Antivirus Vendors Headed for Court

SkiifGeek writes "A showdown between Rising Tech, a Chinese Antivirus vendor, and Kaspersky Lab in a Chinese court could have implications for software vendors that misidentify system files and files from their competitors as being malicious."

Why only Kaspersky?

[TheSHAD0W]

Why is it that only Kaspersky Antivirus is picking up on Rising Tech's files? What are the other antivirus vendors doing (or not doing) that is avoiding this problem?

Re:Why only Kaspersky?

[harlows_monkeys]

What are the other antivirus vendors doing (or not doing) that is avoiding this problem?

At the AV vendor I've worked for, when they get a report from another AV vendor of a false positive on that other vendor's product, they would investigate and get an update out within 24 hours to fix it.

Unfortunately, some vendors are not this fast. I've seen Spybot take years to fix false positives that have been brought to their attention.

Most are somewhere between these two. Generally, it goes like this. Company A notices that company B's product has a false positive on A's files. A contacts B about this, using B's public contact information, which generally is meant for the general public. So, A's complaint might end up in the support system, and might get kicked around there for a while as the support people try to figure out what to do with it. Eventually, it reaches some manager who has got a bunch of stuff on his plate, directly from his superiors, so he doesn't give this high priority.

A notices it is taking a long time, so looks for a better way to contact B. If A and B are reasonably big and in the same country or region, it will probably turn out someone high in A's management knows someone high in B's management, or knows someone who knows someone high in B's management who can introduce them, and then there is a high level request from A to B. That has a decent chance of getting results.

If no such contact can be found, or it fails to get action, then A calls the lawyers, and they write a letter to B's lawyers. That should get some attention at B, and whatever manager the first request got stuck at gets prompted to do something.

If nothing happens then, it is lawsuit time. When a lawsuit is actually filed, THAT gets the attention of B, all the way up to the top, and then things happen. (And the people who failed to act earlier get in a lot of trouble...companies do not like it when they get sued, even if the actual purpose of the suit is just to get someone's attention to fix a problem).

I suspect that a good percentage of lawsuits filed in the software industry (in general, not just AV) are to get the attention of upper management in the defendant to get some simple problem resolved that has fallen through the cracks.

A lesson here for anyone starting a company is to hire some top management people who are well-connected. If your Director of Engineering or CTO or Chief Scientist or whatever, in a situation like this, can say, "Hey...B's CTO went to my school and we were in the same fraternity...I can get his number, call, give the secret Alpha Delta Smegma pass phrase, and I'm sure he'll get the problem taken care of", that's great. The tech industry, just like the other industry groups, has its old boy's network, and you want to have someone who is connected to that.

Re:

[Opportunist]

I doubt Kaspersky is slow to pick up, they're pretty swift when it comes to reaction. Now, if you said MS still found a file wrongly days after notification, I'd sign that without asking, but Kaspersky has a record of reacting within minutes sometimes.

Still, Kaspersky has been losing ground in the last, say, 2 years. 2 years ago, they were the pinnacle of AV technology. They ain't anymore. I wonder why, but they sure as hell were losing ground.

Re:

[wfberg]

A lesson here for anyone starting a company is to hire some top management people who are well-connected. If your Director of Engineering or CTO or Chief Scientist or whatever, in a situation like this, can say, "Hey...B's CTO went to my school and we were in the same fraternity...I can get his number, call, give the secret Alpha Delta Smegma pass phrase, and I'm sure he'll get the problem taken care of", that's great. The tech industry, just like the other industry groups, has its old boy's network, and yo

Re:

[ben there...]

The tech industry, just like the other industry groups, has its old boy's network, and you want to have someone who is connected to that.

Or...you know...you could just have a separate support number/email and bug tracker for handling false positives, which are bound to come up frequently enough to require it. Then assign an employee part-time to resolve them appropriately.

Re:Why only Kaspersky?

[thegnu]

I've seen Spybot take years to fix false positives that have been brought to their attention.
By "Spybot," do you mean "Patrick Kolla?" I know now he's got help, but how many years ago did these "years" occur?

Plus, it's still part of THE best passive/manual protection you can get:

1. Spybot w. Hosts list & immunize
2. Spywareblaster
3. IESPYADS
4. Firefox
5. WRT54G
6. Merijn's BugOff

I know a router probably isn't really passive, but to the PC it is. Oh, and besides the router, this is all free. My 2 cents.

Re:

[harlows_monkeys]

By "Spybot," do you mean "Patrick Kolla?" I know now he's got help, but how many years ago did these "years" occur?

Some started as far back as 2002, and are still there in the current version.

If Spybot were a brand new program, from someone unknown, it would probably make the rogue list for too many false positives. But because it was one of the first, and was very good back in the old days when the spyware problem was much smaller, it gets grandfathered in, and people overlook a lot in it that they wo

Re:

[juventasone]

I've seen Spybot take years to fix false positives that have been brought to their attention.

Spybot is not for users. The results of its check are not always things you want to remove. Think of it as an intelligent version of HiJackThis that checks more places (contrary to AVs that scan everything). Even if you were to successfully argue that its results were somehow "wrong", its not a commercial product, and is "use at your own risk".

