Chris Sienko: Hello and welcome to another episode of CyberSpeak with Infosec Institute. Today’s guest is Michael Sherwood, senior director of technician services at Malwarebytes. Today we’re going to talk about one of the very specific features of Malwarebytes, namely the group’s free malware removal forums. Michael Sherwood leads Malwarebytes’s technician services division, as well as the organization’s public forums. He specializes in software development, toolkit development and change management, and has architected and patented automated malware removal methodologies. He’s also a prime mover behind assimilating the Geek Squad into Best Buy, growing from 50 to 20,000 global technicians. Michael, thank you for being here today.
Michael Sherwood: Thanks for having me.
Chris: All right, so give me a little bit about your security journey. How long have you been interested in security and tech and all that kind of thing?
Michael: Well, it starts all the way back in 1984. I was fortunate enough to receive a Apple II, for those of you that remember, that was a pretty cool device back then.
Chris: Top of the line, yeah.
Michael: Super young, but I really fell in love with technology, taking things apart and really kind of breaking and being curious, and it’s just kind of followed me throughout my career. I also served in the United States Air Force, so it got a little bit more of my professional training from the Air Force. Obviously went the college route for a little bit. Learned some great stuff there and really just packaged it all together. And I kind of jokingly say that I was put on this planet to serve people and I just happened to be good at technology.
Chris: Nice. Now did you work in a security capacity in the military as well?
Michael: Just a little bit, yeah. So essentially from a quick version, is we made sure that there was high speed internet throughout all of the kind of deployed locations. So if a plane went down or maybe there was an exercise that we needed to do, we took all of our equipment from the office and made sure that we had internet and from a secure perspective anywhere on the planet.
Chris: Hmm, okay. Very interesting. So tell me a little bit about the origins of Malwarebytes. How did it begin? What was its trajectory like? How and when did it differentiate itself from other computer protections, especially antivirus lines.
Michael: Sure. Well, it’s interesting we’re going to talk about the forums because that’s really where Malwarebytes started. So our founder, Marcin, similar to many of our users, found himself with a little bit of malware on his machine at the time and he, this is ironic for him and I’s relationship, he couldn’t afford the services of Geek Squad and other kind of computer repair companies. And so he went out looking for his own kind of solutions and he stumbled upon forums where then he started co-creating and co-authoring some small utilities that eventually turned into Malwarebytes. And then it turned into the protection that you see as well as all of the other suites of applications that we have.
Chris: So for those of us who tend to just sort of set it and forget it with regards to our protection plans, what are the divisions between what antivirus software does and what anti-malware does? Because I know sometimes they’ll tell you to use both.
Michael: Yeah. 15 years ago my answer would have been they’re very different. But nowadays they have just started to really merge what they mean. And I think there’s a little bit of an old school train of thought of, do I need antivirus? Do I need anti-malware? So what I would tell you is you need a good security stack. And that could be anti-malware, that could be anti-virus, that could be a browser extension, it could be a call blocking app on your phone. So there’s all sorts of ways to kind of slice and dice that.
Chris: Okay. So yeah, I guess let’s jump forward to that a little bit. What would be your sort of optimal security stack as you put it? What do you think any sort of savvy computer user worth their salt these days should have going for their system?
Michael: Sure. The first answer is, it always depends on what you’re trying to do. But if we make some assumptions that it’s a Windows device, it’s a home PC, laptop, what have you, traditional anti-virus, traditional anti-malware obviously is a no brainer, but also having some sort of powerful extension, maybe even some piracy utilities to look at what’s actually going on the machine, as well as a good password manager strategy. So making sure that you’ve got good passwords, two factor authentication enabled on everything. And then most importantly assume your data and all of your stuff is going to be hacked or at least at some point. So controlling that flow of information is critical.
Chris: Yeah. Yeah. Yeah. So regarding Malwarebytes, what are some functions that you think most users are unaware of or could be used more thoroughly? Again, I think most people, “Okay, I got my thing, I turned it on, I set the thing. I make sure it scans once in awhile.” What would be your sort of optimization plan for your package?
