Malwarebytes 4.1 Test vs Malware

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

It's come a hell of a long way in 9 months - https://www.youtube.com/watch?v=9clWAlxZloI

👍︎︎ 4 👤︎︎ u/ilike2burn 📅︎︎ Aug 05 2020 🗫︎ replies

Captions

hello and welcome to the pc security channel today we'll be taking a look at malwarebytes premium version 4.1.2 as usual we will test it against quite a lot of malware ransomware see how it holds up now several months ago we did test malwarebytes version 4 when it first came out as the product was transitioning from being a complementary solution to a standalone full-featured av product and the results weren't well ideal since then malwarebytes have reached out to us and they mentioned that at the time they were integrating some of their newer engines so it was very much a transition product that we tested and they wanted us to give it another shot before we throw the kitchen sink at it though i just want to go over the ui because i think it's quite interesting on the home screen we have real-time protection scanner detection history with the components being web protection malware protection ransomware and exploit protection i like how you can turn each of these on or off individually if we go into settings there's quite a lot of interesting stuff in here you can play around with the notifications there is a game mode but if we go into security you'll see that there are quite a few new options here so for scan you can scan for root kits you can use artificial intelligence to detect threats but that means your scans may take longer i'm guessing this is some kind of static analysis system then you can also use expert system algorithms to identify malicious files this is turned off by default i'm guessing because again this is a new feature maybe once it's tested more can be fully integrated and be turned on by default malwarebytes can now register with the windows security center but if you want to use another product along with it you still can if you turn off this option it's not going to interfere with that now pups are always detected by default that's great exploit protection again very interesting module it says it can block potentially malicious email attachments for outlook desktop and then it also has a setting which says block penetration testing attacks i guess if you are in an environment where you're susceptible to these kinds of attacks it's going to be a very handy feature downline now if we go into advanced settings with exploit protection you will see that there's a lot in here in terms of application hardening advanced memory protection application behavior protection and a specific module just for java protection because it is that bad and it is nice to see that they are integrating a lot more components into this if done correctly these components could obviously help prevent zero day attacks but we'll see how effective they are now apart from security you can also tweak basic things like the theme you can go with light or dark you can change the background kind of reminds me of trend micro in this sense but overall i would say it's fairly well done i haven't noticed any issues with the ui navigation is easy and it's very simple if you don't want to mess with the advanced settings you can just leave it be now let's get started with the test so as usual we have our malik script to automate the testing process however i would like to mention that malwarebytes does a few things differently as in the way it detects applications typically there's a little bit of a delay due to the mechanism they use and it doesn't throw up the same errors that we typically get when executing malware on a system with another av in place so we have a slightly modified script to do this which is malix mb dot py and this of course is still located in the shared location so let's just head over there so as usual we will be running the attack from the network location however we will just have our files on a system location because for whatever reason some components don't seem to be checking files executing from z we will talk more about that after the test but as you can see we've got 972 items these are all relatively new malware this includes trojans pups as i said the kitchen sink and we're going to throw it at the system and see if malwarebytes is able to protect us and how effectively so before we get started i'd also like to show you that it is indeed up to date real time protection is turned on everything is good to go so let's get testing seems to be going as expected malwarebytes is popping up with its typical alerts in the meantime i will open up task manager so you can look at the cpu usage throughout see how much malwarebytes is taking up in terms of cpu and memory but hey you don't want to sit here all day so let's speed it up shall we [Music] [Music] [Music] all right looks like our test is complete we've executed all 972 files and the final proactive detection is 99.79 with only two misses these are very decent results and definitely a huge improvement over last time the test took about 18 minutes which is not too bad considering we did add in a small time delay between the samples because of the way we had to count proactive detection in this case resource usage was i would say fairly average now let's take a look at the system and see if we can find anything that's immediately off-putting i don't notice anything at least not in process explorer no signs of active malware here and we will go ahead and also launch auto runs see if there's anything lurking in the shadows oh it does seem we have something here so in current version run this is a registry entry that points to program data windows csrss.exe this is clearly a malware file let's see if it's actually present and it is so in c program data windows we have this one application which uh has an adobe reader icon and calls itself csrss.exe well can make up its mind whether it wants to masquerade as a system process or as adobe reader so it's got the icon of one and the name of another now we will do some second opinion scans before we actually go ahead and execute this again to see if it causes any system damage because it's not active at the moment i don't think unless it's injected itself into some system process i'm also going to do a scan with malwarebytes since there was a time when they were primarily known just as the second opinion scanner so we'll go ahead with this and at the same time i'm going to grab headman pro also an interesting thing to note while the scans are running is that malwarebytes alert window seems to have a little bit of an issue where it's not showing details unless i actually hit x and then they become visible for a second it's like minor gui glitch not sure if it's just because this is a vm and it's having some issues with the drivers but i just noticed it and i wanted to point it out both scanners are done and it seems like that's all we have on the system this driver of course is just a false positive csrs.exe is the main thing and it's detected by both malwarebytes and hitman pro in addition malwarebytes also picked