Slashdot Mirror
Microsoft Policies Help Virus Writers, Says Security Firm
Barence writes "Security firm Trend Micro has accused Microsoft of giving malware writers a helping hand by advising users not to scan certain files on their PC because 'they are not at risk of infection.' Trend Micro warns that by making such information available, Microsoft is effectively creating a hit list for malware writers. 'Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,' the company's researcher, David Sancho, writes on theTrend Micro blog."
disabling any backup software will improve "performance and avoid unnecessary conflicts" as well.
Helping virus writers? Don't virus writers target the lowest-hanging fruit: the average Joe? Joe sure as hell doesn't read the Microsoft Knowledge Base, let alone knows of its very existence! Let's be realistic, here. This is coming from third-party AV companies, remember... they're fighting to stay relevant.
Ok, so buried somewhere in the middle of an online support page about some potential file type exclusions MS mentions:
*.edb
*.sdb
*.log
*.chk
Ok first, I have to assume that most computer users will never see this. I am not concerned that the next time I see my parents computers that they'll have set up file type exclusions.
Second, if you're excluding file types from scanning, those are probably good one to exclude. These are files that have contents that are constantly changing and are not generally executable.
Third, this stinks of "Hey listen to us! Then buy our antivirus."
"Following the recommendations does not pose a significant threat as of now" But it may some day? Well no shit, doesn't that go for everything?
Am I missing something? Is this a ridiculous strech just to bash Microsoft or something? How is this an important read?
The blog points out that edb.chk and *.log files should be excluded. These files are used by the ESE/ESENT database engine (used by the Active Directory, Exchange Server, Windows Desktop Search, etc.) for database recovery and contain a list of physical database updates, in binary form. Historically the problem has been that these files can contain almost any byte sequence so virus checkers would start flagging them as infected and quarantine them, breaking database recovery. This can be particularily nefarious for Exchange Server because mailing an infected file as an attachment causes the same bytes to appear in the logfiles. If a virus checker quarantines the logfile then database recovery can be broken -- a neat DOS attack.
As the logfiles aren't executable, but can contain any byte sequence there isn't any benefit to checking the files, but a lot of damage can be done by 'repairing' or quarantining them.
It used to be that you could tell people to open picture/film because they were safe. then movie viewer program (i.e. media player) started to execute html to download certificate or decoder. Now you can get a trojan that way. It used to be that getting an email you could not get a virus. Then outlook started to actively open email or even hide extension.
See the trend ? The problem is not that the content cannot be executed, it is that more and more the decoder/reader for such file is looking at active markup or script which allow virus maker to exploit fault (buffer overflow) or execute their own script. Now a days I would not put it past a crafty virus maker to exploit flaws in notepad...
If you trust a single byte on the possibly-infected disk, you're not scanning for viruses: You're asking pretty please for the virus to show itself. Most are polite enough, but why take the chance? Use a known-clean read-only media to boot from, and scan the entire drive.
Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio