MBAM hoax?

Discussion in 'other anti-virus software' started by yaslaw, Jun 30, 2011.

Thread Status:
Not open for further replies.
  1. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I don't think what SLE is doing can be put in the realm of trolling at all. He's calling to your attention what he feels is a big oversight in your product, and I feel he's being fair about it.

    The person speaking of "victims" on the other hand, you may have a valid point there. I guess only they know for sure whether they're doing it to intentionally get under your skin, or they're just overly dramatic.

    I think the title of this thread is extremely misleading. It creates the false notion that your product is disreputable, or rogue, which is not the case. It could unjustifiably do damage to your company. I think it should be removed if it isn't changed to something like "MBAM whitelisting oversight" instead.
     
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    :thumb:
     
  3. ViVek

    ViVek Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    584
    Location:
    Moon
    +1
    +1

    @SLE, are you an IOBIT employee?
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Just to clarify it. (Because, I know this is meant to me.)

    My reply to nossirah had to do with his reply to me, and I'll quote:

    That's on post #82.

    My following reaction had simply to do with the fact that I personally see a problem with the file name whitelisting. Something that could be avoided if it worked differently. Or in other words, and as user Stem put it, using checksums/hashes.

    I have no problems whatsoever with whitelisting, as long as it isn't simply based on file names.

    But, all this could be avoided, from the start, if checksums/hashes were used, instead of file names.

    So, I only played along with the answer I got back. Therefore, I used the possibility of some random user downloading a file that happens to have the same name as one of those that are in the whitelist.

    I didn't say there are victims. But, I think of any possibilities that may happen, including to some of my relatives.

    Or, will anyone say with 100% certainty that there's not even 1% chance of any of them downloading some file that happens to have the same name. I'm not even talking about this whitelist thing being exploited. I never did. Just a mere possibility.

    The 1% is what I care about, not 99% that are covered.

    Someone sees this as trolling. OK. So be it.

    @ nossirah, the reason I got interested in this thread was because I have relatives using the free version of MBAM. That's my only concern.

    Oh, by the way... you called me troll, but you didn't answer what other means the free version has to counteract the file name whitelist?

    You didn't answer that.
     
  5. LODBROK

    LODBROK Guest

    Watch out Malwarebytes!! Exposed at Wilders... YOU'RE GOING DOWN NOW! :rolleyes:
     
  6. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I didn't even look to see who said it, and I should have, because being familiar with some of your posts I'm certain that option #1 doesn't apply (troll). And now that you put it into context it explains #2 as well.

    I'm sorry if I offended you Moon. You're alright in my book.

    What I said in defense of SLE, and about the title of this thread still stands though.
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
    A couple thoughts on this. First, starting topics with sensational or dramatic titles is a very common literary device. It's done in the press, on personal blogs and at all forums that I know of. Personally, I have never liked the more extreme examples, but, this one hardly reaches to the extreme. After all, the thread starter ended the title with a question mark. It's not a statement, it's a question. Second, you can't call this a topic about whitelisting anyway, since the original posts were about blacklisting by file name, not whitelisting. That came later. As someone said above, this thread turned out to be about a lot of different things.

    However, if the thread starter wants the title changed, we'll be happy to do so.
     
  8. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Don't slur me. ;) I'm a free person and not employed by any security software vendor.

    Not really; nevertheless, I also think the title is nonsense.
    - The thread was primarily about some "detections only because of filenames", and here nosirrah explained some things which at least I fully understand.

    - I jumped into this thread with a slightly different topic than the thread was originally about, so someone can call me a hijacker, but not a troll. (And I don't really believe anyone did so... but @luciddream, thanks for the defense.)
    So I was the first to talk about the "whitelisting oversight", because it's a thing that has puzzled me since it became public in 2009. I thought this thread was adequate for asking about it. (And hey, I'm a long-time Wilders reader; I registered just for this question.)

    - Then I was wondering why only my "public example" was removed from whitelist - but nosirrah said they'll look into it and it's ok. I see no need for pressure and things take time. So I'm patient and will check again in a few weeks.

    IMO MBAM is a great tool, a good addition to classical AVs, esp. when it comes to detecting and cleaning new threats. And yes, I think they should fix all known "weak points" even if atm there is no malware which uses such methods to bypass MBAM's scanner. Keep the vector as small as possible.
     
  9. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    You can access the inner workings of any security app and use that info to create fictitious situations where undesired results happen.

    It does not happen in the real world as every app works differently and that one trick would be useless in the big picture.

    TDL4 sucks because the AVs as a whole were terrible at blocking it, not because little old MBAM does not play by AV rules.

    You guys can continue with this if you want but I have work to do against things that actually affect our users and the AVs do not detect.
     
  10. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    It may not be that simple. If svchost is changed/replaced by malware, you can't just delete it, and perhaps not even just replace it with the legit version.

    There may be more to it than that, and it's their job after all :D
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I understand what you're getting at, but I didn't mention any svchost.exe file. Not in my latest posts, anyway. I did mention it, initially, but only regarding the possibility of the original file being replaced. But, that doubt is gone now. (Allow me to rephrase it: possibility.)

    But, to be honest I don't remember whether or not svchost was one of them (whitelisted names, that is), or if svchost only had to do with the same file name out of the original place.

    According to user SLE there appears to be more whitelisted names.

    Just to clarify, I'm not discussing file names and paths, or in other words blacklisting by file name and path. My initial doubt, considering the title of the thread, was whether or not that was all MBAM was doing. Which, I must say, would have been a complete surprise to me.

    But, as soon as the blacklisting thing was clarified, I never touched that specific matter. My only interest was/is the whitelisting implementation, after it was brought up to discussion.

    According to user SLE there appears to be a few whitelisted names.

    Anyway, I wasn't thinking of svchost, only about downloaded files, which could result in whatever else scenario. But, that's another talk. I do not wish to go further in this discussion.

    I do get your point, though.
     
  12. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    SLE is right, there are more, but these are being slowly phased out like Shadowwar and nosirrah had mentioned, ... as people discover these and report them.
     
  13. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    This is completely incorrect.

    We are phasing them out as it is safe; we only removed the one posted because it could have been removed a while ago, as it turns out.

    There is no malware exploiting anything and there won't be, as this won't affect Avira, Avast, KAV, Norton, McAfee, Bitdefender, AVG.........

    Does anyone here honestly think we are a big enough fish that doing R and D on this for the bad guys would in any way help them? You guys talk like we are the only name in security that matters and if they find a way to exploit us they will strike gold.

    It would cost them time and $ and in the end they would have a super obvious trojan that breaks existing software.

    I know this is a great diversion from all the AV failings that allowed the TDL4 botnet to be built but if you think criminals care about a useless corner case that would in the end only make their malware detected more quickly then you are not focusing on reality, a reality of failed AVs that allows us to do things differently and succeed where they could not.

    In the end there have been years of this not being an issue even though the malcoders have been well aware. I watch them build new cryptors. I watch them change social tactics. I watch them do many things that affect ALL security vendors.
     
    Last edited: Jul 3, 2011
  14. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    @nosirrah: Besides all the TDL4 panic marketing which so many seem to do these days, when I go with your argumentation I have one question: the sense of whitelisting is to prevent FPs, OK. But why file names and not hashes in the whitelist? Only because it's easier and cheaper, or do I miss some point? And why then do nearly all other vendors use different approaches that are not so easy?
     
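The trade-off m00nbl00d and SLE raise above (a whitelist keyed on file name versus one keyed on a checksum), as an added example that is not part of this thread and not Malwarebytes' code: a toy scanner with one byte signature, run against the same three files with each kind of whitelist. Every file name, byte string and the "EVIL_MARKER" signature is constructed for the demo; "vendortool.exe" is a hypothetical whitelisted name, and nothing here reflects what MBAM actually lists or how its engine works.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Constructed sample data for the demo. "EVIL_MARKER" stands in for a
# detection signature; it is not a real malware pattern.
SIGNATURE = b"EVIL_MARKER"


@dataclass(frozen=True)
class File:
    name: str    # file name as it sits on disk
    data: bytes  # file content


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_hit(f: File) -> bool:
    """The 'scanner': flags any file whose content contains the demo signature."""
    return SIGNATURE in f.data


def scan_name_whitelist(f: File, trusted_names: set[str]) -> str:
    """Whitelist keyed on file name. Any file carrying a trusted name is
    reported clean, whatever its content."""
    if f.name.lower() in trusted_names:
        return "whitelisted"
    return "detected" if signature_hit(f) else "clean"


def scan_hash_whitelist(f: File, trusted_hashes: set[str]) -> str:
    """Whitelist keyed on content hash. Only the exact known-good bytes are
    exempted; name and path play no part."""
    if sha256_hex(f.data) in trusted_hashes:
        return "whitelisted"
    return "detected" if signature_hit(f) else "clean"


# Hypothetical vendor tool whose legitimate binary happens to contain the
# signature bytes: the false-positive case a whitelist exists to cover.
LEGIT = File("vendortool.exe", b"MZ" + b"\x00" * 16 + b"legit payload " + SIGNATURE)

# The same legitimate bytes after a browser saved a second copy under a new name.
LEGIT_RENAMED = File("vendortool (1).exe", LEGIT.data)

# An unrelated file that merely borrowed the trusted name; content differs.
IMPOSTOR = File("vendortool.exe", b"MZ" + b"\x00" * 16 + b"dropper " + SIGNATURE)

NAME_WHITELIST = {"vendortool.exe"}
HASH_WHITELIST = {sha256_hex(LEGIT.data)}


def compare() -> dict[str, tuple[str, str]]:
    """Return {label: (verdict with name whitelist, verdict with hash whitelist)}."""
    samples = {"legit": LEGIT, "legit_renamed": LEGIT_RENAMED, "impostor": IMPOSTOR}
    return {
        label: (scan_name_whitelist(f, NAME_WHITELIST),
                scan_hash_whitelist(f, HASH_WHITELIST))
        for label, f in samples.items()
    }


if __name__ == "__main__":
    for label, (by_name, by_hash) in compare().items():
        print(f"{label:14} name-whitelist={by_name:12} hash-whitelist={by_hash}")
```

The name-keyed list exempts the impostor simply because it carries the listed name, and stops exempting the genuine tool the moment it is saved under a different name; the hash-keyed list does neither. What the hash list costs is upkeep: a new hash has to be added for every release of each exempted program, which is the maintenance that name matching avoids.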
  15. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    I can only say this so many times. As it is proven safe to do so things will transition to a different system.

    There currently is no issue, as there is nothing but detriment to the malcoders; this is useless data to them.

    Fiction will not make us rush to fix a non issue for a few people that like saying the same thing over and over online.
     
  16. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Thanks for the answer; I don't really understand it, but I have to accept it. ;) I hope you will be right.
     
  17. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
    Okay, and with that we're going to bring this thread to a close. I think that Malwarebytes has provided sufficient answers to explain their position and those asking the questions have explained their concerns. There is nothing to be gained by circling around it anymore. Let's move on.
     