MBAM test

Discussion in 'other anti-malware software' started by ako, Aug 28, 2009.

Thread Status:
Not open for further replies.
  1. ako (Registered Member; joined Nov 16, 2006; 627 posts)

    I tested MBAM with 10 malware samples. It stopped 5, and only with its "IP protection", while connecting to the infected sites, but the other PDF exploits, trojans, and rogues went through.

    IP protection
    http://img269.imageshack.us/img269/8475/mb5d.jpg

    pdf-exploit
    http://img20.imageshack.us/img20/6876/mb2h.jpg

    Rogue (French :)
    http://img188.imageshack.us/img188/8094/mb3z.jpg

    Rogue
    http://img39.imageshack.us/img39/3900/mb4f.jpg

    I scanned first with Prevx. It found 7 different infections, including a rootkit. Then I scanned and cleaned with MBAM, rebooted and scanned again: clean.
    Prevx still found two malware files, but no active infection was present anymore.

    So: MBAM gives some real-time protection, but it is surprisingly low when compared to its good cleaning capabilities.

    P.S. Notice in the figures that Prevx real-time protection is still not working in my VM (it shows green). Hopefully the reason is found soon.
     
  2. jmonge (Registered Member; joined Mar 20, 2008; 12,883 posts; Canada)

    Cool test ;)
     
  3. Franklin (Registered Member; joined May 12, 2005; 2,517 posts; West Aussie)

    Seven of the latest morphed installers for PC Antispyware 2010, scanned from MBAM's right-click:

    PC AS.JPG
     
  4. Franklin (Registered Member; joined May 12, 2005; 2,517 posts; West Aussie)

    Newish rogue - SaveDefense:
    MBAM hits this new rogue no probs, but the point I want to make is that any and all blacklist vendors want any samples they don't hit.

    If you get your samples over to them, detections/cleanups will be included ASAP.

    SD.JPG
     
  5. Zimzi (Registered Member; joined Jul 10, 2005; 289 posts)

    It would be very interesting to test Threatfire with the same malware samples.

    If ako would be so kind as to test TF for us or send them to me ... :argh:
     
  6. StevieO (Registered Member; joined Feb 2, 2006; 1,067 posts)

    SaveDefense

    Looks nice, how much?
     
  7. Franklin (Registered Member; joined May 12, 2005; 2,517 posts; West Aussie)
    Have PM'd you the price StevieO. ;)
     
  8. andyman35 (Registered Member; joined Nov 2, 2007; 2,336 posts)

    If the guys creating the GUI for these rogues ever decided to go straight, they'd be in great demand from some legitimate vendors. :cautious:
     
  9. firzen771 (Registered Member; joined Oct 29, 2007; 4,815 posts; Canada)
    lol too true...
     
  10. bellgamin (Very Frequent Poster; joined Aug 1, 2002; 5,648 posts; Hawaii)
    AFAIK SaveDefense is a well-recognized ROGUE. Google the name "savedefense" to see for yourself. I am puzzled as to why Franklin seems to be promoting a rogue software. Have I been misinformed?
     
  11. Dregg Heda (Registered Member; joined Dec 13, 2008; 830 posts)
    I thought MBAM was poor in detecting static files? Is this true?
     
  12. thathagat (Guest)

    But its IP protection does not seem to differentiate between the good and the bad; it blocks regardless.... Maybe it's a new feature, so it'll improve.
    Well... that's not the first time I've heard that.
    P.S.
    Ako! Thanks for testing.
     
  13. progress (Guest)

    PCMag some months ago: However, the real-time protection in the $24.95 Pro edition just doesn't do the job. If I were rating the Pro edition, which promises both cleaning and protection, I'd probably give it 2.5 stars. Go ahead and add the free scanner to your security arsenal :)
     
  14. Franklin (Registered Member; joined May 12, 2005; 2,517 posts; West Aussie)

    If you take into account the amount of installers just for one rogue floating around, you will see that it's quite a job for all blacklist vendors to keep up with them.

    Even though the installer might not be hit straight up, the install itself should be hit if the install path stays the same.

    Below are some of my sample installers for the rogue "Personal Antivirus", and trust me, there are way, way more out there, with new morphs being released every couple of days.

    PA.JPG
     
  15. Franklin (Registered Member; joined May 12, 2005; 2,517 posts; West Aussie)
    bellgamin, I like these rogue apps as much as I like our politicians.

    Here's another newish rogue for ya.
    BD.JPG
     
  16. stackz (Registered Member; joined Dec 27, 2007; 619 posts; Sydney Australia)
    That BlockDefense looks very familiar :rolleyes: If only I could think where I've seen it. ;)
     
  17. Franklin (Registered Member; joined May 12, 2005; 2,517 posts; West Aussie)
    Ya seen one ya seen em all. Well almost. :D

    WB.JPG
     
  18. Franklin (Registered Member; joined May 12, 2005; 2,517 posts; West Aussie)
    TrustNinja o_O

    Trust.JPG
     
  19. Franklin (Registered Member; joined May 12, 2005; 2,517 posts; West Aussie)
    SaveSoldier :blink: and there's more but I'll stop here as I don't want to bore you all to death.

    ss.JPG
     
  20. LagerX (Registered Member; joined Apr 16, 2008; 540 posts)

  21. ako (Registered Member; joined Nov 16, 2006; 627 posts)

    Hi!

    I don't personally find TF too interesting.

    I never use local samples. I download them during testing or just visit an exploit site. This way I try to make sure they are real 0-day threats. After testing I usually delete that copy of the VM.

    Anyway, such a test should give similar (good) results to Matt's at remove-malware. See http://www.youtube.com/user/mrizos
     
    Last edited: Aug 29, 2009
  22. ako (Registered Member; joined Nov 16, 2006; 627 posts)
    You are welcome! ;)
     
  23. TonyW (Registered Member; joined Oct 12, 2005; 2,635 posts; UK)
    In theory, that's how it should be, but unfortunately, in some instances when you send a sample, the analysts reply to say there's no malicious code in the file so it doesn't get added. I've had this with Kaspersky Lab a few times when submitting rogues although, to be fair to KL, they are adding detection for fraudulent programs as not-a-virus:FraudTool, so I don't know why they don't add the submissions to that category also.

    This is the issue that has come across in various threads when discussing the detection of rogues in general. Some anti-malware vendors are better than others at this game; others are taking longer to add them as it requires more analysis, especially if the file is said to be "clean".
     
    Last edited: Aug 29, 2009
  24. bellgamin (Very Frequent Poster; joined Aug 1, 2002; 5,648 posts; Hawaii)
    Good grief! They are all soooo pretty. Ergo, they must be good AVs, right? Umm.. wrong. :cool:

    BTW, my attitude toward politicians is much the same as a fire hydrant's attitude toward dogs.
     
  25. BrendanK. (Registered Member; joined Jun 23, 2008; 520 posts; Australia)
    Funny you put that up. I just came across another variant of that Rogue a few days ago. 0/41 on VT, and still today only 1/41 :)
     