Exclusions on Mac client

[fwdIT]

Using the latest beta Mac client at the moment (Premium license)

I am wondering when the Exclusions option will be added to the Mac client as it is seemingly present on the Windows client (https://support.malwarebytes.com/docs/DOC-1130)

My backup software is making the RTProtectionDaemon using high CPU in normal conditions, probably even worse during a scheduled scan.

Looking at the settings window in above document for the Windows version of the client, we are missing quite some options and settings on the Mac version. Will the Mac version be extended to match the possibilities of the Windows client at some point? Or will it always be more limited?

I am looking for a good AV / malware client on Mac for a long time already, one with enough advanced tweaking so that I can limit its presence in CPU load while letting it scan specifically the areas I want to be monitored.

[alvarnell]

I am aware of a few such features that have been and will continue to be added to the Mac version, but I don't think you should expect all of them to be since the Operating Systems are very different with regard to the available attack vectors and locations in which malware can be installed. 

That being said, I believe the developer is aware of some issues involving backup software (it might be helpful to mention it by name here) and is actively working to overcome such problems. I'm curious as to exactly which of the Windows Setting you feel could be excluded in your setup to preclude that specific issue? The only two exclusions I see that would be applicable to the current version of Mac Malwarebytes are "File or Folder" and "Previously Detected Exploit" and I don't see how either would apply to backup software.

Certainly low CPU use has always been a hallmark objective of Malwarebytes for Mac and it's predecessors and I don't expect that to be relaxed as a high priority goal going forward.

[fwdIT]

Thanks for your feedback.

I am indeed aware of the different attack vectors due to it being totally different operating systems.I was kind of general in my wondering of settings on the Windows client being ported to the Mac client. The only one I would surely find useful today

[fwdIT]

sorry, seems a mistaken key combo posted my unfinished reply, continuing ...

The only feature I would surely find useful today already (without really looking into what is possible on the Windows client) is the Exclusions setting: File or Folder, Previously Detected Exploit but also Application / Process I would find quite useful

The brand / type of backup application does not really matter that much in my opinion. Being time machine, crashplan (in my current case) or restic (or even rsync cloning), if files get touched / read / written with realtime protection, the AV client will try to scan them. And with a large amounts of files, it will require any AV to take the needed resources of the system to be able to complete the task. From AV to AV it can still vary how many resources it needs but for large backups / syncs any AV client will take considerable resources.
It would be useful to be able to exclude the data flows which I consider thrustworthy so that the system keeps running smooth and the AV can take the resources it wants and needs to do scans of the areas I want it to concentrate on.

[alvarnell]

You may have a point about on-access scanning, but I have always been under the impression that Real-Time Protection only scans files that are new or have been modified. Touched or Read files should not be triggering a scan unless RT is a misnomer. 

I'm also under the impression the RT Scanning only looks at locations where malware has been known to be installed and does not watch your entire drive, so there are only a few folders that could be excluded and doing so would significantly reduce protection. Excluding Files or Folders outside of the ones being monitored would have no impact at all.

The type of backup plan could make a difference in that crashplan requires Internet Connectivity, which is the only type of Application that can be excluded for Windows. There are a few others that need Internet access, but most users use TimeMachine, CCC and SuperDuper! which do not. But even their, Malwarebytes for Mac is not involved in Internet data flow at all and I don't know of any plans to. There are separate extensions/add-ons for Firefox and Chrome under beta testing and there's a Safari extension in planning, but those are separate software programs at present.

[fwdIT]

And you also have a valid point, if for instance the checksum of a previously scanned file has not changed, it should not be scanned again when being read over and over. I hope the RT protection works like this for Malwarebytes.
Today I do see that during my crashplan backup, both processes take high CPU (also the RTProtectionDaemon), so they are seemingly interacting. I could dig deeper and loop over lsof to see if point processes access the same files at the same time, have not invested that much time in it.

