Jump to content

Does UAC protect you against "drive by" malicious software attacks?


Recommended Posts

In Win 10, does UAC protect you against "drive by" malicious software, that would install itself, by itself, and encrypt my hard drive . . . even if I don't click on anything? . . . I had it off. I'll put it on level 3 of 4.

So, if UAC is on, you have Avast Free or AVG Free, and you run MB Free once per day, does that give you a decent level of protection?

Link to post
Share on other sites

Unfortunately no.  Most modern exploits such as drive-by attacks have been created in such a way that they avoid UAC by not escalating privileges high enough for a UAC prompt to be necessary.  They have a lot of tricks they use to infect systems and do their damage without having to trigger UAC.

I don't believe so, mainly because, to my knowledge at least, neither Avast! Free nor AVG Free offer any sort of extensive behavior based protection from exploits the way applications like Malwarebytes 3 Premium do.  Exploits, including drive-bys and similar attacks, are something we specialize in stopping thanks to our behavior based approach to protection that guards against threats like these and other attacks that exploit both known and well as unknown vulnerabilities in web browsers and other frequently exploited applications.

That said, if you simply cannot afford or do not wish to use the paid version of Malwarebytes, we do offer a standalone version of our Anti-Exploit as a free beta.  You can find out more and download it here.  Either way, given how prominent exploits are these days I would highly recommend getting some kind of potent exploit protection to help keep you safe online from these sneaky threats.

Link to post
Share on other sites

3 hours ago, exile360 said:

to my knowledge at least, neither Avast! Free nor AVG Free offer any sort of extensive behavior based protection

"Behavior Shield comes standard in all versions of Avast 2017, protecting you from zero-second threats, ransomware and other malicious programs"

https://blog.avast.com/behavior-shield-our-newest-behavioral-analysis-technology

Link to post
Share on other sites

Yes, I specified exploits, not any other type of threat.  Exploits work very differently from other kinds of attacks because they aren't malicious binaries themselves, instead they exploit holes in legitimate applications to execute commands that enable them to do things such as install malware, turn off security features (including antivirus, firewall etc.) and any number of other malicious actions.  That's what makes exploits so dangerous, because they can be so varied in what they do.  It's not the same at all as detecting a malicious file like a Trojan or worm or even ransomware.

Regardless of what else you use, I strongly advise you to get some kind of exploit protection.  I know from our own internal testing and information that ours is one of the, if not the absolute best available (especially for free), but there are others such as Microsoft's EMET that you can use instead if you don't wish to install Malwarebytes Anti-Exploit.

The reason I keep harping on this is because right now, and for some years now, exploits have been and continue to be the primary means of attack for so many infections and hacks.  In fact, I believe the only more common method than exploits right now is spam/phishing emails, but with a decent email filter which most email clients have built in, you can usually avoid most of that.  Exploits on the other hand require protection specifically designed to detect and stop them because they function by hijacking otherwise benign/safe/trusted software.

Link to post
Share on other sites

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

It looks like they combined EMET into Win Defender, but it has since been integrated into the Windows Defender Advanced Threat Protection (ATP) service.

I see that Avast is slightly better than AVG, and both are better than Win Defender.

I'm currently using Win 10 FCU (1703), and Avast Free.  I try this, in combination with the MB Free Beta.  Thanks!

Here's how I determined this:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Microsoft bringing EMET back as a built-in part of Windows 10, 06/27/17 . . . https://arstechnica.com/information-technology/2017/06/microsoft-bringing-emet-back-as-a-built-in-part-of-windows-10/

Microsoft To Block EMET in Windows 10 Fall Creators Update, 08/14/17 . . . https://redmondmag.com/articles/2017/08/14/microsoft-to-block-emet-in-windows-10.aspx

AV-TEST - The Independent IT-Security Institute . . . Avast is slightly better than AVG . . . Avast and AVG are both better than Win Defender . . . https://www.av-test.org/en/antivirus/home-windows/windows-10/

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Avast is slightly better than AVG

AV-Comparatives - Independent Tests of Anti-Virus Software - Detection Tests . . . http://www.av-comparatives.org/detection-test/

AV-Comparatives - Independent Tests of Anti-Virus Software - Real World Protection Test Overview . . . http://www.av-comparatives.org/dynamic-tests/

