Avira free found Trojan JS but Endpoint Protection No !!!

[Scolette]

Hello. I had a computer infected with a usb key with the virus js / Agent.1592 (name Avira) and Endpoint protection found nothing. My computer has been infected. Neither Malwarebyte premium or adwcleaner found the virus. I had the same problem with avira free and with this software my computer was protected. How is this possible? Thanks for your help.

[David H. Lipman]

Malwarebytes' Anti-Malware ( MBAM ) does not target scripted malware files.  That means MBAM will not target; JS, JSE,  PY, .HTML, HTA, VBS, VBE, WSF, .CLASS, SWF, SQL, BAT, CMD, PDF, PHP, etc.
It also does not target documents such as; PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, RTF, etc.
It also does not target media files;  MP3, WMV, JPG, GIF, etc.

Until MBAM, v1.75, MBAM could not access files in archives but with v1.75 came that ability so it can unarchive a Java Jar (which is a PKZip file) but it won't target the .CLASS files within. Same goes with CHM files (which is a PKZip file) but it doesn't target the HTML files within. MBAM v1.75 and later specifically will deal with; ZIP, RAR, 7z, CAB and MSI for archives. And self-Extracting; ZIP, 7z, RAR and NSIS executables (aka; SFX files).

MBAM specifically targets binaries that start with the first two characters being; MZ
They can be; EXE, CPL, SYS, DLL, SCR and OCX. Any of these files types can be renamed to be anything such as;  TXT, JPG, CMD and BAT and they will still be targeted just as long as the binary starts with 'MZ'.

PS:  JS/Agent is not a virus.  It is a trojan.

[Scolette]

Thanks David.

So Malwarebyte Premium and Endpoint Protection do not protect as well as we can hear! I am a Malwarebyte reseller and so I am frustrated with your answer. 

In my case, any solution ? with the money earned (40 € per computer) I can buy an external hard drive, install veeam agent and I will be quieter

[David H. Lipman]

MBAM is still an adjunct and is not a anti virus application replacement.

 

 

[Scolette]

 

Yet Malwarebyte announced that since v3, the protection is complete and replaces an anti-virus.

Edited November 25, 2017 by Scolette

[KDawg]

I have brought this to the attention of our research team and we can expect more information shortly

[TonyCummins]

On 11/25/2017 at 7:37 AM, David H. Lipman said:

MBAM is still an adjunct and is not a anti virus application replacement.

 

 

That's certainly very concerning to me as it was touted to me by my sales rep AND plastered all over the web and Facebook that it IS an antivirus replacement!!

[KDawg]

This is a non Executable file type which we do not detect.

I have discussed this issue with our research team has added the run file to now be detected.

Additionally if Anti-Exploit was enabled on the machine it would have prevented this at execution.

[IT_Guy]

You guys really have to get your message together, half these threads say that it IS an Anti-Virus replacement and half say it IS NOT an anti-virus replacement until someone lets them know what other MWB agents/documents say.

Just send out an internal Email, "Per our published documentation, Malwarebytes Endpoint Protection is an anti-virus replacement software. Please stop telling our customers that it is NOT an anti-virus replacement software."

Then maybe sticky it to your watercooler/coffeemaker/top of this forum.

[djacobson]

@IT_Guy and @TonyCummins, the first person that replied is not staff, they are a user just like you guys, with their own experiences and opinions, but they were correct in that the ANTI-MALWARE portion does not detect JS and other scripts. This is something we've been open about for the entire time Anti-Malware has been around.

Script protection is the domain for the newer ANTI-EXPLOIT part of your protection, @Scolette, make sure all of your product pieces are fully engaged and operational for your applicable groups/policy, if you need assistance with that, that is certainly something we can help you check. @KDawg is correct in that the Anti-Exploit portion would have hit on this JS script if it had been invoked. Remember that Anti-Exploit doesn't scan, it is behavior based and needs to see the run and hooking attempt for its action to take place. A scan would be done via the Anti-Malware portion of the product, which cannot "see" that the JS is malicious before it is ran, due to what it is made to look for and how. I hope that makes sense. I can try to expand on that if needed. Also keep in mind that ADWCleaner is an aggressive browser hijack/ deep PUP remediation tool, a JS doesn't fall within its abilities, unless that JS infection also happened to add a ton of search "tools" to your browsers as part of its overall payload, it would pull those out of your browsers for sure.

The MB3 and MBEP products are AV replacements, caveat being when all pieces are in place, not just MBAM or MBAE, etc, this is why MB3 and MBEP have all our products / technologies built into a single, multi-faceted program, instead of separate programs, like they are in the older MBES product versions.

Now with that said, it is still a good practice to have an AV in place. And there is good reason to do that, more layers in the net to catch things! Plain and simple. If you need help getting the AV you've chosen to work with our products, we will always help you do that.

[CHall]

@djacobson, that was a wonderful explanation of your product and its components. I have a better understanding of the software now than I ever had before. Thank you.

Regarding working with other AV products, I brought up in another thread topic that MBEP was interfering with our ControlNow AV and was informed that they both use something in Windows that can't be shared when running Web Protection, and that one or the other has to be turned off for Web Protection. I accept that, however, the interference with ControlNow has to do with the endpoint not being able to update ControlNow's virus definitions, which is part of their AV product, not their Web Protection product. As I said in that other topic, I have to restart the Malwarebytes Service to stop and reset its "memory leak" to get the endpoint to resume virus definition updates with ControlNow AV. If you have any input or help with that issue, working alongside our other AV, I'd appreciate it.

[djacobson]

@CHall I remember you mentioning it in the event viewer post. That's the Windows BFE service conflict. You are having those other symptoms still after choosing which web real time? Are there any mutual process exclusions in place between your MB and Controlnow? I imagine you may have gone over that in your ticket though, no?

[Scolette]

@KDawg 

Exploit protection est bien activé.