
Microsoft Policies Help Virus Writers, Says Security Firm

timothy posted more than 4 years ago | from the this-door-to-remain-unlocked-at-all-times dept.

Windows

Barence writes "Security firm Trend Micro has accused Microsoft of giving malware writers a helping hand by advising users not to scan certain files on their PC because 'they are not at risk of infection.' Trend Micro warns that by making such information available, Microsoft is effectively creating a hit list for malware writers. 'Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,' the company's researcher, David Sancho, writes on the Trend Micro blog."


166 comments


Do "Users" have a choice? (2, Insightful)

Monkeedude1212 (1560403) | more than 4 years ago | (#30525246)

I load up Malware Bytes or Super Anti Spyware or some other reputable Anti-Malware program, boot into safe mode, and do a scan of the whole PC.

Is it I, or anti-malware developers, that they are sending the message to? Because I certainly don't want to leave an inch of the computer unchecked.

Re:Do "Users" have a choice? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30525356)

Safe mode isn't good enough. You want to run it in the pre-boot environment (what Windows setup / chkdsk runs in).

Also, believing that some half-assed "security" software is going to protect you from everything bad is just stupid.

Re:Do "Users" have a choice? (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#30525686)

Safe Mode does fine enough for most people. I've been cleaning out viruses for almost a decade now and all it takes is a scan in safe mode and knowing what files to delete. (Temp internet files, any other out of place programs)

There has been one instance where I chose to boot into an antivirus software from a live CD and that was able to clean it out. I would probably use something in the BIOS if I knew of one.

And of course, no "security" software is ever going to protect you from everything. No one wants pre-emptive protection because it hinders their experience. If you know what you're doing, you won't fall for the cross scripting or phishing. There's a handful of dangerous things that don't actually require anything on your PC to be a danger to you, and those are the ones I educate people about.

As for viruses, trojans, spyware, and the likes - I tried to educate people once. It didn't work. I'm more than happy to remove it for them for a fee. It ain't much but it covers the Heating and Electricity.

Re:Do "Users" have a choice? (3, Informative)

ae1294 (1547521) | more than 4 years ago | (#30526072)

Safe Mode does fine enough for most people. I've been cleaning out viruses

Viruses perhaps but malware keeps loaders running hidden in the background. All those things you remove reinstall themselves. I do system clean up work and I see it all the time plus often the malware won't even let you run programs like HijackThis, SuperAntiSpyware, or MalwareBytes.

And of course, no "security" software is ever going to protect you from everything. No one wants pre-emptive protection because it hinders their experience. If you know what you're doing, you won't fall for

This isn't really true. Things like IE, Flash, Shockwave and Acrobat have zero day exploits that will infect your computer if you stumble on the right email or site. I'd say 85% of infections are from user ignorance but the rest is luck and who you have contact with. (Outlook address books, etc)

As for viruses, trojans, spyware, and the likes - I tried to educate people once.

It's hard for people to grasp "there is nothing you can do to protect yourself except become a techie" You can browse the web with Java,Java Script,Flash,etc etc turned off and still have an APP that has a security hole that will infect your system.

But if you mean telling everyone to run Linux than sure that pretty much takes care of most of the problems but then you have to become their go-to person when ever they want to install something. It's all loose-loose, what really needs to happen is better enforcement of the network and better law enforcement involvement. Take all those people trying to protect the children and make them do some real work.

protection from lawyer-hackers :) (0)

Anonymous Coward | more than 4 years ago | (#30526322)

> It's hard for people to grasp "there is nothing you can do to protect yourself except become a techie" You can browse the web with Java,Java Script,Flash,etc etc turned off and still have an APP that has a security hole that will infect your system.

Yes there is something you can do, run a base system from a read-only device, like the LiveUsbPendrivePersistent [ubuntu.com] .

> what really needs to happen is better enforcement of the network and better law enforcement involvement

Since when did laws prevent the crooks from breaking the law?

Re:protection from lawyer-hackers :) (1)

ae1294 (1547521) | more than 4 years ago | (#30526692)

Yes there is something you can do, run a base system from a read-only device

That is a good point. Using Linux to run a virtual machine of Windows and then having all of the bookmarks, documents, etc., etc. pointed back to shares on that Linux system, while having the VM Windows load from a snapshot, does work well. When someone needs to install something new they just need to do a clean boot, install their app and make a new snapshot. This works in office settings really well.

Since when did laws prevent the crooks from breaking the law?

It doesn't, but putting these people in jail will reduce their numbers but not get rid of the problem completely.

Re:protection from lawyer-hackers :) (1)

Mister Whirly (964219) | more than 4 years ago | (#30526946)

That is a good point. Using Linux to run a virtual machine of Windows and then having all of the bookmarks, documents, etc., etc. pointed back to shares on that Linux system, while having the VM Windows load from a snapshot, does work well. When someone needs to install something new they just need to do a clean boot, install their app and make a new snapshot.

My 86 year old grandmother will be pleased as punch to hear this!! No more answering her stupid Windows questions anymore!!

Re:protection from lawyer-hackers :) (1)

ae1294 (1547521) | more than 4 years ago | (#30527022)

My 86 year old grandmother will be pleased as punch to hear this!!

Will she understand any of it???

Re:protection from lawyer-hackers :) (2, Funny)

Mister Whirly (964219) | more than 4 years ago | (#30527126)

I doubt it, seeing her grasp on technology is as shaky as your grasp on sarcasm.

Re:protection from lawyer-hackers :) (1)

ae1294 (1547521) | more than 4 years ago | (#30527204)

I doubt it, seeing her grasp on technology is as shaky as your grasp on sarcasm.

No, I got it; perhaps I needed to include some sort of indication of such.

Regardless, the only reason it doesn't work well at home is that lots of people want to play 3D games on their systems. Your grandmother would do well with such a setup... but you probably don't really have a grandmother....

Anyway... yeah...

Re:Do "Users" have a choice? (2, Insightful)

causality (777677) | more than 4 years ago | (#30526524)

It's hard for people to grasp "there is nothing you can do to protect yourself except become a techie" You can browse the web with Java,Java Script,Flash,etc etc turned off and still have an APP that has a security hole that will infect your system.

You need not become an expert to protect yourself; you only have to achieve competency. That's all you need to exercise best practices. To give a tired old car analogy, they don't need to be mechanics, they just need to be safe drivers. I'll use the classic Trojan horse program as an example: you don't need to understand how a trojan installs a backdoor into your system and makes it join a botnet; you only need to understand that running untrusted executables is a bad idea. I think the biggest falsehood being perpetuated here is that you are either totally ignorant or you're an elite expert. Users buy into this falsehood anytime you give them basic precautionary steps they can take and they say "but I'm not a geek!" This is despite the fact that you don't need to be a geek to follow illustrated step-by-step instructions, you only need to be literate.

I think the marketing of most commercial software is partly to blame here. "Easy to use" isn't an inherently bad thing, but it is a disservice to users when it connotes "you can use this in a totally mindless fashion with zero understanding and never have any problems."

But if you mean telling everyone to run Linux than sure that pretty much takes care of most of the problems but then you have to become their go-to person when ever they want to install something. It's all loose-loose, what really needs to happen is better enforcement of the network and better law enforcement involvement. Take all those people trying to protect the children and make them do some real work.

We already have laws against computer intrusion. The problem is twofold: catching the actual perpetrators, who go to great lengths to conceal their identities; and prosecuting them when they are in other countries/jurisdictions. Protecting the clueless is the same as protecting the children, only it's worse. It's worse because children cannot be other than children, while the clueless could decide that learning is important to them.

I think the real way to deal with this is to put real security into Windows. Removing an infection after-the-fact is not real security. It is only damage control. Windows needs a real security system that can prevent intrusions in the first place with no third-party software needed. The goal here is not perfect security. The goal is to make our systems secure enough that automated attacks are no longer successful. Then malware authors cannot just write a program one time and use it over and over again to infect millions of machines. Achieve that, and intrusions require dedicated human effort for each compromised machine and can no longer occur on massive scales with little effort. Then and only then does it make sense to think about prosecuting the computer crimes that remain.

Re:Do "Users" have a choice? (1)

ae1294 (1547521) | more than 4 years ago | (#30526872)

We already have laws against computer intrusion. The problem is twofold: catching the actual perpetrators, who go to great lengths to conceal their identities; and prosecuting them when they are in other countries/jurisdictions. Protecting the clueless is the same as protecting the children, only it's worse. It's worse because children cannot be other than children, while the clueless could decide that learning is important to them.

Some of them do go to great lengths, most do not but you are right in that there is only so much law enforcement can do so I'll leave it at that.

I think the marketing of most commercial software is partly to blame here. "Easy to use" isn't an inherently bad thing, but it is a disservice to users

I have problems with the way the software is marketed as well. The whole "protect your computer from everything bad with just our product" part is the worst.

I think the real way to deal with this is to put real security into Windows.

That simply will never happen. If it did then there would be anti-trust cases, but it doesn't matter as it just won't happen.

Re:Do "Users" have a choice? (0)

mcgrew (92797) | more than 4 years ago | (#30526618)

But if you mean telling everyone to run Linux than sure that pretty much takes care of most of the problems but then you have to become their go-to person when ever they want to install something.

That's the case with Windows many times as well. With Mandriva, at least, installing programs is dirt simple; most I've needed came with the distro anyway.

It's all loose-loose

Did you mean "lose-lose"? You're not being very clear. What's loose except your usage of two very different verbs (one of which you used as an adjective)?

You can browse the web with Java,Java Script,Flash,etc etc

I see, you're twelve years old and don't understand how to write yet. Never mind then.

Re:Do "Users" have a choice? (1)

ae1294 (1547521) | more than 4 years ago | (#30526906)

You can browse the web with Java,Java Script,Flash,etc etc

I see, you're twelve years old and don't understand how to write yet. Never mind then.

I'm not, but if I was, why would it matter? Are you not allowed to talk with them by court order or something?

Re:Do "Users" have a choice? (0)

Anonymous Coward | more than 4 years ago | (#30526850)

Ultimately, as malware gets more sophisticated, the best solution is not just pre-boot media and a signature scanner, but a heuristic scanner that uses a whitelist. What this would do is scan all the places where stuff can start (drivers, HKCU, HKLM, startup directories), and remove anything that doesn't have the same length and cryptographic hash as what is stored in the whitelist.

After checking the whitelist, then the heuristic scanner should check signatures of drivers and executables. If the signature on a driver or executable matches a well known key (not just a name, but a key ID and thumbprint), it should be OK.

Heuristics have one glaring problem though. Unless you know the OS and machine's history, it might be difficult to tell a true positive from a false positive.

Of course, this is a lot easier on Linux and UNIX variants. I can boot up from live media, do a find -print|xargs sha1sum>bigfile and diff the contents of that against the contents of vital filesystems when the box was installed. Same with an ls -lR and diffing to find permission changes. Yes, there will be a ton of false positives, but it becomes very easy to catch anything modified on the filesystems this way, even if the modifications are done using kernel level objects with clever rootkit hiding when the OS is running (clever enough to get around tripwire).
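The offline baseline-and-diff approach in the post above (and the length-plus-hash whitelist idea earlier in the same post), as an added example that is not from the poster: it records size, permission bits and SHA-256 for every regular file under a root, then classifies a later snapshot against the baseline, which is what the find/sha1sum and ls -lR pipelines do by hand. The `demo()` scenario is constructed in a temporary directory; the file names and contents in it are illustrative only.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Record size, permission bits and SHA-256 for every regular file under root.

    Paths are stored relative to root, so a baseline taken at install time and a
    later snapshot taken from live media (different mount point) still compare.
    """
    root = Path(root)
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            rel = p.relative_to(root).as_posix()
            out[rel] = {
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "sha256": sha256_of(p),
            }
    return out


def diff_snapshots(baseline, current):
    """Classify every path as added, removed, modified (content) or mode-changed.

    A path can be both modified and mode-changed; it is then listed under both.
    Comparing against a trusted whitelist is the same call with the whitelist
    passed as `baseline`.
    """
    result = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        b, c = baseline.get(rel), current.get(rel)
        if b is None:
            result["added"].append(rel)
        elif c is None:
            result["removed"].append(rel)
        else:
            if b["sha256"] != c["sha256"] or b["size"] != c["size"]:
                result["modified"].append(rel)
            if b["mode"] != c["mode"]:
                result["mode_changed"].append(rel)
    return result


def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hostname").write_text("box\n")
        os.chmod(root / "bin" / "ls", 0o755)
        os.chmod(root / "etc" / "passwd", 0o644)
        baseline = snapshot(root)

        # Simulated tampering: same-length binary swap (size alone would miss it),
        # an extra account line, a new preload file, a deleted file and a
        # permission change making passwd world-writable.
        (root / "bin" / "ls").write_bytes(b"trojaned ls binary")
        (root / "etc" / "passwd").write_text(
            "root:x:0:0::/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n")
        (root / "etc" / "ld.so.preload").write_text("/tmp/constructed-example.so\n")
        (root / "etc" / "hostname").unlink()
        os.chmod(root / "etc" / "passwd", 0o666)
        current = snapshot(root)
        return diff_snapshots(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline is only as trustworthy as the medium it is stored on; keep it off the machine being checked, as the post's live-media boot implies.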

Re:Do "Users" have a choice? (4, Insightful)

geekboy642 (799087) | more than 4 years ago | (#30525604)

If you trust a single byte on the possibly-infected disk, you're not scanning for viruses: You're asking pretty please for the virus to show itself. Most are polite enough, but why take the chance? Use a known-clean read-only media to boot from, and scan the entire drive.

Re:Do "Users" have a choice? (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#30525732)

I agree - sometimes I get called over because of an "Error" - and I just head over right after work. Turns out the Error is Malware, I didn't bring my LiveCD, what can I do? A majority will get by with safe mode scans. There are those particularly nasty ones though, and as you said, boot from CD, or set it up as a slave drive with the proper security measures.

Re:Do "Users" have a choice? (1)

bberens (965711) | more than 4 years ago | (#30525902)

I ran into this case last week. My mother in law opened some malware and you can't even boot to command line safe-mode. As soon as you log in it logs you back out and goes to the login screen. :( So today I'm going back with a liveCD to try to get the documents off before doing a wipe.

Re:Do "Users" have a choice? (1)

ae1294 (1547521) | more than 4 years ago | (#30525766)

boot into safe mode, and do a scan of the whole PC

Safe mode will do nothing to keep malware from loading at this point....

Get a WinPE Distro like http://www.ubcd4win.com/ [ubcd4win.com]

Re:Do "Users" have a choice? (2, Interesting)

Z34107 (925136) | more than 4 years ago | (#30526162)

To all the people suggesting PE discs - what AV do you use? The vast majority simply do not work in a preboot environment. The ones that do tend to be old versions, which are about as helpful in removing real threats as a dull knife.

In my experience, the overwhelming majority of viruses are removed by MalwareBytes in safe mode. The ones that aren't leave signs that MalwareBytes can detect (infections it can't delete or that reappear, etc.) The paranoid can confirm with a packet sniffer.

If you really want to be paranoid, get a USB => IDE/SATA adapter from newegg. Pop out the hard drive and hook it up to a clean machine. Mount the registry hives using regedit, and do a scan with your favorite AV product. No relying on a potentially rooted machine, and no relying on an old/gimped AV product that works in a preboot environment.

Re:Do "Users" have a choice? (0)

Anonymous Coward | more than 4 years ago | (#30526514)

When I use PE disks I use a virus scan from my laptop that is connected to the infested machine(via filesharing). I can also use the additional programs in the PE environment to clean registry etc. etc.
I've found this works pretty well, and I've also used combofix and malwarebytes and gotten pretty good results with them as well. I don't think there will ever be a cheap *free* one program/process that will work for all virii/malware etc since that one way would gain enough popularity to be circumvented by the next latest and greatest virii/malware.

Re:Do "Users" have a choice? (2, Interesting)

ae1294 (1547521) | more than 4 years ago | (#30526548)

To all the people suggesting PE discs - what AV do you use? The vast majority simply do not work in a preboot environment. The ones that do tend to be old versions, which are about as helpful in removing real threats as a dull knife.

You can use the included driverpacks app to include most LAN/WAN drivers and then use an online scanner if you like or you can install PE to a USB disk and install any Antivirus program you like.

In my experience, the overwhelming majority of viruses are removed by MalwareBytes in safe mode.

In my experience those people come back 3 days later with the same virus. MalwareBytes runs in PE now, as does SuperAntiSpyware and HijackThis and a number of Antivirus programs.

get a USB => IDE/SATA adapter from newegg. Pop out the hard drive and hook it up to a clean machine. Mount the registry hives using regedit, and do a scan with your favorite AV product. No relying on a potentially rooted machine, and no relying on an old/gimped AV product that works in a preboot environment.

That works, or you can just use a PE disk [ubcd4win.com] which will auto load your hives for you.

Then you can run whichever programs you want like MalwareBytes, SuperAntiSpyware, HijackThis, etc. and I normally delete the recycle bin, system restore folder, and all the temp folders while taking a look around for stray files. All this while the other scans are running.

There really isn't any right or wrong way so whatever works for you is great. In my experience however safe mode is problematic.

The best option is to nuke the MBR and format/reload the system but people hate that.

Of course they do! (1)

WheelDweller (108946) | more than 4 years ago | (#30526036)

A couple of months before Jan 1 2000 I converted everything I had to Redhat, now Ubuntu Linux. In that time, I've never been hit by a virus, nor have I searched for them.

Every file on my machine is one that isn't likely to get a virus.

Why can't more of you guys try this alternative? It doesn't get any simpler. Stop being criminals with your MS Office and your nefarious copies of things.

Come, be free!

Also... (4, Funny)

InsertWittyNameHere (1438813) | more than 4 years ago | (#30525274)

disabling any backup software will improve "performance and avoid unnecessary conflicts" as well.

Re:Also... (0)

Anonymous Coward | more than 4 years ago | (#30525460)

So the ext4 approach to data consistency?

Re:Also... (1)

ae1294 (1547521) | more than 4 years ago | (#30526176)

So the ext4 approach to data consistency?

This is the worst troll ever...

Re:Also... (0)

Anonymous Coward | more than 4 years ago | (#30526276)

Yes, you are.

Re:Also... (0, Troll)

ae1294 (1547521) | more than 4 years ago | (#30527148)

Yes, you are.

I fucked your mom last night...

Are you serious? (4, Insightful)

bl4nk (607569) | more than 4 years ago | (#30525318)

Helping virus writers? Don't virus writers target the lowest-hanging fruit: the average Joe? Joe sure as hell doesn't read the Microsoft Knowledge Base, let alone knows of its very existence! Let's be realistic, here. This is coming from third-party AV companies, remember... they're fighting to stay relevant.

Re:Are you serious? (1)

postbigbang (761081) | more than 4 years ago | (#30525696)

And relevant they are.

This week: six different local 'family' machines needed junk scraped from them by yours truly, the tech support guy. Why? They didn't understand about renewing their AV subscriptions-- and got infected. Does Microsoft have something inherent in Windows, native to the OS, that prevents contamination? No. Do their products distribute freely with up-to-date malware and virus prevention and thwarting? No. Users have to dig for them, install them, and hope that Microsoft's protection is sufficient.

Yes, there are free AV apps (for civilians) that work fine. Are they adept at using them? No. It's a huge failure.

Re:Are you serious? (0)

Anonymous Coward | more than 4 years ago | (#30526096)

Do their products distribute freely with up-to-date malware and virus prevention and thwarting? No.

Wrong! [microsoft.com]

Re:Are you serious? (1)

causality (777677) | more than 4 years ago | (#30525740)

Helping virus writers? Don't virus writers target the lowest-hanging fruit: the average Joe?

Joe sure as hell doesn't read the Microsoft Knowledge Base, let alone knows of its very existence! Let's be realistic, here.

Joe Sixpack does not read the Microsoft KB, true. However, he pays the highest price for the malware problem as you point out. The bickering between Microsoft and AV vendors does at least indirectly affect him. Now, I'd assume that Microsoft would be the foremost expert on Windows for obvious reasons. But let's just say that they are wrong about this, yet the AV companies believe them. Now Joe Sixpack might get hit by malware that his AV tools don't know how to look for, because those infected files are listed as "not vulnerable".

This is coming from third-party AV companies, remember... they're fighting to stay relevant.

Well sure, they have a cottage industry to protect. If Microsoft gets its act together on Windows security, which would mean REAL security and not clever ways to clean up infections after-the-fact, and/or if average nontechnical Windows users get a clue, then it's bye-bye to that cottage industry.

Look at their business model. It's an arms race; the black-hats produce new instances of malware while the AV companies index those and produce signatures and removal tools. The thing about an arms race that's good for the AV companies is that it is self-perpetuating, so there is always work for them to do. Even if there were a Final Ultimate Security Solution for Windows, the AV companies wouldn't want it. They wouldn't want that for the same reason that lawn-mower manufacturers wouldn't want a strain of grass that only grows to be 3-4 inches tall.

Re:Are you serious? (1)

ae1294 (1547521) | more than 4 years ago | (#30526234)

Even if there were a Final Ultimate Security Solution for Windows

My MS Rep told me Windows 7 WAS that???

Off-Limits Liberty (2, Interesting)

halfloaded (932071) | more than 4 years ago | (#30526544)

In the Marine Corps, we called it the "off-limits liberty" list. It ended up being a shopping list for all those places you really actually want to go. I know the Marines had the best intention, but c'mon. If I am 20 years old and told, "here is a list of places where they serve underage and where one can 'find a good time'," it's a no-brainer how I am going to use that list.

Re:Are you serious? (1)

mcgrew (92797) | more than 4 years ago | (#30526794)

It's as easy to put your malware in a secure place as it is to put it in "my documents", and it would be more effective in a "secure" place. If I were writing/spreading malware I'd be hiding it where AV software doesn't look.

After all, the lowest hanging fruit would be unpatched machines with no AV at all.

Re:Are you serious? (0)

Anonymous Coward | more than 4 years ago | (#30526966)

People who aren't total fuckwits don't need so-called antivirus software. Everyone else can have fun infecting their computer with a false sense of security.

Won't the malware be detected once loaded into RAM (0)

Anonymous Coward | more than 4 years ago | (#30525326)

Question mark. (Assuming that the anti-virus can detect the nasty with sigs/heuristics/behaviour monitoring)

Re:Won't the malware be detected once loaded into (1)

blai (1380673) | more than 4 years ago | (#30525808)

is this where you raise the question about rootkits or...?

Really? (4, Informative)

nametaken (610866) | more than 4 years ago | (#30525352)

Ok, so buried somewhere in the middle of an online support page about some potential file type exclusions MS mentions:

*.edb
*.sdb
*.log
*.chk

...in certain folders.

Ok first, I have to assume that most computer users will never see this. I am not concerned that the next time I see my parents computers that they'll have set up file type exclusions.

Second, if you're excluding file types from scanning, those are probably good ones to exclude. These are files that have contents that are constantly changing and are not generally executable.

Third, this stinks of "Hey listen to us! Then buy our antivirus."
"Following the recommendations does not pose a significant threat as of now" But it may some day? Well no shit, doesn't that go for everything?

Am I missing something? Is this a ridiculous stretch just to bash Microsoft or something? How is this an important read?

It used to be... (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30525474)

It used to be that you could tell people to open pictures/films because they were safe. Then movie viewer programs (i.e. media player) started to execute html to download a certificate or decoder. Now you can get a trojan that way. It used to be that by getting an email you could not get a virus. Then Outlook started to actively open email or even hide extensions.

See the trend? The problem is not that the content cannot be executed, it is that more and more the decoder/reader for such files is looking at active markup or script, which allows virus makers to exploit faults (buffer overflow) or execute their own script. Nowadays I would not put it past a crafty virus maker to exploit flaws in notepad...

Re:It used to be... (1)

L0rdJedi (65690) | more than 4 years ago | (#30525798)

Only Windows Media Player accepts executable code at the end of a video. Most other media players still do not do that so they are not susceptible to that attack. With the Outlook image thing, it's actually a VBS file with the .gif or .jpg somewhere else in the name and the actual extension spaced way off at the end, so images are actually still ok. Admittedly, turning off the display of extensions is a boneheaded move that MS still makes on their OS. It seems to be their way of trying to be more "Mac like".

Somehow I doubt that MS is going to give Notepad the ability to execute code found in a text file. Mainly because almost no one but a techie will ever use Notepad. Most people that need a "text editor" load up Word or Google Docs.

Re:It used to be... (3, Informative)

QuantumRiff (120817) | more than 4 years ago | (#30525930)

Keep telling your users that. Tell them that QuickTime is just fine. (along with Acrobat reader, while they are at it).. And no 3rd party media players have ever had buffer overflow problems...

Then there was the whole image thing.. http://www.microsoft.com/technet/security/bulletin/ms06-039.mspx [microsoft.com] makes it sound a little more serious than just mucking with the file-name.

Re:It used to be... (0)

Anonymous Coward | more than 4 years ago | (#30526516)

Only Windows Media Player accepts executable code at the end of a video. Most other media players still do not do that so they are not susceptible to that attack

Wait... I thought that 3rd party software is always to blame. At least that's what I've been told by Wintards for the last 20 years. What's all this talk about Media Player, Outlook, IE, and Notepad for?

Re:It used to be... (1)

aztracker1 (702135) | more than 4 years ago | (#30527158)

If there is a buffer overflow problem with notepad.exe it could very well be used as an attack vector.

Re:It used to be... (1)

QuantumRiff (120817) | more than 4 years ago | (#30525878)

Ahh, remember the 90's, when people would forward chain mails about how even looking at an email with a certain subject would wipe your entire hard drive? And then how us IT people would have to tell people that it was okay, that reading emails was fine, they were just text, just never, ever execute an attachment you weren't expecting...

Then outlook got real popular in companies...

Course, they also used to forward chain mails about "if you forward this to 10 people, Bill Gates would send you $200." and we would have to tell them that emails can't be tracked like that.. Of course, with 1x1 images in emails now.. they can..

Re:It used to be... (1)

CannonballHead (842625) | more than 4 years ago | (#30526144)

and we would have to tell them that emails can't be tracked like that..

You were wrong!! I can't believe you missed that opportunity!!!1 I just received a check from Bill Gates c/o Microsoft Corp. in Redmond, Washington for $1,689.34. It works! But if you don't forward this to all your friends, someone from Microsoft will come around to collect what you owe!

...

Re:It used to be... (2, Insightful)

gsarnold (52800) | more than 4 years ago | (#30527034)

Meh... I think the problem is that about fifteen-some-odd years ago, Microsoft decided against all convention that storing auto-executable code and scripts inside data files was a great idea.

Re:Really? (3, Informative)

fluffy99 (870997) | more than 4 years ago | (#30525508)

The MS article also gives specific recommendations for domain controllers and servers, which make good sense as well. The files they list include startup scripts and GPOs which get heavy use. AV can induce severe problems if it keeps locking the files. On the flip side, you should keep an eye on those files, as a compromise (not necessarily a generic detectable virus) could compromise your entire domain. Also note that you should exclude the database files on an Exchange server. Aside from the huge performance hit, you really don't want the AV software deleting or screwing up the entire Exchange store if it sees a virus buried way down in a single email.

Re:Really? (1)

NotBorg (829820) | more than 4 years ago | (#30526862)

If your AV software is killing your Exchange database then you should be fired for running it. All the relevant AV vendors provide Exchange integration. I've seen NT 4 boxes with it (it's not new).

Home editions are for home computers not for your business' servers. Get the AV package that says "server" on it.

Re:Really? (2, Interesting)

rdavidson3 (844790) | more than 4 years ago | (#30525916)

Who's to say that the malware doesn't have an executable renamed to have a .log extension, and the antivirus skips over it? How trivial would it be to have a loader that does nothing except load "safe" files and do its bad things under the cloak of "but it's a log file.... it should be safe".

Excluding any files on the computer is a bad thing, and needs to be discouraged.

Re:Really? (1)

clodney (778910) | more than 4 years ago | (#30526980)

Who's to say that the malware doesn't have an executable renamed to have a log extension, and the antivirus skips over it? How trivial would it be to have a loader that does nothing except load "safe" files and do its bad things under the cloak of "but it's a log file.... it should be safe"?

Excluding any files on the computer is a bad thing, and needs to be discouraged.

So if you manage to get an executable onto the system, you can then use it to execute a malicious payload hidden in a seemingly innocuous file?

If I can get an executable on the system, I have already compromised your security. Why bother with a hidden payload at that point?

Re:Really? (1)

rdavidson3 (844790) | more than 4 years ago | (#30527064)

The point is that the hidden payload doesn't get scanned by anti-virus at any point.

Re:Really? (1)

clodney (778910) | more than 4 years ago | (#30527402)

The point is that I have already gotten you to execute a malicious executable. What more have I gained with a hidden payload? The damage is already done.

I will grant that this does open up one new vulnerability - I can write new malware that can be used to help the user execute old malware that is already known to the AV scanners.

But I still say that once I have gotten you to execute malware I don't worry about getting a second payload in place.

Re:Really? (1)

Amouth (879122) | more than 4 years ago | (#30525926)

I didn't read the article or the KB, but from the types you have listed, the first thing that came to mind:

Exchange.

edb/sdb belong to Exchange stores; log is common but also used for transaction logs, and chk, if I remember right, is used when rebuilding from TLs or doing an offline defrag.

Given the type of shit that's in mailboxes and queues, and that it isn't executable, sure, stuff is there, but not a risk.

Then given the normal actions of AV software (hey, I found shit in this file; remove handles, deny access; hey user, I quarantined this thing for you).. hmm, that could be quite bad.

Yes, there are plenty of examples of why you wouldn't want to exclude things, but at the same time there are a lot of reasons to.

I agree that this does smell of the "Hey listen to us! Then buy our antivirus." especially since Security Essentials actually turned out nice.

Re:Really? (1)

Volante3192 (953645) | more than 4 years ago | (#30526816)

Yeah, in exchange's case what you need is something that hooks into the databases and scans the mail directly. Scanning a database as a virus just isn't going to work. It's like a zip file with a virus inside. You can scan the zip file and it'll pass. You need to look inside to figure out if you're safe.

Re:Really? (1)

Shimbo (100005) | more than 4 years ago | (#30526070)

Third, this stinks of "Hey listen to us! Then buy our antivirus."

It's an antivirus vendor blog FFS, what did you expect?
 
Why do so many of them end up as front-page stories? Don't ask me.

Re:Really? (0)

Anonymous Coward | more than 4 years ago | (#30527154)

If you scan your .edb's or your .sdb's, plan on having a worse day than most viruses will give you, as you will likely trash your Exchange server's database.

Re:Really? (1)

girlintraining (1395911) | more than 4 years ago | (#30527488)

Am I missing something? Is this a ridiculous stretch just to bash Microsoft or something? How is this an important read?

The entire idea of scanning for signatures is what's ridiculous. This broken model of ring-based security is what's ridiculous. Buy into those ideas and yeah, it would make sense then to exclude certain file types.

What's needed is something like Tripwire, built into a bootable flash drive and Microsoft (and other vendors) releasing hashes of their files. But it's easier to do reactive security than proactive security -- and by easier I mean shoving the costs onto the consumers. At least then we could verify the integrity of the operating system and boot files independently of the software on the computer -- which is easily compromised. All this talk about a TCB has turned out to be just that -- talk. It hasn't helped system security one iota.
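A minimal version of the offline integrity check the comment above describes, added here as an example: it is not Tripwire's code and not a hash list Microsoft (or any vendor) publishes. It hashes a tree with SHA-256 into a manifest, hashes the manifest itself so the copy kept on the boot stick can be checked before it is trusted, and later diffs the live tree against it. Python is used so it runs offline on any platform; every file name and content under the temporary directory is constructed for the demo.

```python
"""Tripwire-style integrity baseline: hash a tree once from a trusted boot
environment, keep the manifest off the machine, re-verify later.

Added example; not Tripwire's code and not a vendor hash list. The files it
hashes are constructed in a temporary directory for the demo.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large images and DLLs do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map of relative path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def manifest_digest(manifest: dict[str, str]) -> str:
    """Digest of the canonical manifest. Record (or sign) this out of band so a
    tampered manifest on the boot stick is detected, not just tampered files."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree with the baseline. Missing and added files matter
    as much as modified ones: a dropped driver shows up only as 'added'."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k, v in manifest.items() if k in current and current[k] != v),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline, then tamper with the tree, then re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "kernel32.dll").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "system32" / "ntoskrnl.exe").write_bytes(b"MZ" + b"\x01" * 64)
        (root / "boot.ini").write_text("[boot loader]\n")

        baseline = build_manifest(root)
        expected_digest = manifest_digest(baseline)

        # Simulated compromise: patched DLL, deleted boot file, new driver.
        (root / "system32" / "kernel32.dll").write_bytes(b"MZ" + b"\x00" * 64 + b"\x90" * 8)
        (root / "boot.ini").unlink()
        (root / "system32" / "evil.sys").write_bytes(b"MZ" + b"\x02" * 16)

        # The manifest travelled on the boot stick; check it before trusting it.
        if manifest_digest(baseline) != expected_digest:
            raise RuntimeError("manifest tampered")
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The point the comment makes is the separation of trust: the hashing runs from media the compromised OS never touched, and the manifest's own digest is recorded somewhere the machine cannot rewrite. A vendor-published manifest would plug into verify() unchanged, as long as it is keyed by relative path.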

Vista & Windows 7 (1)

hey (83763) | more than 4 years ago | (#30525374)

Maybe Microsoft should just say: Vista and Windows 7 are so secure there is no point in scanning anything. As these OSs are safe because of UAC :)

Re:Vista & Windows 7 (0, Troll)

LOLLinux (1682094) | more than 4 years ago | (#30525484)

You mean the Mac and Linux attitude towards security? That worked out real well with that recent malware in those .deb files, right?

Re:Vista & Windows 7 (0)

Anonymous Coward | more than 4 years ago | (#30525718)

The Linux attitude towards viruses is "meh, can't secure the entire code base, so why bother with something that will be undetectable in the first place?". The Linux attitude after an intrusion is that the system has to be replaced, not simply given a "removal of a virus". BTW, Linux has rootkit scanners, and there are virus scanners and vulnerability scanners. But knowledgeable people know that such things are not the reason why there are no mass viruses for Linux servers and desktops. Unsecured Linux is as vulnerable as Windows or Mac to viruses, but one can take steps to secure the OS. You can do the same on Windows, but I'm not sure about Mac.

Malware in .deb files is nothing that was not predicted. There is a reason why distributions have crypto signatures for their packages. There are tons of freely available exploits for Linux. Yes, no mass trojans.

Mac's attitude towards viruses is they don't exist.

Re:Vista & Windows 7 (1)

aztracker1 (702135) | more than 4 years ago | (#30527196)

Mac's attitude towards viruses is they don't exist.

What is this round Earth concept you speak of? It intrigues me.

Nothing new (3, Informative)

Hawthorne01 (575586) | more than 4 years ago | (#30525378)

Microsoft's been helping out malware writers since at least 1982...

Re:Nothing new (0)

Anonymous Coward | more than 4 years ago | (#30525646)

Funny how once they release Security Essentials for free, they all suddenly have issues with them. The free offering from M$ removes the need for a 3rd party AV.

Re:Nothing new (1)

weicco (645927) | more than 4 years ago | (#30526496)

You mean like DEC [wikipedia.org] helped to write the first computer virus in the world?

Don't virus-check database files (5, Informative)

Anonymous Coward | more than 4 years ago | (#30525412)

The blog points out that edb.chk and *.log files should be excluded. These files are used by the ESE/ESENT database engine (used by Active Directory, Exchange Server, Windows Desktop Search, etc.) for database recovery and contain a list of physical database updates, in binary form. Historically the problem has been that these files can contain almost any byte sequence, so virus checkers would start flagging them as infected and quarantine them, breaking database recovery. This can be particularly nefarious for Exchange Server, because mailing an infected file as an attachment causes the same bytes to appear in the logfiles. If a virus checker quarantines the logfile then database recovery can be broken -- a neat DoS attack.

As the logfiles aren't executable, but can contain any byte sequence, there isn't any benefit to checking the files, but a lot of damage can be done by 'repairing' or quarantining them.

Re:Don't virus-check database files (2, Interesting)

Aladrin (926209) | more than 4 years ago | (#30525702)

But by the same logic, I could write a virus that hides itself in files called edb.chk and mail.log and keep the code that a virus scanner would find in there. Then just load that into memory from some stub program.

That's what the article is warning about.

Re:Don't virus-check database files (0)

Anonymous Coward | more than 4 years ago | (#30526824)

But by the same logic, I could write a virus that hides itself in files called edb.chk and mail.log and keep the code that a virus scanner would find in there. Then just load that into memory from some stub program.

That's what the article is warning about.

And then, the stub program gets its own virus definition and is defeated once more. Yaaaay! That was hard!

Re:Don't virus-check database files (0)

Anonymous Coward | more than 4 years ago | (#30527008)

Then the virus checker just needs to detect the stub program. What you are describing is a standard virus trick, but instead of using edb.chk you can encrypt the virus and the stub program can decrypt and execute it. Modern virus checkers have to be able to deal with that.

won't make a bit of difference (1)

viralMeme (1461143) | more than 4 years ago | (#30525486)

"'Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,' the company's researcher, David Sancho, writes on theTrend Micro blog."

It won't make a bit of difference, as AV software doesn't work already. A more realistic solution would be to allow a whitelist of known good software.

'Why is "Enumerating Badness [ranum.com] " a dumb idea? It's a dumb idea because sometime around 1992 the amount of Badness in the Internet began to vastly outweigh the amount of Goodness'

Re:won't make a bit of difference (1)

Calydor (739835) | more than 4 years ago | (#30526012)

And how, exactly, are you going to whitelist software?

Let's say you're making a fun little game in C++, but you can't test it on a protected system because it's not in the whitelist.

And what's to say that it won't cost money to be added to the whitelist? Goodbye F/OSS.

Re:won't make a bit of difference (1)

AlphaBit (1244464) | more than 4 years ago | (#30526204)

It won't make a bit of difference, as AV software doesn't work already. A more realistic solution would be to allow a whitelist of known good software.

Realistic for who? A whitelist approach sounds great if you're already a massive software company that can pay the fees and jump through the hoops necessary to get listed. It's also great for weeding out real competition and innovation in software.

Fortunately, it's already been tried by MS (Signed software) and found to be totally irrelevant (Install anyway).

Re:won't make a bit of difference (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30526614)

It won't make a bit of difference, as AV software doesn't work already. A more realistic solution would be to allow a whitelist of known good software.

Yeah. We could call it... Trusted Computing. And require that all executable code be signed by Microsoft.

Gotta Love Trend (0)

Anonymous Coward | more than 4 years ago | (#30525490)

"Security firm Trend Micro has accused Microsoft of giving malware writers a helping hand by advising users not to scan certain files on their PC because 'they are not at risk of infection.' Trend Micro warns that by making such information available, Microsoft is effectively creating a hit list for malware writers. 'Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,' the company's researcher, David Sancho, writes on the Trend Micro blog."

Although, my all-time fave was when their phishing filter (composed by know-nothing $1-an-hour workers in the Philippines) used Wells Fargo's ACTUAL 800 customer-service number as a signature. Needless to say, that's an account (WF) they subsequently lost.

The whole point is... (2, Interesting)

m2pc (546641) | more than 4 years ago | (#30525540)

It does open up some security concerns when an A/V utility is advised to "skip over" certain files. A malware writer could easily exploit this and simply mask their executable "payload" with one of the "non-scannable" file extensions to avoid detection. Malware could easily modify the registry to make one of these "non-executable" extensions open with the Windows shell, causing them to become executable even without the .EXE extension. This would only work, however, if the resident portion of the malware was able to evade detection.
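An added example, not code from the thread, from any AV product or from the Microsoft article, that exercises two points raised in this discussion: the earlier observation that an ESE transaction log can carry the raw bytes of a scanned attachment, so a byte-signature scanner that quarantines it breaks recovery, and the worry in this comment (and rdavidson3's above) that an excluded extension becomes a hiding place for a renamed executable. It is written in Python so it runs offline anywhere; the directory layout, rule list and "signature" below are constructed for the demo and the rules stand in for a policy, they are not Microsoft's list.

```python
"""Audit anti-virus exclusions against what is actually on disk.

Added example, not code from the thread or from any AV product. Two points
from the discussion are exercised on constructed files in a temp directory:

  * An ESE-style transaction log that happens to contain the bytes of an
    e-mail attachment would trip a byte-signature scanner; a path-scoped
    exclusion keeps the scanner (and its quarantine) away from it.
  * An exclusion must not become a blind spot: anything inside an excluded
    path that is really a PE executable (the "renamed to .log" trick) is
    reported by content, not by extension.

All paths, rule lists and signatures below are made up for the demo.
"""
from __future__ import annotations

import fnmatch
import struct
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Exclusion:
    """One exclusion rule: a filename glob that applies only inside `directory`."""
    directory: Path
    pattern: str


def is_excluded(path: Path, rules: list[Exclusion]) -> bool:
    """True if some rule matches this file in this directory (never by extension alone)."""
    return any(
        path.parent.resolve() == rule.directory.resolve()
        and fnmatch.fnmatch(path.name.lower(), rule.pattern.lower())
        for rule in rules
    )


def looks_like_pe(data: bytes) -> bool:
    """Content sniff for a Windows PE image: 'MZ' at 0, 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def signature_hit(data: bytes, signatures: list[bytes]) -> bool:
    """Naive byte-signature match, the kind that fires on opaque binary logs."""
    return any(sig in data for sig in signatures)


def audit(root: Path, rules: list[Exclusion], signatures: list[bytes]) -> dict[str, list[str]]:
    """Walk `root`, honour the exclusions, but still content-sniff excluded files."""
    report: dict[str, list[str]] = {"scanned_hit": [], "skipped": [], "pe_in_excluded": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if is_excluded(path, rules):
            report["skipped"].append(rel)
            if looks_like_pe(data):
                report["pe_in_excluded"].append(rel)
        elif signature_hit(data, signatures):
            report["scanned_hit"].append(rel)
    return report


def fake_pe() -> bytes:
    """Smallest byte string that satisfies looks_like_pe(); not a runnable binary."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 64


def demo() -> dict[str, list[str]]:
    """Constructed layout: an Exchange-like log directory plus an unrelated directory."""
    signature = b"CONSTRUCTED-MALWARE-SIGNATURE-0001"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        logs = root / "mdbdata"
        other = root / "users" / "downloads"
        logs.mkdir()
        other.mkdir(parents=True)

        # Transaction log whose payload is the bytes of an attachment that
        # carried the signature; scanning it would quarantine the log.
        (logs / "E0000001.log").write_bytes(b"\x00" * 32 + signature + b"\xff" * 32)
        (logs / "edb.chk").write_bytes(b"\x00" * 16)
        # The trick the thread worries about: a PE dropped with a .log name.
        (logs / "dropper.log").write_bytes(fake_pe())
        # Same extension outside the scoped directory: still scanned.
        (other / "notes.log").write_bytes(signature)

        rules = [Exclusion(logs, "*.log"), Exclusion(logs, "edb.chk")]
        return audit(root, rules, [signature])


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Two design points: rules are scoped to a directory, so a *.log elsewhere is still scanned, and excluded files are still opened for a cheap header sniff that cannot quarantine anything. The sniff reads only a file's main data stream; a scanner on NTFS also has to enumerate alternate data streams, which this portable script does not do.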

Re:The whole point is... (1)

jim_v2000 (818799) | more than 4 years ago | (#30525712)

>This would only work, however, if the resident portion of the malware was able to evade detection.

Yes, so really, if you're already infected, the virus can pretty much do whatever it wants to your system, including breaking your antivirus. The "security concerns" with excluding those extensions are not really security concerns at all.

What? (1)

sajuuk (1371145) | more than 4 years ago | (#30525608)

No obligatory comment that Microsoft itself is a malware producer?

Re:What? (0)

Anonymous Coward | more than 4 years ago | (#30525666)

no

conflict of interest (0)

Anonymous Coward | more than 4 years ago | (#30525616)

More importantly, the installation process for Windows guides users to run primarily as administrator, which makes the whole OS one big target. Microsoft could do a lot more for security by not guiding users to surf the web, etc, as admin. But then, there wouldn't be as much of a need for antivirus/antimalware software such as "security firm" Trend Micro's.

Alternate Data Streams (2, Informative)

nlewis (1168711) | more than 4 years ago | (#30525650)

As I understand it, any file in an NTFS partition can have one or more Alternate Data Streams [securityfocus.com] associated with it, regardless of its type or location. So if you tell someone not to scan something like "Edb.log", does that imply that they should not scan "Edb.log:virus.exe" either?

I have to agree with Trend Micro on this one. Completely skipping specific files in specific directories may prevent performance issues, but it may also make it easier for malware authors to find new hiding places.

Huh? Sounds like shit talking. (1)

pyster (670298) | more than 4 years ago | (#30525668)

This sounds like shit talking. Anti-virus/malware vendors do the same crap.

I do not trust any anti-virus/malware software anymore. I've had Trend Micro pick up text files written 20 years ago as a virus. I've had Norton kill copies of remote admin (at the absolute worst times too...). I've had Ad-Aware find crap on virgin systems... and the stuff it finds I know isn't infected.

My solution to the problem has been to use ZoneAlarm, shut down ports at the router level, monitor my network traffic, restore a Ghost image on a regular basis, and watch what I install. It's not a perfect system, but it mostly works well enough that I doubt I am part of a botnet. I scan with Trend Micro once in a while for fun...

If you didn't write it, don't trust it. We've seen time and time again legitimate software doing things we don't feel they should be doing.

Re:Huh? Sounds like shit talking. (1)

fast turtle (1118037) | more than 4 years ago | (#30526930)

I've used ZoneAlarm in the past (was one of the beta testers long ago), but now that Win7 includes a true bi-directional firewall, I don't use it. What I've done is the same as I would on a *nix box: simply deny all in both directions, then open the minimal exceptions I actually need. Yep, even Firefox gets no direct connection (goes through my proxy server), and it's the same for those few apps that actually need net access. Otherwise nothing, and I mean absolutely nothing, is granted permission by default, including SVCHOST. I locked that down so hard WinUpdate quit working until I figured out exactly what to allow. Then I created the rules for it and only it.

As someone posted earlier, the problem is this: we are all at the mercy of the devs, who may not pay any attention to whether their app truly needs net access, yet most of those installed work fine after access is cut.

In a related story, water is wet (0)

Anonymous Coward | more than 4 years ago | (#30525674)

Microsoft's policies (and products!) are crappy for security.

Who could have possibly known?

This is sick! (1)

tyroneking (258793) | more than 4 years ago | (#30525680)

In this day and age we should not need antivirus software and firewalls- Microsoft wake up! What the hell is going on here? A whole market devoted to protecting an OS that we all have to pay for when we buy a new PC?
So, Microsoft taxes all new PCs, and we pay av vendors even more to protect the Microsoft OS.
This is surreal and sick.
We should ALL demand that our employers use Ubuntu ... every day ... until they give in...

Re:This is sick! (1)

rjolley (1118681) | more than 4 years ago | (#30525942)

So, what are you going to say when everyone starts to use ubuntu and malware writers start targeting it instead of windows? QUICK EVERYONE SWITCH TO OPENSOLARIS!

Re:This is sick! (1)

Karlt1 (231423) | more than 4 years ago | (#30525950)

In this day and age we should not need antivirus software and firewalls- Microsoft wake up! What the hell is going on here? A whole market devoted to protecting an OS that we all have to pay for when we buy a new PC?
So, Microsoft taxes all new PCs, and we pay av vendors even more to protect the Microsoft OS.
This is surreal and sick.
We should ALL demand that our employers use Ubuntu ... every day ... until they give in...

So exactly how do you propose that an operating system prevent a user from downloading malware that can destroy the user's files? How do you propose that an OS do anything but warn a user before a program can access privileged parts of the OS?

Re:This is sick! (2, Funny)

daveime (1253762) | more than 4 years ago | (#30526116)

We should ALL demand that our employers use Ubuntu

Mr Employer, can I interest you in an open-source, free, screensaver ?

Re:This is sick! (1)

Coren22 (1625475) | more than 4 years ago | (#30526172)

Then when Linux is attacked in the same way as Windows we will see just how secure it is? There have been viruses written for Linux, it is not inherently secure.

Re:This is sick! (1)

CannonballHead (842625) | more than 4 years ago | (#30526212)

We should ALL demand that our employers use Ubuntu ... every day ... until they give in...

Oh boy.

Oh boy.

Your employer pays Microsoft to use Microsoft's OSs. If your employer wants to stop paying Microsoft and use Ubuntu, I'm sure they can. Maybe they don't want to. In which case, demanding it probably won't do too much for you.

Of course, if someone actually demonstrated the same efficiency, no configuration issues, no breakages every time Ubuntu decides to roll out an upgrade, etc., maybe more employers would listen. Or perhaps if Ubuntu offered paid support (do they? I don't know).

There's a reason people pay for Oracle, for example, instead of using the free MySQL. Perhaps there are reasons employers pay for Microsoft instead of using Canonical. (as a user-targeted OS, anyways)

Re:This is sick! (1)

CannonballHead (842625) | more than 4 years ago | (#30526230)

Oh boy x2 was a mistake. hehe.

Re:This is sick! (1)

L0rdJedi (65690) | more than 4 years ago | (#30527570)

Yeah, good luck with that. I'm sure the other guy, ya know, the one that's willing to use Windows, will enjoy taking your job.

Question (2, Interesting)

Mr_Silver (213637) | more than 4 years ago | (#30525708)

I've just configured a new laptop and told the anti-virus to ignore *.jpg, *.avi and *.mp3 on my understanding that it's not possible to hide malware in them and that it will make the scan significantly quicker.

Am I right? Or is it a good idea to remove those exclusions?

Re:Question (2, Informative)

takev (214836) | more than 4 years ago | (#30525996)

There have been issues with actual media files like *.png that caused a buffer overflow in the image decoder and would allow execution of code embedded in the image itself.

However, it is better to actually fix the buffer overflow instead of scanning files. I guess the only real use for virus scanners, if you and manufacturers keep your system up to date, is to not allow said file to be transported to another computer that has not been updated.

That is what most Linux and OS X virus scanners mostly do: make sure viruses are found before you send them to a vulnerable computer.

Re:Question (2, Informative)

value_added (719364) | more than 4 years ago | (#30526316)

I've just configured a new laptop and told the anti-virus to ignore *.jpg, *.avi and *.mp3 on my understanding that it's not possible to hide malware in them and that it will make the scan significantly quicker.

If you're running an operating system where the permissions are such that everything is executable by default, do you really think that pursuing file-extension-related tweaks will solve your problems?

Sorry, but I'm having trouble not laughing. Not at you personally. You'd think Microsoft would have weaned itself from its perverse reliance on file extensions years ago, when people first started clamoring about .386 files. JPEG files have a .jpg or .jpeg extension, but log files have an .evt extension. Unless it's a log file. But what kind of log file is it? And which type should I scan?

Face it, Microsoft makes things up as they go along. Trying to keep up or otherwise make sense of things is a waste of time (unless it's your job, and you're being paid to do it).

A simple question (1)

shreshtha (1609099) | more than 4 years ago | (#30525772)

Which security company wants to have a world with absolutely no virus, botnet, worm ....or would make the world such???

Apple too (0)

Anonymous Coward | more than 4 years ago | (#30525776)

Apple provides a convenient list of setuid files you can modify that users will be told to ignore any warnings about.
http://support.apple.com/kb/TS1448

A computer law is needed (3, Insightful)

onyxruby (118189) | more than 4 years ago | (#30525812)

A computer law is needed here, it is a simple best practice that someone needs to carve into stone. "Thou shalt not practice security through obscurity". Nice and simple, covers so very very much and could have saved this anti-virus vendor some public humiliation. This law applies to any operating system or application without fail.

Wait a minute! (1)

hesaigo999ca (786966) | more than 4 years ago | (#30525986)

Any AV has a select files to avoid functionality, to bypass going through files that you know are ok, and save some time from the memory hog that our AVs are these days. So in fact, if we can say forget about these to an AV, why would this be any different.
As long as M$ allows that list to be modified to have nothing in the list to avoid, as per each user's preference when installing, I have no problem. The problem comes when M$ decides for you, and does not allow any changes to that config.

I am not a fan of Vista or Windows 7, so I have no such problems; however, knowing that most people tend to go with default settings to use apps such as AVs, I wonder if, by default, the files selected by M$ are in effect always the same ones?

Ubuntu user here (0)

Anonymous Coward | more than 4 years ago | (#30527482)

... what's Anti-Virus?
