Is Malwarebytes Pro really useful actively running?

Discussion in 'other anti-malware software' started by ratchet, Nov 24, 2013.

Thread Status:
Not open for further replies.
  1. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,906
    I purchased it on sale probably about a year ago, more as a donation than for need. I do that when I notice a software manufacturer allows usage of its product in some form or another for free. I often see MB being available as a public service for removal of ransomware. I purchased Paragon Backup and Recovery 12 for the same reason, as I'd successfully used its free version(s) that are often available at GofTD.
    Even when Norton was flagging MB as malware I never even paid any attention to the issue. Recently though I did discover an issue, easily resolved by setting MB's service to Automatic (Delayed Start) as opposed to Automatic, that would freeze the desktop after AX64 and Paragon restores on an x64 W7 SP1 PC.
    Given that the issue is 100% resolved and that I've never had a malware infection, my question is kind of philosophical in nature. For example, if Norton were to miss something while actively online, could/would MB stop it?
    Thank You!
     
  2. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    Nobody can answer that question, but adding another scanner to the mix doesn't compensate for another scanner's deficiencies. You'll probably end up with just another set of signatures, which are 99% redundant but have to be loaded into your memory as well. If files are about to be executed, they will have to be checked against that redundant signature set as well, further decreasing performance. That isn't too much of a problem with MBAM, as it scans on execution only, but why put another burden onto your system without any benefit?

    If I am correct, Norton relies a lot on file reputation, which means it tends to block unknown stuff without being dependent on a signature, just because it is unknown and not because it is a well known bad file. This can lead to issues with unknown benign programs but it's also a good zero-day defense mechanism. I think "if in doubt - deny" is actually a rather good method. It will certainly block more infections than another scanner and it shouldn't slow you down.

    If you want to look into the benefit of using multiple scanners, just look at AV-Comparatives and consorts. Multi-engine scanners are in almost all cases just as good as the best single engine products. A good example is Qihoo, which gets just slightly above Microsoft Security Essentials.

    Norton's file reputation system offers a much greater benefit than any additional scanner could. I see no need to run MBAM Pro in real-time, if you already have Norton.
     
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    The 99% redundancy is not true in the case of MBAM; MBAM focuses on what AVs are not good at, and doesn't try to detect what they're already good at. That is also why it is not advised by the developers to run MBAM Pro as the only realtime program. In other words, AVs are a broad-spectrum antibiotic while MBAM is a narrow-spectrum antibiotic which focuses on the bacteria still alive after the broad-spectrum antibiotic has been given.
     
  4. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    That's what the commercials are saying...
     
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    True, in reality it will be different, but it is still the goal of the product so redundancy will be lower than multiple realtime AV's or multi-engine AV's because it doesn't detect a lot of stuff that 'standard' AV's already do.
     
  6. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    Yes, but MBAM is not designed to be an exclusively complementary scanner, so there still is a lot of redundancy. They focus on the new stuff, so there will be less redundancy regarding old or no longer in-the-wild malware. Yet AV vendors also invest time and money to develop signatures for the new stuff, just because it's the heart of their business. So it boils down to the question of who is quicker.

    If you take a file reputation approach like it's the case with Norton, being new and unknown doesn't come to a malware's benefit. On the contrary, it should be blocked just because of it. Then Norton reduces their signatures to new and in-the-wild malware as well.

    If you take a static file detection test, the addition of MBAM could yield a better result. But in terms of real-world protection, file reputation is a very good approach and preferable to any signature scanning. As the OP already deploys Norton, I am reluctant to see the benefit.

    MBAM has a very aggressive PUP policy (with the downside that it blocks complete installers of legitimate software and not the PUP only, so I have heard) and I don't know how Norton and/or its file reputation handle these kinds of scenarios.
     
  7. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    I think they should make an option in settings so that users could decide whether or not they want this policy to be applied.
    There are lots of FP reports on their forum and the majority are just about PUPs.
     
  8. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    There is, you can turn PUP detection off if you want.
     
  9. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    I know there is an option for on-demand scan but I missed one for real-time protection. :doubt:
    Hmmm....will try again later today....
     
