MBAM is not an anti virus application and does not replace an anti virus application. MBAM is an adjunct, complementary, anti malware application.
In its role as an adjunct, complementary, anti malware application it has limitations in the areas that an anti virus application covers in its own role.
MBAM does not target script files. That means MBAM will not target: JS, JSE, PY, HTML, HTA, VBS, VBE, CLASS, SWF, SQL, BAT, CMD, PDF, PHP, WSF, etc.
It also does not target document files such as: PDF, DOC, DOCX, DOCM, XLS, XLSX, PPT, PPS, ODF, RTF, etc.
It also does not target media files: MP3, WMV, JPG, GIF, etc.
Until v1.75, MBAM could not look inside archives. v1.75 added that ability, so it can unpack a Java JAR (which is a PKZip file) but it will not target the .CLASS files within. The same goes for CHM files (a compiled HTML Help container): it can unpack them but does not target the HTML files within. MBAM v1.75 specifically handles ZIP, RAR, 7z, CAB and MSI archives, and self-extracting ZIP, 7z, RAR and NSIS executables (aka SFX files).
MBAM specifically targets binaries whose first two bytes are the characters MZ (the DOS/PE executable header).
They can be EXE, CPL, SYS, DLL, SCR or OCX files. Any of these file types can be renamed to anything, such as TXT, JPG, CMD or BAT, and they will still be targeted as long as the binary starts with 'MZ'.
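As an added example (not Malwarebytes' code), here is how a scanner picks its targets by content rather than by file name, following the MZ rule above. It goes one step past what the text states: after the MZ check it also follows e_lfanew (the dword at offset 0x3C) to the "PE\0\0" signature, so a bare MZ-stub DOS program is reported separately from a real PE image. The sample files and the minimal PE image are constructed for the demo.

```python
# Added example (not Malwarebytes' code): choose scan targets by file content
# rather than extension. A file counts as a Windows executable when it begins
# with the DOS "MZ" stub; we additionally follow e_lfanew (the dword at offset
# 0x3C) to the "PE\0\0" signature to separate PE images from bare DOS stubs.
import os
import struct
import tempfile

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"

def classify_file(path: str) -> str:
    """Return 'pe', 'mz-only' or 'not-executable' based on the header alone."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if len(head) < 0x40 or head[:2] != MZ:
            return "not-executable"
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        fh.seek(e_lfanew)                 # past EOF simply reads b"" -> mz-only
        return "pe" if fh.read(4) == PE_SIG else "mz-only"

def minimal_pe() -> bytes:
    """Constructed stand-in for a PE file: MZ stub, e_lfanew -> 0x40, PE signature,
    then a 20-byte COFF header with Machine = 0x14c (i386) and the rest zeroed."""
    stub = bytearray(0x40)
    stub[:2] = MZ
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + PE_SIG + struct.pack("<H", 0x14C) + b"\x00" * 18

def scan_tree(root: str) -> dict:
    """Walk a directory and classify every file regardless of its name."""
    verdicts = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            verdicts[os.path.relpath(path, root)] = classify_file(path)
    return verdicts

def demo() -> dict:
    """Lay out constructed sample files in a temp dir and scan them."""
    samples = {
        "report.txt": minimal_pe(),                       # PE hiding behind .txt
        "holiday.jpg": minimal_pe(),                      # PE hiding behind .jpg
        "setup.exe": b"@echo off\r\nstart evil.vbs\r\n",  # batch script named .exe
        "old.com": b"MZ" + b"\x00" * 62 + b"\x90" * 16,   # MZ stub, no PE signature
        "notes.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 60,  # OLE compound document
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root)

if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name:12} {verdict}")
```

The two renamed PE files are reported as executables while the batch script called setup.exe is not, which is exactly the behaviour the text describes: the extension plays no part in the decision.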
MBAM targets mainly non-viral malware. The exceptions are virus droppers (a malware file that drops a virus and starts a virus infection but is not itself infected with the virus) and worms (such as Internet worms and AutoRun worms).
MBAM is incapable of removing malicious code that has been prepended, appended or cavity injected into a legitimate file. That means if a file infecting virus infects a legitimate file, MBAM will be unable to remove the malicious code. An anti virus application should be able to remove malicious code from an infected file and hopefully bring it back to its pre-infection state, which may or may not return the file to its original, non-infected, checksum value.
A file infecting virus will prepend, append or cavity inject malicious code into a legitimate file. Once infected, that file can further the infection by infecting other legitimate files.
On the other hand there are trojans that will prepend, append or cavity inject malicious code into a legitimate file, but the resulting file cannot infect other files; the infection stops with that targeted file. These files are deemed to be "trojanized" or "patched". Since MBAM cannot remove the added malicious code, at best MBAM will try to replace the trojanized file with a legitimate, unaltered copy.
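As an added illustration (not Malwarebytes' or any anti virus vendor's code), the block below models the three infection shapes named above on a toy executable format and shows why a generic disinfector can remove the added code yet still not give back the original checksum, whereas the replace-with-a-known-good-copy strategy described for trojanized files does. The format, the infector's marker, the payload and the overwritten timestamp are all constructed for the demo; real infectors are of course not this tidy.

```python
# Added example, not Malwarebytes' or any AV vendor's code. Toy executable
# format: 16-byte header (magic, entry offset, timestamp, reserved), code, then
# zero padding (the "cavity"). Infectors prepend, append or cavity-inject a
# body that ends in a constructed MARK so the disinfector can find it again.
import hashlib
import struct

MAGIC = b"TOY!"
HDR = struct.Struct("<4sII4x")   # magic, entry offset, timestamp, 4 reserved bytes
MARK = b"<<INF>>"                # trailer the toy infector leaves after its body

def build_clean(code: bytes, cavity: int = 64, timestamp: int = 0x5F000000) -> bytes:
    """A clean file: header, code, then zero padding (the 'cavity')."""
    return HDR.pack(MAGIC, HDR.size, timestamp) + code + b"\x00" * cavity

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _patch_header(data: bytes, entry: int, timestamp=None) -> bytes:
    _, _, ts = HDR.unpack_from(data, 0)
    return HDR.pack(MAGIC, entry, ts if timestamp is None else timestamp) + data[HDR.size:]

def _body(payload: bytes, orig_entry: int) -> bytes:
    # The virus body records the original entry so it can hand control back.
    return payload + struct.pack("<I", orig_entry) + MARK

def append_infect(data: bytes, payload: bytes) -> bytes:
    _, entry, _ = HDR.unpack_from(data, 0)
    return _patch_header(data, len(data)) + _body(payload, entry)

def prepend_infect(data: bytes, payload: bytes) -> bytes:
    # The stub becomes the new file; the original is carried whole after MARK.
    _, _, ts = HDR.unpack_from(data, 0)
    return HDR.pack(MAGIC, HDR.size, ts) + payload + MARK + data

def cavity_infect(data: bytes, payload: bytes) -> bytes:
    _, entry, _ = HDR.unpack_from(data, 0)
    body = _body(payload, entry)
    hole = data.find(b"\x00" * len(body), HDR.size)   # first run of slack big enough
    if hole < 0:
        raise ValueError("no cavity large enough")
    patched = data[:hole] + body + data[hole + len(body):]
    # Many infectors also touch header fields; this one stamps its own timestamp.
    return _patch_header(patched, hole, timestamp=0xDEADBEEF)

def disinfect(data: bytes) -> bytes:
    """Generic removal: locate the body via MARK and undo the layout change.
    A header field the infector overwrote (the timestamp) cannot be recovered."""
    _, entry, _ = HDR.unpack_from(data, 0)
    if data.endswith(MARK):                                   # appended
        (orig_entry,) = struct.unpack_from("<I", data, len(data) - len(MARK) - 4)
        return _patch_header(data[:entry], orig_entry)
    mark = data.find(MARK, HDR.size)
    if mark < 0:
        return data                                           # nothing recognised
    after = mark + len(MARK)
    if data[after:after + len(MAGIC)] == MAGIC:               # prepended
        return data[after:]
    (orig_entry,) = struct.unpack_from("<I", data, mark - 4)  # cavity
    cleaned = data[:entry] + b"\x00" * (after - entry) + data[after:]
    return _patch_header(cleaned, orig_entry)

def replace_if_modified(data: bytes, known_good: bytes) -> bytes:
    """The trojanized/patched-file strategy: compare against a trusted copy and
    swap the whole file instead of trying to excise the added code."""
    return data if sha256(data) == sha256(known_good) else known_good

if __name__ == "__main__":
    clean = build_clean(b"\x90" * 32)
    payload = b"\xcc" * 8   # constructed stand-in for malicious code
    for name, infect in (("append", append_infect), ("prepend", prepend_infect), ("cavity", cavity_infect)):
        back = disinfect(infect(clean, payload))
        print(f"{name:8} code removed: {back[HDR.size:] == clean[HDR.size:]}, "
              f"checksum restored: {sha256(back) == sha256(clean)}")
    print("replace_if_modified restores:", replace_if_modified(cavity_infect(clean, payload), clean) == clean)
```

For the appended and prepended cases the disinfector hands back a byte-identical file. For the cavity case the code is gone and the entry point is restored, but the timestamp the infector overwrote is lost, so the checksum no longer matches: the "may or may not return the file to its original checksum" caveat in the text. Replacement from a trusted copy sidesteps the problem entirely, at the cost of needing that copy.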
Where a traditional anti virus application is weak, MBAM is strong. Today's malware is much more complex than it was 10 years ago. When we saw the Melissa virus (I-Worm via SMTP), the Lovsan/Blaster worm (I-Worm via RPC/RPCSS on TCP port 135) and the like, they were distributed for the effect, the damage and the bragging rights. Today's malware is more sophisticated in that it is "all about the money". Malicious actors use malware to profit, whether by outright theft, distribution affiliate revenue, data exfiltration, identity impersonation, etc. To that end the malicious actors either don't want the victim to know that the system was compromised, or they are blatant about it by generating advertisements. Yesterday's malware was simple and less obtrusive. Today's malware is very intrusive and makes numerous modifications to the Operating System. Those numerous modifications to the Operating System are where the traditional anti virus application does poorly and where MBAM specializes.
MBAM is not a historical anti malware solution. That means it will not target old malware. Its intent is to target 0-day malware: malware that is infecting computers today, found in the wild today. That means something like BugBear, which infected systems years ago, will not be targeted by MBAM. Malwarebytes will actually cull their signature database of malware that is no longer seen in the wild. This is why Malwarebytes requests that samples submitted for detection consideration be no older than 3 months.
Malwarebytes rests its new declaration of MBAM as an anti virus replacement upon the shoulders of its anti exploit module.
When one talks about an "exploit" there are two basic kinds.
- Exploiting a software vulnerability to gain elevated privileges and effect a compromise
- Taking advantage of a legitimate capability, to the attacker's benefit, in an unexpected or unanticipated way
As an example of the first case I'll use the Lovsan/Blaster worm. It exploited a software vulnerability in the Operating System's RPCSS/DCOM service, which listens on TCP port 135. The worm would send a specific string of bytes to TCP port 135 to trigger a buffer overflow with elevation of privileges; if successful, the worm would create a BLASTER.EXE file on the target system and then execute it. Once the PC was infected it would seek new hosts, and so the Lovsan/Blaster worm spread exponentially.
As an example of the second case I'll use the Wimad trojan. The Wimad trojan takes advantage of the Digital Rights Management (DRM) licensing built into media files such as MP3, WMV and other music and video files: when the player tries to acquire a license for the file, it follows the license URL carried in the file, and that URL leads to a malicious page. Combined with social engineering and one's desire for "free music" or a "free movie", this causes the person to download and run some malicious program.
This is why one uses an anti exploitation application: to thwart the malicious activity of deliberately exploiting a vulnerability to effect a system compromise.
One may use a specially crafted...
- PDF file to exploit a vulnerability in a PDF viewer like Adobe Reader or Foxit.
- MOV file to exploit a vulnerability in Apple's QuickTime renderer.
- GIF file to exploit a vulnerability in Microsoft's Graphics Device Interface (GDI).
- DOC, XLS or other MS Office document file to exploit a vulnerability in Microsoft Office or to use a macro to download and execute a file or extract an embedded file and execute it.
- RMP file to exploit a vulnerability in RealPlayer.
It is for situations such as those enumerated above that an anti exploit application is used: to monitor and shield a given application, one known to have been targeted through vulnerabilities, from attempts via the vulnerability/exploitation attack vector. It is not for untrusted applications.
The intention is to monitor and shield a given, trusted application which has a propensity for being exploited.
So MBAM may block a Wimad trojan from exploiting Windows DRM, but it is incapable of detecting the media file itself as being a Wimad trojan. That is something an anti virus application will do. One may not get infected by a Wimad trojan while using MBAM, but it will not identify these DRM-exploiting files.
MBAM is not VIM or MAPI compliant, nor does it supply POP proxy capability. Therefore email is not scanned for malicious files or malicious content. MBAM may block a "known" phishing URL or an HTML.FakeAlert site, but it is incapable of identifying and quarantining the malicious email. This is also something an anti virus can do.
MBAM may block a "known" phishing URL or an HTML.FakeAlert site, but since it does not target scripted malware it cannot pre-scan the HTML and block access to a site using malicious code that is not already known to Malwarebytes. MBAM may handle a software exploit well, but due to its inability to scan scripted malware it will not help in social engineering events, which are the human exploit. A traditional anti virus application, on the other hand, adds that additional capability. Below is a snapshot of some of the detections a traditional anti virus application can perform that MBAM cannot.
With all the things that MBAM cannot do, it is not an anti virus application; it remains an anti malware application, which relegates it to its complementary position.