Skip to main content

This real-time map of antivirus fails is roasting MalwareBytes’ competitors

malwarebytes laptop
Image used with permission by copyright holder
In the wake of the Equifax hack and growing mistrust of major anti-virus companies, it’s becoming harder and harder to know where to turn for your digital security. MalwareBytes believes it should be your solution in these troubled times, and has thrown down the gauntlet for other anti-virus firms with a new tool and report that highlights how they are failing their customers.

MalwareBytes is an anti-malware application that offers manual scanning in its free version, and real-time protection with its premium option. Traditionally, it’s been used as remediation tool by consumers, as a redundancy after their main anti-viral solution fails to prevent infection. But as 2017 ends, MalwareBytes is looking to step out of the toolsets of IT professionals, and into the hearts and minds of consumers the world over — by taking a swipe at its competitors.

To highlight their failings, it’s released a heat map of MalwareBytes users the world over, who have discovered malware infections using its scanning tool. The kicker is that all of those found to be infected are already running some form of security software, be it anti-virus tools like Avast, AVG or Symantec, or built-in defense systems like Windows Defender.

Regardless of the security system in place, every dot on that map is someone actively fixing their system with MalwareBytes. That’s why the company wants you to make MalwareBytes your first line of defense, not the last.

Stepping out of the shadows

First released in 2007 after co-founder and CEO Marcin Kleczynski had his own brush with troublesome malware, MalwareByres has been used as a popular “remediation,” tool ever since. That’s because many users have found it to be a more effective tool for discovering infections and attacks than existing antivirus protection. We asked  Kleczynski what makes MalwareBytes a more effective way to discover, and ultimately stop, malware attacks in their tracks.

malwarebytes art
Image used with permission by copyright holder

“A lot of traditional antivirus firms do a lot of work with signatures,” he said. “You’ve seen it before, they ship a large database of signatures [of malware]. They’re hundreds of megabytes. They update it every day or every hour. The issue with that approach is they must react. They actually have to see the malware.”

That’s no good, he says, because it’s impossible to discover every piece of malicious software out there. “You’re never going to see all of the malware, you’re not even going to see five percent of the malware. You have to look at trends and patterns,” he said.

Malwarebytes does exactly that, relying on analysis of how software is running instead of looking for specific signatures associated with known malware. “When we started in 2004, the majority of antivirus ideas were already 20 years old, so we were really able to come up with AV 2.0, and take our own approach to it. […] Even back in 2004, we were already looking at characteristics.”

Today, MalwareBytes employs numerous approaches to cover as many bases as possible. That includes using the signatures of existing and detected malware to track down known infections, and leveraging machine learning to plan. It also looks at behaviors and expected use patterns, so if certain software starts doing something it shouldn’t, it can put a block on it before it starts.

“You’re never going to see all of the malware, you’re not even going to see five percent.”

“Our anti-ransomware system which ships with MalwareBytes, it’s exclusively behavior based,” Kleczynski said. “We look for encryption events and we score them and if we see too much, we actually roll back the process and arrest it. That’s an example of a custom-built technology that we had to put together, because ransomware was such a big issue.”

Ultimately, Kleczynski said, MalwareBytes doesn’t use a “Silver Bullet” technique, claiming that no one solution works for all malware attacks. Instead, it uses a combination of systems and expertise to come at the modern world of breaches and infections with a multi-faceted approach.

Carrots and sticks

While Kleczynski talks a big game, its the company’s recent report on its competitors that is the starkest part of its recent promotional efforts. It’s not just claiming that MalwareBytes is the best. It’s showing how its competitors are failing customers.

“[We]’ve seen a lot of the AV labs putting out reports where many of them score 100 percent,” Kleczynski said. “It’s become increasingly popular with AV vendors to slap stickers on their website. Malware in a lab performs very different from malware in the wild. The only real way, I think, to compare AV vendors is to analyze the real-world data.”

malwarebytes heat map
Image used with permission by copyright holder

That’s exactly what it did with its “Mapping AV Detection Failures,” report. In it, it looked at around 10 million infected systems that cleaned themselves up using the MalwareByte scanning tool between January, and June, of 2017. Of that number, some 44 percent had two or more antivirus solutions installed — yet were infected anyway.