Michael: Sure. So two answers on that. The first one is going to sound like a sales pitch, but most people that use our application use it in the remediation standpoint. So they grab a free trial, they grab one of our portable scanners, they kind of remediate, and then it goes into free mode, which is essentially non proactive mode. So the first tip I would say is make sure you’ve got a proactive approach with our application. Of course, that’s the paid application. And then the second is, we offer a variety of applications across platforms, specifically on the mobile platform. It’s a huge scammers haven for text messages, phone calls, and we’ve got some really powerful apps that are looking at blocking and helping people stay safe on those platforms.
Chris: These are sort of add ons to the standard malware premium.
Michael: These would be completely separate products at this point. We are looking at kind of converging at some point, but with Apple’s ecosystem, it’s separate right now.
Chris: Okay. So yeah. So what are the sort of different pieces of the Malwarebytes puzzle at this point?
Michael: Yeah. So we’ve got our traditional kind of windows and Mac proactive protection. We’ve got of course remediation services inside of that. We offer a little bit more of an enterprise wide approach with our endpoint protection application. And then of course we’ve got some mobile applications out there for the average consumer that’s looking to get a little bit of scam and protection on that angle.
Chris: Do you recommend sort of higher levels of things for people who are doing streaming, doing downloading, using their stuff more than just like emails and watching movies?
Michael: Yeah and I think that’s one of the things that’s probably changed over time where, if you go back 15 or 20 years ago, you could technically be safe on the internet to a degree. And kind of, if you weren’t clicking on the wrong sites or kind of doing the wrong thing, you were safe or safer. Nowadays with the Equifax breach, with the Yahoo breaches, with the Marriott breach that happened this week, you can do as much safe stuff as you want and you’re still [inaudible 00:06:54] to get taken advantage of. So from a security stack standpoint, it’s still very critical to have those on your machine, no matter what you’re doing, even if it’s the safe route, as you deemed.
Chris: Yeah. And now there was that article recently about how like 50% of scam sites have the lock and the URL that appear to be safe sites to… And an observant person. So I think we’ve gotten to the point now where you can’t just sort of count on you’re savvy, you need sort of something working behind the scenes just in case even a safe looking thing turns out that be safe.
Michael: You got it. That’s exactly right.
Chris: I know there’s a couple of schools of thought. I guess we’re kind of already dipping into this a little bit, but some people say whatever package your OS offers like Windows Defender, it’s probably enough to catch all the common issues. And if someone’s coming for you no anti-virus is going to stop it anyway. So what does Malwarebytes offer that goes above and beyond the out of the box protection packages offered by most computer manufacturers?
Michael: Yeah, this is an age old question and from my point of view, having worked on thousands of machines or some of the software we’ve created has helped millions of computers stay safe or more importantly recover from when they’ve been attacked. I think it’s a little bit dangerous just to say “I’m going to have this singular solution,” whether it’s the Out of Box solution or maybe it’s a third party add on, it’s really about what are you doing with that machine and making sure you’ve got enough stuff going on that machine to keep you protected.
It’s almost like a home. Every home is going to have some doors and some windows, some may opt for a lock, some may opt for the steel bar grates that you see in some areas of town. So you really need to understand the situation that you’re in and making sure that you’re applying the correct amount of security. You can of course have too much security. I’ve had lots of folks, if you can imagine this, actually lock their iPhone down so much with restrictions, which is the parental controls, that they actually blocked themselves from doing anything on their own phone. So don’t put everything on the machine unless you need everything on the machine.
Chris: Okay. So how do you sort decide what your saturation point is?
