
MBAM should scan...



I'm not sure about PDFs, but archives like ZIP, RAR, ACE etc. are a planned feature for a future version, though I don't know when.

PDFs that are malicious exploit security holes in Adobe Reader and Acrobat that allow them to execute malicious code. Most AVs already check for such exploits. It works similarly to how malicious webpages try to exploit security holes in internet browsers like Internet Explorer and Firefox.


  • Root Admin

For one reason, many of the packers are not open source so you can't just go grab their code and use it, others have license agreements that prohibit use in a commercial product.

That said, one has to realize that we are not an Anti-Virus and that an archive on its own cannot do anything, as it's not executable but has to work with another method to run it. That other method is what we detect and find, and when possible, if linked to an archive, we already remove that archive as well. Use of an Anti-Virus program is what one should really rely upon for that type of detection. We are looking at adding some, but only in cases that might help to improve our current detections, not to replace your Anti-Virus.


In the late 90s/early 2000s there was a "we scan inside the most archive formats" battle between the AVs, and this convinced a lot of people that this was a critical component to security. Malware can't execute until it is extracted, at which point our protection module would stop it.

We may eventually add support for archive scanning but we have many priority protection projects in the works that will offer far better real world defense to complete first.

As far as non-executable files (PDF is the one mentioned above), keep in mind MBAM protection already has 3 places to stop these even if the exploit is missed:

  • host site IP
  • remote site IP (usually exploit and payload are not on the same IP)
  • executable payload

Many AVs work hard at detecting exploits while ignoring IP blocking completely; this is why the combined tech is so good and is what we suggest.


well I don't wanna download the file then extract it, and what do u know, I just wasted my time downloading some malicious RAR or zip file!

That would be the case anyway, at least for downloading it. MBAM does not scan files as they're downloaded and likely never will, as that would be a great way for it to conflict with antivirus software. Extraction would be the only extra step, but considering the fact that even if MBAM did scan inside archives, it would have to extract them to a temp location (that's how AVs do this :)), it takes about the same amount of time; the way it is now simply requires a few additional clicks.

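An added example, not part of any post in this thread and not Malwarebytes code: the post above notes that a scanner has to unpack an archive before it can inspect what is inside. This Python sketch does that unpacking in memory for a ZIP (standard-library `zipfile` only; RAR and ACE are not covered), reports which members start with an executable header regardless of their file name, and gives each member's SHA-256. The sample archive and its member names are constructed and inert.

```python
import hashlib
import io
import zipfile

# Leading bytes of common executable formats.
EXEC_MAGIC = {b"MZ": "Windows PE/DOS executable", b"\x7fELF": "ELF executable"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # skip oversized members (zip-bomb guard)


def triage_zip(data: bytes) -> list:
    """Inspect each ZIP member in memory; nothing is written to disk or run."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            entry = {"name": info.filename, "size": info.file_size,
                     "kind": "not inspected", "sha256": None}
            if info.flag_bits & 0x1:          # bit 0 = member is encrypted
                entry["kind"] = "encrypted"
            elif info.file_size > MAX_MEMBER_BYTES:
                entry["kind"] = "too large"
            else:
                body = zf.read(info)
                entry["sha256"] = hashlib.sha256(body).hexdigest()
                entry["kind"] = next(
                    (label for magic, label in EXEC_MAGIC.items()
                     if body.startswith(magic)), "no executable header")
            findings.append(entry)
    return findings


def build_sample() -> bytes:
    """Constructed, inert sample: a text file and a fake 'MZ' stub named .jpg."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello\n")
        zf.writestr("holiday.jpg", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample()):
        print(f["name"], f["size"], f["kind"], f["sha256"])
```

A header check like this is triage, not a verdict: it says an archive carries something executable, and the hash or the extracted file still has to go to a real scanner.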

That would be the case anyway, at least for downloading it. MBAM does not scan files as they're downloaded and likely never will, as that would be a great way for it to conflict with antivirus software. Extraction would be the only extra step, but considering the fact that even if MBAM did scan inside archives, it would have to extract them to a temp location (that's how AVs do this :angry:), it takes about the same amount of time; the way it is now simply requires a few additional clicks.

OOOPSSSSSSSSSSS, I was actually in a hurry and then I replied really fast. After I went off the site, I was thinking of what I said. MBAM can't block before a download! MY mistake. :angry:

Anyways, right AFTER I download the file, it would be nice if I could manually scan it right then, and see if it is malicious instead of extracting.

And I've noticed that MBAM Pro only blocks a downloaded file when it is started up. It would be better if when u download any type of file, it would scan in the background right away instead of waiting for the user just to run it.


Please feel free to correct me if I am wrong, Nosirrah & Exile or anyone else,

but to answer your question IDK, you CAN manually scan a file that you've downloaded. HOWEVER, the heuristics will NOT be functional with a manual scan on an individual file or folder.


It would be better if when u download any type of file, it would scan in the background right away instead of waiting for the user just to run it.

We can't. If the file is infected and your resident antivirus detects the same file, both locking/detecting it at once could cause them both to fail to remove it, or worse, a total system lockup forcing you to do a hard shutdown by pressing and holding the power button. For the sake of maintaining compatibility with antivirus software, we cannot scan files on access the way that antivirus software does, only on execution, which is after they've already had a chance to scan the file.


We can't. If the file is infected and your resident antivirus detects the same file, both locking/detecting it at once could cause them both to fail to remove it, or worse, a total system lockup forcing you to do a hard shutdown by pressing and holding the power button. For the sake of maintaining compatibility with antivirus software, we cannot scan files on access the way that antivirus software does, only on execution, which is after they've already had a chance to scan the file.

Ohh OK!

Now I understand. But what makes the PC lock up?


  • Staff
But what makes the PC lock up?

Think of it this way. Open a document. Now while it's open, try deleting the same document. You'll get an "Access Denied" error because the move operation (moving to Recycle Bin) would conflict with it being open in its current location. In this way, two processes are trying to access the file at once, so Windows throws up an error. Security software works a little differently, so if both try to scan (access) the file at the same time, Windows won't throw up the error, but the system will lock up as that kind of double access can't occur.

Yes, exactly as screen317 says. There isn't a 100% guarantee that it will lock up, but it is a likely outcome since security software uses kernel-level drivers and services to do what it does, and such an event can cause kernel-level instability (which is also one of the key reasons that a person should only install 1 antivirus program and why Malwarebytes' Anti-Malware is deliberately designed to work differently than antivirus software).


Yes, exactly as screen317 says. There isn't a 100% guarantee that it will lock up, but it is a likely outcome since security software uses kernel-level drivers and services to do what it does, and such an event can cause kernel-level instability (which is also one of the key reasons that a person should only install 1 antivirus program and why Malwarebytes' Anti-Malware is deliberately designed to work differently than antivirus software).

That makes sense. :)
