MRG Flash Tests 2011

Discussion in 'other anti-virus software' started by LODBROK, Jan 27, 2011.

Thread Status:
Not open for further replies.
  1. get_it

    get_it Registered Member

    Joined:
    Aug 28, 2007
    Posts:
    99
  2. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,290
    WTFo_O lol...
     
  3. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,564
    Location:
    New York City
    Last edited: Mar 12, 2011
  4. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    So, Bruce, just how does MBAM manage to stay at the forefront on these tests? (And happily so...for me and many others...)
     
  5. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    You know I can't go into a lot of details here but starting in 1.50 we made changes that made 0day detections far easier to pull off. We have always made strides when it came to prevention but the moves we made both on the research side and technology side in 1.50 were the biggest ever in a single update.
     
  6. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,564
    Location:
    New York City
    Something definitely changed. You scored 80% in 2010 (which is also very good) to 100% this year in the flash tests.
     
  7. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Thanks, Bruce. I didn't expect you to reveal any proprietary secrets, of course. ;) ...

    ...but I'm very happy to have the additional protection afforded by that leap in prevention/technology. (And no apparent issues using the IP blocking feature in concert with ClearCloud DNS either.) :thumb:
     
  8. Zimzi

    Zimzi Registered Member

    Joined:
    Jul 10, 2005
    Posts:
    289
    This is the 15th keylogger (57.7%) in current MRG Flash Testing. Only 7 trojans, 4 rootkits. Why so many keyloggers?
     
  9. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    These are the most critical 0day types of malware. It's not all that big a deal to get a 0day adware BHO that 2 days later is defined and removed, but something that instantly starts sending keys and screen shots, after-the-fact defs are virtually pointless.

    Think about it this way. If you went to a family member's house and on a PC used for financial transactions which malware classification would you be most alarmed to see?
     
  10. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    Totally agree. Loggers (of any sort...key, clip, screen, etc) are my primary concern in terms of overall security.
     
  11. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    It's quite dramatic (and encouraging) to see the way MBAM is out-performing SAS.
    MBAM is flat hitting it out of the park, while SAS is failing more than 50% of the tests. :)
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    I would love to see Sandboxie in these tests.
    I know some people say keyloggers can run inside SBIE, but imo, a properly configured sandbox (with tight start/run and internet access restrictions) will preclude loggers from doing their thing until the sandbox contents are deleted. :cool:
     
  13. LODBROK

    LODBROK Guest

    Not to detract from Malwarebytes' engineering and coding brilliance, I'm convinced their obsession, uh, devotion ;) to database updates has much to do with the stellar performance of the realtime protection module in MBAM full (aka licensed, aka Pro).

    I have one system that's online 24/7 and spends many of its 10-12 production hours accessing the WWW for current and historical content. As such, MBAM is set to check for updates every 15 minutes. Since I began using it in Jan 2010 (v1.45), the average has been 6 to 7 updates a day. For 2011 so far, it's about 9 a day. At times I've seen those updates roll in three or four times in a one hour period. I recall even on an occasion or two, the updates bumped two points - meaning that in the 15 minute interval I missed one. Someone over there is feverishly at work!

    At a mere $24 for a lifetime license, this is the greatest bargain for this class of system protection. (Upon reading this, the Wilders Where's My Free Steak Dinner? rubes will bend in despair, poking in frustration with plastic forks at the by-product lunch meats on their paper plates.)

    For the reasoning challenged who might ponder why I set the updates to 15 minutes it's... because I can.

    Bruce, thanks for contributing to this thread!
     
    Last edited by a moderator: Mar 12, 2011
  14. LODBROK

    LODBROK Guest

    I mentioned back in post 139 here that an MRG forum member is maintaining a spreadsheet compiling all the results, detections and scores at:
    -https://docs.google.com/leaf?id=0BxamVvlZYmoyNmZhYTQ0MDEtMmY2OS00MzczLTg2MWEtOTU3Yzc2NDNmYjVj&sort=name&layout=list&num=50-
    FYI & FWIW: it's still current. :thumb:
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Thanks for reposting that, LODBROK, as I had missed the earlier one. :thumb:
    Do you or anyone else know what the orange-colored PASSED (one each for Prevx and DefenseWall) means?
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What does that make of the free version o_O Because, if the free version isn't meant to detect malware, then I'll ditch it. :D
     
  17. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    This is reminiscent of a conversation I was having with Bruce offline via PM just recently.

    I happened to mention to him that if someone used the MRG results as a baseline, that pairing MBAM with the free antivirus of their choice would be both the most economical and most efficient choice in terms of addressing this avenue of malware prevention/protection.

    This is not to say that the MRG tests (or any other) represent the end-all and be-all but that if one analyzes the data (and accepts its premises) that certain reasonable conclusions can be arrived at.

    I voted with my analysis and my wallet and have no regrets in doing so. :cool:
     
  18. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    Hi m00nbl00d... I'm sure you're joking, because of course the free version is meant to detect malware. Difference being that the Pro version can do it on-access instead of on-demand, and with more frequent updating. But you knew that. ;)
     
  19. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    The update is working great, thanks for developing such a stellar program.
     
  20. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    I still say EAM should improve their keylogging detection, I'm talking about the BB. :thumbd: :D
    That's just my personal opinion
     
  21. LODBROK

    LODBROK Guest

    Isn't it past your bedtime? :D

    Well, for one it makes it the free version... free. And not realtime. And irrelevant (tho not classically off-topic) to this thread about 0-day threats.

    Pretend that both versions of MBAM, by nature of the engineering and databases, can sniff out invisible toxic dust.

    Consider MBAM full as an air filtration system on your house keeping toxic dust from entering your living room because you installed it correctly and have Mr. Otto Updadder stop by on a tight schedule making sure the latest and greatest filter is installed.

    Consider MBAM free as a flashlight you grab and turn on and shine about your living room to make invisible toxic dust glow and as the vacuum cleaner you use to remove it. You have to think of using the flashlight and consider how Mr. Updadder's cousin (Mr. A. Schedular) fits in to that plan; if he skipped and you have to do it. And what's up since you had toxic dust all over your living room for a while.
     
    Last edited by a moderator: Mar 12, 2011
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    As a matter of a fact, yes. :D

    I do my efforts not to let the dust in. :)
     
  23. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,944
    Location:
    USA
    You know, I have been watching the results for MRG Flash Test Project 2011 and avast's ultra weak 23% PASS rating makes me wonder if they haven't taken their eye off the ball in the detection department. It looks to me like they are overly focused on modules and options that don't seem to work, and in the process of adding more bells and whistles and rushing out their most recent version, they have dropped the ball where it matters big time... detection. If the MRG Flash Test results are not an exception to the rule, then I am not sorry that I removed their AV from my computers more than a month ago, although it wasn't for the reasons stated here. I'm not bashing, as I used avast for close to four years... and I hope they get back on track.
     
  24. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    I read somewhere that the Orange pass = partially pass....:)
     
  25. Matthijs5nl

    Matthijs5nl Guest

    Usually means something like that the threat was able to install some files, but the threat never became active.
     