Jump to content

MBAM hoax?

pablozi
 Share

Recommended Posts

pablozi

pablozi

Posted
Posted

Hello everyone.

I've just readed very interesting thing on Anti-malware.ru forums.

It looks like MBAM is using file name and it's location to determine if it is malware or not.

For example:

tpfsM.png

I have created fake, empty svchost.exe file and placed it on C: drive.

And below result of the scan:

GL2nr.png

The same file placed on desktop or D: drive, scanned using the same malware database is CLEAN!!!

So I am asking - is MBAM fooling us?

Link to post
Share on other sites
pablozi

pablozi

Posted
  • Author
Posted

I wouldn't say fooling. There shouldn't be a svchost.exe in the root of your drive.

One of our developers may comment further..

There shouldn't be a svchost.exe file on my desktop too, but when placed fake file on desktop, MBAM says it is clean.

Quite strange isn't it?

Link to post
Share on other sites
  • Staff
shadowwar

shadowwar

Posted
  • Staff
Posted

Mbam uses a bunch of detection methods. This is part of our heuristics. There should not be a name svchost in that location so its detected that way. This allows detecting stuff that we may not have a file signature on. Malware loves to name files svchost.

Long and short we are not an AV and dont detect solely based on file signatures.

Link to post
Share on other sites
dallas7

dallas7

Posted
Posted
So I am asking - is MBAM fooling us?

No. They just fooled... you. :lol:

And if you opened that "empty file" with a hex editor, guess what? It's not empty. You yourself call it fake and you're faulting MBAM for flagging it? If you don't like that it's categorized as a tojan-agent then suggest a better type.

I'd come up with something a bit more descriptive myself (and unfit for polite company) if I spotted a svchost.exe file in the root of C: as would screen317 I'm sure!

MBAM worked just fine in this instance. I think... I could stand to be corrected.

Cheers.

Link to post
Share on other sites
  • Staff
nosirrah

nosirrah

Posted
  • Staff
Posted

We employ a wide range of strategies and tend to use the hammer that fits the job. Sometimes it is a per download polymorphic infection that is always randomly named, sometimes it is as simple as svchost.exe in a foolish location.

We do what needs to be done to keep you safe.

Link to post
Share on other sites
  • Staff
nosirrah

nosirrah

Posted
  • Staff
Posted
And why original svchost.exe, digitally signed by MS, placed in C:\Windows is also flagged as "Trojan.Agent"

Why would a digitally signed copy of svchost.exe be placed in C:\Windows?

http://www.google.com/search?q=%22C%3A\windows\svchost.exe%22&hl=en&num=100&lr=&ft=i&cr=&safe=off&tbs=

There is no reason NOT to detect %WINDIR%\svchost.exe.

Link to post
Share on other sites
ThreeGuser

ThreeGuser

Posted
Posted

Although I have once in the past assumed this, I was a bit shocked when I saw this earlier today.

I am not shocked about the detection of svchost.exe file (no matter the file) in different location rather than the one it should be, but I am shocked about the whitelisting by filename only. Wilderssecurity has even deeper thread re. this. Whitelisting this way should be avoided, it is quite unprofessional, IMO. It is dangerous and might be expoited by malicious code authors who have read these topics.

Link to post
Share on other sites
  • Staff
nosirrah

nosirrah

Posted
  • Staff
Posted

Although I have once in the past assumed this, I was a bit shocked when I saw this earlier today.

I am not shocked about the detection of svchost.exe file (no matter the file) in different location rather than the one it should be, but I am shocked about the whitelisting by filename only. Wilderssecurity has even deeper thread re. this. Whitelisting this way should be avoided, it is quite unprofessional, IMO. It is dangerous and might be expoited by malicious code authors who have read these topics.

Malwarebytes is a small fish when compared to the total security industry so any attempt to exploit this would not have any tangible gains for them. Malcoders concentrate on bypassing as many security applications as possible and as a result things like new custom packer technology is what we actually see.

That being said this is an older technique that is being phased out.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept