Does MalwareBytes for Mac protect against ransomware?

The Mac version of Malwarebytes will check for the presence of all known varieties of macOS ransomware (there aren't very many). 

If you are concerned that some new variant might attack you, then check into RansomWhere? (free) from Objective-See. It does give some false alarms as it's unable to distinguish between attempts to decompress as well as compress files, so you'll need to get used to that.

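The false alarms mentioned above come from the fact that compressed output is statistically about as random as encrypted output, so a write-time entropy check cannot tell them apart. The following is an added example, not RansomWhere?'s code: a constructed high-entropy-write heuristic run over constructed plain, compressed and encrypted versions of the same file.

```python
import math
import random
import zlib

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def flag_suspicious_write(data: bytes, threshold: float = 7.0) -> bool:
    """Constructed heuristic (not RansomWhere?'s own logic): a high-entropy write is treated as
    possible encryption output. Compressed data passes the same test, hence the false alarms."""
    return shannon_entropy(data) >= threshold

def build_samples() -> dict:
    """Constructed inputs: plain text, the same text compressed, and the same text XORed with a
    seeded random keystream as a stand-in for what ransomware writes back to disk."""
    rng = random.Random(2019)
    words = ["backup", "restore", "invoice", "macos", "archive", "notes", "photo"]
    plaintext = " ".join(rng.choice(words) for _ in range(4000)).encode()
    compressed = zlib.compress(plaintext, 9)
    keystream = bytes(rng.getrandbits(8) for _ in range(len(plaintext)))
    encrypted = bytes(a ^ b for a, b in zip(plaintext, keystream))
    return {"notes.txt": plaintext, "notes.zip": compressed, "notes.txt.locked": encrypted}

def classify(samples: dict) -> dict:
    """Which of the sample writes would the heuristic flag? The .zip is the false alarm."""
    return {name: flag_suspicious_write(data) for name, data in samples.items()}
```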

Thanks! I already use RansomWhere? The false alarms always worry me a bit. I didn't know that the problem was that it sees decompressing as being the same as compressing. Now that I think about it that makes sense. Thanks!

The first part of your answer raises another question for me. My understanding has been that Malwarebytes works by detecting types of dangerous activity, rather than by detecting known dangerous applications. However, recognizing the presence of all known varieties of macOS ransomware sounds like it is detecting dangerous apps. Have I misunderstood how MWB works?

Yes, I'm afraid you did misunderstand, to some extent. Malwarebytes for Mac scans primarily look for files in specific locations where known malware and PUPs have been previously known to be installed. Premium real-time protection examines new files appearing in certain locations to see if they match characteristics of known malicious installers or applications.

AFAIK, it does not yet monitor activity for suspicious activities associated with malware, but I'm sure the staff will correct me if I am not up-to-date on that.

  • Staff

You're right that we don't have any kind of suspicious activity monitoring yet, and a big reason for that is the potential for false positives. It's a bit difficult to get the average Mac user to install security software to begin with, because they've been told for so long that "Macs don't get viruses." (And they often still do today.) One of the worst things antivirus software can do is make a nuisance of itself, detecting things it shouldn't and wreaking havoc on the system.

We're definitely looking for techniques for doing behavioral detections on macOS, but want to be sure we get it right.

For now, all ransomware for macOS has been an utter failure, so it doesn't seem anyone's too eager to repeat the attempt. Ransomware has a brief window to infect systems, and only a handful of the owners of those systems will actually pay the ransom. The more machines you infect the better, so Windows, with its higher market share, is a much juicier target. I don't anticipate there ever being a significant ransomware problem on macOS, unless the market share shifts significantly.

Just keep a good, up-to-date set of backups. If something changes in the future, and you get hit with ransomware, just erase the hard drive, restore from a backup, and go on about your business.

Thanks for the clarification. So, if I understand correctly, Malwarebytes for Mac works essentially the same way as all other antivirus products for the Mac work - monitoring for known malicious files and programs by comparing them with a database. It's only the Windows version that works fundamentally differently. Is that correct?

So, can you explain to me why Malwarebytes for Mac is better than other Mac antivirus software? Based on a recent Wirecutter article, I thought it worked fundamentally differently than the rest, but from what you're saying it sounds like the author was extrapolating from the Windows version to the Mac version, which was not really justified. From the user experience point of view, it is definitely different from Bitdefender and Sophos, which are the other two I've used. Sophos slowed my Mac down unbearably, and Bitdefender interfered with web activity of other programs, while MWB does neither of those things. It seems therefore that it must either be doing something better, or being less thorough.

I'm not trying to give you a hard time - just trying to understand.

Thanks for your time!

Stan

Although I've never used the Windows version, my understanding is that it shares much of the same philosophy as the Mac version, in that it does work differently from the majority of anti-malware software. The experience you have had with a couple of those older products comes from their design: they examine every file that they have access to and compare it against a massive signature database to see if there is a match. Signatures are primarily of two types, either matching a hash value (which works well for files that never change) or a string of characters, either hex or ASCII (best for files that have been slightly changed but still contain key strings). There have been some refinements over the years to improve accuracy, but that's basically the way they all work. Each vendor has its own format for signatures and naming conventions for the type of malware they match too, so not all will catch the same change as others do, and will probably call it something else. As you have experienced, this takes an inordinate amount of time, CPU and RAM to accomplish, and as new types and variants of malware are discovered, it can only get worse.

As I said before, MBAM primarily looks for such files along paths where they are known to exist and can thereby ignore files in all other locations. This significantly reduces the amount of time needed for a scan as well as keeping the size of the signature database much smaller.

You can argue if you want that this is less thorough and that the older method will be able to figure out if a file has been moved to a different location where MBAM isn't looking. That certainly has happened, but it's a rarity, and you have to ask yourself whether it is worth your time and the impact on your computer to be more certain of finding something new. Chances are good that the MBAM signature staff will be alerted fairly quickly to this new variant and be able to provide a rapid update for this new location before you get around to conducting your next scan. It's a trade-off, and only you can decide what works best for your situation.

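The trade-off described above, as an added example that is not Malwarebytes' code: a path-scoped scan and an exhaustive scan run over the same constructed home directory, using a hypothetical hash signature and a hypothetical string signature. The signature names, install locations and sample file are all constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path
# Constructed, hypothetical signatures and install locations (not Malwarebytes' database): a hash
# signature matches only an identical file, a string signature also matches a modified copy.
SAMPLE_AGENT = b"<plist><key>Label</key><string>com.example.fakeagent</string></plist>"
SIGNATURES = [("Example.Agent.A", "sha256", hashlib.sha256(SAMPLE_AGENT).hexdigest()),
              ("Example.Agent.B", "string", b"com.example.fakeagent")]
KNOWN_PATHS = ["Library/LaunchAgents", "Library/Application Support/FakeAgent"]

def match_signatures(data: bytes) -> list:
    """Return the names of every signature that matches a file's contents."""
    digest = hashlib.sha256(data).hexdigest()
    return [name for name, kind, value in SIGNATURES
            if (kind == "sha256" and digest == value) or (kind == "string" and value in data)]

def scan(root: Path, candidates) -> tuple:
    """Scan the candidate files; return ({relative path: [signature names]}, files examined)."""
    hits, examined = {}, 0
    for path in candidates:
        if not path.is_file():
            continue
        examined += 1
        names = match_signatures(path.read_bytes())
        if names:
            hits[path.relative_to(root).as_posix()] = names
    return hits, examined

def scan_known_paths(root: Path) -> tuple:
    """Path-scoped scan: look only where malware is known to install itself."""
    return scan(root, [p for rel in KNOWN_PATHS for p in (root / rel).glob("*")])

def scan_whole_tree(root: Path) -> tuple:
    """Exhaustive scan: read every file under root, wherever it is."""
    return scan(root, root.rglob("*"))

def build_sample_home(root: Path) -> None:
    """Constructed home: sample in its known location, a modified copy moved elsewhere
    (hash differs, key string survives), and benign files a full scan must read anyway."""
    (root / "Library/LaunchAgents").mkdir(parents=True)
    (root / "Library/LaunchAgents/com.example.fakeagent.plist").write_bytes(SAMPLE_AGENT)
    (root / "Documents/moved").mkdir(parents=True)
    (root / "Documents/moved/agent.plist").write_bytes(SAMPLE_AGENT.replace(b"Label", b"Name"))
    for i in range(20):
        (root / f"Documents/note{i}.txt").write_text(f"benign file {i}")

def compare() -> tuple:
    """Run both strategies over the same constructed tree: (path-scoped result, full result)."""
    root = Path(tempfile.mkdtemp())
    build_sample_home(root)
    return scan_known_paths(root), scan_whole_tree(root)
```

The path-scoped scan reads one file and finds the sample; the exhaustive scan reads all twenty-two files and additionally catches the moved copy, but only through the string signature.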

Thanks for your detailed response! 

So, I understand why checking in fewer places would make scans quicker, and your point that a file being in a different place would be unusual makes sense. I don't really get why the signature database will be smaller with this method, though. Doesn't MWB still need to identify the same types of malicious files as any other antivirus program? Also, active protection would not seem to benefit from the checking-in-fewer-places approach, because it still has to check everything coming in to the system. What am I not understanding?

5 hours ago, sdorst said:

I don't really get why the signature database will be smaller with this method, though. Doesn't MWB still need to identify the same types of malicious files as any other antivirus program?

Yes, but it doesn't need lengthy signatures to do so. All it needs to know, in most cases, is the path to known installed malware files.

Also, I believe MBAM still removes threats that are considered extinct these days. Other scanners seem to keep definitions that date back to the beginning of time in Mac malware history. If steps have been taken by Apple to make them ineffective, or the servers that distribute and control malware have been taken off-line, there is little reason to keep looking for them very long afterwards.

Quote

active protection would not seem to benefit from the checking-in-fewer-places approach, because it still has to check everything coming in to the system.

Active protection only needs to check in places where files are first introduced to your computer, primarily your download folder. And it doesn't need to look for anything but installers or applications that arrive there, as none of the actual malware is installed or active on your computer at the time of their arrival.

It has always been very difficult to introduce files into the Mac System without requesting and receiving admin permission and with SIP enabled, it's considered to be impossible, for all practical purposes. There are still a handful of non-SIP areas of the System, but most still require elevated permissions and in any case can be quickly scanned if necessary.

So it sounds like what you're saying is that macOS does a pretty good job at protecting itself by design, and MWB adds an additional layer of protection for the few vulnerable spots. Is that correct?

Also, out of curiosity, what do MBAM and SIP mean?

I appreciate your help! Thanks.

7 hours ago, sdorst said:

So it sounds like what you're saying is that macOS does a pretty good job at protecting itself by design, and MWB adds an additional layer of protection for the few vulnerable spots. Is that correct?

Yes, I would have to say that recent versions of macOS do a good job of protecting themselves, but not as much for the user and their environment, which is where MWB fills in. Apple has never paid much attention to Adware and they even allow Possibly Unwanted Processes (PUPs) in the App Store. The built-in security measures (Quarantine, Gatekeeper, XProtect and Malware Removal Tool or MRT) have not been improved and kept as up-to-date recently as they have in previous years. I would refer you to the excellent blog posting that @treed wrote this week on the subject: https://blog.malwarebytes.com/101/2019/02/macos-protect-malware/.

  • 2 weeks later...

Talk about instructive and clearing up my confusion between various programs! I now fully understand what MWB does and how it does it. And reading the above referenced blog was equally instructive. One area of OS X not mentioned was the sandbox, which I read about somewhere, I just cannot remember where. Seems like between OS X and MWB a Mac is nearly impenetrable. Thanks to all.

42 minutes ago, brcd said:

is MWB adware cleaner a necessity?

Adware Cleaner is Windows only, so clearly not necessary.

You might be interested in the beta extensions for Chrome and / or Firefox, if you use either. That blocks ads that sometimes cause adware-like issues when browsing.
