Slashdot Mirror
Microsoft Remotely Deleted Tor From Windows Machines To Stop Botnet
An anonymous reader writes "Microsoft remotely deleted old versions of Tor anonymizing software from Windows machines to prevent them from being exploited by Sefnit, a botnet that spread through the Tor network. It's unclear how many machines were affected, but the total number of computers on the Tor network ballooned from 1 million to 5.5 million as Sefnit spread. 'By October, the Tor network had dropped two million users thanks to Sefnit clients that had been axed. No one, not even the Tor developers themselves, knew how Microsoft had gone on a silent offensive against such a big opponent and won a decisive battle,' the Daily Dot reported. In a blog post, Microsoft claimed it views Tor as a 'good application,' but leaving it installed presented a severe threat to the infected machines."
Who knew?
No one, not even the Tor developers themselves, knew how Microsoft had gone on a silent offensive against such a big opponent and won a decisive battle
It seems pretty obvious - the people who's machine had Tor removed didn't know it was installed and weren't using it to begin with. When MS removed it, they didn't notice or complain.
There is always the possibility it could have been executed through the security patch subsystem. It has the capacity to execute scripts/executables.
there's no "killswitch" it just got added to the definitions for removal. nothing to see here.
Malicious software removal tool.
Stamp out the virus, install Linux!
Every month's update includes an updated "malicious software" remover. Normal people who have their machines auto-update would get it automatically, and *if* the corrupted Tor wasn't hiding its existence in some way, it could be found and removed. That would be a legitimate use of the trust customers put in MS (as with other antivirus providers). If it turns out there's a backdoor, the way Amazon removed books from peoples' Kindles, then the entire Windows infrastructure would be unsafe.
This year!
Well we do know if we bother to RTFA.
This is no different from anti-virus, because it WAS the Microsoft anti-virus tool that did it. A specific version of TOR in a specific hidden directory being part of the virus payload.
Talk of not owning your own computer is nonsense. You are free to not run AV software if you prefer. It would be a dumb move, but you are free to do it.
It's 1996, the year of the linux desktop!
The software is leased, is it not?
It's more akin to renting a car and driving it around while the owner also has keys to it.
Windows Update has doubled as Windows Remote Administration for years.
Microsoft using their security software (Microsoft Security Essentials and Malicious Software Removal Tool) to tackle a real security hazard, while leaving legitimate Tor users unaffected? The horror!
Upcoming:
MS deletes Firefox, saying it was used to infect millions of computers.
I would make the obvious joke about how everyone uses Chrome nowadays, but given how behind the times Microsoft usually is, I'm now wondering why you didn't take the angle of them deleting Netscape Navigator.
now thats some gross spelling their
A classic Example of someone trying to point the finger when there is nothing to point at. You removed my botnet nad now i'm mad. STFU. Save your complaining for legitimate problems.
Windows Update - malicious software removal tool. When you install Windows, or other Microsoft software, you agree to the End User License Agreement (EULA). There is nothing unusual about this. If the EULA is not agreeable, another OS should be installed.
Try reading the article genius.
Removes malicious software, that just happens to use Tor.
Come on /., you can do better than this.
Upcoming:
MS deletes Firefox, saying it was used to infect millions of computers.
Microsoft only deleted the install used as part of Sefnit. They didn't disable legitimate installs, and they're not out to squash your freedom. From the blog:
http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx
The Tor client service left behind on a previously-infected machine may seem harmless at first glance - Tor is a good application used to anonymize traffic and usually poses no threat. Unfortunately, the version installed by Sefnit is v0.2.3.25 – and does not self-update. The latest Tor release build at the time of writing is v0.2.4.20.
By using an unconventional method to exploit Windows, the hackers unwittingly forced Microsoft to show a hand few knew it had: The ability to remotely remove progams en masse from peopleâ(TM)s computers, without them even knowing it.
Maybe the next virus needs to remove Windows from all of those machines.
hmm how hard would it be to write virus capable using windows update to install linux bsd etc on all of those unpatched xp machines
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
Well we do know if we bother to RTFA.