Re:

[BigDogCH]

"I've seen Spybot take years to fix false positives that have been brought to their attention."
And how much $ or time did you donate to help the cause? I am just curious. I don't think it is fair to criticize spybot on the same level as software you paid for.

This is more of a Chinese/Russia showdown

[MadRat]

Nothing to see, just a continuation of the 60's.

It Could Be Rising Tech Really Is Malicious

[NeverVotedBush]

China and Russia both are big time into state-sponsored computer/network infiltration. In a country like China, it wouldn't be surprising at all that the government would co-opt companies - especially anti-virus companies - to make them help the Chinese government open back doors, exfiltrate data, etc.

The very last piece of software I would ever install on my own computers would be a Chinese or Russian anti-virus package. Sure, it may finger other viruses, but it might also allow free access to the "right" people.

I know this sounds somewhat like tinfoil hat territory, but the SANS organization is frequently publishing articles about state-sponsored hacking/attacks. Why give them an easy pass? A perfect easy pass to use your system in electronic warfare against any country - especially the USA? It is at least something to be aware of and to consider.

Rising Star antivirus? Who's star is rising? China's? And by what means?

Re:It Could Be Rising Tech Really Is Malicious

[El_Muerte_TDS]

And on the other side of the pond you've got companies that are for sale. For all you know Symantec allows certain backdoor software distributed by the MPAA/RIAA.

How much can you trust companies like that?

Re:

[l0ne]

ClamAV is really the way to go. Fully open. Fully accountable for. And if a definition is malicious, you can alter or remove it with relative ease.

Re:

[Opportunist]

ClamAV has only one problem: It's not in the loop.

Clam has a hard time getting updates in time. I'm not familiar with the detection utilities the ClamAV team uses, but they are notoriously slow. A virus has to be around for a while 'til Clam starts picking up on it.

For a sensible detection, you have to be fast. Preferably, you have to detect the attacker before it comes to your computer, because with the advent of rootkit kits (erh... however you wanna call them), it became trivial to craft rootkits. And ro

Re:

[Thing 1]

While you're right about ClamAV not having real-time virus detection and can only detect an infection after it has files on your machine, it's not true that it gets updates slower. I remember reading a couple years ago that, out of the most recent 50 viruses found, ClamAV was the first to have the signature for it, 80% of the time. That's pretty good for something that's free.

A rootkit though, once it's on it's tough to detect; ClamAV will need to develop real-time scanning, drivers that load before all

Re:

[Opportunist]

Well, minutes do make a difference, of course, when you're getting the update 5 minutes after the infection. Generally, though, you'll see that most updates of the "good" AV kits come within 5 hours of each other.

And yes, Clam even has occasionally the lead. Most of the time, though, this happens when it happens to detect a variant of the virus with a detection written actually for another variant, that happens to match the new variant as well, due to its detection algorithm.

But you can check for yourself.

Re:

[rtb61]

Speaking of updates, as distributing a computer virus is a criminal act, should not governments be maintaining virus registers and make the available to the public, so that the public can protect their machines.

Re:

[Jesus_666]

So you can't use Russian and Chinese AV software because it's from countries notorious for not caring much about privacy and for having the government mess with companies. You also can't use US AV Software because it's from a country also notorious for domestic and foreign spying and for having big business co-opting smaller business in order to sustain their business model. You can't use F/OSS AV software because it doesn't have the resources the vendors have. You might have gone with AntiVir, but thanks t

Re:

[Virgil Tibbs]

Which ever the best way to go is
It's not the Windows way...

Re:

[Ravon Rodriguez]

Like it or not, people have to use Windows. You may get away with open source substitutes for a lot of applications, but the fact is that it's extremely hard (or even impossible in a lot of cases) to run most games using something like Wine or Cedega. Not to mention that even Ubuntu, hailed as the easiest used implementation of Linux to date, is not quite ready for the grandmother test. So, while it may not be ideal to use a Windows system, it's necessary. That being the case, it also becomes important to k

Re:

[Tim C]

Not to mention that the vast majority of threats require user interaction to infect a machine - you actually have to run that executable claiming to be a nude picture of Paris Hilton, or a document that your "colleague" has edited and mailed back to you, or a security patch mailed by a router/firewall that has noticed virus activity on your PC...

That won't change if everyone switched to Linux or OS X. At best, no-one would run as root (just like you can choose not to run XP as Administrator...), but people

Re:

[Virgil Tibbs]

what i was trying to point out is that where as window s may be the option you believe you HAVE to use, it isnt the best thing to use.

Re:

[antdude]

Which backdoor software?

Re:

[zlogic]

The very last piece of software I would ever install on my own computers would be a Chinese or Russian anti-virus package.

Because American anti-viruses like Norton are much better and easier to uninstall ;-)

I've used McAffee, Avast, Norton, Panda and Kaspersky, and Kaspersky, unlike others, had zero false positives and detected ALL viruses. For example, Norton often complained that portscanners and network monitoring tools look suspicious and removed them automatically, and Avast identified my own application (written in C++/MFC) as a virus! Once I received an email with a virus in it and it was included in Avast's signatures

Re:It Could Be Rising Tech Really Is Malicious

[NeverVotedBush]

I never said the American ones were good. I only said that I wouldn't install the Chinese or Russian ones. The simple reason being that China and Russia both are big into network infiltration and the USA is a prime target. I don't believe in handing over a back door. I have no clue if Kaspersky or Rising Tech are fronting or providing back doors for their respective governments. Maybe they are and maybe they aren't. But there is a very real possibility that they are.

