
Why did Malwarebytes miss something that Norton Anti-virus detected?



Is it possible that Malwarebytes Anti-Malware can miss something that Norton Anti-virus picks up?  I did a Malwarebytes scan and it found nothing.  Then I did a Norton Anti-virus scan (Full Scan) and it picked up two viruses:  0288377485.ord.pdf.exe located in c:/windows/temp/cc15a1.tmp and e m s ( 320950286501108 ).pdf.exe located in c:/windows/temp/cc37cf.tmp

The database for Malwarebytes Anti-Malware was up-to-date.  Is it because it only does a partial scan?  Note, I'm using Malwarebytes Anti-Malware 2.2.1.1043 (but again, the database was up-to-date).


No security program has 100% detection or zero false positives; if they did, there would not be a malware problem.

There are also a number of file types Malwarebytes does not target; you may read this: https://forums.malwarebytes.com/topic/200089-undetectable-malware/?do=findComment&comment=1120724


2.x lacks several capabilities included in 3.0 so that may be why it was missed.  Even with an up-to-date database, the engine in 2.x is not capable of detecting all of the same threats as 3.0 because of new enhancements we've made.  Our Threat scan should check all temp locations because it's a common place that malware likes to install/hide so that shouldn't be the issue.


If I try the 14 day trial of Malwarebytes 3, and then decide to just go with the free service, are those free services the same services we're getting now with Malwarebytes Anti-Malware 2.2.1.1043?  

Can anyone explain how Malwarebytes 3 works?  Is it anything like the Cryptoprevent program where it denies permission to sensitive areas of your computer unless you allow it?  What if I change my computer?  Can I take the Malwarebytes 3 with me to my new computer?  And can it be used simultaneously with Norton Anti-Virus?


OK, the scanner in 3.0 is not the same as in 2.x first off, so even in free mode there are differences in what 2.x can detect compared to 3.0 (things beyond just the new protection features in 3.0 Premium).

As for Cryptoprevent, no, it does not work like that, however it does have an anti-ransomware component which behaviorally detects ransomware among other methods (it also uses heuristics algorithms and a few other types of defensive/detection layers to target ransomware).  Beyond that, it also has exploit protection, standard malware protection (which uses signatures, heuristics and algorithms to target malicious files and executables as well as PUPs and the like), malicious web blocking (to block access to/from malicious websites, malvertisements, command and control servers for botnets etc.) and yes, you can transfer a 3.0 Premium license from one computer to another and you may run it in realtime alongside Norton if you wish (we deliberately test alongside many AVs to verify compatibility).


When I did a Google search for "Malwarebytes reviews", the first result that shows up is from pcmag.com  http://www.pcmag.com/article2/0,2817,2455505,00.asp  For cons, it says "No real-time protection. Missed older malware samples in testing. In testing, some files reported as quarantined were still present."  How do you respond to that?  Is this article referring to the free version or paid version?


Ok thanks.  By "real time" protection, does Malwarebytes 3 check every website as you click on it, every program as you install it, and every email that you receive before you get to read it?

How about the other things that the writer wrote like "some files reported as quarantined were still present."  Is this accurate or is that an outdated article?


11 minutes ago, Outlier said:

By "real time" protection, does Malwarebytes 3 check every website as you click on it,

In the paid version it will block known bad websites.

11 minutes ago, Outlier said:

every program as you install it,

In the paid version.

11 minutes ago, Outlier said:

and every email that you receive before you get to read it?

No, it does not scan email.

 

A respected member here, @David H. Lipman, has a long post that explains MB a little better. I grabbed this one from another site because it was handy at this time. Did not want to do a full copy and paste at the moment.

https://www.bleepingcomputer.com/forums/t/641968/is-malwarebytes-3-considered-an-av/?p=4199138

The below is my personal view. I do not work for MB.

What also needs to be mentioned is that when using an AV, let's say Defender or any other AV, when you download a piece of malware the AV, if it is in the database, will alert to it and take action. Malwarebytes does not act on a file till one of two things happens.

1- You run/execute the file.

2- You scan the file (if in the database) then it is detected.

Malwarebytes does this so as not to "catch" the file at the same time as the AV would, to avoid conflicts. You would not want more than one program fighting over the same file at the same time.

In conclusion, depending on the threat (file type, URL or exploit), the AV or MB will catch it first and mediate. That is called layered security and is what Malwarebytes has been about since the beginning.

There is a lot more coming in the future with MB and I for one support it and look forward to the added protection methods that have been hinted upon in other posts. 

 No ONE solution can catch and mediate every threat. Malwarebytes is there to run alongside your preferred AV solution to catch what the AV might have missed.

 

Hope this answers some of your concerns.

Porthos.

Edited by Porthos

8 hours ago, Porthos said:

Malwarebytes does not act on a file till one of two things happens.

1- You run/execute the file.

2- You scan the file (if in the database) then it is detected.

Thank you for the info.  I did do a Malwarebytes threat scan before the Norton Anti-virus scan.  But I recall that before I did the Norton "full scan", I did the Norton "quick scan" and that did not detect anything either.  It is only when I did the Norton "full scan" that it detected those 2 files in the windows/temp folder.

Anyway, I take it that the paid version of Malwarebytes automatically scans your computer whereas in the free version you have to do it manually?  What's the recommended frequency of scans?  Once a day?

When you visit a website, you mentioned Malwarebytes checks the url against known bad websites.  But if the site is not in the database, does it do anything proactively to check the site for malicious scripts or malware?


1 hour ago, Outlier said:

What's the recommended frequency of scans?  Once a day?

Up to you but the default in the paid version is once a day.

 

1 hour ago, Outlier said:

But if the site is not in the database, does it do anything proactively to check the site for malicious scripts or malware?

No, it does not.


I just read the thread you posted above and it explained the importance of having both anti-virus software like Norton (which would proactively check a website for malware as you visit it, or supposedly it does that), as well as a program like Malwarebytes (which deals with malware in a much more specialized manner than regular anti-virus programs).

By the way, I've seen that forum before from www.bleepingcomputer.com.  A lot of people seem to refer to it.  Is that officially associated with Malwarebytes or is that a separate forum?


One thing I'd like to add here.  There have been a lot of comments regarding web protection and malware protection, which is fine, but our exploit protection is far and away the most proactive component in the paid version of Malwarebytes.  It doesn't rely on signatures or databases and doesn't need to know the source to stop an attack.  For example, if you have an email containing an attachment which is actually a malicious document containing an exploit, Malwarebytes should block it.  If you visit a website which has been hacked or is simply malicious and contains exploits, Malwarebytes should stop it before it infects your system even if the site isn't in our database.  Our exploit protection is how we deal with malicious scripts and the like which attempt to execute exploit code in order to get malicious payloads onto systems to infect them, and by stopping the attack so early in the process, the infection is stopped in its tracks before it has the chance to drop malware files onto the system.  At least that's the idea, and given how frequently exploits are being used these days, it's quite an effective one.  Exploits are being used for not only standard malware such as Trojans and the like, but also ransomware and other more specialized threats and attacks.  This also means that even for files which aren't scanned by our anti-malware component, if they contain exploit code then they should be prevented by our exploit protection.
