Cavehomme

av-test.org results

I've recently noticed that AV-Test have added Malwarebytes Premium to their testing schedule of AVs for November-December 2018. This might be old news for some of you, but I've not noticed a thread yet here.

https://www.av-test.org/en/antivirus/home-windows/windows-10/december-2018/malwarebytes-premium-3.6-184912/

Whilst the results could be better, especially on zero day, it's a way better result than in the SE Labs series of tests. Paired with Windows Defender and the Malwarebytes browser extension, it's a powerful approach to layered protection.

Greetings,

You may find the info in this Malwarebytes blog article to be of interest as it was written to address the subject of their participation in testing at AV-Test.org, why they did it, why they believe they might not have done as well as some vendors and what it means.


You're welcome :)

Yes, it's a very good article with some fascinating info.  By the way, just in case you were curious at all, you can learn more about how the individual components/layers in Malwarebytes Premium work to protect systems by thwarting malware/attacks at various phases of the kill chain/attack chain by reviewing the diagram and info on this page.  It also illustrates how nearly all of Malwarebytes' protection features work prior to the payload analysis phase that most AV/malware tests are centered around (things like blocking the source with Web Protection and defeating the exploits/malicious scripting etc. that attempt to download/execute malicious payloads to begin with through Exploit Protection etc.).

In that diagram, the only layers that actually go into action after the malware executable/payload/file has been downloaded are Anomaly Detection (the signature-less anomaly detection component which includes the cloud analysis/detection component), Payload Analysis (the Malware Protection component), and Behavior Monitoring (Ransomware Protection etc.) (and of course Remediation Engine, which is Malwarebytes' advanced threat removal technology such as DoR (Delete on Reboot) that kicks in once a threat has been detected along with the scan engine).

Edited by exile360

18 hours ago, exile360 said:

You're welcome :)

Yes, it's a very good article with some fascinating info.  By the way, just in case you were curious at all, you can learn more about how the individual components/layers in Malwarebytes Premium work to protect systems by thwarting malware/attacks at various phases of the kill chain/attack chain by reviewing the diagram and info on this page.  It also illustrates how nearly all of Malwarebytes' protection features work prior to the payload analysis phase that most AV/malware tests are centered around (things like blocking the source with Web Protection and defeating the exploits/malicious scripting etc. that attempt to download/execute malicious payloads to begin with through Exploit Protection etc.).

In that diagram, the only layers that actually go into action after the malware executable/payload/file has been downloaded are Anomaly Detection (the signature-less anomaly detection component which includes the cloud analysis/detection component), Payload Analysis (the Malware Protection component), and Behavior Monitoring (Ransomware Protection etc.) (and of course Remediation Engine, which is Malwarebytes' advanced threat removal technology such as DoR (Delete on Reboot) that kicks in once a threat has been detected along with the scan engine).

That's a good reminder, thanks.

By the way, just installed MWB firewall, formerly Binisoft, very nice and easy and unobtrusive. Looking forward to it being improved and integrated into MWB Pro. Hope it will still remain the option of WD being the primary AV with MWB as the extra layers + extra firewall layer on top of WF.


Yes, if they do decide to integrate the firewall (which seems likely), it shouldn't interfere with Windows Defender/MSE at all so I expect them to continue to support keeping it active by default whenever Malwarebytes Premium is installed/activated.

4 hours ago, Cavehomme said:

+ extra firewall layer on top of WF.

It is not an extra or an additional firewall. It just gives better control of the Windows firewall that is already included in Windows.

10 minutes ago, Porthos said:

It is not an extra or an additional firewall. It just gives better control of the Windows firewall that is already included in Windows.

Hmm, perhaps that's been a bit pedantic? For me, an additional method to control WF is a "layer" 😉

15 minutes ago, Cavehomme said:

Hmm, perhaps that's been a bit pedantic? For me, an additional method to control WF is a "layer" 😉

Personally, I use the Windows firewall as is. Just wanted to point out that most 3rd party firewalls disable the built-in firewall and engage their own firewall system.


On a desktop behind a NAT Router with simplistic firewall capabilities or a NAT Router with a full Firewall implementation, I agree.  The Windows Firewall is just fine.

However...  On a portable system where you jump onto other people's networks, especially public ones, then I can see replacing the built-in Windows Firewall with a 3rd Party Firewall application.

2 minutes ago, David H. Lipman said:

On a portable system where you jump onto other people's networks, especially public ones, then I can see replacing the built-in Windows Firewall with a 3rd Party Firewall application.

That is a good case for a 3rd party.

1 hour ago, Porthos said:

It is not an extra or an additional firewall. It just gives better control of the Windows firewall that is already included in Windows.

 

25 minutes ago, David H. Lipman said:

On a desktop behind a NAT Router with simplistic firewall capabilities or a NAT Router with a full Firewall implementation, I agree.  The Windows Firewall is just fine.

However...  On a portable system where you jump onto other people's networks, especially public ones, then I can see replacing the built-in Windows Firewall with a 3rd Party Firewall application.

Why would it be less secure using Windows Firewall on a laptop connected to a public network when Windows identifies and sets the new network with a profile of "Public"?

Why is this insecure and a third party firewall would be more secure? Genuinely interested.

4 minutes ago, Cavehomme said:

Why is this insecure and a third party firewall would be more secure? Genuinely interested.

I would not be the best to explain the dangers that are "possible"; @David H. Lipman could elaborate more.


Because 3rd Party Firewall applications are not intrinsic to the OS they have greater functionality, reporting, granularity and capability.


I don't know, to me, closed is closed, so as long as the firewall (be it the built in Windows Firewall, a WFP based front-end/replacement for the Windows Firewall using the same APIs, or a third party firewall) is keeping all the ports closed/stealthed as they should be and Windows has all the appropriate sharing/remote etc. protocols locked down/disabled (the Public profile configuration) then I don't see a real difference.  The big advantage, to me, of a third party/more granular firewall is for inside-out communications, i.e. greater control over the programs that communicate with the web.  The local network stuff that you have to be concerned with on a public Wi-Fi connection/network don't really translate to suddenly requiring a more granular firewall, at least based on what I've learned of such things.  The main thing is just keeping things closed/locked down to prevent other devices on the network from gaining access which should be fairly straightforward for any firewall and even Windows itself.

That said, if you're dealing with the class of hacker that can and does bypass those kinds of protections on public networks, no beefed up third party firewall is going to stop them any better than the more standard WFP stuff would, and anyway, since Microsoft themselves recommend that all firewall devs use WFP they are all going to be subject to the same kinds of potential vulnerabilities that might exist in the protocol regardless of how robust their implementation might be; at least that's my take on it.

Reference Windows Filtering Platform for more info.

The other threat is a man-in-the-middle attack where the attacker might try to alter traffic through DNS manipulation/packet manipulation and the like, but since that takes place outside your system, no firewall is going to aid you in dealing with those kinds of threats as it all comes down to the security of the internet connection itself and so tools like VPNs and DNS encryption protocols become much more important (i.e. TOR, VPN tunneling tools, proxies, encryption protocols like DNSSEC, HTTPS, and DNSCrypt etc.).

Edited by exile360
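The "closed is closed" argument above, and Cavehomme's earlier question about the Public profile, both hinge on what the built-in Windows Firewall is actually enforcing on the active connection. The following audit script is an added example (not code from the thread, from Malwarebytes or from Binisoft) that checks the points discussed: which profile the current network was classified into, whether the Public profile blocks unsolicited inbound traffic by default, which enabled inbound allow rules still apply under Public, and how per-program outbound ("inside-out") control would be expressed with the stock firewall. It assumes a Windows host with the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated PowerShell session; the interface alias and program path are placeholders.

```powershell
# Added audit script for the built-in Windows Firewall (hypothetical example,
# not from the thread or any vendor). Run elevated for complete rule output.

# 1. Which profile is the current connection using? On someone else's Wi-Fi
#    the expected value is NetworkCategory = Public.
$connections = Get-NetConnectionProfile
$connections | Select-Object Name, InterfaceAlias, NetworkCategory | Format-Table -AutoSize

# 2. Is the Public profile enabled, and is unsolicited inbound blocked by default?
$public = Get-NetFirewallProfile -Name Public
[pscustomobject]@{
    Enabled               = $public.Enabled                # expect True
    DefaultInboundAction  = $public.DefaultInboundAction   # expect Block
    DefaultOutboundAction = $public.DefaultOutboundAction  # Allow by default
    NotifyOnListen        = $public.NotifyOnListen         # prompt when a program opens a port
} | Format-List

# 3. Enabled inbound *allow* rules that apply to Public (or to 'Any' profile)
#    are the exceptions to "closed is closed"; review each one.
$inboundExceptions = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.Profile -match 'Public|Any' } |
    ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        $appFilter  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Profile     = $_.Profile
            Protocol    = $portFilter.Protocol
            LocalPort   = ($portFilter.LocalPort -join ',')
            Program     = $appFilter.Program
        }
    }
$inboundExceptions | Sort-Object DisplayName | Format-Table -AutoSize

# 4. Per-program outbound control. The stock firewall allows outbound by default,
#    so an allow-list posture means flipping the default and adding explicit rules.
#    Left commented out: running it blocks every program without a rule.
#    The program path is a placeholder; substitute the binary you want to permit.
# Set-NetFirewallProfile -Name Public -DefaultOutboundAction Block
# New-NetFirewallRule -DisplayName 'Allow browser outbound (Public)' -Direction Outbound `
#     -Action Allow -Profile Public -Program "${env:ProgramFiles(x86)}\Vendor\browser.exe"

# 5. Re-classify a connection that was mis-classified as Private (needs elevation).
#    Replace 'Wi-Fi' with the InterfaceAlias reported in step 1.
# Set-NetConnectionProfile -InterfaceAlias 'Wi-Fi' -NetworkCategory Public
```

Step 3 is the part worth reading carefully on a portable system: a rule scoped to "Any" profile (file and printer sharing, remote assistance, a game or media server installed at home) stays open on a public network even though the profile switched to Public, so the profile change alone does not guarantee the stealthed state the post above assumes.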


This is why I love the CloudFlare DNS; on top of being extremely fast, your DNS queries are encrypted. So while it isn't a true VPN, it's still just a little bit harder to snoop on and interfere with.

30 minutes ago, exile360 said:

I don't know, to me, closed is closed, so as long as the firewall (be it the built in Windows Firewall, a WFP based front-end/replacement for the Windows Firewall using the same APIs, or a third party firewall) is keeping all the ports closed/stealthed as they should be and Windows has all the appropriate sharing/remote etc. protocols locked down/disabled (the Public profile configuration) then I don't see a real difference.  The big advantage, to me, of a third party/more granular firewall is for inside-out communications, i.e. greater control over the programs that communicate with the web.  The local network stuff that you have to be concerned with on a public Wi-Fi connection/network don't really translate to suddenly requiring a more granular firewall, at least based on what I've learned of such things.  The main thing is just keeping things closed/locked down to prevent other devices on the network from gaining access which should be fairly straightforward for any firewall and even Windows itself.

That said, if you're dealing with the class of hacker that can and does bypass those kinds of protections on public networks, no beefed up third party firewall is going to stop them any better than the more standard WFP stuff would, and anyway, since Microsoft themselves recommend that all firewall devs use WFP they are all going to be subject to the same kinds of potential vulnerabilities that might exist in the protocol regardless of how robust their implementation might be; at least that's my take on it.

Reference Windows Filtering Platform for more info.

The other threat is a man-in-the-middle attack where the attacker might try to alter traffic through DNS manipulation/packet manipulation and the like, but since that takes place outside your system, no firewall is going to aid you in dealing with those kinds of threats as it all comes down to the security of the internet connection itself and so tools like VPNs and DNS encryption protocols become much more important (i.e. TOR, VPN tunneling tools, proxies, encryption protocols like DNSSEC, HTTPS, and DNSCrypt etc.).

Thanks Exile, I'm not an expert but I've used loads of 3rd party firewalls over the years and I agree with you. Adding Binisoft / MWB to WF should deal with unsolicited connection attempts I would hope, but as you say, you can probably never be 100% sure in any scenario. Unless a person is a serious amateur or a pro, and configures their firewall very tightly with many rules, I cannot otherwise yet see a benefit to a third party firewall versus WF+Binisoft/MWB for the vast majority of users. I could be very wrong and I await any more explanations from any other user to highlight any issues.

1 minute ago, Amaroq_Starwind said:

This is why I love the CloudFlare DNS; on top of being extremely fast, your DNS queries are encrypted. So while it isn't a true VPN, it's still just a little bit harder to snoop on and interfere with.

Yep, I use Simple DNSCrypt (which uses both DNSSEC along with the DNSCrypt protocol) for this very reason.  I also have it configured so that it randomly rotates between multiple DNS servers to disperse my traffic across multiple providers/routes thus further randomizing my traffic.
