Slashdot Mirror


Microsoft Policies Help Virus Writers, Says Security Firm

Barence writes "Security firm Trend Micro has accused Microsoft of giving malware writers a helping hand by advising users not to scan certain files on their PC because 'they are not at risk of infection.' Trend Micro warns that by making such information available, Microsoft is effectively creating a hit list for malware writers. 'Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,' the company's researcher, David Sancho, writes on the Trend Micro blog."

11 of 166 comments

  1. Also... by InsertWittyNameHere · · Score: 4, Funny

    disabling any backup software will improve "performance and avoid unnecessary conflicts" as well.

  2. Are you serious? by bl4nk · · Score: 4, Insightful

    Helping virus writers? Don't virus writers target the lowest-hanging fruit: the average Joe? Joe sure as hell doesn't read the Microsoft Knowledge Base, let alone knows of its very existence! Let's be realistic, here. This is coming from third-party AV companies, remember... they're fighting to stay relevant.

  3. Really? by nametaken · · Score: 4, Informative

    Ok, so buried somewhere in the middle of an online support page about some potential file type exclusions MS mentions:

    *.edb
    *.sdb
    *.log
    *.chk

    ...in certain folders.

    Ok first, I have to assume that most computer users will never see this. I am not concerned that the next time I see my parents computers that they'll have set up file type exclusions.

    Second, if you're excluding file types from scanning, those are probably good ones to exclude. These are files whose contents are constantly changing and are not generally executable.

    Third, this stinks of "Hey listen to us! Then buy our antivirus."
    "Following the recommendations does not pose a significant threat as of now" But it may some day? Well no shit, doesn't that go for everything?

    Am I missing something? Is this a ridiculous stretch just to bash Microsoft or something? How is this an important read?

    1. Re:Really? by fluffy99 · · Score: 3, Informative

      The MS article also gives specific recommendations for domain controllers and servers, which make good sense as well. The files they list include startup scripts and GPOs which get heavy use. AV can induce severe problems if it keeps locking the files. On the flip side, you should keep an eye on those files, as a compromise (not necessarily a generically detectable virus) could compromise your entire domain. Also note that you should exclude the database files on an Exchange server. Aside from the huge performance hit, you really don't want the A/V software deleting or screwing up the entire Exchange store if it sees a virus buried way down in a single email.

  4. Nothing new by Hawthorne01 · · Score: 3, Informative

    Microsoft's been helping out malware writers since at least 1982...

    --
    "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
  5. Don't virus-check database files by Anonymous Coward · · Score: 5, Informative

    The blog points out that edb.chk and *.log files should be excluded. These files are used by the ESE/ESENT database engine (used by Active Directory, Exchange Server, Windows Desktop Search, etc.) for database recovery and contain a list of physical database updates, in binary form. Historically the problem has been that these files can contain almost any byte sequence, so virus checkers would start flagging them as infected and quarantine them, breaking database recovery. This can be particularly nefarious for Exchange Server because mailing an infected file as an attachment causes the same bytes to appear in the logfiles. If a virus checker quarantines the logfile then database recovery can be broken -- a neat DoS attack.

    As the logfiles aren't executable, but can contain any byte sequence there isn't any benefit to checking the files, but a lot of damage can be done by 'repairing' or quarantining them.
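
The two comments above hinge on one detail that is easy to lose: the Microsoft page lists these extensions "in certain folders", not everywhere. An extension-only exclusion is the standing hit list the Trend Micro post worries about (anything dropped with that name is never scanned), while a folder-scoped one covers only the database engine's own working directory. The following is an added example, not code from the thread, Microsoft or Trend Micro: a small scoped-exclusion matcher plus an audit pass that flags rules with no folder scope or with a scope under a user-writable location. The folder paths and rules are constructed for illustration.

```python
"""Scoped AV exclusion checker (added example; not from the thread or any vendor).

Models the difference between excluding a file type everywhere and excluding it
only under specific folders, and audits a rule set for the two mistakes a
reviewer would push back on. All paths below are hypothetical sample data.
"""
import fnmatch
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Exclusion:
    pattern: str                    # glob on the file name, e.g. "*.log"
    folder: Optional[str] = None    # None means the rule applies anywhere on disk


def _norm(path: str) -> PureWindowsPath:
    """Normalise a Windows path to lower case so comparisons are case-insensitive."""
    return PureWindowsPath(str(PureWindowsPath(path)).lower())


def is_excluded(path: str, rules: List[Exclusion]) -> bool:
    """True if the file would be skipped by the scanner under these rules.

    A folder-scoped rule matches files in that folder and in its subfolders;
    an unscoped rule matches the file name wherever it appears.
    """
    p = _norm(path)
    for rule in rules:
        if not fnmatch.fnmatchcase(p.name, rule.pattern.lower()):
            continue
        if rule.folder is None:
            return True
        if _norm(rule.folder) in p.parents:
            return True
    return False


# Heuristic list of locations an ordinary user (or malware running as one)
# can write to; a scoped exclusion under one of these is a free drop zone.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\temp\\")


def audit(rules: List[Exclusion]) -> List[Tuple[Exclusion, str]]:
    """Return (rule, reason) for every rule that widens the attack surface."""
    findings = []
    for rule in rules:
        if rule.folder is None:
            findings.append((rule, "no folder scope: matches the pattern anywhere on disk"))
            continue
        folder = str(_norm(rule.folder)) + "\\"
        if folder.startswith(USER_WRITABLE_PREFIXES):
            findings.append((rule, "excluded folder is user-writable"))
    return findings


# Constructed sample rule sets. The scoped set mirrors the shape of the
# Microsoft advice (database files, only in the database engine's folder);
# the global set is the extension-only reading the Trend Micro post objects to.
SCOPED_RULES = [
    Exclusion("*.edb", r"C:\Windows\NTDS"),
    Exclusion("*.log", r"C:\Windows\NTDS"),
    Exclusion("*.chk", r"C:\Windows\NTDS"),
    Exclusion("*.log", r"C:\Program Files\Microsoft\Exchange Server\Mailbox"),
]
GLOBAL_RULES = [Exclusion("*.log"), Exclusion("*.edb")]
RISKY_RULES = [Exclusion("*.log", r"C:\Users\Public\Documents")]


if __name__ == "__main__":
    for name, rules in (("scoped", SCOPED_RULES), ("global", GLOBAL_RULES), ("risky", RISKY_RULES)):
        print(f"[{name}] NTDS edb.log excluded:   ", is_excluded(r"C:\Windows\NTDS\edb.log", rules))
        print(f"[{name}] Downloads\\x.log excluded:", is_excluded(r"C:\Users\joe\Downloads\x.log", rules))
        for rule, reason in audit(rules):
            print(f"[{name}]   finding: {rule.pattern} @ {rule.folder}: {reason}")
```

Run it as-is to see the three rule sets side by side: the scoped set skips the ESE files only under the database folder and produces no findings, the global set skips any `.log` anywhere and is flagged, and the risky set is flagged because its folder is user-writable. The folder list in `USER_WRITABLE_PREFIXES` is a starting point, not a complete model of Windows ACLs.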

  6. It used to be... by Anonymous Coward · · Score: 5, Insightful

    It used to be that you could tell people to open pictures/films because they were safe. Then movie viewer programs (i.e. media players) started to execute HTML to download certificates or decoders. Now you can get a trojan that way. It used to be that you could not get a virus just by receiving an email. Then Outlook started to actively open email or even hide extensions.

    See the trend? The problem is not that the content cannot be executed, it is that more and more the decoder/reader for such files is looking at active markup or script, which allows virus makers to exploit faults (buffer overflows) or execute their own script. Nowadays I would not put it past a crafty virus maker to exploit flaws in Notepad...

    1. Re:It used to be... by QuantumRiff · · Score: 3, Informative

      Keep telling your users that. Tell them that QuickTime is just fine (along with Acrobat Reader, while they're at it)... And no 3rd party media players have ever had buffer overflow problems...

      Then there was the whole image thing... http://www.microsoft.com/technet/security/bulletin/ms06-039.mspx makes it sound a little more serious than just mucking with the file name.

      --

      What are we going to do tonight Brain?
  7. Re:Do "Users" have a choice? by geekboy642 · · Score: 4, Insightful

    If you trust a single byte on the possibly-infected disk, you're not scanning for viruses: You're asking pretty please for the virus to show itself. Most are polite enough, but why take the chance? Use a known-clean read-only media to boot from, and scan the entire drive.

    --
    Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
  8. A computer law is needed by onyxruby · · Score: 3, Insightful

    A computer law is needed here, it is a simple best practice that someone needs to carve into stone. "Thou shalt not practice security through obscurity". Nice and simple, covers so very very much and could have saved this anti-virus vendor some public humiliation. This law applies to any operating system or application without fail.

  9. Re:Do "Users" have a choice? by ae1294 · · Score: 3, Informative

    Safe Mode does fine enough for most people. I've been cleaning out viruses

    Viruses perhaps but malware keeps loaders running hidden in the background. All those things you remove reinstall themselves. I do system clean up work and I see it all the time plus often the malware won't even let you run programs like HijackThis, SuperAntiSpyware, or MalwareBytes.

    And of course, no "security" software is ever going to protect you from everything. No one wants pre-emptive protection because it hinders their experience. If you know what you're doing, you won't fall for

    This isn't really true. Things like IE, Flash, Shockwave and Acrobat have zero day exploits that will infect your computer if you stumble on the right email or site. I'd say 85% of infections are from user ignorance but the rest is luck and who you have contact with. (Outlook address books, etc)

    As for viruses, trojans, spyware, and the likes - I tried to educate people once.

    It's hard for people to grasp "there is nothing you can do to protect yourself except become a techie". You can browse the web with Java, JavaScript, Flash, etc. turned off and still have an app that has a security hole that will infect your system.

    But if you mean telling everyone to run Linux, then sure, that pretty much takes care of most of the problems, but then you have to become their go-to person whenever they want to install something. It's all lose-lose; what really needs to happen is better enforcement of the network and better law enforcement involvement. Take all those people trying to protect the children and make them do some real work.