Malware Fighting – Best Practices

Awarded: Editor's Choice, Community Pick

Sub-Titled: “My Way” (with apologies to Francis Albert Sinatra)


Let me start by stating emphatically that I am one of those Experts who prefer doing things “My Way”.

It’s kind of a no-brainer. “The following procedure works for me, so here is what I recommend that you do…”.

I believe that recommending methods that work for you (me) is exactly what Experts-Exchange is all about and it is the rule that I follow when posting advice.

When attempting to help one of our Members with a malware problem we need to be extremely cautious that any “My Way” advice is also consistent with the known best practices.

As Malware Experts, our first goal should be to identify which variant we are dealing with, and then provide the best known “safe” fixes to get the system cleaned and running properly.

The purpose of this Article is to discuss the procedures listed below. As in many areas of IT, there is often wide disagreement about “Best Practices” and I am hopeful that all reading this will join in a robust discussion of the topic.

This Article is the result of a lot of work by a lot of people. Unfortunately, the EE Articles process does not allow for "Multiple Authors", but this would have been impossible for me to put together without the extended technical advice of rpggamergirl and thermoduric.

Anyone even casually familiar with the Virus & Spyware Zones will know of "rpg" and her long history of providing superb advice to our members. "thermoduric" is less well-known but his work at the highest levels of creating malware fighting tools made his contributions invaluable.

Their contributions to the Article are shown in italics to allow credit where credit is due.

The main discussion points are:

1.  CURRENT TOOLS and SCANNERS
2.  SAFE MODE SCANS
3.  SLAVED DRIVE SCANS
4.  BootCD SCANS
5.  MANUAL REMOVAL OF INFECTIONS

ONLY USING CURRENT TOOLS and SCANNERS


Many of us have developed a “Bag of Tricks” through the years with our favorite Tools, Scanners, and other Applications. I think that all of us should be very careful to ensure that anything we recommend will first do no harm.

Outdated tools and scanners can be very harmful to current systems. A scanner developed for older Operating Systems might improperly modify a Windows 7 system file with the same name as an XP system file, with devastating (read BSOD) results.

A great example is “SDFix” (one of the greatest tools ever developed), that hasn’t been updated since XP SP2 was current. Although there are still limited uses for SDFix, improper use could possibly result in a non-bootable system.

If any tool in your “Bag of Tricks” hasn’t been updated in the past few days (not weeks or months), you need to give serious consideration to dropping it until it is updated.

In a recent discussion, two of the top Malware Experts (rpggamergirl and phototropic) put together some lists of outdated tools:

SDFix -- last update 6th November 2009
Smitrem -- last update 11/12/2006
SmitfraudFix -- last update 11 June 2009
RogueScanFix -- last update 22-March-2008
FixWareout -- last update Sept 2005; the author has withdrawn FixWareout.
VundoFix v7 -- last update 22 June 2008
CWSShredder -- since changing hands it is no longer effective against CWS.
About:Buster -- last update 21 May 2006. Was an excellent removal tool for all variants of CWS. The About:Buster tool is gone; the author is now developing Malwarebytes.

If you are still using (or recommending the use of) any of the tools above, you need to reconsider doing so.
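The "not updated in the past few days" rule above is easy to state and easy to forget to apply. The script below is an added example (not part of the original article) that normalises the mixed date formats used in the list and flags every tool older than a cut-off. The reference date of 6 August 2011 is taken from a comment date in this discussion, the 7-day window follows the article's wording, and reading "11/12/2006" as month/day/year is an assumption, since the list does not say.

```python
"""Flag tools in a "Bag of Tricks" whose last update is older than a cut-off.

Added example, not part of the original article. The dates are the ones the
article lists; their formats are mixed, so they are normalised first.
"""
from datetime import date, datetime, timedelta
import re

# Constructed from the article's list; the format varies per entry on purpose.
TOOL_UPDATES = {
    "SDFix": "6th November 2009",
    "Smitrem": "11/12/2006",
    "SmitfraudFix": "11 June 2009",
    "RogueScanFix": "22-March-2008",
    "FixWareout": "Sept 2005",
    "VundoFix v7": "22 June 2008",
    "About:Buster": "21 May 2006",
}

# strptime patterns tried in order: %B is the full month name, %b the
# three-letter abbreviation. "11/12/2006" is read as US month/day/year
# (assumption: the article does not say which order it used).
_FORMATS = ("%d %B %Y", "%d-%B-%Y", "%m/%d/%Y", "%b %Y", "%B %Y")


def parse_update_date(text: str) -> date:
    """Normalise a free-form 'last update' string to a date.

    Ordinal suffixes (6th, 22nd) are stripped and 'Sept' is mapped to 'Sep'
    so that strptime recognises it. A month-only date resolves to the first
    of that month, the earliest day it could mean.
    """
    cleaned = re.sub(r"(\d+)(st|nd|rd|th)\b", r"\1", text.strip())
    cleaned = re.sub(r"\bSept\b", "Sep", cleaned)
    for fmt in _FORMATS:
        try:
            return datetime.strptime(cleaned, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date format: {text!r}")


def stale_tools(updates: dict, as_of: date, max_age_days: int = 7) -> dict:
    """Return {tool: age_in_days} for every tool updated more than max_age_days before as_of."""
    cutoff = as_of - timedelta(days=max_age_days)
    result = {}
    for tool, when in updates.items():
        last = parse_update_date(when)
        if last < cutoff:
            result[tool] = (as_of - last).days
    return result


if __name__ == "__main__":
    # Reference date taken from the discussion thread (6 August 2011).
    report = stale_tools(TOOL_UPDATES, date(2011, 8, 6))
    for tool, age in sorted(report.items(), key=lambda kv: -kv[1]):
        print(f"{tool:14s} last updated {age:5d} days ago -> drop until updated")
```

Keeping the dates as free text and normalising them at check time mirrors how such lists are actually kept in a notes file; the value of the check is that it is run every time the list is consulted rather than once when it was written.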

Similarly, it is important to keep legitimate links to the tools you are recommending in your "Bag of Tricks". With questionable sites having legitimate-sounding names, there is some confusion over where to download certain tools. It is therefore important to not only suggest the tool, but also to provide a good link. By providing only known legitimate links you ensure that readers will get the most current version of the recommended tools with downloads they can trust.

Currently the most commonly used malware scanners are Malwarebytes (MBAM) and ComboFix (CF). These are developed and updated frequently (often several times a day) by very well known MS MVPs and have been tested/vetted by many millions of users from all over the world.

As of the publishing date of this Article the sources below are known legitimate download links for these programs.

Malwarebytes:
Go here: http://www.malwarebytes.org

ComboFix:
Go here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix and read the instructions for the proper use of ComboFix. There are two links provided for legitimate download sites.

Please note the caution message posted at the download link for ComboFix:

"You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer."

Using ComboFix:

"If you need help with malware removal, then please create a question in one of our "Virus & Spyware" Zones.

You should always post the log generated by ComboFix as a reply in the question where you were asked to run it. Your helper will analyze this log and let you know what they would like you to do next."

SAFE MODE SCANS


If your computer will boot to “Normal Mode”, then in all cases that is how you should attempt to make the repair.
(The following comments in italics are courtesy of rpggamergirl):

During a Safe Mode boot, most malware processes are not running and Malwarebytes' heuristic detection can't detect them.

Malware processes must be active while doing the scan so scanning in Safe Mode is not going to be as effective.

Malwarebytes’ Direct Disk Access (DDA) is not running so the detection of rootkits and other stealth hidden nasties in this mode is not optimized.

While malware processes are not active in Safe Mode, most rootkits are - so MBAM is disadvantaged and will miss detecting them.

Windows File Protection is not on in Safe Mode in Windows 2000/XP/2003 Server so any patched system files e.g. explorer.exe, winlogon.exe, userinit.exe that are deleted by the scanner will not be replaced.

Naturally, if the system will only boot to "Safe Mode", then you will have to run your scans that way. You should warn people of the inherent problems when doing so and let them know that they need to run a full scan in "Normal Mode" ASAP.


SLAVED DRIVE SCANS


When scanning an inactive drive, the scanner often misses the loading points in the registry, which can cause "error loading" pop-ups when the drive is put back into its original host. Worst-case scenario, it may render the system unbootable if a bad file is removed while the registry value is still intact.

For example, a particular infection hijacks the value of "Windows" in this key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems
"Windows"="basekwgb32.dll"

If the scanner deletes the bad "basekwgb32.dll" but does not restore the default value, when you put the PC back together it is guaranteed not to boot.

ComboFix is written so that it will not touch that file unless Recovery Console (RC) is installed for that same reason.
 
Windows File Protection is not used when scanning a non-active drive (as mentioned above), so if a crucial system file like userinit.exe or explorer.exe is infected the scanner will delete these files (no questions asked) as opposed to just pointing out that these files are infected. Since WFP is not used, the deleted system files are not replaced and when you put the drive back, the user won't be able to log in. If it is the explorer.exe that was deleted then Explorer won't load, leaving the user with no desktop icons/taskbar.

Malwarebytes is designed to be a disinfection tool for active malware on a running system and it is in normal mode where it is most potent.
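The Session Manager\SubSystems hazard described in this section comes down to one rule: never remove a file that a boot-critical registry value still references. The following Python check is an added example (it is not from the article, from ComboFix, or from Malwarebytes) and it does not read a live registry; it works on value strings constructed from the documented Windows XP/7 format and from the article's own example DLL name. The set of expected server DLLs is an assumption that has to be matched to the exact Windows version being inspected.

```python
"""Check a Session Manager\\SubSystems "Windows" value for unexpected ServerDll entries.

Added example, not part of the original article. Constructed value strings are
used instead of reading the registry, so it runs on any platform.
"""
import re

# Server DLLs that legitimately appear in the "Windows" subsystem value on
# XP through Windows 7 (assumption: verify against a clean copy of the same OS).
EXPECTED_SERVER_DLLS = {"basesrv", "winsrv"}

# Constructed sample: the clean value as found on a Windows XP system.
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,3072,512 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off "
    "MaxRequestThreads=16"
)

# Constructed sample: the same value with basesrv swapped for the DLL name the
# article mentions. While that file exists the system still boots; once a
# scanner deletes the file and leaves the value alone, csrss cannot load its
# server DLL and the machine stops at boot.
HIJACKED_VALUE = CLEAN_VALUE.replace("ServerDll=basesrv,1", "ServerDll=basekwgb32,1")

# Each ServerDll entry is "name" or "name:EntryPoint" followed by ",index".
_SERVERDLL_RE = re.compile(r"ServerDll=([^:,\s]+)", re.IGNORECASE)


def _stem(name: str) -> str:
    """Reduce 'C:\\dir\\BaseSrv.dll' or 'basesrv' to the lower-case module stem."""
    base = name.rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".dll") else base


def server_dlls(value: str) -> list:
    """Return the ServerDll module stems in the order they appear in the value."""
    return [_stem(n) for n in _SERVERDLL_RE.findall(value)]


def unexpected_server_dlls(value: str) -> list:
    """Return the ServerDll stems that are not in EXPECTED_SERVER_DLLS."""
    return [n for n in server_dlls(value) if n not in EXPECTED_SERVER_DLLS]


def safe_to_remove(value: str, dll_filename: str) -> bool:
    """True only if the value no longer references dll_filename.

    This is the check a removal step must pass before deleting the file; if it
    fails, the registry value has to be restored first (or the file left alone).
    """
    return _stem(dll_filename) not in server_dlls(value)


if __name__ == "__main__":
    for label, value in (("clean", CLEAN_VALUE), ("hijacked", HIJACKED_VALUE)):
        bad = unexpected_server_dlls(value)
        print(f"{label:8s} ServerDll={server_dlls(value)} unexpected={bad}")
        for stem in bad:
            print(f"  {stem}.dll is still referenced: safe_to_remove="
                  f"{safe_to_remove(value, stem + '.dll')}")
```

The same pattern applies to the other loading points named in this article (Winlogon's Userinit and Shell values, for instance): compare the value against a known-good baseline for that OS, and treat "value still points at the file" as a hard stop for deletion.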

BootCD SCANS


This is similar to slaving a drive (the drive is inactive):

The virus scanner's database on the BootCD is most likely outdated.
It can't create restore points (the System Restore service is not running).
System File Protection is not on, so the system could wind up with missing system files and broken configurations.
You get errors because registry values are not removed, so you still need to scan again within Windows to remove redundant registry entries.


MANUAL REMOVAL OF INFECTIONS


That might work if the virus only has one file and one loading point and you don't reboot while you remove its loading point.

It is harder when dealing with an infection since it has multiple files and may have more than one loading point. Without knowing what the infection is and without knowing which files need to be deleted and which registry entries need to come off it can be complicated to the point of impossibility.

With random filenames it is difficult to know exactly which files to target unless you incorporate some diagnostic tools to find the exact files.

Some infections patch system files or create files to camouflage a system file, or even create folders that are hard to differentiate from legitimate folders, e.g. the ZeroAccess rootkit creates c:\windows\$NtUninstallKB6522$ among other files.
***********************************
 
In a recent discussion, one of our top EE Members (thermoduric) with many years working for one of the largest AV companies had this to say about “Manual Removal”:

I see there is also a propensity to recommend manual removal of malware. As someone who has worked in the AV industry as a Subject Matter Expert for many years, allow me to explain why doing so is both dangerous and flawed:

1. You cannot be sure you've removed the infection. Malware writers are also not stupid (unfortunately) and they nearly always include fail-safe features in their code to prevent manual removal. Such features include having stealth processes (processes that hook so deep into the OS they are able to be invisible) or injecting code into other running (often system) processes to act as watchdogs that will re-infect a machine that is cleaned incorrectly. Such infections often need removal in a very specific way; often the steps must be performed in a very specific order, and often they require the cleaning of processes that are running. Using its ability to hook into the OS, an AV engine can prevent any infected running processes restarting until they have been cleaned on a system reboot.

2. Most malware comes in many variants and each has a subtle difference, either in terms of how they infect or the payload they deliver. How do you know this isn't a variant you are dealing with? If it is, there is a good chance you will not remove all the infection.

3. If a machine has one infection it likely has many. Your manual process may very well remove the specific infection you are targeting, but how do you know there are not more infections that are running in stealth?

AV Engines use a blended approach to detect infection and are able to detect a vaster range of infection than you could hope to manually deal with. Yes, it is true that no AV engine can detect 100% of malware (there is always the chance of a zero day virus) but I can tell you this... if you know of a virus and think you know how to remove it I can guarantee 100% that so will all of the reputable AV engines. What's more, they will also know all the variants (save for zero day ones) and also know how to successfully remove and (often) repair.

The rules used by AV engines are created by very clever researchers who disassemble malware to discover exactly what it does and how to remove it. Unless you know how to do that and have first hand experience in this field I strongly suggest you heed the words of the Subject Matter Experts and avoid suggesting manual removal techniques.
***********************************

The above excerpt was copied with permission and I concur with his advice entirely.

SUMMATION


We’re here as Experts to provide the best advice possible to other Experts-Exchange members. With the help of each other we can ensure that we do the following:

1. Stay current with our knowledge levels;
2. "Do no harm"; and
3. Stick with "Best Practices".

As mentioned above, I encourage anyone reading this to offer their thoughts on any part of the discussion. I’ve said many times that I learn a lot more on EE than I teach and I am looking forward to learning more in the discussions with you about this Article.

NOTE:
Other EE Articles focused on fighting malware are listed below:


Mine:
MALWARE - "An Ounce of Prevention..."
Basic Malware Troubleshooting
Stop-the-Bleeding-First-Aid-for-Malware
Rogue-Killer-What-a-great-name
Windows-Stability-Center
2012-Malware-Variants

rpg:
"Virut" - Malware continues to evolve
Viruses in System Volume Information (System Restore)
THINGS YOU NEED TO DO WHEN YOUR PC IS INFECTED
IF YOU CAN'T RUN .EXES IN AN INFECTED SYSTEM
Can't Install an Antivirus - Windows Security Center still detects previous AV
HijackThis - Some Tips & Tricks
HijackThis reports missing files on 64-bit Systems
"Google Hijack" - Google Search Gets Redirected
Infected Router - Google Search Redirects Even on a Clean System
Author: younghv

39 Comments
LVL 28

Expert Comment

by:Run5k
Great article, Vic!  When it comes to malware prevention, detection, and removal, experienced professional advice is absolutely priceless.
0
LVL 38

Author Comment

by:younghv
Hi Tom,
Thank you for the vote and the comment.
Working with rpg and thermoduric on this was a real education.

0
LVL 47

Expert Comment

by:rpggamergirl
Looks great!
The information here are indeed the 'best practices' for virus/malware removal.
A Yes vote from me, :)
0
LVL 38

Author Comment

by:younghv
~rpg -
Thank you for posting and voting.
0

Expert Comment

by:johnbenj
Great piece.  thanks for writing it and sharing.

I'd love to see a piece written about BP's for stopping malware before we have to fight it.  
0
LVL 38

Author Comment

by:younghv
Hi johnbenj,
Thank you for the comment. As I noted above, it was a group effort.

Please read the following EE Article for some thoughts on "Prevention" (and don't forget to vote when you like an Article):
MALWARE - "An Ounce of Prevention..."
0
LVL 10

Expert Comment

by:Timothy McCartney
I can honestly say I considered myself a bit of a local 'pro' at removing malware; however, in reading this article, I realize how much I didn't truly know. I've used many various methods of 'offline' scanning, but thanks to this I know that that method should only really be used in the event that a normal boot is not possible. Thanks again for the article!
0
LVL 38

Author Comment

by:younghv
tracerfett:
Thank you for the comments and the yes vote.

With no false modesty, I can tell you that 'rpggamergirl' is the technical genius around here for fighting malware. I was of the "Format/Reinstall" school of thought until I started working with her.

Here are some more EE Articles that you might enjoy:

Mine:
MALWARE - "An Ounce of Prevention..."
Basic Malware Troubleshooting
Stop-the-Bleeding-First-Aid-for-Malware
Rogue-Killer-What-a-great-name
Windows-Stability-Center
2012-Malware-Variants

rpg:
http://www.experts-exchange.com/A_1009.html - "Virut" - Malware continues to evolve:
http://www.experts-exchange.com/A_1934.html - Viruses in System Volume Information (System Restore)
http://www.experts-exchange.com/A_1979.html - THINGS YOU NEED TO DO WHEN YOUR PC IS INFECTED:
http://www.experts-exchange.com/A_1995.html - IF YOU CAN'T RUN .EXES IN AN INFECTED SYSTEM:  
http://www.experts-exchange.com/A_2088.html - Can't Install an Antivirus - Windows Security Center still detects previous AV:
http://www.experts-exchange.com/A_2963.html - HijackThis - Some Tips & Tricks:
http://www.experts-exchange.com/A_3178.html - HijackThis reports missing files on 64-bit Systems:
http://www.experts-exchange.com/A_3299.html - "Google Hijack" - Google Search Gets Redirected:
http://www.experts-exchange.com/A_5327.html - Infected Router - Google Search Redirects Even on a Clean System
0
LVL 47

Expert Comment

by:rpggamergirl
BTW, just one little info to add regarding MalwareBytes' scan as I've seen many Experts advising a Full Scan.

When scanning with MalwareBytes all that is needed is a "Quick Scan" not a Full scan.
A full scan is not necessary and just a waste of time when trying to remove active malware infections, because a Quick scan catches 99.9% of active malware that MBAM will detect. The other .01% are those locations of dormant traces, i.e., contained in the restore points.

There is nothing wrong with Full scan, just takes time and not necessary.

0
LVL 23

Expert Comment

by:phototropic
At last...an article that can be linked to when experts offer suggestions which recommend drive-slaving, boot cd's, safe-mode scanning and the rest.  Thanks for that.

It's amazing how many reputable download sites are still offering outdated and potentially harmful apps which haven't been updated in years.  Recently Tech Republic published an article about removing rootkits. The expert author recommended two downloads: Combofix (edit: link corrected) - the original link was to a rogue site - and AVG AntiRootkit - which is still available via Cnet, despite not having been updated since April 11th 2007 !!!

http://www.techrepublic.com/blog/five-tips/five-tips-for-dealing-with-rootkits/272

This kind of thing really devalues the rest of the site, so EE experts need to make sure they only post links to tools they have used recently.

Once again, many thanks for a timely and well researched article.
0
LVL 38

Author Comment

by:younghv
rpggamergirl:
Thank you for the additional information. As always, you bring a lot to the table.

phototropic:
As noted above, your information on out-dated tools was a valuable addition to this Article.
My 'alter ego' has posted a few times over at Tech Republic, normally just to debunk some of the absolute garbage that gets posted.

We should get them a free subscription to EE...just so they can post legitimate advice on their own site.

Thank you both for the comments.
0
LVL 47

Expert Comment

by:rpggamergirl
@ younghv,
Good article and discussion thread, :)

@ phototropic:
Cnet is one of the major download sites which also offers not so good apps, so I'm not sure about being reputable.
They also offer;
WinAntivirus
Spyware Cease
RegFreeze
AntiSpy and other non-recommended tools.

Rootkit scanners are not the same as antimalware or antivirus scanners, which use virus definitions and need frequent updates, so most rootkit scanners don't have regular updates and are still not considered obsolete.
I think Rootkit Revealer's last update was in 2006.

In that article, apart from CF, I would've thought the author would include other rootkit scanners. There are many advanced rootkit scanners out there.
I wonder if the author on that site gets half of the ads' revenue like some site does, :)

0
LVL 23

Expert Comment

by:phototropic
"...Cnet is one of the major download sites which also offers not so good apps, so I'm not sure about being reputable..."

Well, if you go to the Mbam site and try to download, you are sent to Cnet by default, so I guess that makes it sort of reputable...

The point about the AVG Rootkit scanner is that it no longer exists - if you click the Cnet download link you are offered an installer for AVG 2011!!!  That's not really an advanced rootkit scanner...
0
LVL 47

Expert Comment

by:rpggamergirl
"...so I guess that makes it sort of reputable...,"

Maybe, though not necessarily, I call it business sense!
I've downloaded tools from Cnet a few times, sometimes going round in circles before actually able to download the file.
If a site doesn't do a good job in monitoring all of the files it has, well, "reputable" might not be the word I'd use but that's just me.


"The point about the AVG Rootkit scanner is that it no longer exists - if you click the Cnet download link you are offered an installer for AVG 2011!!!
That's not really an advanced rootkit scanner..."


I don't consider it as an advanced rootkit scanner, maybe I worded it wrong.
AVG Anti-rootkit may not be in Cnet but it's still available in other sites even the other major download sites like Softpedia and PCWorld, but I didn't think that was the point you're trying to make with your comment(below) maybe I just missed it.
"...and AVG AntiRootkit - which is still available via Cnet, despite not having been updated since April 11th 2007 !!!"

Anyway, regardless of its existence, I'm more concerned about identifying a rootkit tool as outdated based on lack of current updates.
My reply was to address that a rootkit scanner can't be considered obsolete just because it hasn't been updated for a long time; that's why I mentioned that rootkit scanners are not like antimalware/antivirus scanners that need frequent updates.
The same reason that Rootkit Revealer is still widely used even though it hasn't been updated for years.

Since we're in a discussion of stopping other Experts from giving the wrong advice of using obsolete tools, it's only fair that we should also give correct information. We make mistakes (who doesn't?), but we can at least try and be clear with our info.
Just my opinion.
0
LVL 23

Expert Comment

by:phototropic
My comments were intended to be rhetorical.  I was not aware that a rootkit scanner developed in 2007 and not updated since then would still be effective. I guess I just had a knee-jerk reaction to any tool that has not been updated for years being of little use. I know better now, so thank you for that.

The Tech Republic article is one of several by one of their staff writers which is not very helpful: run Mbam in safe mode; download Combofix from combofix.whatever; that sort of thing.  If the writer wanted you to use AVG Antirootkit because he/she used and recommended it, they would have linked to a site where the tool was available.

Once again, I know more today than I did yesterday.  Thanks for setting me straight.
0
LVL 47

Expert Comment

by:rpggamergirl
No problem.
I just hope I haven't offended you somehow, it's not my intention and I don't mean any disrespect.
Thank you for being so understanding.
0
LVL 23

Expert Comment

by:phototropic
You most certainly have not offended me!!!  You've helped to make me better at my job by getting me to focus on something I hadn't previously considered.  That's why I keep coming back to Experts Exchange.

Thanks again.
0
LVL 27

Expert Comment

by:Jonvee
An excellent article, followed by an interesting and very useful discussion.
Thank you.
You certainly have my "yes" vote.
0
LVL 38

Author Comment

by:younghv
Hi Jonvee -
Thank you for the comment and the vote.
This Article has been modified at least 5-6 times since submission, based on input from other Experts. As you well know, malware fighting is a constantly changing business so please feel free to offer any thoughts/updates as needed.
0

Expert Comment

by:ptruswell
This is the best and most level-headed article on Malware removal best practice I have ever read.  My business partner and I have 37 years experience in supporting PC systems so we've seen a few!  Excellent work :-)
0

Expert Comment

by:ptruswell
...as a PS to the above, what's the current view on Spybot S&D?
0
LVL 38

Author Comment

by:younghv
ptruswell:
Thank you for the comments and the vote.

I used to be a real fan of Spybot and I know that a lot of folks still use it as part of their routine. I switched away from both Spybot and Ad-Aware about 2-3 years ago after trying Malwarebytes (MBAM).

The team of developers at MBAM includes 12-15 current and former MS Security MVP's and these guys are fanatical about keeping their product current and ahead of the pack on all new variants.

To repeat what I wrote above, this Article would not have been possible without the enormous help from 'rpggamergirl' (brand new MS MVP in Consumer Security) and 'thermoduric', one of those programming geniuses who understand this stuff down to the bit level.

Thanks again for the comments.
0

Expert Comment

by:ptruswell
younghv:

Thanks for your response.  We also stopped using Ad-Aware some years ago, but clearly it is time now to give MBAM a go as part of our regular routines in lieu of Spybot S&D, which more often than not requires a second post-login/pre-desktop scan that commonly will take 90 minutes and more.  I think S&D is still effective to a degree, but I think the core engine is feeling very dated now and does require good familiarity with its Advanced control panel to get the best out of it.
0
LVL 38

Author Comment

by:younghv
Understood.

Spybot has reached the point of being a 'mature' product and at this point I often see developers forget what their primary mission is and their focus changes to bells and whistles.

I really like working with a raw version of a product that has a single focus of purpose. Enterprises that expand too much/too rapidly tend to really lose their edge (McAfee, AVG, AVAST, - not Symantec, they never had an edge -) and many others.
0
 

Administrative Comment

by:mbizup
Awarded Editors' Choice

mbizup
EE Page Editor
0
LVL 38

Author Comment

by:younghv
mbizup - My thanks to you and the other Page Editors who voted.

An early Christmas present!
Vic
0
LVL 40

Expert Comment

by:evilrix
+1 :)
0
LVL 38

Author Comment

by:younghv
Evil One!
Good to see your name up there.
Thanks again for all your contributions to this Article.
Vic
0

Expert Comment

by:ptruswell
Well deserved :)
0
LVL 28

Expert Comment

by:Run5k
Very well deserved, Vic!  Heaven knows how many times people like you and Rpggamergirl have saved EE community members from countless hours of troubleshooting by themselves.  Congrats!
0

Expert Comment

by:Sloupy64
Can anyone comment on CCleaner?
0
LVL 38

Author Comment

by:younghv
I've been a huge fan of CCleaner for many years but have become convinced that the Old Timer has a better product. Read about it here: http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

One critical bit of information for anyone is that some variants of malware will MOVE some of your files and folders into the "Temp" file directory. If you 'clean' the Temp folder, you will permanently delete those files.
0
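The warning in the comment above, that some infections relocate user files into the Temp folder, argues for a triage pass before any cleaner runs. The script below is an added example (it is not from the article, from CCleaner, or from TFC) that lists Temp entries which look like user data instead of scratch files, so they can be reviewed rather than deleted. The extension list and the "three or more documents means a relocated folder" threshold are assumptions to adjust per environment; the Temp tree it runs on is constructed inside a temporary directory so the script runs anywhere.

```python
"""Triage a Temp folder before cleaning it: list entries that look like user data.

Added example, not from the original article or any tool it mentions.
"""
import os
import tempfile
from pathlib import Path

# Extensions a scratch file rarely carries but a user's document usually does
# (assumption: extend for the environment being cleaned).
USER_DATA_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".pst", ".txt"}


def triage_temp(temp_dir, min_files_per_folder: int = 3) -> list:
    """Return POSIX-style paths under temp_dir that should be reviewed, not deleted.

    Two signals are used: a single file with a user-data extension, and a
    sub-folder holding at least min_files_per_folder such files, which is
    reported once as a whole folder (a relocated profile folder moves intact).
    """
    root = Path(temp_dir)
    flagged = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        hits = [d / f for f in filenames if Path(f).suffix.lower() in USER_DATA_SUFFIXES]
        if d != root and len(hits) >= min_files_per_folder:
            flagged.append(d.relative_to(root).as_posix() + "/")
        else:
            flagged.extend(p.relative_to(root).as_posix() for p in hits)
    return sorted(flagged)


def demo() -> list:
    """Build a constructed Temp tree and return the triage result for it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "~DF3A1B.tmp").write_bytes(b"\0" * 16)          # ordinary scratch file
        (root / "setup.log").write_text("installer log\n")       # ordinary scratch file
        (root / "Quarterly report.docx").write_bytes(b"PK")     # a user's document, stray
        moved = root / "My Documents"                            # relocated profile folder
        moved.mkdir()
        for name in ("notes.txt", "photo1.jpg", "photo2.jpg"):
            (moved / name).write_bytes(b"x")
        (root / "inst").mkdir()
        (root / "inst" / "readme.txt").write_text("ok")         # one text file, listed alone
        return triage_temp(root)


if __name__ == "__main__":
    for entry in demo():
        print("review before cleaning:", entry)
```

Run it against the real folder with `triage_temp(os.environ["TEMP"])` on Windows; anything it lists gets moved aside or restored to its owner before the cleaner is allowed to empty the directory.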
LVL 10

Expert Comment

by:Timothy McCartney
Been using CCleaner for years. Excellent program that just keeps getting better. Piriform makes some excellent products.
0

Expert Comment

by:Sloupy64
Great info on all these posts, thanks everyone. As everyone knows, there isn't a product that will catch everything. Just my 2 cents: even with MBAM and a good AV software I find the recurrence of the same issue on the same computer is very high, which tells me not even the best cleaner gets everything. For the time involved I still feel a wipe and reload is the best option.

With that being said, and at the client's request (not my recommendation), I find that the quicker you catch the issue the better chance you have to eliminate it. It's somewhat time consuming, but I will install, update and run MBAM, check and update the current AV and run a full scan. I also like HouseCall by Trend Micro for a second opinion (http://housecall.trendmicro.com/) and run a full free online scan. As I stated at the beginning, if you have caught this early enough, after I have run these tools I will run a System Restore and go back at least 2 weeks. If you don't catch it soon enough your restore files are damaged and you can't use them.
Sorry to be so wordy, but this has been my best effort to clean an infected computer. Hope it might help someone else.
0
LVL 38

Author Comment

by:younghv
With the caveat that YMMV, I have been loading Microsoft Security Essentials plus MBAM Pro on every customer computer for almost two years - with not one single instance of re-infection.

While true that nothing is perfect, there are any number of steps the IT tech (and the user) can take to avoid malware infections.

More information in this EE Article: MALWARE - "An Ounce of Prevention..."
0

Expert Comment

by:ptruswell
I've just re-subscribed to EE after a few months lapse (yep - I have missed it!) to check this article again and ask another question about MBAM.  This is one of those common queries that never seems to quite get answered elsewhere so I'll give it a go here...

Preamble:
rpggamergirl (on 2011-08-06 at 04:23:39) commented regarding the effectiveness of MBAM Quick Scan versus Full Scan which is advice I have followed.  Quick Scan still does indeed very quickly (comparatively) detect and remove malware seemingly very effectively; sometimes prompting for a reboot, which I personally find re-assuring as the application is clearly getting to grips with RAM resident/active infection.  Following this, the proof for me of the effectiveness of the malware removal process by MBAM, is when computer performance is restored and all other manifestations of the attack have gone; I sometimes still use hijackthis.exe as a quick check for any unusual entries :)

Question:
If all the above is true (as I believe it is), why buy Malwarebytes? I assume someone has!

Being globally accepted as such an effective tool one wonders why Malwarebytes make their MBAM product available as a 'Free' edition, especially when 99%+ of its effectiveness is found in the Quick Scan aspect of this free version.  MBAM Free Edition allied with Microsoft Security Essentials (also 'free') and a few keywords/domains/sites in our router's exclude list (freely put in by me), help keep our computers in tip-top condition.

I guess we're just fortunate to have the benefit of EE and many years' experience as Windows users (now counting decades) + the knowledge of how to use the above tools.  Possession of a hammer is not enough, you have to know how to use it, otherwise the results can be painful!  It does make you wonder though; the Symantecs and Network Associates of this world are legitimate businesses making (what I imagine are) vast amounts of money through sale of their Internet security products.  So what of Malwarebytes Corporation, whose products I never see on the shelves of the big UK computer retailers?  I assume that their money is made in the corporate and business sectors, as clearly the domestic sector will always settle for 'free'.

As a footnote I should say that I ask the above because I don't want to see the demise of another good product (MBAM) through what could be regarded as over-generosity by the parent company!

Good to be back :)
0
LVL 38

Author Comment

by:younghv
Glad you're back, and you pose a great question. In fact, I am in the middle of helping a member with a problem right now and trying to explain to another "expert" why the Pro is better than the free.

In the simplest terms, "Prevention beats Repair".

MBAM free is a great tool for identifying and removing infections after the fact, MBAM (Pro) is a great tool for preventing the infection in the first place. It is running 'on-access, 24/7' protection for the system it is on.

I seem to recall seeing MBAM Pro for sale on NewEgg.com not too long ago, but may be mistaken. All of the major anti-malware companies started by giving away their products for free; with Norton being the possible exception and McAfee (NAI) being possibly the greatest success story.

Hmmm..."Prevention vs. repair"... sounds like a great title for an EE Article.

(http://www.experts-exchange.com/Digital_Living/Software/A_1958-MALWARE-An-Ounce-of-Prevention.html)
0

Expert Comment

by:ptruswell
Succinct and to the point @younghv; it is easy to forget that malware does have a mission, and in the time between infection and removal (which in some cases can be months if not years) that mission will be meeting its goals, be they to compromise data/identity/security/passwords etc etc.

When asked about Internet security I always respond by saying that all software solutions of this type are your second line of defense, the first being the human user; but when it comes to recommending products it's a case of "...well, how many walls did the Romans usually build around British cities to defend them?  Answer: one."  I guess therefore that MSE+Win Firewall is the wall and MBAM is the moat!  Too much security technology is in my experience as bad as too little.

I am trialing MBAM Pro alongside MSE now.
So what am I on the look out for?...
Infection?  No.
Downturn in performance?  Yes.
So far so good :)

Prevention vs. Repair ...a great title indeed! :)
0
LVL 32

Expert Comment

by:Blue Street Tech
+1 :)
0
