
Ransomware module not work against wannacrypt??



34 minutes ago, Porthos said:

They ran the already downloaded payload. Web blocking and anti-exploit did not have a chance to react

I seem to be missing something. How does anti-exploit prevent an attached executable (disguised as a more legit file-type) from being executed? As no software vulnerabilities are used I don't see when it would trigger.

To return to the MRG Effitas report (https://www.mrg-effitas.com/wp-content/uploads/2017/05/MRG-Effitas-360-Assessment-2017-Q1_wm.pdf). It uses Windows 10. The premise of downloading and trying to execute a malicious file doesn't seem unreasonable. (As discussed before with the e-mail attachment scenario.) Does the report look like a valid test to evaluate MBAM 3?

I hope someone can give me some insight here.

Regards,
Durew


33 minutes ago, Durew said:

It uses Windows 10. The premise of downloading and trying to execute a malicious file doesn't seem unreasonable. (As discussed before with the e-mail attachment scenario.)

With Win 10 in the real world, Defender would be on as well and I am sure they disabled it during these tests. I would love to see someone do tests without disabling a Win 10 security feature.

This test was done less than 2 months after release. I would love to see it tested now.


1 hour ago, Porthos said:

That has been discussed at length. Malwarebytes is not the internet software police

There's a difference between policing and reporting the user, and taking the moral ground and denying support. No one suggested reporting offenders, but rather let's not enable their crimes. Seemingly MB has little qualms about the latter.


2 minutes ago, Telos said:

There's a difference between policing and reporting the user, and taking the moral ground and denying support. No one suggested reporting offenders, but rather let's not enable their crimes. Seemingly MB has little qualms about the latter.

It doesn't really have to do with enabling crimes, but rather keeping our users protected. What if a virus finds a way to either deactivate Windows, or trick a piece of software into thinking it's deactivated? If that user couldn't use MB3 on that machine, they're now unprotected, infected, and can't get cleaned up. There's a lot of implications that come into play when we start disabling protection based on symptoms of a machine, especially if those machines are/could be infected.


Just now, Telos said:

Seemingly MB has little qualms about the latter.

That is true and company policy. The issue is we can NOT prove HOW or WHO loaded the pirated programs. Could have been a friend or even a paid repair shop that installed the software (happens all the time). We are not allowed to call them pirates and deny support for a malware issue.

 


59 minutes ago, dcollins said:

There's a lot of implications that come into play when we start disabling protection based on symptoms of a machine, especially if those machines are/could be infected

My comment was about denying forum disinfection support, not crippling or disabling machine protection or MBAM. Sorry if I was unclear.

We're way off topic here, so I'll let MB's piracy policy (or lack of policy) drop on this thread. There's a reason for why it is what it is, and that's a topic for another thread (or another forum) :rolleyes:

Meanwhile back to ransomware... here's one approach that works for those non-real world tests...

 


5 hours ago, Porthos said:

@Telos Again, where did the file come from and where was it executed from? Again, even though you don't actually turn off any protections, running the already downloaded payload actually bypassed both the web blocking and the anti-exploit modules of Malwarebytes.

Still NOT real world test.

 

We are not talking about web blocking and anti-exploit modules, we are talking about the ANTI RANSOMWARE module, which is supposed to protect the user against ransomware-like behavior.

I was able to run (and encrypt files) on my PC with Wannacry virus from YouTube and I got ZERO reaction from the antiransomware module of MBAM.

At this point, I concluded that the antiransomware module is a pure marketing item and MBAM relies on the other modules to provide (some sort of) protection.


5 minutes ago, lock said:

MBAM relies on the other modules

NO ONE EVER SAID it didn't. MB IS a TOTAL package. Take it or leave it but cease the constant trolling, please.

And there is also some more tech on the way. But has not been activated yet.

 


8 minutes ago, Porthos said:

NO ONE EVER SAID it didn't. MB IS a TOTAL package. Take it or leave it but cease the constant trolling, please.

And there is also some more tech on the way. But has not been activated yet.

 

As a paying customer (I have 5 lifetime licenses) I believe I deserve an answer!

MBAM v.3 has 4 distinct modules, which can be activated / deactivated individually, so NO, it is not a TOTAL PACKAGE; in a total package, you will have all shields / modules amalgamated without the possibility of disabling any of them (see BitDefender free).

Each module has a distinctive name and is supposed to perform a certain function.

If I want to test Web protection, I will access a particular malicious website and expect a trigger from this module (not from another module).

Following the same logic, if I want to test the antiransomware module, I execute a ransomware and I expect a trigger from that particular module.

Well, I did not get anything from the antiransomware module, so it seems to be logical to conclude that it is a marketing item only.

Feel free to prove me wrong and find anywhere on the internet a test in which the antiransomware module of MBAM offered real protection against any type of ransomware.

Thanks!

 


1 hour ago, lock said:

Each module has a distinctive name and is supposed to perform a certain function.

