Go straight to action. (Suggestion)


Nazareno


Hello, I would like to suggest that MWB3 quarantine items that are static on the system. What do I mean by this? Very simple: when I have a file containing malware, MWB3 doesn't do anything until the malware runs. My proposal is that it detects and quarantines the viruses without their having to run. Thank you very much in advance. Best regards.


Greetings,

I'm not completely sure what you mean, but Malwarebytes Premium actually does stop threats from executing in memory if that's what you mean.  The following is a brief breakdown of the various layers of defense in Malwarebytes Premium explaining how each works to protect your system:


Web Protection
Prevents access to command and control (C&C) servers and malicious websites.

Application Hardening
Reduces the vulnerability surface, making the endpoints more resilient. Proactively detects fingerprinting attempts made by advanced exploit attacks.

Exploit Mitigation
Proactively detects and blocks attempts to compromise application vulnerabilities and remotely execute code on the endpoint.

Application Behavior
Ensures applications behave as intended, preventing them from being leveraged to infect endpoints.

Payload Analysis
Identifies entire families of known malware by using a combination of heuristic and behavioral rules.

Anomaly Detection & Machine Learning
Proactively identifies unknown viruses and malware based on anomalous features from known good files.

Ransomware Mitigation
Detects and blocks ransomware from encrypting files using signature-less behavioral monitoring technology.

Linking Engine Remediation
Proprietary, signature-less remediation technology that identifies and thoroughly removes all threat artifacts associated with the primary threat payload.

Everything listed above before Ransomware Mitigation takes place before the threat enters memory (pre-execution/pre-infection); the Ransomware Protection component monitors all processes/threads in memory for ransomware behavior to stop ransomware before it can encrypt your data.  The Linking Engine is a part of the scan component which is used after the fact (as well as in the free version of course) for remediation purposes to remove an already present infection from the system.

If that wasn't what you were referring to or if there was something else which requires clarifying please let us know.

Thanks


That's the Ransomware Protection component I explained above being tested there.  It watches memory for ransomware behavior and stops the attack and quarantines the threat before it can encrypt your files.  Other attacks shown in that example were stopped even earlier by blocking the malicious servers where the ransomware was being hosted meaning the malicious executables weren't even able to get onto the system.

If you mean that Malwarebytes should target the malicious scripts shown in the example being run from the system's desktop, then no, that would be completely pointless.  The reason is that such files are literally nothing but text files and can be and are often changed on the fly by the bad guys to evade static detection methods, rendering such detection methods useless.  To understand why, please review the information found in this article.  It is a bit dated but still very relevant to the methods used by the bad guys to prevent their scripts from being detected.  Also note that the test shown in the above video is NOT how actual ransomware gets onto a system.  No user actually downloads and executes a malicious script file deliberately, as that is not how these attacks work.  What happens is the user visits a website, either one that is infected itself or a safe website that contains an ad that is malicious (a malvertisement) and the malicious site or ad attempts to execute an exploit to download and launch the malicious script (the file you see in the video being run from the user's desktop); at that point the Exploit Protection and Web Protection components in Malwarebytes would stop the attack long before it ever got to the point of the malicious script actually trying to execute in memory, so the testing method shown is not valid as it does not represent real-world conditions, but even then, as you can see from the results, Malwarebytes was still able to stop each attack and prevent the user's files from being encrypted by any of the ransomware attacks.  It was a good test for the Ransomware Protection component, but was not a realistic test of how these infections work in the wild and how the other layers of defense in Malwarebytes work to prevent infection, including those methods which prevent such scripts from getting onto the system in the first place.


It depends on the executable.  If it is being targeted by threat signatures or heuristics then it is indeed stopped from executing before it launches into memory and quarantined.  If you mean on-access, like when a file is downloaded or just sitting in a folder, then no, Malwarebytes won't detect that because doing so would cause conflicts with AV software, and since Malwarebytes wants to continue to allow users to run other security products in real-time alongside Malwarebytes Premium, they need to avoid making changes that would cause conflicts with an active antivirus.


Of course, that was my suggestion, but if the developers of the program don't consider MBAM a real antivirus, my suggestion doesn't make sense. Thank you very much for explaining how MBAM works. Also, my suggestion would be dangerous, because a single error in the signature database can spoil the operating system. Well, that's it. I thank you again. Best regards.


Fundamentally there's no real difference because either way the threat is prevented from executing, but this way Malwarebytes is able to avoid conflicts with other security software (including antivirus, but also others that use on-access detection methods).  Malwarebytes definitely isn't a traditional antivirus and the way it's being marketed is as an antivirus replacement, meaning that if a user wants to use Malwarebytes alone to protect their system they can, because between all of the various layers of defense provided in Malwarebytes Premium they should be safe online, even without a traditional antivirus running in real-time on their system.  Of course there's also the fact that more traditional signature based detection methods (which Malwarebytes does still use for some of its protection) aren't nearly as effective against modern threats in the wild because the bad guys are notorious for changing their infections too fast for such a reactionary approach to protection to be effective.  This is why Malwarebytes (along with most of the AV industry as well) has come to rely more on behavioral detection methods and other more proactive infection prevention measures that don't rely on threat signatures and databases because infections today have a very short shelf-life.


Because of MBAM's passivity, I got infected. I was only detected by threats when performing a personalized analysis. Please reconsider how MBAM acts if you really want it to be an AV. Thank you very much. Best regards.


File: 2
MachineLearning/Anomalous.100%, C:\USERS\?\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\7400HN0W.DEFAULT\CACHE2\ENTRIES\0772946FA485DDB3CCC77F3A4C8A468B40DA04A7, Delete-on-Reboot, [0], [392687],1.0.8155
Trojan.Downloader.NSIS, C:\USERS\?\APPDATA\LOCAL\TEMP\APAQ_V_0.ZIP.PART, Delete-on-Reboot, [8001], [575173],1.0.8155



1 hour ago, Nazareno said:

Because of MBAM's passivity, I got infected. I was only detected by threats when performing a personalized analysis. Please reconsider how MBAM acts if you really want it to be an AV. Thank you very much. Best regards.


File: 2
MachineLearning/Anomalous.100%, C:\USERS\?\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\7400HN0W.DEFAULT\CACHE2\ENTRIES\0772946FA485DDB3CCC77F3A4C8A468B40DA04A7, Delete-on-Reboot, [0], [392687],1.0.8155
Trojan.Downloader.NSIS, C:\USERS\?\APPDATA\LOCAL\TEMP\APAQ_V_0.ZIP.PART, Delete-on-Reboot, [8001], [575173],1.0.8155


Was the infection active? MBAM is known for not caring much about dormant infections, as they don't do anything.

Out of personal interest: you wrote "detected by threats when performing a personalized analysis", what is "threats" for a program/service? Could you tell more about it?

Regards,
Durew


Those items are both in temp/cache folders and don't appear to be active threats, so the computer was never actually infected if that's all that was there.  Clearing temp/cache should remove them, and obviously the scan detected and removed them as well, but it doesn't look like they were allowed to execute, otherwise they would have been detected by real-time protection.

I must reiterate though that Malwarebytes is not an antivirus nor have they ever claimed to be one.  They deliberately avoid on-access scanning to improve performance and avoid conflicts with other security products, including actual antivirus applications.  Adding on-access scanning to detect dormant traces pre-execution would do nothing to improve the protection provided by Malwarebytes, because as it is, as soon as a threat does attempt to launch in memory, it is detected, stopped and quarantined before it can actually enter memory and execute (basically Malwarebytes acts like a gatekeeper to your system's memory, checking each thread/process that tries to run before it is allowed to do so, and an infection that doesn't execute in memory cannot infect your system; it's just not possible because malware, just like any other software, needs to actually run in memory to do anything).

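As an added example (not from this thread and not Malwarebytes' own code), here is a small Python triage of scan-log records in the format quoted above: it parses the `threat, path, action, [id], [id],version` lines and separates hits sitting in browser cache or temp folders, the kind the reply above calls dormant, from anything found elsewhere. The field names, the dormant-location markers and the third sample record are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Record layout assumed from the quoted scan log:
# "<threat>, <path>, <action>, [<id>], [<id>],<db-version>"
LINE_RE = re.compile(
    r"^(?P<threat>[^,]+),\s*(?P<path>.+?),\s*(?P<action>[^,]+),\s*"
    r"\[(?P<a>\d+)\],\s*\[(?P<b>\d+)\],\s*(?P<version>\S+)$"
)

# Path fragments (assumption) marking files that were downloaded or cached
# but not necessarily ever executed: temp dir, Firefox cache2, partial downloads.
DORMANT_MARKERS = ("\\APPDATA\\LOCAL\\TEMP\\", "\\CACHE2\\ENTRIES\\", ".PART")

# Sample log: the first two records are the ones quoted in the thread;
# the header count and the third record are constructed for this example.
SAMPLE_LOG = """File: 3
MachineLearning/Anomalous.100%, C:\\USERS\\?\\APPDATA\\LOCAL\\MOZILLA\\FIREFOX\\PROFILES\\7400HN0W.DEFAULT\\CACHE2\\ENTRIES\\0772946FA485DDB3CCC77F3A4C8A468B40DA04A7, Delete-on-Reboot, [0], [392687],1.0.8155
Trojan.Downloader.NSIS, C:\\USERS\\?\\APPDATA\\LOCAL\\TEMP\\APAQ_V_0.ZIP.PART, Delete-on-Reboot, [8001], [575173],1.0.8155
Constructed.Sample, C:\\USERS\\?\\DOWNLOADS\\INVOICE.EXE, Quarantined, [0], [000000],1.0.8155
"""


@dataclass
class Detection:
    threat: str
    path: str
    action: str
    version: str

    def is_dormant(self) -> bool:
        """True when the file sits in a temp/cache location and was likely never run."""
        upper = self.path.upper()
        return any(marker in upper for marker in DORMANT_MARKERS)


def parse_line(line: str) -> Optional[Detection]:
    """Parse one record; returns None for headers such as 'File: 3' and blank lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Detection(m["threat"].strip(), m["path"], m["action"].strip(), m["version"])


def triage(log: str) -> dict:
    """Bucket records: dormant temp/cache artifacts vs items outside those folders."""
    buckets = {"dormant": [], "review": []}
    for line in log.splitlines():
        d = parse_line(line)
        if d is not None:
            buckets["dormant" if d.is_dormant() else "review"].append(d)
    return buckets
```

Running `triage(SAMPLE_LOG)` puts both quoted records in the dormant bucket and only the constructed Downloads hit in the review bucket.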

"Behave as such" or "being able to prevent live infections in equal measure" is the key difference here. At MBAM they don't seem to believe in fighting stuff that doesn't do anything, so I don't expect them to add on-access scans. In the FAQ (linked below), post 5, this is explained in more detail.

Personally, I dislike this 'can replace' claim, so on my computer it functions as a companion AV/AM. My main AV does the on-access scans.


Correct, there is a big difference between an AV replacement and an actual AV.  A replacement is something that can be substituted for something else because it provides the same level of service as what it is replacing, though possibly accomplishing that through different means, and in the case of Malwarebytes specifically, it uses a variety of different protection layers to substitute for the protection provided by a traditional AV which not only replaces, but in fact often surpasses the level of security and protection provided by a traditional AV.  You can learn more about how Malwarebytes functions by reviewing the information and diagram found on this page as it breaks down the various layers of defense included in Malwarebytes Premium and how they work to stop attacks in their tracks throughout various phases of the kill chain.
