Antivirus is a misnomer. Antivirus companies are no longer just antivirus; but the name has stuck. Everybody accepts that antivirus alone is no longer enough to keep computers and networks safe — but because of the misnomer, new next-gen machine learning endpoint protection vendors have been able to take center stage as antivirus replacement products. Legacy antivirus vendors, like Symantec, Sophos and McAfee have been compelled to release new products to rid themselves of the legacy association. Today Malwarebytes became the latest with the launch of Malwarebytes 3.0.
This new version combines the market preference for a single all-in-one product with the security expert’s preference for layered security. Even the free consumer version has been amalgamated into the single build 3.0, and differentiated from the enterprise version by the product’s license key. It is the consumer version that is launched today. This will give Malwarebytes, which raised $50 million in series B funding in January 2016, the experience and feedback from millions of users before launching the enterprise version in early 2017.
“The consumer version will always be free with the same remediation capabilities as the enterprise version,” CEO Marcin Kleczynski told SecurityWeek. “It goes back into the deep roots of where the company came from. I was infected with malware back in 2003 and was completely helpless. The only thing that saved me was the free tools that were out there. Unfortunately there were many that I had to run — so MalwareBytes was an attempt to bring everything together in one product; and we will always offer that free for consumers.”
The layered protection available in the new version is through the combination of different components. “The first layer is web blocking,” explained Kleczynski. “We’re looking to block any connection to a malicious host so that the user cannot even pull down the malware. The next layer is anti-exploit: here we’re looking for things like malvertising or anything that comes in through Flash or Java browser exploits. Then we’ve got the payload analysis (the anti-malware component); so if the user has malware on the machine, perhaps through email, we do pre-execution analysis on the file before it can run. Next we have an anti-ransomware layer based on behavior. And finally we have a remediation layer so that, if everything else has failed, we can get the user back to a clean environment.”
The anti-ransomware layer is really a behavior blocker tuned to anti-ransomware simply because of the magnitude of the threat. “The anti-malware side of the product is a pre-execution component, meaning it will try to detect malware before it can actually run on the machine,” explained Kleczynski. “It will probably detect a big chunk of ransomware as well. The anti-ransomware component is completely signature-less; it’s a behavioral blocker. This means that the malware has already got through and has started running — which is unfortunate — but it also means we can watch what it is doing. It’s the last layer of defense.”
Kleczynski claims that the anti-malware component will catch 99.99% of all ransomware before execution, but the anti-ransomware will catch anything that gets through by analyzing its behavior. “Ransomware encrypts files. So if files start to get encrypted, you know there may be ransomware. We don’t like to see more than 2 to 3 files being encrypted before we make a go/no go decision on whether this is ransomware or not. With just 2 or 3 files, we’ve stored a lot of the information in memory and can potentially reverse the changes, thus leaving the machine completely unharmed.”
Behavior blocking is a bit like machine learning without the machine. It uses manually generated rules rather than machine generated rules. But Kleczynski said that its product will be enhanced by machine learning proper in the near future.
“We’ve seen enough malware in the world to have a machine learn on that malware and predict the future — we’ve seen so many malware files that we can look at individual characteristics and learn about and from them,” Kleczynski said. “So we have some stuff in beta that we’ll come out with by the end of the year around machine learning; not just in anti-ransomware and behavior but in pre-execution. A couple of companies are already doing some interesting stuff in this area, and we want to make sure we’re ahead of that game as well.”
But he’s not an out-and-out fan of machine learning, and it will never be more than part of the Malwarebytes mix. “My issue with the new next-gen companies that have emerged over the last few years,” he told SecurityWeek, “is that they try to be a silver bullet, a one-trick pony. Several of them just do machine learning — which is good; but you won’t detect more than 95% of malware and the false positive rate will go through the roof. Our approach,” he continued, “which we think is the right approach, is to layer components. I don’t need 95% detection with 1% false positive in a layered solution — I’ll take 50% detection with 0% false positives. This beefs up my overall security without much overhead at all. I can use the other components, like the behavior and web blocking and anti-exploit and anti-malware that we already have, to get to the remaining 50%. The aim is to aggressively detect malware without incurring a high rate of false positives.”
The consumer version of Malwarebytes 3.0 is available now. The enterprise version will be launched early in 2017.
