malwarebytes.yes or no

Is malwarebytes good or bad

iMac, iOS 9.3

Posted on Mar 28, 2016 9:49 AM

25 replies

Aug 5, 2017 12:22 AM in response to etresoft

Although this topic has been marked "solved", I'm going to ask the same question as "bigotis1954" but with particular reference to the fact that MalwareBytes has now been upgraded to version 3, thereby going from a simple "on demand" tool to something far more complex (if you pay up after the trial that is).


Don't get me wrong, I've used v1 (and previously AdwareMedic) with no issues but v3 seems to be a totally different approach in that it is now more like a fully fledged virus program (operating in the background) that as you say most on this forum warn against using because of how they can negatively affect the OS.


What are your thoughts, and for those that have upgraded how does v3 perform, have you let it work in the background or has it been configured as just an on-demand tool? - at the moment I've stuck with v1.2.6 because of the above concerns and the fact that "signatures" can still be updated via the Scanner menu without the need to use "Check for updates" which obviously pushes v3 at you as well.

Aug 5, 2017 4:51 AM in response to SiHancox

Hello SiHancox,

I've been thinking many of the same things recently. People rarely look at the dates on posts. There are an awful lot of old posts of mine out there recommending AdwareMedic and MalwareBytes for Mac. At one point I even incorporated it into my own app EtreCheck. But I soon realized it was a bad idea to depend on someone else's software that was out of my control.


The new version of MalwareBytes for Mac is now very similar to every other 3rd party "endpoint security solution" on the market. Most people here at Apple Support Communities, with the notable exception of the original developer of MalwareBytes for Mac née AdwareMedic, are vehemently opposed to those kinds of system-modifying security packages. It will be interesting to see how this develops as more people find out about the new version.


I never saw any public announcement about a major new version with a completely new design. I got an e-mail forwarded to me a few days ago about the beta and then it was live. I didn't find out about the public release until one of my customers reported that EtreCheck was flagging the new MalwareBytes as possible adware because it wasn't signed with an Apple Developer ID. Without that signature, there is no way to guarantee that software really is what it claims to be or really comes from its purported author. Malware is known to masquerade as other software to avoid detection. Checking the signature is the only way to verify that.

Aug 5, 2017 5:27 AM in response to etresoft

Thank you for your thoughts (much appreciated) and also for highlighting the "signing" issue which I was not aware of - as said previously because the "older" version still appears to retain the ability for signature updates (wonder for how long though) I will remain with that for the time being, can't help but think the new update is more about revenue now, but I may be wrong, will be interesting to follow what others think/experience if they do give it a try!


Thanks again.

Aug 5, 2017 9:10 AM in response to SiHancox

I, too, was not aware that Malwarebytes had switched to the "run in background" model and now agree that there is little to separate it from other "anti-virus" software, sadly.


It also seems they switched to a free/premium tier model, and the language on their site now sounds very gimmicky. That is just my opinion at first glance, maybe Thomas (the original developer) will drop in here and explain the changes.

Aug 8, 2017 6:28 PM in response to toprun62

Apple didn't spot anything. They do not make random calls to users - ever. You got a random call from a crook and got scammed. Not only that, you let him have direct access to your computer. Your first order of business is to immediately call your credit card company and contest the charge to have it reversed. Then to immediately have it canceled and a new card issued.


Since there's no way of telling what this crook did to your computer, your only option is to erase the drive and reinstall the OS from scratch. Restore a backup ONLY if it was made before the crook was allowed access.


Only AFTER you've restored your computer to a point where the crook cannot be possibly watching what you're doing, you will need to change all of your passwords, starting with financial ones, such as your bank.

Aug 9, 2017 5:11 AM in response to toprun62

You're asking it as a question, "Did I bite the hook?" Yes, and the sinker and most of the line. I think I made that pretty clear.


You need to take this intrusion much more seriously. Freezing the credit card is a start, but it needs to be cancelled. They have the number now. As soon as the freeze is released, they, or any other crook they sell the card number to can start charging on it.


And why just let the crook have $51? Call the credit card company, explain you now realize you were scammed and want the charges reversed. It will hardly be the first time they've heard this.

Aug 10, 2017 8:48 AM in response to SiHancox

SiHancox wrote:


v3 seems to be a totally different approach in that it is now more like a fully fledged virus program (operating in the background) that as you say most on this forum warn against using because of how they can negatively affect the OS.


If you don't want the real-time protection (RTP) functionality, you can always turn that off (and not purchase when the trial ends) and just keep using it for on-demand scans and removal.


However, note that there actually are some big differences between the approach taken by the Malwarebytes 3 RTP engine and that of more "traditional" anti-virus software. In particular, note that the Malwarebytes Mac engine is not trying to examine every single file event, and scan every single file that gets touched, like traditional anti-virus software. Although one can argue there can be some utility to doing that, I think the risks outweigh the benefits. Malwarebytes for Mac ignores most filesystem events, only examining those that it has reason to look at.


I've been running various pre-release builds of this software for months now, and have never yet experienced a performance issue. I won't try to claim that it's impossible for anyone to have a performance problem, but I would ask that you at least give it a shot before you lump it in with all other Mac AV software. And keep in mind that we're still working on improving it.


I knew going in that this was going to be an unpopular choice among some groups. But the average Mac user has been clamoring for it, and there's a true need for some kind of more active protection these days, despite what many Mac AV naysayers will tell you.


Thomas Reed

Director of Mac & Mobile, Malwarebytes

Aug 10, 2017 2:07 PM in response to thomas_r.

First, thank you for taking the time to give us more insight into the design aims of V3, but is it possible to put a figure on what extra overhead RTP actually puts on a system and how does that compare with other typical AV software?


Also, if v3 is run in "on-demand" only does it still bring additional benefits (and if so what are they) when compared to v1 or is it basically the same as v1?

Aug 10, 2017 2:31 PM in response to SiHancox

All I can give you is anecdotal data, we haven't performed benchmarks. I can say that I've had it installed for months, and I can play graphically-intense games, run multiple virtual machines, or have literally a dozen different apps open without noticing any difference in performance.


As for why that is, it's the same reason our manual scans are so fast. We're not trying to look at every file on the system, like every other AV is doing. The same is true of our real-time protection.


If you turn off real-time protection, the on-demand benefits of 3.0 are about the same as 1.x, although in the near future we'll also have self-protection... meaning improved protection of our own files against manipulation by malware. We've seen some malware messing with our files in 1.x in an attempt to keep us from detecting it.

Aug 10, 2017 4:29 PM in response to thomas_r.

thomas_r. wrote:


If you turn off real-time protection, the on-demand benefits of 3.0 are about the same as 1.x,

Are there instructions anywhere about how to do that? I've looked, but I can't find any way to manually turn off real-time protection. What happens when the 30 days are up? Is the kernel extension still loaded? Does the user get notified after the 30 days? How does it work with other real-time protection systems and/or kernel extensions?


I have already seen two reports of the new version spinning out of control. In both cases, uninstalling MalwareBytes fixed the problem. I realize this is a new version and those are always a challenge. But I'm pretty sure that you keep your machine in a more orderly state than many other people.


One of the reasons people have been so eager to recommend MalwareBytes, and especially AdwareMedic before, was because it was not invasive. It is not unusual for people to have systems so unstable that they think they have a virus and start installing any antivirus software they can find. I can't imagine that the MalwareBytes kernel extension is going to help in that scenario.


although in the near future we'll also have self-protection... meaning improved protection of our own files against manipulation by malware. We've seen some malware messing with our files in 1.x in an attempt to keep us from detecting it.

Hopefully that solution will include a digital signature. The MalwareBytes executables are currently unsigned. Without a signature, there is no way to distinguish MalwareBytes 3.0 from malware. It is only a matter of time before malware developers realize they don't need to give their files distinctive and easy-to-identify names. They could easily hide in the noise of commonly installed 3rd party software like MalwareBytes. No one is going to think twice about a file named "com.malwarebytes.mbam.updater.daemon.plist".


I am working on a new version of EtreCheck with a major upgrade to its security features. The old whitelist is going away for good. I think I've come up with a sustainable way to handle unsigned executables. I'm just going to put them into a category all their own, called, creatively, "Unsigned Files", and let the user decide what to do with them. I strongly encourage you to click that little checkbox and sign your executables so that MalwareBytes will not show up in that list. That will make everyone's lives easier.
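
An added example, not part of the original thread and not EtreCheck's code: one way to build the "Unsigned Files" category described above, by resolving the program each launchd plist starts and asking macOS `codesign` whether its signature verifies. The function names, the other report keys, and the sample paths are assumptions; the sample plists are constructed.

```python
import plistlib
import subprocess
import tempfile
from pathlib import Path

LAUNCH_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents"]  # system launchd folders

def launch_item_executable(plist_path):
    """Return the executable a launchd plist starts, or None if it cannot be read."""
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)
        if job.get("Program"):
            return job["Program"]
        args = job.get("ProgramArguments") or []
        return args[0] if args else None
    except Exception:  # malformed file, unreadable file, or top level is not a dictionary
        return None

def codesign_ok(executable):
    """True if macOS `codesign` accepts the file's signature (macOS only)."""
    result = subprocess.run(["codesign", "--verify", "--strict", executable],
                            capture_output=True)
    return result.returncode == 0

def classify(dirs=LAUNCH_DIRS, verify=codesign_ok):
    """Sort launchd plists by whether the program they start is validly signed."""
    report = {"Signed": [], "Unsigned Files": [], "Unreadable": []}
    for directory in dirs:
        for plist in sorted(Path(directory).glob("*.plist")):
            exe = launch_item_executable(plist)
            if exe is None:
                report["Unreadable"].append(plist.name)
            else:
                key = "Signed" if verify(exe) else "Unsigned Files"
                report[key].append(plist.name)
    return report

def demo():
    """Constructed sample data and a stand-in verifier, so this runs off macOS."""
    jobs = {"com.malwarebytes.mbam.updater.daemon.plist":
                {"ProgramArguments": ["/constructed/path/updater"]},
            "com.example.signed.plist": {"Program": "/constructed/path/signed-tool"}}
    with tempfile.TemporaryDirectory() as tmp:
        for name, job in jobs.items():
            with open(Path(tmp, name), "wb") as fh:
                plistlib.dump(job, fh)
        Path(tmp, "broken.plist").write_bytes(b"not a plist")
        return classify([tmp], verify=lambda exe: exe.endswith("signed-tool"))
```

On a Mac, `classify()` with no arguments scans the two system launchd folders with the real `codesign` check; a familiar-looking plist name does nothing to keep an unsigned program out of the "Unsigned Files" list.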

Mar 28, 2016 1:56 PM in response to bigotis1954

Hello bigotis1954,

MalwareBytes has proven to be a safe and effective tool to remove adware. It, or its predecessor AdwareMedic, has been recommended thousands of times here on Apple support communities.


You should be aware that this is a "sensitive topic". There are a few people who still feel that Macs are immune to all malware or that users themselves are ultimately to blame for their adware or malware infections. I don't share those beliefs.
