Memories

[IvanIvanovich]

After spending the entire afternoon and evening fixing computers all over town yesterday I now see that MBAM staff are telling us how they are making sure that this will never happen again.

The only problem with that is that is exactly the same as they said the last time it happened. It's only a couple of years ago that MBAM pushed another corrupt definition update. That time MBAM started to detect Windows system files as malicious and quarantined them causing thousands of machines to be bricked and having to have their backups restored.

The response from ´staff after that incident was that they were going to put in place testing procedures to stop anything like that ever happening again. We now see how much those promises were worth.

This used to be a good product that did what it was supposed to do, quietly and unobtrusively. It has now turned into a monster that needs constant babysitting.

The best version was the 1.75. It had no smileys, in any colour, and didn't try to hide all the "difficult" settings to please the eyes of those customers that don't like complexity. It was a good security product that did its job and provided the admin with the granular tools needed to set it up to work in the way he wanted.

Today's product won't even let you export a config file so that exclusions can be set identical on several machines, it won't let you turn off some notifications but not others, it won't let you handle your licences yourself but requires you to contact support and wait for weeks every time a machine is lost due to crash, and a bunch of other things that I can't be bothered to type but still nags me.

This product needs a reboot in order to get back to basics. Computer security is not about colourful user interfaces, it's about control!

[ParanoiaBoy]

i agree, but people will still defend them

[corkie]

Excellent post there Ivan. You know that in this business the goal posts are always moving and the longer a company is in it the bigger they get and the harder they become to deal with. It will be interesting to see where this leads.

[Durew]

30 minutes ago, IvanIvanovich said:

After spending the entire afternoon and evening fixing computers all over town yesterday I now see that MBAM staff are telling us how they are making sure that this will never happen again.

Sounds like you made some great income that day. I do hope they find a way to prevent it from happening again, its nature seems to be different from last time.
 

Quote

The only problem with that is that is exactly the same as they said the last time it happened. It's only a couple of years ago that MBAM pushed another corrupt definition update. That time MBAM started to detect Windows system files as malicious and quarantined them causing thousands of machines to be bricked and having to have their backups restored.

Don't give the staff nightmares again. ;-P

32 minutes ago, IvanIvanovich said:

The response from ´staff after that incident was that they were going to put in place testing procedures to stop anything like that ever happening again. We now see how much those promises were worth.

Truth be told, malwarebytes hasn't tried to remove genuine windows files form my PC. So it seems that promise was kept. The occasional false positive does occur but at a similar rate as other AV-software and I like the reporting system of MB. Even the latest big issue didn't remove anything from my PC and the problem was mitigated with exiting malwarebytes. Making the 'big issue' nothing more than 'inconvenient' to me but startling to those less well versed in computers.

33 minutes ago, IvanIvanovich said:

The best version was the 1.75. It had no smileys, in any colour, and didn't try to hide all the "difficult" settings to please the eyes of those customers that don't like complexity. It was a good security product that did its job and provided the admin with the granular tools needed to set it up to work in the way he wanted.

The new version does look less intimidating and I agree that that is a bummer. But luckily I got a lot more settings to mess around with now.

BTW wasn't it version 1.75 that bricked all those computers? (Not sure, was before my time)

36 minutes ago, IvanIvanovich said:

Today's product won't even let you export a config file so that exclusions can be set identical on several machines, it won't let you turn off some notifications but not others

True. I personally don't really need those features but there is a feature request forum... They actually look there and quite some suggestions have been implemented.
 

37 minutes ago, IvanIvanovich said:

won't let you handle your licences yourself but requires you to contact support and wait for weeks every time a machine is lost due to crash

Are we still talking about the home version? (I assumed this as this is the sub-forum for home users) I never had to contact support for license issue after a reinstall.

39 minutes ago, IvanIvanovich said:

a bunch of other things that I can't be bothered to type but still nags me

I'd advise to vent with a long list of feature request in the appropriate sub-forum.

40 minutes ago, IvanIvanovich said:

This product needs a reboot in order to get back to basics. Computer security is not about colorful user interfaces, it's about control!

The looks that should prevent those less well versed in computers from running away screaming in fear, can be somewhat dissuading. But beneath the layers of pretty their is more control than ever before (IMHO). The 'back to basics' is a bit vague to me. My first instinct would be to translate it to "go back to when you just did file-dectection",  a method that we know is insufficient these days thus this is unlikely what you mean. (But you can still use just the file detection if you want to.) Could you elaborate in what path Malwarebytes should follow in your opinion?

[IvanIvanovich]

@Durew

1. I also have about a hundred or so clients yelling at me to get their computers back up and quite frankly this isn't the reason I'm in this job - to clean up after someone else's mess.

2. Why not? They seem to have forgotten all about the lofty promises they made that this wouldn't happen again.

3. The promise was to test their updates before pushing them to customers. Don't try to muddle the waters like a politician, I hate politicians and it will only make me hate you as well.

4. Today's version has less control than version 1.75. No it wasn't that version that bricked Windows it was a bad definition update. 

5. That feature request have been made hundreds of times during the last few years to no avail. Staff is only interested in cosmetics not function.

6. Every time anyone with a lifetime licence loses their machine due to a sudden failure (MB, HDD, RAM) and require a reinstall from scratch the licence servers will deny their key telling them that it "has exceeded the number of installs allowed". It invariably means three weeks back and forth  with support with them forgetting to act about a dozen times for every email you send them.

7. I'd be very happy to tell the powers to be how to make a good product if they pay me a good salary. They had a good product that they trashed by being more concerned by looks instead of function.