Indeed
Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup. We retroactively remediated machines that had previously been cleaned of Sefnit but still had a Sefnit-added Tor service:
October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.
November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.
Or only those on infected machines? And was this removal targeted only at the botnet-installed Tor client (TFA seems to imply this).
If this was the case, then good for them (Microsoft). Although they could have been a bit more open about their removal with the Tor developers, so as to reassure them that they were not attacking Tor. And to get feedback on anything that could cause a false positive and removal.
Have gnu, will travel.
While the intention was definitely good, I personally would not want to use a machine that the could be remotely accessed in such a mannter.
Well you're in luck!
Using the Malicious Software Removal Tool is entirely voluntary.
If you install their software then you are trusting them to have control over your machine. Your hardware is doing exactly what microsoft has programmed it to do. And every time you install updates, you are allowing them to install a new set of program code on your machine.
If you don't like it, run something else.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Dude, you may want to step away from the keyboard and take a deep breath. This is not some uninvited guest helping themselves to your snacks. You allow them in via EULA. Perhaps taking a moment to breath will prevent a knee-jerk reaction.
Exactly how does Microsoft gain access and remove software? Well I guess that means Microsoft has complete control of other people PCs. What kind of F@#$%^ up nightmare is this?
Well if we read the article
Since the Sefnit-caused Tor eruption in August, we have worked to curb this risk. In this process, we consulted with Tor project developers to help plan the cleanup. We retroactively remediated machines that had previously been cleaned of Sefnit but still had a Sefnit-added Tor service:
October 27, 2013: We modified our signatures to remove the Sefnit-added Tor client service. Signature and remediation are included in all Microsoft security software, including Microsoft Security Essentials, Windows Defender on Windows 8, Microsoft Safety Scanner, Microsoft System Center Endpoint Protection, and Windows Defender Offline.
November 12, 2013: Signature and remediation is included in Malicious Software Removal Tool and delivered through Windows Update/Microsoft Update.
Microsoft Security Essentials is a popular antivirus program that people tout as being a good free option to Symantec or McAfee. In this case it seems it did a good job of squashing a botnet. Malicious Software Removal Tool is an update that comes monthly, with Windows updates, that can be disabled or deselected if you wish. The idea is that "This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month. " So even if you don't use MSE or any other AV software, if you do updates, you will get the worst of the worst. Such as this millions infected with Sefnit.
No hidden remote kill switch. No evil. The security tools did what they advertized to remove a threat, while leaving legitimate Tor users untouched.
Isn't it illegal to secretly infiltrate a computer system and remove legal software from it?
Do a simple and clean install, saving personal docs and with the right payload (like WhicheverOfficeFork, video player, music player, etc). Do it with one of the XP/IE lookalike themes... the "victim" would only wonder why their PC suddenly started performing well.
no harm, no foul?
If we look BEYOND the misleading headline, we will understand that when a TROJAN illegally and secretly installs software n a user's machine, it does so in a way that will leave a clear signature. So, a trojan that installs Tor, for instance, will do so in a way that minimises visibility of the app to users. Microsoft can and SHOULD (if a user is willingly using a Microsoft anti-trojan tool) attempt to identify apps that have been illegitimately installed, even if the app itself can ordinarily be a legitimate user install, and remove that app.
If the user did NOT consent for app X to be placed on their machine, there can be no controversy if a user activated Microsoft security product removes X without explicit user permission.
Now if Microsoft DARED to remove copies of Tor that a user had explicitly installed, the situation would be a very, very different one. So why are the owners of Slashdot trying to imply something that isn't true? And don't give me crap that it is the fault of the authors of the original article. When Slashdot promotes a story, the content of that story (and the misleading Slashdot summary) are Slashdot's responsibility.
you would realize how silly you look here.
You: "hi. come on in! Welcome to my home. Have a seat, make yourself comfortable...... WHAT THE FUCK? HOW DID YOU GET IN MY HOUSE??"
The ability to remotely remove progams en masse from people's computers, without them even knowing it.
