Antivirus Vendors Headed for Court
SkiifGeek writes "A showdown between Rising Tech, a Chinese Antivirus vendor, and Kaspersky Lab in a Chinese court could have implications for software vendors that misidentify system files and files from their competitors as being malicious."
Go Kaspersky! One look at the trade deficit says that perhaps all Chinese software ought to be blocked.
This is my sig.
With system files, do you mean Windows Vista system files?
If I were an AV vendor, I'd probably tag every file with ".DLL" as a file extension as a potentially harmful file
TDz.
Why is it that only Kaspersky Antivirus is picking up on Rising Tech's files? What are the other antivirus vendors doing (or not doing) that is avoiding this problem?
Nothing to see, just a continuation of the 60's.
China and Russia both are big time into state-sponsored computer/network infiltration. In a country like China, it wouldn't be surprising at all that the government would co-opt companies - especially anti-virus companies - to make them help the Chinese government open back doors, exfiltrate data, etc.
The very last piece of software I would ever install on my own computers would be a Chinese or Russian anti-virus package. Sure, it may finger other viruses, but it might also allow free access to the "right" people.
I know this sounds somewhat like tinfoil hat territory, but the SANS organization is frequently publishing articles about state-sponsored hacking/attacks. Why give them an easy pass? A perfect easy pass to use your system in electronic warfare against any country - especially the USA? It is at least something to be aware of and to consider.
Rising Star antivirus? Whose star is rising? China's? And by what means?
For all the good the AV industry does, they might as well be selling rocks.
davecb5620@gmail.com
This is a few scraps of slap talk dredged up from the bowels of the net. It isn't even a lawsuit or a comment by a legal professional, let alone an injunction or any kind of legal ruling.
Also, anti-virus software on Windows is so invasive that running two different scanners at the same time is just plain crazy. I imagine root kits and virus scanners do a lot of the same things. They all make a total mess of your OS. And not being a monopoly, I can't see how Kaspersky has an obligation to play nice with others.
-- http://thegirlorthecar.com funny dating game for guys
I work as a virus analyst for one of the major antivirus vendors. False positives, which we simply refer to as FPs, are a nasty fact of life, especially as detection becomes more based upon behavioural analysis; and when software developers name their new application explorer.exe with a default Windows icon....
We had a customer send in a Windows Portable Executable file which was flagged as containing a virus released in the early 90's (though the exact name escapes me). Very strange. What was stranger was that when analysed, it contained a plethora of code sequences of worms, trojans and viruses, completely verbatim. We then realised we were in fact looking at one of the main DLLs of the Rising Sun engine! A false positive fix was not issued, as we reasoned that if a buffer overflow/wrongful jump occurred, this malicious code could actually execute. I.e., a user could actually be infected by the cowboy AV scanning method.
Anyway, to this story I laugh and simply say to Rising Sun: learn to code an engine before bringing in lawyers. Oh, and flat file unoptimised code matching is hilariously primitive.
PS, unfortunately, there is no conspiracy this time: just badly thought out design and implementation.
.....would be running two AV programs at the same time anyway ?!?!
I have a website with a bunch of my own freeware apps available. On two separate occasions I've had a number of emails from users of major AV software asking me what the hell I was playing at trying to install trojans on their PCs. In both cases it was false positives, one from NAV and the other from the company mentioned in this article (which is what prompted me to post). Each time they eventually got around to correcting their definitions, but sure as anything it'll happen again. And in the meantime, how many dozens or hundreds of people assumed I was one of them there nasty spammer trojan virus people trying to infect their PC?
Why should the onus be on ME to check THEY haven't stuffed up? You can't install and run all the different brands of AV software on one PC, unless you install a bunch of virtual machines with one AV prog on each, and then you'd have to update the definitions daily.
Hal Spacejock: Science Fiction with Nuts
Apparently ALL anti-virus software gives false positives. Most of the users have little technical knowledge, and the software makers want to give the impression their software is more useful than it really is. I've seen numerous false positives on systems I use. One "virus" was a text file, with a .TXT extension, and nothing in it but documentation!
But why is anti-virus software so important? Apparently only because Microsoft profits more when its software is full of bugs and malware, and Microsoft is very adversarial toward its customers.
The true cost of a Microsoft operating system is perhaps 10 times its retail cost, because of the heavy maintenance expenses.
Microsoft's anti-customer behavior: Here are some paragraphs I wrote to someone having problems with temp files taking gigabytes of drive space.
On one computer I checked, temp files were stored in 49 different places, and that includes only temp file folders made by the Windows operating system and not temp file folders made by application software.
Why doesn't Microsoft provide a utility to find all the temporary file folders and delete the files when starting or shutting down the computer? Apparently because the company is heavily engaged in adversarial behavior. Most people don't know that temporary files are a problem, and they certainly don't know where to find them; that was a challenge even for me. The temp files sometimes take so much space that there is not enough free space, and the file system begins running much slower.
The file defragmentation program won't run when there is limited free space. A fragmented file system is much slower. And most people don't even know that the defragmentation program exists, or why they should run it. So, their computers become imperceptibly slower and slower until they buy a new computer.
That's apparently why Microsoft software has so much malware, also. At present, there are 30 known vulnerabilities in Windows XP alone that haven't been fixed. There are 7 known vulnerabilities in the latest version of the Microsoft Internet Explorer browser that the company has not fixed.
Some people say Microsoft software is targeted more often because there are so many copies in use. However, it is well known how to write secure software. Apparently Microsoft managers don't let their programmers finish their work.
Many people who don't know how to keep Microsoft products running buy new computers. Every time someone buys a new PC, they buy a new copy of the Microsoft operating system, even if they already owned a copy. So Microsoft makes more money if the company has defective products.
Microsoft gives each new version of Windows a new name, and many people think the new version is a new product. Somehow it has been arranged that people pay the full amount for new versions, instead of an upgrade price.
The New York Times article Corrupted PC's Find New Home also makes that point.
Note that the Apple operating system, OS X, and the Open BSD operating system have very few vulnerabilities. (The Open BSD web site says 2 in 10 years.) So it is possible to make a secure operating system. The volunteers that make the Open BSD system do security reviews of software to make sure vulnerabilities are not released to customers.
We use Microsoft operating systems because of historical reasons, and because it is expensive to change. In actuality, the business very seldom uses software that runs only under Microsoft Windows, and that is only in specific departments, where it would be easy to provide a second computer.
The easiest explanation, though, is that the scanner data contains pieces of the viruses it detects and they don't do enough to hide them from other scanners.
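The analyst's story above and this explanation make the same technical point: if the engine's data file carries the raw byte sequences it detects, a flat substring matcher in another product will flag that file. The following is an added example, not code from any poster or vendor, with constructed placeholder patterns: a toy substring scanner fires on its own raw signature file, while a scanner that stores only (length, SHA-256 digest) per signature still detects the pattern in a file but never matches its own data file.

```python
"""Added example (not from any poster in this thread): a toy signature scanner
showing why an engine whose data file holds the raw malware byte sequences is
itself flagged by a naive substring scanner, and how storing each signature as
(length, SHA-256 digest) avoids that. The byte patterns are constructed
placeholders, not real malware signatures."""
import hashlib

# Constructed stand-ins for detection signatures (made-up bytes).
SIGNATURES = {
    "Worm.Demo.A":   b"\x90\x90\xeb\x1fDEMO-WORM-A",
    "Trojan.Demo.B": b"\xe8\x00\x00\x00\x00\x5dDEMO-TROJAN-B",
}


def build_raw_db(sigs):
    """Naive engine data file: names and raw patterns written out verbatim."""
    return b"".join(name.encode() + b"=" + pat + b"\n" for name, pat in sigs.items())


def scan_raw(data, sigs):
    """Flat substring matcher: flags any file containing a raw pattern."""
    return sorted(name for name, pat in sigs.items() if pat in data)


def build_hashed_db(sigs):
    """Keep only (pattern length, SHA-256 of pattern); the pattern itself is never stored."""
    return {name: (len(pat), hashlib.sha256(pat).digest()) for name, pat in sigs.items()}


def serialize_hashed_db(hashed_db):
    """Bytes as they would sit inside the engine's data file on disk."""
    return b"".join(name.encode() + b"=" + digest + b"\n"
                    for name, (_, digest) in hashed_db.items())


def scan_hashed(data, hashed_db):
    """Hash every window of each signature's length and compare digests only.
    A window matches only if its bytes equal the original pattern, so the
    data file (which holds digests, not patterns) never matches itself."""
    hits = set()
    for name, (length, digest) in hashed_db.items():
        for i in range(len(data) - length + 1):
            if hashlib.sha256(data[i:i + length]).digest() == digest:
                hits.add(name)
                break
    return sorted(hits)


def demo():
    """Scan each data file with both engines, plus one constructed infected and one clean file."""
    raw_db = build_raw_db(SIGNATURES)
    hashed_db = build_hashed_db(SIGNATURES)
    hashed_blob = serialize_hashed_db(hashed_db)
    infected = b"MZ\x90\x00constructed-host-bytes" + SIGNATURES["Worm.Demo.A"] + b"trailer"
    clean = b"MZ\x90\x00constructed-clean-bytes-only"
    return {
        # The raw data file trips the substring scanner on every signature:
        # this is the self-inflicted false positive the analyst above describes.
        "raw_db_by_raw_scanner": scan_raw(raw_db, SIGNATURES),
        # The hashed data file contains no pattern bytes, so neither engine flags it.
        "hashed_db_by_raw_scanner": scan_raw(hashed_blob, SIGNATURES),
        "hashed_db_by_hashed_scanner": scan_hashed(hashed_blob, hashed_db),
        # Real detections still work.
        "infected_by_hashed_scanner": scan_hashed(infected, hashed_db),
        "clean_by_hashed_scanner": scan_hashed(clean, hashed_db),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Fixed-window hashing is a deliberate simplification of what production engines do (wildcards, emulation, heuristics), but the storage point stands: a data file that holds digests rather than the detected bytes gives a competing scanner nothing to match on.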
Consider, documentation on programming for the Windows OS, from MS, outlines how to write without requiring admin access and generally speaking recommends this. Microsoft-produced software, by and large, does not require admin access to RUN (sometimes, yes, to install, but not run). But all this aside, the accounts created during Windows setup are admin and there's no push on the users to not run as admin.
All this combines to make a virus writer's life easy: the unknowing users are running as admin because it came that way, the knowing users are STILL running as admin because too much Windows software requires it, and only the truly dedicated take the time to get LUA to work. (at least prior to Vista)
The problem with Windows is the ease-of-use. Let's see... I can email a link to an executable file to someone and when they click the link it runs the program. I can also email the executable itself and upon opening the attachment it will run the program.
This is very helpful in a corporate environment. When there are malicious people on the Internet this is a disaster. Which is the "right" way?
Sure, Windows could be made more secure. Unfortunately, all the security in the world will not prevent a machine from being compromised if the user runs a program. This is the "hole" in Vista - if you run a program and authorize it to run it will run and can affect the operation of the machine. Period.
Would a secure root/user logon environment make Windows secure? No. That is what Vista has implemented and it does not prevent the machine from being compromised.
I think someone needs to read Hanlon's Razor. Although I think I prefer Ingham's "Cock-up theory" myself.
Yeah, I had a sig once; I got bored of it.
I get a good laugh every time anyone says OS X has "very few" or "hardly any" vulnerabilities. Try telling that to Secunia.
Secure software doesn't mean "software that has no security holes". It means "software that is designed so that failure doesn't create security holes". Secure software is, by default, inherently safe. Secure software provides feedback on errors. Secure software can not be unlocked except from the "outside". Secure software provides interfaces and protocols with no paths leading to elevated privileges. Secure software provides fault isolation and user-visible and managable layering.
Secure software may have bugs that lead to exploitable vulnerabilities, but fixing these bugs will not break third-party components that depend on public interfaces and protocols exposed by the software, because the privileges exposed by the vulnerability are never intended to be exposed.
For example, if an interface in a secure application provides an object (file, script, applet, web page, ...) more privileges than the application itself normally provides, then:
(1) That interface is disabled by default. Ideally, there is no code path in the application that leads to that interface.
(2) Enabling that interface requires a deliberate premeditated action by the user or administrator. Ideally, this action involves a plug-in or other component in a distinct repository from the one that the application normally uses, and running a new instance of the application (or a new shell around the application) that has access to that repository.
(3) Enabling that interface in one instance of the application does not enable it in any other instance.
(4) An instance of the application with that interface enabled can not be accessed by any request to an instance of the application with that interface disabled.
(5) The mechanism by which a user launches the modified instance of the application is clearly distinct.
(6) The modified instance of the application does not include a mechanism to load new objects through protocols that are normally used to access untrusted data, except using addresses (URIs, file paths, etcetera) that are provided by the application itself, or by launching a new instance of itself without any unsafe interfaces enabled.
The poster child for applications that violate these rules is Internet Explorer. In Internet Explorer, it is possible for a webpage to request an applet it provides be installed and run, through a mechanism called "ActiveX".
(1) It is enabled by default.
(2) It is not possible to launch IE in a way that prevents access to ActiveX plugins already installed.
(3) There is only one pool of plugins for IE. Worse, there is one pool of plugins shared among all applications that use the HTML control.
(4) You can't disable it, all you can do is tell IE to avoid "unsafe" controls, and even then the default behavior for "unsafe" controls is risky.
(5) There's no distinct instance of IE... rather there's a set of heuristics for the HTML control to use to try and guess whether the document being viewed should be considered "safe" or not.
(6) The HTML control makes the decision as to whether to load an object, not the application.
Most browsers have *some* shortcomings in this area, but few to anywhere near the extent of IE, and none are designed so that fixing these shortcomings will break working applications until they are redesigned to access the browser through a new API.
Won't this be covered by the software product's EULA? As user you have to abide by the license, but as competitor you can bring them to court to get to change the software. Hrrm.
When I go into a computer cafe and sign in, they (apparently) copy a disk image of the hard drive onto my computer. If I pick up any malware, it's eliminated because the whole hard drive is erased and the OS reinstalled for the next customer.
Why can't I do that at home? I could (and do anyway) make a disk image of the partition with my operating system and apps with GHOST or something, save it on a DVD, and re-install it whenever my computer seems to be infected with malware or is acting funny for any reason.
The other thing I do is, when I install my OS and apps, I make a detailed log of the configurations, so I can easily reinstall them again. (I'm following the example of a friend who was a nuclear engineer.) That makes it relatively easy to reinstall the system. Yeah, reinstall takes an hour or so, but it's a lot easier, faster and more reliable than trying to eliminate malware or to trouble-shoot whatever is really causing the problem.
Hi. There is a distinction that is being missed here. These infected files are not and should not be identified as viruses. They SHOULD however be identified as infected files. If the anti-virus software cannot remove the virus from the file, and/or the file has been corrupted, the software needs to inform the user that the file may need to be replaced, or the operating system re-installed.
One of the biggest bugs in Windows has always been that it has allowed installers etc... to install files to the system folders, and even overwrite files in the system folders. This was a HUGE mistake, that should have been corrected long ago! When a program is installed files should only be allowed to be written to folders created for that program. Anytime that any program tries to write files to the system folders, they should be re-directed to the program's own folder, and a corresponding entry in the registry should redirect any attempts of the program to access these files to the file's true location. Also, a warning message should be displayed to the user that the program has attempted to install files into the system folder, and that this is not allowed.
Despite recent articles to the contrary, Vista is NOT secure at all for the average user, because the security "features" are so annoying that the average user turns them off after a very short time. Too bad the DRM crap embedded in Vista cannot be disabled so easily!
As to the common practice of an anti-virus program identifying the files of a competing product (that are not viruses nor infected with a virus) as viruses or infected: it is just plain wrong. This practice is in the Micro$haft tradition of anti-competitive, monopolistic behavior.
I agree, mostly. To have multiple anti-virus or spyware packages running resident is nuts. Running Norton is nuts too.
But running multiple scanners (different times) is not nuts.
Anti-virus software has to have information regarding virii and a package may pick up on it. There are some virii and trojans that use a modified version of Kaspersky to prevent competitors from infecting the same machine.
Fight Spammers!
How many "remote holes" have been found in the base install of Windows? Hundreds? Remote holes in the base install are what count for novice Windows users, who are mostly at home, with no network, and use their computers only for email, web surfing, and typing a few letters, and signs like "wet paint".
I don't understand your objection, if you are objecting.
The idea that an "anti-virus" program that does signature checking against a (almost continuously) updated database of virus signatures is probably a good source of "genetic material" for a virus will eventually occur to someone who does malware.
And, just for grins, it's catalogued. So, to use that genetic material, the virus simply needs the key (and the knowledge that a particular anti-virus program is installed). That is probably denser than trying to keep the infection information with the virus itself.
In other words, target Kaspersky "protected" systems (or any other "anti-virus" vendor) specifically.
Why? Hell, I would do it just because it would amuse me to no end!
Just another "Cubible(sic) Joe" 2 17 3061
Other than the obvious, AV vendors actually creating the beasties they protect against..
Has anyone calculated the odds that a virus could be created by transmission error (assuming negligence in checksumming)?
I'm sure it's very low, but are we talking, "Not before the Heat death of the universe" low or "struck by lightning while being mauled by a bear" low?
Can you be Even More Awesome?!
Acting out your anger is optional. Next time, try dealing with your anger yourself, rather than making it a problem for others.
You said, "The number of temp files or folders is nothing to do with security."
You didn't read what I said carefully. I said that, if temp files fill the hard drive, the file system becomes slower. And also, even worse, the defrag program refuses to operate. When computers become slow, many users buy a new computer.
A few temporary file locations in the Windows XP operating system:
C:\Documents and Settings\Administrator\Local Settings\Temp\
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\
C:\Documents and Settings\ user \Local Settings\Temp\ and
C:\Documents and Settings\ user \Local Settings\Temporary Internet Files\
for each value of user . On the computer that had the trouble, there are several users.
C:\Documents and Settings\NetworkService\Local Settings\Temp\
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\
C:\Documents and Settings\LocalService\Local Settings\Temp\
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\
C:\Documents and Settings\Default User\Local Settings\Temp\
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\
According to Microsoft, these may all be different:
%SystemRoot%\Temp\
%SystemDrive%\Temp\
%SystemRoot%\Tmp\
%SystemDrive%\Tmp\
In my opinion, it doesn't matter how many temp file locations defined by the operating system there are, if the number is more than, let's say, 2. I've seen computers infected with malware that uses temp file locations of other users to store files, marked read only. There is no method provided by Microsoft, that runs automatically, that deletes read only temp files in all the locations, and does that securely under OS control, so that malware cannot use those locations between computer re-starts. That's my understanding, and you haven't said differently.
Also, most users don't know to run Disk Cleanup. The point is, most users are not technically knowledgeable, and are not able to maintain Windows, and, as the New York Times article to which I linked says, they buy new computers, because that is cheaper than trying to maintain the OS.
The fundamental point: Given what I have just mentioned, I don't see that Microsoft is caring towards its customers. The company could do far, far better. Microsoft apparently doesn't do better because Microsoft managers believe it is morally acceptable to use adversarial methods to make a profit.
I didn't know I had a website. I just looked, and I can see I do. I don't have much time to make a web site, and I had forgotten that I had an index.html. Normally, I just provide links to particular articles.
Anyhow, look at this article on my "web site": Windows XP Shows the Direction Microsoft is Going. Quote:
Bruce Schneier, well-known computer security analyst, said in his November 15 newsletter that this article is "A well-written analysis of the major security/ privacy/ stability concerns of Windows XP." Mr. Schneier wrote the books Applied Cryptography and Secrets and Lies: Digital Security in a Networked World, and other books.
Back then, several years ago, I thought Bruce was being overly generous. However, soon after I published my article, which was translated into French and Spanish by readers, and other languages for which I could not find an editor to verify the translation, security vulnerabilities were found that I predicted in the article.
By default it will ask users if they want to install controls after first showing them the signature information.
Completely false - it is trivial to disable ActiveX controls and it can be done without launching the browser (right click on IE in your start menu, choose Internet Properties.)
This is true; this is being worked on.
As per above, you certainly can disable it and it's quite easy to do so.
I'm not sure I understand your sentences here, but IE does run 'distinct instances' and unless the site in question is on the safe list (user specified sites ONLY) it runs IE instances in protected mode, highly isolated from even the current user account's data, never mind the admin data.
Actually, the user makes the decision and the app hosting IE can not override this - the user will always be prompted - some would call this a security feature.
I've seen this kind of statement frequently: "OS X is not better."
You said, "By default OSX and Linux run stuff unsandboxed with the same privileges as the logged on user and the logged on user has lots of network privileges, can set up cron jobs, and all other nice stuff..."
By default, and largely because they are forced, most Windows users run with administrator privileges, and malware can modify the operating system. I don't know OS X, but my understanding is that OS X is not that insecure.
Also, you said, "Note: I'm not referring to the security abomination that's called Vista - Vista's UAC just trains already click-thru happy users to click-thru even more. If Microsoft cared about security they should have implemented sandbox _templates_ or something similar."
You seem to agree with my underlying point, which is that Microsoft is uncaring towards its users, apparently because Microsoft managers believe that it is morally acceptable to use adversarial methods to make a profit.
You said, "Most of the windows malware _running_ out there don't even care about root/admin privileges. Most are zombie machines to spam or DDoS and spread. Don't need root/admin for that."
The high maintenance costs for Windows operating systems come partly from users and malware having admin privileges. Zombies are not the biggest problem, the biggest problem is that a stranger has complete and lasting control over a user's computer.
Apparently Microsoft managers lack confidence in themselves. If they had confidence, they would make a profit by making good products, and would not depend on adversarial methods to make a profit.
I definitely agree with your point that operating systems have a long way to go to provide the maximum possible security.
You said:
"By default it will ask users if they want to install controls after first showing them the signature information."
"... it is trivial to disable activex controls and it can be done without launching the browser (right click on IE in your start menu, chose internet properties.)"
"As per above, you certainly can disable it and it's quite easy to do so."
It seems to me that your statements presume a high amount of technical knowledge. In decades, I have never known even one user to have much technical knowledge. They just want to use computers as a tool, not make computers a time-consuming profession.
Every home user I have known will "install controls". What would they do, call for technical help? Most users of computers don't have anyone to give them technical help. The best they have is people like the Geek Squad at Best Buy, an option that 1) is very expensive, 2) depends on people who probably do not know the answer, 3) takes a lot of time, and 4) does not allow asking single questions.
The underlying point is that the "default install" of Microsoft operating systems is insecure beyond the ability of most users to correct, and that Microsoft profits by providing an operating system that is, for most users, effectively insecure.
You said, "... how many corporations would Microsoft be putting out of business by fixing all the problems with their operating systems?"
Yours is an argument being made nationally concerning the U.S. government. Something like, "If the U.S. government stops killing people for money, a lot of U.S. citizens will have to find other jobs."
The jobs will be there. Running a business or a country well helps create prosperity. Prosperity creates jobs.
I have fought viruses and other malware for a very long time, and I would have to disagree with you to a certain extent.
Damage done by malware is already done, that can't be fixed by antivirus software. Nor can the fire department un-burn your house after the fact. Same thing. You do have backups of important files, right...
If you have the proper tools, it's easy once the devs have defs/repairs for it. (Those come out incredibly fast. Of course, 3 hours before you even heard of it, isn't fast enough for lots of people.) It's true you may have to do something you don't want to, like shut down your server, but so what. If the doctor is going to surgically remove that cancer, he's going to have to cut a hole in you, deal with it.
If you don't have the tools necessary, you're screwed. That's not the fault of the antivirus company, now is it. They told you to make a clean boot disk. And the travel advisory committee tells you to get a malaria inoculation if going to a malaria zone, but they don't sit at the airport with a hypo waiting for you...
The media calls just about everything undesirable on the computer a virus, even though there have been almost no new computer viruses since about two years after "I love you" plastered the world. (It was a worm, not a virus. There are many types of malware: worms, viruses, trojans, droppers, spyware, adware, etc... There are even hybrids, but they are all defined differently, and viruses have a very specific definition.)
Besides, this article was about legal action against false positives. It's something that's going to happen, until machines are a lot smarter than people. (Even then...) It's possible they are trying to lay the ground for paranoids and lawyers for cases where the false positives are intentional for some bloody reason. (Kinda like a form of sabotage.)
And don't forget cache folders made by the Windows XP OS, and temp folders made by applications:
/S /AD /B
C:\WINNT\PCHEALTH\HELPCTR\Config\Cache
If you have Microsoft Office installed, there are two more apparently for each user:
C:\Documents and Settings\ user \Application Data\OfficeUpdate12\Cache
C:\Documents and Settings\ user \Application Data\OfficeUpdate12\Temp
And Microsoft provided no guidance to developers, so software companies put temporary files everywhere, and forget to delete them sometimes (often). On one computer, I listed 75 cache folders, and those are just the cache folders that begin with the letters "cache". Try it yourself by running these commands with an account that has administrator privileges:
%systemdrive%
CD \
DIR cache*.*
The point is, there are temporary files stored in many, many places, when Microsoft could have provided one Temporary files folder and one Cache folder, and required that application developers use sub-folders in those folders.
All that disorganization has the effect of making Windows more expensive to administer. If an application forgets to delete its temporary files, eventually that uses the available space, and the computer becomes slow. Often people buy new computers when their computers get slow, making Microsoft more money.
With better organization, there could be a program that deletes unneeded files, making the Microsoft operating system far better for users.
I wouldn't want anyone to think that I had listed all the temp folders created by the Microsoft Windows operating system. I just had to stop to do something else. Here are a few more:
o rary ASP.NET Files\
p orary ASP.NET Files\
6 08-01B04FC291E0}\TempDir\
5 E5-01B04FC291E0}\TempDir\
One for each user who uses NT Backup:
C:\Documents and Settings\ user \Local Settings\Application Data\Microsoft\Windows NT\NTBackup\temp\
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Temp
C:\WINNT\Microsoft.NET\Framework\v2.0.50727\Tem
C:\WINNT\system32\CatRoot\{127E0A1A-4EF2-11E1-8
C:\WINNT\system32\CatRoot\{F259E6C3-38EE-11E1-8
C:\WINNT\system32\config\systemprofile\Local Settings\Temp\
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\
I just rebooted a test system. Result: Old .tmp files in Catroot.
Microsoft.NET files are present in a default install of Windows XP.
NT Backup is the backup program provided with the Windows OS. A backup program is a necessary OS component.
You said, "It's Microsoft, they have plenty of REAL reasons to bash them."
Okay, what are YOUR reasons?
Anyhow, the point is made that there are a LOT of places for malware to hide, far more than even Slashdot readers generally know. Think how difficult it is for the average user when "temporary" files fill the hard drive and make Windows slower.
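The two posts above list Temp, Tmp, Temporary Internet Files, TempDir and Cache* folders scattered across profiles and system directories, and mention read-only files planted there by malware. The following is an added example, not from any poster and not a Microsoft utility: a small audit that walks a drive, recognises those directory names, and reports per folder the bytes held, the files older than a cutoff, and the files marked read-only. So that it runs anywhere, it builds a constructed scratch tree imitating a few of the paths named above; point audit_temp_locations() at a real drive root to use it for real.

```python
"""Added example (not from any poster, and not a Microsoft tool): audit the kind
of temp/cache locations listed in the thread for stale and read-only files.
It builds a constructed throwaway directory tree imitating a few Windows XP
paths, then walks it; point audit_temp_locations() at a real drive to use it."""
import os
import shutil
import stat
import tempfile
import time

# Directory names the thread identifies as temporary-file locations.
TEMP_DIR_NAMES = {"temp", "tmp", "temporary internet files", "tempdir"}
CACHE_PREFIX = "cache"


def is_temp_dir(name):
    """True for Temp, Tmp, Temporary Internet Files, TempDir and any Cache* folder."""
    lowered = name.lower()
    return lowered in TEMP_DIR_NAMES or lowered.startswith(CACHE_PREFIX)


def audit_temp_locations(root, max_age_days=7, now=None):
    """Walk root; for every temp/cache directory report the total size of the
    files directly inside it, how many are older than max_age_days (stale),
    and how many are read-only (a trait the poster above saw on malware-planted
    files). Keys are root-relative paths with forward slashes."""
    now = time.time() if now is None else now
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if dirpath == root or not is_temp_dir(os.path.basename(dirpath)):
            continue
        total = stale = readonly = 0
        for filename in filenames:
            info = os.lstat(os.path.join(dirpath, filename))
            if not stat.S_ISREG(info.st_mode):
                continue  # skip symlinks and other non-regular entries
            total += info.st_size
            if now - info.st_mtime > max_age_days * 86400:
                stale += 1
            if not info.st_mode & stat.S_IWUSR:
                readonly += 1
        key = os.path.relpath(dirpath, root).replace(os.sep, "/")
        report[key] = {"bytes": total, "stale": stale, "readonly": readonly}
    return report


# Constructed layout: (relative dir, [(file name, size, age in days, read-only)]).
SAMPLE_LAYOUT = [
    ("Documents and Settings/user/Local Settings/Temp",
     [("old.tmp", 4096, 30, True), ("fresh.tmp", 512, 0, False)]),
    ("WINNT/Temp", [("MSI26.tmp", 1024, 400, False)]),
    ("WINNT/PCHEALTH/HELPCTR/Config/Cache", [("index.dat", 2048, 1, False)]),
    ("Program Files/SomeApp", [("app.exe", 8192, 1, False)]),  # not a temp dir
]


def build_sample_tree(root, now):
    """Create the constructed tree with the given sizes, ages and permissions."""
    for rel_dir, files in SAMPLE_LAYOUT:
        directory = os.path.join(root, *rel_dir.split("/"))
        os.makedirs(directory)
        for name, size, age_days, read_only in files:
            path = os.path.join(directory, name)
            with open(path, "wb") as fh:
                fh.write(b"\0" * size)
            mtime = now - age_days * 86400
            os.utime(path, (mtime, mtime))
            if read_only:
                os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)


def run_demo():
    """Build the sample tree in a scratch directory, audit it, clean up."""
    now = time.time()
    root = tempfile.mkdtemp(prefix="tempaudit-")
    try:
        build_sample_tree(root, now)
        return audit_temp_locations(root, max_age_days=7, now=now)
    finally:
        # Restore write permission so cleanup also works on Windows, then remove.
        for dirpath, _d, filenames in os.walk(root):
            for filename in filenames:
                os.chmod(os.path.join(dirpath, filename), stat.S_IRUSR | stat.S_IWUSR)
        shutil.rmtree(root)


if __name__ == "__main__":
    for location, counts in sorted(run_demo().items()):
        print(f"{location}: {counts}")
```

Only files directly inside a recognised folder are counted, so nested application sub-folders show up as their own entries when they are themselves named Temp or Cache*.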
You seem to forget the recent flap about how Estonia thinks that the crippling cyber attacks they have been having were of Russian origin?
Great! They have /. filtering out all references to the "". Damn, they're good!
My other car is a 1984 Nark Avenger.
There are people whose only way of making a living is to work with Windows. Those people sometimes feel very threatened if they learn something new about Windows.
Consider your manner. Basically, you communicate that if you disagree with someone, they are wrong, and not only that, they are to be scorned and otherwise treated badly.
Slashdot readers should remember that no one is paid to comment on Slashdot. If the underlying point is correct, it is not necessary to be particularly intense about a detail that is in error.
In this case, the underlying point is correct. The Slashdot story on which we are commenting is about malware. The point is being made that there are a lot of unnecessary places for malware to hide. Maybe Microsoft managers did not design Windows to be costly to maintain. But they certainly allow that.
To "Wherever IE hides its TEMP directory (no, not the cache)" you said, "Doesn't exist". However:
C:\Documents and Settings\ user \Local Settings\Temporary Internet Files\
for each value of user is where IE puts its "Temporary" files.
To "%SystemRoot% (really, I don't know why)" you said, " No temp files are stored in this place by the operating system, save PAGEFILE.SYS which is your virtual memory"
Maybe he left out some characters there, and meant the SystemRoot Temp folder. Remember, %SystemRoot% is usually C:\WINNT. The PAGEFILE.SYS file is in %SystemDrive%\ which is usually C:\, where Windows keeps its Temp and Tmp folders. Windows XP puts HIBERFIL.SYS in %SystemDrive%\, and doesn't always delete the file if Hibernation is turned off. HIBERFIL.SYS is huge, a little larger than system memory.
To "[Any Drive]\[Random Characters].tmp" you said, "The operating system does not create folders matching this pattern."
He is talking about files, not folders. I just checked a test system. This is one of the results:
Directory of C:\WINDOWS\Installer
09/09/2006 03:44 AM 110,950 MSI26.tmp
04/11/2006 09:13 PM 474,624 MSI68.tmp
04/11/2006 05:08 PM 70,545,476 MSIBC.tmp
04/11/2006 05:08 PM 474,624 MSIC6.tmp
4 File(s) 71,605,674 bytes
The fundamental issue is that Windows has no automatic method of dealing with these unnecessary files. And that sometimes causes people to buy another computer, because the file system becomes slower when there is not much free space.
What's purple and commutes? An Abelian grape.
http://secunia.com/product/13223/ Enjoy.
These days lots of AV software uses virus-like behaviour and backdoors to get a good look at your system, so its seems only natural that one AV would trigger another.
In the example of Spybot, do we really want it to ignore so-called "false positives" or should it be telling us that MyAntivirus.exe is behaving strangely but is also thought to not be malicious. As soon as you start coding these programs to ignore certain cases, you'll get a rush of malware pretending to be the said whitelisted applications.
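The point made above, that a name-based exception invites malware to borrow the trusted name, can be shown in a few lines. This is an added example, not code from any product in the thread; the file paths, byte strings and the `MyAntivirus.exe` name are constructed for illustration. It compares an allowlist keyed on file name with one keyed on the SHA-256 of the file contents, using two constructed "files" that share a name but not contents:

```python
import hashlib
import ntpath

# Constructed sample inputs (not real binaries): the legitimate AV engine
# and a look-alike dropped into a temp folder under the same file name.
LEGIT_BYTES = b"MZ...legit MyAntivirus engine build 1.0"
IMPOSTOR_BYTES = b"MZ...something else entirely"

LEGIT_PATH = r"C:\Program Files\MyAV\MyAntivirus.exe"
IMPOSTOR_PATH = r"C:\Documents and Settings\user\Local Settings\Temp\MyAntivirus.exe"

SAMPLE_FILES = [
    (LEGIT_PATH, LEGIT_BYTES),
    (IMPOSTOR_PATH, IMPOSTOR_BYTES),
]


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of a known-good build."""
    return hashlib.sha256(data).hexdigest()


# Weak exception: trusts anything called MyAntivirus.exe, wherever it sits.
NAME_ALLOWLIST = {"myantivirus.exe"}

# Stronger exception: trusts only the exact build the vendor shipped.
HASH_ALLOWLIST = {sha256_hex(LEGIT_BYTES)}


def allowed_by_name(path: str) -> bool:
    # ntpath handles backslash paths on any host OS.
    return ntpath.basename(path).lower() in NAME_ALLOWLIST


def allowed_by_hash(data: bytes) -> bool:
    return sha256_hex(data) in HASH_ALLOWLIST


def verdict(path: str, data: bytes, suspicious_behaviour: bool, mode: str) -> str:
    """Decide what the scanner reports for one file.

    'clean'         - nothing suspicious was observed
    'informational' - suspicious behaviour from a program on the allowlist;
                      still reported to the user, but marked as known-good
    'alert'         - suspicious behaviour from an unrecognised program
    """
    if not suspicious_behaviour:
        return "clean"
    trusted = allowed_by_name(path) if mode == "name" else allowed_by_hash(data)
    return "informational" if trusted else "alert"


def scan(mode: str) -> dict:
    """Run both sample files through the scanner, assuming each one showed
    AV-like behaviour (hooking, process inspection) during the scan."""
    return {path: verdict(path, data, True, mode) for path, data in SAMPLE_FILES}


if __name__ == "__main__":
    for mode in ("name", "hash"):
        print(mode, scan(mode))
```

With `mode="name"` the impostor in the Temp folder is downgraded to informational just like the real engine, which is exactly the rush of look-alikes the comment predicts; with `mode="hash"` only the known build is downgraded and the impostor stays an alert. Keying the exception on a content hash (or a verified code-signing identity) rather than on a file name is what keeps the "tell me, but tell me it is probably fine" behaviour from becoming a blind spot.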
From the point of view of a user who is not an expert, all programs shipped with an operating system are part of the operating system.
This discussion should ultimately benefit those who are the least technically knowledgeable, since they are those who suffer most.
Today, a big majority of computers users are not experts.
Odd. The only time I see Vista's security features is when FF upgrades itself. Certainly not enough to annoy me.
By default it will ask users if they want to install controls after first showing them the signature information.
In other words, it's enabled by default. The fact that an approval dialog is displayed first is irrelevant: Windows trains people to automatically approve such dialogs, by reflex, because they're presented with them all the time.
Completely false - it is trivial to disable activex controls and it can be done without launching the browser (right click on IE in your start menu, choose internet properties.)
You misunderstand what I mean. I'm not talking about the user deciding that some component should be disabled, I'm talking about disabling the ability for Internet Explorer to run any already-installed ActiveX controls at all. You can't do that, because IE is implemented as a shell around a group of such controls, including the HTML control itself.
I'm not sure I understand your sentences here, but IE does run 'distinct instances'
All instances of IE use the same settings, and grant the same rights to objects they display. Therefore, from a security point of view, they're a single instance.
it runs IE instances in protected mode
That is an attempt to mitigate the fact that IE is not inherently secure. The problem is that security is like sex... once you're penetrated you're fucked. If an attacker can run code on your computer, even if protected mode is everything that Microsoft claims (and it isn't), a remote exploit still grants them a beachhead to launch further attacks using any resources available to IE... which include the ability to run applications (to attempt a local privilege escalation attack), make network connections (to attempt remote exploits against other systems on the LAN from behind the perimeter firewall), send mail (as part of a spam botnet), and read local resources (to extract security tokens for offline decryption, harvest addresses for secondary attacks, and so on).
Actually, the user makes the decision and the app hosting IE can not override this - the user will always be prompted - some would call this a security feature.
Yes, a lot of people mistake the omnipresent approval dialogs in Windows for a security feature. Unfortunately, they're terribly mistaken... they're actually a sign of an inherently insecure application.
An inherently secure application doesn't ask a user "I'm about to do something stupid, should I go ahead?". It's designed so that it doesn't need to do stupid things.
In decades, I have never known even one user to have much technical knowledge. They just want to use computers as a tool, not make computers a time-consuming profession.
You're an optimist. Even the users who DO have technical knowledge get caught by this.
For most of the past fifteen years I have been a system admin for a network of software developers.
I have had several of them come to me and say "Peter, I just clicked OK (or Open, or whatever it was in this case) on that window again and I think I have a virus."
Note that word again.
These are smart guys. We're talking PhD engineers who've been programming for a living since that meant coding pads and punched cards. Approval dialogs are so frequently presented, and so easy to reflexively select the default action, that people like this are *still* making the same mistake multiple times.
The most effective thing I ever did in that job, from the point of view of desktop security, was to ban Internet Explorer in our division. That pretty much stopped that kind of incident. When they integrated IT and overrode me, and put a "standard load" with a version of IE "locked down" as tight as Corporate could stand, I started getting people coming to me with that story again.
no matter how much you secure the internet browser it is a high risk application by the very nature of what it does (browse complex content created by unknown sources)
Indeed, which is why it should not contain mechanisms for that content to request privilege escalation.
protected mode adds another layer of security
Unfortunately, neither protected mode nor IE by themselves provide a very high level of security.
You can completely own the iexplore process and still you can not do any attacks you claim are possible from a protected mode instance of IE
There are things that IE must be able to do to function as a browser. It must be able to read and write temporary internet files. It must be able to read its own configuration. It must be able to open files in your profile. It must be able to open TCP/IP connections to web sites. It must be able to send mail. It must be able to create windows and other graphical user interface objects. It must be able to make system calls. These are the things that I claim are possible from a protected mode instance of IE, because they must be possible from IE. These are all things that can be used to mount secondary attacks.
"Defense in depth" typically involves multiple layers of protection, each of which is designed as securely as it can be. Putting a leaky wall in front of a sandbox that allows secondary attacks is a terribly weak "defense in depth". Putting a firewall in front of network services that can not be disabled is not "defense in depth". Running IE inside a temporary virtual machine firewalled outside that VM's trust boundary to only allow TCP/IP connections to a logging web proxy, or running a KHTML-based browser in a chrooted environment, these are defense in depth where each of the layers involved constitutes a significant defense.
But IE inside protected mode? That's inviting a vampire into your spare bedroom and hoping he doesn't interpret it as carte blanche access to the rest of your house.