
Is Malwarebytes enough? Or do I need AV



TL;DR will be included at the end of the post.

I know this thread is like a month old, but the replies didn't seem extremely helpful except the link to the MBAM 3.0 announcement, which sort of answered the question. So I'm creating this post to hopefully help. MBAM "could" replace a traditional AV, but it doesn't include some of the helpful tools that many AVs do provide. If MBAM were to include tools such as a pre-startup scan, Sandbox mode or Sensitive Data protection, I would feel differently about it.

Personally, I like to use an AV program alongside MBAM. This is mainly because I've been a user of MBAM for quite a few years (I think since somewhere right between MBAM 1.0 and 2.0) and needed to have an AV to prevent other types of attacks/vulnerabilities that MBAM, at that time, did not protect systems from very well. Even though MBAM has improved greatly since then and has added more extremely useful tools, I still prefer to have an AV program on my systems that I can trust as much as I can trust MBAM to protect from malware. There are still a lot more tools or features that could be, and over time probably will be, added.

I personally don't care much for Windows Defender. It's a bit too basic and doesn't offer much in terms of flexibility, functionality or helpful tools.

Check a list of popular or well-known AVs and Google whether MBAM and that AV work well together or not. (Not working well together would be, for example, MBAM not allowing a certain AV's tools/functions to work properly because MBAM detects the actions as a possible threat, or vice versa.)

After you check the compatibility, I would check to see what tools or services that AV offers that are not yet available through MBAM. I would only really check for tools or functions I would actually use, though. Just because the AV provides a tool doesn't mean it will be all that useful.

Tools that I wouldn't recommend basing your decision on include, but are not limited to:

  • Software Updater - Most programs offer an auto-download/update option, so this feature wouldn't really be worth the HD space and definitely not worth buying a subscription for, as it wouldn't be used much.
  • Webcam Protection - Place a cover over the lens / unplug the camera. I mean, yeah, you physically have to do something, but it beats paying monthly to restrict access to your webcam.
  • Data Destroyer - Highlight the file(s) you want to delete in a file browser, press the Delete key, empty the Recycle Bin. Magic. NOTE: (Holding down the CTRL key as you click files allows you to select or deselect multiple files.) This does do a better job than the Recycle Bin does, but I feel like I would only end up using it once. The only time would be if I were to discard my HD and needed to make sure my personal information that was stored can't be recovered. If someone decides to take it from the trash, or if I sold / gave it away, they wouldn't be able to get my bank info, passwords, etc. (USEFUL ONCE PER HD)
  • Any anti-tracking service - Most current web browsers have this feature built in; you just have to turn it on. This tool would work in other programs that collect certain user data, though, so it would be 50/50 if it's really useful. Just depends on whether the web browser one is enough for you.
  • Any tool or service that you wouldn't really use or need that often.

Tools that I would recommend basing your decision on include, but are not limited to:

  • Real-Time Protection - I would say this is 100% a must-have service when looking for an AV. I'm pretty sure most top AVs have this service included. This could be real time for programs, networking, malicious code, URLs/IPs. Just check the AV's info page to see which ones they offer. (MBAM does offer this) One of the best things about RTP is, after you do your first initial deep scan, you don't have to scan as often as you would without it. I'm not saying to never scan your PC thoroughly, just that you won't have to as often, which will save a ton of time that you could spend working on something, playing games or whatever you do leisurely on your PC.
  • Ransomware Protection - After WannaCry hit with its zero-day exploit, I've been more cautious about ransomware and decided this service was a must-have. Even if you don't have a lot of stuff on your PC, or you wouldn't be seriously affected, you probably have personal information, irreplaceable files, folders, etc. that would be gone with no warning (unless you use a cloud service or store backups on USB drives / similar and transfer frequently). I record/write music, code and have other random PC-based hobbies, so a lot of what I work on is stored locally on my PC. I wouldn't be seriously affected by losing all those project files, but it would be annoying to deal with and upsetting to lose past projects, unfinished projects or brand new projects. This tool pretty much just prevents your files from being encrypted. (MBAM does offer this)
  • Firewall Service - Yes, Windows and other OSes include a firewall with most copies of their OS, but you could have more flexibility or a new feature that Windows Firewall does not offer. This isn't a must-have, but if it's flexible in its usage, I would go for it.
  • Quarantine - Pretty sure all AVs, including MBAM, include this. Sometimes it's better to quarantine an infection than to delete it from your machine. This would mainly be in the case of persistent malware / viruses that either you can't seem to delete due to the virus disabling your ability to, including trying to kill it with Task Manager, OR you are able to delete the file and stop the process(es) and the virus just re-downloads / re-installs itself. At that point you would need to find the file it uses to re-download / re-install itself, but in most cases a full scan with MBAM would find that file. Some viruses could do this from the RAM instead of a separate file. The virus would store some code in the RAM that constantly checks if the virus still exists on the system and, if not, re-downloads / re-installs itself. This used to be a lot harder to prevent and harder to stop, but MBAM does scan the memory (RAM) for this type of malicious code. (MBAM does offer this)
  • WiFi / Router Analyzer - This tool will scan your local network for vulnerabilities, exploits and connection issues, and I believe they also check to see if your router's firmware is up to date. Not really a must-have, but nice to have when your network doesn't want to work correctly / an excellent alternative to the Windows Troubleshooter that never finds the issue, or if it does, offers no solution.
  • Sandbox - Awesome tool to check out a sketchy program in a safe environment. Sandbox mode allows a program to run but not install anything to your HD, so you can make sure the file is safe before actually installing. Not a must-have, but the most beautiful tool you'll ever use when you want to see if a program is legit.
  • Website Check - This tool is amazing for everyday use and it kind of goes in the real-time protection category, but this is usually a tool by itself and not bundled in real-time protection. This tool will block access to websites that have been blacklisted by the AV. These websites are usually ones that contain a virus/malware download or sketchy websites that throw those "new windowed" ads at you; it also blocks those new windowed ads as well, as long as they're in their blacklist DB. I think it also redirects you, if you were to type a URL slightly wrong, to the correct URL, but don't quote me on that. Example: a common mistake that a lot of people have done / still do is type google incorrectly. Some companies, including Google, will buy a domain name that is a common misspelling of their URL, such as "gogole.com", "gogle.com" or "goole.com" (I don't know if they actually own these specific ones, so please don't try those URLs in case they are sketchy sites... which, I mean, they do look like a sketchy knock-off brand of Google), and just redirect the user to the correct URL. The AV that I use also has a "Website Rating" where it gives websites a safety rating based on data from users that have been to that website and users' input/feedback on that website.
  • Pre-startup scan - This is a 100% must-have, especially if you are someone who is more prone to getting malicious programs / viruses. This tool allows the AV to take over just as Windows begins to load. Windows loads enough to give the AV the functionality it needs to run but does not give malware, viruses, worms, etc. a chance to start up. The reason this is helpful is the virus won't be able to defend itself in real time, resulting in a complete deletion of its files most of the time. Some viruses do something called "piggybacking" on the AV so they won't be detected (some AVs don't scan their own RAM usage, files, etc., or don't do a thorough scan of their own files that are being used by the program itself or the scanner, so the virus will use that to protect itself from the scan) and will easily hide from the scan. This prevents any piggybacking as well.

There are many more tools out there that are helpful and some that are not so helpful (OK, maybe a lot that aren't helpful but are more of a way to get just a couple extra bucks so you don't have to manually perform a task). Remember that depending on what AV you decide to use, some of these tools you may have to subscribe to, while other AVs have them as a free tool. If you're going to just use a free version of an AV, only really pay attention to what protection services they offer in the free version instead of the tools, since free tools are usually not the best or even useful. If you're willing to pay for your antivirus, which depending on the AV honestly isn't much (usually between $30 - $50 USD per year, roughly 8¢ - 12¢ per day depending on the plan and/or tools you decide to include), you will more than likely have a more enjoyable experience with that AV and feel / know your system is being actively protected from a wide range of threats and that you'll be notified if anything seems fishy.

 

Well, I hope this helps if you decide to use an AV as well as MBAM. I haven't ever really gone this in depth with choosing a product before, so I may have missed some information that would be useful, but hey, I tried.

 

TL;DR:

  • Make sure the AV you want is compatible to run at the same time as / won't interfere with MBAM, and vice versa.
  • If you decide to use a free version, find an AV that has at least good protection tools. (Network, Real-Time, Scans, etc.)
  • If you decide to use a paid version, check what services and tools are included in the package and think about how often / if you will ever use the tools or services you get with it.
  • If the yearly subscription price ($30 - $50 USD Average which is like 8¢ - 13¢ per day) seems like it's worth it for the protection + tools that you will get and use, go for it.

Did not proof read. Tired. Don't want to. I'm sure this is fine.

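The misspelled-domain part of the "Website Check" item in the post above, as an added example in Python (not code from the post or from any AV product). It generates the single-character omissions, transpositions and duplications of a trusted hostname and flags a visited hostname that matches one, which covers the "gogole.com", "gogle.com" and "goole.com" cases the post lists. The trusted list and the hostnames checked are constructed for the example; a real blocklist or rating service would be far larger and would also cover look-alike characters and other TLDs.

```python
"""
Added example: flag a visited hostname that is one typo away from a
trusted domain. Not Malwarebytes or any vendor's code; TRUSTED is a
constructed list for the example.
"""

TRUSTED = ["google.com", "malwarebytes.com"]  # constructed for the example


def typo_variants(host):
    """All single-edit variants of the registrable label of `host`:
    one character omitted, two adjacent characters swapped, or one
    character doubled. The TLD is left untouched, and the original
    label is never returned as a variant (e.g. swapping 'oo' in google)."""
    label, _, tld = host.rpartition(".")
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                 # omission
        variants.add(label[:i] + label[i] * 2 + label[i + 1:])  # duplication
        if i + 1 < len(label):                                  # transposition
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    variants.discard(label)
    return {v + "." + tld for v in variants if v}


def lookalike_of(host, trusted=TRUSTED):
    """Return the trusted domain that `host` is a one-edit misspelling of,
    or None if `host` is itself trusted or not close to any entry.
    Hostname comparison is case-insensitive and ignores a trailing dot."""
    host = host.lower().rstrip(".")
    if host in trusted:
        return None
    for good in trusted:
        if host in typo_variants(good):
            return good
    return None


if __name__ == "__main__":
    # Constructed hostnames, the three from the post plus two controls.
    for h in ["gogole.com", "gogle.com", "goole.com", "google.com", "example.com"]:
        target = lookalike_of(h)
        print(f"{h:14} -> {'redirect to ' + target if target else 'no match'}")
```

Run stand-alone it reports the three misspellings as redirect candidates for google.com and leaves google.com and example.com alone. The check is deliberately limited to edit distance one so that a genuinely different site does not get blocked; a product would layer a curated blocklist and reputation data on top of this.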

Well, I was going to edit my previous post, but it said I took too long editing so I can't edit it now, but...

I forgot to mention that I did not want to recommend any certain AV because you should honestly look through a list of them and find the AV that seems like the right pick for you. Also, you would know exactly what protection you are getting and you won't assume you're getting a certain kind of protection, such as the WiFi/Router Analyzer, Firewall Service, Ransomware Service, etc., which means you'll be more aware of what your system could be / is vulnerable to and would probably be a bit more cautious.


It would be nice if MWB was sufficient, but it's not, far from it, according to the latest independent tests by MRG Effitas and SE Labs. In fact, with such poor results, especially with SE Labs, we really have to question the actual protection being provided by MWB. The vision is great; the implementation / execution of this vision is getting weaker as each independent test shows.

Can we have some informed response from MWB management here as to what is really going on, because like many others, as a long-time user, I am getting really concerned about the quality and capability of MWB in fighting malware effectively.

By the way, I don't particularly like my label "New Member", having signed up 6 years ago in 2012, and having been a user since before then, in 2009 or 2010, almost back at the start of this software.

Edited by AP2012

Before you put too much stock in such tests, you might want to take a look at this, this and this.

That second link shows live data in real time that starts from the point you load the page (no historical/archived data) and only includes detections coming from Malwarebytes scans for detections that are actual malware (PUPs are excluded, as are all real-time detections from Malwarebytes) from systems where a third-party antivirus is active, meaning anything detected got past the antivirus completely and was then detected via a scan with Malwarebytes, which only uses Malwarebytes' traditional threat signatures and basic heuristics algorithms (none of the newer, more advanced and more effective/more proactive signature-less components like Anti-Exploit, Anti-Ransomware and Web Protection etc.).

With regards to you still being ranked as a "New Member", that's just because the software used for these forums (IPS) ranks all regular members as "New" until they reach a certain number of posts regardless of how long they've been a member.  I understand that in many cases (including your own) it doesn't really make sense, but that's just how the forum software was programmed by its creators unfortunately.  I don't recall how many posts are required for your rank to change, but I'm sure one of the Admins here can answer that if you really wish to know the specifics.

Edit: Here's an example.  I loaded the page while composing this message, and within the last few minutes that it took me to write it, I've already got the following results:

[Image: heatmap screenshot]

Also keep in mind that statistically speaking, the number of users running each AV will impact the results so it isn't a 1:1 reference, just live data from real world systems and real world threats across systems around the world where scans are being performed with Malwarebytes.

Edited by exile360

1 hour ago, exile360 said:

Before you put too much stock in such tests, you might want to take a look at this, this and this.

...

Also keep in mind that statistically speaking, the number of users running each AV will impact the results so it isn't a 1:1 reference, just live data from real world systems and real world threats across systems around the world where scans are being performed with Malwarebytes.

Exile, I appreciate the prompt response, thanks.

MWB is clearly quite effective at picking up omissions from AVs, but as AVs improve and now have several layers, I have to question whether Windows Defender plus MWB Pro is sufficient.

For example, looking at the MRG Effitas results, there are some big gaps in both applications, albeit WD has improved massively this past year. In a real-life situation, if some banking trojan should get onto my laptop which neither WD nor MWB detect, then I will be screwed and left penniless as my account is emptied. Some alternative solutions such as Avira, Norton and a couple of others scored much better on the range of tests. Even using something such as a virtual environment like Comodo and Kaspersky might be the answer for banking, but those solutions come with the downside of complexity and more compatibility issues than what I've experienced with plain and simple WD + MWB Pro.

It's the eternal conundrum we all face: which single tool or combination of tools is best to protect the user in specific scenarios. So far I want to keep with WD+MWB, but on some PCs I'm using Norton or Comodo or Sophos Home Premium. On one I've even got so completely frustrated with Windows 10 issues that I've gone for Linux Mint recently.

I had hoped to consolidate all this variety with a simple solution of WD + MWB Pro across all of them, but then saw these SE Labs and MRG reviews, plus there was an abject failure of the MWB Sales department to be able to offer me a good enough pricing deal compared with the other solutions, and now I'm in limbo. I want to get out of this limbo situation asap, your reply has helped, but I need to consider further. Any other suggestions welcome. Thanks.

 

Edited by AP2012

21 hours ago, exile360 said:

Before you put too much stock in such tests, you might want to take a look at this, this and this.

Edit: Here's an example.  I loaded the page while composing this message, and within the last few minutes that it took me to write it, I've already got the following results:

[Image: heatmap screenshot]

 

Hi Exile,

Just to be clear, does this map data include missed PUPs? If so, then it's not entirely representative of real malware gaps and the adequacy of MWB. Yes, PUPs can be "potentially unwanted programs", but they are not 'de facto' malicious malware.

That said, the MRG Effitas test still shows MWB missing detection of 28% of PUAs/Adware, on top of an 18% miss rate on financial malware and a 17% miss rate on ransomware, which is much worse than most other products. That's why I am trying to understand / learn what this map is actually showing, and on what basis it is generating data, when the independent tests show that MWB is no longer as effective as it used to be, especially compared with when I first used the product.

If you need the reference to the test, here it is: https://www.mrg-effitas.com/wp-content/uploads/2018/05/MRG-Effitas-2018Q1-360-Assessment.pdf

Thank you.

Edited by AP2012

No, actually that map/page excludes PUPs.  If it did include PUPs the results would probably be several orders of magnitude larger than what is reflected.  Only actual malware detections are included, and only detections from scans, nothing from any of the real-time protection components in Malwarebytes.

With regards to MRG and other tests, you have to understand that they are using a specific set of handpicked samples versus the live real-time data being pulled from our heatmap which shows real world results based on live threat detections.  It illustrates that results from a controlled test set of specific threats/threat types etc. isn't necessarily an accurate representation of how a product will perform in the real world against live threats and real world scenarios.

Edited by exile360

9 minutes ago, exile360 said:

No, actually that map/page excludes PUPs.  If it did include PUPs the results would probably be several orders of magnitude larger than what is reflected.  Only actual malware detections are included, and only detections from scans, nothing from any of the real-time protection components in Malwarebytes.

With regards to MRG and other tests, you have to understand that they are using a specific set of handpicked samples versus the live real-time data being pulled from our heatmap which shows real world results based on live threat detections.  It illustrates that results from a controlled test set of specific threats/threat types etc. isn't necessarily an accurate representation of how a product will perform in the real world against live threats and real world scenarios.

Interesting, many thanks. I guess that another difference is between using MWB Pro/Premium versus ad hoc scanning on free. I assume this heatmap shows the results of both versions?

Incidentally, I do doubt the effectiveness of some tests out there, using VMs and not giving the anti-malware solution the chance to operate and learn / map the normal user environment as a baseline, which allows it to then make more accurate behavioural assessments, but MRG seems to be one of the more comprehensive testing organisations. That said, they only test the free, not the Pro, version from what I can see. Not sure about SE Labs' testing methodology.

Edited by AP2012

By the way, the reason I bring this up is that our SOPs now require that, on an annual basis, various independent test results are reviewed and averaged before making a choice as to whether to continue with a security product for another year of licence or choose another.


Most of the results in the heatmap have to be from users of the free version of Malwarebytes since the Premium version would have stopped these threats and quarantined or blocked them from getting onto the system if its realtime protection was active which would prevent them from being detected by scans.  It was done this way to illustrate without any doubt that the resident AV has had a chance to analyze and stop the threats being detected by Malwarebytes and to show that they just didn't and that the threat was able to get onto the system to the point where a Malwarebytes scan was able to detect it.


2 minutes ago, exile360 said:

Most of the results in the heatmap have to be from users of the free version of Malwarebytes since the Premium version would have stopped these threats and quarantined or blocked them from getting onto the system if its realtime protection was active which would prevent them from being detected by scans.  It was done this way to illustrate without any doubt that the resident AV has had a chance to analyze and stop the threats being detected by Malwarebytes and to show that they just didn't and that the threat was able to get onto the system to the point where a Malwarebytes scan was able to detect it.

Cool, thanks for the explanation.


You're welcome :)

It's an interesting subject and a difficult challenge to assess the performance of these products, especially with a threat landscape so varied these days with so many malware authors out there trying to develop new tricks to evade detection.  Given the complexity of how Malwarebytes functions in real-time, with so many different layers of defense operating at different points in the attack chain, it makes side-by-side testing rather difficult, so to play fair they had to step aside and let the AVs have their fair shot at the threats because many of the layers in Malwarebytes operate very early in the attack chain before any actual malware binaries are even present.  That's why only the results of scans were included and why they aren't showing any of the real-time threat blocks from Malwarebytes.

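The filtering rules exile360 lays out across his replies above (a third-party AV resident on the system, on-demand scan detections only, PUPs excluded, which in practice means mostly free-version systems) together with his caveat that raw counts are skewed by how many users run each AV, as an added worked example in Python. This is not Malwarebytes telemetry code: the record layout, the sample events and the installed-base figures are all constructed for the example, and the normalisation step is the editor's addition to show why a raw heatmap count is "not a 1:1 reference".

```python
"""
Added example: apply the heatmap's inclusion rules to a constructed
telemetry sample, then normalise per installed base. Not Malwarebytes
code; field layout, events and install-base numbers are assumptions.
"""
from collections import Counter

# Constructed detection events: (resident_av, source, category, threat).
# resident_av is None when no third-party AV was active on the system.
SAMPLE_EVENTS = [
    ("AV-A", "scan",     "malware", "Trojan.Agent"),
    ("AV-A", "scan",     "pup",     "PUP.Optional.Toolbar"),   # PUP: excluded
    ("AV-A", "realtime", "malware", "Exploit.Blocked"),        # RTP: excluded
    ("AV-B", "scan",     "malware", "Ransom.Locky"),
    ("AV-B", "scan",     "malware", "Trojan.Banker"),
    ("AV-B", "scan",     "malware", "Trojan.Agent"),
    ("AV-B", "realtime", "pup",     "PUP.Optional.Bundler"),   # both: excluded
    (None,   "scan",     "malware", "Trojan.Agent"),           # no AV: excluded
    ("AV-C", "scan",     "malware", "Backdoor.Bot"),
]

# Constructed installed base: systems running each AV that also scan
# with Malwarebytes. Pure assumption for the example.
INSTALL_BASE = {"AV-A": 100_000, "AV-B": 300_000, "AV-C": 10_000}


def heatmap_filter(events):
    """Keep only events meeting all three rules from the thread: a
    third-party AV was resident, the detection came from a scan rather
    than real-time protection, and the object is malware, not a PUP."""
    return [e for e in events
            if e[0] is not None and e[1] == "scan" and e[2] == "malware"]


def raw_counts(events):
    """Number of qualifying misses attributed to each resident AV,
    which is what a live map of detections shows."""
    return Counter(e[0] for e in heatmap_filter(events))


def misses_per_100k(events, install_base):
    """Normalise raw counts by installed base so a widely deployed AV is
    not penalised simply for having more users. Returns AV -> misses per
    100,000 systems, rounded to two decimals."""
    counts = raw_counts(events)
    return {av: round(counts[av] / base * 100_000, 2)
            for av, base in install_base.items()}


def ranking(events, install_base):
    """Return (AVs ordered by raw misses, AVs ordered by normalised rate),
    worst first; ties are broken alphabetically so the order is stable."""
    raw = raw_counts(events)
    norm = misses_per_100k(events, install_base)
    by_raw = sorted(install_base, key=lambda a: (-raw[a], a))
    by_norm = sorted(install_base, key=lambda a: (-norm[a], a))
    return by_raw, by_norm


if __name__ == "__main__":
    print("qualifying events:", len(heatmap_filter(SAMPLE_EVENTS)))
    print("raw counts:       ", dict(raw_counts(SAMPLE_EVENTS)))
    print("per 100k systems: ", misses_per_100k(SAMPLE_EVENTS, INSTALL_BASE))
    print("worst first (raw, normalised):", ranking(SAMPLE_EVENTS, INSTALL_BASE))
```

On the constructed sample AV-B tops the raw count only because it has the largest installed base, while AV-C, with a tenth of AV-A's users and the same single miss, has by far the worst rate once normalised. That reordering is the practical content of the "number of users running each AV will impact the results" remark: a live count is evidence that an AV let something through, not a league table, and a lab test with a fixed sample set has the opposite limitation, since it measures a chosen corpus rather than the traffic users actually meet.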
