Malwarebytes for Chrome vs Malwarebytes Premium detections

[Aura]

Pretty sure it has been asked before, but just in case it it hasn't, I'll ask it. Also, might be a good idea to sticky that answer at the top to prevent confusion in the future.

If a website is blocked by Malwarebytes for Chrome (or even for Firefox), should we assume that it would be blocked by Malwarebytes Premium via the Web Protection module as well? For instance, I tried to access a phishing website that showed as clean on VT (I know, detections aren't in RT, yadi-yada) but it was blocked by the extension. I didn't report it. Should I report it in the Newest URL or IP Threats section for Malwarebytes, or should it also be blocked in the program?

Edited June 19, 2018 by Aura

[exile360]

The browser extension has several behavior based blocking components and additional heuristics which are not built into the Malwarebytes 3 Web Protection component (they can't be because they must be able to access the pages/content from "inside" the browser to see it/detect it and the Web Protection component operates from the network stack at the same level as the Windows Firewall) so there will definitely be cases where sites are blocked by the browser extension that are not currently in the Malwarebytes 3 Web Protection database(s).

So if you identify a site being blocked by the browser extension(s) that is not blocked by Web Protection alone (and of course assuming it is not a false positive) then yes, you may report it to the Research team so that they may look into adding it to the MB3 Web Protection block list/black list.

This is one of the big advantages of this new technology.  It provides additional blocking capabilities and works hand in hand with the Web Protection component in Malwarebytes 3, enhancing what it can do (though it's not required to have both, though more malicious content is blocked if you do have both obviously).

I hope that answers the question, but if it doesn't just let us know.

[ParanoiaBoy]

i think i've just had a false positive with the MB's chrome extension blocking Discord on browser, meanwhile nothing popped up  from the MBAM3 Web Protection.

How do i report it?

[exile360]

Just create a topic in the Chrome extension beta forum and the developer will take care of it.  You can start a new topic there by clicking here if you wish.  Since the extensions don't really rely on databases much, they have to tweak the code and/or whitelist the site to eliminate the FP.  It's not exactly like MB3 where the Research team just has to remove an entry from the database so the Devs will have to take care of it (this is also how it works for the signature-less anomaly detection component in MB3 which relies on machine learning so the Researchers always have to forward those reports to the Developers for adjusting detections).

[dcollins]

@ParanoiaBoy you already did the right thing by replying to the existing topic. We're looking into this.

[ParanoiaBoy]

alright, thank you guys ??

let me know as soon as possible, if you can 

[exile360]

On 6/16/2018 at 9:24 PM, Aura said:

Pretty sure it has been asked before, but just in case it it hasn't, I'll ask it. Also, might be a good idea to sticky that answer at the top to prevent confusion in the future.

If a website is blocked by Malwarebytes for Chrome (or even for Firefox), should we assume that it would be blocked by Malwarebytes Premium via the Web Protection module as well? For instance, I tried to access a phishing website that showed as clean on VT (I know, detections aren't in RT, yadi-yada) but it was blocked by the extension. I didn't report it. Should I report it in the Newest URL or IP Threats section for Malwarebytes, or should it also be blocked in the program?

No, not necessarily.  As I mentioned in my previous post, the extensions rely more on signature-less behavior  based detection, so they are able to block new/unknown malicious sites that Web Protection won't until the Research team becomes aware of them.  It also blocks certain categories, such as some ads and tracking servers that aren't targeted by the Web Protection component in MB3.  The extensions are designed to work in tandem with the Web Protection in MB3, however they can also function separately without it.  When used with it, they can speed up browsing when web blocks from MB3 occur because they act sort of like a local server, speeding up the lookup (you'll often notice a delay in your browser when a site is blocked by MB3; this delay practically vanishes when using the browser plugins if the block was triggered by your browser and the block page tends to load much more quickly).  So the browser extensions are standalone tools that serve a somewhat similar purpose but accomplish it in a very different way which makes them more proactive, at least against specific types of sites such as tech support scam sites, clickbait sites and certain other categories of threats, plus their targeting of additional items not normally blocked by MB3.  At the same time, other malicious sites that can't really be blocked behaviorally because they're not obviously different in any meaningful way (other than hosting malware, obviously) from normal websites need to be included in a database/block list like the tech in MB3's Web Protection component (for example, malicious C&C servers or just sites that are hosting malware binaries or exploits but are structurally/behaviorally no different from any normal/safe site).