Michael: Well one great point that you can get clarified is folks like our forums helpers really help people understand kind of what is going on with their machine and kind of stepping them into the right security package. For me, at least for my average consumers, which most are still residential for me, it’s a good antivirus, built in Windows Defender is really phenomenal these days. Our package of course is great. A browser extension is fantastic. And then of course the fourth one is password managements. Very specifically making sure you’ve got two factor authentication in that password strategy kind of designed. And all of that goes a really long way with good user education of kind of what’s happening and what to do.
Chris: In the past I know I’ve had situations where my computer had a malware detection system, Malwarebytes, and an antivirus running in tandem and there were a lot of times issues of the two somehow sort of fighting each other or causing glitches with the computer. Is that sort of thing being resolved? Is that less common now? Or is that still an issue?
Michael: It is definitely still an issue and I can’t speak to all of our competitors, but most definitely in the traditional AV space you’re going to have two conflicts when you’ve got kind of two AVs going on. So when you see an AV getting put on, a lot of times they’ll disable Defender or vice versa. With ours, we’ve always positioned our product as a sidekick and as an addition if you will. And now with the latest 3.0, not even latest because it’s been two years now, we’re actually saying that can be the leading security product on the machine. You can certainly use Defender if you wish. You can certainly use another third party vendor. But we really recommend having Malwarebytes on a machine and at minimum having Defender there. It’s a really good one two punch combo.
Chris: So we got right into the point that I wanted to specifically talk to you about today. You mentioned the forums. But I think one of the most intriguing things about Malwarebytes when I discovered it, which at this point, probably five years or more, seven years, who knows, was that you had these free malware removal forums to get you up to speed for people who have Malwarebytes. This is a member only service, right? Or is this usable by anyone?
Michael: It’s actually open to anybody. So we’ve got kind of our traditional support, which does look at kind of our paid or even our free users or even our premium business users. But on the forums, the forums is really open to anybody that wants to join and maybe get some assistance.
Chris: Right. And to that end, you can come onto the malware removal forums and say “Something’s wrong with my computer. Something got through my anti-virus, my anti-malware things and there’s definitely something wrong.” And I’ve been on so many forums where you just get that same cut and paste response from whoever. You get a dedicated person who looks at your case one-on-one and takes it on personally, sends you a detailed walk through what you need to do, check this folder, initiate this log file, send me the log, I’ll tell you what to do next, and analyzes the entire procedure until what you have done has been removed, checked, taken care of. And this can take up to 48 hours. Three, four steps. So how did Malwarebytes come up with the idea for this system? There wasn’t anything like that before that was there?
Michael: Yeah. So the forums are kind of interesting. So forums have been around since the 90s in a variety of different fashions and a couple of big industries that came out of that were the automobile. So kind of the car technicians as well as the computer technicians with the worldwide web coming really into kind of full swing in the late nineties. And if you remember, Marcin started on the forums, our founder and CEO. And he found it very valuable to come on and get some assistance. And not only did they help him, but they help spark an idea inside of him to create Malwarebytes and really create the company that we have today. So the forums are there one, to kind of pay respect to that and to make sure that that service is there for anybody that needs some assistance, whether it’s a Malwarebytes customer, a Malwarebytes potential customer, or maybe it’s just somebody on the internet that needs some computer assistance. We want to make sure that they’ve got some help available.
Chris: So how were the techs in this forum recruited? Are they part of the company? Are they employees? Are they just people who are volunteering their time to sort of help out in need? I know that there’s a tip jar system
Michael: There is. So we’ve got kind of two members if you will besides the general public that comes on. So we’ve got our employees and those are folks that are the product managers, QAs, the engineers they’re on there kind of learning about the product. Also some are helping from a support perspective. And then what really drives our community is, well, the community. And that’s made up of a variety of different volunteers that are maybe doing it part time, maybe they’ve retired or maybe they just love fixing computers.
