What have I gained with MBAM 3


Yes, but Malwarebytes v 3 (when they eventually get the bugs out of it) promises to offer several layers of protection in addition to those in v 2. So it seems pretty much a no-brainer - nothing to lose and perhaps much to gain by upgrading to V 3 (when they get the bugs out!).


@Peter2150, if you haven't already done so, I would recommend seeing the following topics in the Malwarebytes 3.0 FAQ sticky post in this section. That should answer your question around the benefits of Malwarebytes 3.0.

If you still have any additional questions that are not covered, please post them.


Hi Peter2150,

MBAM2 is not foolproof. See this test report: https://www.mrg-effitas.com/wp-content/uploads/2016/11/MRG-Effitas-360-Assessment-Q3-2016.pdf
As such, most people prefer to have multiple layers so the failure of one does not mean getting infected. MBAM3 provides (some of) these layers.

I hope this clarifies.

Regards,
Durew


41 minutes ago, Peter2150 said:

But you are still totally missing the point of the question. I know it offers additional layers of protection, but what is the point if MB2 already detects everything?

 

37 minutes ago, Peter2150 said:

Hi Alex

I know all about MB3; I've been testing it and have reported bugs. BUT if I test against something nasty like Goldeneye ransomware, and MB2 catches it just as well as MB3, what have I gained with MB3?

Pete

@Peter2150, I don't think I was missing the point of your question. Your question is effectively asking "why do I need Malwarebytes 3.0 if Malwarebytes Anti-Malware 2.x can detect and remove X?", correct? If I am getting it wrong, then please clarify where I am messing up.

If I am understanding it correctly, then the answer to your question is that there is more involved with protecting and fighting against malware than reactively scanning for file infectors in a VM environment like you tested. I know it's going to sound like I am repeating what has been said before, but Malwarebytes 3.0 brings you the additional proactive protection users need while also improving our existing technologies into a single application. For example, here are a few tangible benefits (not all of them, just some quick examples):

  • Faster malware scan times
  • Proactive signature-less protection against exploits in common applications
  • Proactive signature-less protection against ransomware
  • Can be run alongside other security applications or as a standalone with integration of the Windows Action Center/Security Center

With that being said, here is a recent thread with a response from our staff related to Malwarebytes 3.0, testing, and real-world scenarios that may help provide even more context.

If you still have questions, please keep them coming. After all, we are here to help!!

Edited by AlexSmith

1 hour ago, TempLost said:

(...) v 3 (when they eventually get the bugs out of it) promises to offer several layers of protection in addition to those in v 2. So it seems pretty much a no-brainer - nothing to lose and perhaps much to gain by upgrading to V 3 (when they get the bugs out!).

^The gain in bugs got me back to 2.x... Never mind running faster, I'll give another try to 3.x once it has learned how to walk without falling :P


Hi Alex

I am now responding and asking more questions, and it actually is a simple question. Has the ransomware module actually been real-time tested? Also, if the answer is yes, could you provide any actual proof it works?

 

Thanks,  

Pete

 

Oh and please don't use the word vectors in your answer.

Edited by Peter2150

  • Staff

The main problem is you are testing with something already known to us. So the same signature is being used on both versions.

Test with a ransomware mbam 2 misses and mbam3 anti ransomware should in theory stop it based on behaviour and execution and not using a signature.

Also testing with mbam 3 is not your standard testing. It's tuned to how infections occur in the wild. Just scanning a file with mbam 3 won't always yield a detection result. The in the wild infection attempt has to be duplicated for anti exploit or anti ransomware modules to work in mbam 3. When just scanning a file, these modules won't come into play as it's not a real world infection attempt. Basically it shuts the door on infection attempts from the wild.


Hi Rich

Everyone makes the same assumption, so let me explain how I tested.

1. I am using real live malware (in a VM) and running it against several products, but in particular MB3. With the exception of some scripts and scr files it has detected everything.

But the real test, using 22 pieces of malware:

Turning off ransomware and exploit protection, the malware module stopped all samples except one scr file. Excellent. MBAM indicated it was malware protection blocking.

But:

Turning off everything except Ransomware and nothing was blocked, nothing. So where is the extra layer?


No intrusion. mrtee, just pretend you didn't read that answer. They have a really bad script writer generating answers. You can scan anything, even single files and it does a pretty decent detection job. In fact in same case I deactivate my key and just prescan files and it does great.


  • Staff
38 minutes ago, Peter2150 said:

But:

Turning off everything except Ransomware and nothing was blocked, nothing. So where is the extra layer?

What wasn't blocked? Are you physically executing the ransomware against the anti ransomware component? Are you running it from the location as it would have been seen in the wild? Like temp?

If this is all true, if you can PM me the md5 of the sample I could take a look and see why. We do have some updates coming out in a few days for some new variants to the anti ransomware and anti exploit modules. This is the advantage of mbam 3 in that we can update engines without having to release a whole new version. In 2.x and earlier the engine isn't upgradeable to adapt to new threats without a whole new version.

All these modules are designed to work together in three. What one module may miss the others should hopefully catch.

 

For example, say you get a nemucod script emailed to you.

Anti exploit module would stop it from downloading the payload.

If it gets by the anti exploit module and it's a ransomware payload then that module should get it on behaviour.

If none of this happens then the main engine kicks in to try to stop it.

 

This is also assuming not running in free mode but either trial or paid.

Anti ransomware works on an executable file only. If it detects ransomware behaviour it only kills that file. The main engine is what can clean up the traces.

 

Mrtee, Mbam works on actions and signatures. Layered approach as described above.

 

 

Edited by shadowwar