And you say your virus checkers of choice have detected "ALL" viruses? How do you know? Ask anyone who knows anything about AV software and they will tell you that the new ones are frequently missed completely because their behaviors or signatures are unknown. Until your AV company of choice puts in new definitions, you simply do not see them -- even though you may be infected and possibly infecting others. You even cite such an example yourself. If Kaspersky was to decide not to include a signature - say for a Russian government botnet back door - then you don't know it's there.

The fact is (and please go look at SANS or other websites that report such news) that China, Russia, and actually just about every country in the world have discovered that you can use the Internet for lots of military and economic gain. You can pull out sensitive data. You can set up systems so that if you ever need or want to, you can cripple infrastructure. You can wreck economic havoc. The USA especially uses the Internet for lots of things. Imagine the chaos that would come if you could shut it down with a single command. Trust me - they have.

Countries like Russia and China can go lean on companies to put in whatever hooks they want. I'm not saying they are in Kaspersky's software but I would not ever bet against it.

Re:

[Opportunist]

You may safely assume that KAV has been reversed by now. If it contained rootkits, you would have heard about it.

Re:

[darien]

There's a new version out next month...

Re:

[Opportunist]

Ladies and gentlemen, start your disassemblers! :)

Re:

[zlogic]

If Kaspersky was to decide not to include a signature - say for a Russian government botnet back door - then you don't know it's there.

I think if a computer got infected it doesn't really matter who wrote the virus. For example, McAffee refused to recognise Netbus as a virus - they said it was a remote administration tool. And remember how Gator/Claria sued everyone who identified their software as spyware. Or something like Sony's rootkit may happen. A company, just like the government, can force (or at least try doing so) an antivirus company to exclude malware from their databases.
And don't forget US companies like Microsoft who can th

Re:

[Frankie70]

The very last piece of software I would ever install on my own computers would be a Chinese or Russian anti-virus package. Sure, it may finger other viruses, but it might also allow free access to the "right" people.


Wow, the Chinese & Russian Govt are interested in accessing your
computer. It's great to have such people posting on Slashdot.
This is even better than Wil Wheaton posting here.

Re:

[NeverVotedBush]

I seriously doubt they are interested in my specific computer to exfiltrate data from. However, there are lots of computers owned/operated by lots of key people at key companies or in government, that they probably would like to inspect. Why bother sending an agent when you can do it from halfway around the globe?

You seem to forget the recent flap about how Estonia thinks that the crippling cyber attacks they have been having were or Russian origin? While nobody may be interested in the information on my

Re:

[Frankie70]

I guess people outside the US should stop using all US software.
Any piece of software can be used to own a machine to be part of
Bush's world conquering plans.

The who or the Russians?

[HiggsBison]

You seem to forget the recent flap about how Estonia thinks that the crippling cyber attacks they have been having were or Russian origin?

Great! They have /. filtering out all references to the "". Damn, they're good!

Re:

[theshowmecanuck]

and the U.S. government isn't interested in hacking into people's computers? give me a break. isn't that what that who at&t privacy case was about?

Re:

[Zantetsuken]

Much more likely is that this "Rising Tech" AV is a pseudo-av running an extortion scam and is in fact spyware or other malware. While Symantec and a few others are all too well known for false positives ("Windows kernel is a virus! Delete?") there are a higher percentage where you'll have your homepage hijacked or NetBus type symptoms - background suddenly changed to a malware web-page, infinite Windows Services notification or system tray notifications that "Buy our software and your problems will go away

might as well be selling rocks ..

[rs232]

For all the good the AV industry does, they might as well be selling rocks.

Re:

[Opportunist]

And? Been attacked by a tiger lately?

Seriously. AV tools have their place. They cannot be a replacement for good ol' common sense, but with the advent of MPack [pandasoftware.com] and similar infection tools, they're pretty much the only line of defense you have.

Getting infected is not only for the dumb and lazy anymore.

Re:

[EsbenMoseHansen]

Getting infected is not only for the dumb and lazy anymore.

Heh. One of the nice things about not running windows... no virus. So in that sense it is for the lazy, i.e. the ones that doesn't install something easier to use. Might I suggest Ubuntu?

As a bonus, you'll get more time for your wife/reading slashdot/posting blogs, since you won't be wasting your time with so much gaming anymore ;)

Re:

[zippthorne]

One of the nice things about not running windows... no virus.

how do you know?

Re:

[EsbenMoseHansen]

One of the nice things about not running windows... no virus.

how do you know?

In the same way that I know there is no amadillos in my garden. That is, I have not heard of any, nor encountered anything remotely like a virus in linux. I have heard of worms from the ancient days, and that's pretty much it. Of course, it is not real proof, but there is precious litle that we can definitely prove.

Furthermore, software gets installed via. signed packages from repositories, or compiled by myself in the case I am working on it. That leaves spreading-by-application-bugs, and as nearly all m

Re:

[zippthorne]

Yet, there are anti-virus programs for Linux. So, at least some are known to exist, however weak they may be. But without checking, you don't even know you don't have those.

