Post #1 | Sep 15 2008, 03:11 PM | Regular Member (Group: Honorary Members, Posts: 97, Joined: 19-July 08, From: Devon, England, Member No.: 2,931)
QUOTE (Firestorm70 @ 14.09.2008 13:20): I use a free program called MALWAREBYTES; it's just a scanner and offers no real-time protection, but it can still remove malicious programs that KIS might have missed. There's nothing wrong with having something that gives a second opinion, even if I believe KIS doesn't usually miss much.

Be careful, however, with what you let this program remove/quarantine! It has the following detection methods:

1. registry keys (very often empty ones that were not deleted by your resident protection)
2. MD5 checksums of a not so big malware-base
3. Files by name - yes, you heard that correctly; MalwareBytes also detects files by name.

For example, when I was playing with it, I planted a dummy txt file into System32 with the name amvo0.dll. It was immediately detected as

CODE: C:\WINDOWS\system32\amvo0.dll (Trojan.Agent) -> Quarantined and deleted successfully.

This, of course, is unacceptable for a program that wants to belong in a certain class! KIS/KAV and other security programs of that caliber, able to distinguish between false and genuine threats, will most likely leave this file intact because it presents no real threat. However, in your opinion, MalwareBytes may look cooler and better because it found the dummy file and 'protected' you from a really nasty threat; an empty text file... At the same time, detection by name alone may ruin your system as well!

p2u

Post #2 | Sep 15 2008, 04:28 PM | Forum Deity (Group: Administrators, Posts: 6,240, Joined: 30-December 06, From: Northampton, MA USA, Member No.: 884)
A few points here. First and foremost, MBAM is NOT antivirus software and is not restricted to antivirus techniques. These techniques are the reason antivirus software is not enough to protect your system.

MBAM detects malware through the following means:

- MD5
- unique strings
- semi-polymorphic strings
- unique GUID
- linked dlls (and other executable components) (these are bi-directional)
- unique load point to file (these are bi-directional)
- IPH (unique heuristics we created and, without giving anything away, bypasses all current polymorphic blackhat packers and encryption and is also immune to randomized file names)
- Unique file names combined with FP killing routines (we do not just do file name)

There are many more but I don't want to give too much away. By combining cutting edge tech (like IPH) with old school tech and then everything in between, we have been able to detect far more malware than some vendors who have been in the game more than 10 times longer than us. Vundo uses random file names but we detect it at over 95% in real world infections. Stats like this are the real reason some people are getting upset.
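A toy illustration, added here and not code from Malwarebytes or from anyone in this thread, of the difference between the "files by name" detection p2u tested in post #1 and a name rule gated by a content check plus an MD5 rule, as described above. The rule tables, the MZ-header check and the sample payload bytes are all constructed for this example.

```python
import hashlib

# Constructed toy rule tables for this example, not Malwarebytes' database.
NAME_RULES = {"amvo0.dll": "Trojan.Agent"}

# Constructed stand-in for a malicious DLL: an MZ header plus filler bytes.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"A" * 100
MD5_RULES = {hashlib.md5(SAMPLE_PAYLOAD).hexdigest(): "Trojan.Agent"}


def looks_executable(data: bytes) -> bool:
    """Crude content check standing in for an 'FP killing routine':
    a DLL payload must at least carry an MZ header; an empty text file cannot."""
    return len(data) >= 64 and data[:2] == b"MZ"


def scan_name_only(filename: str, data: bytes):
    """Detection by file name alone, the behaviour p2u observed with amvo0.dll.
    The content is ignored entirely. Returns the family name or None."""
    return NAME_RULES.get(filename.lower())


def scan_layered(filename: str, data: bytes):
    """Two layers: an MD5 rule that ignores the name, then a name rule that
    only fires when the content plausibly is an executable."""
    digest = hashlib.md5(data).hexdigest()
    if digest in MD5_RULES:
        return MD5_RULES[digest]
    family = NAME_RULES.get(filename.lower())
    if family is not None and looks_executable(data):
        return family
    return None


if __name__ == "__main__":
    # Constructed cases: the dummy text file from the thread, the payload under
    # its usual name, and the same payload under a randomised name.
    cases = [
        ("dummy text file named amvo0.dll", "amvo0.dll", b"just a test"),
        ("payload under its usual name", "amvo0.dll", SAMPLE_PAYLOAD),
        ("same payload, randomised name", "xk3q9z.dll", SAMPLE_PAYLOAD),
    ]
    for label, name, data in cases:
        print(f"{label}: name-only={scan_name_only(name, data)}, "
              f"layered={scan_layered(name, data)}")
```

The name-only scanner quarantines the harmless text file and misses the renamed payload; the layered scanner does the reverse on both counts.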

Post #3 | Sep 15 2008, 04:39 PM | Forum Deity (Group: Administrators, Posts: 6,240, Joined: 30-December 06, From: Northampton, MA USA, Member No.: 884)
Here are two more reasons some people are getting upset. Here is what happens when you type "malware" into google, both google recommended searches and search results.

Attached File(s)

Post #4 | Sep 15 2008, 04:55 PM | Marcin (Group: Root Admin, Posts: 4,212, Joined: 15-October 05, Member No.: 1)
QUOTE: This, of course, is unacceptable for a program that wants to belong in a certain class!

I know Ewido used to do this, guess what they are now, AVG. Just because we detect certain files by name does not mean we suck. In fact, it means quite the opposite. We hit malware on multiple levels, you only listed three. What about the other fifteen or twenty?

Post #5 | Sep 19 2008, 02:34 PM | Regular Member (Group: Honorary Members, Posts: 97, Joined: 19-July 08, From: Devon, England, Member No.: 2,931)
QUOTE: ...... you only listed three. What about the other fifteen or twenty?

I'm sure you recognise that I was the messenger, Rubber Ducky - it wasn't me who wrote same in the Kaspersky forums! The author, p2u is, I believe, involved in computer forensics fwiw.

Dave

Post #6 | Sep 19 2008, 04:15 PM | Malwarebytes (Group: Experts, Posts: 2,371, Joined: 16-July 06, From: United States, Member No.: 281)
Hi BD,

Should computer forensics impress most of the developers here or something? It's one thing to know how to run software; it's another to actually code the stuff. Don't get me wrong, the guy probably has extensive knowledge in various areas. But I don't agree with the statement that filename detection is necessarily a bad thing. It's part of a multi-layered approach to malware detection.

Post #7 | Sep 19 2008, 10:19 PM | Marcin (Group: Root Admin, Posts: 4,212, Joined: 15-October 05, Member No.: 1)
Dave,

Thanks for clarifying that. Where was that posted?

Post #8 | Sep 19 2008, 11:32 PM | Regular Member (Group: Honorary Members, Posts: 97, Joined: 19-July 08, From: Devon, England, Member No.: 2,931)
QUOTE: Dave, Thanks for clarifying that. Where was that posted?

Hi Marcin

Your friend Bruce asked me that by PM! It is here: http://forum.kaspersky.com/index.php?showtopic=84469 Review #13, #15 and #16 in particular.

HTH

Dave

Post #9 | Sep 20 2008, 01:18 AM | Forum Deity (Group: Honorary Members, Posts: 3,960, Joined: 9-February 07, From: South Central Montana, Member No.: 1,030)
Malwarebytes is also an official ASAP member. Obviously this guy has a hard-on for MBAM. Probably cleaned up some of his malicious code. The screen shots he is linking to are from March. Someone needs to slap some sense into him.

Post #10 | Sep 20 2008, 08:00 AM | Regular Member (Group: Honorary Members, Posts: 97, Joined: 19-July 08, From: Devon, England, Member No.: 2,931)
QUOTE: Hi BD, Should computer forensics impress most of the developers here or something?

I thought it might! p2u once came to Jenn's BB (at my invitation). Maybe I should have mentioned that although he is Dutch, he can speak fluid Russian. He is also a classical pianist! In other words ....... I think he is quite clever and should not be rubbished!

On the subject (kinda!) I recently went here http://validator.w3.org/#validate_by_uri and typed in Jenn's web site address http://www.pqlr.com If you were to do the same I'd be interested in any comment you may have thereafter. Please PM or email me if you'd prefer.

Have a great weekend!

Dave

Post #11 | Sep 20 2008, 10:47 AM | Forum Deity (Group: Moderators, Posts: 4,555, Joined: 31-December 07, From: Fortville, IN, Member No.: 1,983)
QUOTE (~BD~): p2u once came to Jenn's BB (at my invitation). Maybe I should have mentioned that although he is Dutch, he can speak fluid Russian. He is also a classical pianist! In other words ....... I think he is quite clever and should not be rubbished!

He's Dutch, speaks Russian, and plays piano? And that's supposed to impress me? How does classical music make one an expert in how a security application should work? How does it qualify someone to advise in technical matters related to computers and software? Does speaking Russian make him a Microsoft MVP?

QUOTE (~BD~): On the subject (kinda!) I recently went here http://validator.w3.org/#validate_by_uri and typed in Jenn's web site address http://www.pqlr.com If you were to do the same I'd be interested in any comment you may have thereafter. Please PM or email me if you'd prefer.

pqlr.com is a parked domain. If you are concerned about the content, then contact the company that parked it.

Post #12 | Sep 20 2008, 01:27 PM | Malwarebytes (Group: Experts, Posts: 2,371, Joined: 16-July 06, From: United States, Member No.: 281)
QUOTE: I thought it might! p2u once came to Jenn's BB (at my invitation). Maybe I should have mentioned that although he is Dutch, he can speak fluid Russian. He is also a classical pianist! In other words ....... I think he is quite clever and should not be rubbished! On the subject (kinda!) I recently went here http://validator.w3.org/#validate_by_uri and typed in Jenn's web site address http://www.pqlr.com If you were to do the same I'd be interested in any comment you may have thereafter. Please PM or email me if you'd prefer. Have a great weekend! Dave

Hi Dave. I wasn't trying to blow off the talented Russian. You do realize, however, that he dissected a really old version of mbam? v1.09, which didn't support many of the technologies we have now. I suspect if he were to do his testing against the recent version, he'd find it's a bit more complicated than he makes it out to be. Specifically, mbam isn't an antivirus scanner, and so doesn't play by those rules. This allows us to catch many things by heuristics that others miss. And you don't have to take my word for this, a google search will show you. Comparing antivirus scanning technology to mbam is like comparing a motor and an engine; one's electric and the other isn't. No fair comparison can be established. Each performs well in its own environment. I have nothing to say regarding the site; as I've told you many times, I really don't have time to explore sites unless said site might contain malicious scripts and/or trojan downloads.

Have a good weekend Dave!

Post #13 | Sep 22 2008, 06:39 PM | Advanced Member (Group: Honorary Members, Posts: 119, Joined: 4-August 08, Member No.: 3,132)
QUOTE: 3. Files by name - yes, you heard that correctly; MalwareBytes also detects files by name. For example when I was playing with it, I planted a dummy txt file into System32 with the name amvo0.dll. It was immediately detected as CODE: C:\WINDOWS\system32\amvo0.dll (Trojan.Agent) -> Quarantined and deleted successfully. This, of course, is unacceptable for a program that wants to belong in a certain class!

I also read about this behaviour in the avira forum.

Post #14 | Sep 23 2008, 04:45 AM | Forum Deity (Group: Administrators, Posts: 6,240, Joined: 30-December 06, From: Northampton, MA USA, Member No.: 884)
QUOTE: I also read about this behaviour in the avira forum

If anyone is part of any of these threads I would be interested to get a reaction to the following question: "vundo is randomly named and polymorphic yet MBAM detects it far more often than most AVs, how are they doing this with just file names and MD5s?"

This is another good one: "why is MBAM the only application that seems to have a handle on antivirus xp 2008. it is randomly named and detected by next to no AVs on a regular basis, how are they doing this?"

It would also help us if it was made clear that we are not an AV.

Post #15 | Sep 23 2008, 01:42 PM | Elite Member (Group: Honorary Members, Posts: 1,050, Joined: 25-December 05, From: Ont. Canada, Member No.: 100)
QUOTE: If anyone is part of any of these threads I would be interested to get a reaction to the following question: "vundo is randomly named and polymorphic yet MBAM detects it far more often than most AVs, how are they doing this with just file names and MD5s?" This is another good one: "why is MBAM the only application that seems to have a handle on antivirus xp 2008. it is randomly named and detected by next to no AVs on a regular basis, how are they doing this?" It would also help us if it was made clear that we are not an AV.

Do you have a reference for those statements? I can't seem to find them.

Post #16 | Sep 23 2008, 03:03 PM | Marcin (Group: Root Admin, Posts: 4,212, Joined: 15-October 05, Member No.: 1)
QUOTE: Do you have a reference for those statements?

They were questions Bruce was asking.

Post #17 | Jan 9 2009, 01:59 PM | Advanced Member (Group: Honorary Members, Posts: 119, Joined: 4-August 08, Member No.: 3,132)

Post #18 | Jan 10 2009, 12:11 AM | Marcin (Group: Root Admin, Posts: 4,212, Joined: 15-October 05, Member No.: 1)
Posted back, guy is very misinformed.

Post #19 | Jan 10 2009, 04:31 PM | Elite Member (Group: Honorary Members, Posts: 1,050, Joined: 25-December 05, From: Ont. Canada, Member No.: 100)
QUOTE: Posted back, guy is very misinformed.

Reminds me of a Flame Warrior: http://redwing.hutman.net/~mreed/warriorshtm/lonelyguy.htm