What the smeg do you think anti-malware software DOES day in and day out? Removing a program without impacting the user is exactly what these programs are supposed to do.
While the intention was definitely good, I personally would not want to use a machine that the could be remotely accessed in such a mannter.
True, something like anti-virus software self-updating and removing a threat would be acceptable to most users. But this is more akin buying a car and discovering the manufacturer has a master key and a representative can come over and drive it around whenever he/she wants, and it's fully legal and you can't do anything about it.
In the end, for better or for worse, I think it's important that we actually own the devices we buy and pay for. Cases like this, and similar ones with Kindles and mobile devices remotely being accessed and modified or used to spy on us, are strong evidence that we do not. (I know that this particular case is not a big deal in of itself, but the fact that Microsoft can do what it did is not good news.)
How do you think Anti-virus software works if it doesn't have a "master key" to your computer that lets it uninstall any application it thinks is malicious?
Whoops, never mind. I thought it was Windows doing the job itself.
How is this different form apt-get upgrade or dist-upgrade?
Oh... good point. Guess I really should RTFA next time.
I don't want ANYBODY going into my computer. That's no different than breaking into my house, and stealing.
FUCK MICROSOFT
Microsoft Updates and anti-virus protection are completely optional. If you don't want anyone changing files on your computer, you ought to turn off WIndows Updates immediately, and don't run any anti-virus software.
It's a little more like hiring someone to fix your leaky windows, then accusing them of stealing after they replaced the moldy wood framing around the window when they put in the new one because you really loved that wood frame even if it was moldy and you want it returned.
I came here to say just this. TFA is a neat story in a general sense, but in the sense of "Microsoft controlling your computer", there's exactly nothing there we didn't know already. It can only be a surprise to people who don't know or are in denial about what it means to update their operating system. Every second Tuesday, Microsoft adds stuff to your windows computers, which is way scarier than removing stuff, if one thinks about it for just a second.
Well, it's just that MSRT runs and executes a find and destroy script. In this case, it looked for a special version of Tor that the malware installed in a special location and configured in a special way. That way it would not destroy legitimate Tor installations.
And you have the option of not running it, if you really wanted to - you still own the machine.
It's the same as if you set your Linux box to self-update - are the updates it downloads able to remove other software? Yes. In fact, it's expected during updates that new versions remove old versions. And sometimes they also remove other software that are no longer prerequisites.
Sure you have the option to not do it, just like you have the option to not run the update.
It's really no different on any OS - updates automatically apply and they can remove stuff at will too.
Probably the most interesting thing is that Apple, of all companies, has not actually shown the need to remove apps remotely. We know they have the capability to disable apps (only the ones using CoreLocation, though), and they have removed apps from the store. But they have not removed apps from people's iTunes libraries, nor removed the ability of deleted apps to run, period. As long as you have a copy somewhere, it can be installed on other devices using iTunes long after it's been removed.
Heck, even when Disney forced the removal of its movies from Amazon and iTunes, they still play if you have a copy on your hard drive! Which can be copied to other devices or streamed to your AppleTV just fine. It only screwed you if you didn't already have a downloaded copy.
Funny how the most "walled" of walled gardens hasn't yet needed to flex its abilities. Even Steam has removed games from people's libraries (granted, the game didn't work anymore, but still - people paid for the game, and Valve deleted it!)
This incident was discussed in the 30c3 talk on Tor. Roger Dingledine stated that Microsoft removed the botnet, but left Tor installed. Therefore the headline that Microsoft deleted Tor is not correct. You can watch the video here: http://www.youtube.com/watch?v=CJNxbpbHA-I
Well, there's a program called "Malicious Software Removal Tool". What do you think it does?
The Tao of math: The numbers you can count are not the real numbers.
If you don't want anybody in your computer, then simply don't invite him there. It's not as if the Malicious Software Removal Tool installed itself on the computer.
The Tao of math: The numbers you can count are not the real numbers.
the train of thought will effect us all
And yum, apt, etc, isn't?
Of course the only difference between malware and legitimate software or other content is the intent, which the tool obviously cannot detect. Therefore any tool that can be used to remove malicious software can also be used to remove legal software or other content.