Virus Bulletin . . . Has a cool scatter-graph at the bottom . . . Why don't they show Win Defender? . . . https://www.virusbulletin.com/virusbulletin/2017/08/vb100-comparative-review/

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Link to post
Share on other sites

Sounds like a reasonable assessment to me :)

I'm glad you've decided to install our Anti-Exploit Beta.  I'm certain you won't be disappointed.  We also currently have a free Anti-Ransomware Beta that is worth looking into if you'd like additional defense against ransomware, a class of threat that has become quite common these days and is particularly difficult to deal with if you have a lot of files that aren't backed up (regardless of whether you use the beta, regular backups are always a good idea, just make certain you don't keep the backup device attached to your system except when backing up/restoring data otherwise it could get messed up by malware too if you ever do get infected).

Link to post
Share on other sites

The Anti-Ransomware Beta says to only install on a "non-production" machine . . . Meaning that, it could really mess up your system, and you'd have to re-install - use at your own risk (01/25/16) . . . ? . . . Have there been any such user experiences?

Introducing Malwarebytes Anti-Ransomware Beta . . . As this is the very first beta we do encourage beta users to install the product in non-production environments for testing purposes only . . . https://forums.malwarebytes.com/topic/177751-introducing-malwarebytes-anti-ransomware-beta/

Link to post
Share on other sites

None that I know of.  As far as the warning goes, that's just the standard disclaimer we use for all of our beta/non-production software.  It's the "use at your own risk, this is a beta..." warning/info that you typically see when testing any beta software these days.

We're very careful about implementing our software in such a way that any changes can be undone, so even if it were to detect something that it should not as a threat, you'd be able to restore it from quarantine and exclude it from being detected in the future so no permanent damage would be done.

Link to post
Share on other sites

a.) Yes (the free version)

b.) nope, not even close unfortunately.

In addition to the capabilities contained in the betas, Malwarebytes 3 also includes our entire realtime malware detection engine which uses heuristics algorithms and detection signatures to detect/stop tons of malware which would otherwise not be detected.  It also has our web protection technology which uses our frequently updated block list of known bad websites that contain everything from malvertisements (malicious advertisements that try to infect you) to phishing sites as well as C&C (Command & Control) servers used by botnets for deploying threats and controlling infected systems.  It also contains our latest signature-less anomaly detection technology which is a behavior based malware detection technology designed to target new, unkown threats.  This new component is particularly exciting because of how effective it's shown itself to be in our internal testing so far, proving itself capable of detecting a very large percentage of 0-day/0-hour (i.e. previously unseen) malware that was not detected by any of our other protection or scanning components.

I'm not trying to sell you anything here, and the choice is obviously yours, but having the paid version of Malwarebytes, with or without another antivirus onboard, is a huge advantage when it comes to security.  It's a multi-layered defense suite that we're constantly working to expand in order to cover more and more threats and new attack vectors.

Now, with all that said, even without the paid version of Malwarebytes, what you have so far is still leaps and bounds above an antivirus alone and will go a long way towards keeping you safe online.  I'm just telling it like it is, and there are a lot of layers of protection included in the paid version of Malwarebytes.

Link to post
Share on other sites

Honest facts are what sell me, or eventually convince me that I need something.

I like that scatter graph that Virus Bulletin has (link mentioned above).  It would be interesting to see one of those for the MB programs (individual, and combinations), mentioned above, for the various attacks . . . it would also make me aware of what all the possible attacks are . . . for example, I usually don't click on ads or popups, so protection from that wouldn't be important to me . . .

Besides the PUP infection I got mentioned above, the only other recent "attack" I've noticed was that I was on an "Excel" help site, or "VB" help site, and out of nowhere, a tab in Firefox opened, the page had a red background, and it played the same sound as my alarm clock.  It had a rectangular "sign in" window (right, I'm gonna type something in there).  I had to use Task Manager to kill it - and Firefox.  I opened FF back up, and everything seemed ok.  No idea why Avast didn't stop that.  I think I might have had MBAM installed then too, Free Trial of the paid version.  I think it was from Mr. Excel, and I have seen it before:

https://www.mrexcel.com
http://www.vbforums.com

That must be a grand pop-up, lol.  I scanned with Avast and MBAM, nothing found, but I'm thinking I might like it if that were detected and blocked.

Link to post
Share on other sites

Yep, sounds like a tech support scam site.  You can find out all about those here.  Unfortunately new scam sites pop up so frequently that it's difficult for us to block them all, however we are working on some new technology that should help greatly in that regard.  I wish I could say more, but unfortunately we aren't allowed to make any details about it public just yet, but rest assured we do have something impressive in the works to deal with these and several other classes of web based attacks.

Regarding testing such as that done by VirusBulletin and similar organizations, we don't generally put too much stock in them only because the tests they perform tend to be somewhat unrealistic.  For example, they'll often test by downloading and executing malicious executables directly or scanning a folder with dormant droppers/executables, however this is not how modern infections work at all.  Real world threats use some other mechanism to infiltrate the system first, then download the malicious payload (the executable(s)) to infect the user.  This includes exploits (which is one reason I've been saying it's so important to have a good defensive layer against exploits), another is infected websites which host exploits (meaning website blocking+exploit protection would both have a shot at blocking it), and then finally the download of the malware (again, our web blocker would hopefully block it), and if it gets passed those layers, our malware protection would analyze the file as soon as it attempts to execute into memory where it would be checked by our primary threat signatures, our heuristics as well as our anomalous file detection layer I mentioned earlier.  After that, assuming the threat has made it this far, it still must contend with our behavior based ransomware protection, so if it is a ransomware threat, chances are very slim indeed that it's going to get through.

There's also spam and phishing through email which has become very common these days, and again, should largely be covered by our exploit protection, though the other layers offer protection from it as well, depending on the content of the malicious email message (i.e. malicious URLs, embedded scripts, malicious file attachments etc.).

From that stage of course, if something does get in, you still have the scan to fall back on (though that component is obviously available in the free version as well) which will use threat signatures and heuristics to attempt to detect and remove any active threats from the system and while it does use many of the same signatures and heuristics as our malware protection layer, it also includes rootkit scanning as well as other technologies specific to scanning such as our Linking technology which has the ability to detect and remove the entire installation of an infection based on the detection of as few as a single trace (for example, if we miss the entire threat installation with our normal signatures etc., but nail a single file or registry entry created by the threat, our Linking engine can discover and catch the rest of the threat based on that one detection; it's very powerful stuff).

While I don't have a precise one to one analog for the information presented on VB, we do have several whitepapers, infographics and other information freely available here which you may find useful.  There's information there about the latest threats, more about our layered approach to security as well as further info about our products and how they work to protect your system, your privacy and your data.

Edited by exile360
Link to post
Share on other sites

. . . sounds like a tech support scam site

I see that MrExcel was hacked . . . http://www.mrexcel.com/details-of-data-breach-at-mrexcel-com/

E-mails and passwords were exposed online, they asked me to change my password . . . but it appears to be a valid site . . . I didn't know about scam tech support sites, thx . . . I never got any answers to my questions, there, though, so I don't think it's the greatest help forum.

. . . VirusBulletin and similar organizations, we don't generally put too much stock in them only because the tests they perform tend to be somewhat unrealistic

It seems like their test must have some benchmark value, though.

. . . I don't have a precise one to one analog for the information presented on VB, we do have several whitepapers, infographics and other information . . .

A hundred articles there.  I'd like to go through all of them, but don't have the amount of time needed to do so.

I'd just like to see a snapshot of how the MB programs hold up, individually, and in combinations, in order to make a decision of what will work in my situation.

It doesn't matter to me if you do the test, as long as you say that you're honest about the results.

Link to post
Share on other sites

They do have some benchmark value, certainly, but what they're typically measuring is a product's ability to detect an infection during a specific phase of the attack chain, generally the final phase just before infection of the endpoint occurs.  They don't account for the several phases that take place much earlier in the process and they only account for specific kinds of protection; generally the more traditional kind which has been proven to be ineffective against 0-day/0-hour threats because the bad guys perform the same kind of testing with their malicious binaries to see if any of the major AVs are detecting them yet, and if they are, they tweak and modify them until they aren't any longer so that the users of those products won't be immune to their attacks.

I'm far more interested in the more proactive protection components which aren't being tested, such as exploit protection and other behavior based/signature-less solutions because that's where a product can really shine when it comes to preventing threats at 0-day/0-hour.

