Malwarebytes Anti-Ransomware Beta

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Jan 25, 2016.

  1. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,172
    Location:
    USA
  2. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,770
    Location:
    Mexico
    Congratulations! Felicitaciones!
    :thumb::cool:
     
  3. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    334
    I was going to try and test it but as a matter of standard practice on my side I usually test betas or new programs in a VM without a NIC and if nothing is found I 'might' try it on my live system. I suppose I could add an adapter for each OS XP-10 and 'activate' it online, then remove the adapter, save a snapshot, etc. (for every MBAR version?), but my initial feedback at this point would be that if you really want people to test it, don't require online activation just to enable the protection during the beta period :-/ That being said, I understand many ransom softs won't work without being able to connect home and retrieve a key, so it's only fair to expect the test machine to be online, but I'm stuck in my ways.
     

    Attached Files:

    • MAR.jpg (203.5 KB)
    Last edited: Jan 25, 2016
  4. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,739
    Location:
    New York City
    Change the taskbar icon when protection is stopped.
     
  5. haakon

    haakon Registered Member

    Joined:
    May 25, 2015
    Posts:
    767
    Location:
    SW USA
    @ pbust
    I read that as MBAM and MBAE Premiums, without MBAR, will not detect and block the most dangerous of ransomware variants like CryptoWall4, CryptoLocker, Tesla, and CTB-Locker.
     
  6. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,172
    Location:
    USA
    Most ransomware today is delivered via exploits. So if you have MBAE it will prevent most ransomware infections that use an exploit or drive-by infection vector.

    Of the ransomware that infects through a social engineering (i.e. non-exploit) vector, MBAM deals with it in two ways:
    1- Via its signatures and behavioral pattern updates, detecting the sample before it is able to run.
    2- Via its web blocking by preventing a running ransomware from contacting its C&C and downloading its encryption key, thereby preventing the damage (i.e. encryption) of the files

    However even with the above three layers there's still a chance that a ransomware might get through which (a) is delivered via social engineering, (b) is not detected by MBAM rules and (c) contacts a C&C that's not blocked by the Web Blocker. For those cases MBARW is a proactive approach that will block ransomware without signatures or web blocking.

    Also some people might not have MBAE or MBAM installed but still want proactive protection from ransomware.
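As an added illustration of what "blocking ransomware without signatures or web blocking" can mean in practice, here is a small behaviour-based detector that alerts when one process rewrites several files with ciphertext-like (high-entropy) content in a short window. This is example code written for this page, not Malwarebytes' or MBARW's own logic; the file events, document contents, process ids and thresholds are all constructed.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, documents well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class RansomwareBehaviorMonitor:
    """Hypothetical detector: alerts when one process rewrites `threshold`
    files with high-entropy content inside a sliding time window."""
    def __init__(self, window_seconds=10.0, threshold=5, entropy_min=7.0):
        self.window, self.threshold, self.entropy_min = window_seconds, threshold, entropy_min
        self.hits = defaultdict(deque)  # pid -> timestamps of suspicious writes

    def observe_write(self, pid, path, before: bytes, after: bytes, ts: float) -> bool:
        """Return True when this write pushes `pid` over the threshold."""
        e_after = shannon_entropy(after)
        if e_after < self.entropy_min or e_after - shannon_entropy(before) < 2.0:
            return False  # low-entropy or unchanged-entropy write: normal editing
        q = self.hits[pid]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) >= self.threshold

def pseudo_random(seed: int, size: int = 4096) -> bytes:
    """Deterministic stand-in for ciphertext (constructed sample data)."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest()
                    for i in range(size // 32))[:size]

PLAINTEXT = b"Quarterly report: revenue up 3 percent.\n" * 100  # constructed document

def simulate() -> dict:
    """Constructed event stream: pid 100 edits documents normally while pid 200
    rewrites six files with ciphertext-like content. Returns {pid: index of the
    write that first tripped the alert}."""
    mon = RansomwareBehaviorMonitor()
    alerts = {}
    for i in range(6):
        if mon.observe_write(100, f"/docs/memo{i}.txt", PLAINTEXT, PLAINTEXT + b"Edited.\n", i * 0.3):
            alerts.setdefault(100, i)
        if mon.observe_write(200, f"/docs/memo{i}.txt", PLAINTEXT, pseudo_random(i), i * 0.3 + 0.1):
            alerts.setdefault(200, i)
    return alerts
```

Only the encrypting process trips the alert, on its fifth write; the editor's plain-text saves never reach the entropy floor. A real product would also need to handle legitimate high-entropy writers (archivers, encryption tools) via exclusions, which is what the Restore/Exclusions discussion later in this thread is about.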
     
  7. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    Will it work on XP, and can it run in a snapshot that doesn't have MBAE installed on it, either?
     
  8. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,172
    Location:
    USA
    It does not support XP for now.
    Yes it can run by itself without MBAE or MBAM.
     
  9. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    Thanks.
     
  10. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,486
    Location:
    Poland - Cracow
    So...finally we know why CryptoMonitor (EasySync) has been abandoned...now it is called Malwarebytes Anti-Ransomware. How similar is MBARW to CM?...does it have the same features or maybe some new ones?
     
    Last edited: Jan 26, 2016
  11. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    241
    Thanks for the info, Pedro. Looks interesting. I think I will also give it a try soon.
     
  12. SHvFl

    SHvFl Registered Member

    Joined:
    May 7, 2015
    Posts:
    542
    Too many different applications from malwarebytes. They need to combine all to 1 program because most don't want to run 3 different programs. At the very least anti-ransom and anti-exploit should be 1 program.
     
  13. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,016
    :thumb: :thumb: :thumb:
     
  14. anon

    anon Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    4,097
    +1 :thumb:
     
  15. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,172
    Location:
    USA
    It's not CryptoMonitor. It's brand new technology from the ground up and we hired Nathan to lead the project due to his experience and knowledge of ransomware.

    For now it's just beta and we still need to finetune the core technology and add more features. We'll announce plans on how the final product format will look like when they are ready to be announced.
     
  16. daman1

    daman1 Registered Member

    Joined:
    Mar 27, 2009
    Posts:
    770
    Location:
    MICHIGAN,USA
    Is it free for beta testers?
     
  17. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,127
    Location:
    USA
    Great news that you're developing an anti-ransomware product to complement MBAM and MBAR. Perhaps eventually MBARW could be an optional module plugged into MBAM?

    As for Nathan you got the right man. He deserves a medal after the way he helped people on bleeping.com (or at least a case of Red Bull lol) :thumb:
     
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,172
    Location:
    USA
    He sure does deserve a medal! We're very honoured and happy that he decided to join Malwarebytes. It's a good match as he has the same ethics and same point of view of helping users above anything else.
     
  19. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,739
    Location:
    New York City
    @ZeroVulnLabs
    Two possible errors.
    1. Alerted on process ...........\Eset Smart Security\ekm.exe
    2. Nothing appears in quarantine.
    I will PM you the webpages I visited.
    ... PM sent.
     
  20. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    MBARW in action - even if it is a false positive. Heimdal.SecureDNS must have been scanning the page I was browsing on and triggered MBARW.
     

  21. Impet

    Impet Registered Member

    Joined:
    May 5, 2013
    Posts:
    896
    +1 :thumb:
     
  22. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
  23. haakon

    haakon Registered Member

    Joined:
    May 25, 2015
    Posts:
    767
    Location:
    SW USA
    @ Dark Star 72
    When did the remove/restart dialogue (Capture#26) show up? I don't think you would have selected Delete for Heimdal, did you?

    @ pbust
    The sequence doesn't make sense... A choice to Restore or Delete, but it's been removed?

    Anyhow, if one selects Restore is the item then in Exclusions? Can items be removed from Exclusions should that need materialize?

    Thank you.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Why a stand-alone product? It must be part of MBAM. Do you really think people should run half a dozen software products to protect their system?
     
  25. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    Capture#24 was the first pop-up; I then opened the quarantine via the GUI to see what was in there (capture#25). Capture#26 didn't show up for several minutes. As I was running under Shadow Defender there wasn't any point in rebooting to see what happened.
    The strange thing was that although Heimdal.SecureDNS.exe was removed to quarantine it was still shown as running in Task Manager and Process Explorer o_O
     