What you need to know about technicians is we love serving and helping others. So they want to learn about stuff, they want to help people. And inside of the computer repair kind of forums world, there’s a few tests and procedures that you need to go through to make sure that you’re certified. There’s a handful of sites that kind of all follow the same rules and once you get certified at a certain level, you get a certain badge and then we say, “Yep, come on our forums and you can speak on half of kind of the malware issues happening on Malwarebytes,” or maybe it’s bleepingcomputer.com, that’s another very popular site. But we all try to remain kind of the same educated level, if you will. And then applying the same techniques on our forums.
Chris: So it sounds like there’s not necessarily a training process for these volunteers. They’ve been trained just by the force of their experience. Or do you have sort of a flow chart that you suggest to anyone that’s sort of doing the volunteer work?
Michael: Yeah, so there’s kind of light guiding principles, if you will. And you’ve got to pass some certain tests if you’re doing malware removal. You’ve got to understand the inside of Windows, the inside of Macs, instead of whatever platform you’re working on. And then of course, kind of the architecture of how malware and malware removal works. But then we do leave it up to each individual to kind of come up with their procedure. It’s guided of course, but you’ll see that with some of the customized responses, they look very personalized. They’re kind of we call them canned messages. They’re a light canned message that they don’t have to type the same thing over and over. But there is a personal kind of flair on it to help them serve you in the way that they see fit.
Chris: Right. And so is there sort of someone sort of supervising the solutions? Have you ever had a situation where a tech was maybe not giving the right advice and someone was able to sort of tap them on the shoulder and say, “Why not do this instead?”
Michael: Yeah, it happens all the time. Whether it’s with the procedure itself, maybe there’s a tool that… Techs love using tools that work. Then once a tool works, it’s almost the hardest thing to take away from a technician. Even if that company stopped supporting it, even if it worked in windows XP 18 years ago and it no longer works today. They love the tool. But they really love learning and then coming up with those new techniques and behind the scenes we’re always constantly sharing on almost a daily basis on new techniques and procedures and tools.
Chris: All right. How do you retain these experts? Is there a high burnout rate with these people?
Michael: Well that’s a very interesting question. So they really love being in this space and you can actually see some of the same names between our community and the Bleeping Computer community, Wilders as well. And they really like being in all of these areas to one, keep their knowledge up to speed, but then two, really serve people. So some people will pop on for a year or two, maybe take a little bit of time off. But for the most part, most of our community is very, very tenured. Six, seven, eight, 10, 15 years, which is a pretty long time in the computer support world.
Chris: What are some of the most common malware removal problems that these techs receive? I’m assuming that there are sort of categories that come up again and again. What are some things also that people can do to sort of prevent these common issues?
Michael: Yeah, the big one nowadays is the browsers really getting attack and that could come in kind of two ways. One is an actual malicious attack and then one is what we call, I don’t want to say it’s benign, it’s almost like an annoying ad. Maybe it’s an ad that comes up and says, “Hey, call Microsoft.” The ad itself isn’t malicious, but the phone number, once you engage with that phone number, then you’re starting down that kind of malicious trajectory, if you will. On the actual infection side, we’re seeing a lot of Bitcoin miners that are showing up. So somebody who goes into a site and some of the legitimate sites are now saying, “Pay us, turn your ad blocker off, or let us drop a Bitcoin miner on your machine and that’s how you can get to our services.” So helping people understand, what are those Bitcoin miners doing and why they may or may not want them on their machine.
Chris: Yeah. Yeah. And talk a little more about that. So they actually tell you upfront, “We’re going to drop a Bitcoin miner onto your computer,” and people are like, “Fine, that’s fine.” I mean, how much bandwidth or processing work does that take on your computer?
Michael: Well what’s interesting about this is it’s the age old kind of end user license agreement that comes on and says, “Hey, I’m going to do a bunch of stuff.” It’s a really long document and you just go, “Oh, accept, accept, accept, accept. Just get me to the thing that I’m trying to read.” And I think people are really getting taken advantage by that. And the mining itself, it’s really up to the site and to the creator how much they’re actually going to kind of lean away from the user. Of course they want to use as many CPU cycles as possible, but if they want to go undetected, they’re just going to hang out and take a cycle here or a cycle there and hopefully not get picked up or noticed by anything.