As for how MB holds up on its own and in combination, as long as it is compatible/doesn't conflict with whatever other product(s) you might be using for protection, then obviously having more layers of defense is better, at least in theory.  The only catch I can think of would be if any of the added layers are unnecessary, but assuming you're using a free AV like  the built in Windows Defender or Avast!, AVG, Avira or one of the other free ones then the cost financially is the same regardless.  So that is what I would advise if you want to get the best layered solution possible.  Use a free AV alongside Malwarebytes 3 Premium and you should have your bases as well covered as they can be.

Anyway, I'm checking with our Product team to see if we have any specific metrics/testing alongside different products and with/without other products to give you a good measure of our performance, but in the meantime I think these are likely the most relevant to what you're after:

https://go.malwarebytes.com/ROILayeredSecurity.html

https://go.malwarebytes.com/BusinessCaseforLayeredSecurity.html

https://www.malwarebytes.com/pdf/infographics/BreakingTheAttackChain.pdf

https://www.malwarebytes.com/images/articles/why-layered-security-is-important/the-importance-of-layered-security.pdf

I'll post back with any info I get from the Product team.  I know that getting more testing metrics is something we've been working on, I just don't know if any of it is done yet, but if it is I'll get it to you here so that you may review it.  In the meantime I believe the above items will help you to better understand what I've been talking about regarding our layered approach to defense, the attack chain and how using multiple layers can do much to keep endpoints safe in this complicated world of blended online threats and attacks.

Link to post
Share on other sites

No, nothing like that to my knowledge, and the trouble is, if we did have one it would obviously be biased since it would be us performing the testing so the results couldn't be trusted to be fair.

That said, there are some threats missing in that list such as file-less malware, scripting attacks, exploits, tech support scams among others, all of which are more common today than most of the threats they list, perhaps with the exception of ransomware and adware and grayware (both of which we classify as PUPs).  It mentions rootkits, but doesn't mention how they are detected or why they are there.  These days a rootkit is never installed alone and that's been the case for years now.  The current crop is being used to install and protect PUPs for the purpose of generating constant revenue for the bad guys since they get paid for every successful PUP installation and/or click from the user's browser on some advertised content being pushed by a PUP browser add-on or similar product.  Likewise, with exploits they are never alone either.  They are a means of getting some other malware onto the system, which could be anything at all including ransomware, a rootkit or any combination of other threats and annoyances.

My point is, most threats today are blended.  They very seldom fall into just one category, so judging any protection product based on its efficacy against just one type of threat is pointless because it doesn't give you the bigger picture of just how likely an attack of any kind is to be successful against your system when protected by that product.  This is why we think of threats as attack chains and focus on being proactive in that we try to stop an attack at as many phases of the attack chain as possible, starting with the source (web blocking) and going through all the various phases right down to the malware attempting to execute on the system (our malware protection, heuristics and behavior based protection layers).

I'll give you another example of why I believe this is a flawed approach.  While we see plenty of vendors claiming to offer realtime/behavioral protection against rootkits, I've never actually seen one that really had anything like that.  For example, what Kaspersky calls their rootkit protection is actually nothing more than an automated/scheduled background scan of he filesystem that kicks off every so often to check for the presence of any rootkit activity on the disk, meaning the system must already be infected by a rootkit for it to detect anything (our rootkit detection works the same way, which is why we make no claims to it being a part of our realtime protection and all controls for activating and using it are stored under our scan settings).  It may be possible that there are ways to intercept a rootkit during the infection/installation phase, but that would go more into the realm of HIPS and flagging anything that touches system files, tries to install drivers or tries to modify the boot files of a system (MBR/VBR etc.), yet many legitimate applications do the same things (many backup programs used for protection of data modify the boot files and tons of software, including AVs themselves install drivers, even hidden ones that are technically speaking rootkits, though they obviously aren't using those drivers for anything malicious, they're just using those hidden methods to defend themselves better against attacks from hackers/malware).

So to sum up, it's really a matter of whether I believe that what we are offering is sufficient protection to keep an endpoint from getting infected by any form of malware/PUP and the answer is yes, I do.  However, because we would be hypocrites if we prevented our customers from using other layers of defense, we still continue to design our products to work alongside AVs and other forms of protection software just as we always did when we viewed Malwarebytes as a complimentary protection product.  So we don't prevent our customers from installing an active AV or other protection product and we continue to test regularly for compatibility with every major AV that we can to ensure compatibility and good system performance.

