MBAM hoax?

Discussion in 'other anti-virus software' started by yaslaw, Jun 30, 2011.

Thread Status:
Not open for further replies.
  1. yaslaw

    yaslaw Registered Member

    Joined:
    Feb 27, 2005
    Posts:
    168
    Location:
    Poland
    I would like to point you to this post
    http://www.anti-malware.ru/forum/index.php?showtopic=18301

    According to this post, MBAM detects some files based on their names and paths only!
    A member of the Polish safegroup.pl also confirmed this by creating an empty file called svchost.exe in the Windows directory. MBAM detected it as Trojan.Agent.

    The topic he started on the MBAM forum can be found here:
    http://forums.malwarebytes.org/index.php?showtopic=88498&pid=447446&st=0&#entry447446

    More info in Polish under this link:
    http://forum.safegroup.pl/viewtopic.php?f=44&t=4282&start=0#p113914
     
  2. markusg

    markusg Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    248
    This has been known for a long time.
     
  3. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
    I know this, Yaslaw... but thanks for the info in this place. The arguments are clear and this looks like a hoax... but with such a reputation? What is MBAM's next step? What comment do you give us?
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Interesting... I wasn't aware of this. I need to pay more attention. :blink:
     
  5. LODBROK

    LODBROK Guest

    A good strategy for whatever one does. :)

    Anyhow...
    One would think a svchost.exe file anywhere outside of its proper locations (such as C:\WINDOWS\system32, C:\WINDOWS\ServicePackFiles\i386 and C:\WINDOWS\$NtServicePackUninstall$ in XP) would be suspicious and should be detected in some manner. If not tagged as Trojan.Agent, which is logical IMHO, then as what??

    If I saw svchost.exe in the root of my C: partition, I'd tag it as WTcensored!!!!

    Looks to me like MBAM is doing its job.

    BTW, there is no such thing as an "empty file."
     
  6. yaslaw

    yaslaw Registered Member

    Joined:
    Feb 27, 2005
    Posts:
    168
    Location:
    Poland
    Indeed, it's a very sophisticated method to detect files based on their file names.
    I'm sure that this is 6th generation cloud computing + super duper behavioral sonar system.

    Ehhh... I'm disappointed by these cheap tricks... for me there are no excuses. It's simply wrong.
     
  7. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Perhaps because non-standard svchost.exes are usually trouble?

    I'm really not understanding what the problem here is.

    If Malwarebytes is a hoax,... then a lot of malware makers are in on it.
     
  8. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Can you name a situation where a user would legitimately want a fake svchost.exe?
     
  9. yaslaw

    yaslaw Registered Member

    Joined:
    Feb 27, 2005
    Posts:
    168
    Location:
    Poland
    Can you name another AV that behaves the same way?

    And why is it wrong? I don't trust any security vendor that determines whether a file is malicious or not by its name.
    Imagine that this could happen to legitimate files that are detected only because of these "rules".
     
  10. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    We employ a wide range of strategies and tend to use the hammer that fits the job. Sometimes it is a per download polymorphic infection that is always randomly named, sometimes it is as simple as svchost.exe in a foolish location.

    We do what needs to be done to keep you safe.
     
  11. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    What legitimate files?

    Trojans and other malware commonly install themselves outside of the system folder with legit sounding names, then set up various methods to have them run at system startup. It's great that Malwarebytes can detect these phony files, and it helps people who aren't capable of manually checking autoruns themselves.

    Why does it need to be a fancy method of detection to be valid - when cleaning someone's computer by hand, I'd have removed the obvious fake svchost.exe as well, no matter what size explorer reported it to be.

    Malwarebytes is 100% correct to detect this.
     
  12. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    +1 THIS!!
     
  13. pablozi

    pablozi Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    215
    Location:
    nowhere
  14. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    621
    Avast uses similar techniques (among many other things, of course).
    But it doesn't directly alert on the file - instead, it just flags it as suspicious and optionally submits it to the virus lab for further analysis...

    I think this is actually pretty common these days.
     
  15. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    The only reason to have copies of svchost created by the user is to have a backup in case the real copy gets corrupted or infected. The same logic used in figuring out that svchost is a good file to backup would also dictate that %WINDIR% is a very poor location to put this backup.

    Even in this fictional situation no harm takes place.

    We do what needs to be done. We keep it safe and yes, do not go by 'the book' at times.

    A lifetime license is also not by 'the book', it's kind of our thing :)
     
  16. yaslaw

    yaslaw Registered Member

    Joined:
    Feb 27, 2005
    Posts:
    168
    Location:
    Poland
    Vlk, with all respect.
    I see a huge difference between these approaches: detecting a file as a Trojan, versus taking prevalence, path, and so on into account to judge whether the file is suspicious or not.
     
  17. yaslaw

    yaslaw Registered Member

    Joined:
    Feb 27, 2005
    Posts:
    168
    Location:
    Poland
  18. m0use0ver

    m0use0ver Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    81
    Maybe all the good software uses this to some degree.

    Some cry hoax but do not understand the far bigger picture in the malware landscape.

    File pathway detection is just one of many different attack vectors available to the good guys.

    It does not matter how the file is packed or encrypted, or whether it has a million unique MD5s: if its pathway is unique then it is own3d from the moment it is written to disk :D

    Talk about rapid 0-hour protection with that type of foo.

    It would be silly not to have as many tools available to get the job done as possible :thumb:
     
    Last edited: Jun 30, 2011
  19. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Not surprised, but now I see why other vendors have this big problem with false positives! Such practices are not recommended.
     
  20. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    I wasn't aware of it either. :ouch:

    I have SRP set up to stop any svchost.exe from running that isn't in the correct location so it is not a worry to begin with.
     
  21. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    That was a 2 letter folder name, I would not have signed off on that.

    We are talking about the most commonly used reserved file name in the history of windows malware.

    We have only 2 rules when it comes to detection:

    1. Is it safe?
    2. Does it work?

    Other companies may have additional rules, that is their choice.
     
  22. LODBROK

    LODBROK Guest

    No. That's why I use MBAM Pro! ;)

    I've been following this in other threads also. This C:\svchost.exe has been referred to as empty, fake and dummy and there's all sorts of wailing that MBAM snagged it. I'd break down in laughter (as in ROFL) if all this weren't so pathetic.
     
  23. m0use0ver

    m0use0ver Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    81
    Yeah, it's odd... Malwarebytes is widely accepted as best in class, yet these guys attack it for one of its many methods.

    What gives... it gets the job done, and real good.

    Are they secretly malware shills?

    Script kiddies going ape as they keep unloading their toys, or maybe even jealous competitors/fanboys.

    Either way, the end results justify the means, as they speak for themselves :thumb:
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Nice approach!! I follow a similar one, but with AppLocker, which in its good days should work just fine. It isn't without its own glitches. lol

    But my surprise was more like: does MBAM only verify malware that way? I mean, if it worked only that way, there could be a malicious file replacing the original svchost.exe in C:\Windows\System32\

    MBAM wouldn't beep at all... considering that that svchost.exe is at the original location? That was my only surprise...

    But, nosirrah mentioned:

     
  25. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Ok - and how can you explain that Malwarebytes also whitelists just by name, not by hash, for example?? If the malware has the "correct" name, MBAM is blind - that problem has existed for years...

    Example:
    - TDSS sample - detected, see attachment 1
    - Same file (see hash) only renamed to taskwitch.exe - MBAM no longer detects it, see attachment 2

    So if you really do "what needs to be done to keep users safe", change whitelisting by filenames. ;)

    Regards
     

    Attached Files:
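As an added illustration (not code from the thread, from Malwarebytes or from any other vendor), the two detection designs argued over above, written as a small Python scanner run over constructed file records: LODBROK's path rule that flags svchost.exe outside its canonical directories, and a whitelist keyed by content hash beside one keyed by filename, which reproduces the rename bypass SLE describes. The canonical directory list (XP locations from the thread plus System32/SysWOW64), the sample bytes and their hashes are assumptions made for this example.

```python
import hashlib
import ntpath

# Directories where Windows legitimately keeps svchost.exe. The XP-era
# entries are the ones LODBROK lists; System32/SysWOW64 are assumed here.
CANONICAL_SVCHOST_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\servicepackfiles\i386",
    r"c:\windows\$ntservicepackuninstall$",
}

# Constructed stand-ins for a known-bad binary and for the genuine svchost.exe.
BAD_BYTES = b"MZ\x90\x00 constructed tdss-like sample"
GOOD_SVCHOST = b"MZ\x90\x00 constructed genuine svchost"
KNOWN_BAD_HASHES = {hashlib.sha256(BAD_BYTES).hexdigest()}
TRUSTED_HASHES = {hashlib.sha256(GOOD_SVCHOST).hexdigest()}
TRUSTED_NAMES = {"taskwitch.exe"}  # name-keyed whitelist: the weak design


def svchost_out_of_place(path):
    """Path rule from the thread: svchost.exe outside its canonical
    directories is flagged regardless of content, even a zero-byte file."""
    directory, name = ntpath.split(path)
    return name.lower() == "svchost.exe" and directory.lower() not in CANONICAL_SVCHOST_DIRS


def verdict(path, data, whitelist_by="hash"):
    """Classify one file. whitelist_by='name' skips trusted filenames and so
    reproduces the rename bypass SLE describes; 'hash' keys trust on content."""
    digest = hashlib.sha256(data).hexdigest()
    if whitelist_by == "name" and ntpath.basename(path).lower() in TRUSTED_NAMES:
        return "skipped (whitelisted by name)"
    if whitelist_by == "hash" and digest in TRUSTED_HASHES:
        return "clean (whitelisted by hash)"
    if digest in KNOWN_BAD_HASHES:
        return "malware (hash match)"
    if svchost_out_of_place(path):
        return "suspicious (svchost.exe outside canonical location)"
    return "clean"


if __name__ == "__main__":
    cases = [
        (r"C:\svchost.exe", b""),                         # the empty file from the thread
        (r"C:\Windows\System32\svchost.exe", GOOD_SVCHOST),
        (r"C:\Windows\System32\svchost.exe", BAD_BYTES),  # path rule alone misses this
        (r"C:\Temp\taskwitch.exe", BAD_BYTES),            # renamed sample from SLE's post
    ]
    for path, data in cases:
        print(f"{path}: name->{verdict(path, data, 'name')} | hash->{verdict(path, data)}")
```

The third case is m00nbl00d's concern: a replaced file in the original location passes the path rule, so a content check is still needed alongside it.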
