MBAM test
ako
August 28th, 2009, 04:35 PM
I tested MBAM with 10 malware samples. It stopped 5, and only with its "IP protection", while connecting to the infected sites; the other PDF exploits, trojans, and rogues went through.
IP protection
http://img269.imageshack.us/img269/8475/mb5d.jpg
pdf-exploit
http://img20.imageshack.us/img20/6876/mb2h.jpg
Rogue (French :)
http://img188.imageshack.us/img188/8094/mb3z.jpg
Rogue
http://img39.imageshack.us/img39/3900/mb4f.jpg
I scanned first with Prevx. It found 7 different infections, including a rootkit. Then I scanned and cleaned with MBAM, rebooted, and scanned again: clean.
Prevx still found two malware files, but no active infection was present anymore.
So: MBAM gives some real-time protection, but it is surprisingly low when compared to its good cleaning capabilities.
P.S. Notice in the figures that Prevx real-time protection is still not working in my VM (it shows green). Hopefully the reason is found soon.
jmonge
August 28th, 2009, 04:56 PM
cool test;)
Franklin
August 28th, 2009, 06:14 PM
Seven of the latest morphed installers for PC Antispyware 2010 scanned from MBAM's right click:
Franklin
August 28th, 2009, 06:40 PM
Newish rogue - SaveDefense:
-{ Quote: "File setup.exe received on 2009.08.28 22:23:22 (UTC)
Result: 5/41 (12.2%)" }-
MBAM hits this new rogue no problem, but the point I want to make is that any and all blacklist vendors want any samples they don't hit.
If you get your samples over to them, detections/cleanups will be included ASAP.
Zimzi
August 28th, 2009, 08:47 PM
-{ Quote: "That's what happens when you rely on a black-lister/behaviour-blocker. 5/10 is probably about right. " }-
It would be very interesting to test Threatfire with the same malware samples.
If ako would be so kind as to test TF for us or send them to me ... :argh:
StevieO
August 28th, 2009, 08:50 PM
SaveDefense
Looks nice, how much ?
Franklin
August 28th, 2009, 08:59 PM
-{ Quote: "SaveDefense
Looks nice, how much ?" }-
Have PM'd you the price StevieO. ;)
andyman35
August 28th, 2009, 09:49 PM
-{ Quote: "SaveDefense
Looks nice, how much ?" }-
If the guys creating the GUI for these rogues ever decided to go straight, they'd be in great demand from some legitimate vendors. :dry:
firzen771
August 28th, 2009, 10:43 PM
-{ Quote: "If the guys creating the GUI for these rogues ever decided to go straight, they'd be in great demand from some legitimate vendors. :dry:" }-
lol too true...
bellgamin
August 28th, 2009, 10:44 PM
-{ Quote: "SaveDefense
Looks nice, how much ?" }-
AFAIK SaveDefense is a well-recognized ROGUE. Google the name "savedefense" to see for yourself. I am puzzled as to why Franklin seems to be promoting a rogue software. Have I been misinformed?
Dregg Heda
August 28th, 2009, 11:12 PM
I thought MBAM was poor in detecting static files? Is this true?
thathagat
August 29th, 2009, 02:52 AM
-{ Quote: "It stopped 5 with and only with its "IP protection"" }-
But its IP protection does not seem to differentiate between the good and the bad; it blocks regardless. Maybe it's a new feature, so it'll improve.
-{ Quote: "So: MBAM gives some real-time protection, but it is surprisingly low when compared to its good cleaning capabilities." }-
Well... that's not the first time I've heard that.
P.S.
Ako ! thanks for testing
progress
August 29th, 2009, 03:28 AM
-{ Quote: "So: MBAM gives some real-time protection, but it is surprisingly low when compared to its good cleaning capabilities." }-
PCMag some months ago: However, the real-time protection in the $24.95 Pro edition just doesn't do the job. If I were rating the Pro edition, which promises both cleaning and protection, I'd probably give it 2.5 stars. Go ahead and add the free scanner to your security arsenal :)
Franklin
August 29th, 2009, 03:47 AM
-{ Quote: "I thought MBAM was poor in detecting static files? Is this true?" }-
If you take into account the number of installers floating around for just one rogue, you will see that it's quite a job for all blacklist vendors to keep up with them.
Even though the installer might not be hit straight up, the install itself should be hit if the install path stays the same.
Below are some of my sample installers for the rogue "Personal Antivirus", and trust me, there are way, way more out there, with new morphs being released every coupla days.
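The point made above, that a hash blacklist keyed on each installer lags behind the morphs while the install footprint stays put, as an added Python illustration. This is example code written for this page, not code from the post, from MBAM or from any vendor; the installer bytes, the environment mapping and the "Rogue AV 2010" install paths are constructed for the example and do not describe a real sample.

```python
import fnmatch
import hashlib
import ntpath
import re

# Constructed stand-in for one rogue family's installer body. Not real malware.
PAYLOAD = b"fake rogue installer body, constructed for this example"


def morph(seed: int) -> bytes:
    """Emulate a repacked installer: same behaviour, different bytes, new hash."""
    return PAYLOAD + hashlib.sha256(seed.to_bytes(4, "big")).digest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash blacklist built from the first three morphs a vendor happened to receive.
KNOWN_HASHES = {sha256_hex(morph(i)) for i in range(3)}


def hash_detects(installer: bytes) -> bool:
    """Per-installer blacklisting: only the exact bytes already seen are hit."""
    return sha256_hex(installer) in KNOWN_HASHES


# Hypothetical environment used to expand %VAR% in paths (assumption).
ENV = {
    "APPDATA": r"C:\Users\bob\AppData\Roaming",
    "PROGRAMFILES": r"C:\Program Files",
}


def normalise_path(path: str) -> str:
    """Expand %VAR%, collapse '..' and forward slashes, and lower-case, so that
    differently written forms of the same Windows path compare equal."""
    def expand(m: re.Match) -> str:
        return ENV.get(m.group(1).upper(), m.group(0))
    path = re.sub(r"%([^%]+)%", expand, path)
    return ntpath.normpath(path).lower()


# Install-footprint indicators: where this (hypothetical) family drops its files.
# Written as globs so a per-user directory matches regardless of the user name.
INSTALL_PATTERNS = [
    normalise_path(r"%PROGRAMFILES%\Rogue AV 2010\*.exe"),
    normalise_path(r"C:\Users\*\AppData\Roaming\Rogue AV 2010\*.exe"),
]


def path_detects(dropped_path: str) -> bool:
    """Footprint detection: hit anything installed to the family's known paths."""
    p = normalise_path(dropped_path)
    return any(fnmatch.fnmatchcase(p, pat) for pat in INSTALL_PATTERNS)


def coverage(seeds) -> tuple:
    """Return (hash_hits, path_hits, total) over a run of morphed installers.
    Every morph installs to the same location; only the installer bytes change.
    Odd seeds write to Program Files in upper case, even seeds to %APPDATA% via
    a '..' detour, to show the normalisation doing its job."""
    hash_hits = path_hits = 0
    for s in seeds:
        installer = morph(s)
        if s % 2:
            dropped = r"C:\PROGRAM FILES\Rogue AV 2010\rogue.exe"
        else:
            dropped = r"%APPDATA%\Rogue AV 2010\..\Rogue AV 2010\RogueAV.EXE"
        hash_hits += hash_detects(installer)
        path_hits += path_detects(dropped)
    return hash_hits, path_hits, len(seeds)


if __name__ == "__main__":
    print(coverage(range(7)))  # (3, 7, 7): 3 of 7 by hash, 7 of 7 by install path
```

The hash list has to grow by one entry per morph and is always behind; the two path globs keep hitting the family as long as the dropper keeps its install location, which is why a vendor still wants the samples it misses (to learn the footprint) even when individual installers slip past.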
Franklin
August 29th, 2009, 04:06 AM
-{ Quote: "AFAIK SaveDefense is a well-recognized ROGUE. Google the name "savedefense" to see for yourself. I am puzzled as to why Franklin seems to be promoting a rogue software. Have I been misinformed?" }-
bellgamin, I like these rogue apps as much as I like our politicians.
Here's another newish rogue for ya.
-{ Quote: "File setup.exe received on 2009.08.29 07:48:41 (UTC)
Result: 4/41 (9.76%)" }-
stackz
August 29th, 2009, 04:44 AM
That BlockDefense looks very familiar ::) If only I could think where I've seen it. ;)
Franklin
August 29th, 2009, 04:54 AM
-{ Quote: "That BlockDefense looks very familiar ::) If only I could think where I've seen it. ;)" }-
Ya seen one ya seen em all. Well almost. ;D
Franklin
August 29th, 2009, 04:56 AM
TrustNinja :wacko:
Franklin
August 29th, 2009, 05:04 AM
SaveSoldier :blink: and there's more but I'll stop here as I don't want to bore you all to death.
LagerX
August 29th, 2009, 05:06 AM
-{ Quote: "Ya seen one ya seen em all. Well almost. ;D" }-
http://blog.trendmicro.com/investigations-on-a-cybercrime-hub-in-estonia/
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/a_cybercrime_hub.pdf
Interesting read :thumb: :-\
ako
August 29th, 2009, 05:42 AM
-{ Quote: "It would be very interesting to test Threatfire with the same malware samples.
If ako would be so kind to test TF for us or send them to me ... :argh:" }-
Hi!
I don't personally find TF too interesting.
I never use local samples. I download them during testing or just visit an exploit site. This way I try to make sure they are real 0-day threats. After testing I usually delete that copy of the VM.
Anyway, such a test should give similar (good) results to Matt's at remove-malware. See http://www.youtube.com/user/mrizos
ako
August 29th, 2009, 05:43 AM
-{ Quote: "
P.S.
Ako ! thanks for testing" }-
You are welcome! ;)
TonyW
August 29th, 2009, 07:46 AM
-{ Quote: "MBAM hits this new rogue no probs but the point I want to make is that any and all blacklist vendors want any samples they don't hit." }-
In theory, that's how it should be, but unfortunately, in some instances when you send a sample, the analysts reply to say there's no malicious code in the file so it doesn't get added. I've had this with Kaspersky Lab a few times when submitting rogues although, to be fair to KL, they are adding detection for fraudulent programs as not-a-virus:FraudTool, so I don't know why they don't add the submissions to that category also.
This is the issue that has come across in various threads when discussing the detection of rogues in general. Some anti-malware vendors are better than others at this game; others are taking longer to add them as it requires more analysis, especially if the file is said to be "clean".
bellgamin
August 29th, 2009, 07:02 PM
-{ Quote: "bellgamin, I like these rogue apps as much as I like our politicians." }-
Good grief! They are all soooo pretty. Ergo, they must be good AVs, right? Umm.. wrong. 8)
BTW, my attitude toward politicians is much the same as a fire hydrant's attitude toward dogs.
BrendanK.
August 29th, 2009, 07:06 PM
-{ Quote: "SaveSoldier :blink: and there's more but I'll stop here as I don't want to bore you all to death." }-
Funny you put that up. I just came across another variant of that Rogue a few days ago. 0/41 on VT, and still today only 1/41 :)
Copyright ©2002 - 2012, Wilders Security Forums