I thought you might like to know!


Guest ~BD~

(Firestorm70 @ 14.09.2008 13:20)

I use a free program called MALWAREBYTES it's just a scanner and offers no real time protection but it can still remove malicious programs that KIS might have missed. There's nothing wrong with having something that gives a second opinion even if I believe KIS doesn't usually miss much.

Be careful, however, with what you let this program remove/quarantine!

It has the following detection methods:

1. registry keys (very often empty ones that were not deleted by your resident protection)

2. MD5 checksums of a not so big malware-base

3. Files by name - yes, you heard that correctly; MalwareBytes also detects files by name. For example when I was playing with it, I planted a dummy txt file into System32 with the name amvo0.dll

It was immediately detected as

CODE

C:\WINDOWS\system32\amvo0.dll (Trojan.Agent) -> Quarantined and deleted successfully.

This, of course, is unacceptable for a program that wants to belong in a certain class!

KIS/KAV and other security programs of that caliber, able to distinguish between false and genuine threats, will most likely leave this file intact because it presents no real threat. However, in your opinion, MalwareBytes may look cooler and better because it found the dummy file and 'protected' you from a really nasty threat; an empty text file...

At the same time, detection by name alone may ruin your system as well!

p2u


  • Staff

A few points here, first and foremost MBAM is NOT antivirus software and is not restricted to antivirus techniques. These techniques are the reason antivirus software is not enough to protect your system.

MBAM detects malware through the following means:

MD5

unique strings

semi polymorphic strings

unique GUID linked dlls (and other executable components) (these are bi-directional)

unique load point to file (these are bi-directional)

IPH (unique heuristics we created and without giving anything away bypasses all current polymorphic blackhat packers and encryption and is also immune to randomized file names)

Unique file names combined with FP killing routines (we do not just do file name)

There are many more but I don't want to give too much away.

By combining cutting edge tech (like IPH) with old school tech and then everything in between we have been able to detect far more malware than some vendors who have been in the game more than 10 times longer than us.

Vundo uses random file names but we detect it at over 95% in real world infections. Stats like this are the real reason some people are getting upset.

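As an added illustration of the layering both posts above argue about (not Malwarebytes' code; the rule data and the "FP killing" check are constructed for this example), this small Python scanner combines a hash layer with a filename rule for amvo0.dll that is gated by a sanity check, and runs it against the dummy text file from the quoted test, a constructed PE stub with the same name, and a randomly named file whose hash is blocklisted:

```python
import hashlib
import os
import tempfile

# Constructed rule data for this example; none of these are real indicators.
BAD_SAMPLE = b"MZ constructed bad sample for the hash layer"
KNOWN_BAD_MD5 = {hashlib.md5(BAD_SAMPLE).hexdigest()}
SUSPECT_NAMES = {"amvo0.dll"}          # the filename used in the dummy test above

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def looks_like_pe(path):
    """Hypothetical FP-killing check: a .dll with no 'MZ' signature is not a
    loadable image, so a name-only hit on it is almost certainly a false positive."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"

def classify(path):
    """Layered verdict: hash layer first, then name layer gated by the sanity check."""
    name = os.path.basename(path).lower()
    if md5_of(path) in KNOWN_BAD_MD5:
        return ("Trojan.Agent", "md5 match")
    if name in SUSPECT_NAMES:
        if looks_like_pe(path):
            return ("Trojan.Agent", "suspect name on a PE image")
        return ("clean", "suspect name but not a PE image")
    return ("clean", "no rule matched")

def demo():
    """Recreate the scenario from the thread in a temp dir and return the verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cases = {
            "dummy_txt": ("amvo0.dll", b"just a text file"),        # the planted txt file
            "pe_stub": ("amvo0.dll", b"MZ" + b"\x00" * 62),          # constructed PE-looking stub
            "hash_hit": ("random123.dll", BAD_SAMPLE),               # random name, known hash
        }
        for label, (fname, content) in cases.items():
            path = os.path.join(d, fname)
            with open(path, "wb") as f:
                f.write(content)
            results[label] = classify(path)
    return results

if __name__ == "__main__":
    for label, (verdict, reason) in demo().items():
        print(f"{label}: {verdict} ({reason})")
```

The empty text file is cleared by the sanity check even though its name matches, while the randomly named sample is still caught by the hash layer.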

  • Root Admin
This, of course, is unacceptable for a program that wants to belong in a certain class!

I know Ewido used to do this, guess what they are now, AVG. Just because we detect certain files by name, does not mean we suck. In fact, it means quite the opposite. We hit malware on multiple levels, you only listed three. What about the other fifteen or twenty?


...... you only listed three. What about the other fifteen or twenty?

I'm sure you recognise that I was the messenger, Rubber Ducky - it wasn't me who wrote same in the Kaspersky forums! :angry:

The author, p2u is, I believe, involved in computer forensics fwiw.

Dave


Hi BD,

Should computer forensics impress most of the developers here or something? :angry:

It's one thing to know how to run software it's another to actually code the stuff. :lol:

Don't get me wrong, the guy probably has extensive knowledge in various areas. But I don't agree with the statement that filename detection is necessarily a bad thing. It's part of a multi-layered approach to malware detection.


Hi BD,

Should computer forensics impress most of the developers here or something? :lol:

I thought it might! :angry:

p2u once came to Jenn's BB (at my invitation). Maybe I should have mentioned that although he is Dutch, he can speak fluid Russian. He is also a classical pianist! In other words ....... I think he is quite clever and should not be rubbished!

On the subject (kinda!) I recently went here http://validator.w3.org/#validate_by_uri and typed in Jenn's web site address http://www.pqlr.com If you were to do the same I'd be interested in any comment you may have thereafter. Please PM or email me if you'd prefer.

Have a great weekend! :)

Dave


p2u once came to Jenn's BB (at my invitation). Maybe I should have mentioned that although he is Dutch, he can speak fluid Russian. He is also a classical pianist! In other words ....... I think he is quite clever and should not be rubbished!

He's Dutch, speaks Russian, and plays piano? And that's supposed to impress me? How does classical music make one an expert in how a security application should work? How does it qualify someone to advise in technical matters related to computers and software? Does speaking Russian make him a Microsoft MVP?

On the subject (kinda!) I recently went here http://validator.w3.org/#validate_by_uri and typed in Jenn's web site address http://www.pqlr.com If you were to do the same I'd be interested in any comment you may have thereafter. Please PM or email me if you'd prefer.

pqlr.com is a parked domain. If you are concerned about the content, then contact the company that parked it.


I thought it might! :angry:

p2u once came to Jenn's BB (at my invitation). Maybe I should have mentioned that although he is Dutch, he can speak fluid Russian. He is also a classical pianist! In other words ....... I think he is quite clever and should not be rubbished!

On the subject (kinda!) I recently went here http://validator.w3.org/#validate_by_uri and typed in Jenn's web site address http://www.pqlr.com If you were to do the same I'd be interested in any comment you may have thereafter. Please PM or email me if you'd prefer.

Have a great weekend! :lol:

Dave

Hi Dave.

I wasn't trying to blow off the talented Russian. You do realize however, that he dissected a really old version of mbam? v1.09, which didn't support many of the technologies we have now. I suspect if he were to do his testing against the recent version, he'd find it's a bit more complicated than he makes it out to be.

Specifically, mbam isn't an antivirus scanner, and so doesn't play by those rules. This allows us to catch many things by heuristics that others miss. And you don't have to take my word for this, a Google search will show you.

Comparing antivirus scanning technology to mbam is like comparing a motor and an engine; one's electric and the other isn't. No fair comparison can be established. Each performs well in its own environment.

I have nothing to say regarding the site, as I've told you many times, I really don't have time to explore sites unless said site might contain malicious scripts and/or trojan downloads.

Have a good weekend Dave!


3. Files by name - yes, you heard that correctly; MalwareBytes also detects files by name. For example when I was playing with it, I planted a dummy txt file into System32 with the name amvo0.dll

It was immediately detected as

CODE

C:\WINDOWS\system32\amvo0.dll (Trojan.Agent) -> Quarantined and deleted successfully.

This, of course, is unacceptable for a program that wants to belong in a certain class!

I also read about this behaviour in the avira forum :angry:


  • Staff
I also read about this behaviour in the avira forum :angry:

If anyone is part of any of these threads I would be interested to get a reaction to the following question:

"vundo is randomly named and polymorphic yet MBAM detects it far more often than most AVs, how are they doing this with just file names and MD5s?"

This is another good one:

"why is MBAM the only application that seems to have a handle on antivirus xp 2008. it is randomly named and detected by next to no AVs on a regular basis, how are they doing this?"

It would also help us if it was made clear that we are not an AV.


If anyone is part of any of these threads I would be interested to get a reaction to the following question:

"vundo is randomly named and polymorphic yet MBAM detects it far more often than most AVs, how are they doing this with just file names and MD5s?"

This is another good one:

"why is MBAM the only application that seems to have a handle on antivirus xp 2008. it is randomly named and detected by next to no AVs on a regular basis, how are they doing this?"

It would also help us if it was made clear that we are not an AV.

Do you have a reference for those statements?

I can't seem to find them.
