Malwarebytes Anti-Ransomware Beta

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Jan 25, 2016.

  1. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Cruelsister's test is on YouTube... not so good results for MBARW

    Malwarebytes Anti Ransomware Beta 8 https://www.youtube.com/watch?v=NeDrsiflQt0
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    What the hell, I wonder how this is possible.
     
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    We detected a bug post release which is causing this. The team is already working on it. Btw, in the case of the detection but the ransom notice being dropped on the Desktop, this is normal, as ARW does not prevent (yet) the ransom notice or Desktop background change. Our priority for now is to prevent file encryption.

    Also it seems the VM only has a few documents, which is a less than ideal way to test an anti-ransomware technology that is behavior based (rather than static policy-based).
     
    Last edited: Sep 19, 2016
  4. Although true, you can't ask CS to do a regression test (that is your job), it is a 'cursory' pen test as you challenged her to do (so better :blink: )
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK, so it was caused by a serious bug. You would think that your own developers would have spotted this before the release!

    To be honest, I would be happy if it could save most of my files. If such a tool could spot the attack in its early phase, and give an option to block the process from modifying files, that would already be quite good.
     
  6. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Our objective is to prevent all file encryption, and eventually add a feature to recover the ones that got encrypted (as well as restore the system changes like desktop background and ransom notices). It is still beta and is under heavy development, so please be patient with us. We have some other cool new projects going on at the same time so our "speed" is suffering a bit.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Good point, but important files can also be protected with file/folder protection tools. And I'd rather have a behavioral monitoring tool that is able to notify me about a file encryption attack 100% of the time, even with some lost data.

    Sounds good to me.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    We await your first product to test
     
  10. guest

    guest Guest

    It's not that easy.
    If you monitor "the same routine", they simply change their behaviour/routine.
    :thumb:
    I'm curious, too.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I'm afraid you both missed the point. I was more or less trying to figure out why tools like HMPA and MBARW sometimes get bypassed. Is it because they try to stop encryption in the last phase of the attack? Perhaps developers can explain this.

    Just read about the way ransomware works, it's not magic. They all do the same, instead of directly encrypting files, they try to bypass HIPS with process hollowing, and they perform some other stuff to make it harder to recover files. So what if you simply block this, isn't that already enough?
     
  12. guest

    guest Guest

    Is it enough to block these things? Maybe.
    But if a new ransomware-variant comes out, sometimes "better/improved" detection-routines are needed:
    HMPA: "CryptoGuard v4.5 improves detection for ransomware doing partial encryption."
    MBARW: "New ransomware variants of DMA Locker, CryptoXXX and CryptoJoker are now detected"
    ...

    Edit: one of the main reasons:
     
    Last edited by a moderator: Sep 26, 2016
  13. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    I believe AV/AS tools get bypassed because the malware coders find new attack vectors.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I was specifically talking about anti-ransomware tools. Even HIPS sometimes get bypassed when new techniques are discovered by malware writers, like new code injection methods for example.

    Correct, but there aren't that many techniques that ransomware can use, that's why they perform the same routine. I believe tools like HMPA and MBARW will probably only monitor the second part of the attack, they purely try to prevent massive file modification, by monitoring the file system. But in theory you can already stop them in an earlier phase. If you block code-injection/process hollowing, outbound network access and the running of vssadmin.exe and bcdedit.exe, you probably have already neutralized most ransomware.
     
  15. guest

    guest Guest

    "in theory" ;)
    HMP.A can block code-injection/process hollowing, but I don't know if MBARW is able to do it too.
    Some variants don't even need to connect to the outside before they begin to encrypt files.
    If they were "Anti-Executables" then they could block it earlier.
    Blocking the second part of the attack can be sufficient as long as the attack is identified "in time".
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I say "in theory", because I don't do malware testing anymore. So I can't know for sure how ransomware exactly works, but I think it's safe to say that if you block certain routines in stage one, they will fail to work correctly. So in theory HMPA should already tackle certain ransomware variants when it blocks process hollowing. But like I said, I believe that HMPA and MBARW are more focused on behavioral monitoring of suspicious writes to the file system.
     
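As an added example (not code from the thread, nor from Malwarebytes or HitmanPro), a toy version of the two-stage heuristic Rasheed187 describes in the posts above: flag a process that launches vssadmin.exe or bcdedit.exe (stage 1), and flag a process that modifies many distinct files within a short window (stage 2), run over a constructed event log. The log format, the thresholds and the sample pids are assumptions.

```python
import ntpath
from collections import defaultdict, deque

# Constructed sample event log (not from the thread): "time_s,event,pid,detail".
SAMPLE_EVENTS = """\
0.0,proc,4012,C:\\Users\\u\\AppData\\Local\\Temp\\invoice.exe
0.5,proc,4012,C:\\Windows\\System32\\vssadmin.exe
1.0,write,4012,C:\\Users\\u\\Documents\\q1.docx
1.2,write,4012,C:\\Users\\u\\Documents\\q2.xlsx
1.4,write,4012,C:\\Users\\u\\Documents\\q3.pdf
1.6,write,4012,C:\\Users\\u\\Pictures\\p1.jpg
1.8,write,4012,C:\\Users\\u\\Pictures\\p2.jpg
2.0,write,4012,C:\\Users\\u\\Pictures\\p3.jpg
3.0,write,1200,C:\\Users\\u\\Documents\\notes.txt
9.0,write,1200,C:\\Users\\u\\Documents\\notes.txt
"""

# Stage 1: the system binaries the thread names as part of the pre-encryption routine.
STAGE1_BINARIES = {"vssadmin.exe", "bcdedit.exe"}


def detect(events_text, max_files=5, window_s=5.0):
    """Return {pid: [alert strings]} for the two stages described in the thread.

    max_files distinct paths written by one pid within window_s seconds is the
    (assumed) stage-2 threshold; a pid is reported for stage 2 at most once.
    """
    alerts = defaultdict(list)
    recent = defaultdict(deque)   # pid -> deque of (time, path) writes in the window
    fired = set()                 # pids already flagged for stage 2
    for line in events_text.strip().splitlines():
        ts, kind, pid, detail = line.split(",", 3)
        ts, pid = float(ts), int(pid)
        if kind == "proc" and ntpath.basename(detail).lower() in STAGE1_BINARIES:
            alerts[pid].append(f"stage1: launched {ntpath.basename(detail)}")
        elif kind == "write":
            q = recent[pid]
            q.append((ts, detail))
            while q and ts - q[0][0] > window_s:   # drop writes outside the window
                q.popleft()
            distinct = {path for _, path in q}
            if len(distinct) >= max_files and pid not in fired:
                fired.add(pid)
                alerts[pid].append(f"stage2: {len(distinct)} files modified in {window_s}s")
    return dict(alerts)
```

Note that pid 1200, which rewrites a single file twice six seconds apart, is never reported, while pid 4012 trips stage 1 before it has touched a single document, which is the point Rasheed187 makes about stopping the attack earlier.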
  17. ance

    ance formerly: fmon

    Joined:
    May 5, 2013
    Posts:
    1,360
    Where is Rasheed Antiransomware 0.01 beta? :D
     
  18. haakon

    haakon Guest

    Everyone already knew that 7930 of your posts ago. :argh:
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Couldn't you come up with a better name? :D

    https://www.wilderssecurity.com/threads/malwarebytes-anti-ransomware-beta.383333/page-12#post-2620520

    I actually explained in this topic how ransomware works (stage 1 and stage 2), but I can't know for sure how security tools try to tackle them, and why they sometimes fail. Please do some reading first before you come up with dumb and unfounded statements. :D

    But please do enlighten us, since you seem to be the malware expert. Can you perhaps tell me how WAR manages to stop ransomware, because the developers of MBARW think their approach is much more advanced. Can you tell me a bit more about the AI, or is it comparable to a "pimped up" anti-exe tool?
     
  20. EvjlsRain

    EvjlsRain Registered Member

    Joined:
    Apr 26, 2016
    Posts:
    31
    Hi everyone, I would like to ask: is this tool still updated and equivalent to the antiransomware module on MB3 or not?
    The reason why I ask is when I tested MB3 with many ransomware samples, it caught 100% (signatures), but when I disabled all modules and just left antiransomware protection on, it didn't catch any of the ransomware, 0% efficacy

    thank you
     
  21. guest

    guest Guest

    I think the standalone version won't get any update anymore
     
  22. guest

    guest Guest

    The standalone version has been fully integrated into MBAM 3.0.
    But if you only need the Anti-Ransomware protection and not all other modules included with MBAM 3, you can continue to use the MBARW-standalone (as a perpetual beta, see below)
    @guest
    They continue to provide a standalone of Malwarebytes Anti-Ransomware as a perpetual beta:
     
  23. guest

    guest Guest

    Thanks I thought only MBAE was going to be perpetual beta
     
  24. guest

    guest Guest

    BTW in their forum the last beta is from September.
    So they haven't released a new beta after the final release.
     
  25. EvjlsRain

    EvjlsRain Registered Member

    Joined:
    Apr 26, 2016
    Posts:
    31
    I tested the app hours ago. After a few minutes, it automatically updated to the latest database and component package (5 minutes ago, they were lower numbers)

    Tested again several ransomware samples I found on 14/01/2017 and some older ones. The result was so-so. Many bypasses unfortunately
     