Chris: These mining devices, do they have a stop point? Or are they just kind of on the computer for good until you remove it?
Michael: They’re kind of on the computer until you remove it. Certainly some, have time bombs inside of it. But if I’m trying to create something like this and I just want to use your CPU cycles, I’m going to drop it on the machine. Maybe take a cycle or two. It’s going to be less than a Word document so you’re not even really going to notice any performance hit as this is doing it. And the average user’s not going to open up task manager and notice anything with a one or 2% CPU spike that’s [inaudible 00:18:48] to them.
Chris: Until it’s been going on for 18 months or whatever.
Michael: You got it.
Chris: So for people wanting to get involved with the forums as technicians, how much free time is required and sort of what are the qualifications? How would you sort of toss your hat in the ring I guess?
Michael: Yeah, just come out to our forums. It’s super easy to engage with us there. If that is something you’re looking to do, just come onto our forums and ping any one of the moderators, myself, no problem. We’ll chat with you. And really it’s as much time as you want to give. Some of our volunteers are on there four or five hours a day. Maybe they’re retired or maybe they’re in between jobs or they just want to be in the community. And then it’s really up to you how you want to engage and some of the stuff we look at is what is your training? What is your history? Sometimes people vouch for another person from another forum.
But for the most part we really want people to go through kind of the malware philosophy of how to kind of approach these machines. Because there is kind of a flow that we want them to go through. Of course they want to add their own flare and we allow people to bring their own tools. We don’t want to say “Don’t use this third party or this competitor’s tool.” If a community member wants to use one of our competitor’s tools on our website, we actually support that because we really like seeing those different tools and different kind of philosophies applied. And maybe we can even learn something and incorporate it into Malwarebytes.
Chris: So what skill sets would a potential tech need to demonstrate what? Or what experience would they have to have in their background to be considered? Or is it pretty much just I can do this?
Michael: Yeah, so the two kind of traits that I look for is technicians are curious. That’s the first and foremost trait that we have. And then the second is going to sound weird, but having a personality. Having that ability to talk to people. So you can teach anybody kind of the, I don’t want to say anybody, but most people, you can teach the technology behind it but you can’t teach that curiosity and kind of that customer support. So once you’ve got those two and then you’ve got that technical kind of training background, maybe it’s new, what have you, that’s how you get a well rounded technician.
Chris: Okay. So as we move toward the end of year holiday season, actually by the time this draft we might already have been past it, but every year we get, what I’ve heard described as the parent computer amnesty weekend as everyone goes home to their family and says, “What’s wrong with my computer?” What are some pieces of advice you could give for us to avoid getting hit by potential malware? And what advice could you give people trying to sort of fortify their parents computers or their less tech savvy relatives? It’s one thing you know to have your computer locked down but it’s another thing when your parents keep sending you weird things or forwarding things or you know what have you.
Michael: It’s endless. I like the amnesty part. That’s a funny way to approach it. I love going home for the holidays because I get asked all sorts of new kind of bizarre things that I didn’t know somebody could do with an iPhone or with an Android device or something. But if I could give one piece of advice and there’s all sorts of things and one of the problems with us technically minded people is we’re trying to get everybody to sign up for the security stack and the AV and the anti-malware and the password manager and all this. They don’t care. They just don’t care about it.
Michael: One quick thing that you can do is you can enable two factor authentication on as many accounts of your relatives as possible. Now, I’m not saying you can go around with an easy username and an easy password, but having two factor authentication is a better step than having a complex password on a site. So get two factor on all the sites that you can and if that’s too much of a pain for you, get two factor on the top five that they use. Facebook, Gmail, put a it’s kind of a quasi account password, but for your cell phone so people can’t sign up and get new cell phones for you. You can do it on your social security account, your IRS account, your United States postal service accounts, so you’ve got all sorts of options. Get two factor on the top five sites that your parents and relatives use.
