We know that mbam is not an antirivus - but WHY?

First, I know the official stance that mbam is not considered an AntiVirus and you should always have a standard antivirus program running alongside mbam.

However, why is this the case?

Here are my findings over the years:

#1
Most antivirus programs slow the computer down.

#2
There are some viruses that will get through pretty much any antivirus, free or paid, no matter what antivirus you have installed.

#3
There are a LOT of viruses that will get through an antivirus undetected, but mbam will easily catch them.

#4
I have seen viruses that get past both the antivirus and get past mbam, but I have NEVER EVER seen a virus that is caught by an antivirus program but is NOT able to be caught by mbam.


In other words, I have never seen a case where a regular antivirus provides protection that mbam was unable to provide.

Mbam doesn't catch everything, but anything that can get past mbam will likely also get past your regular antivirus as well.

So, why use an antivirus program?  Other than slowing the computer down more, what will the antivirus program actually accomplish?


Hello and welcome:

For starters, anti-malware and anti-virus applications target different types of threats, with different databases, and offer different types of protection technology, as well as different features.

For example, MBAM targets ONLY certain types of zero-hour and zero-day threats that are often missed by the anti-virus.

The anti-virus typically uses a much larger signature database against a range of file types that MBAM does not target.

And anti-exploit software, such as MBAE, provides another layer of protection to supplement both of them.


Here are some links to comprehensive and authoritative resources about personal computer security, including explanations about the complementary role of the anti-virus and the anti-malware applications:

Specifically:
http://www.bleepingcomputer.com/forums/t/587149/i-use-kasperskymalware-bytesanything-else-i-should-do-to-stay-safe/#entry3795700


And these, many of which contain links to additional information and resources:

Answers to common security questions - Best Practices

The complexity of finding, preventing, and cleanup from malware
So how did I get infected in the first place?
How did I get infected?
List of well known antivirus products
Six tips to help you stay safer online


I'm sure our forum staff and experts will have additional explanations and information for you about this.

Thank you,

jadejagwire:

Your post has all the trappings of the "virus" misconception.

All viruses are malware, but not all malware are viruses. The fact is, in today's environment viruses play a small role in the vast malicious activity arena. The vast majority of malware seen today are trojans. The major difference between viruses and trojans is the ability to autonomously spread. That means a virus can infect other files that can in turn infect other files. A virus can infect a computer and that computer can infect another computer, or an infected computer can use a third-party carrier, such as a Flash drive, and infect another computer.

MBAM is not an anti virus application and does not replace an anti virus application. MBAM is an adjunct, complementary, anti malware application.

In its role as an adjunct, complementary, anti malware application it has limitations in the aspects where the anti virus application performs its role.

MBAM does not target script files. That means MBAM will not target: JS, PY, HTML, VBS, VBE, CLASS, SWF, SQL, BAT, CMD, PDF, PHP, etc.
It also does not target document files such as: PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, etc.
It also does not target media files: MP3, WMV, JPG, GIF, etc.

Until MBAM v1.75, MBAM could not access files in archives, but with v1.75 came that ability, so it can unarchive a Java Jar (which is a PKZip file) but it won't target the .CLASS files within. Same goes with CHM files (which is a PKZip file), but it doesn't target the HTML files within. MBAM v1.75 specifically will deal with ZIP, RAR, 7z, CAB and MSI for archives, and with self-extracting ZIP, 7z, RAR and NSIS executables (aka SFX files).

MBAM specifically targets binaries that start with the first two characters being 'MZ'.
They can be EXE, CPL, SYS, DLL, SCR and OCX. Any of these file types can be renamed to be anything, such as TXT, JPG, CMD and BAT, and they will still be targeted just as long as the binary starts with 'MZ'.

MBAM targets mainly non-viral malware. The exceptions being a virus dropper (a malware file that drops a virus and starts a virus infection but is not infected with the virus) and worms (such as Internet worms and AutoRun worms).

MBAM is incapable of removing malicious code that has been prepended, appended or cavity injected into a legitimate file. That means if a file infecting virus infects a legitimate file, MBAM will be unable to remove the malicious code. An anti virus application should be able to remove malicious code from an infected file and hopefully bring it back to its pre-infected state, which may or may not return the file to its original, non-infected, checksum value.

A file infecting virus will prepend, append or cavity inject malicious code into a legitimate file. Once infected, that infected file can further the infection by infecting other legitimate files.

On the other hand, there are trojans that will prepend, append or cavity inject malicious code into a legitimate file. However, that file can not infect other files. The infection stops with that targeted file. These files are deemed to be either "trojanized" or "patched". Since MBAM can not remove the added malicious code, at best MBAM will try to replace the trojanized file with a legitimate, unaltered file.

Where a traditional anti virus application is weak, MBAM is strong. Today's malware is much more complex than 10 years ago. When we saw the Melissa virus (I-Worm via SMTP), Lovsan/Blaster worm (I-Worm via RPC/RPCSS @ TCP port 135), etc., they were distributed for the effect, damage and bragging rights. Today's malware is more sophisticated in that it is "all about the money". Malicious actors use malware to profit from, either by stealing, distribution affiliation revenue, data exfiltration, personal identification impersonation, etc. To effect that, the malicious actors don't want the victim to know that their system was compromised, or they are so blatant about it by generating advertisements. Yesterday's malware was simple and less obtrusive. Today's malware is very intrusive and makes numerous modifications to the Operating System. Those numerous modifications to the Operating System are where the traditional anti virus application does poorly and where MBAM specializes.

MBAM is not a historical anti malware solution. That means it will not target old malware. Its intent is to target 0-Day malware: malware that is infecting computers today, malware found in-the-wild today. That means that something like the BugBear, which infected years ago, will not be targeted by MBAM. Malwarebytes will actually cull their signature database of malware that is no longer seen in-the-wild today. It is why Malwarebytes requests that samples submitted for detection consideration be no older than 3 months old.
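The post above makes two practical points that are easy to check for yourself: a Windows executable is recognisable by its leading 'MZ' bytes whatever its name says, and a PKZip container such as a Java Jar can be opened while the .CLASS members inside are a separate question. The script below is an added example written for this thread, not Malwarebytes code and not a description of how MBAM's engine works; it classifies buffers by leading bytes, flags a PE image hiding behind a non-executable name, and lists what is inside a constructed Jar. All sample buffers are constructed inline (a few header bytes plus padding), and the magic-byte table is my own small assumption of common signatures.

```python
import io
import zipfile

# Leading byte signatures (constructed table for this example).  Every Windows
# PE image (EXE, DLL, SYS, SCR, OCX, CPL) begins with the DOS header "MZ";
# PK\x03\x04 is the PKZip local-file header shared by ZIP and JAR files.
MAGIC = {
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
    b"\xca\xfe\xba\xbe": "java-class",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF": "pdf",
}

PE_EXTENSIONS = {"exe", "dll", "sys", "scr", "ocx", "cpl"}


def classify(data: bytes) -> str:
    """Label a buffer by its leading bytes; the file name plays no part."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def extension_of(name: str) -> str:
    """Lower-cased extension, or '' when there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(name: str, data: bytes) -> dict:
    """Content type plus a flag for a PE image carrying a non-PE file name."""
    kind = classify(data)
    ext = extension_of(name)
    return {
        "name": name,
        "content": kind,
        "disguised_pe": kind == "pe" and ext not in PE_EXTENSIONS,
    }


def zip_members(data: bytes) -> list:
    """For a PKZip container, return (member name, content type) pairs, so the
    caller can see what a check on the outer file alone does not cover."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(info.filename, classify(zf.read(info.filename)))
                for info in zf.infolist()]


def build_samples() -> dict:
    """Constructed buffers: not real files, just enough bytes to carry the
    magic values the checks above look at."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60          # DOS header stub only
    real_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # JFIF-style start
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Hello.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)
    return {
        "photo.jpg": fake_pe,      # PE bytes behind a picture's name
        "holiday.jpg": real_jpeg,  # a genuine JPEG header
        "notes.txt": fake_pe,      # PE bytes behind a text file's name
        "app.jar": buf.getvalue(), # PKZip container with a .class inside
    }


if __name__ == "__main__":
    samples = build_samples()
    for name, data in samples.items():
        print(triage(name, data))
    print(zip_members(samples["app.jar"]))
```

Running it shows `photo.jpg` and `notes.txt` reported as `pe` with `disguised_pe` set, `holiday.jpg` as a plain `jpeg`, and `app.jar` as `zip` on the outside with a `java-class` member listed only once the container is opened, which is the distinction the post draws between unarchiving a Jar and targeting what is in it.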

David, thank you for the detailed information on the various flavors of Internet nasties.

In terms of your definition, would you then classify Windows Defender (not MSE) as both an Anti Virus and an Anti Malware product?

Windows Defender uses two separate databases - a Virus Definition Database and a Spyware Definition Database. I never could quite understand why this was the case. However, having read your post carefully, it does seem to clarify why MS have separate databases.

T.

You answered your own question.

And it depends on the OS platform, does it not?

In Windows Vista and 7, "Defender" is just a (weak) anti-malware application. On those platforms, it is NOT an anti-virus.

In Windows 8/10, Windows Defender is both an anti-virus and an anti-malware application, as it is essentially "MSE" (Microsoft Security Essentials) with a different and confusing name.

Cheers,

Don't forget the Malware Removal Tool (MRT) that runs every month.

They all use the same Engine that was derived from the Microsoft purchase of GeCAD RAV, which subsequently became Microsoft Live Anti Virus.

There are three parts to every anti malware software. They are the Kernel/GUI, Engine and Signatures. Sometimes the Kernel/GUI and the Engine are combined, such as with a Command Line Scanner. However, what malware is detected and removed will be dependent upon the Engine and Signatures. Microsoft has fragmented Microsoft Live Anti Virus into what is now Security Essentials, Windows Defender and the Malware Removal Tool.
