MBAM hoax?

Discussion in 'other anti-virus software' started by yaslaw, Jun 30, 2011.

Thread Status:
Not open for further replies.
  1. rottenbanana

    rottenbanana Registered Member

    Joined:
    Jul 25, 2008
    Posts:
    51
    Location:
    -30?C
    Couldn't agree more. This witch hunt reeks of insecure fanboys who can't even interpret Google results properly, much less actually read them.
     
  2. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Why are we allowing qakbot to continue with his rantings? Everyone on this forum has used MBAM and loves the results of it. If he has found something wrong with MBAM, let him take it up with the devs. Maybe he is doing some good by exposing a potential problem. Maybe he's a qak. I've used MBAM and have never been let down. It continues to improve and evolve as a top-notch AM.
     
  3. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Marcin - thank you for a great product, and I'm sorry that you have to put up with morons.
     
  4. m0use0ver

    m0use0ver Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    81
    OK, let's expand the pros and cons of file pathway detection.

    Cons
    -Small F/P risk (no more than most other attack vectors used)
    -Too simple (if something is easy, how can it be any good, after all)
    -spoof lolz, see this topic and others started by the same people on the net.
    -Can only be used where malware uses a static file pathway that is not used by any legitimate applications.

    Pros
    -Quick signature generation = faster escalation into the live database.
    -0-hour protection from any potential malware using that variable again.
    -100% detection rate on that variable regardless of how the malware is packed or encrypted**
    -Still very effective, as a lot of malware is still using static file pathways currently.

    Personal observations on all methods used to attack malicious code-

    **For years the AV vendors have struggled to deal with new malicious code, as often the bad guys give stuff a tweak server-side and escape being detected on the next version. Hence why the vendors are constantly playing catch-up and 0-hour malicious code detections are not great.

    Data/pattern string detection can be killed with just a small automated mod server-side :'(

    MD5 checkers groan as their databases swell out of all proportion, because the amount of new malware MD5s being created is staggering and it's impossible to track them all.

    At this point move the application database into the cloud... no one sees how big it's got there lolz, but you're out of luck once your internet connection is borked/filtered.

    Personal opinion-
    MBAM, SAS and any other vendor using file pathway detection are boxing clever :thumb:

    Those vendors that do not use this attack vector are weaker for it :gack:
     
    Last edited: Jul 2, 2011
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It seems interesting that practically no one talks about the whitelisted names.

    The way I see it, this is the weakness. Not malicious file names/file names out of place and paths.

    I'll ask again: Can you imagine what it would be like if every other antimalware application worked this way? It's pretty fair to say that the fight would be harder, no?

    It's this nonsense whitelisting thing that I just don't get. Is this approach, whitelisting based solely on names, any good?

    This would be like Windows 7 AppLocker allowing me to block apps, but all it would take is to change names. :argh:

    I asked a question, but perhaps it wasn't seen or not considered pertinent, but allow me to take my chance and ask again, to see if someone could answer me:

    If I were to rely on MBAM to protect me, and if I happened to download a file - a malicious file, which I obviously wouldn't know it was - with the same name (even if just a coincidence) as one of the whitelisted names in MBAM, would MBAM flag it or let it pass all the way, despite normally having a detection for it?

    That is my only question.
     
  6. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    If we knew of it as we defined it QA would also work around the white issue.

    If we did not know of it it would be missed either way.

    In either case there is no effect for the user.

    Keep in mind this is a scanner issue only; the PM would not be affected, as these are not initial launch paths, so if you are only interested in protection, then the whitelist won't have any impact.

    I mentioned this earlier, but as it is related I will mention it here again. When a malcoder wants to bypass security he looks at the collective landscape and tries to get by as much as possible. Picking a static path to try and bypass a small company would only make this infection more obvious to the collective security landscape, thus this would be a poor choice. Instead they pick a few of the top market share apps and develop custom packing routines that will not be detected 0-day. There is a second issue that makes exploiting this impractical. In an age where stealth is the goal, overwriting legit software (what you would be risking to pull this) would not be stealthy at all and could actually make the malware easier to remove with nothing more than reinstalling the affected software.
     
  7. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    The vast majority of the hard to define malware does not have a static path so this would have no effect.

    Initial drop points are also hard to predict unless you have the complete infection source, so this is just a backup anyway. If this was "how he worked" we would have failed every single MRG test ever, and this is simply not the case.



    I would like to put an end to this as it is a distraction so unless someone has more to add to the summation I am posting below, I think we have everything covered at this point.

    Critics: You are not acting like an AV.
    Us: Correct.

    Critics: A very small portion of what you do is super low tech.
    Us: Correct.

    Critics: If I create a fictional situation there are slightly annoying yet harmless side effects.
    Us: Correct.

    Critics: What if new malware tries to exploit something?
    Us: As we define it QA process fixes it.

    Critics: Are you going to use static white forever?
    Us: No, it is already being phased out.
     
    Last edited: Jul 2, 2011
  8. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,972
    Compare the number of malware files that create a C:\a file compared to legal and good programs that make a C:\a file.
     
  9. Frank the Perv

    Frank the Perv Banned

    Joined:
    Dec 16, 2005
    Posts:
    881
    Location:
    Virginia, USA
    Those of you who question the efficacy of MBAM are not looking hard enough.

    Just go here:

    http://malwareresearchgroup.com/malware-tests/

    Start looking at test results. Look at different tests (go to "MRG Archive")

    Look where MBAM beats full AVs quite often.

    By whatever methods they use, they work.

    End of story.
     
  10. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    The scanner wouldn't detect it - as I have shown earlier for taskswitch.exe (now removed from the whitelist, but there are many other entries...)

    This is no strong argument ("we know nobody who uses this way to bypass us, so there is no need to fix this weak point." Always reactive...)

    MBAM is a good product, I like it especially for detection and cleaning of new rogue threats, but here is a weakness (whitelisting by filenames...) and it has to be fixed, IMO.

    If it all doesn't matter, then why have you removed taskswitch.exe from the whitelist? Only because I posted it as an example? o_O
     
  11. carat

    carat Guest

    As far as I can remember it was an empty directory C:\A (no danger at all!) :doubt:

    So if I rename killertrojan.exe to svchost.exe it won't be detected by MBAM? :) Wow :eek:
     
  12. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    No, it would still be detected. The only time you would be correct is if the actual real svchost was replaced with malware, as if we removed that we would brick the system McAfee style. The trolling here is designed to make you think what you suggest here is true, and unfortunately the moderators seem to be cool with this.

    I am relatively certain that you know what phased out means and that when it comes to our users we will be putting them first over the trolling here. In reality (and I am sure you know this already) if this were a problem then it would be a problem.

    Why would you delete 90% of what I said and then claim that it's not a good argument? There is a lot more data there, and if you want to disagree please take it on point by point. As I said above, if this were a problem then it would be a problem. The simple fact of the matter is that what the trolling here suggests fails cost-benefit analysis so badly that it has never happened, and on the extremely off chance that it did, our QA process would fix it BEFORE those definitions made it to the user.

    In short and as I have said many times now:

    1. They don't do this because it would make their malware more obvious and easier to kill.

    2. If they did we would know and fix it BEFORE the definitions made it to the DB so the exploit would fail.
     
  13. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    I am going to try this again, as we are a few pages past new points being made.

    I would like to put an end to this as it is a distraction so unless someone has more to add to the summation I am posting below, I think we have everything covered at this point.

    Critics: You are not acting like an AV.
    Us: Correct.

    Critics: A very small portion of what you do is super low tech.
    Us: Correct.

    Critics: If I create a fictional situation there are slightly annoying yet harmless side effects.
    Us: Correct.

    Critics: What if new malware tries to exploit something?
    Us: As we define it QA process fixes it.

    Critics: Are you going to use static white forever?
    Us: No, it is already being phased out.

    And I will add this as well.

    If there were a problem then there would be a problem.
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    So, you'd rather prefer not to alert the user at all? I ask because you say that if the real svchost.exe is replaced with malware, also with the name svchost.exe, then you won't even give the user a chance of knowing an infection took place?

    It happens as nosirrah mentioned. But, imagine you happen to download a file from some website. You obviously got no idea it's malicious. If this file happens to have one of the whitelisted names (in MBAM), then MBAM won't flag it.

    Not flagging a malicious file, because it has a whitelisted name?

    And, MBAM team will fix the whitelisted name, before what? Before more users happen to become victims? Then, what happens if there's one more file that happens to have one of those whitelisted names?

    And, here's a question to the MBAM folks. If there's no danger in this whitelisting thing, then please share with everybody (in your website) that MBAM has a list of whitelisted names, and that if people download any file with such names, even if they're malicious, they won't be flagged. Obviously, this implies sharing such names. ;)

    Again, if it's not such a big deal, then what I'm asking is an easy thing to do, as it won't provoke any problems for anyone, not even for the MBAM team. It will actually help people avoid certain files, with certain names.

    :)
     
  15. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    There will be a lot of other signs of trouble and these users end up in support. We are currently working on patched system file correction code so we will be doing one better.

    No security vendor would post any of their decrypted DB in a public forum.

    Furthermore (and I have already stated) this is a scanner issue only as the initial drop paths for malware (where the PM would stop these) is a completely different animal.

    The rest of this has been asked and answered, please go back and reread what I have said.
     
  16. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Yes of course - you said it would be phased out, and so I can wait and recheck from time to time. But don't call all and everything trolling - be fair and bring arguments, or not. I was fair and just pointed out a thing which I was interested in.

    Of course I understand that it is a little bit confusing here, because the whole thread is - there are too many completely different things talked about here. So at least for me it was sometimes hard to follow, and so if I missed some arguments regarding the whitelisting issue I apologize.
     
    Last edited: Jul 3, 2011
  17. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    I was referring only to the trolling that actually took place in this thread and that its pressure will not encourage us to hastily take steps that would only hurt our users.
     
  18. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    For the same reason I upgraded from a laptop with a i5 and vertex 2 to a sandy bridge laptop with 2 vertex 3s in raid 0.
     
  19. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Regarding filename whitelisting, are we referring to the unmanageable MBAM internal db? One kept for important and protected Windows key system files like ... Svchost.exe, Winlogin.exe, Userinit.exe, Services.exe, lsass.exe, explorer.exe, system.exe? ;p

    Malware would need to replace these files that are in their proper location in order for MBAM not to detect? Just so we are clear ... so much trolling, it is hard to really follow this topic. :D

    If you download a file with those names, MBAM still uses signature checks, except if you download them to or place them on the root drive or in one of the system folders; then the MBAM on-demand scan flags them using a generic infection type based on the filename.
     
  20. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    OT posts removed.

    MBAM is a good solid app that can only get better. Nothing in this thread detracts from it.
     
  21. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA

    If you create a backup folder for system files they will not be detected. If you place the raw files in root for example they would be.

    This is not an issue, as the only reason to make copies is to have a backup. If you placed these backups in root, malware could very well overwrite them there, thus negating your backup, so even without MBAM this is simply not the kind of thing any knowledgeable user would do.

    If your system files become replaced by malicious versions we will not remove them as this would brick your system. We are working on a way to fix these in future versions but it is a dangerous process that we will take our time implementing.

    I am not 100% sure what you are asking in the last part, but if you are asking about downloading and destination folders, there would not be an issue unless you deliberately chose to destroy your already installed software with incompatible software. For example, if you downloaded TurboTax and it was infected for some reason and you decided to have it overwrite Photoshop, in theory it could be missed, but as you can see, this is not a real-world situation. Even then you would have to know our DB and specifically try and match file paths exactly. Malware that installs via drive-by install does not work this way, and either IP block or PM would function normally. BTW, I selected these 2 applications as an example only because we all know of them.
     
    Last edited: Jul 3, 2011
  22. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Well I’m satisfied, thanks nosirrah. ;)
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Not according to result shown earlier in thread:- https://www.wilderssecurity.com/showpost.php?p=1897209&postcount=25

    I have no problem with how malware is detected (even if only by name), but I do have a problem with any whitelist that does not use checksums/hash.


    - Stem
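    The difference Stem and m00nbl00d are pointing at, as an added worked example (this is illustration code written for this page, not MBAM's code, and it knows nothing about MBAM's real database or rules): a toy on-demand scanner with a content signature, a generic "protected system-file name outside a system folder" path rule of the kind Phant0m and nosirrah describe, and two interchangeable exemption designs, one keyed on filename only and one keyed on a SHA-256 of the file content. The file paths, the byte "signature", the protected-name list and both allowlists are constructed assumptions.

```python
import hashlib
import ntpath
from dataclasses import dataclass

# Constructed stand-ins, not real malware or real scanner data.
MALICIOUS_MARKER = b"CONSTRUCTED-TROJAN-MARKER"  # hypothetical byte signature
GENUINE_SVCHOST = b"constructed stand-in for the genuine svchost.exe body"

SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Generic path rule: a protected system-file name found outside a system
# folder (drive root, Downloads, ...) is flagged on name and location alone.
PROTECTED_NAMES = {"svchost.exe", "winlogon.exe", "userinit.exe",
                   "services.exe", "lsass.exe", "explorer.exe"}

# The two exemption designs under discussion (both constructed).
NAME_ALLOWLIST = {"svchost.exe", "taskswitch.exe"}              # filename only
HASH_ALLOWLIST = {hashlib.sha256(GENUINE_SVCHOST).hexdigest()}  # content hash


@dataclass(frozen=True)
class ScannedFile:
    path: str    # Windows-style path; parsed with ntpath so this runs anywhere
    data: bytes


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def has_signature(data: bytes) -> bool:
    # Stand-in for a real content signature match.
    return MALICIOUS_MARKER in data


def scan(f: ScannedFile, allowlist: str) -> str:
    """Return 'allowed', 'clean', 'detected:signature' or 'detected:generic-path'.

    allowlist is 'name' (exempt by filename) or 'hash' (exempt by content hash).
    As an exemption would be, the allowlist is consulted first; whatever it
    matches is never inspected further. That ordering is the whole problem
    with a name-only list: any content can borrow the name.
    """
    name = ntpath.basename(f.path).lower()
    parent = ntpath.dirname(f.path).lower()
    if allowlist == "name" and name in NAME_ALLOWLIST:
        return "allowed"
    if allowlist == "hash" and sha256(f.data) in HASH_ALLOWLIST:
        return "allowed"
    if has_signature(f.data):
        return "detected:signature"
    if name in PROTECTED_NAMES and parent not in SYSTEM_DIRS:
        return "detected:generic-path"
    return "clean"


def bypass_demo() -> dict:
    """Run the thread's scenarios through both exemption designs."""
    trojan = b"header " + MALICIOUS_MARKER + b" payload"
    cases = {
        # carat's question: killertrojan.exe renamed to svchost.exe, downloaded
        "renamed_trojan_in_downloads":
            ScannedFile(r"C:\Users\me\Downloads\svchost.exe", trojan),
        # the real system file where it belongs
        "genuine_svchost_in_system32":
            ScannedFile(r"C:\Windows\System32\svchost.exe", GENUINE_SVCHOST),
        # a home-made tool that merely shares a protected name, left in root
        "unrelated_tool_named_svchost_in_root":
            ScannedFile(r"C:\svchost.exe", b"my own utility"),
    }
    return {k: {"name": scan(f, "name"), "hash": scan(f, "hash")}
            for k, f in cases.items()}


if __name__ == "__main__":
    for case, v in bypass_demo().items():
        print(f"{case:38s} name-allowlist={v['name']:22s} hash-allowlist={v['hash']}")
```

    Under the name-only design the renamed trojan comes back "allowed" with the signature never consulted, which is exactly the bypass SLE demonstrated with taskswitch.exe; under the hash design the same file is caught by the signature because only the genuine file's content earns the exemption. The third case shows the cost side that m0use0ver lists: a harmless file that happens to carry a protected name in the drive root trips the generic path rule, which is the "raw files in root would be detected" behaviour nosirrah describes, and a hash-keyed exemption does nothing to soften that because the content is not the genuine file.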
     
  24. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    Hi Stem,

    Earlier when I ran some tests, I couldn’t reproduce SLE’s results ... I renamed a password tool to ‘taskswitch.exe’ and it still picked it up .. as Password.Tool; perhaps the whitelisting is maintained by the regular databases and they have now removed this filename whitelisting.
     
  25. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    They removed taskswitch.exe from the whitelist right after I posted it - that's why you couldn't reproduce my issue. Believe me, there are more entries, but they said they are working on it. So it's OK and it would be just unfair if I posted other filenames in public atm.
     