
Add BD detection to mbam.


Nazareno


Hi, I wanted to suggest you implement the virus signature of the bitdefender product. It has a high detection rate and is used by many antivirus programs. It is also very easy to implement. Well, my suggestion is tied to what the forum experts say. Thank you very much in advance. Best regards.


Greetings,

Back when I was employed by Malwarebytes I made this very suggestion (my preference was for Kaspersky at the time as they had the best track record back then for consistently high detection rates and I was familiar with the product having used it for quite some time at that point), however I think one of the main things holding them back (aside from the associated cost, of course) is that adding a full third party AV engine would really bloat the product, transforming what is currently an installation with a footprint of less than 100MB to one of several hundred MB's and it would obviously increase system resource usage in real-time as well, not to mention the fact that it would pretty much mean the end of official support for running Malwarebytes alongside other third party security solutions, including other AV products.  That last point is probably the biggest issue because Malwarebytes has always taken to the layered approach to security, meaning customers are free to select whatever combination of security products and tools they wish in order to better protect their systems from threats.  This means, for example, that any user running a modern version of Windows which ships with Windows Defender AV doesn't have to turn it off to get the full protection provided by Malwarebytes, and instead can keep it running to enhance their system's protection, and it also means that if they wish to add a third party AV solution such as the free version of Avast, Avira, AVG, Bitdefender, Kaspersky, Sophos or any other free or even paid antivirus solution, they are able to do so without having to worry too much about whether or not it might conflict with Malwarebytes in real-time.  There are a few advantages to this approach, not the least of which is that if a system is already compromised, the malware must disable both security solutions rather than having only a single point of failure; something that many users prefer just in case the worst happens.

Anyway, I don't want to say that this will never happen as things are always changing, but my guess is that at this time they are unlikely to decide to integrate a full AV engine into Malwarebytes, especially since the vast majority of modern threats are better dealt with using other less reactive measures such as the more proactive Exploit Protection and Web Protection in Malwarebytes Premium.


If Malwarebytes were to ever use a standalone, definition-based Anti-Virus engine, it seems like something that would need to be an optional component... specifically, one that you could only turn on if you didn't already have a separate AV system active, but would be available as a backup in the event said AV goes down.


40 minutes ago, Solitario said:

So how does Qihoo 360 do? Thank you very much. Best regards.

I don't know, I've never used it.

35 minutes ago, Amaroq_Starwind said:

If Malwarebytes were to ever use a standalone, definition-based Anti-Virus engine, it seems like something that would need to be an optional component... specifically, one that you could only turn on if you didn't already have a separate AV system active, but would be available as a backup in the event said AV goes down.

Yeah, but the trouble is they may be using an AV that doesn't register with Security Center/Action Center which MB couldn't detect, so in all likelihood if they did try to go this route they'd be forced to take the safest approach which would be to have it off by default and allow users to turn it on if they wish to, but the fact of the matter is that most normal users don't alter any settings so they'd not only never turn it on even if they really needed to, but they wouldn't even be aware that it exists as a feature.  This is the same reason they removed the trial checkbox from the installer because they found that no one was unchecking it during installation so removing it really made no difference except for the very small percentage of technical users who just wanted to run it in free mode all the time.  This is also the same reason we don't see too many complaints about settings, but when something in the main UI is changed or especially when there's an issue with the pop-ups that the program displays, users are sure to complain because those things are actually noticeable without having to go and look for them.  Most users just want an install-it-and-forget-it solution, so offering them more controls and options gives them no real benefit.  I value such things of course, but I'm far from the norm and I don't take such a technical approach to all types of applications on my system (for example, I seldom find myself tweaking the settings in Media Player or MS Office, but I'll spend hours securing my browser and configuring my security software).


@Solitario, talking about Qihoo 360, which uses the Avira and Bitdefender engines: note that even if both of those engines are turned on alongside Qihoo's own engine, they still do not receive complete (meaning 100%) signature-based detection. I do not know why, but on personally scanning about 75000 malware samples, Qihoo with both the Avira and Bitdefender engines enabled detected only around 40000 samples, whereas eScan, which only uses the Bitdefender engine, detected around 63000 samples, and Emsisoft, which again uses its own engine together with the Bitdefender engine, detected around 66000 samples.

So what I am trying to say here is that there might be some restriction imposed by Bitdefender even when sharing its signature-based engine with other AVs.

On a personal note, I am using Bitdefender Free (which uses exactly the same signature, cloud and heuristic engine as its paid version, with the same phishing and malicious website blocking technology) with Malwarebytes Premium.



44 minutes ago, exile360 said:

You may if you wish, however before you do I'd suggest reviewing the information in the controversies section of their Wikipedia article as it may have bearing on their trustworthiness.

Huh. Why would they switch out their AV engine between testing and the consumer product? Almost sounds like they're hiding something. Perhaps their own engine is intentionally designed to let some stuff through? *shrugs*


50 minutes ago, Amaroq_Starwind said:

Huh. Why would they switch out their AV engine between testing and the consumer product? Almost sounds like they're hiding something. Perhaps their own engine is intentionally designed to let some stuff through? *shrugs*

No idea, your guess is as good as mine, but my guess would be that maybe it's because they weren't happy with the results of the test using their own engine.  That's just speculation though, as I have no first-hand knowledge about them as I've never tried their products.


1 hour ago, rubberswip said:

On a personal note, I am using Bitdefender Free (which uses exactly the same signature, cloud and heuristic engine as its paid version, with the same phishing and malicious website blocking technology) with Malwarebytes Premium.

Hello, if you use BD Free with mbam it's because you don't feel safe with Malwarebytes alone, and you're right. But in this forum I do not know what happens. Best regards.


I am using BD because there are some malware/viruses that Malwarebytes does not target. It is not that I do not love Malwarebytes; if I had not loved Malwarebytes I would not have used it. You need to understand that there are some file extensions that Malwarebytes does not target, and to get yourself protected against those you need a proper antivirus.

As far as I know, Malwarebytes does not target some viruses, .doc or script-based files and many other extension types, and this is where the need for Bitdefender comes in.


Actually it does target those types of threats, however it does so in a more proactive way.  Rather than relying on actually having seen a threat in the past as a signature approach would, Malwarebytes instead uses the much more proactive and more effective method of generically detecting the exploits that attempt to use such infected files (scripts, infected documents, as well as file-less malware for which there are no traditional signatures).

That is not to say that there's anything wrong with using an antivirus, and you're more than welcome to of course, but just to be clear, there are no threat types currently in the wild that Malwarebytes does not target; they just rely more on behavior based approaches rather than strictly signature based detection.  The big advantage is that Malwarebytes doesn't have to encounter a threat from an infected user or capture by a threat researcher before it can be able to stop a new threat/attack in the wild while this is not the case for a signature based approach.


3 hours ago, rubberswip said:

To add here, today's world is basically all about making money...

Very much this ^.  While there are some other motivations such as corporate and government espionage and terrorist cyber-attacks/cyber-warfare, the vast majority of threats and attacks are motivated by financial gain.  The days of playful college students/hackers creating viruses just to see how annoying they can be and how many systems they can infect just for the fun of it are over.  It's all about $ now, so for an attack/threat to be profitable, it must be dynamic enough to have sufficient shelf life that they don't have to waste additional time/effort/manpower on it every time an AV vendor adds a static signature to detect it.  This means that each time you see that infected binary/executable/malicious document/script etc., it is very likely that it is unique and has been configured server-side to morph/change in a semi-random manner so that no two samples are identical, thus evading static signature detection without requiring the bad guys to rewrite the code by hand each time the file gets uploaded to VirusTotal and/or captured by a threat researcher.  All of this can be automated with compilers, packers/encryptors and scripting tools so that the bad guys don't have to do anything by hand once it has been deployed except collect their data/financial details/credentials/ransom etc. once it starts rolling in from infected systems.  This is one of the big reasons the entire industry is getting away from static signature detection and moving towards a behavior based approach and relying more on technologies such as machine learning and advanced heuristics algorithms to detect threats, attacks and malicious activities.  Even many PUPs aren't static any more.  We've been seeing PUP installers that change each and every time you download the installer just to attempt to evade detection because the more systems they can get their junk installed on, the more money they get paid through the ads, modified search results and tracking data they harvest from users.  This too is all about financial gain.

It is unfortunate that we live in a world where people are willing to harm others in order to profit, but that's why the AV and AM vendors exist, to hopefully protect users from all the garbage that's out there today, but it's a job that's been getting more and more difficult with every passing day as the bad guys get smarter, attract more talent, and gather more finances to fund their attacks, so staying on top of it requires new technologies and methods far beyond what traditional antivirus products once offered (this is also why you see so many protection components/modules in most AVs these days, because the old static methods aren't very effective for protection any more).

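The point made above, that server-side morphing defeats exact-match signatures while family-level heuristics still catch every variant, can be seen with a small simulation. This is an added example, not code from the thread or from Malwarebytes: the "samples" are constructed byte strings (an invariant core wrapped in random padding), and the n-gram Jaccard similarity is a stand-in for the family heuristics the post mentions, not any vendor's actual technique.

```python
import hashlib
import random

# Constructed stand-in for a malware family: the invariant "core" the operator
# must keep, wrapped in per-download random padding (the server-side morphing
# described in the post). Harmless text, not real malware.
CORE = b"CONSTRUCTED-FAMILY-CORE:connect;fetch;persist;exfil"


def morph(seed: int) -> bytes:
    """Return one unique-looking sample: random prefix and suffix around CORE."""
    rng = random.Random(seed)
    pre = bytes(rng.randrange(256) for _ in range(rng.randrange(8, 64)))
    suf = bytes(rng.randrange(256) for _ in range(rng.randrange(8, 64)))
    return pre + CORE + suf


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ngrams(data: bytes, n: int = 4) -> set:
    """All n-byte substrings; the core contributes the same set to every variant."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def hash_signature_hits(known_hashes: set, samples: list) -> int:
    """Static signature: exact SHA-256 match against hashes already seen."""
    return sum(1 for s in samples if sha256(s) in known_hashes)


def structure_heuristic_hits(reference: bytes, samples: list,
                             threshold: float = 0.1) -> int:
    """Family heuristic: n-gram similarity to a single captured reference sample.
    Threshold 0.1 is below the worst case for this padding size (48 shared
    core n-grams out of at most ~300 total), so every variant should match."""
    ref = ngrams(reference)
    return sum(1 for s in samples if jaccard(ref, ngrams(s)) >= threshold)


def demo() -> tuple:
    """(hash hits, heuristic hits) over 100 fresh downloads after one capture."""
    captured = morph(0)                      # the one sample a researcher saw
    known = {sha256(captured)}               # the static signature derived from it
    in_the_wild = [morph(seed) for seed in range(1, 101)]
    return (hash_signature_hits(known, in_the_wild),
            structure_heuristic_hits(captured, in_the_wild))


if __name__ == "__main__":
    print("hash signature hits, family heuristic hits:", demo())
```

A benign file shares no core n-grams with the reference, so the heuristic does not flag it; the trade-off the thread discusses is that such heuristics need tuning where a hash needs none.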

It's almost officially war at this point... I wonder how long until even more drastic measures need to be taken to deal with threats... and by "more drastic", I mean going as far as trying to fight fire with fire. For example, if you can somehow find out who makes certain malware, and can find a way to deliver your own code back to their machines, you can completely cripple their operation with targeted malware of your own. But I don't think anyone wants to deal with the controversy of making a Counter-Malware that gets onto computers the same exact way actual Malware would.


Yeah, that wouldn't exactly be legal, even if you're doing it to proven criminals.  Malwarebytes does assist law enforcement though in attempting to capture and shut down criminals when they can, and they're always working with service/hosting providers to help them clean out the bad content from their servers (at least for the hosts who aren't known for ignoring abuse reports and permitting malicious/illegal content on their servers).

Unfortunately the bad guys are really good at covering their tracks and they'll often use anonymous servers and infected systems belonging to legit users as proxies for their efforts, and in recent years some have even resorted to using peer-to-peer networks and protocols to remain anonymous and prevent their infrastructure from being taken down.  That's also why so many of them now demand payment in Bitcoin and other digital currencies that can't be traced because it protects their identities from the authorities.


There's a website called Bitcoin Abuse which should help. I was also on the receiving end of a bitcoin-demanding ransom email, and the sender even had the balls to spoof my email address. Turns out they were just bluffing however, but that same bitcoin wallet was used to demand an $800 ransom from dozens of different "victims" (apparently very few people actually fell for it).

Still, I'm at least glad that Malwarebytes exists and is always on the case. They fight for the Users!

If signature-based detection is ever implemented, it should probably be cloud-based to keep the impact on people's systems light, and only be used to blacklist known bad programs from executing in the first place, along with informing the user that those programs are trying to do a thing.


Oh, Malwarebytes does already have signature based detections, it's just not the primary layer.  They also have cloud technologies, machine learning, threat structure heuristics to detect similar threats/files from known malware families, install pattern based heuristics, common spoofing method heuristics (fake MS digital signatures/certs/version info etc.), as well as all that behavior based stuff we've been talking about.

Here's a good breakdown of the technologies implemented in Malwarebytes Premium at the moment (I pulled this info from this page, but it applies to the consumer version as well):


Early Attack Layers (before payload delivery/before malicious file download):

Web Protection
Prevents access to command and control (C&C) servers and malicious websites.

Application Hardening
Reduces the vulnerability surface, making the endpoints more resilient. Proactively detects fingerprinting attempts made by advanced exploit attacks.

Exploit Mitigation
Proactively detects and blocks attempts to compromise application vulnerabilities and remotely execute code on the endpoint.

Application Behavior
Ensures applications behave as intended, preventing them from being leveraged to infect endpoints.

Pre-Execution (pre-infection/after payload delivery):

Payload Analysis
Identifies entire families of known malware by using a combination of heuristic and behavioral rules.

Anomaly Detection & Machine Learning
Proactively identifies unknown viruses and malware based on anomalous features from known good files.

Post-Execution (after malicious code enters memory, prior to full attack completion):

Ransomware Mitigation
Detects and blocks ransomware from encrypting files using signature-less behavioral monitoring technology.

Post-Infection (after infection, remediation phase):

Linking Engine Remediation
Proprietary, signature-less remediation technology that identifies and thoroughly removes all threat artifacts associated with the primary threat payload.

I excluded the Incident Response info as that only applies to the business product, at least for the moment.

Edited by exile360

The trouble is that one vendor's signatures are not the same as any others so it would require integrating their full AV engine, including its drivers, DLLs and any other components needed to decrypt, read, understand and use those signatures, as well as their cleanup/remediation engine which is also most likely proprietary, and this would also mean, as I mentioned before, that Malwarebytes would cease to be compatible with most other AV products.

So yes, I can suggest it to the Product team again if you wish, however it's been suggested many times in the past including by me back when I was still a member of the Product team, so one more request for it isn't likely to change their position as that's not the direction they're going in.  They're working to get away from relying on signatures and other less proactive protection measures in order to increase the capabilities and overall effectiveness of their products against real-world, new and unknown threats.  I'm not saying that it's impossible that they'll change their minds, I'm just not very confident that they will and wanted to explain why I believe that is based on what I know from my own experience.

Edited by exile360