The Tao of math: The numbers you can count are not the real numbers.
so Microsoft removes a virus with there removal tool and somehow they did a bad thing. and removed the infected version of tor not the new ones.
Microsoft remotely deleted a characteristic version of Tor and other maliciously installed software which a botnet had installed from Windows machines to stop said botnet, just as it does for all kinds of malicious software via its (get this) Malicious Software Removal tool (which regularly appears in Windows Update) and/or Microsoft Security Essentials, which you, the user, gave it permission to do.
...but it didn't fit*.
*in length or in terms of agenda.
systemd is Roko's Basilisk.
Ok Attorneys: Could this qualify for a class action suit to shut them down forever and burn them to the ground?
---- Booth was a patriot ----
No one spoke out since it didn't effect them...
---- Booth was a patriot ----
the only problem is that MS wont give you some updates if you refuse to run the malicious software removal tool. This includes things like Security Eseentials along with Important updates to the OS that solve other problems, meaning they're shooting themselves in the foot trying to prevent a botnet from expanding by denying updates that may block it to begin with. Damned if you do. Damned if you don't
Mod me up/Mod me down: I wont frown as I've no crown
Security Essentials removes this TOR payload anyway.
I dunno, how hard is it to compromise the official debian repository? And whats the budget disparity between the folks running Windows Update servers and the Debian repos?
Im thinking "hard".
Perhaps you should try something original... like reading the actual article.
Wow, a 4-digit UID and you cant be bothered to RTFA or any of the dozen other comments explaining why your comment is false.
The really sad thing is your UID indicates youve been into technology for at least a decade-- but it apparently doesnt stop you from making comments on stuff that you have absolutely no clue about.
Heres a hint: It was through MSRT / Security Essentials.
If we could just implement a script on slashdot to mute or auto-downmod users who post comments which clearly indicate both ignorance and not having read the article, maybe we could clean the site up.
power to uninstall is also the power to install
This is no different from anti-virus, because it WAS the Microsoft anti-virus tool that did it. A specific version of TOR in a specific hidden directory being part of the virus payload.
Talk of not owning your own computer is nonsense. You are free to not run AV software if you prefer. It would be a dumb move, but you are free to do it.
You know, I haven't seen a virus scanner log on any of my computers come up with any positive results since early 2000s, so maybe things have changed. However, the way it was done back then, and the way I assumed it was still done today, is that the anti-virus would flag the potentially malicious files, and then tell you in big red letters, "We detected virus blah. What would you like to do? Ignore / Delete / Quarantine"
In this mode of operation, nothing is being done without explicit user authorization. I actually don't even see anything wrong with having an option for automatically deleting anything that it detects as malicious as long as it's not the default option, which would therefore still be considered an user-authorized action. However, to have any anti-virus software delete files or uninstall software without any consent other than the decision to run anti-virus software is most certainly unacceptable. Even if you disagree with me from an ethical perspective, even looking at it from a practical viewpoint it's a bad idea. After all, there are such things as false positives in virus-scans.
Warning: Opinions known to be heavily biased.
Jacob Appelbaum and Roger Dingledine talked about this at the 30c3 conference last December. Here's a link to the video: https://www.youtube.com/watch?v=CJNxbpbHA-I They talk about this around the 39:55 mark. Basically they weren't thrilled about microsoft doing such a thing, but on the other hand if the attack had been malicious it would have taken down the entire TOR network.
They did it the right way. Good job.
Well, I don't really detect sarcasm, and same for troll detection, yet I have a hard time accepting these as real questions, but what the hell....
According to TFA, the botnet was mining bitcoins for the two botnet 'herders'.
'Doing anything bad?'
1.) Taking control away from the PC's owner and covertly installing malware
2.) Using significant amounts of energy at the owners expense without agreement
3.) Tor network users jumped from approx. 1 million users, to over 5 million users when this botnet went online. I imagine that would have the opposite effect of 'making Tor faster for everyone'
4.) In some cases, clogging and disrupting users networks
In other words, not doing anything good, and a whole lot of bad.
