Documents and EndPoint Protection

[mygeeknc]

I had just submitted a malware sample of a new dropper for Emotet which was a DOC file. I was told that endpoint/mbam does not check any Word document files plus a host of other files. Is this true? 

 

That means MBAM will not target; JS, JSE,  PY, .HTML, HTA, VBS, VBE, WSF, .CLASS, SWF, SQL, BAT, CMD, PDF, PHP, etc.

It also does not target documents such as; PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, RTF, etc.
It also does not target media files;  MP3, WMV, JPG, GIF, etc.

[Porthos]

I asked the OP to post here.  I know the referenced items are not detected with the malware signatures in the home version. Does endpoint protection.use the same malware signatures?

I know that it up to exploit and web protection to block accessing the payload.

[exile360]

Yes, it's true, at least for the scan engine/Malware Protection component which is based on signatures.  This is because file types such as media files, documents and scripts are essentially nothing more than text files, and they are just as easy for the bad guys to edit, encrypt and obfuscate in any number of ways, even automatically in order to generate a different payload each time it is sent out/downloaded.  It is for this reason that Malwarebytes instead focuses on using Exploit Protection to guard against such threats since exploits are what are used to infect users from such file types.  You can learn more about why Malwarebytes does things this way (as well as why it is a waste of time/effort/memory/space for the AV/AM products that do use signatures to target such files/threats) by reading the information found in this article.

Basically what it boils down to is that it is far more effective to detect such threats/attacks based on their behavior rather than the files they use in order to attempt to dump a payload on the user's system (which is typically the purpose of such exploits/file types, including in the case of ransomware).

[mygeeknc]

I went back through all of the logs on OneView and it does appear the Exploit was caught by Endpoint Protection, it was trying to run a powershell command. 

[exile360]

Excellent, thanks for confirming that.  If there is anything else we might assist you with please let us know.

Thanks