Ransomware module does not work against WannaCrypt??


If I disable the malware module but keep anti-ransomware ON and run the WannaCrypt virus from this YouTube test, the virus encrypts my files.

https://www.youtube.com/watch?v=k1Zx9XEMX7A

Is anti-ransomware not working?? If a new ransomware tries to encrypt my files, what is going to happen??

I ran this test in a Windows 10 32-bit virtual machine, with Malwarebytes mb3-setup-consumer-3.1.2.1733-1.0.160-1.0.2251.exe, updated.

Do the test yourself.

9 hours ago, ibus00 said:

If I disable the malware module but keep anti-ransomware ON and run the WannaCrypt virus from this YouTube test, the virus encrypts my files.

Hello and Welcome...

Malwarebytes has many modules for your protection that work hand in hand to protect you from malware, including WannaCrypt. That being said, your test is not a real-world scenario; most users will not have the executable file sitting in a folder ready for you to infect your computer. MB3 modules would have protected you from getting the file on your computer in the first place.

Now to address the start of your test: you disable modules from Malwarebytes before running your test. This is like getting in a car to test how it handles a crash, but before you do that, you remove your seat belt to see how the car protects you in the accident.

OK, I understand my test is not "real", but what if I want to test this: if I download a new ransomware and the malware module misses it, the second line of defense must be the ransomware module, but if this module does not detect encrypting activity, isn't there something wrong?

Try to see it like this: Malwarebytes has 4 protection modules, which are Web, Malware, Ransomware and Exploit.

Now, how would Malwarebytes protect you if you were to download a file that turns out to be a Ransomware (like WannaCrypt)?

Web Protection Module: Blocks the connection to the host where the payload is downloaded from. Infection prevented. 

OR

Anti-Exploit Module: You're browsing the web, get it by a malicious ad (malvertising ad) which leads to an Exploit Kit (EK) but the Anti-Exploit module blocks the exploit. Infection prevented.

Now, let's assume that the Web Protection Module failed and the Ransomware got downloaded.

Malware Protection Module: Malwarebytes detects a newly created file on the system, scans it, finds out that it's a Ransomware and quarantines it. Infection prevented.

But what if the payload isn't in Malwarebytes' database? Let's assume this for the sake of our explanation.

Anti-Exploit Module: The payload gets executed and (like many Ransomware) tries to use an exploit to gain higher privileges, but the Anti-Exploit module detects it, blocks it and it gets quarantined. Infection prevented.

And last but not least, what if the payload doesn't use any exploit and runs in user-mode? Well...

Anti-Ransomware Module: Malwarebytes notices that a process is showing Ransomware-like behavior, blocks it, terminates it and quarantines it. Infection prevented.

So you have 4 lines of defence when you use Malwarebytes Premium, and some modules can also kick in multiple times during the chain of infection in order to block the infection process at the beginning, or at the end (the end being where the process is actually launched and does its bad stuff).

That's how I see it.

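The Anti-Ransomware step in the chain above is described only as "Ransomware-like behavior". As an added example that is not Malwarebytes' code, here is a toy behaviour-based detector run over constructed file-event records: a process that rewrites many distinct files in a short window, changing their extension and writing encrypted-looking (high-entropy) content, is flagged, while an ordinary document save or a single archive operation is not. Process names, paths, thresholds and byte patterns are all constructed assumptions.

```python
"""Added example (not Malwarebytes' code): a toy behaviour-based detector in
the spirit of the Anti-Ransomware layer above. Thresholds, paths, process
names and byte patterns are constructed assumptions, not real telemetry."""
import math, os
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted/compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def score_processes(events, window_s=10.0, min_files=8, min_entropy=7.0):
    """Return the set of process names whose writes look like mass encryption.
    events: (timestamp_s, process, src_path, dst_path, bytes_written)."""
    per_proc = defaultdict(list)
    for ts, proc, src, dst, data in events:
        ext_changed = os.path.splitext(src)[1] != os.path.splitext(dst)[1]
        per_proc[proc].append((ts, src, ext_changed, shannon_entropy(data)))
    flagged = set()
    for proc, evs in per_proc.items():
        evs.sort()
        for i, (t0, _, _, _) in enumerate(evs):
            # Sliding window: distinct files rewritten with a new extension
            # and high-entropy content within window_s of event i.
            burst = [e for e in evs[i:] if e[0] - t0 <= window_s]
            hits = {src for _, src, chg, ent in burst if chg and ent >= min_entropy}
            if len(hits) >= min_files:
                flagged.add(proc)
                break
    return flagged

# Constructed sample events (no real malware): a deterministic byte pattern
# with maximal entropy stands in for ciphertext.
ENCRYPTED_LIKE = bytes((i * 7919) % 256 for i in range(4096))
PLAINTEXT_LIKE = b"Minutes of the lab meeting, draft report v2. " * 90
SAMPLE_EVENTS = (
    [(0.5 * i, "important.pdf.exe", f"C:/Users/u/Docs/file{i}.docx",
      f"C:/Users/u/Docs/file{i}.docx.locked", ENCRYPTED_LIKE) for i in range(10)]
    + [(3.0, "winword.exe", "C:/Users/u/Docs/report.docx",
        "C:/Users/u/Docs/report.docx", PLAINTEXT_LIKE)]      # ordinary save
    + [(4.0, "7z.exe", "C:/Users/u/Docs/backup.tar",
        "C:/Users/u/Docs/backup.7z", ENCRYPTED_LIKE)]        # one archive, no burst
)

def detect_sample():
    return score_processes(SAMPLE_EVENTS)  # -> {"important.pdf.exe"}
```

Lowering `min_files` shows why the burst threshold matters: with `min_files=1` the archiver's single high-entropy rename is flagged too, which is exactly the false positive a behaviour-based module has to avoid.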
1 hour ago, ibus00 said:

OK, I understand my test is not "real", but what if I want to test this: if I download a new ransomware and the malware module misses it, the second line of defense must be the ransomware module, but if this module does not detect encrypting activity, isn't there something wrong?

Nobody tested MBAM independently so far, so there is no guarantee that one module or another is in fact working as described.

10 minutes ago, Aura said:

There are tons of independent tests of Malwarebytes around the web (from organisations such as AV-Test to simply YouTube videos).

Where would you get that from?

Can you post a link from AV-Test, please?

25 minutes ago, Aura said:

Sure, if you need me to Google anything else for you, just let me know.

https://www.av-test.org/en/av-test/marketing/malwarebytes/

This is a test for MBAM 1.05, for Android, done in 2005, which has no relevance to the ransomware module present in v3, which is the subject at hand.

But it does feel good to be sarcastic, doesn't it?

Quote

This is a test for MBAM 1.05, for Android, done in 2015

Fixed.

Quote

But it does feel good to be sarcastic, doesn't it?

Well, I answered your question the way it was asked. But to answer your question the way you want it answered then no, AV-TEST and AV-Comparatives haven't tested Malwarebytes 3 yet.

And to answer your question even more:

https://forums.malwarebytes.com/topic/192225-mbam-30-and-av-comparativesorg/?do=findComment&comment=1080896
https://forums.malwarebytes.com/topic/192225-mbam-30-and-av-comparativesorg/?do=findComment&comment=1081211

@Telos Again, where did the file come from and where was it executed from? Again, even though you don't actually turn off any protections, running the already downloaded payload actually bypassed both the web blocking and the anti-exploit modules of Malwarebytes.

Still NOT real world test.

Hi,

Here is a document outlining why MBAM only participates in certain tests. Most YouTube videos show simplified testing methods that do not give accurate results, as Porthos already pointed out. (In case you think testing agencies are not that stupid: I once read a report by MRG Effitas that tested the capabilities of Sandboxie against keyloggers.)

That said, I do agree with Iock that the number of tests that Malwarebytes participates in could and should be higher. I'd like to see the comparison between Malwarebytes and the competition in a fair match. I couldn't find it. CRDF seems to have tested MBAM, but I can't find their site anymore. I would welcome any links to a valid test of Malwarebytes 3.0 or 3.1.

Regards,
Durew

14 minutes ago, Porthos said:

Still NOT real world test.

What if I receive the malware as an attachment to an email from a contact in my address book? And I unwittingly open it?

Even so, where is the real world test video? And why is the malware removal forum so active?

4 minutes ago, Telos said:

Even so, where is the real world test video? And why is the malware removal forum so active?

You'll notice that a lot of users posting in the malware removal section don't have Malwarebytes Premium installed, or even Malwarebytes at all :) 

1 minute ago, Telos said:

What if I receive the malware as an attachment to an email from a contact in my address book? And I unwittingly open it?

That would be a real test.

MB would have the chance to do its job completely. It would probably block the payload being downloaded and executed.

4 minutes ago, Telos said:

And why is the malware removal forum so active?

Because most of those people are not using the premium version. Also, if you look at many of the logs, some users are actively pirating expensive software, which also leads to malware in many cases.

Quote

Also, if you look at many of the logs, some users are actively pirating expensive software, which also leads to malware in many cases.

This too. A lot of users that ended up being infected with CertLock downloaded a crack, activator, loader, etc. for Microsoft products (in most instances, something called Microsoft Toolkit Final). Who knows, maybe Malwarebytes blocked the install of their crack the 1st time, but the user chose to ignore the warning, tell Malwarebytes to stand down and install it anyway. Can you really blame Malwarebytes for that? No. There's no security system that is human-proof if the human willingly allows something to go through.

Hi Porthos/Aura,

I don't consider myself an expert in judging the validity of tests, thus I'd like your opinion on this report. It seems quite legit to me. The only protection bypassed is the exploit protection but as Telos mentioned, via social engineering ("legit looking email with important 'PDF' attached") an exploit is not always required for infection.

Could I have your view(s) on this?

Regards,
Durew

8 minutes ago, Telos said:

What if I receive the malware as an attachment to an email from a contact in my address book?

Rule #1 of email safety: DO NOT open attachments from anybody without verifying that the sender actually sent it. I also scan EACH attachment with VirusTotal as well.

Email sender addresses can be and are spoofed all the time.

For the most part it is not those attachments. It is the ones that say they are from a shipping company, bank or other company that NEVER sends attachments to anybody that catch most people.

5 minutes ago, Durew said:

The only protection bypassed is the exploit protection

5 minutes ago, Durew said:

("legit looking email with important 'PDF' attached")

Why do you think Adobe is one of the default protected programs in the anti-exploit module?

4 minutes ago, Porthos said:

Rule #1 of email safety. DO NOT open attachments from anybody without verifying that the sender actually sent it.

From a security perspective I fully agree. From a practical perspective less so. When the boss of my lab sends out the report of the last meeting, she is not going to be pleased with sixty phone calls to verify authenticity, while with only a little inside knowledge someone could send a fake one a bit earlier than the real report.

Just now, Porthos said:

Why do you think Adobe is one of the default protected programs in the anti-exploit module?

I was referring to the "important.pdf.exe" files with a good-looking logo 'n stuff. I have extensions visible by default, but most don't have that. And on my lesser days I may fall for it as well.

Thanks for your speedy reply.

Regards,
Durew

5 minutes ago, Durew said:

I was referring to the "important.pdf.exe" files with a good-looking logo 'n stuff. I have extensions visible by default, but most don't have that. And on my lesser days I may fall for it as well.

In my opinion, everyone should be using a fully supported (not just updates) OS. There are only 2 that fit that: Win 8.1 and 10. Both of those have Defender built in.

I troll the malware submissions forum on a daily basis. Most of the files that are reported there are detected by Defender, so much so that I am spending less time reporting the non-detected files, because Defender grabs them as soon as I extract the zip file.

1 hour ago, Porthos said:

Rule #1 of email safety: DO NOT open attachments from anybody without verifying that the sender actually sent it. I also scan EACH attachment with VirusTotal as well.

You and I do that. But few others. Big risk, and software heuristics should carry the weight of detection.

1 hour ago, Porthos said:

That would be a real test.

MB would have the chance to do its job completely. It would probably block the payload being downloaded and executed.

How is executing an email attachment different from running the file from the Desktop? Doesn't that have the same effect?

1 hour ago, Porthos said:

Some users are actively pirating expensive software, which also leads to malware in many cases.
1 hour ago, Aura said:

A lot of users that ended up being infected with CertLock downloaded a crack, activator, loader, etc. for Microsoft products

That's a problem/thread in itself, and Malwarebytes should stand aside. If it is discovered that a system is running an illegal OS, pirated software, cracks, or keygens (for example by FRST scans), Malwarebytes should deny/suspend anti-malware support.

4 minutes ago, Telos said:

That's a problem/thread in itself, and Malwarebytes should stand aside. If it is discovered that a system is running an illegal OS, pirated software, cracks, or keygens (for example by FRST scans), Malwarebytes should deny/suspend anti-malware support.

Sending you a PM regarding this.

1 minute ago, Telos said:

That's a problem/thread in itself, and Malwarebytes should stand aside. If it is discovered that a system is running an illegal OS, pirated software, cracks, or keygens (for example by FRST scans), Malwarebytes should deny/suspend anti-malware support.

That has been discussed at length. Malwarebytes is not the internet software police. Everyone including those users will still get help. 

3 minutes ago, Telos said:

How is executing an email attachment different from running the file from the Desktop? Doesn't that have the same effect?

In that video, the attachment was not run. They ran the already downloaded payload. Web blocking and anti-exploit did not have a chance to react. 
