Why Doesn't Malwarebytes Develop Their Own Offline Scanner?

[Captain_Obvious]

For particularly nasty infections, the go-to cure is typically an offline scanner such as Windows Defender Offline, Bitdefender Rescue CD, or Kaspersky Rescue Disk. In fact, I see those products recommended even here in these forums. However, one thing I'm wondering is why Malwarebytes simply doesn't develop their own offline scanner? Then, people would be able to recommend a Malwarebytes exclusive program instead of constantly advertising for the competition. When it comes to offline scanning, you're literally a walking advertisement for other companies. Most versions of Linux are free and easily bootable from a USB drive or DVD, and you already have an entire signatures database and scanning software. So it I can't imagine it costing your development team too much time or effort to create. 

Come on guys, you can do it!

[Amaroq_Starwind]

I've requested this myself before, but there are issues. MalwareBytes doesn't have a license to package a Windows Preinstallation Environment, and porting Malwarebytes to Linux hasn't been achieved yet. Not to mention, it would be difficult to read the registry and filesystem of an offline Windows system and make any changes from Linux without potentially screwing stuff up. Now, if you wanted something that resided on your computer and booted before the rest of Windows did, you could try building a Native API application, but that wouldn't be entirely feasible for more than a few reasons.

So yeah, it would actually take a lot of time and effort to create, unfortunately.

[exile360]

It's likely mostly due to the fact that the scan engine in Malwarebytes really isn't a flat file scanner.  Many of the technologies it uses to detect threats, especially the nastier ones that you'd likely desire an offline scanner for in the first place, rely on technologies that require threats to be active as well as the current Windows installation (things like rootkit scanning, linking, heuristics etc.) and they've had great success so far relying strictly on more conventional means of getting the software to run even in hostile environments.

That said, they did previously offer Malwarebytes Chameleon to get Malwarebytes running on systems where it was being blocked from installing/running by infections and while that technology has not yet been adapted to version 3.x, I do expect that if the need arises that they will do so to counter the infections targeting Malwarebytes.

As for the possibility of an offline/bootable scanner, I don't know.  It's been discussed in the past many times, but since it's much easier to work from WinPE rather than Linux as it would be much easier to read/load offline registry hives and natively read the offline system's file structure, that would be the ideal solution, however Microsoft's recent restrictions regarding the use and distribution of WinPE make that much more difficult (they did look into it, however Microsoft made changes to their licensing preventing vendors like Malwarebytes from offering WinPE based solutions.

You never know though, maybe they will be able to offer some kind of bootable solution in the future, but only time will tell.  I haven't heard anything recently about it but that doesn't mean that it's completely off the table as they could be working on it or at least considering it behind the scenes.

[jonoknojon]

Windows Defender Offline, ??

I use Windows Defender and it is always scanning, and has picked up incoming infections..
Do you (your company) use a decent "always active" antivirus tool, or purchase the fully active Malwarebytes version ??
As you seem to be "plagued" by incoming infections, then there are only a few options..

exile360 will correct me if I am wrong, as my Malwarebytes was purchased several years back, and still scans and updates......

[exile360]

Yes, they're referring to a bootable remediation tool for already infected systems.  Malwarebytes does not currently have such a tool however it has been considered in the past, and while I do not know as I have no access to any internal information, I haven't heard anything about any plans for developing such a tool at this time.  That said, if the need arises and they can come up with a reasonable solution then I'm sure they will develop something.  Right now there haven't been too many threats that would require such a tool thankfully as the worst threats are pretty much ransomware threats which a bootable solution isn't really suited for any better than any other tool since the main problem are the encrypted files more so than removing the threats themselves, and for that clean backups are always your best bet.

[Captain_Obvious]

7 hours ago, Amaroq_Starwind said:

I've requested this myself before, but there are issues. MalwareBytes doesn't have a license to package a Windows Preinstallation Environment, and porting Malwarebytes to Linux hasn't been achieved yet. Not to mention, it would be difficult to read the registry and filesystem of an offline Windows system and make any changes from Linux without potentially screwing stuff up. Now, if you wanted something that resided on your computer and booted before the rest of Windows did, you could try building a Native API application, but that wouldn't be entirely feasible for more than a few reasons.

So yeah, it would actually take a lot of time and effort to create, unfortunately.

Well, that's a bummer right off the bat. So just out of curiosity, how do other companies like Bitdefender, Kaspersky, AVG, and Avira do it? They seem to have no issues creating Linux scanners that have no issues reading and making changes to the registry and filesystem without screwing anything up.