up something called trojan vbh and generic in leo app data program startup so a couple of items now we're going to go ahead and see what would happen if this were to execute let's say would malwarebytes still block it proactively because it could just be that we just have to trace on the system and it's completely dormant we'll just navigate to the location which is c program data windows and we'll go ahead and execute this file this is what should happen at startup and now it's blocked so what would have happened let's say if we did nothing is the registry entry would have likely caused it to start next time i restarted the system and then we would have gotten this alert and malwarebytes would have just blocked it so it's a tough one actually like i would say the results are just shy of a clean sheet the only case where the malware could have actually done something is if after this event malwarebytes is disabled by something else or the user decides to do it and then next time you restart boom active malware trojan exfiltrating data doing whatever it does but of course that is a very extreme scenario most likely as we saw it's going to be picked up by the real time protection next time as i said just shy of a clean sheet detection wise very good results but now i'm going to talk about one of the issues i encountered earlier when running this test and i'll demonstrate what i meant when i said certain components don't check certain locations so we're going to grab shade which i've made a dedicated video about in case you're curious and we'll just copy it into this shared location and first you know what we're going to copy it to the desktop so we've got shade ransomware on the desktop that's very well known caused a lot of destruction and havoc picked up by almost all engines we'll go ahead and execute it on the system and as you can see it is blocked immediately no surprises there that's what you would expect however if we execute it from here which is where i typically run these tests from as you can tell the malware is allowed to execute we still get a message from malwarebytes saying website blocked due to malware but this is just the command and control server communication being intercepted the process however is uh likely still running on the system and there you go it is running on the system malwarebytes not terminating it i don't know why so this is an issue that i've encountered we are working with malwarebytes to resolve it so it may or may not be relevant at the time you're watching this video might have been resolved already but it's just to give you a hint that this product is still developing and it's not yet rock solid in some ways but it's also very interesting as in it's got a lot of components now given that the product has dedicated modules i'm definitely going to try them out so we're going to disable malware protection just for a second and we'll try running some ransomware and see if it blocks it i'm just curious as to how these other components perform so let's just grab some stuff so let's just go ahead and try shade all over again this time without the malware protection what difference does it make first we get the typical website blocked alert due to trojan makes sense does ransomware protection or exploit protection ever come into play we shall see let's try some other stuff this is a relatively new ransomware variant black claw we'll go ahead and run it see if anything pops up the reason i'm curious is because i want to see as the malware tries to perform its malicious actions does malwarebytes get in the way somehow and it does there you go ransomware blocked ransomware detect and quarantine by real-time protection so it says the same thing and same with shade it looks like shade was detected and blocked too but unfortunately that happened after our data was encrypted let's check our documents again so i'll just try and open it just in case you know but no i was right data's gone and now we're going to go into settings and actually turn on some of the stuff that i think is very interesting so we'll use expert systems although i don't think this is going to play a part in the behavioral detection we will also turn on block penetration testing attacks and now we'll try to do the same thing so we're going to try to execute some ransomware on the system so let's say we get pew pewcrypt this is a bit of a joke in terms of ransomware but let's go ahead and try to execute it of course it's blocked as malware but now we're going to go back and disable that so it doesn't do that anymore so now with the malware protection turned off let's see if it's able to get to our files and it's not it's still blocked as ransomware which is interesting now let's go ahead and try something else let's try black claw again what i'm trying to see is if the penetration testing attacks module or something else is able to intercept the ransomware behavior on its own and prevent it from encrypting our files it is partially so as you can tell our data is not entirely affected it was only able to encrypt one file in pictures and the files and documents because these were very small files but i can understand if we had a lot more data it is being intercepted very quickly you might say well what's even the point of this why are you disabling malware protection essentially i'm trying to examine any other defenses that might be in play in case you know it fails for whatever reason maybe it's a new malware maybe it manages to get by because it's hidden in another file there's so many different techniques so i always like to look at different modules and how they perform independently in this case it does seem like even without malware protection malwarebytes is able to intercept certain types of malicious behaviors at least with some major ransomware samples so there you have it i hope you enjoyed this video the results are very interesting as far as i'm concerned i will be keeping a close eye on this product and i think it's definitely up there now so check it out if you're interested but let me know your thoughts in the comments below really curious as to what you think of it don't forget to like and share the video if you enjoyed it check out our website thepcsecuritychannel.com and feel free to get in touch if you'd like to work with us using the business form on the website this is leo from the pc security channel thank you so much for watching and as always stay informed stay secure

Info

Channel: The PC Security Channel

Views: 247,841

Rating: 4.9433413 out of 5

Keywords: The PC Security Channel, TPSC, cybersecurity, cyber security, computer security, internet security, antivirus, anti malware, ransomware, trojan, virus, PUP, best antivirus, best internet security, learn cybersecurity, hacking, hack, security, technology, cyber insurance, cybersecurity degree, EDR, SIEM, best EDR, AI, Malwarebytes, Malwarebytes 4, Malwarebytes Review, Malwarebytes Test, Malwarebytes Test vs Malware, Malwarebytes Free, Malwarebytes Premium, Malwarebytes 4.1

Id: 83mviRGlfTU

Channel Id: undefined

Length: 15min 11sec (911 seconds)

Published: Wed Aug 05 2020