
Paid premium user of several dozen licenses for Malwarebytes, here. Recently we've had an issue where our business customers' email accounts become compromised, and they email us Word .doc files containing malicious macros. Symantec, VirusTotal, etc., flag these items, but Malwarebytes doesn't see anything wrong with them, even when I manually scan the items in question.

I feel I may have chosen poorly by going with Malwarebytes. How can I "beef it up" so that it also scans for these common malicious items? Thanks!


***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.


If you are having technical issues with our Windows product, please do the following: 

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

  • Download Malwarebytes Support Tool
  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • You will be presented with a page stating, "Welcome to the Malwarebytes Support Tool!"
  • Click the Advanced Options link
  • Click the Gather Logs button
  • A progress bar will appear and the program will proceed to gather troubleshooting information from your computer
  • Upon completion, click OK
  • A file named mbst-grab-results.zip will be saved to your Desktop
  • Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies".

To save attachments, please click the link as shown below. You can click and drag the files to this bar, or you can click the choose files, then browse to where your files are located, select them and click the Open button.

One of our experts will be able to assist you shortly.


If you are having licensing issues, please do the following: 

For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 


Thanks in advance for your patience.

-The Malwarebytes Forum Team


Malwarebytes' Anti-Malware (MBAM) does not target MS Office documents via signatures. It will target the payload of malicious documents. It will also use its anti-exploitation module to prevent the download and execution of the payload of malicious MS Office documents.

Please review the following thread as an example: New ransomware - spawned by trickbot emotet?

Additionally, MBAM does not target scripted malware files via signatures. That means MBAM will not target: JS, JSE, PY, HTML, HTA, VBS, VBE, WSF, CLASS, SWF, SQL, BAT, CMD, PDF, PHP, etc.
It also does not target documents such as: PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, RTF, etc.
It also does not target media files: MP3, WMV, JPG, GIF, etc.

Until v1.75, MBAM could not access files in archives, but with v1.75 came that ability, so it can unarchive a Java Jar (which is a PKZip file) but it won't target the .CLASS files within. Same goes with CHM files (which is a PKZip file), but it doesn't target the HTML files within. MBAM v1.75 and later specifically will deal with ZIP, RAR, 7z, CAB and MSI for archives, and self-extracting ZIP, 7z, RAR and NSIS executables (aka SFX files).

MBAM specifically targets binaries that start with the first two characters being MZ.
They can be EXE, CPL, SYS, DLL, SCR and OCX. Any of these file types can be renamed to be anything, such as TXT, JPG, CMD and BAT, and they will still be targeted just as long as the binary starts with 'MZ'.

Edited by David H. Lipman: Spelling, Grammar and Clarification
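The content-versus-extension distinction described in the post above (a renamed EXE is still an 'MZ' binary, and a Jar is just a PKZip container whose entries can be inspected), as an added triage example that is not Malwarebytes code. The check for a `word/vbaProject.bin` entry in a macro-enabled OOXML document is this example's own addition, based on the OOXML layout; all sample files are constructed in memory.

```python
"""Added triage helper (not Malwarebytes code): judge a file by its leading
bytes rather than its name, and look inside PKZip containers (ZIP, JAR, OOXML)
for embedded MZ entries or a vbaProject.bin macro stream (example's own check)."""
import io
import zipfile

MZ = b"MZ"          # DOS header magic at offset 0 of every PE (EXE, DLL, SYS, OCX, ...)
PK = b"PK\x03\x04"  # local file header that opens a PKZip container


def classify(name: str, data: bytes) -> list[str]:
    """Return findings for one file, based on its bytes, not its extension."""
    findings = []
    if data[:2] == MZ:
        findings.append(f"{name}: MZ executable (extension ignored)")
    elif data[:4] == PK:
        findings.append(f"{name}: PKZip container")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for entry in zf.infolist():
                with zf.open(entry) as fh:
                    head = fh.read(2)
                if head == MZ:
                    findings.append(f"{name}!{entry.filename}: embedded MZ executable")
                if entry.filename.lower().endswith("vbaproject.bin"):
                    findings.append(f"{name}!{entry.filename}: VBA macro project present")
    return findings


def make_zip(entries: dict[str, bytes]) -> bytes:
    """Build a small in-memory zip from a name -> bytes mapping (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, body in entries.items():
            zf.writestr(fname, body)
    return buf.getvalue()


# Constructed samples: headers plus filler bytes, nothing executable or malicious.
SAMPLES = {
    "invoice.txt": MZ + b"\x90" * 62,                  # renamed EXE, still starts with 'MZ'
    "report.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,  # genuine JPEG header, no finding
    "tool.jar": make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                          "bin/loader.exe": MZ + b"\x00" * 30}),
    "quote.docm": make_zip({"[Content_Types].xml": b"<Types/>",
                            "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 16}),
}


def triage_all(samples=SAMPLES) -> dict[str, list[str]]:
    """Classify every sample and return the findings keyed by file name."""
    return {n: classify(n, d) for n, d in samples.items()}
```

Run `triage_all()` to see that the `.txt` file is reported as an executable, the JPEG produces no finding, the Jar reveals its embedded MZ entry, and the `.docm` is flagged only for carrying a macro project.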

Greetings,

Malwarebytes does not scan for these types of items, the reason being that it is far too trivial for the bad guys to modify malicious scripts/macros to evade detection (including using methods such as encryption as well as simply altering a script's content to re-order/change its commands sufficiently so that it is no longer detected by existing signatures). This being the case, Malwarebytes instead relies on behavioral detection of items of this type: since they are exploits, they should be detected by the Exploit Protection component in Malwarebytes Premium whenever the file attempts to execute/open the malicious macros/script in question. You can find out more about how the various layers in Malwarebytes function to detect threats during the various phases of the attack chain by reviewing the information in the diagram on this page, and you can learn more about why signature based detection of malicious scripts is a less effective countermeasure by reading the information found in this article.

To put it bluntly, signature based detection of modern threats, especially script based threats like exploits, malicious macros and the like, is an unquestionably futile effort and will fail just as soon as the bad guys catch on (which they do rather quickly, as they have access to automated scanning systems similar to VirusTotal and the like for this very purpose); they'll make a quick change to their code and it will no longer be detected until the AV vendors capture samples of the new variant(s), after at least some users have already been infected by it, and after the AV vendors publish new signatures to detect the new variants. This is a reactive approach to security that falls short of the standards that the Devs and Researchers at Malwarebytes hold themselves to, which is why they rely on more proactive solutions like Exploit Protection more so than signature based components like the scan engine to deal with such rapidly evolving threats.
