Malwarebytes Anti-Ransomware Beta

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Jan 25, 2016.

  1. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,292
    Location:
    USA, MICHIGAN
    It's up to you, but once the product is up and running and migrated with MBAM I'm sure it's going to be very good.
     
  2. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Currently MBAR is nothing more than a rebranded CryptoMonitor (unsurprising as it is coded by the same person), and is about the worst choice that can be made when selecting specific antiransomware protection as it does not come close to HMPA, WAR, or even the native ransomware protection of BitDefender in actually protecting a system.

    The reason for the poor performance of MBAR is easy to grasp- the mechanism of action that it uses is fatally flawed, and unless the product is totally scrapped and rebuilt from square one there is no reason to suspect that it will improve.
     
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    If you knew anything about Malwarebytes you would know this is not true with Malwarebytes. We've grandfathered EVERY single lifetime license when we moved to subscription and will AGAIN grandfather EVERY existing MBAM subscription to anti-ransomware for free. I bet you'd have a tough time naming a couple other companies that do that for their users.

    This could not be further from the truth. Yes we acquired CryptoMonitor, but mostly to get Nathan to lead the project due to his experience. The actual code does not have a single line of code from CryptoMonitor and was developed from scratch (it was actually started before the acquisition of CryptoMonitor). Re: the comment about HMPA, WAR or BitDefender, if you actually knew what you were talking about you'd be laughing at your own comments. MBAM-ARW is much more advanced than any of those. Granted the shell (UI, etc.) we put together quickly to wrap around the technology so we could publish a beta is crappy, it is the least important aspect. Once we throw away that shell and it integrates into MBAM it will be a different story.
     
  4. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    I stated nothing regarding MBAM if you'll notice. My comments were just about MBAR and its inferiority to other products that are specific for, or have modules specific to stop ransomware. Even a cursory test will quickly demonstrate that MBAR as currently coded will be outperformed.

    And yes I do know what I am talking about and do not in any way find this to be a laughing matter.
     
  5. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    pbust?

    I was not implying that is what you were going to do, I was only asking and making a true statement about a lot of other companies.
    I have been using MBAM for some years now and I was never one to actually pay for any software unless I thought it was worth it. I also currently pay the yearly for MBAE. As you know, I have spoken with you in e-mail about a few things and always found you to be professional and pretty darn quick with your responses.

    CS are you going to make a video of MBAR when it comes outa beta? ;)
    Oh, that's right, I forgot you are in Vegas for some months.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Wow, these are some serious claims. :D

    Can you give a bit more technical information? Why do you think that it's more advanced than WAR and HMPA? I believe most anti-ransom tools that make use of behavioral monitoring are watching for suspicious activities of the file system, am I correct?
     
  7. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    Sounds like the gauntlet has hit the floor! When are we going to see the HMPA vs WAR vs BD vs MBAR test? Let's throw VS into the mix, as well.

    Volunteers (who know what they are doing), please. Let's walk the talk.

    Questioning cruelsister's knowledge? Hmm..., good luck with that. o_O
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    The thing is, it's a matter of how you define "advanced". If it is purely about behavioral monitoring, I'm guessing HMPA and MBARW are the most advanced. The problem is that WAR sometimes seems to be more effective, but that's because it's looking at other parameters, like if a file is signed or if it's trying to perform "process hollowing" and other stuff. I hope that developers will give some more info about the inner workings.
     
  9. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Cruelsister, you are more knowledgeable (or at least you really seem to be) than the average WSF member.
    How come you write that MBAR is "nothing more than a rebranded" product/heap of code, which seriously needs to be "rebuilt from square one"?

    Didn't you notice that MBARW has been coded from 'square one' even before the purchase of CryptoMonitor, as pbust claims?
    Do you question this claim about this particular MBAM product actually having been rebuilt?
    At some point, one wonders about some of the claims you make...
     
  10. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    BinDiff can probably provide the answer.
     
  11. :thumb: a program to check the binary differences and map changes in logic flow will answer that question for sure
     
  12. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499

    "At some point, one wonders about some of the claims you make...
    BinDiff can probably provide the answer. "

    OK, you guys lost me again. What does BinDiff have to do with CS's remarks?
     
  13. DecrypterFixer

    DecrypterFixer Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    9
    First off, I would like to say that any opinions I may have in this comment do not reflect the opinions Malwarebytes may have.

    Since you like to do these types of tests, I would encourage you to perform this "cursory test" with the latest version of MBARW :) It would be very informative to everyone here, and I think you will be quite surprised with how well it does, especially compared to products out on the market now. The BETA did take some unexpected time to get MBARW to its goal and fruition, but we are there now and even have much more to come!

    I'm sure you know, I'm the creator of CryptoMonitor, and I can assure you not a single line of code from CM was used in MBARW.
    You see, CryptoMonitor got too big, too quick for what I expected. I was a lone developer who was simply creating a small/medium application to help and stop Ransomware, because there was nothing that was doing this at the time for your regular endpoint users. You could argue that there were some tools out, but it was quite clear they were not working. CM was even free at first with donations!
    But because computer users were ready for a solution to this problem, CryptoMonitor grew larger than I expected, and thus I did my best with keeping up with it along with starting EasySync Solutions! Because I'm a developer and Security Analyst, and at the time wasn't much of a "business guy", I was quite overwhelmed. So it's quite hard to compare CryptoMonitor/EasySync to most larger companies :)

    This is why, given the opportunity, I teamed up with Malwarebytes and brought all my Ransomware knowledge with me! Malwarebytes had a goal on point with what my goal was, stopping the oncoming Ransomware Pain Train. They already had a plan and action in the works, and I was happy to come on board and help lead the Ransomware Team to where we are now and where we are going in the future. Because I finally had the resources and time with Malwarebytes, we could now take advantage of ideas and methods that I couldn't do alone with CryptoMonitor to make an amazing application that would stop Ransomware cold, and minimize FPs. This, combined with Malwarebytes' excellent plans, has made a great product. The BETA was just that.. a BETA. It has fine-tuned MBARW to an application I'm proud to say I had a part in creating, and will provide an unbeatable amount of protection when coupled with MBAM, which won't even require you to run another application!

