
When does MWB warn of malware files?



I'm a bit confused as to how Real-Time Protection works - at least regarding detecting new malware files?

I'm testing a Premium Trial version of MWB on my Mac (using Catalina).

To test things, I downloaded the "Bundlore" malware file from the Objective-See malware library and unzipped the Bundlore.dmg file into a folder within my Downloads folder.

After doing this, MWB did not show any alerts, nor did a manual scan show any suspicious items.

Uploading the file to VirusTotal confirms that it is malware.

Would I have to (hypothetically) actually need to open the .dmg file and/or run the installer within it to prompt an alert from MWB?

I don't think I understand how or when Real-Time Protection is actually triggered: is it supposed to recognize malware files when they appear (via download, copy from USB, etc.)? Or does it only alert when a malicious process is actually launched and discovered in memory?

Why wouldn't a manual scan find a new, malicious file?


This is just a guess, so the staff will have to confirm when they get back to work, but Bundlore is very old (2014 or so) and probably is never or rarely found any more. In order to keep Malwarebytes for Mac fast and efficient, signatures for older malware that is considered to be extinct were never included or have been removed. I would encourage you to use much more current malware samples from Objective-See (the info often indicates when it was in circulation).


  • Staff

We do not directly detect that .dmg file at this time. However, we do block Bundlore installers (and do still continue to see them).

If you have the App Block component of Real-Time Protection turned on, try this: open the .dmg file, then double-click the installer. Assuming you downloaded this file via a mainstream browser like Safari, Chrome, Firefox, etc, this is safe, as it will have a quarantine flag. If we fail to block it, you'll still get a prompt from macOS asking if you're sure you want to open it, thanks to the quarantine flag, and can bail out at that point.

What you should see, though, with App Block on, is that Malwarebytes blocks that installer from opening. You'll see a message from macOS saying it failed to open the app, and a message from Malwarebytes in the Notification Center telling you we blocked it.

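The staff reply above relies on the macOS quarantine flag as the safety net: a sample fetched through a mainstream browser carries `com.apple.quarantine`, so Gatekeeper prompts before anything runs even if the product misses it. The following added example (not from the thread and not Malwarebytes code) checks that a downloaded sample actually has that flag before any test run and decodes what the attribute says about where the file came from. It assumes a macOS host with the stock `xattr` tool; the sample attribute value fed to the parser is constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a downloaded sample still carries the macOS
# quarantine flag before using it in a detection test.
# Assumes macOS with /usr/bin/xattr; the parser itself is plain POSIX sh.

# Return 0 when the file has com.apple.quarantine, 1 otherwise.
# On a system without xattr (or a file without the flag) this is non-zero.
has_quarantine() {
    xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

# Decode a quarantine value of the form "flags;hex-timestamp;agent;uuid"
# (the layout macOS writes) into "agent=<agent> flags=<flags> epoch=<secs>".
# The timestamp field is hex seconds since the Unix epoch.
parse_quarantine() {
    value=$1
    flags=${value%%;*};  rest=${value#*;}
    ts_hex=${rest%%;*};  rest=${rest#*;}
    agent=${rest%%;*}
    epoch=$((0x$ts_hex))
    printf 'agent=%s flags=%s epoch=%s\n' "$agent" "$flags" "$epoch"
}

# Print a verdict for one file: "quarantined: ..." when the flag is present,
# "NOT quarantined" when it is missing (macOS will not prompt on open, so do
# not proceed with a test), or "missing" when the path does not exist.
quarantine_verdict() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 2; }
    if has_quarantine "$f"; then
        echo "quarantined: $(parse_quarantine "$(xattr -p com.apple.quarantine "$f")")"
        return 0
    fi
    echo "NOT quarantined"
    return 1
}

# Usage: sh check_quarantine.sh ~/Downloads/sample.dmg
if [ "$#" -gt 0 ]; then
    for path in "$@"; do
        printf '%s: ' "$path"
        quarantine_verdict "$path"
    done
fi
```

Files copied in from a USB stick or extracted by some archive tools never get the flag, which is exactly the case where the macOS prompt the staff member describes would not appear; the script makes that visible before you double-click anything.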

  • Staff

BTW, one other note... be cautious about testing stuff downloaded from malware repositories. Although we do still see Bundlore in the wild, a lot of the stuff in such repositories is very old and no longer relevant, because it's no longer found in the wild. For things we haven't detected in a long time, we'll eventually remove the rules from the database so as not to waste time looking for something that no longer exists.


On 3/4/2020 at 7:00 AM, treed said:

We do not directly detect that .dmg file at this time. However, we do block Bundlore installers (and do still continue to see them).

If you have the App Block component of Real-Time Protection turned on, try this: open the .dmg file, then double-click the installer. Assuming you downloaded this file via a mainstream browser like Safari, Chrome, Firefox, etc, this is safe, as it will have a quarantine flag. If we fail to block it, you'll still get a prompt from macOS asking if you're sure you want to open it, thanks to the quarantine flag, and can bail out at that point.

What you should see, though, with App Block on, is that Malwarebytes blocks that installer from opening. You'll see a message from macOS saying it failed to open the app, and a message from Malwarebytes in the Notification Center telling you we blocked it.

Appreciate the informative response(s)!

I'm using MWB on my daily Mac, so although I agree macOS and MWB are 99.99% likely to prevent the installation of malware from an installer, I can't risk trying it just to prove that it works :)

Which leaves me a bit stuck. I've tracked down a number of MWB articles regarding the proper methods of testing it, all of which are beyond the abilities or time of even many enthusiasts. I appreciate that MWB seems to have evolved a newer, more efficient way of monitoring things. But as a representative consumer trying to decide between MWB and the usual competitors, might I suggest that your advertising and documentation explain in more detail when and what to expect should someone download and/or try to install malware? Most of us are likely to just download some test files, try a Scan, and assume it's not working when it doesn't find the installer file itself to be malicious.

Would it be fair to say that MWB doesn't really care about the zip, dmg etc. files containing a malware installer - but WOULD quarantine or prevent the creation of malicious files when running such an installer?


  • Staff

That is a fair representation of the current state of the software, yes. We don't scan inside compressed files (with the exception of compressed browser extensions), but would hope to block execution of installers found inside those compressed files and/or detect any files those installers might drop.

Of course, no such software can ever achieve 100% detection rates. Anyone who claims otherwise probably also has a bridge to sell you. :) So if you find something recent (as opposed to very old) that isn't caught, please let us know.