Chris: Nice. So what role can education play in making people more savvy about malware? What are some strategies you can use to explain these risks to you’re less tech savvy members of your family? And just sort of, how do you let them know what the actual danger is apart from just putting it on their machine?
Michael: Yeah. So I kind of have two approaches. One is you have to assume you’re going to get attacked at some point. And by attack I mean maybe your stuff leaked with the Equifax breach. Maybe your Facebook actually got hacked, not the hack that you hear everybody say, but assume your stuff is going to be taken advantage of. So kind of safeguard your information.
And then the second is really help them with an analogy that kind of comes to where they’re at. Car analogies is a fantastic one. Cars and the services industry for cars has been around for a hundred plus years or so. But helping them understand, “Well when you get a blue screen that’s like a check engine light. When you get a piece of malware that’s like a nail in your tire.” And helping them understand those bearing levels that they don’t just see… The big term from the 90s and early 2000s was virus and now everything you see is a virus. My computer’s slow, it’s a virus. My computer’s fast, it’s a virus. My computer blew up, it’s a virus. So I thought that was good. But it also didn’t really educate anybody because now they’re just saying a generic term that means way too many things behind the scenes.
Chris: Yeah. And at the same time I imagine it’s not as important that they know the exact theory of every single thing that’s attacking them as long as they know what they need to do to sort of keep it away.
Michael: You got it.
Chris: And also I’ve had family members who have been hit. And I think it’s important to also let them know that it’s not something to be ashamed of or to hide. Just about every one of us has gotten hit. Like you said, even the head of Malwarebytes has been hit by malware and so forth. So it’s a rite of passage more than anything.
Michael: It is. And your stuff is going to get stolen. I mean the Equifax I keep mentioning, the Marriott breach that just happened, the Yahoo breaches, the LinkedIn breaches, you really did nothing wrong there or even anything like Target. So a regular store’s breaches. Making sure that you safeguard that information. And control what actually ends up in the hands of these companies is step one. And then if your stuff does get leaked, rather when, you kind of know what that controlled amount of data is.
Chris: All right. As we wrap up today, do you have any final safety recommendations? Any big things on the horizon for Malwarebytes?
Michael: Yeah, so we do have a couple of really interesting products coming next year. Specifically if you’re listening to this and you’re working in the MSP space, watch for something very, very interesting for us. So think of it as kind of our current products, but with an MSP dedication if you will, early in quarter one of next year.
And for kind of the average listener of your show here, control your data that goes out to these companies. Don’t always sign up with your full name, your first name, your full email address and everything of that nature. A great example, instead of saying, Chris Johnson as a username, obfuscate the username, so when the data does leak, they’ve got an obfuscated username, they’ve got a great strong password, you’ve got two factor authentication on it, and somebody on the dark web is going to look at that and go, “Well, I don’t care who this random hexadecimal username is, but I do know who Chris Johnson is that lives in Tennessee.” And that gives you a starting point to find your data. So as much as you can obfuscate your data, obfuscate your data,
Chris: Great plan. And Michael Sherwood, thank you for being with us today.
Michael: Thanks for having me.
Chris: Thank you all for listening and watching. If you enjoyed today’s video, you can find many more of them on our YouTube page. Just go to YouTube and type in InfoSec Institute. Check out our collection of tutorials, interviews, and past webinars. If you’d like to have us in your ears during your workday all of our videos are available as audio podcasts, including this one. Please visit infosecinstitute.com/cyberspeak for the full list of episodes. If you’d like to qualify for a free pair of headphones with a class signup podcast listeners can go to infosecinstitute.com/podcast to learn more. And if you’d like to try our free security IQ package, which includes phishing simulators you can use to fake phish and then educate your colleagues in the ways of security awareness, please visit infosecinstitute.com/security IQ. Thank you once again to Michael Sherwood and thank you all for watching and listening. We’ll speak to you next week.