Now, Granted, I'm typing this from my Ubuntu partition, which I do not virus check, and I also have faith that it has picked up as many viruses as my XP partition (which I do virus check) has over the time I've had each: 0. (XP: 4 years vs. Feisty: 3 months since complete install)

On the other hand, I do have multiverse in my repositori

Re:

[EsbenMoseHansen]

Yet, there are anti-virus programs for Linux. So, at least some are known to exist, however weak they may be. But without checking, you don't even know you don't have those.

You are thinking of clam-AV? All or almost of the virus signatures are window viruses. The one I have installed occasionally finds a (windows)-virus in my email. So actually, I do check my mail at least for virus, and there has yet to be an incident. So there :p

Now, Granted, I'm typing this from my Ubuntu partition, which I do not virus check, and I also have faith that it has picked up as many viruses as my XP partition (which I do virus check) has over the time I've had each: 0. (XP: 4 years vs. Feisty: 3 months since complete install)

To the best of my knowlegde, I had not had a virus since I bought my first computer in the early 90ties, and I have run a number of opperating system... the DOS family up to windows me, the win Nt familiy (2000 only), OS/2, and in the last few yea

Re:

[Opportunist]

As a bonus, you'll get more time for your wife/reading slashdot/posting blogs, since you won't be wasting your time with so much gaming anymore ;)

Or so I thought. Alas, someone came along and decided it would be fun to develop WINE...

Re:

[EsbenMoseHansen]

As a bonus, you'll get more time for your wife/reading slashdot/posting blogs, since you won't be wasting your time with so much gaming anymore ;)

Or so I thought. Alas, someone came along and decided it would be fun to develop WINE...

Ah, but no problem! Just go for 64bit linux, and you are safe once again! :o) (Technically you could install wine in 32bit version, but it's not easy yet. Gutsy might change that, though)

Re:

[ploxiln]

I'd have to disagree. Getting infected is still for the "dumb and lazy", only the threshold is now a lot closer to the "smart and proactive" side of the meter than it used to be. Antivirus software is a losing proposition: It's not useful unless it's _ahead_ of the virus writers, it increasingly suffers from false positives, and if it identifies crap from a wealthy company it can be forced to ignore it. Even without considering the fact that all most successful antivirus packages on the market are crap (fo

Kaspersky aren't the only ones

[Anonymous Coward]

I work as a virus analyst for one of the major antivirus vendors. False positives, which we simply refer to as FP's, are a nasty fact of life, especially as detection becomes more based upon bahavioural analysis; and when software developers name their new application explorer.exe with a default Windows icon....

We had a customer send in a Window Portable Executable file which was flagged as containing a virus released in the early 90's (though the exact name escapes me). Very strange. What was stranger was that when analysed, it contained a plethora of code sequences of worms, trojans and viruses, completely ad verbatim. We then realised we were in fact looking at one of the main dll's of the Rising Sun engine! A false positive fix was not issued, as we reasoned that if a buffer overflow/wrongful jump occured, this malicious code could actually execute. Ie, a user could actually be infected by the cowboy AV scanning method.

Anyway, to this story I laugh and simple say to Rising Sun: learn to code an engine before bringing in lawyers. Oh, and flat file unoptimised code matching is hilariously primitive.

PS, unfortunately, there is no conspiracy this time: just badly thought out design and implementation.

Re:

[Opportunist]

China is learning fast. Why should you hire good programmers and deliver a good program if you can just hire good lawyers and sue everyone who shows that your program is crap?

Worked in other areas like a dream, so...

What kind of idiot......

[Shack24]

.....would be running two AV programs at the same time anyway ?!?!

Re:

[Idbar]

Your original McAfee and the trial period of Norton that never vanished? I know several people that install the corporative AV on their new computers without noticing they have another trial version that came with it. It certainly brings the computer performance down.

Re:

[stonecypher]

It's likely that one was incompletely uninstalled, then the other installed to replace it.

Re:

[flyingfsck]

All the home user 'experts' I know simply install yeat another anti-virus fix off the internet when the first thing doesn't work. It is a lot of fun fixing a machine that is messed up like that.

Re:

[rob1980]

Clearly you've never had to fix computers for a living.

Re:

[Scoldog]

The kinds of idiots I used to deal with at a large retail store in Aus

Idiot comes in with a laptop saying it runs very slow, and he knows why. I'm all ears. He turns it on, waits 10 minutes for it to get to a usable state on the Windows XP desktop, types in MSCONFIG in run, and says "Look. It runs slow because half the drivers aren't Microsoft certified! I want this fixed!"

I don't even bother to try to explain to him that saying a driver is bad because it is not Micrsoft certified is saying a chef is

Happened to me too

[Spacejock]

I have a website with a bunch of my own freeware apps available. On two separate occasions I've had a number of emails from users of major AV software asking me what the hell I was playing at trying to install trojans on their PCs. In both cases it was false positives, one from NAV and the other from the company mentioned in this article (which is what prompted me to post). Each time they eventually got around to correcting their definitions, but sure as anything it'll happen again. And in the meantime, how many dozens or hundreds of people assumed I was one of them there nasty spammer trojan virus people trying to infect their PC?