Maybe RT protection doesn't look for all files / folders on the entire drive but I suspect scheduled scans will. In such case, it is useful to be able to exclude Files / Folders. For instance VM disks since they can be huge and can have frequent changes for running VMs, it is pointless for an AV to spend time scanning them.
In general I would only have a very limited amount of files and folders I would exclude. So I am looking more for exclusions based on application / process. But an AV also needs to make sure malware doesn't play with such feature so that it can easily bypass detection.
I would for example exclude (in RT protection) the rsync binary (the one under CCC since the sync processes are mainly just rsyncs), restic binary, crashplan backup daemon, time machine, ...
It all depends on how RT protection works on this AV. I am a fairly new customer, bought the premium a few weeks ago after having tested many other solutions in the past years.
Bitdefender is for instance rated quite good (although I do not agree completely, support was unprofessional) but with time machine protection for instance on (recommended), it also blocks correct usage of tmutil which I script to cleanup backups older than X time.
So all AVs so far have good points but also bad points hence my search continues. It is not easy to find a solution with good protection, low footprint on the system and more advanced config possibilities which normal home users won't often use or need. Maybe I need to look in another segment
Do you have any idea if the Malwarebytes Endpoint Protection does have more controls as the home user mac client ?

[alvarnell]

Way past my bedtime, so I won't be able to fully respond tonight, so just a couple of comments.

Malwarebytes for Mac does not use a typical scanner approach to searching for malware. By and large it only looks for files with specific names in specific places where they are known to be installed. I believe there are a few exceptions where heuristics are used, but if the same file is renamed or moved to a new location, it generally won't be found without updating the database.

As far as I know, scheduled scans are identical to manual scans without the need for user initiation. Neither look at all files / folders on the entire drive.

I know nothing about Malwarebytes Endpoint Protection except that a different team is responsible for it's development and support.

[fwdIT]

Your answers and clarifications are much appreciated, thanks!

Have a nice night! (Belgium here, almost noon)

[treed]

Being able to add exclusions is not a feature that would be meant to be used for anything other than stopping detection of something you feel shouldn't be detected. That would not have any applicability to performance or scan speed.

What backup software are you using, and where is it saving backups? You mentioned Time Machine in connection with Bitdefender, but we have never seen any conflicts between Malwarebytes for Mac and Time Machine. (Further, we won't scan your Time Machine backups at all, and don't believe anyone should be. Third-party software poking at Time Machine backups is a good way to break them, and nobody should be doing that.)

[fwdIT]

treed, thanks for the feedback

the more info in this thread appears, the more I understand how this malware detection client works and how it differs from more traditional av solutions

the case I now have is with Crashplan (online backup). I overgeneralized my wondering of similar impact to other backup solutions
I do wonder what the impact will be on other cloud backup solutions which generate internet traffic (Google Backup and Sync, Arq, restic over ssh, ...)

from alvarnell's comments above I understand that backup client with local actions probably won't be affected by backup/sync solutions with internet connections do get investigated by Malwarebytes ?

[treed]

Your backups shouldn't be affected... but, depending on how the client works, it's conceivable there could be a conflict that could cause RTProtectionDaemon to use a lot of CPU. We don't monitor/scan everything on your hard drive, but if a backup program were to create a lot of large temporary files in a location that we do monitor, that could do the trick. I'm not aware of such a conflict with CrashPlan, though.

If you're seeing a problem with the RTProtectionDaemon process that only happens when CrashPlan is backing up, and stops if you temporarily disable CrashPlan, then I'd be very interested in getting more information.

[fwdIT]

Sorry for the delay on my reply, didn't have time yet to investigate it further.

Will do some more thorough investigation on what the process is doing when Crashplan is running.
I wanted to investigate further already this week when I saw CPU usage spiking but that was during the scheduled daily full scan which in any case uses a lot of CPU.

I changed the scheduled scans to weekly for now to limit the stress on my system's resources during the work week and to have timeframes in which I am sure there is no scheduled scan happening and where the CPU of the malwarebytes client goes up due to another process running.

Will keep you updated