“Taking out all data that looks at MalwareBytes actively blocking threats, we only looked at data of the major AV companies,” Kleczynski said. “They had to be registered in the Windows security center, so had to be actually activated with Windows. If we cleaned up the mess after AV, we sent that information back to our servers. [We recorded] if we have cleaned up malware on a computer and [what antivirus] it has installed. That’s the only data we collected, no personally identifiable information. We tossed away all the IP addresses.”

Other notable stats in the report include that 52 percent of ransomware infections caused by the notorious ransomware known as Hidden Tear were discovered on systems running multiple antivirus solutions. If you eliminate Microsoft’s bundled Windows Defender from the results, some 40 percent of all malware tracked were discovered on a system with an add-on antivirus solution.

Live tracking success and failure

MalwareBytes is aware of the potential for perceived bias in such a report. After all, its own report claiming it’s better than the competition is hardly surprising. That’s where the live heatmap comes in. Available now for anyone to view, it tracks live MalwareBytes scans across the world, highlighting that often these systems have third party antivirus installed — which failed.

While MalwareBytes goes out of its way to avoid naming and shaming anyone in its aggregated report, the live data does not. Microsoft tops the list, suggesting the Windows Defender tool that comes installed by default with Windows 10 is the most popular antiviral solution around. Still, big names like Avast, AVG, McAffee, Symantec, Kaspersky, and many others make the list. They all fail to pick up malware that MalwareBytes ultimately cleans up.

“They might have Windows Defender installed, and then add in Avast, but they’re still getting infected.”

If nothing else, the heatmap shows that a lot of people are using MalwareBytes, and they’ve having success with it. Within just a few minutes of viewing the map, hundreds of success “blips” appear across it. Scrolling through the list, just about every mainstream consumer and business antivirus has been thwarted by an infection that MalwareBytes ultimately cleans up.

“This map shows when remediation cleans up the malware on the devices as its happening,” Kleczynski said. “[We’re] not claiming we’re the best, but […] we’re looking at a lot of consumers who use multiple solutions. They might have Windows Defender installed, and then add in Avast, but they’re still getting infected.”

Building trust in a world full of breaches

Along with its more varied approach to malware detection and prevention, MalwareBytes also employs several practices to keep its own code secure. Competitors like of Ccleaner and Symantec have faced security concerns at the very core of their service, so MalwareBytes thinks this could help build trust among consumers who find it increasingly hard to know where to turn for protection. It’s especially important now that security researchers have highlighted how some antivirus software can introduce more security vulnerabilities than they protect against.

“We have internal security teams – I just hired a new information security officer myself a year ago – and we do a lot of code audits, third party audits,” Kleczynski said. “We have a bug bounty where we pay up to $5,000 for a bug discovered and are thinking about raising that to raise interest. We’re partnered with HackerOne, too.”

This is something all companies should be doing though, he thinks. Highlighting how some of the recent debacles with security at major firms have impacted the public’s opinion of them and data collection services in general, Kleczynski highlighted that ultimately, it’s the way that companies respond to issues that defines them most.

“People will try to find vulnerabilities in your software and it’s how you respond. No programmer is perfect, and I don’t think AV [introduces] more vulnerabilities if done right.”

And his idea of what antivirus (or anti-malware) “done right,” — is MalwareBytes of course.

Jon Martindale
Jon Martindale is the Evergreen Coordinator for Computing, overseeing a team of writers addressing all the latest how to…
A dangerous new jailbreak for AI chatbots was just discovered
the side of a Microsoft building

Microsoft has released more details about a troubling new generative AI jailbreak technique it has discovered, called "Skeleton Key." Using this prompt injection method, malicious users can effectively bypass a chatbot's safety guardrails, the security features that keeps ChatGPT from going full Taye.

Skeleton Key is an example of a prompt injection or prompt engineering attack. It's a multi-turn strategy designed to essentially convince an AI model to ignore its ingrained safety guardrails, "[causing] the system to violate its operators’ policies, make decisions unduly influenced by a user, or execute malicious instructions," Mark Russinovich, CTO of Microsoft Azure, wrote in the announcement.

Read more