[Captain_Obvious]

5 hours ago, exile360 said:

It's likely mostly due to the fact that the scan engine in Malwarebytes really isn't a flat file scanner.  Many of the technologies it uses to detect threats, especially the nastier ones that you'd likely desire an offline scanner for in the first place, rely on technologies that require threats to be active as well as the current Windows installation (things like rootkit scanning, linking, heuristics etc.) and they've had great success so far relying strictly on more conventional means of getting the software to run even in hostile environments.

 

Other companies, such as Bitdefender, Kaspersky, and Avira scan for the exact same things using their offline scanners. So it should be possible for an offline Malwarebytes scanner to do this.

5 hours ago, exile360 said:

As for the possibility of an offline/bootable scanner, I don't know.  It's been discussed in the past many times, but since it's much easier to work from WinPE rather than Linux as it would be much easier to read/load offline registry hives and natively read the offline system's file structure, that would be the ideal solution, however Microsoft's recent restrictions regarding the use and distribution of WinPE make that much more difficult (they did look into it, however Microsoft made changes to their licensing preventing vendors like Malwarebytes from offering WinPE based solutions.

Do you know why Microsoft made changes to their licensing? What's the backstory on this? I'd like to hear more about this.

5 hours ago, exile360 said:

You never know though, maybe they will be able to offer some kind of bootable solution in the future, but only time will tell.  I haven't heard anything recently about it but that doesn't mean that it's completely off the table as they could be working on it or at least considering it behind the scenes.

I sure hope so. A Malwarebytes Offline Scanner would be pretty sweet. And another thing, I think it's a little unfair to compare the Malwarebytes of the past to the Malwarebytes of the present. Currently, Malwarebytes is the second largest anti-virus vendor in the entire world (by reason of market share). They have far more money, resources,  and engineers/developers than they did in the past. What would have been considered impossible in the past could potentially be within reach here in the present. 

[Amaroq_Starwind]

The Bitdefender, Kaspersky and Avira offline scanners use signature-based detection. They look for things that match a description. Malwarebytes look for things that are behaving weirdly, but when everything is asleep, it's much harder to tell if something is behaving weirdly.

[exile360]

1 hour ago, Amaroq_Starwind said:

The Bitdefender, Kaspersky and Avira offline scanners use signature-based detection. They look for things that match a description. Malwarebytes look for things that are behaving weirdly, but when everything is asleep, it's much harder to tell if something is behaving weirdly.

Bingo, also with regards to Microsoft's licensing, I don't know why they made the change, but several years ago they started to prohibit the distribution of WinPE and at that time major vendors like Symantec/Norton, Acronis (makers of True Image) and many others had to stop distributing bootable tools based on WinPE.  You can find a discussion on this issue here and there are others on the net.

Basically Microsoft changed their EULA/terms for WinPE sometime back, and since making that change, they've made it impossible for any company to legally distribute tools based on WinPE to users/customers.  They could theoretically provide a tool to build a WinPE image for users, however the users would have to set up the WAIK/WinPE image themselves on an individual basis, and since not all users have access to a clean system to work from this presents a challenge.

[Captain_Obvious]

On 3/12/2019 at 11:32 AM, Amaroq_Starwind said:

The Bitdefender, Kaspersky and Avira offline scanners use signature-based detection. They look for things that match a description. Malwarebytes look for things that are behaving weirdly, but when everything is asleep, it's much harder to tell if something is behaving weirdly.

Well, you mean Malwarebytes looks for things that are behaving weirdly providing the user has the "signature-less" options selected. If they don't, the Malwarebytes goes back to being signature based just like any other anti-virus software. So it's obvious that Malwarebytes has and maintains a signatures database. With that being said, they could use that for offline scanning.

[Captain_Obvious]

On 3/12/2019 at 1:18 PM, exile360 said:

Bingo, also with regards to Microsoft's licensing, I don't know why they made the change, but several years ago they started to prohibit the distribution of WinPE and at that time major vendors like Symantec/Norton, Acronis (makers of True Image) and many others had to stop distributing bootable tools based on WinPE.  You can find a discussion on this issue here and there are others on the net.

Basically Microsoft changed their EULA/terms for WinPE sometime back, and since making that change, they've made it impossible for any company to legally distribute tools based on WinPE to users/customers.  They could theoretically provide a tool to build a WinPE image for users, however the users would have to set up the WAIK/WinPE image themselves on an individual basis, and since not all users have access to a clean system to work from this presents a challenge.

And like that you added yet another reason to hate Microsoft to my growing list. I can't understand why Microsoft would do that. It doesn't seem to benefit them in any way, and it just hurt their customers that much more.

But you know what I also I don't understand? Why people code viruses and malware in the first place. According to an interview with an FBI agent that I read, the code for many virus and malware applications can be very complex! They can contain hundreds of lines of code that would take a single person MONTHS to code! I don't understand what they get out of that. Like you said, with ransomware, spyware, and trojans, at least the developer has a chance at making a significant amount of money either by stealing financial information or by stealing personal information and using it to acquire funds in the person's name. With that, at least they get compensated for their work in coding the software.

But with viruses and malware, they don't get paid at all. They spend all of their personal time coding an application that damages someone's operating system, and they get nothing in return. It's completely pointless! I just don't understand why malware even exists. It doesn't profit the coder in any way. 

[exile360]

2 hours ago, Captain_Obvious said:

Well, you mean Malwarebytes looks for things that are behaving weirdly providing the user has the "signature-less" options selected. If they don't, the Malwarebytes goes back to being signature based just like any other anti-virus software. So it's obvious that Malwarebytes has and maintains a signatures database. With that being said, they could use that for offline scanning.

That's not entirely true.  Even Malwarebytes' so-called 'signatures' in their databases aren't the same kinds of signatures used by most AVs; instead, they're composed almost entirely of heuristics patterns used to detect known threats and additional variants of those threats, and some even target entire families and classifications of threats.  That said, a big part of the issue is that many of them rely on using items' locations as an aspect of how they are detected since the Researchers also take into account how each threat installs itself onto the systems it infects, but when scanning an offline system it wouldn't see those locations as it should when the system is active.  It makes adapting the scan engine to offline scanning quite tricky.  It's not necessarily impossible, but without WinPE it is a challenge since it cannot read an offline Windows system and registry hives as though they were online/native.

2 hours ago, Captain_Obvious said:

And like that you added yet another reason to hate Microsoft to my growing list. I can't understand why Microsoft would do that. It doesn't seem to benefit them in any way, and it just hurt their customers that much more.

But you know what I also I don't understand? Why people code viruses and malware in the first place. According to an interview with an FBI agent that I read, the code for many virus and malware applications can be very complex! They can contain hundreds of lines of code that would take a single person MONTHS to code! I don't understand what they get out of that. Like you said, with ransomware, spyware, and trojans, at least the developer has a chance at making a significant amount of money either by stealing financial information or by stealing personal information and using it to acquire funds in the person's name. With that, at least they get compensated for their work in coding the software.

But with viruses and malware, they don't get paid at all. They spend all of their personal time coding an application that damages someone's operating system, and they get nothing in return. It's completely pointless! I just don't understand why malware even exists. It doesn't profit the coder in any way. 

Virtually all common malware today (as well as PUPs) are used to generate income, either directly through theft of credit card information and other financial info, or through extortion as with ransomware.  The more indirect threats such as those that simply steal personal info, collect this data to compile and sell on the dark web.  Other threats, like PUPs, are installed to generate revenue through clicks/ads etc.  The vast majority of these are financed by organized crime though some do come from independent hackers and hacker groups.  There are also threats that target specific things like Steam credentials, email addresses/address books (for future spam operations and phishing attacks).  There are also threats that take control of infected computers to employ them as parts of botnets for mass spam/phishing attacks on others as well as DoS (Denial of Service) attacks against websites and organizations (businesses, governments etc.).

There are more advanced threats, most of which are more nefarious and far more stealthy in nature and these have a different purpose.  They are threats such as APTs and the like which have been developed to infiltrate specific targets to acquire specific information/access to specific systems/data such as government secrets, corporate secrets and blackmail of high profile individuals.  Such threats are not typically found in the wild frequently and can be either financed by organized crime, high level hackers, but more often than not are the product of unscrupulous corporations and rogue governments who seek to steal from and/or spy on others (for example, Stuxnet, the CCleaner APT event, the threats found on nuclear power plan systems in various countries, NSA and FBI malware used for mass surveillance programs as well as specific/targeted investigations of potential criminals and suspect terrorists etc.).  These threats are not widespread (at least as far as we know) and therefore aren't often captured by threat researchers and so no one really knows just how much of this kind of malware is out there and how pervasive it might be.

When it comes down to it though, it is almost always about money, either directly or in a more roundabout way for virtually all threats faced by typical home users and most businesses today, and these are the threats most focused on by AV/AM software like Malwarebytes and others in the industry.  Almost no one specializes in the other types of threats I mentioned simply because they are so seldom seen and few would even begin to know what to look for or how to look for it since they often employ previously unknown techniques and as of yet unexposed 0-day exploits.

The point is, virtually all of these criminal organizations/malware authors are very well financed and seek to profit from the threats they create in some way and in fact they are typically better financed than most AV/AM companies which is one of the challenges faced by threat researchers as they are pretty much always outnumbered and outgunned, so they must use clever forward-thinking tactics to try and outsmart the bad guys and shield systems from attack.  Technologies like the excellent Exploit Protection in Malwarebytes come in very handy in this regard, both stopping known exploit behaviors as well as hardening many critical components and areas against known and unknown exploit attacks.