    Malwarebytes products and reputation speak for themselves, and don't need much explaining. I was simply hoping to clear up any misconceptions there may be here. I will be releasing an unbiased video that shows all Anti-Ransomware products against 0 day ransomware very soon which should help some users here, and elsewhere, when trying to find a solution to Ransomware.
     
  14. BinDiff is a program to detect the difference of two programs by comparing them on a binary level, it also makes a map of the logic differences. When something is just a rebranded program, 95% of the code is the same (only text literals representing the name of the program, images representing logo and colouring scheme of the GUI are different).

    So comparing MBARW against CryptoMonitor through BinDiff could prove CS's claim (only rebranded) to be right or wrong.

    Great, let the programs speak for themselves. I hope you will also include Bitdefender and Kaspersky (free) anti-ransomware solutions and (besides MBARW) paid solutions like Cryptoprevent, HMPA and WinAntiRansomware.
     
    Last edited by a moderator: Aug 16, 2016
  15. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    Excellent. Show me always works better than tell me. When is it due to be integrated into MBAM?
     
  16. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    1,292
    Location:
    USA, MICHIGAN
    Hopefully ZAL is thrown in there also.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Can you perhaps also give some more info about the inner workings of MBARW? Details are not necessary, but I would like to know if it watches for suspicious file system operations and for apps that are using "process hollowing" and other stuff to bypass HIPS.

    ZAL doesn't use behavioral monitoring to block ransomware. So no need to test it, since tools like WAR, MBARW and HMPA are completely signature-less.
     
  18. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Please pardon my not taking part in this discussion very much as real life has intruded.

    I used the term "recoded" previously. I did this just to be nice. Obviously MBAR is different from CryptoMonitor in a number of ways, so more properly I should have said that both are equally ineffective in stopping many ransomware strains (like I said, I was being nice). For proof of this one needs only to review a number of videos that have been published demonstrating this statement.

    But for those that have a VM and have neither the time nor inclination to watch YouTube, run a Petya, Satana, or a Putty (aka MirCop) against MBAR, then against HMPA. You will notice that whereas Erik (et al.) have reacted to current ransomware threats, MBAR has not. And I will not even mention Bart.

    As to integration of MBAR into MB, the bar has been recently set much higher by a certain Russian developer (whom I am without doubt biased against); this product appears to be the best of breed in a number of ways although further analysis needs to be done (I hope to publish something about this prior to All Hallows Eve).

    Finally, I would suggest that the MBAR coder spend more time on product improvement than casting aspersions on those who test the product without emotion or prejudice.
     
  19. @cruelsister

    Because a Russian developer is setting the bar, I'd rather have those published on All Saints' Eve if you don't mind (All Hallows' Eve is associated with Western Capitalism in Russia).

    Thx Kees
     
    Last edited by a moderator: Aug 17, 2016
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    Is this some new anti-ransom tool you're talking about? And about this whole discussion, so you're basically saying that MBARW is not as effective as other anti-ransom tools. I really hope that ZeroVulnLabs and DecrypterFixer can explain why they believe that MBARW should still be considered as more advanced. To be clear, I'm not picking any sides, I just hope the end goal will be even stronger tools.
     
  21. haakon

    haakon Guest

    FWIW & FYI, MBAR was coined for MB's obsolete Anti-Rootkit which never got out of beta.

    MBARW has five letters, I know. But what can anyone do? :)
     
  22. haakon

    haakon Guest

    It'll be interesting to see how they'll market that re their free/paid model.

    MBAM works only when you tell it to.

    MBAM Premium adds workings in its running process(es). Except when the user chooses to disable them, of course.

    Throwing MBARW into MBAM Premium makes sense.

    Because what good does MBAM do for protection against ransomware unless you would stumble on or suspect a time delayed payload?

    Which is what MBAM should be doing now, given the latest defs have been loaded.

    Or with an MBARW component, MBAM would offer a clean-up attempt after the fact??

    If MBAM kept its name, then MBAM Premium would need a re-name. MBAA: Anti-ALL!

    If MBAM Premium kept its name, then MBAM would be... MBAP. Anti-Probably.

    Or they could just roll back their thinking and keep both MBAMs and MBARW separate products. Gasp!
     
  23. haakon

    haakon Guest

    Instead just think of them in a nutshell as the tradition brought to the region by the pre-Christian Rus Northmen. ;)
     
  24. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

    Malwarebytes Anti-Ransomware BETA 8, version 0.9.17.661, has just been released.
    Announcement and download link: New version - BETA 8 - now available!
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    I will wait for some feedback, and perhaps I will give it a try. Looks like they have fixed a lot. BTW, I'm still waiting to hear from ZeroVulnLabs and DecrypterFixer about why MBARW is more advanced compared to other tools like WAR.
     