
MBAM v3 Test Results


First let me state that I will be performing a simple scan test using MBAM 3, Kaspersky Total Security and SuperAntiSpyware. I consider myself somewhat knowledgeable regarding AV issues on the PC but I'm far from an expert. Currently this test will comprise four steps where I will scan four drives on my desktop with the three applications. Initially I will start all three at the same time and wait until all three have completed before moving to the next step.

I'm interested in discovering the scan time for each application and what each discovers. I DO NOT have any investment in any of the applications other than having purchased them. I welcome constructive comments and suggestions.

  1. Step 1 - Scan C drive - Samsung SSD 840 EVO 500GB
  2. Step 2 - Scan R drive - this is one of my data drives WDC WD60EFRX-68MYMN1, SATA Gen3, 6 Gbps, SN=WD-WX31DC4CKS40, 6TB (RED Drive)
  3. Step 3 - Scan S drive - this is one of my data drives WDC WD40EFRX-68WT0N0, SATA Gen3, 6 Gbps, SN=WD-WCC4E1323843, 4TB (RED Drive)
  4. Step 4 - Scan T drive - this is one of my data drives WDC WD40EFRX-68WT0N0, SATA Gen3, 6 Gbps, SN=WD-WCC4E1294052, 4TB (RED Drive)

Currently I do NOT plan to include any of my seven backup drives, which are installed in my tower and either directly connected to the MB or connected to an LSI SAS9211-8I 8 Port adapter card. This card is NOT in RAID mode; it just serves to attach the drives directly to the MB.

I will be using the system, and daily backups may run during the scans; this may or may not impact the simple test.

System Info

  • CPU AMD Phenom II X6 1090T (6 core processor)
  • Windows 10 Creator
  • 16 GB RAM
  • Motherboard ASRock 990FX Extreme9 (CPUSocket)

Early results of step 1 

  • MBAM scan time 01:48:29, nothing detected
  • SuperAntiSpyware scan time 02:26:37, 421 Threats (Adware)
  • Kaspersky scan time (still scanning estimate 10 hours remaining), so far one threat found

[Attached image: MBAM, KasperskyTS, SuperAntiSpyware Scan 02 2017 0429.png]


Thanks for the suggestions.

Can MBAM replace your antivirus software, possibly yes, look at https://forums.malwarebytes.com/topic/191650-malwarebytes-30-frequently-asked-questions/#comment-1077438

Ref "What you need to do first is find out what those 421 "threats" consist of. I'm guessing this is largely adware and tracking cookies." You are 100% correct, my bust! I meant to say that they are ALL adware; nothing else was found.

Earlier tonight I had to restart the Kaspersky scan. When I came back to my PC the screen was black but the PC was running. I was not able to get a screen image and the PC would only respond to the power button. Even the reset button was ignored. Normally I don't let my PC sleep or the monitors go black, but I do have scheduled hibernation. I powered off; when the system rebooted I checked my Power settings and noticed that the monitors were set to go off after 15 minutes of no use but the PC Power was set to Never (this is what I had previously set). I changed the monitor to Never. After upgrading to Windows Creator LOTS of settings reverted back to what Microsoft sets as defaults. Oh, thank you Microsoft for screwing me again!

The current Kaspersky scan looks like it is about 20% completed and states that about 13 hours are left.

A little bit of why I'm going down this path. For the past several years my PCs have been running 24x7. Some days I spend as much as 18 hours on the PC; this of course does not make the wife happy and I've been trying to scale back. Also I've been monitoring the electrical usage on every breaker in my three electrical panels. One of the biggest users is my office, and in an attempt to be more green I've scheduled my desktop to hibernate during periods of time that I normally would not be using it. Thus all of my backup applications run during the times my desktop, which provides HD storage space for all my system backups and data backups. Currently I have 11 drives in the desktop providing about 50TB of space. The drives that I'm scanning are the data drives; I don't plan to scan the backup drives. Recently my desktop was consuming 100% of the CPU the entire time it was running. I used the Task Manager and Resource Monitor to identify what were the major contributors to the usage. This took me down several rabbit holes and I was not able to quickly find a solution, and it looked like it was going to take a lot of research to find one. At this point I ran Tweaking.Com Windows Repair and it did fix something. Currently with the Kaspersky scan running the CPU is bouncing between mid 50 and mid 70%, which is much better than being pegged at 100%. Currently Kaspersky is consuming between 16-30% of the system (the scan is running). Without the Kaspersky scan at times I see Kaspersky consuming a huge chunk of the CPU, but normally this is intermittent. I have numerous questions regarding how I get better performance, and so far all of the performance tips I've tried have not done anything for me. I have spent numerous hours researching this; possibly my skills are not good enough. Part of the problem is the way I use the PC: for me it is a tool.

Almost always I have 10-30 applications running and I'm constantly bouncing between several of them, and within an application I might have multiple windows open. For example, when I'm doing research it is common that I will have several Word documents open, numerous Chrome windows, several Excel windows, several Outlook emails open and whatever applications help support my research.

Just a bit more on trying to be green. As I said above, I schedule the PC to hibernate twice a day at 0200-1030 hours and 1730-2200 hours. I was expecting to see the electrical power for my office to drop to almost zero but this was not the case. This was because the UPS units were not being powered off when the PC was hibernating. Sorta good/bad news here. There is software that I can use that will power off/on the UPS units (this is the good part) but I can only schedule one cycle (this is the bad part). For now I will set it up for the 0200-1030 hours slot.

Time for bed! BTW Kaspersky now reports that 14 hours remain. Currently I'm scanning a 500GB SSD; I can imagine when I scan a 6TB drive it will take a few days.


  • Staff

Just FYI, this test will not illustrate why we believe Malwarebytes 3.0 is capable of replacing AV protection because it's all after the fact.  We've discovered that most malware gets in these days via exploits, malvertisements, phishing/spam emails and similar tactics.  That alone makes our anti-exploit and web blocking capabilities essential in the equation with regards to full malware protection.  Infecting a drive and scanning it after the fact will only test our reactive definitions in the malware/rootkit scan engine, which is not nearly as proactive in our eyes for preventing most modern threats (it's essentially the same kind of dated approach used by most major AVs these days).

One of the primary reasons we're so confident in Malwarebytes 3.0 as an AV replacement or even just as a proactive solution to malware prevention is because of these additional modules we've added recently that target points much earlier in the attack chain before the malware has even been downloaded to the system.  It's all about prevention by limiting the attack surface and cutting off the most common attack vectors (like malicious ads and exploits that use the web browser, office software, email and similar means).


10 minutes ago, exile360 said:

Just FYI, this test will not illustrate why we believe Malwarebytes 3.0 is capable of replacing AV protection because it's all after the fact.  We've discovered that most malware gets in these days via exploits, malvertisements, phishing/spam emails and similar tactics.  That alone makes our anti-exploit and web blocking capabilities essential in the equation with regards to full malware protection.  Infecting a drive and scanning it after the fact will only test our reactive definitions in the malware/rootkit scan engine, which is not nearly as proactive in our eyes for preventing most modern threats (it's essentially the same kind of dated approach used by most major AVs these days).

One of the primary reasons we're so confident in Malwarebytes 3.0 as an AV replacement or even just as a proactive solution to malware prevention is because of these additional modules we've added recently that target points much earlier in the attack chain before the malware has even been downloaded to the system.  It's all about prevention by limiting the attack surface and cutting off the most common attack vectors (like malicious ads and exploits that use the web browser, office software, email and similar means).

I agree that this test will NOT illustrate that MBAM is capable of replacing AV; my intent is "I'm interested in discovering the scan time for each application and what each discovers." Discovering what each finds might shed some light on MBAM replacing the AV and where MBAM could be improved.

So far my take-away is that MBAM can scan MUCH faster than Kaspersky, e.g. 108 minutes vs about 21 hours (this is an estimate pending the complete scan) for Kaspersky. That being said, if MBAM does not find stuff then being able to scan faster is no big deal. Another question that I cannot answer at this time is the find a false report. I'll have to do more research and possibly I can find an answer. This may be beyond my skills.

So far in the Kaspersky scan it did find one object; here are the details of what it found. Actually it found this yesterday, prior to the weird system issue I described above (monitor went black and I could not get it revived without powering off).

29.04.2017 22.59.56;Detected object (file) not processed;C:\HarddiskVolumeShadowCopy1\Libraries\Educ\Gnomonology-Introduction To 3D Studio Max\tools-ts2ft.rar//daemon406-x86.exe//SetupDTSB.exe;C:\HarddiskVolumeShadowCopy1\Libraries\Educ\Gnomonology-Introduction To 3D Studio Max\tools-ts2ft.rar//daemon406-x86.exe//SetupDTSB.exe;not-a-virus:WebToolbar.Win32.WhenU.a;Legitimate software that can be used by criminals to damage your computer or personal data;04/29/2017 22:59:56)

Kaspersky labeled this find as "Trojan.Win32.Scar.puuh".

FYI I used MBAM to scan the folder "Libraries\Educ\Gnomonology-Introduction To 3D Studio Max\" and it reported a threat "Adware.WhenU".

I have no idea if the Kaspersky and the MBAM find are the same mainly because they labeled the finds differently.

It appears that MBAM is not able to scan the Volume Shadow Copy and obviously Kaspersky can. It would be super nice if MBAM could scan such. :) Because the file/folder is on one of my data drives it would have been discovered when I scanned that drive with MBAM.

Looking at the MBAM scan results it is not easy for me to get to the folder. It would be nice if I could right-click on the results entry and open the folder. If the file found is critical to the contents of the folder then I personally may want to delete the entire folder.

The problem file is a file in a RAR file. MBAM identified the RAR file whereas Kaspersky actually identified the file in the RAR file. Thus Kaspersky produced a more meaningful report (IMHO). I'm sure MBAM could be enhanced to produce a better report.

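The record above packs several things a defender wants to compare against a second scanner's report: the outermost file that actually exists on disk, the archive members nested inside it (joined with `//`), the verdict, and whether the path is a Volume Shadow Copy snapshot rather than a live file. The parser below is an added example written for this thread, not Kaspersky's or Malwarebytes' code; the field layout is inferred from the single record quoted on the page, and the `same_family` check is a constructed heuristic for lining up the two vendors' labels ("WebToolbar.Win32.WhenU.a" vs "Adware.WhenU").

```python
"""Parse a ';'-separated scanner record like the one quoted in the thread.

Added example for this discussion. The field order is assumed from the one
record shown on the page: timestamp;action;object;object;verdict;description.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the record quoted in the thread with the poster's
# trailing commentary removed so only scanner output remains.
SAMPLE_RECORD = (
    "29.04.2017 22.59.56;Detected object (file) not processed;"
    r"C:\HarddiskVolumeShadowCopy1\Libraries\Educ\Gnomonology-Introduction To 3D Studio Max"
    r"\tools-ts2ft.rar//daemon406-x86.exe//SetupDTSB.exe;"
    r"C:\HarddiskVolumeShadowCopy1\Libraries\Educ\Gnomonology-Introduction To 3D Studio Max"
    r"\tools-ts2ft.rar//daemon406-x86.exe//SetupDTSB.exe;"
    "not-a-virus:WebToolbar.Win32.WhenU.a;"
    "Legitimate software that can be used by criminals to damage your computer or personal data"
)

# A path under <drive>:\HarddiskVolumeShadowCopyN\ is a VSS snapshot, i.e. a
# copy of the file as it was, not the file the system currently runs from.
SHADOW_RE = re.compile(r"^[A-Za-z]:\\HarddiskVolumeShadowCopy(\d+)\\", re.IGNORECASE)


@dataclass
class Detection:
    timestamp: str
    action: str
    container: str                 # outermost file that exists on disk
    chain: List[str] = field(default_factory=list)  # nested members, outermost first
    verdict: str = ""
    description: str = ""
    shadow_copy: Optional[int] = None  # snapshot number, None for a live path
    folder: str = ""                   # directory holding the container


def parse_record(line: str) -> Detection:
    fields = line.rstrip().split(";")
    if len(fields) < 6:
        raise ValueError(f"expected at least 6 ';'-separated fields, got {len(fields)}")
    timestamp, action, obj_path, _obj_again, verdict, description = fields[:6]
    # Nested archive members are joined with '//' (rar//exe//exe in the sample).
    container, *chain = obj_path.split("//")
    match = SHADOW_RE.match(container)
    shadow_copy = int(match.group(1)) if match else None
    folder = container.rsplit("\\", 1)[0]
    return Detection(timestamp, action, container, chain, verdict,
                     description, shadow_copy, folder)


def is_pup(verdict: str) -> bool:
    """Riskware/adware verdicts in the sample carry a 'not-a-virus:' prefix."""
    return verdict.lower().startswith("not-a-virus:")


def family_token(verdict: str) -> str:
    """Pull the family name out of a dotted verdict, e.g. 'WhenU' from
    'not-a-virus:WebToolbar.Win32.WhenU.a' (assumed layout: family sits
    just before the trailing variant suffix)."""
    parts = verdict.split(":")[-1].split(".")
    return parts[-2] if len(parts) >= 2 else parts[-1]


def same_family(kaspersky_verdict: str, other_verdict: str) -> bool:
    """Cheap cross-vendor check: does the other product's label contain the
    same family token? Constructed heuristic, not an industry mapping."""
    return family_token(kaspersky_verdict).lower() in other_verdict.lower()


if __name__ == "__main__":
    d = parse_record(SAMPLE_RECORD)
    print(f"snapshot #{d.shadow_copy}, container={d.container!r}")
    print(f"archive chain={d.chain}, PUP={is_pup(d.verdict)}")
    print(f"matches MBAM 'Adware.WhenU': {same_family(d.verdict, 'Adware.WhenU')}")
```

The `folder` field gives the directory the poster wanted to open from the scan result, and `shadow_copy` being non-None is the signal that the hit is a snapshot of a file on a data drive rather than something running on the system.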

  • Staff

Volume Shadow Copy is an archive created by the system.  No active file can be stored there so if an infected file does reside there, it's not infecting your system, and in this particular case it sounds like what you're dealing with is a bundled PUP (adware) which isn't actually a threat (even Kaspersky called it "not-a-virus WebToolbar..." and included the same phrasing "WhenU" meaning both positively identified the same vendor).  If you do a bit of checking on Volume Shadow Copy and what it is, you'll see what I mean.  Also, even if a process were running from that location, Malwarebytes would be capable of detecting it since we look at all processes in memory during scans, regardless of where the file may be stored so the files belonging to those processes get checked no matter where they are.  That means if a threat is active on the system, we'll be able to detect it unless it's specifically been added to our exclusions list.

Regarding archives yes, we only identify the archive.  I believe this is because our engine cannot disinfect an archive currently, it only deletes files, it doesn't unpack/remove individual contents/repack them but I see your point regarding more meaningful info.  The only way to learn which file in an archive is detected would be to unpack it to its own folder first, then scan that folder.  Then you'd know which file Malwarebytes is detecting specifically.


7 hours ago, exile360 said:

No active file can be stored there

I agree, not that I fully understand the Volume Shadow but it is reasonable that nothing is really stored there otherwise the size of the volume shadow would be super huge. Thus I assume that Kaspersky is able to follow some chain and look at the actual file. Good to know but I'm not going to worry about it now that I have a little more understanding of it.

I also now have a better understanding of MBAM in that it cannot dig into archive files of such. I can live with this and take the extra time to dig into the archive file.

I may have to kill the Kaspersky scan. Currently the scan has been running almost 24 hours and states that about 16 hours remain. Thus based on the current test my assumption is that Kaspersky has no idea as to how much time remains. It seems to report some number just to make the user feel good. The main driver behind the idea of killing the scan is that my system is now running at 100% and "Service Host: Task Scheduler" is consuming at least 40%. I've killed the service several times and within a min it is back hogging the system. This of course is impacting the scan as well as everything else on the system. However I do see that Kaspersky has now identified a total of 6 objects. 

Today is a slow day for me and date day with the wife. I will let Kaspersky scan today and hopefully complete the scan and then look at the Kaspersky findings. One of the six I have already researched (see the above).

More thoughts about my test.

  1. MBAM scan performance is super.
  2. SuperAntiSpyware scan performance is about twice as slow as MBAM and found a lot of adware.
  3. Kaspersky scan performance is the pits but it has found objects that "possibly" MBAM should have found (this is assuming MBAM is to replace Kaspersky). In reality MBAM would have found one of the Kaspersky objects when it scanned the actual drive that contained the file. Kaspersky followed some chain/path from the Volume Shadow file to the actual file on another drive. The other objects need research on my part at this time.
  4. I do have some mystery performance issue on my PC that I would like to resolve. At this time I'm not sure just where to start.

2 hours ago, jgt1942 said:

SuperAntiSpyware scan performance is about twice as slow as MBAM and found a lot of adware.

Adware tracking cookies are harmless to the system.

 

2 hours ago, jgt1942 said:

but has found objects that "possibly" MBAM should have found (this is assuming MBAM is to replace Kaspersky). In reality MBAM would have found one of the Kaspersky objects when it scanned the actual drive that contained the file.


A respected member here @David H. Lipman has a long post that explains MB a little better. I grabbed this one from another site because it was handy at this time. Did not want to do a full copy and paste at the moment.

https://www.bleepingcomputer.com/forums/t/641968/is-malwarebytes-3-considered-an-av/?p=4199138

The below is my personal view. I do not work for MB.

What also needs to be mentioned is that when using an AV, let's say Defender or any other AV, when you download a piece of malware the AV, if it is in the database, will alert to it and take action. Malwarebytes does not act on a file till one of two things happen.

1- You run/execute the file.

2- You scan the file (if in the database) then it is detected.

Malwarebytes does this to not "catch" the file the same time as the AV would as to avoid conflicts. You would not want more than one program fighting over the same file at the same time.

In conclusion, depending on the threat (file type, URL or exploit), the AV or MB will catch it first and mediate. That is called layered security and is what Malwarebytes has been about since the beginning.

There is a lot more coming in the future with MB and I for one support it and look forward to the added protection methods that have been hinted upon in other posts.

No ONE solution can catch and mediate every threat. Malwarebytes is there to run alongside your preferred AV solution to catch what the AV might have missed.


  • Staff

Correct, we do not detect EICAR specifically because it is not actual malware.  It's simply a test used by the industry to verify that your antivirus is active and the means which AVs use for detecting this file are frankly quite obsolete these days (generally by HASH or even targeting the specific string of characters/data contained in the file; both of which are so specific/targeted that they're virtually useless in the real world, especially now that threats tend to change on the fly and are polymorphic).  It's no different from our own test website which we use for testing our web protection feature.  While it is certainly useful for verifying that web protection is active/functional, it doesn't say anything about how effective that protection component actually is.


4 hours ago, Porthos said:

Adware tracking cookies are harmless to the system.

I agree!

 

4 hours ago, Porthos said:

A respected member here @David H. Lipman Has a long post that explains MB a little better.

Looks good, I'll have to read through this a few times to digest everything.

Kaspersky finally finished (it reports that it took just over 23 hours; I failed to capture an image) and reported 96 objects. I looked at the report and everything reported is from the Volume Shadow. I did not look at these mainly because they are on other drives, e.g. the real file, and my intent is/was to scan my other three data drives.

The problem I had earlier with "Service Host: Task Scheduler" consuming my system seemed to resolve itself. However Outlook 2013 has stopped working and I need to send some emails. Thus I will reboot my system and see if I can get Outlook working correctly.


  • Root Admin

Off Topic: 50TB at home. Wow, that's a lot of data. Not sure what all you're storing, but if it's important to you then I'd make sure my home insurance covers the full loss of said equipment and data. I would also recommend you categorize your data and all critical data if possible has a duplicate copy in another physical location. I have about 25TB myself but only about 5TB that are critical to me and I have multiple backups of that data. However, a house fire, flood, earthquake, tornado, etc. could render all of my data useless. I only have a few GB stored offline in another location that is ultra critical to me.

Also, with the increase of encrypted data threats, if one were to bypass your security and get onto the computer and start encrypting data you could potentially lose all your data simply by having it connected when not really in use.

Just something to consider.

Backup Software


Cheers

Ron


Ron, much thanks for the input and great link regarding backup. Like you "house fire, flood, earthquake, tornado, etc. could render all of my data useless", I'd be screwed. Currently I don't have any offsite backup. All of my "data" is on four drives (1) C - Boot drive 500GB SSD, (2) R - 6TB, (3) S - 4TB, and (4) 4TB. To backup the OS currently I use Acronis True Image 2017 and I'm also testing the Malwarebytes beta offering. To backup the other three drives I use Syncback Pro and have at least two copies of all data on the R, S, T drives. All backups are spread across 7 drives also installed in the tower. I agree and take the risk this is not the best option. In that I'm retired for the most part all of my business data is not as critical as in the past. All the other data music, audiobooks, woodworking, applications and such would be a royal pain (most likely impossible) to recreate. I could at least backup one copy to external drives that I could put offsite and just run the backup once a month. I'm in the very early stages of a move across country and when that happens I can explore other options.

The past few months I've been (1) trying to determine why my electrical bill is always so high, circuit breaker monitors have been installed and I need to analyze, (2) understand and resolve performance issue on my desktop, frequently one of the OS services will kick off and consume a huge portion of my CPU (at this time I cannot remember the actual service), (3) resolve Outlook 2013 issues (frequently Outlook will freeze and corrupt the PST file), possibly I should switch to something else but the unknown of switching is a big unknown, (4) I have numerous woodworking projects pending.

Regarding the PC issues, I have spent hundreds of hours researching and trying solutions; so far nothing seems to resolve my issues.

Regarding my simple test. I moved to the next phase, e.g. scan my 6TB R drive. Both Kaspersky and SuperAntiSpyware completed successfully but MBAM is hung (see the following image) and I cannot stop or kill MBAM. Currently I've run Kernel Outlook PST repair and I'm waiting for the save of the repair to complete, and then I will reboot my PC. The following image was created yesterday so I could ensure MBAM was hung. I just looked at MBAM and the progress has not changed.

I was just able to finally kill MBAM.

[Attached image: MBAM Scan R 01 Hung 2017 0504.png]

On 4/30/2017 at 10:11 PM, exile360 said:

Correct, we do not detect EICAR specifically because it is not actual malware

...but MBAM detects "mbae-test.exe" to prove that anti-exploit is working, even though "mbae-test.exe" is not an exploit.

There is a saying about "adding insult to injury..."

Personally, considering what MB scans and detects and what it does not detect, I think using any scan other than a threat scan is a waste of time in 99.9% of cases.

Malwarebytes does not target scripted malware files. That means MBAM will not target: JS, JSE, PY, .HTML, HTA, VBS, VBE, WSF, .CLASS, SWF, SQL, BAT, CMD, PDF, PHP, etc.
It also does not target documents such as: PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, RTF, etc.
It also does not target media files: MP3, WMV, JPG, GIF, etc.

It is also not a historical scanner, so as to keep the database lean. That is why samples older than 3 months are not accepted.

22 minutes ago, Porthos said:

It is also not a historical scanner so to keep the database lean. That is why samples older than 3 months are not accepted.

In other words, MBAM is not and is never going to be an antivirus replacement....


7 minutes ago, lock said:

In other words, MBAM is not and is never going to be an antivirus replacement....

Let me fix that for ya.

In other words, MBAM is not at the moment, but when the rest of the new tech that is coming down the road is implemented, it can be an antivirus replacement...

There are more features/tech coming.