Why should the onus be on ME to check THEY haven't stuffed up? You can't install and run all the different brands of AV software on one PC, unless you install a bunch of virtual machines with one AV prog on each, and then you'd have to update the definitions daily.

Re:

[NeverVotedBush]

Google recently published a study that approximately 10% of web sites have been hacked and actually do contain malicious code.

Do you run programs like tripwire from a secure, off-net host, that monitor your website box to make sure that it has not been compromised and actually does have malicious code?

False positives trick users. MS is adversarial.

[Futurepower(R)]

Apparently ALL anti-virus software gives false positives. Most of the users have little technical knowledge, and the software makers want to give the impression their software is more useful than it really is. I've seen numerous false positives on systems I use. One "virus" was a text file, with a .TXT extension, and nothing in it but documentation!

But why is anti-virus software so important? Apparently only because Microsoft profits more when its software is full of bugs and malware, and Microsoft is very adversarial toward its customers.

The true cost of a Microsoft operating system is perhaps 10 times its retail cost, because of the heavy maintenance expenses.

Microsoft's anti-customer behavior: Here are some paragraphs I wrote to someone having problems with temp files taking gigabytes of drive space.

On one computer I checked, temp files were stored in 49 different places, and that includes only temp file folders made by the Windows operating system and not temp file folders made by application software.

Why doesn't Microsoft provide a utility to find all the temporary file folders and delete the files when starting or shutting down the computer? Apparently because the company is heavily engaged in adversarial behavior. Most people don't know that temporary files are a problem, and they certainly don't know where to find them; that was a challenge even for me. The temp files sometimes take so much space that there is not enough free space, and the file system begins running much slower.

The file defragmentation program won't run when there is limited free space. A fragmented file system is much slower. And most people don't even know that the defragmentation program exists, or why they should run it. So, their computers become imperceptibly slower and slower until they buy a new computer.

That's apparently why Microsoft software has so much malware, also. At present, there are 30 known vulnerabilities in Windows XP [secunia.com] alone that haven't been fixed. There are 7 known vulnerabilities [secunia.com] in the latest version of Microsoft Internet Explorer browser the the company has not fixed.

Some people say Microsoft software is targeted more often because there are so many copies in use. However, it is well known how to write secure software. Apparently Microsoft managers don't let their programmers finish their work.

Many people who don't know how to keep Microsoft products running buy new computers. Every time someone buys a new PC, they buy a new copy of the Microsoft operating system, even if they already owned a copy. So Microsoft makes more money if the company has defective products.

Microsoft gives each new version of Windows a new name, and many people think the new version is a new product. Somehow it has been arranged that people pay the full amount for new versions, instead of an upgrade price.

The New York Times article Corrupted PC's Find New Home [nytimes.com] also makes that point.

Note that the Apple operating system, OS X [apple.com], and the Open BSD [openbsd.org] operating system have very few vulnerabilities. (The Open BSD web site says 2 in 10 years.) So it is possible to make a secure operating system. The volunteers that make the Open BSD system do security reviews of software to make sure vulnerabilities are not released to customers.

We use Microsoft operating systems because of historical reasons, and because it is expensive to change. In actuality, the business very seldom uses software that runs only under Microsoft Windows, and that is only in specific departments, where it would be easy to provide a second computer.

Re:

[aerthling]

The Open BSD web site says 2 in 10 years.

It actually says 2 remote holes in the base installation in more than 10 years. If you want a full list of all the vulnerabilities in OpenBSD ever, you can count them all here: http://openbsd.org/errata41.html [openbsd.org]

Have fun.

Remote holes are what count for novice home users.

[Futurepower(R)]

How many "remote holes" have been found in the base install of Windows? Hundreds? Remote holes in the base install are what count for novice Windows users, who are mostly at home, with no network, and use their computers only for email, web surfing, and typing a few letters, and signs like "wet paint".

I don't understand your objection, if you are objecting.

Re:

[Anonymous Coward]

Good FUD there.

On one computer I checked, temp files were stored in 49 different places, and that includes only temp file folders made by the Windows operating system and not temp file folders made by application software.

List the folders. All of them. Otherwise, I honestly refuse to believe that. Also, temp files are listed under Disk Cleanup. If you run that (and it will suggest you do if you start running out of space), then it will remove them.

The number of temp files or folders is nothing to do with security.

Only one of the vulnerabilities you listed is critical and requires that someone open a malicious .mdb file specifically in Access 2003. Most of the others require either physical access to the machi

It really *is* known how to write secure software.

[argent]

Secure software doesn't mean "software that has no security holes". It means "software that is designed so that failure doesn't create security holes". Secure software is, by default, inherently safe. Secure software provides feedback on errors. Secure software can not be unlocked except from the "outside". Secure software provides interfaces and protocols with no paths leading to elevated privileges. Secure software provides fault isolation and user-visible and managable layering.

Secure software may have b

Re:

[dabraun]

The poster child for applications that violate these rules is Internet Explorer. In Internet Explorer, it is possible for a webpage to request an applet it provides be installed and run, through a mechanism called "ActiveX".

(1) It is enabled by default.

