First let me start by saying that ComboFix was
never meant to be used as a general purpose malware scanner like Malwarebytes' Anti-Malware, Zemana AntiMalware, SuperAntispyware, AdwCleaner, etc., which scan individual drives, different folders, the registry, etc., on a computer for malware. If you have not already done so, please read
ComboFix usage, Questions, Help? - Look here.
When compared to other security tools the
advantage of Malwarebytes Anti-Malware is that it uses a
proprietary low level driver similar to some anti-rootkit (ARK) scanners to locate hidden files and
special techniques which enable it to detect a wide spectrum of threats including active rootkits,
zero-day malware and malware in the wild. Malwarebytes is designed to be a much more comprehensive scanner than other tools and the new scanning engine in version 2.0 has some enhancements to deal with current threats that the old version did not have...but performs the same way whether using the Free or Premium version. Proprietary scan sections include "
Pre-Scan Operations" and "
Heuristic Analysis" which at times can be resource intensive leading to a false impression that the scanner is hanging or unresponsive. All scans require loading various databases which alone can take some time to complete.
Malwarebytes Anti-Malware's technology in the Premium version includes a real-time
Protection Module that runs at startup to
prevent the installation of most new malware,
stopping malware distribution at the source. This technology dynamically blocks malware sites & servers, prevents the execution of malware, proactively monitors every process and helps
stop malicious processes before they can infect your computer. Anti-virus software is
inherently reactive...meaning it usually finds malware after a computer has been infected. Keep in mind that this feature does not guarantee something will not slip through as
no product can detect and prevent every type of malware. The database that defines the heuristics is updated as often as there is something to add to it. Also keep in mind that
Malwarebytes Anti-Malware is not meant to be a replacement for antivirus software...it does not act as a real-time protection scanner for every file like an anti-virus program so it is
intended to be a supplement, not a substitute.
Malwarebytes is designed to detect and remove malware effectively by checking memory and looking at the most prevalent places and known launch points (Memory Objects, Startup Objects, Registry Objects, and File system Objects) for active malware infections. The THREAT SCAN also detects any running malicious files regardless of their location, so even if the malware is running from a location not checked by the file system portion of the scan, the THREAT SCAN would still detect it. This check includes not only running processes, but also loaded modules such as .DLLs injected into other processes. Malwarebytes uses advanced
heuristics scanning that bypasses polymorphic blackhat packers & encryption,
MD5, check memory (loaded .exes and .dlls), unique strings, autostart load points and hotspots (everywhere current malware is known to load from) and multiple
other proprietary malware checks which are not discussed in public to safeguard the program from malware writers who would use that information for nefarious purposes.
Malwarebytes free includes the same detection and removal capabilities as the Premium version but does
not include any features or benefits provided by the real-time Protection Module.
Advanced Heuristics Engine (Shuriken) adds a second method of heuristic analysis to Malwarebytes' detection techniques. Shuriken is a supplementary concealed weapon used for detecting newer mutations of infections that have not been added to Malwarebytes' threat database. This feature is turned on by default under the 'Detection and Protection' Option section. However,
heuristic analysis is built-in and always employed when a scan is performed...even when this option is not selected. Therefore, disabling this setting will not completely remove heuristic analyzing. Enabling the
self-protection module controls whether Malwarebytes creates a safe zone to prevent malicious manipulation of the program and its components.
In addition to malicious software detection and removal, Malwarebytes Anti-Malware also detects and deals with two classes of
non-malware...these are
Potentially Unwanted Programs (PUPs) and
Potentially Unwanted Modifications (PUMs). The default setting for detected PUPs is to "
Warn user about detections". Malwarebytes will not automatically remove these detections unless you reconfigure (change) the default
Non-Malware Protection settings to "
Treat detections as malware".
Malwarebytes has an aggressive PUP Policy and has been in the forefront to educate product users and blog readers.
For more specific information, please refer to:
Malicious Website Blocking (IP Protection) is part of the Protection Module and works after it is enabled. When attempting to go to a potential malicious website, Malwarebytes will block the attempt and provide an alert. An
outgoing IP alert indicates that a process on your system tried to access a malicious IP and was prevented from loading content onto your system. A browser is not required to be running for an alert to occur...just an active Internet connection with processes running. IP alerts are also triggered by banner ads appearing on websites since in some cases these ads are malicious. Notification that an outgoing IP address has been blocked
does not necessarily mean the computer is infected. Some legitimate programs on your computer (e.g. iTunes, Instant Messenger client, SKYPE, P2P software, web browsers) have access to the Internet and that action can trigger an IP alert if it tried to access a malicious IP address.
IP Protection is also designed to
block incoming connections (communications) that it determines to be malicious and that you did not request from entering your computer. Hackers use "
port scanning", a popular reconnaissance technique, to search for vulnerable computers with open ports using IP addresses or a group of random IP address ranges so they can break in and install malicious programs.
Botnets and
Zombie computers scour the net, randomly scanning a block of IP addresses, searching for vulnerable ports (commonly probed ports) and make repeated attempts to access them.
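The reconnaissance pattern the post describes (one source sweeping many ports on a host, and repeated hits on a single commonly probed port) is what a defender looks for in blocked-connection logs. As an added example that is not part of the original post and is not Malwarebytes' own code, here is a small Python detector run over constructed log lines. The log format, the IP addresses and the thresholds are all assumptions made for this example.

```python
"""Port-scan detection over connection-attempt log lines (added example).

The log format below is invented for this example; it is NOT the alert or
log format of Malwarebytes or any firewall product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
# 203.0.113.7 sweeps six ports in a few seconds (a port scan);
# 198.51.100.9 hits port 445 twice half an hour apart (a repeated probe);
# 192.168.1.5 is ordinary internal traffic and must not be flagged.
SAMPLE_LOG = """\
2014-05-01T10:00:00 203.0.113.7 -> 192.168.1.20:22 BLOCKED
2014-05-01T10:00:01 203.0.113.7 -> 192.168.1.20:23 BLOCKED
2014-05-01T10:00:01 203.0.113.7 -> 192.168.1.20:135 BLOCKED
2014-05-01T10:00:02 203.0.113.7 -> 192.168.1.20:139 BLOCKED
2014-05-01T10:00:02 203.0.113.7 -> 192.168.1.20:445 BLOCKED
2014-05-01T10:00:03 203.0.113.7 -> 192.168.1.20:3389 BLOCKED
2014-05-01T10:00:05 198.51.100.9 -> 192.168.1.20:445 BLOCKED
2014-05-01T10:30:00 198.51.100.9 -> 192.168.1.20:445 BLOCKED
2014-05-01T10:00:10 192.168.1.5 -> 192.168.1.20:80 ALLOWED
2014-05-01T10:00:11 192.168.1.5 -> 192.168.1.20:443 ALLOWED
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>\w+)$"
)


def parse_log(text):
    """Parse the constructed log format into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "port": int(m["port"]),
            "action": m["action"],
        })
    return events


def detect_port_scans(events, window=timedelta(seconds=60), min_ports=5):
    """Flag (src, dst) pairs that touch >= min_ports distinct ports inside any sliding window.

    Returns {(src, dst): sorted list of distinct ports seen in the widest offending window}.
    Both blocked and allowed attempts count: a scan that finds open ports still looks like a scan.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)

    findings = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(evs):
            # Advance the window start until all events in [start, end] fit within `window`.
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {x["port"] for x in evs[start:end + 1]}
            if len(ports) >= min_ports:
                findings[pair] = sorted(ports)
    return findings


def detect_repeated_probes(events, min_attempts=2):
    """Flag (src, dst, port) triples probed at least min_attempts times, regardless of spacing.

    This catches the slow, repeated attempts on one commonly probed port that a
    per-window port count would miss. Returns {(src, dst, port): attempt count}.
    """
    counts = defaultdict(int)
    for e in events:
        counts[(e["src"], e["dst"], e["port"])] += 1
    return {k: n for k, n in counts.items() if n >= min_attempts}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (src, dst), ports in detect_port_scans(evs).items():
        print(f"port sweep: {src} -> {dst} ports {ports}")
    for (src, dst, port), n in detect_repeated_probes(evs).items():
        print(f"repeated probe: {src} -> {dst}:{port} x{n}")
```

Thresholds are a tuning decision: a 60-second window with five distinct ports catches fast sweeps, while the attempt count catches the slow repeat hits; a single source that trips either rule is worth a blocklist entry, whereas a lone blocked outbound connection from a known application is not, which is the point the post makes about IP alerts.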