Microsoft Policies Help Virus Writers, Says Security Firm
Barence writes "Security firm Trend Micro has accused Microsoft of giving malware writers a helping hand by advising users not to scan certain files on their PC because 'they are not at risk of infection.' Trend Micro warns that by making such information available, Microsoft is effectively creating a hit list for malware writers. 'Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,' the company's researcher, David Sancho, writes on the Trend Micro blog."
I load up Malware Bytes or Super Anti Spyware or some other reputable Anti-Malware program, boot into safe mode, and do a scan of the whole PC.
Is it I, or anti-malware developers, they are sending the message to? Because I certainly don't want to leave an inch of the computer unchecked.
disabling any backup software will improve "performance and avoid unnecessary conflicts" as well.
Helping virus writers? Don't virus writers target the lowest-hanging fruit: the average Joe? Joe sure as hell doesn't read the Microsoft Knowledge Base, let alone knows of its very existence! Let's be realistic, here. This is coming from third-party AV companies, remember... they're fighting to stay relevant.
Ok, so buried somewhere in the middle of an online support page about some potential file type exclusions MS mentions:
*.edb
*.sdb
*.log
*.chk
Ok first, I have to assume that most computer users will never see this. I am not concerned that the next time I see my parents computers that they'll have set up file type exclusions.
Second, if you're excluding file types from scanning, those are probably good ones to exclude. These are files whose contents are constantly changing and are not generally executable.
Third, this stinks of "Hey listen to us! Then buy our antivirus."
"Following the recommendations does not pose a significant threat as of now" But it may some day? Well no shit, doesn't that go for everything?
Am I missing something? Is this a ridiculous stretch just to bash Microsoft or something? How is this an important read?
Microsoft's been helping out malware writers since at least 1982...
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
The blog points out that edb.chk and *.log files should be excluded. These files are used by the ESE/ESENT database engine (used by Active Directory, Exchange Server, Windows Desktop Search, etc.) for database recovery and contain a list of physical database updates, in binary form. Historically the problem has been that these files can contain almost any byte sequence, so virus checkers would start flagging them as infected and quarantine them, breaking database recovery. This can be particularly nefarious for Exchange Server because mailing an infected file as an attachment causes the same bytes to appear in the logfiles. If a virus checker quarantines the logfile then database recovery can be broken -- a neat DoS attack.
As the logfiles aren't executable, but can contain any byte sequence there isn't any benefit to checking the files, but a lot of damage can be done by 'repairing' or quarantining them.
It used to be that you could tell people to open a picture/film because they were safe. Then movie viewer programs (i.e. media players) started to execute HTML to download a certificate or decoder. Now you can get a trojan that way. It used to be that you could not get a virus just by receiving an email. Then Outlook started to actively open email or even hide extensions.
See the trend? The problem is not that the content cannot be executed, it is that more and more the decoder/reader for such files is looking at active markup or script, which allows virus makers to exploit faults (buffer overflows) or execute their own scripts. Nowadays I would not put it past a crafty virus maker to exploit flaws in Notepad...
It does open up some security concerns when an A/V utility is advised to "skip over" certain files. A malware writer could easily exploit this and simply mask their executable "payload" with one of the "non-scannable" file extensions to avoid detection. Malware could easily modify the registry to make one of these "non-executable" extensions open with the Windows shell, causing them to become executable even without the .EXE extension.
This would only work, however, if the resident portion of the malware was able to evade detection.
As I understand it, any file in an NTFS partition can have one or more Alternate Data Streams associated with it, regardless of its type or location. So if you tell someone not to scan something like "Edb.log", does that imply that they should not scan "Edb.log:virus.exe" either?
I have to agree with Trend Micro on this one. Completely skipping specific files in specific directories may prevent performance issues, but it may also make it easier for malware authors to find new hiding places.
I've just configured a new laptop and told the anti-virus to ignore *.jpg, *.avi and *.mp3 on my understanding that it's not possible to hide malware in them and that it will make the scan significantly quicker.
Am I right? Or is it a good idea to remove those exclusions?
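The trade-off the two comments above are arguing about (the ESE logfile false positive vs. a payload hiding behind an excluded extension, and the question of whether *.jpg/*.avi/*.mp3 are safe to skip) can be made concrete with a toy scanner. This is an added example, not code from Trend Micro, Microsoft, or any real A/V product: the "signature" is a constructed byte string, the three sample files are constructed on the spot, and the three policies (scan everything, skip by extension, decide by content) are deliberately simplified.

```python
"""Extension-based A/V exclusions versus content-aware scanning.

Added example. Constructs three files in a temporary directory:
  edb.log   - an ESE-style transaction log whose binary payload happens to
              contain the scanner's signature (as a mailed attachment's bytes
              would in an Exchange logfile)
  edb.chk   - a harmless checkpoint-style file with an excluded extension
  photo.jpg - a PE executable (DOS "MZ" stub) renamed to an "image" extension
and runs three scanning policies over them to show what each one gets wrong.
"""
import os
import tempfile

# Constructed, hypothetical signature; NOT a real malware pattern.
SIGNATURE = b"CONSTRUCTED-MALWARE-SIGNATURE"

# The extensions a naive exclusion policy skips entirely, taken from the thread
# (the Microsoft list plus the laptop owner's media exclusions).
EXCLUDED_EXTS = {".edb", ".sdb", ".log", ".chk", ".jpg", ".avi", ".mp3"}


def is_pe(data: bytes) -> bool:
    """Windows executables start with the DOS 'MZ' stub whatever they are named."""
    return data[:2] == b"MZ"


def scan_everything(path: str) -> str:
    """Policy 1: signature-match every file. Catches the renamed PE, but also
    'flags' the logfile, which a real product would quarantine and so break
    database recovery."""
    with open(path, "rb") as f:
        return "flagged" if SIGNATURE in f.read() else "clean"


def scan_extension_policy(path: str) -> str:
    """Policy 2: skip anything whose extension is on the exclusion list.
    Fixes the logfile false positive, but never looks at photo.jpg."""
    if os.path.splitext(path)[1].lower() in EXCLUDED_EXTS:
        return "skipped"
    return scan_everything(path)


def scan_content_policy(path: str) -> str:
    """Policy 3: decide by content first. Anything that looks like a PE is
    scanned regardless of its name; non-executable data files with excluded
    extensions are left alone so their arbitrary bytes cannot trip the
    signature matcher."""
    with open(path, "rb") as f:
        data = f.read()
    if is_pe(data):
        return "flagged" if SIGNATURE in data else "clean"
    if os.path.splitext(path)[1].lower() in EXCLUDED_EXTS:
        return "skipped"
    return "flagged" if SIGNATURE in data else "clean"


def build_samples(root: str) -> dict:
    """Write the three constructed sample files and return name -> path."""
    samples = {
        # Fixed preamble, then binary 'page updates' that include the signature.
        "edb.log": b"\x00" * 16 + b"LOG-RECORD" + SIGNATURE + bytes(range(256)),
        # Innocuous binary content, excluded extension.
        "edb.chk": b"\x00" * 16 + b"CHECKPOINT" + bytes(range(256)),
        # MZ header, padding, signature: an executable hiding as a picture.
        "photo.jpg": b"MZ" + b"\x90" * 62 + SIGNATURE + b"\x00" * 32,
    }
    paths = {}
    for name, data in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(data)
        paths[name] = path
    return paths


def run_demo() -> dict:
    """Run all three policies over the samples; returns name -> policy -> verdict."""
    with tempfile.TemporaryDirectory() as root:
        paths = build_samples(root)
        return {
            name: {
                "scan_all": scan_everything(p),
                "ext_excl": scan_extension_policy(p),
                "content": scan_content_policy(p),
            }
            for name, p in paths.items()
        }


if __name__ == "__main__":
    for name, verdicts in run_demo().items():
        print(f"{name:10s} {verdicts}")
```

The interesting rows are edb.log, where only the scan-everything policy "flags" a file that is pure data (the false positive the ESE comment describes), and photo.jpg, where only the content-aware policy notices that an "image" begins with an MZ header. The content check is a demonstration of the principle, not a fix: it says nothing about NTFS alternate data streams (a directory listing will not show Edb.log:virus.exe at all), about script or document payloads that carry no MZ header, or about a registry change that makes the shell execute an excluded extension, all of which are raised in the thread.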
A computer law is needed here, it is a simple best practice that someone needs to carve into stone. "Thou shalt not practice security through obscurity". Nice and simple, covers so very very much and could have saved this anti-virus vendor some public humiliation. This law applies to any operating system or application without fail.
We should ALL demand that our employers use Ubuntu
Mr Employer, can I interest you in an open-source, free, screensaver ?
In the Marine Corps, we called it the "off-limits liberty" list. It ended up being a shopping list for all those places you really actually want to go. I know the Marines had the best intention, but c'mon. If I am 20 years old and told, "here is a list of places where they serve underage and where one can 'find a good time'," it's a no-brainer how I am going to use that list.
I doubt it, seeing her grasp on technology is as shaky as your grasp on sarcasm.
"But this one goes to 11!"
Then when Linux is attacked in the same way as Windows we will see just how secure it is? There have been viruses written for Linux, it is not inherently secure.
With the millions of Linux machines out there, you'd think at least some of those viruses would be propagating in the wild. Not a large number, mind you, because of Linux's small percentage of marketshare. But if Linux is no more secure than Windows, that number should be significantly more than zero. Yet it isn't. Your common sense should tell you that this is a flaw in your theory there.
The viruses that exist for Linux are generally proof-of-concept examples, but they aren't actually attacking and infecting Linux machines successfully. That's despite the large number of Linux servers that have both lots of system resources (CPUs, RAM, etc) and high-speed connections, which would make them very attractive targets. I bet all of this is a real mystery to you if you believe that Windows and Linux are equally secure.
It is a miracle that curiosity survives formal education. - Einstein
So exactly how do you propose that an operating system prevent a user from downloading malware that can destroy the users files?
Partly because the notion of distro-maintained repositories, containing tens of thousands of packages, vetted and verified by people who know way more than you or I, and subsequently checked by thousands of people who use them and examine them, is an inherently safer method than the Microsoft ecosystem method of "search the web and download unknown binary installers from god-knows-where which will do god-knows-what to your system".
Yes, with Ubuntu you can download random, untrusted nonsense and run it. But it's essentially never necessary; there's just no reason. The Windows model, on the other hand, actively encourages such stupid behavior. Big surprise, people end up installing dumb things even without realising it.
Even when you think you know and trust the source you can get burned. When Chrome came out I installed it to see what all the fuss was about (nothing; it's a piece of garbage). Hey, it's Google, they're good guys, I know them, right? Right. So imagine my annoyance when it silently installed some "Google Updater" alongside, without asking or telling me, and was sending fuck-knows-what information to fuck-knows-who for fuck-knows-what reasons. And it wouldn't uninstall when I got rid of Chrome. I ended up having to manually remove its directory because it kept coming back. That, to me, is the very definition of spyware, and I thought I knew where I was getting this allegedly safe software.
Things like this are why Windows is vastly inferior in every aspect of security. The idea of downloading and running random, untrustable, closed binaries from random, untrustable sites is a fantastic way to get infected. It's the single largest vector of infection there is, by a ridiculous margin. The Linux model of package management eliminates this.
mirrorshades radio -- darkwave, industrial, futurepop, ebm.