MBAM and RR as only protection?


Good morning - I am a tech and have been faced recently with many Antivirus XP/VISTA 2008 FAKE_ALERT trojan infections on several different computers, each one having a full-blown and updated version of Norton, McAfee or Trend Micro. Yet the malware seemed to slip under the radar of all 3 and easily installed itself. Also, these resident security apps cannot remove the infection after a full scan.

Well... MBAM to the rescue!

So here's my question. Would the full, paid version of MBAM and RR Pro together be sufficient to protect a user's computer so I can dump the bloated Trend/Norton/McAfee apps?

My clients wonder (and rightfully so) what they are paying for if their computers are easily infected with these known bad guys.

Also, just curious - why can't these major players stop/remove a well known malware infection?

Thanks!


If you're really a tech then you should already know the answer. ;)

http://www.malwarebytes.org/forums/index.php?showtopic=5408

Nothing is 100% and your customers need a layered defense. I have seen various malware go undetected by MBAM and RR that is picked up by Avira, Kaspersky, etc., and the same can be said for any scanner out there. Most people don't understand HIPS, or better yet Limited accounts, so it is wise to build a nice layered "signature" scanner arsenal. MBAM paid w/ real-time will co-exist with most if not all AVs out there. If anything, move your customers with Norton, McAfee, Trend, etc. over to something with better detection/removal capabilities. I'd rather save my customer some money and move them to Avira free (takes <1 min. to block the nag screen) and sell them a copy of MBAM for $25 w/ lifetime updates. 9 times out of 10 they will get a nice performance boost as well, since both apps use very little memory/resources.

Very sound advice, EliteKiller. I agree with everything you've said.


Sorry to object, but judging from my own experience Avira AntiVir most definitely does not use "very little memory/resources". It's not a great resource hog like Norton, but it's still not the lightest either. Around 70MB of Working Set and Private Bytes (according to Process Explorer) is not very little when compared to NOD32 for example, which in my honest opinion is the lightest antivirus software among those that are worth using.

If users are not novices, a HIPS based program will add a great layer of protection. If users aren't very familiar with such security software, then maybe a behaviour blocker might prove useful.

Just my 2 cents.

FWIW I never stated that Avira was the lightest AV out there; that crown would probably go to Dr.Web. While NOD32 may consume less memory than Avira, almost anyone who has used Avira can vouch for its "lightness". Last time I checked ESET doesn't offer a free version of their AV, and ESS 3.0 is a step backwards and more of a black sheep (compared to 2.7). It's also worth mentioning that NOD32's on-demand detection rate takes a back seat to Avira.

I also never stated Avira is the biggest resource hog. I simply said it's not as light as many people claim it is. It is about average. Yes, I know ESET doesn't offer a free version, but since no one said money would be an issue I mentioned NOD32. Maybe NOD32 v3 is the black sheep, I don't know, but I still find it generally better than v2. It still wasn't what I wanted it to be, but I found it OK nonetheless. I had some problems with NOD32's stealth driver in some older v3 build, but the bugs were fixed.

I'm not an expert by any means, but from what I've seen on my system Avira simply detects more false positives - some packed executables and stuff. Both NOD32 and Avira detect mostly "potentially dangerous applications" that are not directly a threat at all, but Avira has a bit more FPs. Which made me uninstall my antivirus program (NOD32) and now I'm running without one. I may not be an expert but still I think I'm educated enough to protect my system without an antivirus. Why? Well, in recent years my antivirus software has never detected anything other than some potentially dangerous software and some FPs. I've never had a real threat. Why keep a program that consumes resources (even if it's not much) and does basically nothing? I'm experimenting with MBAM as my only realtime protection (apart from my firewall) to see how much of an impact it has on my system.


A couple of quick notes. MBAM is designed at its core to fill in the gaps left open by antivirus software and can't be used alone if real security is the goal. NOD32 and Kaspersky seem to be the two AVs that I see most trusted security experts using, and that has to be for a good reason. AntiVir has always been my free AV of choice and is also used by a lot of trusted security experts. Keep in mind that AV software has one thing above all else that makes it critical to have, and that is where it got its name: viruses. While MBAM can detect virus installers if one were to get through, we would not be able to unpatch compromised files or even detect them, as this is the job of your antivirus software. Virus-type malware is not that common (thank god, because the word "format" would be) but they will never actually go away, because the concept of using existing (and often critical) files has nearly the same effect as a good rootkit in that detection and removal are both a big problem.

MBAM should have malware IP blocking soon and this will add another layer of solid protection, but like the issue with MBAM and antivirus software, this is not designed to replace a firewall. A firewall does many heuristic checks against network traffic. Our IP blocking will only deny access to known malware IPs in both directions, so just as MBAM enhances your protection by working against what the AVs miss, MBAM will enhance your firewall-level protection without conflicting with or replacing your existing firewall software.


Also, just curious - why can't these major players stop/remove a well known malware infection?

The reasons are many, but the critical ones are the "rules" AV software is bound by. AV software is forced to detect malware by examining file contents alone, and while this usually works, there is a lot of malware that rotates its obfuscation tricks so often that the AVs simply can't keep up. AV software also often does not work to undo system damage left behind by malware, an area that MBAM is very good in. MBAM does look at file contents, but that is only one of many ways we can detect a file, and this is why we can hit a lot of malware that the AVs miss. Let's say we detect an infection by 6 points of contact. If 5 of those were to change we would still detect that infection completely. If any of those 5 were file contents, AV software would fail to detect the changed malware. MBAM also has many family-specific checks it does to heuristically detect common but poorly detected malware that AV software can't even come close to matching.

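The two points made in the replies above (a rule built on several independent indicators keeps firing when the attacker rotates most of them, and an IP blocklist that is checked in both directions) can be shown in a few dozen lines. The following is an added example written for this thread; it is not Malwarebytes' engine, rule format or IP-blocking code. The malware family, the file bytes, paths, autorun names, mutex and service names are all constructed, the IP is from the TEST-NET-3 documentation range, and the "six points of contact" are simply the six indicator types the example chooses (file hash, file path, autorun command line, mutex, service, remote IP).

```python
"""Added example: multi-indicator detection versus a content-only (hash) check.

Illustrative code for this thread, not Malwarebytes' engine or rule format.
Every host, file, path, name and IP below is constructed."""
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class HostSnapshot:
    """Constructed view of one machine: the artifacts a scanner can inspect."""
    files: dict         # file path -> file contents (bytes)
    run_keys: dict      # autorun value name -> command line
    mutexes: set
    services: set
    connections: list   # (direction, remote_ip); direction is "in" or "out"


@dataclass
class FamilyRule:
    """One malware family described by several independent indicators."""
    name: str
    content_hashes: set = field(default_factory=set)    # SHA-256 of known builds
    path_patterns: list = field(default_factory=list)   # regexes over file paths
    run_key_patterns: list = field(default_factory=list)
    mutex_names: set = field(default_factory=set)
    service_names: set = field(default_factory=set)
    c2_ips: set = field(default_factory=set)            # known bad IPs


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def content_only_scan(host: HostSnapshot, rule: FamilyRule) -> list:
    """The 'file contents alone' model: a hit only if a known hash is present."""
    return [p for p, data in host.files.items() if sha256(data) in rule.content_hashes]


def multi_point_scan(host: HostSnapshot, rule: FamilyRule) -> list:
    """Return every (indicator_type, evidence) pair that matched.

    Any single hit attributes the infection to the family, so the rule keeps
    working after the attacker repacks the binary and renames everything else."""
    hits = []
    for path, data in host.files.items():
        if sha256(data) in rule.content_hashes:
            hits.append(("content", path))
        if any(re.search(p, path, re.I) for p in rule.path_patterns):
            hits.append(("path", path))
    for name, cmd in host.run_keys.items():
        if any(re.search(p, cmd, re.I) for p in rule.run_key_patterns):
            hits.append(("run_key", name))
    hits += [("mutex", m) for m in sorted(host.mutexes & rule.mutex_names)]
    hits += [("service", s) for s in sorted(host.services & rule.service_names)]
    # The blocklist check ignores direction: an inbound connection from a known
    # bad IP is reported exactly like an outbound one.
    hits += [("c2_ip", f"{d}:{ip}") for d, ip in host.connections if ip in rule.c2_ips]
    return hits


# --- constructed sample data (not real malware) ------------------------------
ORIGINAL_BUILD = b"constructed fake-AV dropper, build 1"
REPACKED_BUILD = b"constructed fake-AV dropper, build 2 (repacked)"

FAKEAV_RULE = FamilyRule(
    name="FakeAV.Constructed",
    content_hashes={sha256(ORIGINAL_BUILD)},
    path_patterns=[r"antivirus(xp|vista)2008[^\\]*\.exe$"],
    run_key_patterns=[r"antivirus(xp|vista)2008[^\\]*\.exe"],
    mutex_names={"AVXP2008_Mutex"},
    services_names=None,
    c2_ips={"203.0.113.7"},
) if False else FamilyRule(
    name="FakeAV.Constructed",
    content_hashes={sha256(ORIGINAL_BUILD)},
    path_patterns=[r"antivirus(xp|vista)2008[^\\]*\.exe$"],
    run_key_patterns=[r"antivirus(xp|vista)2008[^\\]*\.exe"],
    mutex_names={"AVXP2008_Mutex"},
    service_names={"avxp2008svc"},
    c2_ips={"203.0.113.7"},
)

# First victim: all six indicators are present.
ORIGINAL_HOST = HostSnapshot(
    files={r"C:\Program Files\AntivirusXP2008\antivirusxp2008.exe": ORIGINAL_BUILD},
    run_keys={"AntivirusXP2008": r'"C:\Program Files\AntivirusXP2008\antivirusxp2008.exe" /s'},
    mutexes={"AVXP2008_Mutex"},
    services={"avxp2008svc"},
    connections=[("out", "203.0.113.7")],
)

# Second victim: five of the six were rotated (new packer, path, autorun name,
# mutex and service). Only the command-and-control IP is unchanged, and this
# time the traffic is inbound.
VARIANT_HOST = HostSnapshot(
    files={r"C:\Windows\Temp\svchosts.exe": REPACKED_BUILD},
    run_keys={"SystemUpdate": r"C:\Windows\Temp\svchosts.exe /s"},
    mutexes={"Global\\SysUpd_7f3a"},
    services={"sysupdsvc"},
    connections=[("in", "203.0.113.7")],
)

if __name__ == "__main__":
    for label, host in (("original", ORIGINAL_HOST), ("repacked variant", VARIANT_HOST)):
        print(f"{label}: content-only -> {content_only_scan(host, FAKEAV_RULE)}")
        print(f"{label}: multi-point  -> {multi_point_scan(host, FAKEAV_RULE)}")
```

Run as a script, the original host is caught by both scanners (six hits from the multi-point rule), while the repacked variant is invisible to the hash-only check and is still attributed to the family by the single surviving indicator, the blocklisted IP, even though the connection is inbound rather than outbound. The rule's weakness is equally visible: if the operator also moved their command-and-control server, none of the six would match, which is why the posters above insist on layering several products rather than relying on one.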
