Jump to content

How do I know Ransomware Protection is working


Recommended Posts

I'm running MalwareBytes 3.0 Premium with databases updated 4-5-2017, on win 7 laptop.

How do I know I actually have ransomware protection and that it is working.

Am getting nervous when I hear of increase in ransomware attacks.

Michael

 

Link to post
Share on other sites
  • Staff

Hello @BigMikey

Here is the easiest way to check if your Ransomware protection is turned on:

Open the MB 3.0 UI. Click on the Settings /Protection tab.

You should see that ransomware protection under Real Time Protection should be turned on for a premium licensed product:

 

Ransomware.jpg

Link to post
Share on other sites

@nikhils, We can all see the protection layers on....

How can we test them.... I have serval computers testing the IP protection part as you can read in HERE #64 and #65 but its not reliable so we really don't know if its working.

How about the anti-exploit part as I mentioned HERE.  In previous version we would get a notification that xyz app was protected when we launched it and had a tool to test the anti-exploit app.  In MB3 we get no notifications and testing with the tool is not working.

So the real question is this:  Are we actually protected?

Link to post
Share on other sites
3 hours ago, BigMikey said:

How do I know I actually have ransomware protection and that it is working.

Well... there's this...

An older v3, but probably close to what one might expect.

Link to post
Share on other sites

That is fine and all, but that is not real world testing... if you look at some of the dates on the samples he has they date back to 2016, remember Malwarebytes only goes after current stuff so some of those will not get caught...

I am not worried about it catching samples that I know are malicious from a folder I keep them in, I am worried about protection in the real world while surfing the next and actively using my PC. 

Link to post
Share on other sites
1 hour ago, Firefox said:

That is fine and all, but that is not real world testing... if you look at some of the dates on the samples he has they date back to 2016, remember Malwarebytes only goes after current stuff so some of those will not get caught...

Not real world testing? Tsk, tsk... Let's not overlook what was demonstrated. And "date back to 2016"? My that is prehistoric is it not? Setting such preclusions is normally the last refuge of a poorly coded application, and whenever you read such it's time to run for the exits. Be careful with your defense.

Just because a file is dated 2016 (or earlier) doesn't mean that clicking on that file, or its ilk, in an email attachment, or a website drive-by is of no worry. Or are you saying one can bypass MBAM detection simply by changing a file date back to 2016? Please no.

MBAM should have caught the file before irreversible damage occurred. You may choose to ignore this result at your own peril, but it would be remiss to suggest others discount the same. A newer video is planned over the next month. I suspect the results will be similar, and that there will always be deniers who do so at their own risk.

Link to post
Share on other sites

I am not denying the test... just saying that most users will not have a folder full of malware to test with.  If I speak for a common user (like my family members for example) they want to be surfing the net knowing that MB3 is there to protect them from the bad guys.  They want to be sure its doing its job, not because Malwarebytes says its doing its job, I want to know and see its doing its job by getting notifications, and having proper tools to test with.  Right now there are issues with the Web Protection Module not blocking correctly even with the IP test site.

Changing the date of a file does not do anything to deter Malwarebytes from detecting a file.  What I mean by old samples is that if the sample/malware is not seen in the wild any more, Malwarebytes removes them from their database (mind you the heuristics may catch it). 

As for email attachments, Malwarebytes does not scan incoming email attachments unless a user tries to open the attachment.  For me that is too late.  This is why I have my antivirus program, it scans incoming SMTP traffic.  The antivirus program is the first layer of defense.

 

Edited by Firefox
Link to post
Share on other sites
1 hour ago, Firefox said:

I am not denying the test... just saying that most users will not have a folder full of malware to test with.  If I speak for a common user (like my family members for example) they want to be surfing the net knowing that MB3 is there to protect them from the bad guys.  They want to be sure its doing its job, not because Malwarebytes says its doing its job, I want to know and see its doing its job by getting notifications, and having proper tools to test with.  Right now there are issues with the Web Protection Module not blocking correctly even with the IP test site.

Changing the date of a file does not do anything to deter Malwarebytes from detecting a file.  What I mean by old samples is that if the sample/malware is not seen in the wild any more, Malwarebytes removes them from their database (mind you the heuristics may catch it). 

As for email attachments, Malwarebytes does not scan incoming email attachments unless a user tries to open the attachment.  For me that is too late.  This is why I have my antivirus program, it scans incoming SMTP traffic.  The antivirus program is the first layer of defense.