This is one time that Microsoft was acting responsibly, and did the right thing, IMHO.
The Microsoft anti-malware tools worked as designed, although a bit more proactive than the normal reactive incident.
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
Upcoming: MS deletes Firefox, saying it was used to infect millions of computers.
I'm moderating, but I didn't moderate your post. Whether you realise it or not, MS have done similar things in the past, just not with the software in discussion.
Sorry about your "troll" rating, it's wrong, but I don't think it's important enough to use any of my moderator points correcting it.
~ Demonoid Penguin
Maybe it's punctuation:
White hats go to jail unless....your worth: billions of dollars.
"City hall" in German is "Rathaus" Kinda explains a few things......
I heard the sky was falling... you should probably just kill yourself!
Back in the '90s it would send a warning for every blocked/removed item. But these days, the constant barrage from the average user's machine and browsing habits would have them turning it off. So it's more a wake up call that all AV (yes, sadly, all malware is now a "virus") removes things silently, unless manually configured otherwise. That's only news to people that don't know IT.
Learn to love Alaska
The first cleaning took out the main virus, but missed the C&C hidden in a legitimate program. The second clean removed the virus's C&C, affecting no uninfected computers. How is that news?
Learn to love Alaska
Users would click "ignore" and the virus would not be removed. So the industry moved to default installs that silently remove them. You can re-enable the chattty mode in most programs, but they turn chatty off because users clicked the "wrong" button.
Learn to love Alaska
I did, also read this politician calling for banning open source and anonymizing software. The precedent is set, just wait a few months.
The real question should be, how can Symantec/McAfee gain access and remove software? After all, this "virus" was moved by more than just MS. Maybe someday, you should learn how AV works.
Learn to love Alaska
You don't need to be an auto mechanic to drive, and you shouldn't have to be a codemonkey to operate a computer.
Users should be entitled to take whatever the vendor says at face value without being screwed.
Very true. If Microsoft decided that, say, *any* copy of Tor was malicious, or anything listed on Sourceforge . . . . Or any .iso with a name that matches a movie . .
Well I guess that means Microsoft has complete control of other people PCs.
You mean, like they write software that oh... operates the system or something?
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
Well, it's just that MSRT runs and executes a find and destroy script. In this case, it looked for a special version of Tor that the malware installed in a special location and configured in a special way. That way it would not destroy legitimate Tor installations.
And you have the option of not running it, if you really wanted to - you still own the machine.
It's the same as if you set your Linux box to self-update - are the updates it downloads able to remove other software? Yes. In fact, it's expected during updates that new versions remove old versions. And sometimes they also remove other software that are no longer prerequisites.
Sure you have the option to not do it, just like you have the option to not run the update.
It's really no different on any OS - updates automatically apply and they can remove stuff at will too.
Probably the most interesting thing is that Apple, of all companies, has not actually shown the need to remove apps remotely. We know they have the capability to disable apps (only the ones using CoreLocation, though), and they have removed apps from the store. But they have not removed apps from people's iTunes libraries, nor removed the ability of deleted apps to run, period. As long as you have a copy somewhere, it can be installed on other devices using iTunes long after it's been removed.
Heck, even when Disney forced the removal of its movies from Amazon and iTunes, they still play if you have a copy on your hard drive! Which can be copied to other devices or streamed to your AppleTV just fine. It only screwed you if you didn't already have a downloaded copy.
Funny how the most "walled" of walled gardens hasn't yet needed to flex its abilities. Even Steam has removed games from people's libraries (granted, the game didn't work anymore, but still - people paid for the game, and Valve deleted it!)
Apple has stopped apps from working, which is the same from removing apps. Look at Siri on iphones from the 4 on down. It is apples to apples, and there are many others they have stopped.
The Revolution Will Not Be Televised
Except the fuckers crashed my machine when they pushed out the update.
Citation needed, since I recall no such major outcry. Your machine is probably one of the ones with 25 browser toolbars, or ten download accelerators, or fifty outdated browser plugins, or a couple of undetected rookits etc., which is usually the reason behind a security patch "crashing your machine".
And if Windows closed the app with unsaved work, you'd be here whinging that Microsoft destroyed your work. And if you really gave a crap, you'd go in and change the Windows Update setting from "Automatically install" to "Ask me first".
Microsoft has done some seriously stupid stuff. And some bad stuff. But if you want to abuse them, at least abuse them for the stupid stuff not the sane stuff.
WTF kind of story is this?
BREAKING NEWS: AV software removes threat!
If this story were about ClamWIN it would all be w00t open source FTW!
But apparently a free MS product did its job - boo, hiss, etc
Show me a machine that has Firefox installed by malware without the user's consent, and I'll show you a machine that should have Firefox removed.
Now there are only nine hundred ninety nine millions, nine hundred ninety nine thousand and nine hundred ninety nine failures to fix on windows.
If you install their software then you are trusting them to have control over your machine. Your hardware is doing exactly what microsoft has programmed it to do. And every time you install updates, you are allowing them to install a new set of program code on your machine.
If you don't like it, run something else.
No, this is not about "trust". Trust comes into play when you suspect abuse. However, the Microsoft EULA explicitly reserves the right to Microsoft to control all software installations remotely, enable and disable any components written either by themselves or by others as they see fit, and, if it so happens, brick your machine without recompensation.
When you run a current version of Microsoft Windows, you explicitly "I agree" that the computer, for all purposes, remains the property of Microsoft to dispose of as they see fit.
The consumer has repeatedly spoken about the Microsoft EULAs increasingly spiraling out of control for every new version, and his verdict has been "Baaah! Baaaah! Baaah!".
So that's what he's getting.
Bah.
Well, there's a program called "Malicious Software Removal Tool". What do you think it does?
According to its title, I would expect it to maliciously remove software.
Try TAILS Linux.
Should have focused on POS machines at Target. This headline is just a ruse to let the MS huggers hide the biggest malware heist in history. Unpatched windows running on cash registers?
I used to run an active, unlimited TOR exit node on my office PC during non-work hours, that is until for some unknown reason our office had our Skype account blocked - I called Skype, my network provider, everyone trying to figure why we couldn't access Skype at all from any of the computers on our office network (we have a fixed IP which could have added to the problem). I read some threads on the Skype forums that this has happened to several people - apparently once Microsoft integrated Skype over the last year, anyone running an Exit Node was blacklisted. Note that we got any kind of notification, just a banned IP, they would not even confirm we were banned. I shut down my Exit Node and about 2 weeks later Skype returned. Not exactly what I call a positive treatment for a so called "good application."
Microsoft antivirus program removes a virus. Slashdot collectively goes retarded. News at 11.
Microsoft has been silently removing malware from users' computers for years now. What do you think the Windows Malicious Software Removal Tool does? The only new thing here is that this particular piece of malware contained an otherwise-legitimate open-source component, which Microsoft decided to remove as well. I believe there's nothing wrong with that decision since it's been used as part of the malware and for malicious purposes. In this case the decision is even more justified since having Tor installed, even without the original malware, can have consequences to the user, such as a substantial drop in available bandwidth. Even then, Microsoft made sure that they only remove instances of Tor installed by the malware and not copies that users knowingly installed so I really see no problem here. When Microsoft decides to remove Firefox or VLC or any other open-source stuff just because it competes with their products, please inform me and I'll ditch Windows altogether. Until then, I'll keep the Windows MRT installed and updated.
We use that application for official business, and Microsoft arrogently thinks it's okay for them to control what is install on OUR system? that WE paid for?
Somebody is likely going to make a military response against them, and it will be M$ fault.
Someone on Slashdot doesn't know what the hell they are talking about! what a surprise! :P
No offense..but..if you are using Microsoft wares for security checks then you are either gullible or just plain ol' stupid.
