Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Policies Help Virus Writers, Says Security Firm

Posted by timothy on from the this-door-to-remain-unlocked-at-all-times dept.

Barence writes "Security firm Trend Micro has accused Microsoft of giving malware writers a helping hand by advising users not to scan certain files on their PC because 'they are not at risk of infection.' Trend Micro warns that by making such information available, Microsoft is effectively creating a hit list for malware writers. 'Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,' the company's researcher, David Sancho, writes on theTrend Micro blog."

2 of 166 comments (clear)

  1. Really? by nametaken · · Score: 4, Informative

    Ok, so buried somewhere in the middle of an online support page about some potential file type exclusions MS mentions:

    *.edb
    *.sdb
    *.log
    *.chk

    ...in certain folders.

    Ok first, I have to assume that most computer users will never see this. I am not concerned that the next time I see my parents computers that they'll have set up file type exclusions.

    Second, if you're excluding file types from scanning, those are probably good one to exclude. These are files that have contents that are constantly changing and are not generally executable.

    Third, this stinks of "Hey listen to us! Then buy our antivirus."
    "Following the recommendations does not pose a significant threat as of now" But it may some day? Well no shit, doesn't that go for everything?

    Am I missing something? Is this a ridiculous strech just to bash Microsoft or something? How is this an important read?

  2. Don't virus-check database files by Anonymous Coward · · Score: 5, Informative

    The blog points out that edb.chk and *.log files should be excluded. These files are used by the ESE/ESENT database engine (used by the Active Directory, Exchange Server, Windows Desktop Search, etc.) for database recovery and contain a list of physical database updates, in binary form. Historically the problem has been that these files can contain almost any byte sequence so virus checkers would start flagging them as infected and quarantine them, breaking database recovery. This can be particularily nefarious for Exchange Server because mailing an infected file as an attachment causes the same bytes to appear in the logfiles. If a virus checker quarantines the logfile then database recovery can be broken -- a neat DOS attack.

    As the logfiles aren't executable, but can contain any byte sequence there isn't any benefit to checking the files, but a lot of damage can be done by 'repairing' or quarantining them.