+1 Once upon a time... not long ago... MB's Anti-Ransomware was a standalone product... As is MB's Anti-Exploit's continuing standalone beta today.

and here...

https://blog.malwarebytes.com/malwarebytes-news/2016/01/introducing-the-malwarebytes-anti-ransomware-beta/

The fact that MB's Anti-Ransomware was rolled up into v3 shouldn't diminish its protection.

Edited by Telos

I purchased Malwarebytes years ago on reputation, not what "tests" show. I got hit, a few months ago, because of my goof, not because MBM did not work.

I believe security program vendors test their products. Otherwise no one would purchase them.


Hi all,

I'd like to make a few remarks on some things stated.

8 hours ago, lock said:

What "reputation"???? Like word of the street?

Basically, yes. There are many fora out there, like bleepingcomputers and wildersecurity, where security nuts gather and talk. Malwarebytes has quite the reputation there. As an addition to an existing AV though, AFAIK.

15 hours ago, Porthos said:

With Win 10 in the real world, Defender would be on as well and I am sure they disabled it during these tests. I would love to see someone do tests without disabling a Win 10 security feature.

As Porthos seems to support, using MB without AV is not something I recommend either. Whether MRG Effitas did or did not disable Windows Defender I don't know.

 

12 hours ago, lock said:

In a total package, you will have all shields / modules amalgamated without the possibility of disabling any of the

Except that Malwarebytes must be able to work alongside other anti-malware/anti-virus software. Especially anti-exploit stuff is bound to cause conflicts and as such it is desirable to be able to turn parts of the protection offered by Malwarebytes off. (Some only wanted the anti-exploit as they have their other bases covered and didn't want to dedicate more resources.) A lot of people are/were asking to allow this without continuous warning. As such I consider this argument invalid. Better, I prefer to have the ability to tweak a program.

Back in the time when the modules were fully separated a lot of people asked for an integrated solution. (Guess what happened when they listened to the community...)
Malwarebytes uses layered security. Although I agree that the anti-ransomware module does not seem on par yet, the case that is built is that Malwarebytes is more than the sum of its parts. That the anti-ransomware part would be breached would not mean that another layer wouldn't have stopped it somewhere in the infection chain. This makes accurate testing of the system as a whole difficult.
For me, Malwarebytes is only one of the security layers on my PC. Due to its compatibility issues with Sandboxie and the presence of a few other security layers, Malwarebytes doesn't do much. As such I cannot say much about its efficiency. It is hard to judge one layer if the collective holds off everything it faces. (AFAIK of course)

 

12 hours ago, lock said:

a test in which the antiransomware module of MBAM offered real protection against any type of ransomware

https://www.mrg-effitas.com/wp-content/uploads/2016/07/Zemana_ransomware_detection.pdf
They even made second place. Not bad considering the testing procedure.

 

9 hours ago, TheThornWithin said:

I have Malwarebytes 3.0 Premium installed and I've been waiting patiently for assistance for almost a week.

Sometimes someone slips through. The described procedure is "If no one has replied to your new topic after 48 hours please contact a Moderator or Administrator to let them know. " I suggest you send one a kind reminder.

I hope this clarifies, feel free to ask if you have any questions left.

Kind regards from a home user,
Durew


36 minutes ago, Durew said:

Except that Malwarebytes must be able to work alongside other anti-malware/anti-virus software. Especially anti-exploit stuff is bound to cause conflicts and as such it is desirable to be able to turn parts of the protection offered by Malwarebytes off. (Some only wanted the anti-exploit as they have their other bases covered and didn't want to dedicate more resources.) A lot of people are/were asking to allow this without continuous warning. As such I consider this argument invalid. Better, I prefer to have the ability to tweak a program.

I agree that it is a good idea to tweak the program, but...

- If you disable anything in MBAM you will get an exclamation mark on the tray's icon, which will mask any other potential issues.

- This was not provided for tweaking, but rather to outline MBAM potential; a real tweaking is when you can choose which "shields" to install (see Avast!), without displaying any warning.


35 minutes ago, lock said:

If you disable anything in MBAM you will get an exclamation mark on the tray's icon, which will mask any other potential issues.

Guess you did not take the time to read the release notes.

Added setting to turn off ‘Real-Time Protection turned off’ notifications when protection was specifically disabled by the user

 

Also available on the main site for non-forum users. :rolleyes:

https://www.malwarebytes.com/support/releasehistory/#malwarebytes-premium

Edited by Porthos

2 hours ago, lock said:

- This was not provided for tweaking, but rather to outline MBAM potential; a real tweaking is when you can choose which "shields" to install (see Avast!), without displaying any warning.

This is not the case with only Malwarebytes... many security products (I can't vouch for Avast as I don't use it myself) such as my Symantec Endpoint Protection will allow you to disable components... I can disable any layer I want, however doing so, I get warnings that not all features are enabled, my 'green' status bar goes to 'red' and the shield in the tray also changes.

Fully Protected Status: [screenshot]

Individual Components: [screenshots]

Warnings: [screenshots]

Edited by Firefox