Which is better: prevention or detection of malware? At the end of my last post, For Computer Security, Can Malwarebytes Do the Job?, a client’s computer was still suffering from a bunch of infections and Malwarebytes was chugging away on it. I submitted the post while the scan was in progress, but when it finished, nothing malicious was found. That was a puzzle, because I suspected there were still problems, so I did some test surfing and quickly found that the Babylon Toolbar had come back in spite of having been deleted in a way that has worked in the past. Several suspect processes were also active, and the machine’s general operation did not seem normal. So I did what should have been done as soon as I was presented with a badly infected computer: I did a full reinstall of Windows. This was not as burdensome as one might have expected; even activation went through without a hitch. But I always feel like a loser when falling back to that kind of brute-force solution. Maybe that is why I wasted too much time trying to do the wrong thing. Taking pride in your work is good, but taking pride in the wrong kind of work helps no one.
The necessity for a Windows re-installation is not a putdown on Malwarebytes for not fixing everything. I hold it in the highest regard. It is one of the best available anti-malware programs in either free or paid format. The thing we have to remember is that no single program finds and cures all possible infections. For instance, here is a video showing Malwarebytes finding a Trojan after Kaspersky missed it. One could probably make a similar video with Kaspersky finding a Trojan that Malwarebytes missed.
Several organizations publish test results of competing anti-malware products. For instance, consider AV-Comparatives. Its summary covers 22 anti-malware companies in a comprehensive series of tests, but Malwarebytes is not among those being tested. It also lists seven different types of results, including the often overlooked false alarm rate. The false alarm rate is important. After all, if you want to make an anti-malware product that is guaranteed to catch every bad thing, you can simply bias the discriminator toward more false positives as an acceptable cost of minimizing false negatives. At the limit, a 100% detection system would flag everything as bad. In this way, nothing is missed, and every clean file becomes a false alarm.
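To make the trade-off concrete, here is an added example (not from the post or from any testing lab) that sweeps a detection threshold over a handful of constructed suspicion scores and shows that the only threshold reaching 100% detection is the one that also flags clean files. The scores and labels are made up for illustration; the score stands in for whatever heuristic an engine assigns a file.

```python
# Added example: biasing a detector's threshold trades false negatives for
# false positives. All scores and labels below are constructed, not lab data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rates:
    detection: float    # true-positive rate: share of malware caught
    false_alarm: float  # false-positive rate: share of clean files flagged


# Constructed sample: (suspicion score 0..1, is_malware). The label is the
# ground truth a test lab would know; the engine only sees the score.
SAMPLES = [
    (0.95, True), (0.80, True), (0.70, True), (0.55, True), (0.30, True),
    (0.60, False), (0.40, False), (0.25, False), (0.10, False), (0.05, False),
]


def rates_at(threshold, samples=SAMPLES):
    """Flag every sample scoring >= threshold; return detection and false-alarm rates."""
    tp = sum(1 for s, bad in samples if bad and s >= threshold)
    fp = sum(1 for s, bad in samples if not bad and s >= threshold)
    positives = sum(1 for _, bad in samples if bad)
    negatives = len(samples) - positives
    return Rates(tp / positives, fp / negatives)


def threshold_for_full_detection(samples=SAMPLES):
    """Lowest threshold that still catches every malware sample: the 'guaranteed' detector."""
    return min(s for s, bad in samples if bad)


def sweep(samples=SAMPLES):
    """(threshold, Rates) for every distinct score, strictest threshold first."""
    return [(t, rates_at(t, samples)) for t in sorted({s for s, _ in samples}, reverse=True)]


if __name__ == "__main__":
    for t, r in sweep():
        print(f"threshold {t:.2f}: detection {r.detection:.0%}, false alarms {r.false_alarm:.0%}")
    t = threshold_for_full_detection()
    # With these samples, 100% detection costs a 40% false-alarm rate;
    # a threshold of 0 (flag everything) costs 100%.
    print(f"100% detection needs threshold {t:.2f}, false alarms {rates_at(t).false_alarm:.0%}")
```

The sweep is the same calculation a lab's ROC-style comparison rests on, which is why a headline detection figure means little without the false alarm rate beside it.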
But AV-Comparatives does not force you to wade through all the data. Instead, it combines the results from all of its tests and, with a disclaimer saying that consumers should download trial versions before making a decision to purchase, it recommends a best choice. The winner in the December 2011 summary was Kaspersky. This is one reason why I was interested in seeing the video of Malwarebytes finding a Trojan that Kaspersky missed.
A somewhat dated (July 2010) video shows a brave soul deliberately infecting a computer (presumably a virtual machine) with a lot of nasties and then using Malwarebytes by itself to find and get rid of them. His conclusion was “It is pretty good.” Another, more recent video, posted April 2012, tests AVG used in cooperation with Malwarebytes. The test was done on a virtual machine infected with 321 pests. AVG by itself found about 87%, but combined with the paid version of Malwarebytes, all were found. This is very impressive for the combination, and it supports my contention that this two-layer approach is the better way to go.
After finding these videos, I naturally searched for “MSE and Malwarebytes” since that is the combination that I have been recommending for consumer use. Many studies have been done. The results are about the same as the video with AVG. The combination works well.
What I have not been able to convince myself of is why the major testing labs have not reported results with Malwarebytes. We can speculate, and perhaps some of you reading this know the insides of the business better than I do (not difficult, since I know nothing). It could be because Malwarebytes is an oddball compared to the others, or it could be that money is involved, or it could be a business decision. I just do not know.
But as a result of such adventures, I have come to greatly appreciate the difference between being able to find and cure infections during a scan and preventing infections by detecting them on the way in, before the harm can be done. When a computer comes to me highly contaminated, how will we know if it is truly clean after any number of scans? The best way seems to be to recover as much personal data as can be recovered safely and then reinstall Windows. This means that all applications must be reinstalled and personal settings reconfigured. Such is life. Suck it up. This is still better than not being sure after spending hours or even days chasing ghosts, only to have a recurrence of the same problems. For that reason, I prefer to concentrate on anti-malware applications that are good at intercepting incoming problems before they get established.
Malwarebytes in combination with another anti-malware application is good, but the best protection is still the user. Just as seat belts and airbags are good protection in automobiles, anti-malware is good protection, but the first line of defense in an automobile is an alert driver, and similarly the first line of defense for a computer is the user. Prevention of an accident is much better than the best seat belt. This does not mean that I advocate driving without insurance or airbags. You still need those protections, but the emphasis should be on accident prevention. The same holds true for safe surfing and general computer usage.