 

I agree with everything Firefox has said!  I want to KNOW it's working and not MB saying it is...prove it!

Robert

Link to post
Share on other sites

Well said Firefox. I have been chasing my tail with this software since December. My confidence in this program to match its claims has ebbed to almost zero. Just because the dashboard says it's working doesn't mean it is! Not allowing the program to be tested by a reputable organization is not a good look no matter what feeble excuse they provide. This program was released as stable five months ago and in my opinion, is only now only stable enough to be considered for beta testing.   

Link to post
Share on other sites
11 hours ago, Firefox said:

.Changing the date of a file does not do anything to deter Malwarebytes from detecting a file.  What I mean by old samples is that if the sample/malware is not seen in the wild any more, Malwarebytes removes them from their database (mind you the heuristics may catch it).

So are you saying that 2016 malware are too old and not being seen in the wild anymore? You gotta be kidding me. Malwares can survive in the wild for years after released even after there are definitions or heuristics that detects them. I'd agree if it is an overly old malware that can't do harm anymore but a ransomware is far from not doing any harm.

Doesnt matter if the script was sitting on his  desktop, if it were in a malicious website or email attachment  the user would be damned because Malwarebytes wouldn't stop that ransonware from running anyway. Doesn't matter if it is "old", the anti ransomware should catch it.

A 2016 piece of malware is too early to call it old and simply ignore it's threat specially if it is such destructive one as a ransonware.

Link to post
Share on other sites
12 hours ago, Robertiy said:

I agree with everything Firefox has said!  I want to KNOW it's working and not MB saying it is...prove it!

Robert

 

I have yet to encounter an announcement of any kind, anywhere reporting a Malwarebytes 3.0-protected computer as having been compromised by ransomware.

Rather than demanding "MB," as you call them, "prove it" - I would challenge you to prove it is NOT working.

This is a support forum, not a town hall. Feel free to use another product if you doubt its merits.

Link to post
Share on other sites
3 hours ago, axkazex93 said:

So are you saying that 2016 malware are too old and not being seen in the wild anymore?

Not exactly, I am not a malware analyst or in the research team or even work for Malwarebytes.  I can not tell you what is detected or what criteria they use to determine when a piece of Malware gets removed from their list. The point is to really test Malwarebytes we can't just go scan something we have saved in a folder.  True it would be nice to see Malwarebytes catch all the files in that folder, but the true tests are with a user just surfing the next and seeing Malwarebytes in action, blocking pages, drive by downloads and stopping malware in its tracks before it gets on my computer.

3 hours ago, lock said:

If you want to test Antiexploit, somehow Bank of Montreal website would trigger that:

https://www1.bmo.com/onlinebanking/cgi-bin/netbnx/NBmain?product=5

 What exactly do you get when you go to that page?  I went to that page and I get no notifications of a block?

1 hour ago, TheThornWithin said:

I have yet to encounter an announcement of any kind, anywhere reporting a Malwarebytes 3.0-protected computer as having been compromised by ransomware.

There are no announcements of any kind that you speak of, and I highly doubt the Malwarebytes team would publicly make an announcement of how their product failed and compromised a computer.  That being said, if you read though some of the topics in the Malware Removal Area I am sure you can find some where folks are/got infected while having Malwarebytes installed.

I by no means am saying that Malwarebytes is failing.... I just want a good way to test my protection... I for one know that right now the IP Protection is not working 100% on some of my systems.  Going to http://iptest.malwarebytes.org/ does not yield the correct results.  By going to that page, I should get a block notification and the appropriate site that tells me my protection is working.  It does not, I have to refresh the page in order to get the correct results.  Playing devils advocate here, what if I happen to get redirected to a site that is supposed to be blocked?  Is it actually going to block the page, or do I have to hit refresh to see if its actually supposed to be blocked? 

Link to post
Share on other sites

@lock, thanks for the screen shot.  As I had suspected my anti-exploit protection was not working correctly on my computer.

I have since then performed another clean re-install of the latest MB3 and I now get the same block your seeing on that site.

Link to post
Share on other sites

On mine it now blocks in IE and I get no blocks on that site in Firefox or Opera... my default browser is IE (Firefox and Opera are default installs no addons)

Link to post
Share on other sites
7 minutes ago, dcollins said:

VBScript (the exploit being blocked here) does not run on Chrome/Firefox/Opera,

Another reason I have not used IE since the Win 98 days.:rolleyes::P

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.