Hello :)

I just read this thread here -> http://www.malwarebytes.org/forums/index.php?showtopic=6316

and I decided to play around with MBAM... I had that little pest amvo (what a PIA) some months ago. Anyway, I created amvo.exe (an empty text file) in system32 and, as said, it was found by the quick scan. Now, I'm not criticizing this approach (as stated in that thread, it's actually good to have more ways of killing malware), but what got into my head was: why, when I right-clicked on amvo.exe and picked "Scan with MBAM", was it not found as malware? :)

Is there a difference between the quick scan and the right-click scan, or what?

It may be because of the way MBAM uses its definitions to detect threats (i.e. based on the location of the file or its placement in the registry, etc.), and maybe when you do a right-click scan it disregards the file's location and just scans the file itself for malicious content. That would be good for packed malware not currently installed on the machine, but not so good for an FP file created by the user which actually contains no malicious content. This would be done so that quick scans are much faster than normal AS products, which do a more thorough check of the files based on more than just the location where the infection is known to reside on infected systems.

In this case, where you created the FP in the location where that infection is normally installed, MBAM's quick scan is tricked based on the filename/location criteria, but the more thorough individual scan of that file is not fooled because it checks the actual attributes and nature of the file itself. I could be wrong, but I've seen similar info on the nature of MBAM's quick scan before.

Now the obvious worry of course would be "What if MBAM removes a file with similar attributes that belongs to a legit program?", and my guess would be that the devs would come up with an alternate method of detecting that particular threat to avoid the FP of a legit file, or somehow check the file to verify it's part of that known-to-be-legit program and not malware. I'm just guessing here, but all I've learned up to this point about MBAM tells me that this isn't far from the truth, esp. considering that MBAM used to get flagged for FPs quite often and maybe still does, but these FPs, once reported, are patched so fast it makes my head spin, so I don't generally sweat it, and MBAM's rate of detection/removal of the nastiest malware on the internet just keeps on increasing.

Malwarebytes' Anti-Malware was never designed to scan single files. It is designed to run through its quick scan to look for malware.

MBAM probably did not detect the file with the Right-Click -> Scan File option because it did not load its heuristics. I believe that heuristics are only loaded during the quick and full scans.

> Malwarebytes' Anti-Malware was never designed to scan single files. It is designed to run through its quick scan to look for malware.
>
> MBAM probably did not detect the file with the Right-Click -> Scan File option because it did not load its heuristics. I believe that heuristics are only loaded during the quick and full scans.

How would heuristics (behavioral detection) help an integrated shell scan to detect an empty file or folder?

Something in the full scan engine is tripped by name.

  • Staff

A few points here. First and foremost, MBAM is NOT antivirus software and is not crippled by the same rules that make antivirus software (on its own) not enough to protect a system.

MBAM will detect malware with advanced tech like semi-polymorphic strings and IPH (the heuristic tech we created and are currently the only ones using), down to old-school tech and everything in between.

If a file has a 0% chance of being legit, do you honestly want us to NOT detect it if it changes enough to evade strings and heuristics?

MBAM will detect %ROOTDRIVE%\lsass.exe, %TEMP%\winlogon.exe and %SYSDIR%\iexplore.exe no matter what the file contents are, because there is no chance that these will be legit. Are there people who would actually like us NOT to do this?

Above it was mentioned that the context menu MBAM scanner did not delete a file that the quick scan did. The reason for this is that when you use the context menu scanner, MBAM is acting more like an antivirus application, in that for the most part only regular definitions are used (most heuristics that work on real infections are not used from the context menu).

We might extend the context menu scanner at some point, but currently there are a few bigger projects in the works.

> How would heuristics (behavioral detection) help an integrated shell scan to detect an empty file or folder?
>
> Something in the full scan engine is tripped by name.

If that empty file or folder matched a heuristic detection, then the context menu scan would not detect it. As Bruce explained, certain things are detected by name simply because files with certain names in certain places can never be legit.

BTW: heuristics is not specifically behavioral detection; it is detection of unknown malware based on certain algorithms. These algorithms are whatever Bruce, Marcin, and the rest of the team come up with to make sure that malware cannot hide. Since certain files should never be in certain places, they have added simple heuristics to check for these oddities and remove them.
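The two posts above (the staff explanation of name-in-location detections such as %ROOTDRIVE%\lsass.exe, and the follow-up on why a content-only context menu scan cannot trip on an empty file) describe a distinction that is easy to see in code. The following is an added example, not Malwarebytes' code or definitions: a toy scanner with a location-aware "quick scan" and a content-only "context menu scan". The environment table, the rule list (the three staff examples plus the amvo.exe case from the first post), the constructed malicious sample and the detection labels are all assumptions made up for the illustration.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed environment for the example. A real scanner resolves these
# tokens against the machine being scanned, not a fixed table like this.
ENV = {
    "ROOTDRIVE": "C:\\",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "SYSDIR": r"C:\Windows\System32",
}

# Constructed name-in-location rules: (environment token, file name, label).
# These follow the staff post's examples plus amvo.exe from the first post;
# they are illustrative only and are not Malwarebytes' definitions.
LOCATION_RULES = [
    ("ROOTDRIVE", "lsass.exe",    "name-in-location: lsass.exe in %ROOTDRIVE%"),
    ("TEMP",      "winlogon.exe", "name-in-location: winlogon.exe in %TEMP%"),
    ("SYSDIR",    "iexplore.exe", "name-in-location: iexplore.exe in %SYSDIR%"),
    ("SYSDIR",    "amvo.exe",     "name-in-location: amvo.exe in %SYSDIR%"),
]

# Constructed content signature: a hash of hypothetical malicious bytes.
MALICIOUS_SAMPLE = b"MZ constructed-malicious-sample-bytes"
CONTENT_SIGNATURES = {
    hashlib.sha256(MALICIOUS_SAMPLE).hexdigest(): "content signature: constructed sample",
}


def _norm_dir(path) -> str:
    """Case-insensitive directory comparison key (Windows paths are case-insensitive)."""
    return str(PureWindowsPath(path)).lower().rstrip("\\")


def location_match(path: str, env: dict = ENV):
    """Flag a file purely on where it sits and what it is called; contents are ignored.
    This is why an empty amvo.exe in system32 is caught: the bytes never matter."""
    p = PureWindowsPath(path)
    for token, name, label in LOCATION_RULES:
        if p.name.lower() == name and _norm_dir(p.parent) == _norm_dir(env[token]):
            return label
    return None


def content_match(data: bytes):
    """Flag a file purely on its contents, the way a plain definition lookup does."""
    return CONTENT_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def quick_scan(path: str, data: bytes, env: dict = ENV):
    """Location-aware scan: name-in-location rules first, then content signatures."""
    return location_match(path, env) or content_match(data)


def context_menu_scan(path: str, data: bytes):
    """Content-only scan of a single file. The path is accepted but deliberately
    unused, matching the staff description that the context menu uses
    regular definitions and not the location heuristics."""
    return content_match(data)


if __name__ == "__main__":
    # Constructed cases: (path, contents). An empty file is b"".
    cases = [
        (r"C:\Windows\System32\amvo.exe", b""),            # the poster's empty decoy
        (r"C:\Windows\System32\lsass.exe", b""),           # legitimate location, no rule
        (r"C:\lsass.exe", b""),                            # wrong location, flagged by name
        (r"C:\Users\alice\Downloads\setup.exe", MALICIOUS_SAMPLE),  # content hit only
    ]
    for path, data in cases:
        print(f"{path}\n  quick scan:        {quick_scan(path, data)}"
              f"\n  context menu scan: {context_menu_scan(path, data)}")
```

Running it shows the asymmetry the thread is about: the empty system32\amvo.exe and C:\lsass.exe are flagged by the quick scan and missed by the context menu scan, the real C:\Windows\System32\lsass.exe is flagged by neither, and a file with known-bad contents is caught by both regardless of where it lives.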
