

Link to post
Share on other sites

On 12/25/2016 at 3:09 PM, dont_touch_my_buffer said:

While usefulness of A/V is rather limited nowadays, it is still catching viruses, blocks URLs, etc. Certainly, Malwarebytes has a more advanced protection, but it's not "fool-proof". Layered protection should be on everyone's list, especially when the A/V is still catching viruses. From my recent A/V log:

 

I agree.  However I no longer purchase the AV "Security Suites" or "Total Security" package as some call it.  I just get the basic AntiVirus and then MBAM along with it.

Link to post
Share on other sites

  • 2 weeks later...
  • 3 weeks later...
  • 3 weeks later...

https://forums.malwarebytes.com/topic/196567-can-malwarebytes-30-replace-anti-virus/

Firefox

  • Forum Deity
  •  
  • Firefox
  • Trusted Advisors
  •  
  • 15,368 posts
  • Location: USA

Hello and Welcome

I would still run an antivirus program myself, as Malwarebytes really is not a full fledged antivirus program.

Edited by deucy14
added link related to material posted
Link to post
Share on other sites

On ‎12‎/‎18‎/‎2016 at 9:02 PM, nccomp said:

Thanks for the additional info exile360.  I feel a little more confident as to where MBAM positions itself.

For customers looking for the cheapest solution I will start installing MBAM with Defender.  For those willing to spend a little extra I will continue to install MBAM with Bitdefender AV Plus.

That's my current set up, been running that for years,  they play very nicely together and haven't had a infection in years!

Link to post
Share on other sites

Exile360 stated:

Quote

As for using Defender or MSE, do keep in mind that there is a performance issue between Microsoft's free AV and 3.0 that we're working on fixing at the moment which can cause system slowdown issues, particularly during system boot and especially during shutdown (sometimes shutdown is slowed to the point where it takes several minutes before the machine finally powers down and we've seen a few instances where it just hung the machine trying to shut down indefinitely, requiring that the machine be forced to power off via the power button).  We're working on this issue, but for now I'd recommend choosing a different free AV solution if you have a customer that requires one, such as Avast!, Avira or AVG; all of which should work alongside Malwarebytes 3.0 without issue.

Why is this not in the Know Issue thread for MB 3??

Looks like a serious problem  since MB3 will not auto disable Defender when installed. Your customers should have been made aware of this from the start. It also concerns me that this is the first time I have seen this statement. A lot of people running Windows 10 use Defender.

Why was this product released with so many problems and then no one is told about the problems.

My faith in Malwarebytes is going down hill every time a problem like this is not revealed to its customers.

Hide the problems but tell everyone that MB 3 is all you need. Shameful. :excl:

Jim  

 

Link to post
Share on other sites

8 minutes ago, Phone Man said:

Exile360 stated:

Why is this not in the Know Issue thread for MB 3??

Looks like a serious problem  since MB3 will not auto disable Defender when installed. Your customers should have been made aware of this from the start. It also concerns me that this is the first time I have seen this statement. A lot of people running Windows 10 use Defender.

Why was this product released with so many problems and then no one is told about the problems.

My faith in Malwarebytes is going down hill every time a problem like this is not revealed to its customers.

Hide the problems but tell everyone that MB 3 is all you need. Shameful. :excl:

Jim  

 

Agreed! There is a windows profile issue that they seem to not want to acknowledge also.

Link to post
Share on other sites

Could it be it that conflict was not known between MB 3 and Defender ?  Or is that too naive ?

I used the two together for a number of weeks on a laptop, even with MB 3 marked in my Control Panel / Action Center  as being on board. 

Windows 8.1

Version 6.3  (Build 9600)

Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz 2.60 Ghz

64-bit Operating System, x64 based processor

Link to post
Share on other sites

 

Apparently room for difference in opinion / style of operating :

 

https://forums.malwarebytes.com/topic/196567-can-malwarebytes-30-replace-anti-virus/

Firefox

  • Forum Deity
  •  
  • Firefox
  • Trusted Advisors
  •  
  • 15,368 posts
  • Location: USA

Hello and Welcome

I would still run an antivirus program myself, as Malwarebytes really is not a full fledged antivirus program.   [ my--deucy14-- use of bigger font for attention to this statement ]

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.