Why MBAM v3 doesn't detect eicar?

Hello @lock:

You and many others have asked this before in this forum.  Respectfully, the answer remains the same as below.  I'm sure you will agree, in the real world, actual MB3 performance will always be the very best test.

https://forums.malwarebytes.com/topic/193897-eicar-test/?do=findComment&comment=1088482
https://forums.malwarebytes.com/topic/192792-detection-ratio-5354/?do=findComment&comment=1083394
https://forums.malwarebytes.com/topic/198475-how-to-test-mbam/?do=findComment&comment=1112672

Thank you too.

Edited by 1PW

7 hours ago, 1PW said:

I'm sure you will agree, in the real world, actual MB3 performance will always be the very best test.

Hi 1PW,

Indeed, the provided answer seems logical, so I agree with the explanations.

About "actual MB3 performance will always be the very best test": that remains to be proved; for now I have a very good-looking program (MBAM v3) running on my PC, but no detection yet in the last 3 years (besides websites).

Thanks!


  • Root Admin

I've not had a single one ever @lock because I know how to use my computer and how to practice good safe computing practices. Just like driving a car - no accident - you don't have to use your insurance, BUT if you have an accident, car or malware, it's a good thing to have it available to you.


4 hours ago, AdvancedSetup said:

I've not had a single one ever

Yes, but on three different PCs and over 3-4 years?

So, no detection on eicar, no detection on anything else for 3 years, no test report from an independent entity, no....

Not very encouraging...


  • Root Admin

I've not had a single hit for an infection in 20+ years of computing except once, by accident, and I've used every major antivirus out there. Does that mean there are no threats, no infections, no virus out there? No, it means as I said before, I practice safe computing practices. If you're not visiting sites that may infect you, you're not downloading illegal software, etc then it's very likely you won't have any threats blocked. I'm not over on Symantec, Kaspersky, Avira, etc posting their product isn't working because I'm not getting infection attempts blocked.

If you're unhappy with the product we do offer a refund, simply contact the Helpdesk and they'll be happy to assist you.

Thank you

Edited by AdvancedSetup

56 minutes ago, AdvancedSetup said:

I'm not over on Symantec, Kaspersky, Avira, etc posting their product isn't working because I'm not getting infection attempts blocked.

Amen. Cuz this thread got me thinking about calling in and bad-mouthing my smoke detector. Never a peep from that device (unless the detector needs a new battery) even when I trolled it with pictures of a burning building.

Not very encouraging, lol.

Edited by Telos

6 hours ago, Telos said:

in and bad-mouthing my smoke detector

Will your smoke detector "beep" if you go near it with a cigar or other source of smoke?

If "yes", that is what is called "testing".

Now, how can I "beep" MBAM?


7 hours ago, AdvancedSetup said:

If you're unhappy with the product

It is not about being happy or unhappy.

You are asking users to go to war (against viruses) with a gun (MBAM) which can be tested neither by the users nor by anybody else, and we have to rely on the manufacturer's specification, hoping that in a real situation the gun would fire.


3 hours ago, lock said:

Will your smoke detector "beep" if you go with a cigar or other source of smoke close to it?

Not equivalent. Eicar isn't malware. Cigar smoke is real smoke.

3 hours ago, lock said:

Now, how can I "beep" MBAM?

That's easy. Go to MalwareTips or other malware sample sites and download Cerber et al. variants. Run them on your machine and "beep" MBAM.

When you buy an auto, do you ask the seller to test drive it for you? Of course not. You do it yourself.


OK, please be civil. We don't want anyone trying to infect their machines. That said, I may have a safer solution which will still enable you to test your protection. Simply grab a PUP from somewhere like CNET, MajorGeeks or one of the other free software download sites (most of them host at least some PUPs and/or bundled installers these days, unfortunately) and then scan it with Malwarebytes to make certain it is detected, but don't quarantine it, just cancel out of the scan results screen. Once that is verified, try running the PUP installer and Malwarebytes should block and quarantine it, just make certain that PUP detection is set to treat PUPs as malware.

I went ahead and located one and verified it is detected.  Let me know if you need the download link.


But then again.... PUPs, like Eicar, aren't malware. As their name implies they are "probably unwanted", but as posters here have expressed, certain PUPs, such as IObit Advanced System Care, are desirable.

Someone's PUP is another's PWP.


You can simply download (but not install) the Ask toolbar and leave it in your downloads folder, then run a Malwarebytes scan. If you install it, Malwarebytes will also detect it and remove it, provided you have the PUP settings set to treat PUPs as malware.

https://ask-com-toolbar.en.softonic.com/

Correct, just as with EICAR or any other test, all this will do is verify that Malwarebytes' protection is functioning (which is the purpose of any such test files anyway).

Here is a link for a PUP.  Also, the download page is blocked by web protection so you'll need to temporarily disable Web Protection in order to download it.  You may re-enable Web Protection once the download is completed.

www.wisecleaner.com/soft/WRCFree.exe


On 5/9/2017 at 7:23 PM, exile360 said:

Here is a link for a PUP

I ran the PUP provided on VirusTotal, see here:

https://www.virustotal.com/en/file/dfa812def62c467c91e0b15860092d3d81a75ddd1801f042e3e6ac48f44317fd/analysis/1494458706/

The detection ratio is 1 to 61. In other words, only MBAM detects the item as a PUP; everyone else (60 AVs!!!!) did not consider the item a PUP.

Something is fundamentally wrong here.

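The hash lookup lock describes above (reading a VirusTotal detection ratio for a downloaded installer before deciding whether to run it) is the kind of pre-check a practitioner would script rather than click through. The following is an added example; it is not code from the thread, from Malwarebytes or from VirusTotal. It assumes the VirusTotal API v3 endpoint `/api/v3/files/{sha256}`, an API key in the `VT_API_KEY` environment variable, and the v3 response layout `data.attributes.last_analysis_results` (a dict keyed by engine name whose entries carry a `category` and a `result`). The triage thresholds in `classify()` are an assumed local policy, and the sample report is constructed in `build_sample_report()`; the SHA-256 reused as its identifier is the one quoted in the post above.

```python
"""Hash a downloaded installer, look it up on VirusTotal, and read the
detection ratio the way the post above does (1 of 61 engines).

Added example, not code from the thread or from Malwarebytes/VirusTotal.
Assumptions (not stated on the page): VirusTotal API v3 endpoint
/api/v3/files/{sha256}, an API key in the VT_API_KEY environment variable,
and the v3 layout data.attributes.last_analysis_results, a dict keyed by
engine name with "category" and "result" fields. classify() is an assumed
local triage policy, and build_sample_report() fabricates the offline input.
"""
import hashlib
import json
import os
import sys
import urllib.request

VT_URL = "https://www.virustotal.com/api/v3/files/{}"
FLAGGED_CATEGORIES = {"malicious", "suspicious"}
# SHA-256 quoted in the post above; reused here only as a sample identifier.
SAMPLE_SHA256 = "dfa812def62c467c91e0b15860092d3d81a75ddd1801f042e3e6ac48f44317fd"


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def vt_lookup(sha256: str, api_key: str) -> dict:
    """Fetch the existing report for a hash; only the hash leaves the machine,
    the file itself is never uploaded."""
    req = urllib.request.Request(VT_URL.format(sha256), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarise(report: dict) -> dict:
    """Reduce a v3 report to a ratio plus the verdicts of the engines that flagged it."""
    results = report["data"]["attributes"]["last_analysis_results"]
    verdicts = {
        engine: (entry.get("result") or entry["category"])
        for engine, entry in sorted(results.items())
        if entry.get("category") in FLAGGED_CATEGORIES
    }
    return {
        "engines": len(results),
        "flagged": len(verdicts),
        "ratio": f"{len(verdicts)}/{len(results)}",
        "verdicts": verdicts,
    }


def classify(summary: dict, min_consensus: int = 5) -> str:
    """Assumed triage policy: no hits is clean; a handful of hits (such as a
    single vendor's PUP verdict, as in the post above) is a review item rather
    than a block; broad consensus is treated as malicious."""
    if summary["flagged"] == 0:
        return "clean"
    if summary["flagged"] < min_consensus:
        return "review"
    return "malicious"


def build_sample_report(flagging: dict, total_engines: int = 61) -> dict:
    """Constructed stand-in for a v3 report: `flagging` maps engine name to
    its result string; every other engine is filled in as "undetected"."""
    results = {}
    for i in range(1, total_engines - len(flagging) + 1):
        name = f"Engine{i:02d}"
        results[name] = {"engine_name": name, "category": "undetected", "result": None}
    for name, verdict in flagging.items():
        results[name] = {"engine_name": name, "category": "malicious", "result": verdict}
    return {"data": {"id": SAMPLE_SHA256,
                     "attributes": {"last_analysis_results": results}}}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run: hash a local file and query VirusTotal (needs VT_API_KEY).
        digest = sha256_of_file(sys.argv[1])
        summary = summarise(vt_lookup(digest, os.environ["VT_API_KEY"]))
    else:
        # Offline run on the constructed sample: one PUP verdict out of 61 engines.
        summary = summarise(build_sample_report({"Malwarebytes": "PUP.Optional"}))
    print(summary["ratio"], classify(summary), summary["verdicts"])
```

Run without arguments it prints `1/61 review {'Malwarebytes': 'PUP.Optional'}` for the constructed sample; with a path it hashes that file and asks VirusTotal for the report already on file, which is the cheap way to get the ratio without executing anything. The point of `classify()` is that a lone vendor hit labelled as a PUP and a dozen engines agreeing on a trojan are different situations and should not both be read as "detected".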

1 hour ago, lock said:

Something is fundamentally wrong here.

Agree. I have used Wise Free Registry Cleaner without issue. Calling it a PUP is over-reaching IMO. Inferring malware protection by testing against a benign program doesn't inspire confidence.

MBAM frequently identifies programs from Auslogics, IObit and Wise as PUPs without apology.


2 hours ago, lock said:

I ran the PUP provided on VirusTotal, see here:

https://www.virustotal.com/en/file/dfa812def62c467c91e0b15860092d3d81a75ddd1801f042e3e6ac48f44317fd/analysis/1494458706/

The detection ratio is 1 to 61. In other words, only MBAM detects the item as a PUP; everyone else (60 AVs!!!!) did not consider the item a PUP.

Something is fundamentally wrong here.

Yes, that doesn't surprise me in the slightest given our recent shift to being even more aggressive against PUPs than we were in the past (and even back then we were already far more aggressive against them than the AV vendors), not to mention the fact that we've acquired both JRT and ADWCleaner which have both long been the go-to tools for removing PUPs that no one else detects because that's basically all they focus on.

In addition to the info Ron posted above, here's specifically why we detect the product I linked you to as PUP (FYI, it's the same reason we started detecting Advanced System Care and several of PC Pitstop's products as well).  You can refer to our PUP information page as well as this blog article from Malwarebytes LABS for more info.  A quote from the aforementioned blog article:

Quote

Products that use registry cleaning and optimization as a feature to drive sales are considered Potentially Unwanted by Malwarebytes.

Edited by exile360

48 minutes ago, Telos said:

I'm unconvinced, but thanks for your concern.

Is that why MBAM blocked Wise registry cleaner (now I'm starting to sound like @lock, lol)?

Yeah, that's a big part of it. False claims of improved performance and supposed "automatic repair of errors" etc. when the reality is, they're just removing dormant orphaned reg entries that make little (and usually no) difference at all. Not to mention the fact that such tools have often been known to remove things they shouldn't, resulting in them actually causing errors and other problems with software and/or the operating system. Such "tweaking/optimization tools" and "registry cleaners/error fixers" are typically just snake oil, making absolutely no difference in system performance after having run them vs before doing so, and I can't recall too many times (if any, really) that I saw someone post about one of these tools actually solving a problem or fixing an error. Sure, years ago back when software uninstallers were often really bad and would leave loading points behind for files that had been removed you could end up with the occasional "file missing" error or similar, and in those cases, assuming the reg cleaner actually finds it, it can remove the orphaned entry from the registry and eliminate the error, but I haven't seen any software leave behind such entries in years (not since the early days of XP). So now all they're doing is removing things that really don't matter.

They're also incredibly inconsistent; something pointed out by Miekemoes in one of the links in the post Ron linked to above I believe. I've never seen two of these tools detect the same entries/number of entries when run on the same system. In my opinion that right there shows that what they're doing is far from an exact science and can really cause problems when they get too aggressive in order to bump their numbers up (more errors=more problems that need to be fixed, right? So they have incentive to detect more things to persuade the user to pay for the privilege of having the tool "fix" it for them).

This is another reason why we don't detect tools like CCleaner, even though they do have a registry cleaner: they aren't charging anyone for it and they aren't throwing up big red alerts saying that there are "critical issues and errors with your system; purchase a license to have our software repair them immediately!".

It's borderline extortion to provide free scanning only to charge for repair/remediation.  Especially if all of those so-called "critical" errors that they've detected are really that serious.  But the truth is, they never are.  At best they're just harmless leftovers from previously uninstalled software or harmless browser cookies and temp files (the latter of which can easily be removed for free without installing any software at all through the built in functionality in your internet browser(s)) and "repairing" (i.e. removing) them has no real effect on system boot time or performance, even though such tools frequently claim that they do.

Last but not least, such tools are quite often bundled in with other, more desirable (and more useful) software, a practice that we always flag as PUP.

Edited by exile360

By the way guys, just one last thing about PUPs. We completely understand that some of our users and customers will not agree with our PUP policies which is why they're classified as Potentially Unwanted in the first place. That's also why we offer several options to modify how PUPs are dealt with, including whether or not they are even detected at all, providing an option to ask the user before taking action, and providing an exclusions interface to have Malwarebytes ignore individual detections:

PUP settings.png


9 hours ago, exile360 said:

We completely understand that some of our users and customers will not agree with our PUP policies

The issue with MB's PUP policies is that it is all or nothing. As an example, WRCFree is benign. It installs nothing that isn't user initiated. Yet there are other more egregious PUPs that co-install the likes of OpenCandy and telemetry monitoring unbeknownst to most users.

I use MBAM for malware/ransomware protection. But I do so completely on faith, believing (hoping?) that it will protect my systems. Seeing challenge tests against the likes of Cerber (et al.) and worms would be enlightening. Here's one:

As things now stand, MBAM's effectiveness is no more proven to protect PCs from these invaders than Excel offers. :wacko:

Edited by Telos

Great, they're testing protection in a way that no user in the real world will ever encounter these threats.  When was the last time you heard from a user complaining that they deliberately downloaded a .JS file and executed it only to discover that it was a loader for ransomware?  It doesn't happen.  The way that these files execute is normally through the user's web browser, and if these tests were conducted realistically, our anti-exploit protection component would have nailed them, but our exploit protection doesn't guard explorer.exe (the Windows shell, which is what is being used in the above tests to execute those files, not the active scripting component built into the user's browser as it would be in the real world).

This is a prime example of why such tests are pointless because they do not replicate real world situations.  Do some research (if you haven't already) and check out the technical articles about how ransomware works these days and how the threats get in and the methods being used.  And notice how frequently you'll read the word "exploit".  There's a reason for that, and tests like these (just like flat file scan tests and downloading malicious binaries to the desktop and executing them) don't even remotely resemble what actually occurs during a real attack event.

Edited by exile360