8. There is far less control in this version than there should be, and indeed is in many competitors. I have AV-suites that have been able to export settings for more than 30 years now! It's not censoreding rocket science. It's basic common sense.

Edited January 28, 2018 by IvanIvanovich
typo

[TempLost]

I agree about the need for the capability to export settings - I've raised this request before.

[IvanIvanovich]

12 minutes ago, TempLost said:

I agree about the need for the capability to export settings - I've raised this request before.

So have I, multiple times over multiple years. So far no one has listened.

[Durew]

@IvanIvanovich thanks for your reply.

52 minutes ago, IvanIvanovich said:

1. I also have about a hundred or so clients yelling at me to get their computers back up and quite frankly this isn't the reason I'm in this job - to clean up after someone else's mess.

That sucks. I had a bit brighter outlook on your situation: lots of clients who were grateful that you helped them, not constant yelling. I hope that you will be able to enjoy the fun parts of your work again soon.

 

55 minutes ago, IvanIvanovich said:

The promise was to test their updates before pushing them to customers. Don't try to muddle the waters like a politician, I hate politicians and it will only make me hate you as well.

I'd rather stay in engineering than move to politics. I can only say that I did see the promise more narrow than you did and expected that something would slip through regardless of procedures. (Since I don't have the literal source and stuff I can't say who is right and it sounds way to much like finding out would include acting like politicians and lawyers.) Especially when you push updates as often as MB. But I do now better understand your point of view. When you take the promise broader than I did they did break their promise as it was an update that wrecked stuff on a big scale.

1 hour ago, IvanIvanovich said:

4. Today's version has less control than version 1.75. No it wasn't that version that bricked Windows it was a bad definition update.

A bad definition update in the time that version 1.75 was the most recent, I intended to say. But that detail aside, I don't recall at the moment what control 1.75 offered that 3.3.1 doesn't. Could you mention some examples of control the 1.75 version offered that the 3.3.1 version does not? Or is this more a 'relative to other AV software' perspective, where, compared to other AV-software at their respective times, Malwarebytes offers less control?

1 hour ago, IvanIvanovich said:

Every time anyone with a lifetime licence loses their machine due to a sudden failure (MB, HDD, RAM) and require a reinstall from scratch the licence servers will deny their key telling them that it "has exceeded the number of installs allowed". It invariably means three weeks back and forth  with support with them forgetting to act about a dozen times for every email you send them.

That surprises me as I never ran into this problem. I guess I was lucky or my situations were just differed in some crucial detail. Maybe @celee can help improve this. Three weeks of mailing back and forth for something that sounds as a quite trivial task sounds like a real pain whilst it shouldn't be. Celee might ask for times, dates, ticket number etc. to allow her to find the problem in her systems.

1 hour ago, IvanIvanovich said:

I'd be very happy to tell the powers to be how to make a good product if they pay me a good salary. They had a good product that they trashed by being more concerned by looks instead of function.

Though I personally believe that 1.75 is inferior to 3.3.1 in an absolute sense I do worry about how they match up with other these days and suspect they used to be further ahead of the curve in the old days. Sadly, I've been unable to find a lot 'recent-ish' reliable tests of MB 3.3. I didn't expect a description that is so detailed that it would be reasonable to ask a salary for it, but maybe they will pay you to help out https://jobs.malwarebytes.com/ they are looking for some people in quality assessment and it would seem they could use some help there.

1 hour ago, IvanIvanovich said:

There is far less control in this version than there should be, and indeed is in many competitors. I have AV-suites that have been able to export settings for more than 30 years now! It's not censoreding rocket science. It's basic common sense.

It seems the export function is a bit more important to people than I thought (found the feature request topic) and as I know at least some AV's offer it I agree it should be added, perhaps should have been. I still have trouble understanding what control you have lost and what control you are looking for. I fully agree that having good control over AV-software is important but, at the moment I don't really see what control would be more required. At the moment I'm stuck at a 'warn me when this specific protection layer is turned off', setting that could be added. Could you elaborate on what control you are missing?
(When I compare with Emsisoft I found it had a bit more options but only because it had different features.)

Regards,
Durew

[exile360]

They already do have automated testing in place since the last major FP incident, which was precisely what was promised and the resolution that was implemented.  The problem with that is, an automated FP check will obviously not flag any sort of memory leak/performance issue resulting from a corner-case bug like the one that occurred today.  This bug was most likely the result of some bug in the code where, if a specifically written block entry in the database is included, it causes the service to fail to load the database into memory properly resulting in escalating RAM usage until the system runs out of resources.  It's not something anyone would even think to test for (or expect to even be possible) until it has already occurred/been discovered, which was precisely what happened yesterday when the bad database got published.  So now the Devs have likely implemented an automated check to scan the block database for any errant lines containing the specific string/block entry that is known to trigger this issue, and if found, notify the Research team and block the update from being published.

As for live user testing prior to being published, with an issue like this it is quite likely that no one would have noticed it, especially if running a system with a fast CPU and a substantial amount of RAM (8GB+).  Unfortunately, that would have been a very subjective thing to notice, and while one could argue that perhaps both a low-end and high-end (and perhaps even some mid-level) systems be used for such hypothetical testing, I'd again argue that unless an event like this had been predicted in advance (again, a corner-case which had never occurred prior to this), there would be no way to predict that such testing measures would be necessary to spot any potential issues.

So really, the main problem with this issue was that there was no automated way to spot it/test for it without being aware of the bug that caused it prior to the event occurring, which wouldn't make sense since, if the team were already aware that this issue could occur, they would have published a fix for it long before this update that triggered it ever got published.  It had to be an oddball corner-case issue that got past QA and Dev and thus no one was looking for it until it had already actually happened.