By default it will ask users if they want to install controls after first showing them the signature information.

(2) It is not possible to launch IE in a way that prevents access to ActiveX plugins already installed.

Completely false - it is trivial to disable

Your answers presume technical knowledge.

[Futurepower(R)]

You said:

"By default it will ask users if they want to install controls after first showing them the signature information."

"... it is trivial to disable activex controls and it can be done without launching the browser (right click on IE in your start menu, chose internet properties.)"

"As per above, you certainly can disable it and it's quite easy to do so."

It seems to me that your statements presume a high amount of technical knowledge. In decades, I have never known even one user to have m

You're an optimist. :)

[argent]

In decades, I have never known even one user to have much technical knowledge. They just want to use computers as a tool, not make computers a time-consuming profession.

You're an optimist. Even the users who DO have technical knowledge get caught by this.

For most of the past fifteen years I have been a system admin for a network of software developers.

I have had several of them come to me and say "Peter, I just clicked OK (or Open, or whatever it was in this case) on that window again and I think I have a v

Sex and the secure application.

[argent]

By default it will ask users if they want to install controls after first showing them the signature information.

In other words, it's enabled by default. The fact that an approval dialog is displayed first is irrelevant: Windows trains people to automatically approve such dialogs, by reflex, because they're presented with them all the time.

Completely false - it is trivial to disable activex controls and it can be done without launching the browser (right click on IE in your start menu, chose internet proper

Re:

[dabraun]

That is an attempt to mitigate the fact that IE is not inherently secure. The problem is that security is like sex... once you're penetrated you're fucked. If an attacker can run code on your computer, even if they protected mode is everything that Microsoft claims (and it isn't), a remote exploit still grants them a beachead to launch further attacks using any resources available to IE... which include the ability to run applications (to attempt a local privilege escalation attack), make network connection

Enter freely and of your own free will.

[argent]

no matter how much you secure the internet browser it is a high risk application by the very nature of what it does (browse complex content created by unknown sources)

Indeed, which is why it should not contain mechanisms for that content to request privilege escalation.

protected mode adds another layer of security

Unfortunately, neither protected mode not IE by themselves provide a very high level of security.

You can completely own the iexplore process and still you can not do any attacks you claim are possi

Next time, skip the anger.

[Futurepower(R)]

Acting out your anger is optional. Next time, try dealing with your anger yourself, rather than making it a problem for others.

You said, "The number of temp files or folders is nothing to do with security."

You didn't read what I said carefully. I said that, if temp files fill the hard drive, the file system becomes slower. And also, even worse, the defrag program refuses to operate. When computers become slow, many users buy a new computer.

A few temporary file locations in the Windows XP operating

On one computer, 75 cache folders.

[Futurepower(R)]

And don't forget cache folders made by the Windows XP OS, and temp folders made by applications:

C:\WINNT\PCHEALTH\HELPCTR\Config\Cache

If you have Microsoft Office installed, there are two more apparently for each user:

C:\Documents and Settings\ user \Application Data\OfficeUpdate12\Cache
C:\Documents and Settings\ user \Application Data\OfficeUpdate12\Temp

And Microsoft provided no guidance to developers, so software companies put temporary files everywhere, and forget to delete them someti

More Windows OS Temp files.

[Futurepower(R)]

I wouldn't want anyone to think that I had listed all the temp folders created by the Microsoft Windows operating system. I just had to stop to do something else. Here are a few more:

One for each user who uses NT Backup:
C:\Documents and Settings\ user \Local Settings\Application Data\Microsoft\Windows NT\NTBackup\temp\

C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Temp o rary ASP.NET Files\
C:\WINNT\Microsoft.NET\Framework\v2.0.50727\Temp orary ASP.NET Files\
C:\WINNT\system32\CatRoot\{127E0A1A-4EF2

Re:

[Kalriath]

Demons, you persist in using APPLICATIONS to mean the Operating System! NT Backup, not an OS component. Installed with the OS, yes. NOT part of it. ASP.NET. Not an OS component. And you decide to tack in folders that don't exist on the PCs of anyone who's actually recently REBOOTED (the ones under CatRoot) and a couple of temporary user-space folders (System has a profile too, you know).

Your entire ranting is a whole load of FUD. I assume if I felt the inclination to look at your "website" (which I d

I found old .tmp files in Catroot.

[Futurepower(R)]

I just rebooted a test system. Result: Old .tmp files in Catroot.

Microsoft.NET files are present in a default install of Windows XP.

NT Backup is the backup program provided with the Windows OS. A backup program is a necessary OS component.

You said, "It's Microsoft, they have plenty of REAL reasons to bash them."

Okay, what are YOUR reasons?

Anyhow, the point is made that there are a LOT of places for malware to hide, far more than even Slashdot readers generally know. Think how difficult it is

Re:

[Kalriath]

I just rebooted a test system. Result: Old .tmp files in Catroot.

Whereas none of my PCs have anything in them. Congratulations, you're an exception.

Microsoft.NET files are present in a default install of Windows XP.

But Temporary ASP.NET Files are not, if you do not install IIS.

NT Backup is the backup program provided with the Windows OS. A backup
program is a necessary OS component.

Actually, Backup can be uninstalled.

Anyhow, the point is made that there are a LOT of places for malware
to hide, far more than even Slashdot readers generally know. Think how
difficult it is for the average user when "temporary" files fill the hard
drive and make Windows slower.

And my points are: 1) and half of them are the fault of third party developers. If they'd used the bloody API to get the temp folder in the first place, there'd be no problem and 2) isn't this all horrendously off-topic?

All programs shipped with an OS are the OS

[aclidiere]

From the point of view of a user who is not an expert, all programs shipped with an operating system are part of the operating system.

This discussion should ultimately benefit those who are the least technically knowledgeable, since they are those who suffer most.

Today, a big majority of computers users are not experts.

Re:

[Tim C]

Are you seriously trying to tell me that per-user, per-application temporary files are a bad thing? That a better solution is to have one or two central locations for temporary files, and force every application developer to worry about file permissions, name-clashes, unexpected over-writing or deletion, etc?

There are a great many reasons to criticise MS, but this isn't one of them. I hate waste as much as the next person, but I've not had to worry about the amount of disk space temp files were taking up in

Re:

[Kalriath]

%TEMP% (usually %LocalAppData%\Temp)

Temporary Directory for programs in User Space

Wherever IE hides its TEMP directory (no, not the cache)

Doesn't exist - bullshit

%SystemRoot% (really, I don't know why)

No temp files are stored in this place by the operating system, save PAGEFILE.SYS which is your virtual memory - bullshit

[Every Drive]\Recycler

The RECYCLE BIN?!? Explicit user action is required to get files there! When empty, it's contents will be the typical stuff - one desktop.ini per user, in a subfolder with the user's SID as it's name. Again - bullshit

[Every Drive]\System Volume Information

System Restore - not a temp folder. No temp files are stored there, but a HUGE amount of your d

The fundamental issue is correct.

[Futurepower(R)]

There are people whose only way of making a living is to work with Windows. Those people sometimes feel very threatened if they learn something new about Windows.

Consider your manner. Basically, you communicate that if you disagree with someone, they are wrong, and not only that, they are to be scorned and otherwise treated badly.

Slashdot readers should remember that no one is paid to comment on Slashdot. If the underlying point is correct, it is not necessary to be particularly intense about a detail

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[LMariachi]

"The most severe unpatched Secunia advisory affecting Apple Macintosh OS X, with all vendor patches applied, is rated Less critical (2/5)"

Laugh away.

Re:

[TheLink]

(I used to work in the IT Security line).

Using OSX is safer (for now), but to say OSX is more secure than Windows is foolishness.

Most of the windows malware _running_ out there don't even care about root/admin privileges. Most are zombie machines to spam or DDoS and spread. Don't need root/admin for that.

By default OSX and Linux run stuff unsandboxed with the same privileges as the logged on user and the logged on user has lots of network privileges, can set up cron jobs, and all other nice stuff (perl + Th

Underlying point: Microsoft is adversarial.

[Futurepower(R)]

I've seen this kind of statement frequently: "OS X is not better."

You said, "By default OSX and Linux run stuff unsandboxed with the same privileges as the logged on user and the logged on user has lots of network privileges, can set up cron jobs, and all other nice stuff..."

By default, and largely because they are forced, most Windows users run with administrator privileges, and malware can modify the operating system. I don't know OS X, but my understanding is that OS X is not that insecure.

Als

Re:

[TheLink]

"most Windows users run with administrator privileges"

Sure, but technically they don't have to and it doesn't really matter in the big picture. Most Linux users would happily do "perl Makefile.pl; make; make test. switch to root, make install" without caring. Most users are ignorant (they can't know everything) and the popular OSes (OSX included) do not make it easy for them to do "the right thing".

It is unreasonable to require a normal person to _correctly_ figure out what an arbitrary program would _actua

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[flyingfsck]

Hmm, OpenBSD is playing it down though. I have nothing against my fellow Calgarian, but Theo's system is certainly not a good as he claims. It is on par with Linux - no better - no worse.

Re:

[Pyrion]

So what do you think would happen if Microsoft did everything right and good from your perspective? Or, more pointedly, how many corporations would Microsoft be putting out of business by fixing all the problems with their operating systems?

Those who stand to make money off of plugging the leaks in Windows would have a pretty damn good case for claiming "anti-competitive behavior."

Important argument: Immoral behavior provides jobs

[Futurepower(R)]

You said, "... how many corporations would Microsoft be putting out of business by fixing all the problems with their operating systems?"

Yours is an argument being made nationally concerning the U.S. government. Something like, "If the U.S. government stops killing people for money [krysstal.com], a lot of U.S. citizens will have to find other jobs."

The jobs will be there. Running a business or a country well helps create prosperity. Prosperity creates jobs.

Problem with WIndows

[cdrguru]

The problem with Windows is the ease-of-use. Let's see... I can email a link to an executable file to someone and when the click the link it runs the program. I can also email the executable itself and upon opening the attachment it will run the program.

This is very helpful in a corporate environment. When there are malicious people on the Internet this is a disaster. Which is the "right" way?

Sure, Windows could be made more secure. Unfortunately, all the security in the world will not prevent a machin

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[SEMW]

"if you run a program and authorize it to run it will run and can affect the operation of the machine" -- I don't wish to sound sarcastic, but what would you suggest an OS should do if you run a program, and explicitely authorize it, apart from, well... run it?

I seem to say this a lot, but...

[_Shad0w_]

I think someone needs to read Hanlon's Razor. Although I think I prefer Ingham's "Cock-up theory" myself.

EULA

[micktaggart]

Won't this be covered by the software product's EULA? As user you have to abide by the license, but as competitor you can bring them to court to get to change the software. Hrrm.

Dumb question: Why not reinstall OS regularly?

[nbauman]

When I go into a computer cafe and sign in, they (apparently) copy a disk image of the hard drive onto my computer. If I pick up any malware, it's eliminated because the whole hard drive is erased and the OS reinstalled for the next customer.

Why can't I do that at home? I could (and do anyway) make a disk image of the partition with my operating system and apps with GHOST or something, save it on a DVD, and re-install it whenever my computer seems to be infected with malware or is acting funny for any reaso

Re:

[Tsuki_no_Hikari]

It's a program like DriveShield. Basically works like reimaging it each time you reboot, but only altered files are overwritten I imagine. You never noticed a speed difference while rebooting.

Either that or it played with the file system and only made things seem like you edited them, while just putting the file in a temp space. Never did try filling the college hard drives. Should have torrented more..

Interesting -- and its not a false positive

[ratboy666]

The idea that an "anti-virus" program that does signature checking against a (almost continuously) updated database of virus signatures is probably a good source of "genetic material" for a virus will eventually occur to someone who does malware.

And, just for grins, its catalogued. So, to use that genetic material, the virus sinply needs the key (and the knowledge that a particular anti-virus program is installed). That is probably denser than trying to keep the infection information with the virus itself.

In other words, target Kaspersky "protected" systems (or any other "anti-virus" vendor" specifically.

Why? Hell, I would do it just because it would amuse me to no end!

OT: Virus Sources

[zippthorne]

Other than the obvious, AV vendors actually creating the beasties they protect against..

Has anyone calculated the odds that a virus could be created by transmission error (assuming negligence in checksumming)?

I'm sure it's very low, but are we talking, "Not before the Heat death of the universe" low or "struck by lightning while being mauled by a bear" low?

F--- the article

[acidrain]

Rising Tech announced on the 30th of May that they were planning to sue the Beijing office of Kaspersky for unfair competitive practices (though it isn't known whether this suit was brought to court).

This is a few scraps of slap talk dredged up from the bowels of the net. It isn't even a lawsuit or a comment by a legal professional, let alone an injunction or any kind of legal ruling.

Also, anti-virus software on Windows is so invasive that running two different scanners at the same time is just plain crazy. I imagine root kits and virus scanners do a lot of the same things. They all make a total mess of your OS. And not being a monopoly, I can't see how Kaspersky has an obligation to play nice with others.

Did you read it?

[www.sorehands.com]

It refers to the lawsuit [interfax.cn] that was filed on May 19th.

lso, anti-virus software on Windows is so invasive that running two different scanners at the same time is just plain crazy. I imagine root kits and virus scanners do a lot of the same things. They all make a total mess of your OS. And not being a monopoly, I can't see how Kaspersky has an obligation to play nice with others.

I agree, mostly. To have multiple anti-virus or spyware packages running resident is nuts. Running Norton is nuts too.
But running mul

Re:

[jargon82]

It's not just "windows making it easy for them" though, it's the simple fact that nearly every windows users runs as admin. We'll see what impact, if any, vista has on this, but in all previous versions it's been a mixed bag and IMO can largely be blamed on a conflict of various policies within Microsoft.

Consider, documentation on programming for the windows OS, from MS, outlines how to write without requiring admin access and generally speaking recommends this. Microsoft produced software, by and large,

Re:

[kb0hae]

Hi. There is a distinction that is being missed here. These infected file are not and should not be identified as viruses. They SHOULD however be identified as infected files. If the anti-virus software cannot remove the virus from the file, and/or the file has been corrupted, the software needs to inform the user that the file may need to be replaced, or the operating systen re-installed.

One of the biggest bugs in Winjdows has always been that it has allowed installers etc... to install files to the sy

Re:

[SEMW]

One of the biggest bugs in Winjdows has always been that it has allowed installers etc... to [...] overwrite files in the system folders. This was a HUGE mistake, that should have been correected long ago!

That WAS corrected long ago. Specifically, Windows 2000 and newer. See http://en.wikipedia.org/wiki/Windows_File_Protecti on [wikipedia.org].

Despite recent articals to the contrary, Vista is NOT secure at all for the average user, because the security "features"are so annoying that the average user turns them off after a very short time.

Could you provide a source for that? Certainly, my experience has been the exact opposite ("the average user" doesn't do many administrative tasks and so practically never sees a UAC prompt, excapt when installing new programs, which isn't often). Of course, I'm willing to be proved wrong if you have any data which suggests that most average users do turn UAC off; but I rather s

Re:

[Cro Magnon]

Despite recent articals to the contrary, Vista is NOT secure at all for the average user, because the security "features"are so annoying that the average user turns them off after a very short time.

Odd. The only time I see Vista's security features is when FF upgrades itself. Certainly not enough to annoy me.