Microsoft Policies Help Virus Writers, Says Security Firm

Barence writes "Security firm Trend Micro has accused Microsoft of giving malware writers a helping hand by advising users not to scan certain files on their PC because 'they are not at risk of infection.' Trend Micro warns that by making such information available, Microsoft is effectively creating a hit list for malware writers. 'Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,' the company's researcher, David Sancho, writes on theTrend Micro blog."

Do "Users" have a choice?

[Monkeedude1212]

I load up Malware Bytes or Super Anti Spyware or some other reputable Anti-Malware program, boot into safe mode, and do a scan of the whole PC.

Is it I, or anti malware developers, they are sending the message to? Because I certainly don't want to leave an inch of the computer unchecked.

Re:Do "Users" have a choice?

Safe mode isn't good enough. You want to run it in the pre-boot environment (what windows setup / chkdsk runs in).

Also, believing that some half-assed "security" software is going to protect you from everything bad is just stupid.

Re:Do "Users" have a choice?

[geekboy642]

If you trust a single byte on the possibly-infected disk, you're not scanning for viruses: You're asking pretty please for the virus to show itself. Most are polite enough, but why take the chance? Use a known-clean read-only media to boot from, and scan the entire drive.

Re:Do "Users" have a choice?

[causality]

It's hard for people to grasp "there is nothing you can do to protect yourself except become a techie" You can browse the web with Java,Java Script,Flash,etc etc turned off and still have an APP that has a security hole that will infect your system.

You need not become an expert to protect yourself; you only have to achieve competency. That's all you need to exercise best practices. To give a tired old car analogy, they don't need to be mechanics, they just need to be safe drivers. I'll use the classic Trojan horse program as an example: you don't need to understand how a trojan installs a backdoor into your system and makes it join a botnet; you only need to understand that running untrusted executables is a bad idea. I think the biggest falsehood being perpetuated here is that you are either totally ignorant or you're an elite expert. Users buy into this falsehood anytime you give them basic precautionary steps they can take and they say "but I'm not a geek!" This is despite the fact that you don't need to be a geek to follow illustrated step-by-step instructions, you only need to be literate.

I think the marketing of most commercial software is partly to blame here. "Easy to use" isn't an inherently bad thing, but it is a disservice to users when it connotes "you can use this in a totally mindless fashion with zero understanding and never have any problems."

But if you mean telling everyone to run Linux than sure that pretty much takes care of most of the problems but then you have to become their go-to person when ever they want to install something. It's all loose-loose, what really needs to happen is better enforcement of the network and better law enforcement involvement. Take all those people trying to protect the children and make them do some real work.

We already have laws against computer intrusion. The problem is twofold: catching the actual perpetrators, who go to great lengths to conceal their identities; and prosecuting them when they are in other countries/jurisdictions. Protecting the clueless is the same as protecting the children, only it's worse. It's worse because children cannot be other than children, while the clueless could decide that learning is important to them.

I think the real way to deal with this is to put real security into Windows. Removing an infection after-the-fact is not real security. It is only damage control. Windows needs a real security system that can prevent intrusions in the first place with no third-party software needed. The goal here is not perfect security. The goal is to make our systems secure enough that automated attacks are no longer successful. Then malware authors cannot just write a program one time and use it over and over again to infect millions of machines. Achieve that, and intrusions require dedicated human effort for each compromised machine and can no longer occur on massive scales with little effort. Then and only then does it make sense to think about prosecuting the computer crimes that remain.

Are you serious?

[bl4nk]

Helping virus writers? Don't virus writers target the lowest-hanging fruit: the average Joe? Joe sure as hell doesn't read the Microsoft Knowledge Base, let alone knows of its very existence! Let's be realistic, here. This is coming from third-party AV companies, remember... they're fighting to stay relevant.

It used to be...

It used to be that you could tell people to open picture/film because they were safe. then movie viewer program (i.e. media player) started to execute html to download certificate or decoder. Now you can get a trojan that way. It used to be that getting an email you could not get a virus. Then outlook started to actively open email or even hide extension.

See the trend ? The problem is not that the content cannot be executed, it is that more and more the decoder/reader for such file is looking at active markup or script which allow virus maker to exploit fault (buffer overflow) or execute their own script. Now a days I would not put it past a crafty virus maker to exploit flaws in notepad...

Re:It used to be...

[gsarnold]

Meh... I think the problem is that about fifteen-some-odd years ago, Microsoft decided against all convention that storing auto-executable code and scripts inside data files was a great idea.

A computer law is needed

[onyxruby]

A computer law is needed here, it is a simple best practice that someone needs to carve into stone. "Thou shalt not practice security through obscurity". Nice and simple, covers so very very much and could have saved this anti-virus vendor some public humiliation. This law applies to any operating system or application without fail.

Re:won't make a bit of difference

It won't make a bit of difference,as AV software don't work already. A more realistic solution being to allow a whitelist of know good software.

Yeah. We could call it... Trusted Computing. And require that all executable code be signed by Microsoft.

Re:This is sick!

[causality]

Then when Linux is attacked in the same way as Windows we will see just how secure it is? There have been viruses written for Linux, it is not inherently secure.

With the millions of Linux machines out there, you'd think at least some of those viruses would be propagating in the wild. Not a large number, mind you, because of Linux's small percentage of marketshare. But if Linux is no more secure than Windows, that number should be significantly more than zero. Yet it isn't. Your common sense should tell you that this is a flaw in your theory there.

The viruses that exist for Linux are generally proof-of-concept examples, but they aren't actually attacking and infecting Linux machines successfully. That's despite the large number of Linux servers that have both lots of system resources (CPUs, RAM, etc) and high-speed connections, which would make them very attractive targets. I bet all of this is a real mystery to you if you believe that Windows and Linux are equally secure.

Re:This is sick!

[rantingkitten]

So exactly how do you propose that an operating system prevent a user from downloading malware that can destroy the users files?

Partly because the notion of distro-maintained repositories, containing tens of thousands of packages, vetted and verified by people who know way more than you or I, and subsequently checked by thousands of people who use them and examine them, is an inherently safer method than the Microsoft ecosystem method of "search the web and download unknown binary installers from god-knows-where which will do god-knows-what to your system".

Yes, with Ubuntu you can download random, untrusted nonsense and run it. But it's essentially never necessary; there's just no reason. The Windows model, on the other hand, actively encourages such stupid behavior. Big surprise, people end up installing dumb things even without realising it.

Even when you think you know and trust the source you can get burned. When Chrome came out I installed it to see what all the fuss was about (nothing; it's a piece of garbage). Hey, it's Google, they're good guys, I know them, right? Right. So imagine my annoyance when it silently installed some "Google Updater" alongside, without asking or telling me, and was sending fuck-knows-what information to fuck-knows-who for fuck-knows-what reasons. And it wouldn't uninstall when I got rid of Chrome. I ended up having to manually remove its directory because it kept coming back. That, to me, is the very definition of spyware, and I thought I knew where I was getting this allegedly safe software.

Things like this are why Windows is vastly inferior in every aspect of security. The idea of downloading and running random, untrustable, closed binaries from random, untrustable sites is a fantastic way to get infected. It's the single largest vector of infection there is, by a ridiculous margin. The Linux model of package management eliminates this.