Limited Scanning of folders on Mac version

[LJG500]

I understand that part of the reason the Mac version only scans a limited number of folders/files is that it is considered unnecessary on the Mac OS to scan and monitor changes on all folders. However, most, if not all competitors offer the option of a full system scan and I am assuming monitor all folders for changes. 

Is it possible for a user to inadvertently download a malware/adware package, grant the app file permissions and have malware distributed to folders that are not scanned by Malwarebytes- thereby rendering the package ineffective against this threat. 

For example, I installed Filezilla recently. I believe the package I installed was not bundled with malware as some of their packages have been in the past. Malwarebytes allowed the install. Assuming the app was not on MB's app block list and assuming it was granted file permissions- could it distribute its malware to locations that MB is not monitoring? Either rendering it in a latent form or allowing it to operate in folder locations outside MB's scanning capabilities. 

[exile360]

I'm not terribly familiar with the inner workings of the Mac OS version of Malwarebytes, however if it is anything like the Windows version, then the location malware tries to run from is basically irrelevant because it checks all common system loading points as well as all processes and modules loaded into memory, meaning that even if a threat were running from an unorthodox or previously unseen location where Malwarebytes' default scan doesn't check, it would still be detected because the threat would have to run in memory and use loading points to be able to run on the system and perform any malicious actions.  The only possible 'miss' under these circumstances would be a dormant piece of malware (i.e. inactive, such as a download the user never actually opened/executed) which was stored in an unusual location, but even then, as soon as anyone tries to launch the file Malwarebytes will check it before allowing it to enter memory and will of course monitor any actions it takes assuming it is allowed to/is not blocked immediately.

Again, this information pertains specifically to the Windows version as I do not have intimate knowledge of how the protection and scanning function for the Mac OS version so the info above may not apply.

[treed]

I can't go into great detail on how the scan engine works, because we don't want to give too many details to the bad guys who might also be reading.

That said, FileZilla was never the problem, it was their installer, which I see that they seem to no longer be using. That installer had adware bundled into it. Malwarebytes for Mac would block that installer from executing no matter where it was located on disk.

Of course, there is always going to be new stuff that nobody detects. That's inevitable with any antivirus software. We work hard to stay on top of the bad guys, and even ahead of them when possible, but there are going to be misses. Anyone who tells you their antivirus software is 100% infallible and will catch everything, including currently unknown future malware, is lying to you. So it's a matter of trust. Who do you trust to protect you, and to be by your side helping if something gets through the defenses?

[LJG500]

4 hours ago, exile360 said:

Hi Exile 360,

Thank you for your response. It is clear and addresses all of my points. I just want to say that it is rare to encounter this caliber of response on any typical forum.

Ideally malware would be identified where it is stored and before it executes. Let's say Malwarebytes (MB) failed to initially catch the malware (Zero Day threat). Later it is added to its threat signatures. If the file is stored in a location the MB doesn't scan it will not be quarantined.

If this threat should for whatever reason execute- Malwarebytes in this scenario would be playing catchup- intercepting the risk- but possibly after it is starting to do damage- instead of in its latent state. 

I am somewhat of a novice in these areas. Is my scenario reasonable? I am not trying to split hairs- but trying to understand why alternative solutions would be able to scan all folders and what the benefit of that might be.

Thanks...
----------------------
I'm not terribly familiar with the inner workings of the Mac OS version of Malwarebytes, however if it is anything like the Windows version, then the location malware tries to run from is basically irrelevant because it checks all common system loading points as well as all processes and modules loaded into memory, meaning that even if a threat were running from an unorthodox or previously unseen location where Malwarebytes' default scan doesn't check, it would still be detected because the threat would have to run in memory and use loading points to be able to run on the system and perform any malicious actions.  The only possible 'miss' under these circumstances would be a dormant piece of malware (i.e. inactive, such as a download the user never actually opened/executed) which was stored in an unusual location, but even then, as soon as anyone tries to launch the file Malwarebytes will check it before allowing it to enter memory and will of course monitor any actions it takes assuming it is allowed to/is not blocked immediately.

Again, this information pertains specifically to the Windows version as I do not have intimate knowledge of how the protection and scanning function for the Mac OS version so the info above may not apply.

 

[LJG500]

44 minutes ago, treed said:

I can't go into great detail on how the scan engine works, because we don't want to give too many details to the bad guys who might also be reading.

That said, FileZilla was never the problem, it was their installer, which I see that they seem to no longer be using. That installer had adware bundled into it. Malwarebytes for Mac would block that installer from executing no matter where it was located on disk.

Of course, there is always going to be new stuff that nobody detects. That's inevitable with any antivirus software. We work hard to stay on top of the bad guys, and even ahead of them when possible, but there are going to be misses. Anyone who tells you their antivirus software is 100% infallible and will catch everything, including currently unknown future malware, is lying to you. So it's a matter of trust. Who do you trust to protect you, and to be by your side helping if something gets through the defenses?

Hi Thomas,

I appreciate your response. But it seems like Exile 360 got to the heart of my question (at least on the Windows platform). But since your response was more product focused and about trust- than can you take the scenario I just gave Exile 360 and at least address it- particularly in the context of competing products that can scan all folders. I purchased Malwarebytes- reluctantly because I am new to the Mac and felt that malware was less of a risk on the M1 Mac then a Windows PC. On the other hand, I am now under the impression that malware is a sufficient threat to the Mac OS- that an anti-malware solution is justified. Memory wise, MB does have a lighter footprint then competing solutions- but I still can't quite understand why an all folder/selective scan option would not be beneficial.

[alvarnell]

AV solutions that scan all folders must compare every file encountered to a huge signature database which will take hours, sometimes all day to accomplish. Of course with Big. Sur's untouchable System Disk, there is nothing to be gained by scanning it as no malware is able to install itself on that disk, so that does reduce the time slightly.

Zero day infections rarely, if ever these days, involve installing the exact same known malware file in a different location. When such tactics are used it involves a change in the signature and/or the file name so all anti-malware scanners require an update to it's database in order to detect it. Infections that are defined as zero days are almost always a completely new approach to infecting with little if any code that has been seen before. Non-zero day infections are mostly different variants of the original and do use some of the same code and files as previous versions, so they are easier to detect without significant database updates.

With regard to Malwarebytes, there are a few features that monitor behavior looking for processes that are commonly used to keep the malware runnning persistently or to hide files from the user. Those are aimed to prevent new malware, either new or variant, from infecting and/or performing malicious activities until they can be positively identified as malware.