That said, I have passed on the graph you provided as an example and asked if we have any resources similar to that which might illustrate our efficacy and I'll let you know what I hear back.

Link to post
Share on other sites

Sounds good, thanks . . . I'd like to see some kind of graphics that let me know why I need more than the free version, or MBAE and MBAR.

Maybe have the top 5 or 10 current attack paths of the month, and indicate how each MB product handled it

1.) on-the-fly

2.) with a scheduled, automated scan

3.) when one got around to doing a manual scan

Link to post
Share on other sites

Given how frequently malware changes, I don't know how much value such a graphic would truly provide for you, because within a few months the most common attack vectors would be likely to have changed, meaning you paid for a year of protection based on data that at best, was only truly relevant for a few months at the most.

What I will tell you is this: we are always watching what the bad guys are doing, and one of the reasons we have so many layers is because they keep changing tactics and because modern attacks are almost always blended threats, utilizing multiple forms of malware/attack vectors and whenever we see a shortcoming in our product against the latest tactics and methods being used by the bad guys, we either implement the necessary changes in our existing protection components to make our product proficient at detecting it proactively, or we develop and integrate a new module that does.  That's why Malwarebytes 3 has so many layers, because each one has proven itself against the most common methods of attack since Malwarebytes was founded and it made sense to include it because of that.

In fact, I know of several modules in development right now, some of which are already in the early beta phase of testing which we plan to roll out in the future because we found some very useful methods of proactively stopping several types of attacks and malware, and we're already discussing others that aren't even in development yet.  We're always working to stay ahead of the bad guys, and aren't resting on our reputation at all.  We want to be the best and let our performance speak for itself and let our customers attest to our effectiveness by telling everyone they wish that we have done a good job of keeping them safe online.  Artificial tests in labs don't really prove much, if anything.

That said, we do have some commonly detected items here, so that will at least give you some idea of how we're doing.  That said, I don't see any exploits in the list, and I know for a fact that we detect a lot of those as exploits remain one of the most common methods of launching an attack these days, so these detections must only be coming from the file and scan based components of Malwarebytes 3, not our web blocker or exploit protection.  It also has no data on our recently activated anomaly detection component; something nifty that one of our Developers cooked up to detect unknown malware files which has proven to be quite effective against 0-day malware unknown to our other components.

Link to post
Share on other sites

By the way, I wanted to thank you for this conversation.  It's inspired a lot of neat ideas for me that I'm now discussing with the team as possible ways to further improve our effectiveness, so regardless of what you finally decide, I just wanted you to know that it has potentially helped us to do even better in the future just by getting my wheels turning :) .

Link to post
Share on other sites

Hey no problem, I've learned some things here, too, I appreciate it.

I see that MB acquired AdwCleaner . . . https://www.malwarebytes.com/adwcleaner/

Malwarebytes Acquires AdwCleaner, 10/19/16 . . . https://press.malwarebytes.com/2016/10/19/malwarebytes-acquires-adwcleaner/

That would be another program to show on the scatter-graph.

I don't think "MBAM Free" or AdwCleaner provide "real-time" protection, so that's a distinction to make note of on the scatter-graph . . . This would be in contrast to "MBAM Paid Version," MBAE, and MBAR

Every month, the scatter-graphs should be updated to reflect MB's defense against the current threats.

So, if I didn't have the paid version of the software, then I'd have a better idea of what I have to watch out for . . . and eventually figure out why I need the paid version

 

Link to post
Share on other sites

Yes, we acquired ADWCleaner and also JRT (Junkware Removal Tool), both of which are free scanners for PUPs.  We have integrated many of the detections in those tools into Malwarebytes already (for both our realtime protection and scanner), however they do still cover some items that we have not yet been able to integrate due to the fact that doing so would require some engine changes in Malwarebytes, but eventually we do plan to fully integrate all of their detections.

As for MBAR, while the vast majority of what it covers is also covered by the rootkit scanning component in Malwarebytes, some recent rootkits have required some rapid changes in order to be able to get our tools to run, so that is one difference between MBAR and MB3 currently.  That said, we do eventually migrate changes in MBAR over to Malwarebytes as MBAR is basically our testing platform and rapid response tool for emerging/recent rootkits (very similar our standalone betas for our other tools/products which are also a part of MB3, like our Anti-Exploit and Anti-Ransomware).

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.