Re: "Try MBAM..." (in Ewido/AVGAS thread)

Discussion in 'other anti-malware software' started by kbr, May 8, 2008.

Thread Status:
Not open for further replies.
  1. kbr

    kbr Registered Member

    Joined:
    Sep 5, 2005
    Posts:
    9
    Hi.

    "Try MBAM..."

    I just did - against my test collection of nasties (harvested and caged on a disk).

    Out of a possible 45 infected files, MBAM detected 1.
    (cf Win Defender(17), A2(20), AVGAS(6)...)

    (NOTE: I don't regard my tests as definitive, or anything more than a rough and general indicator of a program's effectiveness as a malware detector.)

    On a scan of my PC, MBAM flagged up 10 alerts, including the prefetch files for Avast, uTorrent, A-Squared, CCleaner and MediaPlayerClassic.

    Hmm...

    kbr
     
  2. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
  3. kbr

    kbr Registered Member

    Joined:
    Sep 5, 2005
    Posts:
    9
    Hi.

    The samples have been gathered from various sources, including P2P sources (eg, keygens), and the quarantine chests of several anti-virus and anti-spyware programs.

    They range in nature from benign, but suspicious, to downright evil.

    They also include the spycar files (www.spycar.org) and a Trojan simulator (www.misec.net/trojansimulator).

    The age of the samples ranges from about 6 months to 12 days - collection date, that is; as to how old the included threats (or apparent threats) might be, I have no idea.

    Nor have I analysed the detections beyond total numbers of files detected (i.e., I have not spent any time comparing what was found by which, or the nature of the 'malware' involved...)

    As I said, I regard it as a very rough test, and am well aware that, for example, the one file detected by MBAM might well have been missed by all the others and, more importantly, be the only real serious security threat in the collection.

    Similarly, I recognise that if I were to 'harvest' a collection of threats from the quarantine vault of, say, "CleanUpYerPC", then that application would be likely to score highly in any comparative tests.

    My intention is to provide myself with some means of comparing products. The makers all tell me that theirs is the greatest, and a reliable, independent source of comparative data for a wide range of products is not available.

    An interesting score, for me, was that of Windows Defender, especially as none of my test pieces originated from Defender's quarantine folder.

    Regards,
    kbr
     
  4. modano

    modano Registered Member

    Joined:
    Sep 19, 2005
    Posts:
    32
    Location:
    latvia
    MBAM is bad at detection :doubt:
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I would go nuts after reading such test results, not even an individual detection rate of 50%, and that is supposed to keep my system malware-free on a daily basis?
    Serious or not, old or not, does it really matter? Malware = malware.
    I hope the total detection of 1+17+20+6=44 infections left only 1 of 45 infected files alive, instead of 25. :rolleyes:
     
    Last edited: May 8, 2008
  6. kbr

    kbr Registered Member

    Joined:
    Sep 5, 2005
    Posts:
    9
    I wouldn't worry too much: most things thrown up by a lot of anti-malware are, in my opinion, harmless. (The majority of tracking cookies fall into this category.) It is so easy to become paranoid about this subject.

    Also, different programs detect different things in different ways; for example, my permanently running Avast 4.8 doesn't see the keylogger .exe in the collection, when scanning, but certainly jumps up and down if I activate it!

    As I said, I use these things as a "rule-of-thumb" test to help me decide, for example, that SAS is better than (and therefore a good replacement for) Adaware SE...
    And that A-Squared is the best free on-demand scanner that I've found, in terms of "sensitivity", but that the scanning results should be looked at carefully, because it's more likely to take out something important than, say, SAS.

    For permanent protection I use Avast and SAS, as much for their moderate approach as anything.

    I feel now that I shouldn't have referred to my test collection (and very simplistic use thereof), but merely have said that MBAM seemed not to offer me any more than SAS or Avast, both of which I am already familiar with.

    kbr
     
  7. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    MBAM has 7 ways it can detect malware and most of them require that an infection is real.

    There are many dlls we will fail to detect if they are not installed because, while the file may be very random in terms of file name, MD5, strings... it has a static GUID. Zlob is a good example: we have multiple levels of detection for this, but if you take one of the dlls from the programs folder and place it on the desktop we won't detect it, even though if it's where it should be we will hit it by at least 4 different detection types.

    If anyone wants to take a machine and infect it with current malware from exploits, codecs, cracks or whatever, then test MBAM, you will see a very different result.
     
  8. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    So do you trust using MBAM for real malware removal as much as you would with SAS? Thanks
     
  9. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    I can't answer that objectively because I make the defs for it.

    I can say that I put in between 8 and 14 hours a day creating them and update between 2 and 10 times a day.

    I will also say that I have no problem at all if someone wants to do a real world test. Scanning a folder of samples is not real world. Infect a system with malware that has existed for less than a week (more than 100 total MZ header files would be best). Duplicate the drive a few times with Acronis or Ghost and then install, update and scan with MBAM and whatever other tools you want, each on their own fresh infected image so each has equal threats to contend with. That will show you the truth.
     
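    An added example, not code from this thread, from Malwarebytes or from any other product named here, to go with kbr's raw counts in posts 1 and 3 and nosirrah's per-image method in post 9: once each scanner has been run against its own fresh copy of the same test image, this script takes each scanner's detection log and works out per-scanner counts, the plain sum of those counts, the union (how many distinct samples anyone caught), what every scanner missed, what only one scanner caught, and how many known-clean files each one flagged. The scanner names, sample file names, tab-separated log format and every verdict are constructed for the illustration; a real scanner's report would need its own parser.

```python
"""Tally what several on-demand scanners flagged on the same test set.

Added example for this thread: not code from the thread, from Malwarebytes,
or from any other product named here. Scanner names, sample file names, the
tab-separated log format and every verdict below are constructed.
"""
from collections import defaultdict

# Constructed: the files planted on the test image (nosirrah's method gives
# every scanner its own fresh copy of this image, so each sees the same set).
SAMPLES = [f"sample{i:02d}.exe" for i in range(1, 11)]

# Constructed: legitimate files present on the same image, used to count
# false positives (post 1 mentions prefetch files being flagged).
KNOWN_CLEAN = {"ccleaner.pf", "utorrent.pf"}

# Constructed detection logs, one flagged file per line:
# <scanner>\t<file>\t<verdict>. A real scanner's report needs its own parser.
SCAN_LOGS = """\
ScannerA\tsample01.exe\tTrojan.Agent
ScannerA\tsample02.exe\tAdware.Generic
ScannerA\tsample03.exe\tTrojan.Downloader
ScannerB\tsample01.exe\tWin32.Agent
ScannerB\tsample02.exe\tAdware.Generic
ScannerB\tsample04.exe\tSpyware.Keylogger
ScannerB\tsample05.exe\tRogue.Installer
ScannerC\tsample01.exe\tTrojan.Agent
ScannerC\tsample06.exe\tTrojan.Dropper
ScannerD\tsample02.exe\tAdware.Generic
ScannerD\tccleaner.pf\tHeuristic.Suspicious
"""


def parse_logs(text):
    """Return {scanner: {file: verdict}} from the tab-separated log lines."""
    hits = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        scanner, path, verdict = line.split("\t")
        hits[scanner][path] = verdict
    return dict(hits)


def per_file_matrix(hits, samples):
    """For each sample, which scanners flagged it and under what name.
    This is the 'which found what' comparison kbr says he skipped."""
    matrix = {f: {} for f in samples}
    for scanner, files in hits.items():
        for path, verdict in files.items():
            if path in matrix:
                matrix[path][scanner] = verdict
    return matrix


def summarize(hits, samples, known_clean):
    """Per-scanner counts, their plain sum, the union, and the gaps."""
    sample_set = set(samples)
    found = {s: set(files) & sample_set for s, files in hits.items()}
    union = set().union(*found.values())
    unique = {}
    for s, mine in found.items():
        others = set().union(*(o for t, o in found.items() if t != s))
        unique[s] = mine - others
    return {
        "per_scanner": {s: len(f) for s, f in found.items()},
        # Adding the per-scanner counts (1+17+20+6 in post 5) double-counts
        # samples that more than one scanner flagged; the union does not.
        "sum_of_counts": sum(len(f) for f in found.values()),
        "union_size": len(union),
        "missed_by_all": sample_set - union,
        "unique_to_scanner": unique,
        "false_positives": {s: len(set(files) & known_clean)
                            for s, files in hits.items()},
    }


if __name__ == "__main__":
    hits = parse_logs(SCAN_LOGS)
    report = summarize(hits, SAMPLES, KNOWN_CLEAN)
    for key, value in report.items():
        print(f"{key}: {value}")
    for path, who in per_file_matrix(hits, SAMPLES).items():
        print(path, who or "missed by every scanner")
```

    With the constructed logs the four per-scanner counts add up to 10, but only 6 distinct samples were caught by anyone and 4 were missed by all of them, which is the gap between summing counts and taking the union; the matrix also shows where scanners agree on a file but name it differently, and the false-positive column keeps a scanner that flags clean prefetch files from looking better than it is.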
  10. sbcc

    sbcc Guest


    New member, long time lurker. This thread made me decide to register and post at long last.

    nosirrah, thank you for all your hard work making a product that truly detects and removes pernicious infections. I clean up 150+ infected computers yearly. I found good reports on MBAM here and elsewhere, so I tried it. I have been using MBAM free since 1.10 and I am impressed. Your software meets my criteria for long-term installation on my customers' computers. It's nearly foolproof, the developers are accessible to anyone via web forums, it doesn't slow down the computer, has minimal false positives and it detects and removes currently circulating infections.

    I'm no fanboy. I choose what works. I look for best-in-class. MBAM free stays on my customers' computers. I haven't been using it long, but I like what I see well enough to purchase a paid version for my test/cleanup box. Should the protection in the paid version meet the above criteria, I will recommend it to my customers.

    Please try it with recent in the wild infections before you rip on it. MBAM free recently cleaned one of my customer's computers that was infected with multiple Smitfraud variants, Vundo, Zango, and a handful of other assorted Trojans running. The active parts of the junk were removed after a reboot. I was stunned, because in the past safe mode and manual registry editing would have been necessary.

    MBAM isn't hype. It's fast and efficient.

    Keep up the good work, nosirrah and Rubberducky. Thanks again. :thumb:
     
  11. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, sbcc

    I concur with your assessment of MBAM's free version, an excellent free scanner indeed.

    Please let us know your experiences with its paid version, because I like to have a second opinion. Sometimes, long wait and eager expectation do not produce a rosy garden. Its understudy status may have to remain as is for a longer while, before being eligible for a promotion. :D
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Classy answer.

    Your hard work will pay off, and already has for the user community.
     
  13. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    SBCC - Welcome to the forum. I'm using MBAM as my on demand AS, along with SAS real time. :)
     
  14. sbcc

    sbcc Guest

    Thanks for the welcomes.

    I'm going to wait until this issue is fixed before I get the full version:

    false positive in RegNow downloader

    Hopefully, it won't take too long. I'm looking forward to testing it.
     
  15. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    Go ahead and purchase it but skip the Regnow download if you are concerned about the download mgr and the FP. You can then download it direct from MajorGeeks and register it under the Protection tab.

    http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

    If you click "The Authors Site" link then you'll get the Regnow download mgr, but all other mirrors host the latest MBAM setup file.
     
  16. Action man

    Action man Registered Member

    Joined:
    May 13, 2008
    Posts:
    3
    I have to agree with MBam working. Until today I haven't ever been disappointed with Eset. My wife somehow grabbed this new Vundo rip-off and Eset missed it. It wouldn't even detect it on a full scan with unwanted/unsafe option detected. I tried this MBam and it cleaned it all out. I had several cases of Vundo, Malware.Trace, Trojan.Agent, and a few others that all came from the same package. MBam had the definitions for them since January 08.

    I'm very disappointed that Eset isn't doing anything for these types of threats and that you all took down your 'hijack this' threads for spyware help. It probably won't catch all these exotic spyware threats but it did get the really big nasties that are popularly a problem.
     
  17. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    FWIW, a friend of mine became infected with some malware.

    I suggested he tried SAS, MBAM, A-Squared. Only MBAM found anything and it cleaned up his PC nicely. No problems since.

    The malware was
    Rogue.EvidenceEliminator
     
  18. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Ya, so true.

    I am testing EE, and MBAM's on demand scanner found 150 infection entries.

    So sophisticated, eh? SAS, SpySweeper, A-squared are asleep?

    I moved all infections into the ignore list. The joke of the day!

    Mind you, MBAM's sibling, rogue remover, also singles out EE as such. Not a surprise at all. Luckily I am using the mirrored copy of MBAM.
     
  19. sbcc

    sbcc Guest

    Why would you even try Evidence Eliminator? That product has a terrible history. They have engaged in spam, false positives, browser hijacking and more in the past.
    See: The Evidence Eliminator Documents
    And: ee-sucks
    for some past history regarding EE.
    MBAM should detect it, why don't the others?
     
  20. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    To answer your questions:

    Why do I ever try it?
    How do I know its value w/o even touching it? Rumor mills do not affect me at all, I need first hand hard evidence.

    Why don't others do the same?
    That is exactly the centre of my puzzle.
    Why do SAS, SS and other peers (to MBAM) not rush to endorse its findings?
    You tell me, perhaps?

    Have a nice one, I do not wish to start a war here. Just sit back and chew my questions.

    P.S. I am a happy user of MBAM free version , but its maverick-style, aggressive deviation approach has worried me, hoping they are not digging their own grave by doing these.
     
    Last edited: May 14, 2008
  21. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784

    I for one would never touch it.....EE that is.
     
  22. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi,

    During tea time, I looked at the two links you provided, and I found these:

    The first one: another E3 (or 3E) criticized EE; it seems to me that one rival tries to take EE to the cleaners.

    The second one: all data refer back to 2003 or earlier, that is five years ago, man!

    I CALL IT the ancient history in cyberscience, man. Another cup of black tea, please.
     
  23. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    From what I am told the problem with Rogue.EvidenceEliminator was real. EE was not installed at the time but huge amounts of data were being transferred on his internet connection. He initially used NoAdware and this detected the same rogue file as MBAM but could not clean it. MBAM did clean it and his internet connection is back to normal.

    In this case MBAM appears to have done a good job.
     
  24. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi,

    Thanks for the additional info.

    I am testing EE, it seems to do the job; I also use East-Tec eraser as a standard for comparison.

    EE did not make any Internet-outbound connection, because PCT firewall did not alert me to any, nor seek my permission.

    Your friend did not have EE installed when the data leakage through the Internet occurred. Can we say EE is not at fault?

    Testing with EE is so far so good. Any suspicion regarding its integrity is my foremost concern. Hoping you understand that.
     
  25. sbcc

    sbcc Guest

    Hi Perman.

    I'm not trying to start a war either. It's green tea with honey and lemon for me today. I've been home with the flu for the past two days and maybe I'm coming across as cantankerous. Sorry.

    Yup, those links are old. Yup, Radsoft wants to sell their own product, certainly they are biased, no argument there. The other link is also old. I'm not going to dig up more of them. I was simply trying to point out that the software has a checkered past.

    A knowledgeable acquaintance tested EE and noted among other things that it left easily recoverable files. This was a while back, maybe 5 years ago or so and probably on Win 98/FAT. More old anecdotal evidence, I know. I have had to remove an EE drive-by home page hijacking full of scare tactics for someone else as recently as 18 months ago - but to be fair that could have been a reseller. Hence my questioning why it isn't detected as a rogue by the other products and as to why it should be considered test-worthy now.

    I certainly appreciate that you want to see for yourself and not rely on rumors. I'm very curious as to whether files and usage tracks can be found with recovery software. If you do test this aspect would you please share your findings?

    On another note, I'll get the full version of MBAM when I feel better and start a different thread about my experiences. Thanks for the response. I wish you pleasant and trouble free testing!
     