Solitario

Feature request.


Hi, I'd like mbam to have a Behavior Blocker added. Also that the complete signature bases are in the cloud, and that when we have no internet it has a limited local database.  Thank you very much. Greetings.


Greetings,

Malwarebytes actually already includes several signature-less behavior based protection components which are found in its Exploit Protection technology as well as its Ransomware Protection component, neither of which use signatures or databases for detections.  Malwarebytes also already uses cloud components in its signature-less anomaly detection component which allows Malwarebytes to use the cloud to analyze new and unknown files to help determine if they are malicious and to flag them if they are.  Malwarebytes of course also uses locally stored databases for its more traditional detection components which contain both traditional detection signatures as well as more advanced heuristics signatures which are capable of detecting many different threats using individual detection algorithms and file signature structural patterns.

You can learn more about the various layers of protection included in Malwarebytes 3 and how they work to protect your system by taking a look at the diagram and information found on this page.


My suggestion would be to add one more module in mbam with BB and that it be for all types of malware. Thank you very much. Greetings. 


The problem with that is, there really are no generic behavioral rules which apply to every type of threat, especially these days where the vast majority of attacks are a varied combination of threats including exploits, malicious scripts, downloaders and even file-less malware that doesn't use any executables.  Perhaps what you're asking for is a HIPS or something along those lines, however the unfortunate truth is that such protection tools have existed for several decades now and yet they still haven't proven to be substantially more effective than more traditional means of threat detection because the bad guys always find a way around whatever generic methods are being used to block them.  User Account Control which was introduced in Windows Vista has the same problem.  On paper it seems like a great idea, restricting permissions and requiring administrator approval to do anything that impacts any areas of the system which are restricted, however the bad guys immediately started building threats that didn't require administrative access, installing to locations where only normal user permissions were required, thus bypassing UAC completely.

A behavior blocker that attempts to detect all malware sounds like a good idea, but the problem is that with such a wide variety of threats and attack methods, actually creating one that is effective, somehow avoids tons of false positives, and remains effective against new types of threats isn't something that would be easy to build, assuming it's even possible (I've never seen one in all the years I've been around the security industry, though many have tried).  The real problem is that as soon as you make something that is super sensitive and super strict to try to catch all threats, you end up finding tons of false positives where it detects normal, safe software as malware, so you tune it down, relax its detection policies to avoid the FPs and then you find real malware that suddenly isn't detected any more because of the tuning you did to avoid the false positives.  So either you get a behavior blocker that blocks everything (including non-malware that shouldn't be detected), or you get a tool that plays it safe and avoids the false positives, but doesn't detect many real threats because it isn't strict enough and I have yet to find a behavior blocker that strikes the perfect balance.

The only thing we can realistically do is create modules and rules specifically targeting certain known malicious behaviors, the same way that Exploit Protection and Ransomware Protection do, where they are specialized to attack only certain kinds of threats.  Other modules could be added in the future to detect additional kinds of threats, but what types of threats would those be?  Today there isn't the wide array of diverse attack methods that there once was.  There are no more file infectors or rogue AVs.  Keyloggers have become very rare, as have many other categories of threats.  Today it is mostly rootkits that install PUPs (Potentially Unwanted Programs) for profit, crypto-currency miners (Bitcoin miners etc.), tech support scams (which don't actually use malware in their attacks, just websites/browser pop-ups that try to convince you that you are infected when you aren't), and fake/junk browser plugins that pose as something useful (like Flash updates, Java updates, codecs, ad blockers etc.) that are adware/PUPs themselves, and the occasional password stealer (like the threats that try to steal Steam credentials etc.).  But a week, month, or year from now it could be totally different.  Up until recently ransomware was everywhere, but today there are very few ransomware families still out there because the bad guys have moved on now that the major security vendors have developed effective countermeasures to detect and block ransomware (like the Ransomware Protection in Malwarebytes).  Currently the combination of protection components in Malwarebytes does target the vast majority of known threat types, and the ones that aren't specifically targeted by a special module or component are covered by other protection modules (like Web Protection and the new Malwarebytes browser extension which is currently in beta).
If there were some specific classification of prominent threat that wasn't well covered by the existing protection technology in Malwarebytes, then the Developers and Researchers would create one that is, but this is not the case currently.  Right now there just aren't a wide variety of threats out there, and I think a large part of the reason why is because so many users are now browsing the web on mobile devices such as Android tablets and smart phones so a lot of the bad guys have abandoned Windows based malware because those threats won't infect users of those mobile devices, so instead they're now focused more on scams that don't use malware as well as malicious/PUP browser plugins that can install on any device where the targeted browser is being used (which is why so many of these PUP add-ons have been targeting Google Chrome, since it is by far the most commonly used browser, especially on those mobile devices).

The security world has changed because the majority of internet users are no longer on Windows PCs, so the bad guys have stopped targeting PCs directly as frequently as they used to and I only see this trend continuing as more users stop accessing the web through Windows machines and start using their mobile devices more and more.  It's the same reason there aren't a whole lot of threats that specifically target Macs or Linux machines because there aren't as many users of those types of devices.  It's not because those operating systems are inherently more secure than Windows, it's because they hold only a small percentage of the market share so the return on investment for the bad guys wouldn't be worth the cost, time and effort required to develop threats that target those operating systems/devices specifically.  This is also why the number of mobile threats has been increasing massively over the past few years while at the same time Windows malware has been reduced to just a few specific types of threats and attacks because the bad guys are going where the users are.

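To make the tuning trade-off described in the reply above concrete, here is an added example that is not Malwarebytes code and not part of the original thread: a toy score-based behavior blocker run over constructed benign and malicious process traces. The behavior names, weights and traces are all assumptions constructed for the illustration; sweeping the blocking threshold shows that no single setting removes both the false positives and the misses.

```python
# Toy score-based "behavior blocker" illustrating the sensitivity trade-off.
# Every behavior name, weight and trace below is constructed for this example.
WEIGHTS = {
    "write_startup": 2, "modify_registry_run": 2, "create_service": 2,
    "mass_file_write": 3, "delete_shadow_copies": 4, "rename_many_files": 3,
    "outbound_http": 1, "drop_executable": 2, "spawn_script_interpreter": 2,
}

# Constructed traces: the set of behaviors observed for one process.
BENIGN = {
    "installer": {"write_startup", "modify_registry_run", "create_service"},
    "backup_tool": {"mass_file_write", "delete_shadow_copies"},
    "browser": {"outbound_http", "drop_executable"},
}
MALICIOUS = {
    "ransomware": {"mass_file_write", "delete_shadow_copies", "rename_many_files"},
    "downloader": {"outbound_http", "drop_executable", "write_startup"},
    "script_loader": {"spawn_script_interpreter", "outbound_http"},
}


def score(trace):
    """Sum the weight of every suspicious behavior seen in the trace."""
    return sum(WEIGHTS.get(behavior, 0) for behavior in trace)


def evaluate(threshold):
    """Return (false_positives, misses) when blocking at score >= threshold."""
    false_positives = sorted(n for n, t in BENIGN.items() if score(t) >= threshold)
    misses = sorted(n for n, t in MALICIOUS.items() if score(t) < threshold)
    return false_positives, misses


def sweep(thresholds):
    """Map each threshold to its (false-positive count, miss count) pair."""
    return {th: tuple(len(x) for x in evaluate(th)) for th in thresholds}


def zero_error_thresholds(thresholds):
    """Thresholds (if any) that produce neither false positives nor misses."""
    return [th for th, (fp, fn) in sweep(thresholds).items() if fp == 0 and fn == 0]


if __name__ == "__main__":
    for th, (fp, fn) in sweep(range(1, 12)).items():
        print(f"threshold={th:2d}  false_positives={fp}  missed_threats={fn}")
```

Lowering the threshold flags the installer and backup tool; raising it lets the downloader and script loader through, which is exactly the tuning loop the reply describes.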

Wow, thank you so much for your answer. My intention is that they create a BB like the Emsis*ft competition has. That's why the first post suggested that mbam could be based in the cloud while saving a small database locally. This way, when we are without the internet, the BB and the small database are enough to stop any kind of threat.
If you want, this issue can be marked as resolved. I thank you again for your great answer. Thank you very much. Greetings.


You're very welcome :)

Yes, Malwarebytes actually has several locally stored databases of threats that include not only traditional detection signatures, but also more advanced heuristics algorithms that target entire families of threats as well as many new and unknown threats, and of course the signature-less behavioral protection components (like the Exploit Protection and Ransomware Protection components I mentioned earlier) don't rely on any signatures at all to detect malware/attacks.  Most of what Malwarebytes does works without an internet connection, however there are some components that do utilize the cloud for more advanced analysis.  Malwarebytes 3 as it is now uses a wide variety of layers to protect a system, some of which use locally stored signatures, others that use the cloud, and others that use strictly behavior, so unless the threats change drastically, there isn't much that Malwarebytes wouldn't be fully capable of detecting already as long as all of those components are active.  Even the Web Protection component uses locally stored databases of malicious servers and websites so it doesn't have to be connected to the web to work (though web access is needed to acquire updates of course).