  10. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,906
    I'm glad I started this thread as I really wasn't aware how Mb or N worked. There definitely are no performance issues given a 3570K CPU, SSD and 8 GB of RAM, and I haven't had any FPs, so I'll probably keep Mb active. However, if you have any more insight I'd enjoy learning more. Thank you!
     
  11. chattycathy

    chattycathy Registered Member

    Joined:
    Nov 8, 2005
    Posts:
    226
    I have Malwarebytes Pro running and it helped me out yesterday. I had installed a video player and failed to notice that it was also going to install Pandora TV. I admit that was my fault for overlooking it. Well, Malwarebytes brought it to my attention. Every time Pandora TV tried to access the internet, Malwarebytes alerted me. This action made me research and find that I had mistakenly installed Pandora TV so I turned around and uninstalled Pandora. There have been other times that it has given me alerts about web sites, etc. so in my opinion, it is money well spent.
     
  12. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    858
    Location:
    Blue Ridge Mountains
    Its website blocking feature is one of the few that appears to work with a sandboxed browser, (Firefox in my case.)

    When I recently tested the web / surf protection of a few AV's, they did not block sites when the browser was supervised by Sandboxie but did when it wasn't employed.

    MBAM works in either instance and I value this functionality.
     
  13. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    nosirrah, I am looking for that option but can not find it.
    Can you help me?
     
  14. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,906
    Open the GUI/program and hit "Protection" and un-check that feature.
     
  15. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    Where is it?
     

    Attached Files: 1.jpg (55.2 KB)
  16. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    858
    Location:
    Blue Ridge Mountains
    Siketa, I may be wrong but I think you have to go to:

    Settings - Scanner Settings
     
  17. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    Isn't that an option for on-demand scanner?
    I'm looking for the real-time protection option....
    I know I can select 'Ignore' in popup alert but I have auto-quarantine enabled.
     
  18. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Shouldn't we be arguing heuristic engines nowadays instead of beating the signature drum?
    In zero-day tests like from Effitas MRG, MBAM has almost always outperformed most AV's. Imao, it's not a question if MBAM will yield a better result.
    HitmanPro and Emsisoft are in the same category. (With Emsi also due to incorporated Mamutu tech; acknowledged).
    When you prefer file-rep do you mean info as in whitelisted/known clean file or as in "Less than 12.500 people have downloaded this. Continue? Yes/No"?
     
  19. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    858
    Location:
    Blue Ridge Mountains
    If that's the case, then like you, I don't know where that setting is either.
     
  20. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    Thanks anyway.
    I think there is no such option...that's why I made a suggestion in the first place.
    :)
     
  21. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    @Baserk

    I have gone through the last several reports by MRG-Effitas again and from what I have read, the major players are always at least on par with and often enough a tiny notch better than MBAM (Kaspersky, Bitdefender, Avast). Even Symantec is at least on par with MBAM.

    When I talk about file reputation, I am thinking about a combination of both points you wrote. I must admit that I am not too familiar with Norton in that case but I think the approach is solid, if it works as intended.

    Personally I prefer solutions like Sandboxie and AppGuard. In terms of realtime protection, my favorite is clearly EAM, because I can set the file guard to scan on execution only and of course there is the excellent behaviour guard, whose detection capability I consider to be the industry standard.
     
  22. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    That is only because it's a system-wide IP blocker or blacklisting firewall. It doesn't integrate the browser with MBAM as many AV's do, you'll need Sandboxie exceptions (tzuk provides some templates in Software Compatibility).

    Separate extensions like BitDefender TrafficLight or DNS services like Norton's should work fine as well.
     
  23. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,092
    Location:
    Hollow Earth - Telos
    EAM does not look too good here: http://www.pcmag.com/article2/0,2817,2418329,00.asp
     
  24. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    858
    Location:
    Blue Ridge Mountains
    Yes, I'm aware of all this as a long time Sandboxie user...but even some of the AV's with compatibility settings still fail to block sites when the browser is run under the supervision of Sandboxie. (OA's web shield, EAM Surf Protection, 360, Panda, BitDefender, Baidu amongst others.)

    I've done it and checked this for myself. (As a result I can only speak to what happens on my own system.)
     
  25. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    You're right, several AVs perform (a tad) better in the last reports. I stand corrected.
     