You know, I haven't seen a virus scanner log on any of my computers come up with any positive results since early 2000s, so maybe things have changed. However, the way it was done back then, and the way I assumed it was still done today, is that the anti-virus would flag the potentially malicious files, and then tell you in big red letters, "We detected virus blah. What would you like to do? Ignore / Delete / Quarantine"
I don't know the way Microsoft Security Essentials does it, as I moved to the Mac a long time ago. But having the dialog you mention as a default would be a big mistake. 99.9% of users wouldn't know what to do, and it would be a pure fluke if they selected the most appropriate action.
Developers shouldn't delegate the hard decisions to users. They should work out the right thing to do, and do it. In cases where there is no doubt that this is a malware that might be to delete immediately. In cases where false positives are possible, that might mean quarantining, and deleting at some time in the future.
From the sounds of it, this sounds like a delete immediately case. It happens on machines that are known to have the malware, and the TOR client is an old version installed in a specific hidden directory. There is no chance of a false positive.
Of course it's probably a good idea for virus checkers to have a mode with a dialog such as you describe, for use by virus researchers etc. But it should be a well hidden option, not the default.
But having the dialog you mention as a default would be a big mistake. 99.9% of users wouldn't know what to do, and it would be a pure fluke if they selected the most appropriate action.
Well, I gave you the wrong idea about the dialog, if you think that's true. They certainly made the option to "ignore" seem like the worst of all choices, a scary and dangerous decision. If you ever clicked it, it would further nag you about how that was likely to be incredibly unwise and ask you to confirm that option. Then, on every subsequent scan, it would keep flagging that file anyway, and you'd have to ignore it every time.
Personally, I never treated anti-virus software as software to *clean* viruses. I use them for their virus scanner feature, and if they ever come up positive, it's time to reformat the box and start from scratch, hoping your BIOS is clean. The way I see it, if your system has been compromised, your anti-virus could be compromised. I think clicking, "delete" and getting that nice message on how your system is now clean at the end gives the user a dangerous feeling of false comfort. They're really not that much safer than if they had clicked ignore, they're fairly likely to be just as screwed.
From the sounds of it, this sounds like a delete immediately case. It happens on machines that are known to have the malware, and the TOR client is an old version installed in a specific hidden directory. There is no chance of a false positive.
Yeah, I'm not all up in arms against Microsoft for deleting this particular program, mind you. If anything I said implied that, then I was unclear in how I phrased my thoughts. Microsoft appeared very responsible in dealing with this particular case, down to contacting the Tor developers and making sure there was no legitimate reason why Tor would ever have been installed in that way. Kudos.
What gives me pause is that they have the capability of choosing to delete anything off a box. Because there's no guarantee they're going to be responsible with that tool tomorrow, and the next thing you know, a false positive gets deleted. I don't think such an action should even be legal, without explicit consent.
I moved to the Mac a long time ago...Developers shouldn't delegate the hard decisions to users. They should work out the right thing to do, and do it.
Well, that's certainly the Apple philosophy. I'm not saying that disparagingly, and I recognize the advantages of that philosophy, but I will like to point out that it's a preference, not a universal truth. Since you subscribe to it, you're probably very happy with that move to the Mac. I did the Mac thing myself for many years as a result of Apple switching to x86 compatible machines, and as a result of Mac OS X being UNIX. My latest laptop, however, is not an Apple, precisely because I personally hate that Apple philosophy, and it got in my way much more often than it was ever helpful.
I am a software developer. My philosophy, as a developer and as a user, is that a developer doesn't make decisions ever, regardless of whether they're easy or hard. A developer makes suggestions, when the choice appear obvious, in the form of defaults that can be changed in an advanced menu. If it's a hard decision, either because you're not sure what should be chosen, or because the stakes are high (files are going to get deleted, overwritten, the user will have to log out or reboot, etc.), then you don't even pick a default. You ask the question, and allow the user to set his answer as the default in the future, if he so chooses.
Once again, I'm not trying to tell you my philosophy is right and yours is wrong here, I'm just explaining my own preferences. My philosophy is right for me, and I look to use, buy, and create software that abides by it. This is Windows vs. Mac, KDE vs. Gnome stuff...you always have to trade off control for initial user friendliness, and people draw the line of where the cutoff should be differently.
Warning: Opinions known to be heavily biased.