Ninehundred

Is Malwarebytes Premium for Business appropriate for a File Server?


We've been long-time users of Malwarebytes. Our typical usage has been to deploy to desktops and laptops. This past weekend we purchased another license and deployed it onto a corporate File Server. This morning during a staff meeting the question was raised about whether or not the product is suitable for use on a File Server? Can someone confirm or deny this use case? If it is deemed appropriate to protect a File Server, we'd appreciate a reference to the technical materials that describe the benefits.

We've been reading various blogs and articles on the Malwarebytes website, and it seems they are distinguishing anti-virus and anti-malware. That anti-virus is signature-based, whereas anti-malware is behavior-based. But we cannot find details about what specific behaviors the software watches for and catches. This makes it challenging to evaluate whether or not it is suitable to protect a File Server.

The Malwarebytes description of the differences between anti-virus and anti-malware is also somewhat confusing. If Malwarebytes is strictly behavior-based, why does it perform a whole disk scan? Wouldn't scanning files at rest imply it is signature-based as well?

The deeper we dig into this topic, the more questions we seem to uncover. Most of them revolve around a more precise explanation of exactly what Malwarebytes is doing. What is it looking for, and what is it protecting against? I understand there is a reluctance to reveal too much information for fear of arming the criminals and protecting Malwarebytes' corporate advantage, but without more technical details I can't see how a system administrator can evaluate the product use cases.

Greetings,

Malwarebytes uses several different methods and layers to protect systems, many of which are behavior based, and a few which are signature based.  It also uses heuristic detection methods and algorithms as well as cloud components to detect new and unknown threats.  You can learn more about the various components of Malwarebytes by reviewing the diagram and information found on this page.

As for the differences between Malwarebytes and antivirus, it basically boils down to how Malwarebytes detects threats.  While it is true that Malwarebytes does use some more traditional detection methods such as hashes and threat signatures to recognize malware file patterns, this is actually a very small component of what Malwarebytes does and most of its protection and detection components rely on more advanced methods to detect threats.  With that said, Malwarebytes is not an antivirus but is positioned as an AV replacement and may be used instead of a traditional antivirus.  Since the modern threat landscape is so different now compared to how it used to be, traditional AV detection methods are insufficient for protecting devices on the internet from today's attackers and threats, and Malwarebytes is a response to those changes in the cyber-security industry and has been built from the ground up to be effective against modern threats and attack vectors including exploits, ransomware, scams/phishing, Trojans, rootkits, PUPs (Potentially Unwanted Programs) and much more using the methods described in the link provided above rather than relying on more traditional file hashes and signatures as its primary method of detecting threats; this is one of the key ways that Malwarebytes differentiates itself from a traditional antivirus application.  That said, Malwarebytes is in fact designed to be compatible with an active antivirus application so that if you prefer to also use a traditional antivirus or other security software alongside Malwarebytes, you should be able to do so without any issues.  In fact, many Malwarebytes customers run the free Microsoft Windows Defender/Microsoft Security Essentials alongside Malwarebytes to function as a secondary layer of defense against malware.  While this is not a requirement, it is an option should you desire to have additional layers of defense for your systems/devices.

Malwarebytes targets different behaviors and threats with each layer of protection.  The Web Protection component blocks all connections, both incoming and outgoing to/from known malicious servers/websites and even some entire hosts/hosting providers (for known malware-friendly hosting providers) while the Exploit Protection component monitors key applications known to be frequently targeted by exploits for any sort of exploit behavior, especially web-facing applications like web browsers as well as media players and office applications which are often the target of exploits via Trojanized scripts, documents and media files.  It also applies hardening to key OS components to defend against common exploit attack methods and behaviors.  It is by far one of the most proactive protection layers in Malwarebytes.  The Ransomware Protection component monitors all processes and threads in memory to look for ransomware behavior, including the modification and deletion of data as well as the attempted encryption of data in order to catch ransomware in the act before it can encrypt your data.  The Malware Protection component uses a combination of traditional threat signatures, advanced heuristics algorithms and cloud based Machine Learning and live threat intelligence to detect both known and new/unknown threats that attempt to execute in memory.  
The scan engine also uses those same methods that are used by the Malware Protection component in addition to scan-specific technologies such as the advanced Linking engine that can take a single trace detection/file and extrapolate a multitude of additional detections throughout the system in the registry and on disk to detect further components and traces of an infection or malicious application to apply comprehensive detection and remediation of threats, and if enabled, the rootkit detection component in the scan engine will check for both known and unknown rootkits/bootkits on the system and attempt to remediate them, including attempting to repair commonly damaged OS/system components and services that are often the fallout of such infections that most security applications fail to detect or repair during their detection and remediation routines.

With regards to your file server specifically, unfortunately I do not know, and we will have to wait to hear from a member of the Malwarebytes staff on that, but in the meantime I hope I have been able to help answer some of the questions you had about Malwarebytes and how it works.

Hello @Ninehundred

The information provided by @exile360 above is correct.  For more information on the different layers of protection that are used by Malwarebytes, you can check out page 19 of the cloud Admin guide, which goes into a little more detail about the different layers of protection.  Specifically for use with a file server, your team should be using our cloud product, Endpoint Protection.

Cloud Admin Guide: https://support.malwarebytes.com/docs/DOC-1802

Warm Regards,

I appreciate you taking the time to reply, but I'm afraid this answer will not do.

We've looked over the materials you referenced and even read the entire chapter on Endpoint Protection, pages 18 - 24.  Those settings address controlling applications that run and perform actions. A File Server does not RUN programs. It stores files. I can't see how 'behavior-based' protection can be applied to a File Server which acts as a repository of files.

Most of the files on a File Server are data. There are virtually no executables.  My reading of Malwarebytes materials suggests it focuses its attention on executable analysis and does not concern itself with data files. I could be wrong, but I assume it will not attempt to scan Word or Excel files for malware in the form of scripts and macros?

If it is a Windows OS based server then it is a non-dedicated server.  Non-dedicated servers such as Windows Server are often compromised because of the Insider Threat, when the role as a File Server is abused by administrators who install unapproved software and browse the Internet.

Malwarebytes' Anti-Malware (MBAM) does not target scripted malware files via signatures.  That means MBAM will not target: JS, JSE, PS1, PY, HTML, HTA, VBS, VBE, WSF, CLASS, SWF, SQL, BAT, CMD, PDF, PHP, etc.
It also does not target documents via signatures, such as: PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, RTF, etc.
It also does not target media files: MP3, WMV, JPG, GIF, etc.

Until MBAM v1.75, MBAM could not access files in archives, but with v1.75 came that ability, so it can unarchive a Java JAR (which is a PKZip file) but it won't target the .CLASS files within. Same goes with CHM files (which is a PKZip file), but it doesn't target the HTML files within. MBAM v1.75 and later specifically will deal with: ZIP, RAR, 7z, CAB and MSI for archives, and self-extracting ZIP, 7z, RAR and NSIS executables (aka SFX files).

MBAM specifically targets binaries that start with the first two characters being 'MZ'.
They can be: EXE, CPL, SYS, DLL, SCR and OCX. Any of these file types can be renamed to be anything such as TXT, JPG, CMD and BAT and they will still be targeted just as long as the binary starts with 'MZ'.  This includes file names that use Unicode Right-to-Left Override to obfuscate an executable file extension.

[Attached image: MZ-binary.jpg]

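To make the points in the post above concrete for someone who administers a file share, here is an added example of the checks a defender can run over files at rest: the 'MZ' header test regardless of extension, the Right-to-Left Override test on file names, and a look inside zip containers (plain archives, JAR files and OOXML Office documents) for embedded executables or a VBA macro project, which also speaks to the earlier question about Word and Excel files. This is not Malwarebytes code and not code from any poster in this thread; the function names, the list of extensions treated as "expected executable", the `vbaProject.bin` member name and the sample files are all constructed for this example.

```python
"""Added example (not Malwarebytes code): a minimal file-server triage scan.

Checks applied to each file:
  1. first two bytes 'MZ' => a Windows executable no matter what the extension says;
  2. U+202E (Right-to-Left Override) in the file name => possibly disguised extension;
  3. zip containers (archives, JARs, OOXML Office files) are opened so that an
     embedded executable or a VBA macro project (vbaProject.bin) is seen.

All names, extension lists and sample files are assumptions made for this example.
"""
import io
import os
import zipfile

RTLO = "\u202e"  # Unicode Right-to-Left Override
# Extensions where an MZ header is expected; anything else carrying MZ is flagged.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}


def has_mz_header(data: bytes) -> bool:
    """DOS/PE executables start with the two bytes 'MZ'."""
    return data[:2] == b"MZ"


def has_rtlo(name: str) -> bool:
    """True if the file name contains a Right-to-Left Override character."""
    return RTLO in name


def triage_bytes(name: str, data: bytes) -> list:
    """Return the findings for one file; an empty list means nothing was flagged."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    if has_rtlo(name):
        findings.append("rtlo-in-filename")
    if has_mz_header(data) and ext not in EXECUTABLE_EXTS:
        findings.append("mz-header-with-extension:" + (ext or "(none)"))
    # Zip containers all start with 'PK'; look at each member rather than the wrapper.
    if data[:2] == b"PK" and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.is_dir():
                    continue
                if member.filename.lower().endswith("vbaproject.bin"):
                    findings.append("vba-macro-project:" + member.filename)
                with zf.open(member) as fh:
                    if has_mz_header(fh.read(2)):
                        findings.append("mz-header-inside-archive:" + member.filename)
    return findings


def triage_directory(root: str) -> dict:
    """Walk a real directory tree and triage every file (reads each file whole)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                findings = triage_bytes(fname, fh.read())
            if findings:
                results[path] = findings
    return results


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {member_name: bytes}; used only for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed sample files (not real malware): the fake PE is just 'MZ' plus padding.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_FILES = {
    "report.txt": FAKE_PE,                              # executable renamed to .txt
    "invoice" + RTLO + "fdp.exe": FAKE_PE,              # renders as 'invoiceexe.pdf'
    "budget.docm": make_zip({"[Content_Types].xml": b"<Types/>",
                             "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 28}),
    "notes.txt": b"quarterly notes, nothing special\n",
    "bundle.zip": make_zip({"readme.txt": b"see tool.dat", "tool.dat": FAKE_PE}),
}


def triage_samples() -> dict:
    """Run the triage over the constructed samples; returns {name: findings}."""
    return {name: triage_bytes(name, data) for name, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for name, findings in triage_samples().items():
        print(repr(name), "->", findings or "clean")
```

Run it as-is to see the constructed samples triaged, or call `triage_directory("/path/to/share")` against a real tree. The findings are pointers for a human, not verdicts: a genuine `.docm` is expected to carry `vbaProject.bin`, and the useful signal on a file server is a macro project or an MZ header turning up where the naming convention says it should not be.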

Keep in mind that the comments above from David H Lipman only apply to the Malware Protection and scan engine components of Malwarebytes; documents and media files are targeted extensively by Exploit Protection as I mentioned above.  The same goes for any scripts executed through a browser, and this is also how file-less malware is targeted (a form of attack that cannot be targeted using traditional signatures or file based heuristics since there are no files to detect, only behaviors).  To better understand why Malwarebytes takes this approach, please refer to the information found in this article which explains the point very well.  It is for this reason that Malwarebytes focuses on application hardening and behavior based detection for exploit and script based malware because it is trivial to bypass signature based detection of any form of script based attack whereas changing binary/executable malware to do the same is far less trivial.

It is true that if you are looking for a solution that explicitly focuses on data integrity, Malwarebytes is not focused on this type of defense; however, there are additional components in Malwarebytes Endpoint Protection and Response as well as Malwarebytes Incident Response (which lacks the Endpoint Protection components included in the former), including Endpoint Isolation and Rollback and Remediation, which should be more suitable for this purpose, because if any data on your file server becomes corrupted by a malicious actor you should be able to recover from the incident and use the Flight Recorder/Timeliner application to analyze any attack to help track down the source of the threat/incident.
