What is the difference between MBAM and an AV?

Discussion in 'other anti-virus software' started by Osaban, Mar 11, 2010.

Thread Status:
Not open for further replies.
  1. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    'Malware' is a general term; today AVs detect all kinds of malware, so you can consider MBAM an AV, or better, consider modern AVs anti-malware. There are some differences between MBAM and AVs, though, that make it infeasible for MalwareBytes to partake in AV-C etc. I'll try to point out what MalwareBytes does; it might not be accurate, so please correct me if I'm wrong.

    • They only focus on online threats.
    • They only focus on the more popular ones.
    • They provide all kind of protection related to those threats.
      • Adding the websites hosting the malware to IP Protection list.
      • Adding the malware signature to the database.
      • Analyzing the malware's behavior and adding the necessary code to disinfect & cure the damage done by that malware (including the registry).
    • MBAM also does heuristic analysis.

    So MBAM is like an AV with heuristics and IP blocking that only focuses on a small number of malware families, so MalwareBytes has enough resources to provide maximum protection against the malware they put in the database.

    MBAM is a good complement to regular AVs, but it doesn't have any chance on AV-C due to its small number of signatures.

    Now to answer why those guys making video tests mainly use MBAM: if they mean MBAM is a substitute for the particular AV they're testing, they're obviously spreading misinformation; if they mean just an AV is not enough, then that's OK. Why don't they use e.g. Hitman Pro? Maybe because it doesn't provide unlimited free removal? Or it's not as popular as MBAM yet? o_O
     
    Last edited: Mar 11, 2010
  2. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    So, finally somebody who has a straight answer. I must admit I'm not as sharp as some of the antimalware experts around here: MBAM is used to check the ANTIMALWARE (spyware, adware, trojans etc.) capabilities of a particular AV.

    If that is the case, when people test AVs using MBAM as a yardstick they are ignoring the huge antivirus detection capabilities, which is the prime function of an AV. In TheIgster's AV "tests", it should be specified that viruses are not tested, and AVs like Kaspersky and Avast have done well in the general malware department, with no indication whatsoever of their detection potential facing virus threats.
     
  3. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    I completely agree. The perception that one might have seeing all these video tests is that the AV tested will fare badly through the whole spectrum of malware. I also would like to emphasize the fact that my thread title is about methodology; it has nothing to do with MBAM, which I know is a terrific tool to clean badly infected computers.
     
  4. nikanthpromod

    nikanthpromod Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    1,369
    Location:
    India
    AVs look for *.EXEs.
    MBAM scans the registry and DLL files.
    I was using MBAM with Eset SS.
    When I did a scan with MBAM, exe files were detected by Eset, and other registry items and some dll files were detected by MBAM. SO FULL CLEANING ;)
     
  5. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    Again you are missing the big picture. These "tests" are using malware that is in circulation and infecting PCs worldwide. It's a multi-billion dollar industry scamming people. As previously stated, most of the major AVs offer virus and worm detection, but they also claim to offer spyware, adware, trojan and rootkit detection/removal, which is exactly what MBAM offers. Therefore when MBAM is picking up infections missed by <insert AV here>, it only shows that 1) nothing is 100% and 2) you need more than a single AV or AV suite to protect your PC.
     
  6. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    In most of the Youtube tests I've seen, yes.

    I don't know if I would agree that classic antivirus is really the prime function of antivirus software these days, though it most certainly was the original function. Classic viruses are such a small percentage of active threats these days that antivirus products have really branched out into anti-malware. The name just sort of stuck.

    Here's some threat analysis stuff:
    http://www.threatexpert.com/reports.aspx
    and
    http://www.viruslist.com/en/analysis?pubid=204792107
    There are lots of sites that do that. I just put a couple in to illustrate that when you look at the prevalent threats, very few are viruses. If AV software hadn't evolved into more general duty it would probably be close to irrelevant... some say signature-based stuff, which is what most traditional AV still is at its core, is already irrelevant.

    So I look at it this way, if most of the common threats these days are worms and trojans and rogues and rootkits, and AV products claim to deal with these threats, along with classic computer viruses, and most people look to these products for protection from these threats, then I don't think it is unfair to test AV products against them.

    But I think we also have to allow that these are just informal tests that folks do in their spare time. They choose the exploits they test because they are so prevalent and so easy to find. And they use Malwarebytes because it's fast and easy and has a good record for finding them in scans. It might not be the most scientific approach, but if one assumes that trojans/rogues/worms are the most common forms of malware out there, and the most likely to get on people's computers (and it's an assumption that is not without some merit), then these tests are at least a quick and dirty look at what one might expect in a real-life situation.

    Personally I'd like to see some testing against stuff that comes in by way of Acrobat Reader and Flash, since they are the primary attack vectors these days, and something more advanced used for rootkit detection, since it's pretty common and not Malwarebytes' specialty, but I understand that Acrobat and Flash stuff is harder to find, and rootkit scanning adds a decent chunk of time to the tests. Mostly I just find them fun to watch and get an idea of the products, but I don't take the results too seriously.
     
  7. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    You know, for all I care, it has been 5 years since I even got a tracking cookie on any of my computers, and even my Avira is used only on demand to check flash drives plugged into my computers. My original query was about a typical thread title that reads something like "AV tests" (obviously I'm referring to TheIgster's thread, and I'm not specifically criticizing him, as much as the methodology used).

    Nowhere does it say that the malware samples are culled from various websites dealing only with adware, spyware and trojans. It is not obvious for the casual reader. But perhaps you are right, I'm one of the few guys here missing the big picture.
     
  8. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Osaban, have any of your computers [at home or at work] ever been hit by a ROGUE ANTIVIRUS? If your answer is NO, then you are a very lucky guy.

    Nowadays, the MAIN vector of PC/laptop infections among computer users at home and at work is the ROGUE AVs. For example, in the past two weeks 8 people that work in my same department got their computers hit by Rogues [Security Tool, Paladin Antivirus, Antivirus Soft, Internet Security 2010]. Their computers at work were running Symantec Antivirus Corporate version 10.1 on Windows XP Professional SP-3 and IE7. Many of them asked how come their PC got hit by this nasty Trojan when it's running Symantec AV? [By the way, at work, our IT department has placed our Win XP Pro accounts in the Restricted Users group.]

    What does this mean? It means Symantec AV missed all these Fake AVs, and so would any other corporate AV [McAfee or any other].

    Rogue AVs are the MOST challenging kind of Malware I have EVER seen since I started using computers back in the 90's.
    You are just browsing let's say CNN during a break at work and suddenly a pop-up window appears telling you that your PC is “infected”. If you are NOT savvy enough you end up clicking on that pop-up window and prompting a Drive-by-Download of a Trojan which in turn installs the Fake AV.

    Why can't the traditional AVs keep up with the Rogues? Well, because there are TOO MANY variants of those Rogues being created at a rate of 10-15 an hour.

    Example: I use ESET NOD32 4.2.35.0 on my computers at home. To help my AV to detect those Rogues, I usually surf shady web sites known to distribute Malware. I do that using Firefox 3.6+NoScript in a Sandbox running on Vista x86 SP-2. While doing this, I'm able to download Rogue AV samples and submit them to ESET to be added to their database. Do you want to know something? Sometimes, the very SAME URL/IP Address/Domain where I downloaded a variant of the Rogue “Security Tool” comes up with another variant of this same Rogue in about 20-30 minutes [different MD5].

    So, how are the AV vendors going to cope with all this? It's really overwhelming.

    This is where MBAM enters, to fill a niche where traditional AVs are WEAK.
    That's why you watch people on YouTube or read reviews saying that MBAM is excellent at fighting ROGUES and, since ROGUES are the main vector of infections at FACEBOOK, MYSPACE and TWITTER [where an overwhelming majority of people with little knowledge about computers surf], that is a reason why MBAM is used to clean computers from Rogue infections.

    I hope you have got the idea.

    Regards,

    Carlos
     
  9. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    Zyrtec, I'm a lucky guy because I have a splendid family (I mean real people, not machines!). I haven't been infected in 5 years only because my systems are always virtualized.

    I must say however, that even virtualized I've never ever had a pop up, or window asking me to execute anything unless it was intentionally prompted by my own doing. I'll admit, I don't visit shady websites, or actively look for malware. On the other hand I often use an extension with Firefox called 'Stumble upon' which searches for websites that have some kind of similarities to what I have elected as my areas of interest. It is risky surfing as you land on websites that are basically suggested by other people, and even in these particularly risky situations I've never ever had a hint about malware.

    I have nothing against MBAM or any other scanner for that matter. My original contention was judging AVs in apparently absolute terms with a tool like MBAM, which can only give a partial assessment of the performance of AVs vis-à-vis threats like adware, spyware and rogues, as you mentioned.
     
  10. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Because your thread title is "WHat is the difference between MBAM and an AV?"..hence most of the answers you got.

    I don't see examples of MWB being used to "judge AV tests"....that doesn't even make sense. For someone to judge...it has to be a person able to make a decision. An object cannot judge something, it doesn't have a mind to make a decision. Judge in the courthouse, or judges voting in a competition.

    I don't think MWB is BS, we use it frequently to clean PCs, so every day we get to see how it does vs other products. Vast experience has shown it to be the top product in this field. First, after many many years in the computer field, we're quick to realize the difference between "viruses" and current trends of malware....such as the popular rogues/fake alerts. BUT...and think about this, some antivirus programs are pimping themselves as complete protection...INCLUDING all types of threats such as adware, spyware. Example...Eset being one of the AV brands to first start making these claims. And early in the game they were strong in this area.

    So "if" an AV vendor is making claims that their product is strong in all types of malware protection, including adware/spyware/trojans...they have clearly opened the door for them to be compared against dedicated products in this area when it comes to this specific type of threat. And in my opinion, if an AV vendor claims their product can protect in this area, it opens the door for me to compare them to the best in this field.

    Every_single_day we're dealing with rogues on clients; it's gotten to the point where I'm so busy, I don't have time to make it to all clients, and to be honest I'm often talking to some clients on the phone walking them through steps on removing some of the malware that I have memorized in my head how to clean. The same rogue that's been out for many months and I've removed many times....the AV product is STILL not detecting, but MWB picked it up and detected it a day or so after this new rogue came out....you start to raise your eyebrow at your favorite AV product not detecting it MONTHS after this variant has been in the wild. I mean..seriously, if I, a human being, can have it memorized..and be able to walk average end users through removing it over the phone...why the flipping F can't the AV product have defs for it months later? I'm very familiar with new variants coming out many times a day, and MD5s, but when the rogue name is the same, when the directory it makes is the same, when the .exe file in that directory is the same name...come on now AV product..wake up and smell the coffee.

    Bottom line...MWB is one of (if not the) best products in this particular area of threats....fast emerging rogues. They pick up where AV products that claim to protect in this area fail. They're doing a great job. And wow...free too? Heh.
     
  11. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Relevance? I have a family of real people too!
     
  12. iravgupta

    iravgupta Registered Member

    Joined:
    Dec 17, 2009
    Posts:
    605
    If MBAM can manage to detect rogue AVs, then why are ESET, NORTON, etc. behind the curve? Is it lack of resources? Maybe someone should consider licensing the MBAM DB and merging it with their own.
     
  13. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    That's the million dollar question. Why do AVs seem to miss malicious files that MBAM is detecting, files which are affecting thousands of users each day?

    I'd say Kaspersky, a-squared, prevx are all great at rogues as well. And for on-demand, hitman pro.

    So some are realising the importance of adding these rogues everyday. To make tests fair, maybe a scan with MBAM + kaspersky, or MBAM and prevx would be beneficial to see what damage was done after smaller tests. Hey, but MBAM is free, so the praise is well deserved. :)
     
  14. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hi,

    What I still find very hard to understand is how come MBAM creates only ONE signature per Rogue AV and even when Rogue AV writers keep changing the MD5 of their creations, MBAM is still able to wipe out those offenders whereas traditional AVs need a brand NEW signature per each variant of the Rogue AVs? Strange...isn't it?


    Thanks

    Carlos
     
  15. kmr1685

    kmr1685 Registered Member

    Joined:
    Aug 22, 2009
    Posts:
    62
    You need to check out the MBAM forums section dedicated only to submitting rogues and suspicious files. People are crazily submitting all those samples, so it is a collective effort, like two hands clapping to produce a good sound. I really like using that kind of product. ;)
     
  16. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Hmm a little trolling maybe?
     
  17. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hi,

    And, you think they are going to give away their recipe for the competition to know how they do it? LOL

    But my question still stands: How come ESET, AVIRA, AVAST!, McAFEE, KASPERSKY and other AV vendors need to issue a NEW signature for every variant of the very SAME Rogue [e.g.: “Security Tool”] whereas MBAM can easily recognize the Rogue [.exe] installer even when it's disguised under a different MD5?

    My question is not about how MBAM does it, it's about why these AV vendors can't do something similar. They wouldn't let Rogues slip through and infect computers if they did the same. With nearly 100 variants of the same particular Rogue released every single day, how many signatures would the AV vendors need to issue daily or hourly to keep up with this kind of threat?

    Get my point?

    Carlos
     
  18. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    No one is trolling here. At least not me. That's not my style and people who hang out here should know it.
    I don't want to get my posts deleted or threads locked by Ronjor, JRViejo or LWM.


    Thanks,


    Carlos
     
  19. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    I'm not referring to you my friend. The original poster.
     
  20. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    Okay. No offense taken then.


    Regards,


    Carlos
     
  21. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,972
    From what I have seen MBAM has excellent heuristics, maybe they don't need daily updates for each rogue when they can write a generic detection.

    On top of that their IP blocker can wipe out the malware before it even has a chance to install.
     
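To make concrete the point raised by Zyrtec (a new MD5 per variant) and Ibrad's reply (a generic detection), here is an added Python example that is not code from the thread or from Malwarebytes: it scans constructed byte-string "samples" of one rogue family with an exact-hash database and with a generic rule keyed on the artifacts YeOldeStonecat mentions (product name, install folder, executable name). All sample contents, names and paths are made up for the example and do not describe any real rogue.

```python
import hashlib
import re

# Constructed sample "files" standing in for variants of one rogue AV family.
# Each variant carries the same invariant artifacts (product name, install
# folder, executable name, scare message) but different junk bytes, so every
# MD5 differs. These strings are invented for the example, not real artifacts.
INVARIANT = b"FakeAV Pro 2010|%APPDATA%\\FakeAVPro\\fakeavpro.exe|Your PC is infected"
VARIANTS = {
    "variant_a": INVARIANT + b"\x00" * 16 + b"junk-A",
    "variant_b": INVARIANT + b"\x90" * 32 + b"junk-B",
    "variant_c": b"padding" + INVARIANT + b"junk-C",
}
# A constructed benign file that shares one common phrase but none of the rest.
BENIGN = b"Contoso Word Processor|%PROGRAMFILES%\\Contoso\\winword.exe|PC is fine"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Per-variant hash signature database: this vendor has only seen variant_a.
HASH_DB = {md5_hex(VARIANTS["variant_a"])}


def hash_detect(data: bytes) -> bool:
    """Classic exact-hash signature: matches only a sample already seen."""
    return md5_hex(data) in HASH_DB


# Generic rule: every invariant artifact must be present, at any offset.
# Requiring all of them keeps a single common phrase from triggering it,
# which is the usual guard against the false alarms generic rules can cause.
GENERIC_RULE = [
    re.compile(rb"FakeAV Pro 20\d\d"),            # product name with a year
    re.compile(rb"\\FakeAVPro\\fakeavpro\.exe"),  # install folder + exe name
    re.compile(rb"Your PC is infected"),          # scare message
]


def generic_detect(data: bytes) -> bool:
    """Family-level detection independent of the file's hash."""
    return all(p.search(data) for p in GENERIC_RULE)


def scan(samples: dict) -> dict:
    """Return {name: {"hash": bool, "generic": bool}} for each sample."""
    return {name: {"hash": hash_detect(d), "generic": generic_detect(d)}
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, data in VARIANTS.items():
        print(name, md5_hex(data))
    for name, r in scan({**VARIANTS, "benign": BENIGN}).items():
        print(f"{name:10} hash={r['hash']!s:5} generic={r['generic']}")
```

Only variant_a hits the hash database, all three variants hit the generic rule, and the benign file hits neither.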
  22. PC__Gamer

    PC__Gamer Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    526
    Rogues themselves are not on the top 10 must-have samples for AV analysts; I'm pretty sure that to them, they aren't much to worry about.

    And in some ways, I have to agree. Most of them are non-malicious and most usually come with working uninstallers, so I doubt they are the big worry for virus analysts.

    ... I'm pretty sure there are much bigger fish to fry.

    & I think this would probably be a similar reply from them.

    Software like MBAM might be good at detecting this sort of thing, but its detection is really rather poor on the whole, and there are quite a few false alarms from it too.
     
  23. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    Are you serious?

    How would you consider software that locks your [.exe] extensions and virtually stops you from running anything on your PC, posting fake messages like this one [just an example: “winword.exe is infected with the worm xyzxyz. Please purchase the full version of “Rogue AV xyz” to get full protection”]...so it doesn't even allow you to open your word processor?
    I've seen that many times, computers being held as hostages until you purchase a deceiving product that claims to do something it doesn't.

    Besides, those Rogues are blended threats. They usually don't install alone by themselves but come bundled with Vundo, the TDL3 rootkit, the TDSS rootkit, the Koobface worm, and who knows what else.

    To me, Rogue AVs are very, very, very malicious. Period.

    Thanks.

    Carlos
     
  24. Judge Dee

    Judge Dee Guest

    I can't believe I'm reading this on a security forum.
    Yesterday I worked for 2 hours to get rid of a rogue on someone's machine. IE was hijacked, and he could go nowhere on the internet.
    The same scenario 2 weeks ago on someone else's computer. The thing was rendered useless.
     
    Last edited by a moderator: Mar 12, 2010
  25. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I agree, Rogue AV programs can do a LOT more than just annoy you with fake warnings. But we're veering off the subject. The answers received in this thread are about as good as it is going to get in explaining why MBAM is used sometimes in AV tests. MBAM is a second opinion and that's it.
     