I tested MBAM with 10 malware samples. It stopped 5, and only with its "IP protection" while connecting to the infected sites; the other PDF exploits, trojans, and rogues went through. IP protection: http://img269.imageshack.us/img269/8475/mb5d.jpg PDF exploit: http://img20.imageshack.us/img20/6876/mb2h.jpg Rogue (French): http://img188.imageshack.us/img188/8094/mb3z.jpg Rogue: http://img39.imageshack.us/img39/3900/mb4f.jpg I scanned first with Prevx. It found 7 different infections, including a rootkit. Then I scanned and cleaned with MBAM, rebooted and scanned again: clean. Prevx still found two malware files, but no active infection was present anymore. So: MBAM gives some real-time protection, but it is surprisingly low when compared to its good cleaning capabilities. P.S. Notice in the figures that Prevx real-time protection is still not working in my VM, showing green. Hopefully the reason is found soon.
Newish rogue - SaveDefense: MBAM hits this new rogue, no problem, but the point I want to make is that any and all blacklist vendors want any samples they don't hit. If you get your samples over to them, detections/cleanups will be included ASAP.
It would be very interesting to test Threatfire with the same malware samples. If ako would be so kind to test TF for us or send them to me ...
If the guys creating the GUI for these rogues ever decided to go straight, they'd be in great demand from some legitimate vendors.
AFAIK SaveDefense is a well-recognized ROGUE. Google the name "savedefense" to see for yourself. I am puzzled as to why Franklin seems to be promoting a rogue software. Have I been misinformed?
But its IP protection does not seem to differentiate between the good and the bad; it blocks regardless... maybe it's a new feature, so it'll improve. Well... that's not the first time I've heard that. P.S. Ako! Thanks for testing.
PCMag some months ago: However, the real-time protection in the $24.95 Pro edition just doesn't do the job. If I were rating the Pro edition, which promises both cleaning and protection, I'd probably give it 2.5 stars. Go ahead and add the free scanner to your security arsenal
If you take into account the amount of installers just for one rogue floating around, you will see that it's quite a job to keep up with them for all blacklist vendors. Even though the installer might not be hit straight up, the install itself should be hit if the install path stays the same. Below are some of my sample installers for the rogue "Personal Antivirus", and trust me, there are way, way more out there, with new morphs being released every couple of days.
bellgamin, I like these rogue apps as much as I like our politicians. Here's another newish rogue for ya.
http://blog.trendmicro.com/investigations-on-a-cybercrime-hub-in-estonia/ http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/a_cybercrime_hub.pdf Interesting read.
Hi! I don't personally find TF too interesting. I never use local samples. I download them during testing or just visit an exploit site. This way I try to make sure they are real 0-day threats. After testing I usually delete that copy of VM. Anyway, such a test should give similar (good) results as Matt's at remove-malware. See http://www.youtube.com/user/mrizos
In theory, that's how it should be, but unfortunately, in some instances when you send a sample, the analysts reply to say there's no malicious code in the file so it doesn't get added. I've had this with Kaspersky Lab a few times when submitting rogues although, to be fair to KL, they are adding detection for fraudulent programs as not-a-virus:FraudTool, so I don't know why they don't add the submissions to that category also. This is the issue that has come across in various threads when discussing the detection of rogues in general. Some anti-malware vendors are better than others at this game; others are taking longer to add them as it requires more analysis, especially if the file is said to be "clean".
Good grief! They are all soooo pretty. Ergo, they must be good AVs, right? Umm.. wrong. BTW, my attitude toward politicians is much the same as a fire hydrant's attitude toward dogs.
Funny you put that up. I just came across another variant of that rogue a few days ago. 0/41 on VT, and still today only 1/41.