Slashdot Mirror


Microsoft Policies Help Virus Writers, Says Security Firm

Barence writes "Security firm Trend Micro has accused Microsoft of giving malware writers a helping hand by advising users not to scan certain files on their PC because 'they are not at risk of infection.' Trend Micro warns that by making such information available, Microsoft is effectively creating a hit list for malware writers. 'Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,' the company's researcher, David Sancho, writes on the Trend Micro blog."

166 comments

  1. Do "Users" have a choice? by Monkeedude1212 · · Score: 2, Insightful

    I load up Malware Bytes or Super Anti Spyware or some other reputable Anti-Malware program, boot into safe mode, and do a scan of the whole PC.

    Is it I, or anti-malware developers, they are sending the message to? Because I certainly don't want to leave an inch of the computer unchecked.

    1. Re:Do "Users" have a choice? by Anonymous Coward · · Score: 1, Insightful

      Safe mode isn't good enough. You want to run it in the pre-boot environment (what windows setup / chkdsk runs in).

      Also, believing that some half-assed "security" software is going to protect you from everything bad is just stupid.

    2. Re:Do "Users" have a choice? by geekboy642 · · Score: 4, Insightful

      If you trust a single byte on the possibly-infected disk, you're not scanning for viruses: You're asking pretty please for the virus to show itself. Most are polite enough, but why take the chance? Use a known-clean read-only media to boot from, and scan the entire drive.

      --
      Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
    3. Re:Do "Users" have a choice? by Monkeedude1212 · · Score: 1

      Safe Mode does fine enough for most people. I've been cleaning out viruses for almost a decade now and all it takes is a scan in safe mode and knowing what files to delete. (Temp internet files, any other out of place programs)

      There has been one instance where I chose to boot into an antivirus software from a live CD and that was able to clean it out. I would probably use something in the BIOS if I knew of one.

      -
      And of course, no "security" software is ever going to protect you from everything. No one wants pre-emptive protection because it hinders their experience. If you know what you're doing, you won't fall for the cross scripting or phishing. There's a handful of dangerous things that don't actually require anything on your PC to be a danger to you, and those are the ones I educate people about.

      As for viruses, trojans, spyware, and the likes - I tried to educate people once. It didn't work. I'm more than happy to remove it for them for a fee. It ain't much but it covers the Heating and Electricity.

    4. Re:Do "Users" have a choice? by Monkeedude1212 · · Score: 1

      I agree - sometimes I get called over because of an "Error" - and I just head over right after work. Turns out the Error is Malware, I didn't bring my LiveCD, what can I do? A majority will get by with safe mode scans. There are those particularly nasty ones though, and as you said, boot from CD, or set it up as a slave drive with the proper security measures.

    5. Re:Do "Users" have a choice? by ae1294 · · Score: 1

      boot into safe mode, and do a scan of the whole PC

      Safe mode will do nothing to keep malware from loading at this point....

      Get a WinPE Distro like http://www.ubcd4win.com/

    6. Re:Do "Users" have a choice? by bberens · · Score: 1

      I ran into this case last week. My mother in law opened some malware and you can't even boot to command line safe-mode. As soon as you log in it logs you back out and goes to the login screen. :( So today I'm going back with a liveCD to try to get the documents off before doing a wipe.

      --
      Check out my lame java blog at www.javachopshop.com
    7. Re:Do "Users" have a choice? by ae1294 · · Score: 3, Informative

      Safe Mode does fine enough for most people. I've been cleaning out viruses

      Viruses perhaps but malware keeps loaders running hidden in the background. All those things you remove reinstall themselves. I do system clean up work and I see it all the time plus often the malware won't even let you run programs like HijackThis, SuperAntiSpyware, or MalwareBytes.

      And of course, no "security" software is ever going to protect you from everything. No one wants pre-emptive protection because it hinders their experience. If you know what you're doing, you won't fall for

      This isn't really true. Things like IE, Flash, Shockwave and Acrobat have zero day exploits that will infect your computer if you stumble on the right email or site. I'd say 85% of infections are from user ignorance but the rest is luck and who you have contact with. (Outlook address books, etc)

      As for viruses, trojans, spyware, and the likes - I tried to educate people once.

      It's hard for people to grasp "there is nothing you can do to protect yourself except become a techie" You can browse the web with Java,Java Script,Flash,etc etc turned off and still have an APP that has a security hole that will infect your system.

      But if you mean telling everyone to run Linux than sure that pretty much takes care of most of the problems but then you have to become their go-to person when ever they want to install something. It's all loose-loose, what really needs to happen is better enforcement of the network and better law enforcement involvement. Take all those people trying to protect the children and make them do some real work.

    8. Re:Do "Users" have a choice? by Z34107 · · Score: 2, Interesting

      To all the people suggesting PE discs - what AV do you use? The vast majority simply do not work in a preboot environment. The ones that do tend to be old versions, which are about as helpful in removing real threats as a dull knife.

      In my experience, the overwhelming majority of viruses are removed by MalwareBytes in safe mode. The ones that aren't leave signs that MalwareBytes can detect (infections it can't delete or that reappear, etc.) The paranoid can confirm with a packet sniffer.

      If you really want to be paranoid, get a USB => IDE/SATA adapter from newegg. Pop out the hard drive and hook it up to a clean machine. Mount the registry hives using regedit, and do a scan with your favorite AV product. No relying on a potentially rooted machine, and no relying on an old/gimped AV product that works in a preboot environment.

      --
      DATABASE WOW WOW
    9. Re:Do "Users" have a choice? by Anonymous Coward · · Score: 0

      When I use PE disks I use a virus scan from my laptop that is connected to the infested machine(via filesharing). I can also use the additional programs in the PE environment to clean registry etc. etc.
      I've found this works pretty well, and I've also used combofix and malwarebytes and gotten pretty good results with them as well. I don't think there will ever be a cheap *free* one program/process that will work for all virii/malware etc since that one way would gain enough popularity to be circumvented by the next latest and greatest virii/malware.

    10. Re:Do "Users" have a choice? by causality · · Score: 2, Insightful

      It's hard for people to grasp "there is nothing you can do to protect yourself except become a techie" You can browse the web with Java,Java Script,Flash,etc etc turned off and still have an APP that has a security hole that will infect your system.

      You need not become an expert to protect yourself; you only have to achieve competency. That's all you need to exercise best practices. To give a tired old car analogy, they don't need to be mechanics, they just need to be safe drivers. I'll use the classic Trojan horse program as an example: you don't need to understand how a trojan installs a backdoor into your system and makes it join a botnet; you only need to understand that running untrusted executables is a bad idea. I think the biggest falsehood being perpetuated here is that you are either totally ignorant or you're an elite expert. Users buy into this falsehood anytime you give them basic precautionary steps they can take and they say "but I'm not a geek!" This is despite the fact that you don't need to be a geek to follow illustrated step-by-step instructions, you only need to be literate.

      I think the marketing of most commercial software is partly to blame here. "Easy to use" isn't an inherently bad thing, but it is a disservice to users when it connotes "you can use this in a totally mindless fashion with zero understanding and never have any problems."

      But if you mean telling everyone to run Linux than sure that pretty much takes care of most of the problems but then you have to become their go-to person when ever they want to install something. It's all loose-loose, what really needs to happen is better enforcement of the network and better law enforcement involvement. Take all those people trying to protect the children and make them do some real work.

      We already have laws against computer intrusion. The problem is twofold: catching the actual perpetrators, who go to great lengths to conceal their identities; and prosecuting them when they are in other countries/jurisdictions. Protecting the clueless is the same as protecting the children, only it's worse. It's worse because children cannot be other than children, while the clueless could decide that learning is important to them.

      I think the real way to deal with this is to put real security into Windows. Removing an infection after-the-fact is not real security. It is only damage control. Windows needs a real security system that can prevent intrusions in the first place with no third-party software needed. The goal here is not perfect security. The goal is to make our systems secure enough that automated attacks are no longer successful. Then malware authors cannot just write a program one time and use it over and over again to infect millions of machines. Achieve that, and intrusions require dedicated human effort for each compromised machine and can no longer occur on massive scales with little effort. Then and only then does it make sense to think about prosecuting the computer crimes that remain.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    11. Re:Do "Users" have a choice? by ae1294 · · Score: 2, Interesting

      To all the people suggesting PE discs - what AV do you use? The vast majority simply do not work in a preboot environment. The ones that do tend to be old versions, which are about as helpful in removing real threats as a dull knife.

      You can use the included driverpacks app to include most LAN/WAN drivers and then use an online scanner if you like or you can install PE to a USB disk and install any Antivirus program you like.

      In my experience, the overwhelming majority of viruses are removed by MalwareBytes in safe mode.

      In my experience those people come back 3 days later with the same virus. MalwareBytes runs in PE now, as does SuperAntiSpyware and HijackThis and a number of Antivirus programs.

      get a USB => IDE/SATA adapter from newegg. Pop out the hard drive and hook it up to a clean machine. Mount the registry hives using regedit, and do a scan with your favorite AV product. No relying on a potentially rooted machine, and no relying on an old/gimped AV product that works in a preboot environment.

      That works or you can just use a PE Disk which will auto load your hives for you.

      Then you can run whichever programs you want like MalwareBytes, SuperAntiSpyware, HijackThis, etc and I normally delete the recycle bin, system restore folder, and all the temp folders while taking a look around for stray files. All this while the other scans are running.

      There really isn't any right or wrong way so whatever works for you is great. In my experience however safe mode is problematic.

      The best option is to nuke the MBR and format/reload the system but people hate that.

    12. Re:Do "Users" have a choice? by mcgrew · · Score: 0

      But if you mean telling everyone to run Linux than sure that pretty much takes care of most of the problems but then you have to become their go-to person when ever they want to install something.

      That's the case with Windows many times as well. With Mandriva, at least, installing programs is dirt simple; most I've needed came with the distro anyway.

      It's all loose-loose

      Did you mean "lose-lose"? You're not being very clear. What's loose except your usage of two very different verbs (one of which you used as an adjective)?

      You can browse the web with Java,Java Script,Flash,etc etc

      I see, you're twelve years old and don't understand how to write yet. Never mind then.

    13. Re:Do "Users" have a choice? by Anonymous Coward · · Score: 0

      Ultimately, as malware gets more sophisticated, the best solution is not just pre-boot media and a signature scanner, but a heuristic scanner that uses a whitelist. What this would do is scan all the places where stuff can start (drivers, HKCU, HKLM, startup directories), and remove anything that doesn't have the same length and cryptographic hash as what is stored in the whitelist.

      After checking the whitelist, then the heuristic scanner should check signatures of drivers and executables. If the signature on a driver or executable matches a well known key (not just a name, but a key ID and thumbprint), it should be OK.

      Heuristics have one glaring problem though. Unless you know the OS and machine's history, it might be difficult to tell a true positive from a false positive.

      Of course, this is a lot easier on Linux and UNIX variants. I can boot up from live media, do a find -print|xargs sha1sum>bigfile and diff the contents of that against the contents of vital filesystems when the box was installed. Same with a ls -lR and diffing to find permission changes. Yes, there will be a ton of false positives, but it becomes very easy to catch anything modified on the filesystems this way, even if the modifications are done using kernel level objects with clever rootkit hiding when the OS is running (clever enough to get around tripwire).
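The baseline-and-diff idea in the comment above, as an added example (not code from the thread): snapshot size, SHA-256 and permission bits for every regular file under a root, then diff a later snapshot against it. SHA-256 stands in for sha1sum, and the sample tree is constructed inside a temporary directory; in practice the baseline is taken at install time and the second snapshot from known-clean boot media with the suspect disk mounted.

```python
"""Baseline/diff integrity check: the scripted form of
'find -print | xargs sha1sum' plus 'ls -lR' compared against an install-time copy."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Record = Tuple[int, str, int]  # (size, sha256 hex digest, permission bits)


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, Record]:
    """Record every regular file under root, keyed by path relative to root.
    Symlinks are not followed and non-regular files are skipped."""
    manifest: Dict[str, Record] = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root)
            manifest[rel] = (st.st_size, sha256_of(full), stat.S_IMODE(st.st_mode))
    return manifest


def diff(baseline: Dict[str, Record], current: Dict[str, Record]) -> Dict[str, List[str]]:
    """Classify differences: new files, deleted files, content changes
    (size or hash), and files whose content is intact but whose mode changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified: List[str] = []
    mode_changed: List[str] = []
    for rel in sorted(set(baseline) & set(current)):
        b_size, b_hash, b_mode = baseline[rel]
        c_size, c_hash, c_mode = current[rel]
        if (b_size, b_hash) != (c_size, c_hash):
            modified.append(rel)
        elif b_mode != c_mode:
            mode_changed.append(rel)
    return {"added": added, "removed": removed,
            "modified": modified, "mode_changed": mode_changed}


def _write(root: str, rel: str, data: bytes, mode: int) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def demo() -> Dict[str, List[str]]:
    """Constructed sample tree (not a real system): take a baseline, then
    apply the kinds of change a post-intrusion snapshot would reveal."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"original ls\n", 0o755)
        _write(root, "etc/passwd", b"root:x:0:0\n", 0o644)
        _write(root, "etc/shadow", b"root:!:0\n", 0o600)
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n", 0o644)
        baseline = snapshot(root)

        # Same length, different bytes: size alone would miss this, the hash does not.
        _write(root, "bin/ls", b"origina1 ls\n", 0o755)
        # Appended account line: size and hash both change.
        _write(root, "etc/passwd", b"root:x:0:0\nextra:x:0:0\n", 0o644)
        # Content intact, but now world-readable: caught by the mode comparison.
        os.chmod(os.path.join(root, "etc/shadow"), 0o644)
        # One file gone, one new file that was never in the baseline.
        os.remove(os.path.join(root, "etc/hosts"))
        _write(root, "bin/extra-tool", b"unexpected binary\n", 0o755)
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Expect false positives from legitimate updates and logs, as the comment says; the value is that the baseline lives off the suspect disk, so a running rootkit cannot hide changes from the offline comparison.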

    14. Re:Do "Users" have a choice? by ae1294 · · Score: 1

      We already have laws against computer intrusion. The problem is twofold: catching the actual perpetrators, who go to great lengths to conceal their identities; and prosecuting them when they are in other countries/jurisdictions. Protecting the clueless is the same as protecting the children, only it's worse. It's worse because children cannot be other than children, while the clueless could decide that learning is important to them.

      Some of them do go to great lengths, most do not but you are right in that there is only so much law enforcement can do so I'll leave it at that.

      I think the marketing of most commercial software is partly to blame here. "Easy to use" isn't an inherently bad thing, but it is a disservice to users

      I have problems with the way the software is marketed as well. The whole "protect your computer from everything bad with just our product" part is the worst.

      I think the real way to deal with this is to put real security into Windows.

      That simply will never happen. If it did then there would be anti-trust cases but it doesn't matter as it just won't happen.

    15. Re:Do "Users" have a choice? by ae1294 · · Score: 1

      You can browse the web with Java,Java Script,Flash,etc etc

      I see, you're twelve years old and don't understand how to write yet. Never mind then.

      I'm not, but if I was, why would it matter? Are you not allowed to talk with them by court order or something?

    16. Re:Do "Users" have a choice? by mcgrew · · Score: 1

      It's not a matter of being allowed, it's a matter of not wanting to.

    17. Re:Do "Users" have a choice? by causality · · Score: 1

      That simply will never happen. If it did then there would be anti-trust cases but it doesn't matter as it just won't happen.

      It might happen if average users see enough counter-examples to understand that frequent malware infection is not some unavoidable, inherent aspect of owning a computer, that the belief that this was ever the case amounts to having had the wool pulled over their eyes. You get people angry because they feel like they've been lied to and screwed over, and they will consider alternative solutions that they'd never have made the effort to investigate before. At that point, stopping them will be as futile as stopping any other economic force (c.f. Prohibition). Alternative solutions include Linux and MacOS. This might just provide the "secure it or go bankrupt" sort of incentive that Microsoft needs.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    18. Re:Do "Users" have a choice? by Mr.+DOS · · Score: 1

      Sounds like it's time for the Avira AntiVir Rescue System.

            --- Mr. DOS

    19. Re:Do "Users" have a choice? by Mr.+DOS · · Score: 1

      Use Avira AntiVir Rescue System to get the system into a state where it can boot into Safe Mode, then finish off with MBAM and possibly SmitFraudFix.

            --- Mr. DOS

    20. Re:Do "Users" have a choice? by Zerth · · Score: 1

      That's why I keep a stack of livecds in my trunk, next to the jack, and an ISO on my keychain in case the CDs warped in the sun.

      Lately, most of my relatives have upgraded enough they can boot from USB.

    21. Re:Do "Users" have a choice? by RobertM1968 · · Score: 1

      It's more than just that. Super Anti Spyware needs to be set to scan all files (all files greater than its predefined size, and all files of all types). MalwareBytes does not need a settings change.

      Most other software either is not configurable (depending on version) or is configured to only scan "infectable" files.

      My personal experience of late is that I have seen many "non-infectable" files infected such as images, text documents, "unknown" document types, and so on. When I install any AV or AS software, I always configure it by hand to scan absolutely everything and then explain why to the end user.

      Thus, sadly, my experience shows that this statement, though the person's heart is in the right place, is not correct:

      'Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,' the company's researcher, David Sancho, writes on the Trend Micro blog.

      Nowadays, I've found malware hiding in every file type causing it to re-infect a machine continuously once an anti-malware software has killed the running version. It becomes a constant battle between the malware and the AM tool unless the "scan absolutely everything" option is enabled. I've had way too many customers come in thinking they've had tens of thousands of infections because of that little loop created by not scanning everything ("Gee, it just removed another 20 today, and 20 more the day before!!!")
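The weakness the comment above describes, shown as an added example that is not code from the thread: a scanner policy keyed on file extension ("infectable types only") trusts the file name, while looking at the leading bytes shows what the file actually is. The extension list, magic-number table and sample files are all constructed for the example.

```python
"""Extension-based scan filter versus content sniffing.
Constructed example: which files would an 'infectable types only' policy skip
even though their leading bytes say they deserve a look?"""
import os
import tempfile
from typing import Dict, List, Optional

# Leading-byte signatures for a few common container types (constructed subset).
MAGIC = {
    b"MZ": "pe-executable",            # DOS/PE header: .exe, .dll, .scr, .sys
    b"\x7fELF": "elf-executable",
    b"\x89PNG\r\n\x1a\n": "png-image",
    b"\xff\xd8\xff": "jpeg-image",
    b"%PDF-": "pdf-document",
    b"PK\x03\x04": "zip-container",    # also .docx, .xlsx, .jar
}
EXECUTABLE_KINDS = {"pe-executable", "elf-executable"}

# What a given extension is expected to contain.
EXT_EXPECT = {
    ".exe": "pe-executable", ".dll": "pe-executable", ".scr": "pe-executable",
    ".png": "png-image", ".jpg": "jpeg-image", ".jpeg": "jpeg-image",
    ".pdf": "pdf-document", ".zip": "zip-container", ".docx": "zip-container",
}

# A hypothetical "infectable types" policy: only these extensions get scanned.
SCAN_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".com", ".bat"}


def sniff(path: str) -> Optional[str]:
    """Identify a file by its first bytes; None if no known signature matches."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def classify(root: str) -> Dict[str, dict]:
    """For every file: extension, sniffed content type, whether the extension
    policy would scan it, and whether name and content disagree."""
    results: Dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            kind = sniff(full)
            expected = EXT_EXPECT.get(ext)
            results[os.path.relpath(full, root)] = {
                "ext": ext,
                "content": kind,
                "by_extension": ext in SCAN_EXTENSIONS,
                "mismatch": kind is not None and expected not in (None, kind),
            }
    return results


def gaps(results: Dict[str, dict]) -> List[str]:
    """Files the extension policy skips but that carry executable content
    or whose content contradicts their name."""
    return sorted(
        path for path, r in results.items()
        if not r["by_extension"] and (r["content"] in EXECUTABLE_KINDS or r["mismatch"])
    )


def demo() -> List[str]:
    """Constructed sample tree; returns the files the extension filter would miss."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,   # genuine JPEG header
            "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,       # PE header under an image name
            "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,         # PE header where one is expected
            "report.pdf": b"PK\x03\x04" + b"\x00" * 26,        # zip container under a PDF name
            "notes.txt": b"just some text\n",                  # no known signature
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return gaps(classify(root))


if __name__ == "__main__":
    print("skipped by extension policy but worth scanning:", demo())
```

Content sniffing is itself only a first filter (a data file can still carry a payload that targets the application opening it), which is why the comment's "scan absolutely everything" setting is the safer default.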

    22. Re:Do "Users" have a choice? by RobertM1968 · · Score: 1

      - And of course, no "security" software is ever going to protect you from everything. No one wants pre-emptive protection because it hinders their experience.

      True... I really like Spyware Terminator with ClamAV, but it creates more problems for my customers than it solves. They either:
      (A) Disable it (usually because they keep forgetting to enable "Install Mode" when installing something)
      (B) Disable the "Real Time Shield"
      (C) Block everything - leading to numerous programs not working properly
      (D) Allow everything - leading to a nicely infected machine and ST fighting the never ending battle of removing the infections

      Ah well... no amount of attempted training seems to have solved that for us, so I no longer install it on any but my own single XP machine and the machines of only the most technologically savvy users.

    23. Re:Do "Users" have a choice? by Lord+Kano · · Score: 1

      Bart PE is a good way to do this. You create a cd on a different computer and use it to scan your suspect PC.

      LK

      --
      "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    24. Re:Do "Users" have a choice? by Anonymous Coward · · Score: 0

      Safe mode isn't good enough. You want to run it in the pre-boot environment (what windows setup / chkdsk runs in).

      There's days when I miss Win9x. This is one of 'em.

      Because the OS was little more than a glorified DOS shell, you could always boot to DOS and rip out anything that had been tampered with.

      Going from 9x to NT made for a better OS, but it always felt like a UNIX system without the root password. No, being "admin" wasn't good enough.

    25. Re:Do "Users" have a choice? by Kalriath · · Score: 1

      Actually you can run a command from the installation CD to drop a copy of the recovery console to your PC. The pain in the ass is that the recovery console doesn't allow you to run programs - just a specifically whitelisted set. But of course that set lets you enable/disable drivers and services, as well as manipulate the registry.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    26. Re:Do "Users" have a choice? by RockDoctor · · Score: 1

      Safe Mode does fine enough for most people. I've been cleaning out viruses for almost a decade now

      ... then you're doing something pretty drastically wrong.
      Try this for size : stop getting viruses.
      Then, shock horror, you'd not need to be "cleaning out viruses" for the next ten years.

      I know, I know : "it's impossible", "it'll never work", "will nobody think of the poor AV vendors?", "bloody lusers couldn't avoid a virus even if you switched the computer off and arc-welded the removable drive bays shut".

      I got fed-the-fuck up with worrying about getting viruses back in the late '80s. So I started to be careful-the-fuck about what-the-fuck I did with my computer. The last virus I had to remove from one of *my* machines was a trojan sent from a friend's mail account (he'd been using an Abu Dhabi Internet cafe and forgot to log out of his account when he left ... [sigh]) in (IIRC) 1997. Still using the 'net ; still doing a lot of work. Viruses - someone else's problem. It's not rocket science.

      (It's going to be a fun month or two at work - in the middle of a Korean office full of viruses. That's OK - data comes in on their memory sticks, the stick goes into my Linux laptop ; the data goes onto a "sheep-dipped" memory stick ; the sheep-dip goes into the works machine ; the virused memory stick goes back to its owner. It's almost as much fun as taking lucky dip in the unconscious-VD-patient ward.)

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    27. Re:Do "Users" have a choice? by ae1294 · · Score: 1

      I'm sorry but that's crazy talk. If you can't keep their windows free of spyware then it must be your fault.. Microsoft is a huge corp with billions so they must know how computer thingies work. It's all your fault and the fault of the last tech who couldn't help them visit lolcats.... you're just trying to make money off them by making them come back over and over for the very same problem... /reality

    28. Re:Do "Users" have a choice? by ae1294 · · Score: 1

      It's not a matter of being allowed, it's a matter of not wanting to

      Then maybe you should have never responded to my first post?
      You sound like a very conflicted fellow with the not wanting to but then going ahead and doing that very same thing...

    29. Re:Do "Users" have a choice? by jonadab · · Score: 1

      > I'd say 85% of infections are from user ignorance

      I would have quoted a much higher percentage for infections that an educated user would have avoided. As a rule, people who know what they're doing can, with only a little luck, go *years* without being infected, while complete idiots get new infections every day. Most folks are somewhere in between.

      > but the rest is luck and who you have contact with.
      > (Outlook address books, etc)

      Outlook address books only matter if you use inherently unsafe email software (such as Outlook or Outlook Express). Switch to something safe and sane, like Pegasus Mail, and suddenly it won't matter whose address book you're in. Junk will still be sent to you, but there won't be any way for it to infect your computer. Until Outlook came along, the prospect of email-borne malware was purely theoretical. It had never happened. I used to tell users it was basically impossible, because your email software doesn't *execute* the contents of incoming messages, it only *displays* them for you to read. (Yes, theoretically there could be a buffer overflow. But I'm not aware of a single documented instance of a mailreader buffer overflow ever having been exploited in the wild.) Then Microsoft announced that, for convenience, Outlook would have this great new feature wherein it would automatically launch attachments. Everyone in the computer security community responded with lengthy commentary about why this was an incredibly bad idea, but Microsoft didn't listen. The rest is history. Now everyone just assumes you can get malware from reading email, but they forget the rest of the sentence. You can get malware from reading email *if* you use Outlook. So don't do that.

      In the last five years or so, Microsoft has significantly improved Outlook's security, and its track record has improved considerably. But you'd still have to be an idiot to want to use it. Its security track record even over the last five years is still worse than any other mailreader in history bar none, and there are much better, much more user-friendly, and much more featureful mailreaders out there anyway.

      You say 15% of malware infections are caused by bad luck and circumstances. I say people are making their own bad luck and circumstances.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    30. Re:Do "Users" have a choice? by IICV · · Score: 1

      To all the people suggesting PE discs - what AV do you use? The vast majority simply do not work in a preboot environment. The ones that do tend to be old versions, which are about as helpful in removing real threats as a dull knife.

      Boot Knoppix, sudo apt-get install clamav, clamscan -R /mount/*

      Granted, I don't know how good clamscan is, but at least it will have up-to-date heuristics.

    31. Re:Do "Users" have a choice? by causality · · Score: 1

      I'm sorry but that's crazy talk.

      It takes courage to imagine something new and different, even when it's something relatively minor like this issue.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    32. Re:Do "Users" have a choice? by ae1294 · · Score: 1

      Outlook address books only matter if you use inherently unsafe email software (such as Outlook or Outlook Express)

      I say bad luck because a large number of people are forced into using outlook for work and also use it at home since that is what they know.

      I don't use outlook and would never dare to but that doesn't change the fact that people are sorta forced into it which is why I choose 85%.

      If you really want to be an ass you can just say that 99% of malware and viruses are because people are idiots and should have known not to use X, Y or Z.

      I've not had any sort of virus problem since Win98 many years ago.

    33. Re:Do "Users" have a choice? by ae1294 · · Score: 1

      It takes courage to imagine something new and different, even when it's something relatively minor like this issue.

      It really doesn't take courage to imagine something new or different?
      Hoping that the majority's nature and their perspective will change any time soon is just silly...

    34. Re:Do "Users" have a choice? by causality · · Score: 1

      It takes courage to imagine something new and different, even when it's something relatively minor like this issue.

      It really doesn't take courage to imagine something new or different? Hoping that the majority's nature and their perspective will change any time soon is just silly...

      "Anytime soon" is the only part that's in question. Otherwise, as the ancients observed, one of the laws of the universe is Change. That was more than a primitive, pre-physics observation of the Second Law of Thermodynamics.

      Particularly when things get bad and change is long overdue, it can often be quite sudden and sometimes severe. That's especially the case when gradual, incremental small changes that would have regularly occurred over time were held back by the fiat of some kind of hierarchy, such as a monied interest or an authority. A dam bursting is the model for that scenario.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    35. Re:Do "Users" have a choice? by ae1294 · · Score: 1

      "Anytime soon" is the only part that's in question. Otherwise, as the ancients observed, one of the laws of the universe is Change

      People haven't changed that much in 3000 years. The modern world is hardly different from that of Roman times. People might rise up now and again but as soon as they calm down things will always go back to the way they were. It's all the same stuff repeated endlessly.

      Greed, Lust, Fear and Envy rule mankind and that isn't going to ever change. People are always going to take their anger out on those they can more so than those who deserve it. They will want the stuff their neighbor has simply because they have it, will wear silly clothing because that's the in thing and do as they are told by their masters.

      The masses do as they are told and that will not change for any length of time. Right now they are told to use Windows. One day it might be Apple but the people in charge will be the same...

    36. Re:Do "Users" have a choice? by jonadab · · Score: 1

      > a large number of people are forced into using outlook

      In every single case, when someone is required to use Outlook, there is somebody at their organization who made the decision to require them to use it. So my point stands.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    37. Re:Do "Users" have a choice? by ae1294 · · Score: 1

      In every single case, when someone is required to use Outlook, there is somebody at their organization who made the decision to require them to use it. So my point stands.

      Oh come on now, your point stands only because Outlook is evil and should not have been picked by the boss but that doesn't change the fact that employees are forced to use it and get to enjoy having their email addresses/contacts spread to every Malware, Nigerian, and Spam outfit on earth.

  2. Also... by InsertWittyNameHere · · Score: 4, Funny

    disabling any backup software will improve "performance and avoid unnecessary conflicts" as well.

    1. Re:Also... by Anonymous Coward · · Score: 0

      So the ext4 approach to data consistency?

    2. Re:Also... by ae1294 · · Score: 1

      So the ext4 approach to data consistency?

      This is the worst troll ever...

    3. Re:Also... by Anonymous Coward · · Score: 0

      Yes, you are.

    4. Re:Also... by ae1294 · · Score: 0, Troll

      Yes, you are.

      I fucked your mom last night...

    5. Re:Also... by ae1294 · · Score: 1

      I fucked your mom again tonight, along with some random drifter she met up at the bar... We heard you come up from the basement for snacks. You really should have said hello...

  3. Are you serious? by bl4nk · · Score: 4, Insightful

    Helping virus writers? Don't virus writers target the lowest-hanging fruit: the average Joe? Joe sure as hell doesn't read the Microsoft Knowledge Base, let alone knows of its very existence! Let's be realistic, here. This is coming from third-party AV companies, remember... they're fighting to stay relevant.

    1. Re:Are you serious? by postbigbang · · Score: 1

      And relevant they are.

      This week: six different local 'family' machines needed junk scraped from them by yours truly, the tech support guy. Why? They didn't understand about renewing their AV subscriptions-- and got infected. Does Microsoft have something inherent in Windows, native to the OS, that prevents contamination? No. Do their products distribute freely with up-to-date malware and virus prevention and thwarting? No. Users have to dig for them, install them, and hope that Microsoft's protection is sufficient.

      Yes, there are free AV apps (for civilians) that work fine. Are they adept at using them? No. It's a huge failure.

      --
      ---- Teach Peace. It's Cheaper Than War.
    2. Re:Are you serious? by causality · · Score: 1

      Helping virus writers? Don't virus writers target the lowest-hanging fruit: the average Joe?

      Joe sure as hell doesn't read the Microsoft Knowledge Base, let alone knows of its very existence! Let's be realistic, here.

      Joe Sixpack does not read the Microsoft KB, true. However, he pays the highest price for the malware problem as you point out. The bickering between Microsoft and AV vendors does at least indirectly affect him. Now, I'd assume that Microsoft would be the foremost expert on Windows for obvious reasons. But let's just say that they are wrong about this, yet the AV companies believe them. Now Joe Sixpack might get hit by malware that his AV tools don't know how to look for, because those infected files are listed as "not vulnerable".

      This is coming from third-party AV companies, remember... they're fighting to stay relevant.

      Well sure, they have a cottage industry to protect. If Microsoft gets its act together on Windows security, which would mean REAL security and not clever ways to clean up infections after-the-fact, and/or if average nontechnical Windows users get a clue, then it's bye-bye to that cottage industry.

      Look at their business model. It's an arms race; the black-hats produce new instances of malware while the AV companies index those and produce signatures and removal tools. The thing about an arms race that's good for the AV companies is that it is self-perpetuating, so there is always work for them to do. Even if there were a Final Ultimate Security Solution for Windows, the AV companies wouldn't want it. They wouldn't want that for the same reason that lawn-mower manufacturers wouldn't want a strain of grass that only grows to be 3-4 inches tall.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    3. Re:Are you serious? by Anonymous Coward · · Score: 0

      Do their products distribute freely with up-to-date malware and virus prevention and thwarting? No.

      Wrong!

    4. Re:Are you serious? by ae1294 · · Score: 1

      Even if there were a Final Ultimate Security Solution for Windows

      My MS Rep told me Windows 7 WAS that???

    5. Re:Are you serious? by mcgrew · · Score: 1

      It's as easy to put your malware in a secure place as it is to put in "my documents", and would be more effective in a "secure" place. If I were writing/spreading malware I'd be hiding it where AV software doesn't look.

      After all, the lowest hanging fruit would be unpatched machines with no AV at all.

    6. Re:Are you serious? by Anonymous Coward · · Score: 0

      People who aren't total fuckwits don't need so-called antivirus software. Everyone else can have fun infecting their computer with a false sense of security.

    7. Re:Are you serious? by Anonymous Coward · · Score: 0

      Don't virus writers target the lowest-hanging fruit: the average Joe?

      Sure, if you only want 10 million systems. If you want 50 million computers and for no one to know about it you're going to spend some more time.

    8. Re:Are you serious? by Anonymous Coward · · Score: 0

      Try MS Security Essentials.

  4. Won't the malware be detected once loaded into RAM by Anonymous Coward · · Score: 0

    Question mark. (Assuming that the anti-virus can detect the nasty with sigs/heuristics/behaviour monitoring)

  5. Really? by nametaken · · Score: 4, Informative

    Ok, so buried somewhere in the middle of an online support page about some potential file type exclusions MS mentions:

    *.edb
    *.sdb
    *.log
    *.chk

    ...in certain folders.

    Ok first, I have to assume that most computer users will never see this. I am not concerned that the next time I see my parents' computers that they'll have set up file type exclusions.

    Second, if you're excluding file types from scanning, those are probably good ones to exclude. These are files that have contents that are constantly changing and are not generally executable.

    Third, this stinks of "Hey listen to us! Then buy our antivirus."
    "Following the recommendations does not pose a significant threat as of now" But it may some day? Well no shit, doesn't that go for everything?

    Am I missing something? Is this a ridiculous stretch just to bash Microsoft or something? How is this an important read?

    1. Re:Really? by fluffy99 · · Score: 3, Informative

      The MS Article also gives specific recommendations for domain controllers and servers, which make good sense as well. The files they list include startup scripts and GPOs which get heavy use. AV can induce severe problems if it kept locking the files. On the flip side, you should keep an eye on those files as a compromise (not necessarily a generic detectable virus) could compromise your entire domain. Also note that you should exclude the database files on an Exchange server. Aside from the huge performance hit, you really don't want the A/V software deleting or screwing up the entire Exchange store if it sees a virus buried way down in a single email.

    2. Re:Really? by rdavidson3 · · Score: 2, Interesting

      Who's to say that the malware doesn't have an executable renamed to have a log extension, and the antivirus skips over it. How trivial would it be to have a loader that does nothing except load "safe" files and do its bad things under the cloak of "but it's a log file.... it should be safe".

      Excluding any files on the computer is a bad thing, and needs to be discouraged.

    3. Re:Really? by Amouth · · Score: 1

      I didn't read the article or the KB but from the types you have listed - first thing came to mind.

      Exchange.

      edb/sdb belong to Exchange stores - log is common but also used for transaction logs and chk if I remember right is used when rebuilding from TLs or doing an offline defrag.

      given the type of shit that's in mailboxes and queues and that it isn't executable - sure stuff is there but not a risk.

      then given the normal actions of AV software (hey I found shit in this file - remove handles, deny access - hey user I quarantined this thing for you).. hmm that could be quite bad

      yes there are plenty of examples of why you wouldn't want to exclude things - but at the same time there are a lot of reasons to.

      I agree that this does smell of the "Hey listen to us! Then buy our antivirus." especially since Security Essentials actually turned out nice.

      --
      '...if only "Jumping to a Conclusion" was an event in the Olympics.'
    4. Re:Really? by Shimbo · · Score: 1

      Third, this stinks of "Hey listen to us! Then buy our antivirus."

      It's an antivirus vendor blog FFS, what did you expect?
       
      Why do so many of them end up as front-page stories? Don't ask me.

    5. Re:Really? by Volante3192 · · Score: 1

      Yeah, in exchange's case what you need is something that hooks into the databases and scans the mail directly. Scanning a database as a virus just isn't going to work. It's like a zip file with a virus inside. You can scan the zip file and it'll pass. You need to look inside to figure out if you're safe.

    6. Re:Really? by NotBorg · · Score: 1

      If your AV software is killing your Exchange database then you should be fired for running it. All the relevant AV vendors provide Exchange integration. I've seen NT 4 boxes with it (it's not new).

      Home editions are for home computers not for your business' servers. Get the AV package that says "server" on it.

      --
      I want this account deleted.
    7. Re:Really? by clodney · · Score: 1

      Who's to say that the malware doesn't have an executable renamed to have a log extension, and the antivirus skips over it. How trivial would it be to have a loader that does nothing except load "safe" files and do its bad things under the cloak of "but it's a log file.... it should be safe".

      Excluding any files on the computer is a bad thing, and needs to be discouraged.

      So if you manage to get an executable onto the system, you can then use it to execute a malicious payload hidden in a seemingly innocuous file?

      If I can get an executable on the system, I have already compromised your security. Why bother with a hidden payload at that point?

    8. Re:Really? by rdavidson3 · · Score: 1

      The point is that the hidden payload doesn't get scanned by anti-virus at any point.

    9. Re:Really? by Anonymous Coward · · Score: 0

      If you scan your .edb's or your .sdb's plan on having a worse day than most viruses will give you as you will likely trash your Exchange server's database.

    10. Re:Really? by clodney · · Score: 1

      The point is that I have already gotten you to execute a malicious executable. What more have I gained with a hidden payload? The damage is already done.

      I will grant that this does open up one new vulnerability - I can write new malware that can be used to help the user execute old malware that is already known to the AV scanners.

      But I still say that once I have gotten you to execute malware I don't worry about getting a second payload in place.

    11. Re:Really? by girlintraining · · Score: 1

      Am I missing something? Is this a ridiculous strech just to bash Microsoft or something? How is this an important read?

      The entire idea of scanning for signatures is what's ridiculous. This broken model of ring-based security is what's ridiculous. Buy into those ideas and yeah, it would make sense then to exclude certain file types.

      What's needed is something like Tripwire, built into a bootable flash drive and Microsoft (and other vendors) releasing hashes of their files. But it's easier to do reactive security than proactive security -- and by easier I mean shoving the costs onto the consumers. At least then we could verify the integrity of the operating system and boot files independently of the software on the computer -- which is easily compromised. All this talk about a TCB has turned out to be just that -- talk. It hasn't helped system security one iota.

      --
      #fuckbeta #iamslashdot #dicemustdie
    12. Re:Really? by causality · · Score: 1

      The entire idea of scanning for signatures is what's ridiculous. This broken model of ring-based security is what's ridiculous. Buy into those ideas and yeah, it would make sense then to exclude certain file types.

      I don't think that ring-based security is broken merely because Microsoft and developers of most Windows software refuse to utilize the principle of least-privilege. OpenBSD uses the ring-based security of modern processors to great effect.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    13. Re:Really? by girlintraining · · Score: 1

      OpenBSD uses the ring-based security of modern processors to great effect.

      True, but then OpenBSD was designed with security in mind from the ground up.

      --
      #fuckbeta #iamslashdot #dicemustdie
    14. Re:Really? by Anonymous Coward · · Score: 0

      The point is that I have already gotten you to execute a malicious executable. What more have I gained with a hidden payload? The damage is already done.

      No, the original executable is not 'malicious', ie: there is no malicious code in it. It is just a loader for the malicious code, which is in the un-scanned files.

      Sheesh.

    15. Re:Really? by Anonymous Coward · · Score: 0

      No, the original executable is not 'malicious', ie: there is no malicious code in it. It is just a loader for the malicious code, which is in the un-scanned files.

      Think about what the "stub" loader must be able to do at a minimum: load portions of an arbitrary file into memory, then flag those data pages as executable; alternatively, the loader has a large enough region of executable memory consisting entirely of no-op instructions, then it has to load portions of an arbitrary file to overlay those executable pages. I pity the users of any anti-malware scanner which cannot detect that. The idea of malware having one or more separate payloads is nothing new.

      - T

    16. Re:Really? by drsmithy · · Score: 1

      True, but then OpenBSD was designed with security in mind from the ground up.

      No, it's just really well audited and minimally configured to the point of uselessness by default.

      If it was designed "with security in mind from the ground up", it wouldn't have a superuser and it sure as hell wouldn't be using the archaic user/group/other security model of traditional UNIX.

    17. Re:Really? by fluffy99 · · Score: 1

      Okay, hop off that pedestal of superior knowledge for a moment. There are a lot of small businesses running exchange. A significant portion of whom are running consumer or small-business versions of antivirus including those intended for servers. Now realize that their IT guy is usually only part time and probably not an expert. A recipe for disaster I know, but small businesses can't devote much resources to IT.

      As for antivirus vendors, Symantec Endpoint Protection client for servers installs just fine and doesn't automatically exclude the exchange stores or other critical files. Hence one reason for MS issuing the KB article. Yeah Symantec is crap but it is very prevalent in the corp environment (including mine). So even experienced IT guys can get bit by this.

  6. Vista & Windows 7 by hey · · Score: 1

    Maybe Microsoft should just say: Vista and Windows 7 are so secure there is no point in scanning anything. As these OSs are safe because of UAC :)

    1. Re:Vista & Windows 7 by LOLLinux · · Score: 0, Troll

      You mean the Mac and Linux attitude towards security? That worked out real well with that recent malware in those .deb files, right?

    2. Re:Vista & Windows 7 by Anonymous Coward · · Score: 0

      Linux attitude towards viruses is "meh, can't secure entire code base so why bother with something that will be undetectable in the first place?". Linux attitude is after an intrusion, the system has to be replaced, not simply a "removal of a virus". BTW, Linux has rootkit scanners and they are virus scanners and vulnerability scanners. But knowledgeable people know that such things are not the reason why there is no mass viruses for Linux servers and desktops. Unsecured Linux is as vulnerable as Windows or Mac to viruses, but one can take steps to secure the OS. You can do the same on Windows, but I'm not sure about Mac..

      Malware in .deb files is nothing that was not predicted. There is a reason why distributions have crypto signatures for their packages. There are tons of freely available exploits for Linux. Yes, no mass trojans.

      Mac's attitude towards viruses is they don't exist.

    3. Re:Vista & Windows 7 by aztracker1 · · Score: 1

      Mac's attitude towards viruses is they don't exist.

      What is this round Earth concept you speak of? It intrigues me.

      --
      Michael J. Ryan - tracker1.info
  7. Nothing new by Hawthorne01 · · Score: 3, Informative

    Microsoft's been helping out malware writers since at least 1982...

    --
    "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
    1. Re:Nothing new by Anonymous Coward · · Score: 0

      Funny how once they release Security Essentials for free, they all suddenly have issues with them. The free offering from M$ removes the need for a 3rd party AV.

    2. Re:Nothing new by weicco · · Score: 1

      You mean like DEC helped to write the first computer virus in the world?

      --
      You don't know what you don't know.
  8. Don't virus-check database files by Anonymous Coward · · Score: 5, Informative

    The blog points out that edb.chk and *.log files should be excluded. These files are used by the ESE/ESENT database engine (used by Active Directory, Exchange Server, Windows Desktop Search, etc.) for database recovery and contain a list of physical database updates, in binary form. Historically the problem has been that these files can contain almost any byte sequence so virus checkers would start flagging them as infected and quarantine them, breaking database recovery. This can be particularly nefarious for Exchange Server because mailing an infected file as an attachment causes the same bytes to appear in the logfiles. If a virus checker quarantines the logfile then database recovery can be broken -- a neat DoS attack.

    As the logfiles aren't executable, but can contain any byte sequence there isn't any benefit to checking the files, but a lot of damage can be done by 'repairing' or quarantining them.

    1. Re:Don't virus-check database files by Aladrin · · Score: 2, Interesting

      But by the same logic, I could write a virus that hides itself in files called edb.chk and mail.log and keep the code that a virus scanner would find in there. Then just load that into memory from some stub program.

      That's what the article is warning about.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    2. Re:Don't virus-check database files by Anonymous Coward · · Score: 0

      But by the same logic, I could write a virus that hides itself in files called edb.chk and mail.log and keep the code that a virus scanner would find in there. Then just load that into memory from some stub program.

      That's what the article is warning about.

      And then, the stub program gets its own virus definition and is defeated once more. Yaaaay! That was hard!

    3. Re:Don't virus-check database files by Anonymous Coward · · Score: 0

      Then the virus checker just needs to detect the stub program. What you are describing is a standard virus trick, but instead of using edb.chk you can encrypt the virus and the stub program can decrypt and execute it. Modern virus checkers have to be able to deal with that.

    4. Re:Don't virus-check database files by Sycraft-fu · · Score: 1

      You also don't want to check any intensively accessed files in general. It can add a lot of overhead if the thing is being continually accessed by many different users/processes.

      For example on my system I have excepted EWI and EWS files from checking. Those files are the instruments and samples for the virtual instruments I use. The reason for the exception is that they are accessed in a very intense manner. The system has to read them in very quickly to stream sample data off the disk in realtime and you can have hundreds being accessed at the same time, repeatedly. Scanning them over and over really adds to overhead and can cause audio dropouts.

      So, while I suppose in theory this is a vector for infection, I guess that someone would infect a sample file that causes an overflow in the VST that then causes the sequencer to misbehave and infects my system, it is a pretty low one. As such it isn't worth taking a performance hit and having troubles, instead it is better to just tell the virus scanner to leave those files alone.

    5. Re:Don't virus-check database files by shutdown+-p+now · · Score: 2, Informative

      Any such stub program that loads random binary code from a non-executable file and executes it would likely be identified as a virus itself by any decent AV scanner.

    6. Re:Don't virus-check database files by Anonymous Coward · · Score: 0

      If the virus scanner is not able to handle finding the virus loading stub, then the virus scanner is little more than a waste of CPU cycles.

    7. Re:Don't virus-check database files by Anonymous Coward · · Score: 0

      Why would it? It doesn't do anything malicious itself. It'd be like saying IE is malicious because it can load a file that is malicious.

      besides, do you know how many different ways to load another file there are? You can't define all of them as malware, or you'd interfere with legit programs.

    8. Re:Don't virus-check database files by drsmithy · · Score: 1

      But by the same logic, I could write a virus that hides itself in files called edb.chk and mail.log and keep the code that a virus scanner would find in there.

      This virus brought to you by the Dept. of Redundancy Department.
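The top post of this thread describes a mechanism rather than an opinion, so here is a toy of it as an added example; this is not code from the page, from Microsoft or from Trend Micro. A write-ahead log records raw page bytes, so an attachment's bytes land in the log; a byte-signature scanner flags the log and quarantines it; crash recovery then has nothing to replay. The record format, the log name E00.log and the pattern EVIL-PATTERN-42 are all invented, and real ESE logs are far more complex.

```python
"""Toy write-ahead log that a byte-signature scanner quarantines.

Added illustration, not code from the page, Microsoft or Trend Micro.
The record format, file name and signature are all made up.
"""
import os
import struct
import tempfile

PAGE_SIZE = 64
SIGNATURES = [b"EVIL-PATTERN-42"]  # hypothetical AV byte pattern


def signature_hits(data: bytes) -> list:
    """Naive byte-pattern scanner: the file-level AV of this thread, in miniature."""
    return [s for s in SIGNATURES if s in data]


def append_log_record(log_path: str, page: int, offset: int, payload: bytes) -> None:
    """Append one physical page update: <page u32><offset u32><len u32><bytes>."""
    with open(log_path, "ab") as f:
        f.write(struct.pack("<III", page, offset, len(payload)) + payload)


def replay_log(pages: list, log_path: str) -> list:
    """Crash recovery: re-apply every logged update to a page array."""
    with open(log_path, "rb") as f:
        data = f.read()
    pos = 0
    while pos < len(data):
        page, offset, length = struct.unpack_from("<III", data, pos)
        pos += 12
        pages[page][offset:offset + length] = data[pos:pos + length]
        pos += length
    return pages


def store_attachment(pages: list, log_path: str, page: int, attachment: bytes) -> None:
    """Commit an attachment to a mailbox page; the log now holds the same bytes."""
    append_log_record(log_path, page, 0, attachment)
    pages[page][0:len(attachment)] = attachment


def quarantine_if_infected(path: str) -> bool:
    """What a file-level AV does on a hit: move the file aside. True if quarantined."""
    with open(path, "rb") as f:
        infected = bool(signature_hits(f.read()))
    if infected:
        os.replace(path, path + ".quarantined")
    return infected


def demo() -> dict:
    workdir = tempfile.mkdtemp()
    log_path = os.path.join(workdir, "E00.log")  # hypothetical log name
    attachment = b"hello " + SIGNATURES[0] + b" world"  # constructed bad attachment

    # Scanning at the mail layer (transport/mailbox hook) sees the attachment itself.
    caught_at_delivery = bool(signature_hits(attachment))

    # If it is committed anyway, the log carries the bytes and a file scanner flags it.
    live = [bytearray(PAGE_SIZE) for _ in range(4)]
    store_attachment(live, log_path, page=2, attachment=attachment)
    log_quarantined = quarantine_if_infected(log_path)

    # Recovery from the last checkpoint needs that log. It is gone.
    try:
        replay_log([bytearray(PAGE_SIZE) for _ in range(4)], log_path)
        recovery_after_quarantine = True
    except FileNotFoundError:
        recovery_after_quarantine = False

    # Put the log back (the admin restores it): replay rebuilds the committed state.
    os.replace(log_path + ".quarantined", log_path)
    rebuilt = replay_log([bytearray(PAGE_SIZE) for _ in range(4)], log_path)

    return {
        "caught_at_delivery": caught_at_delivery,
        "log_quarantined": log_quarantined,
        "recovery_after_quarantine": recovery_after_quarantine,
        "rebuilt_matches_live": rebuilt == live,
    }


if __name__ == "__main__":
    print(demo())
```

The same signature is found both at delivery and in the log; the difference is what the hit costs. At the mail layer the attachment is dropped and nothing else happens; on the log file the hit takes out recovery for the whole store, which is the DoS the post warns about and why the thread's Exchange admins want a mail-aware scanner plus a file-level exclusion, not a file-level scan of the log directory.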

  9. It used to be... by Anonymous Coward · · Score: 5, Insightful

    It used to be that you could tell people to open pictures/films because they were safe. Then movie viewer programs (i.e. media players) started to execute HTML to download a certificate or decoder. Now you can get a trojan that way. It used to be that by getting an email you could not get a virus. Then Outlook started to actively open email or even hide extensions.

    See the trend? The problem is not that the content cannot be executed, it is that more and more the decoder/reader for such files is looking at active markup or script which allows virus makers to exploit faults (buffer overflow) or execute their own script. Nowadays I would not put it past a crafty virus maker to exploit flaws in notepad...

    1. Re:It used to be... by L0rdJedi · · Score: 1

      Only Windows Media Player accepts executable code at the end of a video. Most other media players still do not do that so they are not susceptible to that attack. With the Outlook image thing, it's actually a VBS file with the .gif or .jpg somewhere else in the name and the actual extension spaced way off at the end, so images are actually still ok. Admittedly, turning off the display of extensions is a boneheaded move that MS still makes on their OS. It seems to be their way of trying to be more "Mac like".

      Somehow I doubt that MS is going to give Notepad the ability to execute code found in a text file. Mainly because almost no one but a techie will ever use Notepad. Most people that need a "text editor" load up Word or Google Docs.

    2. Re:It used to be... by QuantumRiff · · Score: 1

      Ahh, remember the 90's, when people would forward chain mails about how even looking at an email with a certain subject would wipe your entire hard drive? And then how us IT people would have to tell people that it was okay, that reading emails was fine, they were just text, just never, ever execute an attachment you weren't expecting...

      Then outlook got real popular in companies...

      Course, they also used to forward chain mails about "if you forward this to 10 people, Bill Gates would send you $200." and we would have to tell them that emails can't be tracked like that.. Of course, with 1x1 images in emails now.. they can..

      --

      What are we going to do tonight Brain?
    3. Re:It used to be... by QuantumRiff · · Score: 3, Informative

      Keep telling your users that. Tell them that QuickTime is just fine. (along with Acrobat reader, while they are at it).. And no 3rd party media players have ever had buffer overflow problems...

      then there was the whole Image thing.. http://www.microsoft.com/technet/security/bulletin/ms06-039.mspx makes it sound a little more serious than just mucking with the file-name.

      --

      What are we going to do tonight Brain?
    4. Re:It used to be... by CannonballHead · · Score: 1

      and we would have to tell them that emails can't be tracked like that..

      You were wrong!! I can't believe you missed that opportunity!!!1 I just received a check from Bill Gates c/o Microsoft Corp. in Redmond, Washington for $1,689.34. It's works! But if you don't forward this to all your friends, someone from Microsoft will come around to collect what you owe!

      ...

    5. Re:It used to be... by Anonymous Coward · · Score: 0

      Only Windows Media Player accepts executable code at the end of a video. Most other media players still do not do that so they are not susceptible to that attack

      Wait... I thought that 3rd party software is always to blame. At least that's what I've been told by Wintards for the last 20 years. What's all this talk about Media Player, Outlook, IE, and Notepad for?

    6. Re:It used to be... by gsarnold · · Score: 2, Insightful

      Meh... I think the problem is that about fifteen-some-odd years ago, Microsoft decided against all convention that storing auto-executable code and scripts inside data files was a great idea.

    7. Re:It used to be... by aztracker1 · · Score: 1

      If there is a buffer overflow problem with notepad.exe it could very well be used as an attack vector.

      --
      Michael J. Ryan - tracker1.info
    8. Re:It used to be... by dissy · · Score: 1

      Nowadays I would not put it past a crafty virus maker to exploit flaws in notepad...

      http://seclists.org/fulldisclosure/2008/Jan/339

      Yes it is a joke, but a funny one!

    9. Re:It used to be... by Anonymous Coward · · Score: 0

      Image exploits were certainly real. The reason being the image viewer didn't handle dodgy data properly. Once you find that kind of failure, you are looking to deliver a payload to exploit the suspect image viewer or library. Once the payload is delivered you have successfully managed to have your code running on the machine by simply having a user view an image. Of course on Windows, most Windows users were effectively running as superusers, so you get control of the machine. Presumably current versions are saner.

      It doesn't matter what the file type is, what the extension may be, it's about how the application opening the file handles bad data. This is the prime attack method for rooting devices.

    10. Re:It used to be... by Blakey+Rat · · Score: 1

      Course, they also used to forward chain mails about "if you forward this to 10 people, Bill Gates would send you $200." and we would have to tell them that emails can't be tracked like that.. Of course, with 1x1 images in emails now.. they can..

      Actually, the majority of mail clients now won't load images from remote servers. Tracking email was much more effective in the Windows 9x days than it is now.

    11. Re:It used to be... by ae1294 · · Score: 1

      so images are actually still ok

      http://www.theregister.co.uk/2004/09/15/windows_jpeg_bug/

      The old bromide that promises you can't get a computer virus by looking at an image file crumbled a bit further Tuesday when Microsoft announced a critical vulnerability in its software's handling of the ubiquitous JPEG graphics format.

      The security hole is a buffer overflow that potentially allows an attacker to craft a special JPEG file that would take control of a victim's machine when the user views it through Internet Explorer, Outlook, Word, and other programs. The poisoned picture could be displayed on a website, sent in email, or circulated on a P2P network.

      Somehow I doubt that MS is going to give Notepad the ability to execute code found in a text file.

      Step 1. virus.exe.txt
      Step 2. rename.txt.bat
      Step 3. HKLM or taskman runs rename_txt.bat
      Step 4. virus.exe executes
      Step ~. &%*&^*^))_(*((&^%^%^%%V1@GR@!$$#$@#

  10. won't make a bit of difference by viralMeme · · Score: 1

    "'Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,' the company's researcher, David Sancho, writes on the Trend Micro blog."

    It won't make a bit of difference, as AV software doesn't work already. A more realistic solution being to allow a whitelist of known good software.

    'Why is "Enumerating Badness" a dumb idea? It's a dumb idea because sometime around 1992 the amount of Badness in the Internet began to vastly outweigh the amount of Goodness'

    1. Re:won't make a bit of difference by Calydor · · Score: 1

      And how, exactly, are you going to whitelist software?

      Let's say you're making a fun little game in C++, but you can't test it on a protected system because it's not in the whitelist.

      And what's to say that it won't cost money to be added to the whitelist? Goodbye F/OSS.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    2. Re:won't make a bit of difference by AlphaBit · · Score: 1

      It won't make a bit of difference, as AV software doesn't work already. A more realistic solution being to allow a whitelist of known good software.

      Realistic for who? A whitelist approach sounds great if you're already a massive software company that can pay the fees and jump through the hoops necessary to get listed. It's also great for weeding out real competition and innovation in software.

      Fortunately, it's already been tried by MS (Signed software) and found to be totally irrelevant (Install anyway).

    3. Re:won't make a bit of difference by Anonymous Coward · · Score: 1, Insightful

      It won't make a bit of difference, as AV software doesn't work already. A more realistic solution being to allow a whitelist of known good software.

      Yeah. We could call it... Trusted Computing. And require that all executable code be signed by Microsoft.

    4. Re:won't make a bit of difference by mcgrew · · Score: 1

      Then the malware writers would write viruses that attacked programs in the white list. A better approach would be better QC by the software companies; it's hard for a worm to wiggle through a hole that isn't there.
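Two posts above argue for enumerating goodness instead of badness: girlintraining's Tripwire-style baseline of vendor-published hashes checked from clean boot media, and viralMeme's whitelist of known-good software. As an added example (not code from the page or from any vendor), here is a minimal version of both in one checker: a hash manifest protected by a MAC so the baseline itself cannot be quietly edited, a Tripwire-style tree report, and an allowlist decision per executable. The directory tree, file contents and the key are constructed; a real deployment would sign the manifest with a vendor key (Authenticode, GPG) rather than share a symmetric HMAC key, and would run from read-only media.

```python
"""Baseline-and-allowlist checker: enumerate goodness instead of badness.

Added illustration, not code from the page or from any vendor. The tree,
file contents and manifest key are constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, rel_paths, key: bytes) -> bytes:
    """Baseline: {relative path: sha256}, then a MAC over the serialised table."""
    table = {rel: sha256_file(os.path.join(root, rel)) for rel in sorted(rel_paths)}
    body = json.dumps(table, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def load_manifest(blob: bytes, key: bytes) -> dict:
    """Reject a manifest whose MAC does not verify, so the baseline itself is trusted."""
    outer = json.loads(blob)
    expected = hmac.new(key, outer["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, outer["tag"]):
        raise ValueError("manifest tampered with or wrong key")
    return json.loads(outer["body"])


def _rel(path: str, root: str) -> str:
    return os.path.relpath(path, root).replace(os.sep, "/")


def check_tree(root: str, manifest: dict) -> dict:
    """Tripwire-style report of modified, missing and unlisted files under root."""
    report = {"modified": [], "missing": [], "unlisted": []}
    seen = set()
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            rel = _rel(full, root)
            seen.add(rel)
            if rel not in manifest:
                report["unlisted"].append(rel)
            elif sha256_file(full) != manifest[rel]:
                report["modified"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    report["modified"].sort()
    report["unlisted"].sort()
    return report


def allowed_to_run(path: str, root: str, manifest: dict) -> bool:
    """Allowlist decision: only a listed path whose hash still matches may execute."""
    rel = _rel(path, root)
    return rel in manifest and sha256_file(path) == manifest[rel]


def demo() -> dict:
    key = b"constructed-demo-key"  # stands in for the vendor's signing key
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    baseline = {"bin/notepad.exe": b"MZ fake notepad", "bin/calc.exe": b"MZ fake calc"}
    for rel, content in baseline.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    blob = build_manifest(root, baseline, key)
    manifest = load_manifest(blob, key)

    # Later: one binary is patched and a new one is dropped next to it.
    with open(os.path.join(root, "bin", "calc.exe"), "ab") as f:
        f.write(b" EVIL")
    with open(os.path.join(root, "bin", "dropper.exe"), "wb") as f:
        f.write(b"MZ dropper")

    # The attacker also rewrites the manifest entry to match the patched binary,
    # but cannot recompute the MAC without the key.
    outer = json.loads(blob)
    outer["body"] = outer["body"].replace(
        manifest["bin/calc.exe"], sha256_file(os.path.join(root, "bin", "calc.exe")))
    try:
        load_manifest(json.dumps(outer).encode(), key)
        forged_accepted = True
    except ValueError:
        forged_accepted = False

    return {
        "report": check_tree(root, manifest),
        "notepad_allowed": allowed_to_run(os.path.join(root, "bin", "notepad.exe"), root, manifest),
        "calc_allowed": allowed_to_run(os.path.join(root, "bin", "calc.exe"), root, manifest),
        "dropper_allowed": allowed_to_run(os.path.join(root, "bin", "dropper.exe"), root, manifest),
        "forged_manifest_accepted": forged_accepted,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note what this does and does not buy you. It needs no signature for the dropper and catches the patched binary by the hash mismatch alone, and the tampered manifest is rejected outright. It does nothing about mcgrew's objection directly above: an allowed program fed a malicious data file is still an allowed program, so an allowlist is a complement to patching and least privilege, not a replacement for them.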

  11. Gotta Love Trend by Anonymous Coward · · Score: 0

    Security firm Trend Micro has accused Microsoft of giving malware writers a helping hand by advising users not to scan certain files on their PC because 'they are not at risk of infection.' Trend Micro warns that by making such information available, Microsoft is effectively creating a hit list for malware writers. 'Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,' the company's researcher, David Sancho, writes on the Trend Micro blog."

    Although, my all-time fave was when their phishing filter (composed by know-nothing $1-an-hour workers in the Philippines) used Wells Fargo's ACTUAL 800 customer-service number as a signature. Needless to say, that's an account (WF) they subsequently lost

  12. get your solution here .. by viralMeme · · Score: 1
  13. The whole point is... by m2pc · · Score: 2, Interesting

    It does open up some security concerns when an A/V utility is advised to "skip over" certain files. A malware writer could easily exploit this and simply mask their executable "payload" with one of the "non scannable" file extensions to avoid detection. Malware could easily modify the registry to make one of these "non executable" extensions open with the windows shell, causing them to become executable even without the .EXE extension. This would only work, however, if the resident portion of the malware was able to evade detection.

    1. Re:The whole point is... by jim_v2000 · · Score: 1

      >This would only work, however, if the resident portion of the malware was able to evade detection.

      Yes, so really, if you're already infected, the virus can pretty much do whatever it wants to your system, including breaking your antivirus. The "security concerns" with excluding those extensions are not really security concerns at all.

      --
      Don't take life so seriously. No one makes it out alive.
  14. What? by sajuuk · · Score: 1

    No obligatory comment that Microsoft itself is a malware producer?

    1. Re:What? by Anonymous Coward · · Score: 0

      no

  15. conflict of interest by Anonymous Coward · · Score: 0

    More importantly, the installation process for Windows guides users to run primarily as administrator, which makes the whole OS one big target. Microsoft could do a lot more for security by not guiding users to surf the web, etc, as admin. But then, there wouldn't be as much of a need for antivirus/antimalware software such as "security firm" Trend Micro's.

  16. Alternate Data Streams by nlewis · · Score: 2, Informative

    As I understand it, any file in an NTFS partition can have one or more Alternate Data Streams associated with it, regardless of its type or location. So if you tell someone not to scan something like "Edb.log", does that imply that they should not scan "Edb.log:virus.exe" either?

    I have to agree with Trend Micro on this one. Completely skipping specific files in specific directories may prevent performance issues, but it may also make it easier for malware authors to find new hiding places.

  17. Huh? Sounds like shit talking. by pyster · · Score: 1

    This sounds like shit talking. Anti-virus/malware vendors do the same crap.

    I do not trust any anti-virus/malware software anymore. I've had Trend Micro pick up text files written 20 years ago as a virus. I've had Norton kill copies of remote admin (at the absolute worst times too...). I've had Ad-Aware find crap on virgin systems... and the stuff it finds I know isn't infected.

    My solution to the problem has been to use ZoneAlarm, shut down ports at the router level, monitor my network traffic, restore a Ghost image on a regular basis, and watch what I install. It's not a perfect system but it mostly works well enough that I doubt I am part of the botnet. I scan with Trend Micro once in a while for fun...

    If you didn't write it, don't trust it. We've seen time and time again legitimate software doing things we don't feel they should be doing.

    1. Re:Huh? Sounds like shit talking. by fast+turtle · · Score: 1

      I've used ZoneAlarm in the past (was one of the beta testers long ago) but now that Win7 includes a true bi-directional firewall, I don't use it. What I've done is the same as I would on a *nix box. Simply deny all in both directions, then open the minimal exceptions I actually need. Yep, even Firefox gets no direct connection (it goes through my proxy server) and it's the same for those few apps that actually need net access. Otherwise nothing, and I mean absolutely nothing, is granted permission by default, including SVCHOST. I locked that down so hard WinUpdate quit working until I figured out exactly what to allow. Then I created the rules for it and only it.

      As someone posted earlier, the problem is this: we are all at the mercy of the devs, who may not pay any attention to whether their app truly needs net access, yet most of those installed work fine after access is cut.

      --
      Mod me up/Mod me down: I won't frown as I've no crown
  18. In a related story, water is wet by Anonymous Coward · · Score: 0

    Microsoft's policies (and products!) are crappy for security.

    Who could have possibly known?

  19. This is sick! by tyroneking · · Score: 1

    In this day and age we should not need antivirus software and firewalls. Microsoft, wake up! What the hell is going on here? A whole market devoted to protecting an OS that we all have to pay for when we buy a new PC?
    So, Microsoft taxes all new PCs, and we pay av vendors even more to protect the Microsoft OS.
    This is surreal and sick.
    We should ALL demand that our employers use Ubuntu ... every day ... until they give in...

    1. Re:This is sick! by rjolley · · Score: 1

      So, what are you going to say when everyone starts to use ubuntu and malware writers start targeting it instead of windows? QUICK EVERYONE SWITCH TO OPENSOLARIS!

    2. Re:This is sick! by Karlt1 · · Score: 1

      In this day and age we should not need antivirus software and firewalls. Microsoft, wake up! What the hell is going on here? A whole market devoted to protecting an OS that we all have to pay for when we buy a new PC?
      So, Microsoft taxes all new PCs, and we pay av vendors even more to protect the Microsoft OS.
      This is surreal and sick.
      We should ALL demand that our employers use Ubuntu ... every day ... until they give in...

      So exactly how do you propose that an operating system prevent a user from downloading malware that can destroy the user's files? How do you propose that an OS do anything but warn a user before a program can access privileged parts of the OS?

    3. Re:This is sick! by daveime · · Score: 2, Funny

      We should ALL demand that our employers use Ubuntu

      Mr Employer, can I interest you in an open-source, free, screensaver ?

    4. Re:This is sick! by Coren22 · · Score: 1

      Then when Linux is attacked in the same way as Windows we will see just how secure it is? There have been viruses written for Linux, it is not inherently secure.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    5. Re:This is sick! by CannonballHead · · Score: 1

      We should ALL demand that our employers use Ubuntu ... every day ... until they give in...

      Oh boy.

      Oh boy.

      Your employer pays Microsoft to use Microsoft's OSs. If your employer wants to stop paying Microsoft and use Ubuntu, I'm sure they can. Maybe they don't want to. In which case, demanding it probably won't do too much for you.

      Of course, if someone actually demonstrated the same efficiency, no configuration issues, no breakages every time Ubuntu decides to roll out an upgrade, etc., maybe more employers would listen. Or perhaps if Ubuntu offered paid support (do they? I don't know).

      There's a reason people pay for Oracle, for example, instead of using the free MySQL. Perhaps there are reasons employers pay for Microsoft instead of using Canonical. (as a user-targeted OS, anyways)

    6. Re:This is sick! by CannonballHead · · Score: 1

      Oh boy x2 was a mistake. hehe.

    7. Re:This is sick! by L0rdJedi · · Score: 1

      Yeah, good luck with that. I'm sure the other guy, ya know, the one that's willing to use Windows, will enjoy taking your job.

    8. Re:This is sick! by causality · · Score: 2, Insightful

      Then when Linux is attacked in the same way as Windows we will see just how secure it is? There have been viruses written for Linux, it is not inherently secure.

      With the millions of Linux machines out there, you'd think at least some of those viruses would be propagating in the wild. Not a large number, mind you, because of Linux's small percentage of marketshare. But if Linux is no more secure than Windows, that number should be significantly more than zero. Yet it isn't. Your common sense should tell you that this is a flaw in your theory there.

      The viruses that exist for Linux are generally proof-of-concept examples, but they aren't actually attacking and infecting Linux machines successfully. That's despite the large number of Linux servers that have both lots of system resources (CPUs, RAM, etc) and high-speed connections, which would make them very attractive targets. I bet all of this is a real mystery to you if you believe that Windows and Linux are equally secure.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    9. Re:This is sick! by rantingkitten · · Score: 2, Insightful

      So exactly how do you propose that an operating system prevent a user from downloading malware that can destroy the user's files?

      Partly because the notion of distro-maintained repositories, containing tens of thousands of packages, vetted and verified by people who know way more than you or I, and subsequently checked by thousands of people who use them and examine them, is an inherently safer method than the Microsoft ecosystem method of "search the web and download unknown binary installers from god-knows-where which will do god-knows-what to your system".

      Yes, with Ubuntu you can download random, untrusted nonsense and run it. But it's essentially never necessary; there's just no reason. The Windows model, on the other hand, actively encourages such stupid behavior. Big surprise, people end up installing dumb things even without realising it.

      Even when you think you know and trust the source you can get burned. When Chrome came out I installed it to see what all the fuss was about (nothing; it's a piece of garbage). Hey, it's Google, they're good guys, I know them, right? Right. So imagine my annoyance when it silently installed some "Google Updater" alongside, without asking or telling me, and was sending fuck-knows-what information to fuck-knows-who for fuck-knows-what reasons. And it wouldn't uninstall when I got rid of Chrome. I ended up having to manually remove its directory because it kept coming back. That, to me, is the very definition of spyware, and I thought I knew where I was getting this allegedly safe software.

      Things like this are why Windows is vastly inferior in every aspect of security. The idea of downloading and running random, untrustable, closed binaries from random, untrustable sites is a fantastic way to get infected. It's the single largest vector of infection there is, by a ridiculous margin. The Linux model of package management eliminates this.

      --
      mirrorshades radio -- darkwave, industrial, futurepop, ebm.
    10. Re:This is sick! by 0ld_d0g · · Score: 1

      With the millions of Linux machines out there, you'd think at least some of those viruses would be propagating in the wild.

      The viruses that exist for Linux are generally proof-of-concept examples, but they aren't actually attacking and infecting Linux machines successfully. That's despite the large number of Linux servers that have both lots of system resources (CPUs, RAM, etc) and high-speed connections, which would make them very attractive targets.

      Many houses on my street have never been robbed. And guess what! They happen to be painted off-white. Many of them have wide screen TVs and other expensive items. The security system these off-white houses use must be better than others!!

      Prove that a significant amount of malware programmers are trying to write malware for Linux and are unable to and you *might* have the hope of constructing a point.

      The viruses that exist for Linux are generally proof-of-concept examples, but they aren't actually attacking and infecting Linux machines successfully

      The mere fact that they can exist points to a flaw in Linux; would you not agree?

      I bet all of this is a real mystery to you if you believe that Windows and Linux are equally secure.

      By that logic of course Plan9 is the most secure OS.

      Simplistically, an operating system's job is to move the magnetic head on the hard disk and load bits from the hard disk, copy them into memory and set the CPU instruction pointer so the bits are read by the CPU as instructions and thus the executable executes till a pre-emptive interrupt is triggered after the specified time slice.

      I can't for the life of me think of anything in *ANY* operating system that would prevent that. The only way to prevent such an executable from executing would be to know beforehand if these 'bits' cause harm to your PC or are a regular executable. Again, can't think of any OS that would prevent that.

      Let's look at common forms of malware. (includes viruses IMO)

      Malware that spreads though a user action: Downloading & Installing malware (disguised as a screensaver with ponies). No OS can prevent you from doing that.

      Malware that spreads through a 'drive-by' exploit through the browser: There exist, and have existed since time immemorial, arbitrary code execution vulnerabilities in almost all browsers. Making a comparison of Windows vs Linux is moot, since the browsers are but applications and have nothing to do with the core functionality of the OS, making flaws in them irrelevant to a discussion on OS design.

      Malware that spreads through an exploit in the OS: If you want to claim that any Linux default install doesn't have or rather hasn't ever had any remote code execution vulnerabilities through which malware spreads on Windows, then there is no point talking to you because you have taken some industrial strength kool-aid that would be hard to argue against.

      -------

      Here's what I think contributes to Windows computers getting compromised. Of course this doesn't include co-ordinated attempts at hacking a computer. We've seen numerous times any server can get r00ted given the right amount of time and expertise.

      * Lack of white-listed software :- Default way to install software on Windows is to download an untrusted installer and run it.

      * Lack of culture of frequent patching :- We've seen it over and over again. Worms like Conficker get widespread coverage MONTHS after the vulnerability has been patched by MS. In many cases the worm itself is created after reverse engineering security patches. Many users turn off Windows autoupdate, making the job of infecting their PCs all the easier.

      * Lack of diversity in install base :- Common executable format and insane amounts of backwards and cross compatibility among different Windows flavors make writing Windows malware easy.

      * Lack of securit

    11. Re:This is sick! by jpmorgan · · Score: 1
    12. Re:This is sick! by colinrichardday · · Score: 1

      Simplistically, an operating system's job is to move the magnetic head on the hard disk and load bits from the hard disk, copy them into memory and set the CPU instruction pointer so the bits are read by the CPU as instructions and thus the executable executes till a pre-emptive interrupt is triggered after the specified time slice.

      I can't for the life of me think of anything in *ANY* operating system that would prevent that. The only way to prevent such an executable from executing would be to know beforehand if these 'bits' cause harm to your PC or are a regular executable. Again, can't think of any OS that would prevent that.

      What if a file system requires that an executable be marked as executable before it can be executed?

    13. Re:This is sick! by 0ld_d0g · · Score: 1

      What if a file system requires that an executable be marked as executable before it can be executed?

      Then you have stopped compiled binary files from executing. However, you can get around that by using a python script, which AFAIK requires no executable permission. A quick check on my macbook pro shows that it works.


      node-1:tmp nox$ cat test.py
      def main():
              print 'hello';

      main()
      node-1:tmp nox$ ls -all test.py
      -rw-r--r-- 1 nox wheel 36 Dec 23 08:16 test.py
      node-1:tmp nox$ python test.py
      hello
      node-1:tmp nox$

    14. Re:This is sick! by colinrichardday · · Score: 1

      That would require that the target have python.

    15. Re:This is sick! by 0ld_d0g · · Score: 1

      That would require that the target have python.

      I thought the fact that I used python to demonstrate it makes it obvious. The point is, executable permissions are easily bypassed. And in the case of exploiting arb. code execution vulnerabilities, this is irrelevant.

      Also, last time I checked ubuntu (the most popular distro) does install python, (or maybe perl) as part of the base install. I don't know if this is true for the majority of distros.

    16. Re:This is sick! by Anonymous Coward · · Score: 0

      It is a little amazing that you even linked to a page that uses the correct word, 'effect,' and yet you used the wrong word in your link text.

    17. Re:This is sick! by Karlt1 · · Score: 1

      Partly because the notion of distro-maintained repositories, containing tens of thousands of packages, vetted and verified by people who know way more than you or I, and subsequently checked by thousands of people who use them and examine them, is an inherently safer method than the Microsoft ecosystem method of "search the web and download unknown binary installers from god-knows-where which will do god-knows-what to your system".

      http://linux.slashdot.org/story/09/12/09/2215253/Malware-Found-Hidden-In-Screensaver-On-Gnome-Look

    18. Re:This is sick! by rantingkitten · · Score: 1

      Which proves my point. That screensaver didn't come from the repo, did it? You had to actively seek out and download it off the web, which is not something most Linux users will ever have to do. The repo-based model actually discourages doing such things, whereas the Windows model actively encourages, and even requires it.

      I hope you'll also note that was an isolated incident. One or two examples doesn't even begin to compare to the tens of thousands of Windows viruses, trojans, spyware, and other junk out there.

      The problem was also discovered and corrected quickly. Compare this to waiting for Microsoft to even acknowledge the problem, nevermind waiting for them to get off their asses and release a patch, if they ever do. There are tons of vulnerabilities that have been known about forever but Microsoft has yet to do a damn thing about them.

      Holding up rare cases like this and trying to say Linux is just as insecure as Windows is just sour grapes

      --
      mirrorshades radio -- darkwave, industrial, futurepop, ebm.
  20. Question by Mr_Silver · · Score: 2, Interesting

    I've just configured a new laptop and told the anti-virus to ignore *.jpg, *.avi and *.mp3 on my understanding that it's not possible to hide malware in them and that it will make the scan significantly quicker.

    Am I right? Or is it a good idea to remove those exclusions?

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
    1. Re:Question by takev · · Score: 2, Informative

      There have been issues with actual media files like *.png that caused a buffer overload in the image decoder and would allow execution of code embedded in the image itself.

      However, it is better to actually fix the buffer overflow instead of scanning files. I guess the only real use for virus scanners, if you and manufacturers keep your system up to date, is to not allow said file to be transported to another computer that has not been updated.

      That is what most linux and os x virus scanners mostly do, to make sure viruses are found before you send it to a vulnerable computer.

    2. Re:Question by value_added · · Score: 2, Informative

      I've just configured a new laptop and told the anti-virus to ignore *.jpg, *.avi and *.mp3 on my understanding that it's not possible to hide malware in them and that it will make the scan significantly quicker.

      If you're running an operating system where the permissions are such that everything is executable by default, do you really think that pursuing file extension related tweaks will solve your problems?

      Sorry, but I'm having trouble not laughing. Not at you personally. You'd think Microsoft would have weaned itself from its perverse reliance on file extensions years ago when people first started clamoring about .386 files. JPEG files have a .jpg or .jpeg extension, but log files have an .evt extension. Unless it's a log file. But what kind of log file is it? And which type should I scan?

      Face it, Microsoft makes things up as they go along. Trying to keep up or otherwise make sense of things is a waste of time (unless it's your job, and you're being paid to do it).

    3. Re:Question by jonbryce · · Score: 2, Informative

      My virus scanner (MS Security Essentials) picked up a few viruses in mp3 files recently. On further investigation, apparently they weren't mp3 files at all. They were labelled as mp3 files, but were in some other format that prompted Windows Media Player to download a codec from somewhere that contained the payload.

      If you listen to your mp3 files on Winamp, maybe you are OK. Or maybe you are only OK if you update to the latest version which has a security fix.

    4. Re:Question by mcgrew · · Score: 2, Informative

      You're all right with JPG, not sure about AVI, but if you use Windows Media Player don't whitelist MP3. WMA files (IIRC, it's Windows' compressed sound files that are the problem) can have DRM, and its DRM allows it to run other programs. If you rename them with an MP3 extension, most media players will choke, but Windows Media Player will happily run it, DRM virus and all. I tested this several years ago.

      I do remember a few years ago that one picture viewer (don't remember which one) had a bug that allowed a buffer overflow, and you could infect a machine with a specially crafted JPG.

      On second thought, as soon as you install any new software (no matter who from), shut the machine down, boot from a non-writable media (like CD), and scan everything.

    5. Re:Question by TrancePhreak · · Score: 2, Informative

      I prefer to scan software before installing it. You can often scan the installation containers.

      --

      -]Phreak Out[-
    6. Re:Question by dave562 · · Score: 2, Informative

      You'd think Microsoft would have weaned itself from their perverse reliance of file extensions years ago when people first started clamoring about .386 files. JPEG files have a .jpg or .jpeg extension, but log files have an .evt extension. Unless it's a log file. But what kind of log file is it?

      Don't forget .nfo files. For the longest time, I could count on .nfo files containing the oh-so-important information about who cracked and couriered my warez. Then Microsoft decided to co-opt the file extension for System Information files. The bastards!

    7. Re:Question by value_added · · Score: 1

      Don't forget .nfo files .. Microsoft decided to co-opt the file extension for System Information files. The bastards!

      LOL. I haven't gotten over that one myself. At the time, I suspected it was a deliberate choice, and a portent of Bad Things to come (WGA, as it turned out).

      IIRC, within a year of that change, I stopped using Windows altogether and left the warez scene behind me. Funny how those two go hand in hand.

    8. Re:Question by StuartHankins · · Score: 1

      JPG files can be used to hide arbitrary binary data. See the example / howto at http://www.online-tech-tips.com/computer-tips/hide-file-in-picture/ .
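      As an added example that is not part of this thread (and not Trend Micro's or Microsoft's code), here is a Python check for the two worries raised in this sub-thread about excluding *.jpg and *.mp3 from scanning: whether the content actually matches the extension (jonbryce's relabelled "mp3" files, recognised here by the WMA/ASF container signature) and whether a JPEG carries extra bytes after its End-Of-Image marker (the hide-a-file-in-a-picture trick StuartHankins links to). The sample files are constructed inside the script, and the signature tables and verdict strings are my own choices, not anything from the thread.

```python
import os

# Leading bytes each excluded extension is expected to start with.
EXPECTED_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".avi": (b"RIFF",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}
# Signatures used to name what a mismatching or appended blob actually is.
KNOWN_SIGNATURES = (
    (b"MZ", "PE executable"),
    (bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c"), "ASF/WMA container"),
    (b"\xff\xd8\xff", "JPEG"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
    (b"ID3", "MP3 (ID3 tag)"),
)

def identify(data):
    """Best-effort name for a blob based on its first bytes."""
    for sig, name in KNOWN_SIGNATURES:
        if data.startswith(sig):
            return name
    return "unknown"

def _skip_entropy_coded(data, pos):
    """Advance past entropy-coded scan data to the next real marker: FF followed
    by anything other than a stuffed 00 or a restart marker D0..D7."""
    n = len(data)
    while pos + 1 < n:
        if data[pos] == 0xFF and data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7:
            return pos
        pos += 1
    return n

def jpeg_payload_end(data):
    """Offset just past the EOI marker, found by walking the segment structure
    (a plain search for FF D9 could also hit bytes inside appended data).
    Returns None when the structure is broken or EOI is never reached."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
        elif marker == 0xD9:          # EOI
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn: no length field
            pos += 2
        elif pos + 4 > n:
            return None
        else:
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
            if marker == 0xDA:        # SOS header is followed by scan data
                pos = _skip_entropy_coded(data, pos)
    return None

def check_sample(name, data):
    """Classify one file (name plus raw bytes) against what its extension claims."""
    ext = os.path.splitext(name)[1].lower()
    result = {"name": name, "detected": identify(data), "verdict": "ok",
              "trailing_bytes": 0, "trailing_type": None}
    expected = EXPECTED_MAGIC.get(ext)
    if expected is None:
        result["verdict"] = "not an excluded extension"
    elif not data.startswith(expected):      # startswith accepts a tuple of options
        result["verdict"] = "content does not match extension"
    elif ext in (".jpg", ".jpeg"):
        end = jpeg_payload_end(data)
        if end is None:
            result["verdict"] = "malformed JPEG"
        elif end < len(data):
            result["verdict"] = "data appended after JPEG EOI"
            result["trailing_bytes"] = len(data) - end
            result["trailing_type"] = identify(data[end:])
    return result

# Constructed samples (not real files). The JPEG has a JFIF APP0 segment, an empty
# SOS header and a few scan bytes including a stuffed FF 00 and a restart marker.
TINY_JPEG = (b"\xff\xd8"
             + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\xff\xda\x00\x02"
             + b"\x01\x02\xff\x00\x03\xff\xd0\x04"
             + b"\xff\xd9")
SAMPLES = {
    "holiday.jpg": TINY_JPEG,
    "holiday_extra.jpg": TINY_JPEG + b"MZ\x90\x00" + b"\x00" * 20,
    "song.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\x00" * 8,
    "not_really.mp3": bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c") + b"\x00" * 16,
    "notes.txt": b"just text, never excluded by the extension list",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_sample(name, data))
```

      A non-zero trailing count is a reason to look closer, not proof of anything: some cameras and editors do append data after EOI, so the check is a triage filter for files an extension-based exclusion would otherwise never open.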

  21. A simple question by shreshtha · · Score: 1

    Which security company wants to have a world with absolutely no virus, botnet, worm... or would make the world such???

  22. Apple too by Anonymous Coward · · Score: 0

    Apple provides a convenient list of setuid files you can modify that users will be told to ignore any warnings about.
    http://support.apple.com/kb/TS1448

  23. Re:Won't the malware be detected once loaded into by blai · · Score: 1

    is this where you raise the question about rootkits or...?

    --
    In soviet Russia, God creates you!
  24. A computer law is needed by onyxruby · · Score: 3, Insightful

    A computer law is needed here, it is a simple best practice that someone needs to carve into stone. "Thou shalt not practice security through obscurity". Nice and simple, covers so very very much and could have saved this anti-virus vendor some public humiliation. This law applies to any operating system or application without fail.

    1. Re:A computer law is needed by Anonymous Coward · · Score: 0

      Thou shalt not practice security through obscurity

      Alrighty then. Give me all your passwords.

    2. Re:A computer law is needed by Anonymous Coward · · Score: 0

      Security is an illusion. No computer is truly secure except for the ones with no data and the ones that no one can access. Thus, Obscurity is the only form of true Security.

  25. Wait a minute! by hesaigo999ca · · Score: 1

    Any AV has a "select files to avoid" functionality, to bypass going through files that you know are ok, and save some time from the memory hog that our AVs are these days. So in fact, if we can say "forget about these" to an AV, why would this be any different?
    As long as M$ allows that list to be modified to have nothing in the list to avoid, as per each user's preference when installing, I have no problem. The problem comes when M$ decides for you, and does not allow any changes to that config.

    I am not a fan of vista or windows7, so I have no such problems, however, knowing that most people tend to go with default settings to use apps, such as AVs, I wonder if by default, the files selected by M$ are in effect the same ones always?

  26. protection from lawyer-hackers :) by Anonymous Coward · · Score: 0

    > It's hard for people to grasp "there is nothing you can do to protect yourself except become a techie". You can browse the web with Java, JavaScript, Flash, etc. etc. turned off and still have an APP that has a security hole that will infect your system.

    Yes there is something you can do, run a base system from a read-only device, like the LiveUsbPendrivePersistent.

    > what really needs to happen is better enforcement of the network and better law enforcement involvement

    Since when did laws prevent the crooks from breaking the law?

    1. Re:protection from lawyer-hackers :) by ae1294 · · Score: 1

      Yes there is something you can do, run a base system from a read-only device

      That is a good point. Using Linux to run a virtual machine of Windows and then having all of the bookmarks, documents, etc, etc pointed back to shares on that Linux system, while having the VM Windows load from a snapshot, does work well. When someone needs to install something new they just need to do a clean boot, install their app and make a new snapshot. This does work in office settings really well.

      Since when did laws prevent the crooks from breaking the law?

      It doesn't, but putting these people in jail will reduce their numbers but not get rid of the problem completely.

    2. Re:protection from lawyer-hackers :) by Mister+Whirly · · Score: 1

      That is a good point. Using Linux to run a virtual machine of Windows and then having all of the bookmarks, documents, etc, etc pointed back to shares on that Linux system, while having the VM Windows load from a snapshot, does work well. When someone needs to install something new they just need to do a clean boot, install their app and make a new snapshot.

      My 86 year old grandmother will be pleased as punch to hear this!! No more answering her stupid Windows questions anymore!!

      --
      "But this one goes to 11!"
    3. Re:protection from lawyer-hackers :) by ae1294 · · Score: 1

      My 86 year old grandmother will be pleased as punch to hear this!!

      Will she understand any of it???

    4. Re:protection from lawyer-hackers :) by Mister+Whirly · · Score: 2, Funny

      I doubt it, seeing her grasp on technology is as shaky as your grasp on sarcasm.

      --
      "But this one goes to 11!"
    5. Re:protection from lawyer-hackers :) by ae1294 · · Score: 1

      I doubt it, seeing her grasp on technology is as shaky as your grasp on sarcasm.

      No I got it, perhaps I needed to include some sort of indication of such.

      Regardless the only reason it doesn't work well at home is that lots of people want to play 3d games on their systems. Your grandmother would do well with such a setup... but you probably don't really have a grandmother....

      Anyway... yeah...

  27. Off-Limits Liberty by halfloaded · · Score: 2, Interesting

    In the Marine Corps, we called it the "off-limits liberty" list. It ended up being a shopping list for all those places you really actually want to go. I know the Marines had the best intention, but c'mon. If I am 20 years old and told, "here is a list of places where they serve underage and where one can 'find a good time'," it's a no-brainer how I am going to use that list.

    1. Re:Off-Limits Liberty by Lifyre · · Score: 1

      Heck as a 27 year old Marine it makes for some fun reading and something to browse for while at work.

      --
      I'll meet you at the intersection of "Should be" and "Reality"
  28. Ubuntu user here by Anonymous Coward · · Score: 0

    ... what's Anti-Virus?

  29. Trend whitepaper about MS file exclusion... by Anonymous Coward · · Score: 0

    yeh, maybe Trend researcher should look at their own white paper. Take a look at http://trendedge.trendmicro.com/pr/tm/te/document/OSCE_8_0_MS_File_Exclusions.pdf

    1. Re:Trend whitepaper about MS file exclusion... by MaximKat · · Score: 1

      I guess this should be the only comment here, because their OWN recommendations contain EXACTLY the same exclusions. Go figure...

  30. File extensions aren't the biggest problem by bl8n8r · · Score: 1

    The biggest problem is getting the system secured to the point where remote sites can't drop the files in the first place. Scanning executables isn't going to get you 100% infection free anyway because newer exploits change the stealth algorithm all the time. People need to move away from this idea that virus scanning is the first line of defense because it's not. All it is, is damage control.

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
  31. I hate to remind you of this, but, by reiisi · · Score: 1

    Microsoft doesn't have any real business interest in secure machines.

    Their reputation is secure among the believers no matter what they do, and their reputation is un-redeemable among those who are not Microsoft believers. They have enough money to buy the hype necessary to cover anything up, relative to the people who spend the most on Microsoft software.

    Shoot, the, "I can't be such a fool!" syndrome helps Microsoft's bottom line when people have to pay to fix Microsoft's bugs.

    No, this makes no sense. Saying that you don't need to look in place X is just telling the virus and malware writers, "X marks the spot."

    Of course, it is really difficult to design a machine to examine itself when the engineer admits there is no safe place to examine from.

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
  32. Not surprised by mahadiga · · Score: 1

    because it helps Microsoft Marketing Department. Virus, Patents, Copyrights, Trademarks etc help advertise Microsoft Brand.

    --
    I'd like to buy homeland for our 10 million people. http://twitter.com/mahadiga