
Microsoft Policies Help Virus Writers, Says Security Firm

Posted by timothy
from the this-door-to-remain-unlocked-at-all-times dept.
Barence writes "Security firm Trend Micro has accused Microsoft of giving malware writers a helping hand by advising users not to scan certain files on their PC because 'they are not at risk of infection.' Trend Micro warns that by making such information available, Microsoft is effectively creating a hit list for malware writers. 'Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,' the company's researcher, David Sancho, writes on the Trend Micro blog."
  • by Monkeedude1212 (1560403) on Tuesday December 22, 2009 @01:03PM (#30525246) Journal

    I load up Malware Bytes or Super Anti Spyware or some other reputable Anti-Malware program, boot into safe mode, and do a scan of the whole PC.

    Is it I, or anti malware developers, they are sending the message to? Because I certainly don't want to leave an inch of the computer unchecked.

    • by geekboy642 (799087) on Tuesday December 22, 2009 @01:34PM (#30525604) Journal

      If you trust a single byte on the possibly-infected disk, you're not scanning for viruses: You're asking pretty please for the virus to show itself. Most are polite enough, but why take the chance? Use a known-clean read-only media to boot from, and scan the entire drive.

      • I agree - sometimes I get called over because of an "Error" - and I just head over right after work. Turns out the Error is Malware, I didn't bring my LiveCD, what can I do? A majority will get by with safe mode scans. There are those particularly nasty ones though, and as you said, boot from CD, or set it up as a slave drive with the proper security measures.

        • by bberens (965711)
          I ran into this case last week. My mother in law opened some malware and you can't even boot to command line safe-mode. As soon as you log in it logs you back out and goes to the login screen. :( So today I'm going back with a liveCD to try to get the documents off before doing a wipe.
        • by Zerth (26112)

          That's why I keep a stack of livecds in my trunk, next to the jack, and an ISO on my keychain in case the CDs warped in the sun.

          Lately, most of my relatives have upgraded enough they can boot from USB.

    • by ae1294 (1547521)

      boot into safe mode, and do a scan of the whole PC

      Safe mode will do nothing to keep malware from loading at this point....

      Get a WinPE Distro like http://www.ubcd4win.com/ [ubcd4win.com]

      • Re: (Score:3, Interesting)

        by Z34107 (925136)

        To all the people suggesting PE discs - what AV do you use? The vast majority simply do not work in a preboot environment. The ones that do tend to be old versions, which are about as helpful in removing real threats as a dull knife.

        In my experience, the overwhelming majority of viruses are removed by MalwareBytes in safe mode. The ones that aren't leave signs that MalwareBytes can detect (infections it can't delete or that reappear, etc.) The paranoid can confirm with a packet sniffer.

        If you really wan

        • Re: (Score:3, Interesting)

          by ae1294 (1547521)

          To all the people suggesting PE discs - what AV do you use? The vast majority simply do not work in a preboot environment. The ones that do tend to be old versions, which are about as helpful in removing real threats as a dull knife.

          You can use the included driverpacks app to include most LAN/WAN drivers and then use an online scanner if you like or you can install PE to a USB disk and install any Antivirus program you like.

          In my experience, the overwhelming majority of viruses are removed by MalwareBytes in safe mode.

          In my experience those people come back 3 days later with the same virus. MalwareBytes runs in PE now, as does SuperAntiSpyware and HijackThis and a number of Antivirus programs.

          get a USB => IDE/SATA adapter from newegg. Pop out the hard drive and hook it up to a clean machine. Mount the registry hives using regedit, and do a scan with your favorite AV product. No relying on a potentially rooted machine, and no relying on an old/gimped AV product that works in a preboot environment.

          That works, or you can just use a PE Disk [ubcd4win.com] which will auto load your hives for you.

          Then you can run which ever programs you want like Malwa

        • by Mr. DOS (1276020)

          Use Avira AntiVir Rescue System [free-av.com] to get the system into a state where it can boot into Safe Mode, then finish off with MBAM [malwarebytes.org] and possibly SmitFraudFix [geekstogo.com].

                --- Mr. DOS

    • It's more than just that. Super Anti Spyware needs to be set to scan all files (all files greater than its predefined size, and all files of all types). MalwareBytes does not need a settings change.

      Most other software either is not configurable (depending on version) or is configured to only scan "infectable" files.

      My personal experience of late is that I have seen many "non-infectable" files infected such as images, text documents, "unknown" document types, and so on. When I install any AV or AS softw

    • by Lord Kano (13027)

      Bart PE is a good way to do this. You create a cd on a different computer and use it to scan your suspect PC.

      LK

  • Also... (Score:5, Funny)

    by InsertWittyNameHere (1438813) on Tuesday December 22, 2009 @01:04PM (#30525274)
    disabling any backup software will improve "performance and avoid unnecessary conflicts" as well.
  • Are you serious? (Score:4, Insightful)

    by bl4nk (607569) on Tuesday December 22, 2009 @01:09PM (#30525318)
    Helping virus writers? Don't virus writers target the lowest-hanging fruit: the average Joe? Joe sure as hell doesn't read the Microsoft Knowledge Base, let alone knows of its very existence! Let's be realistic, here. This is coming from third-party AV companies, remember... they're fighting to stay relevant.
    • And relevant they are.

      This week: six different local 'family' machines needed junk scraped from them by yours truly, the tech support guy. Why? They didn't understand about renewing their AV subscriptions-- and got infected. Does Microsoft have something inherent in Windows, native to the OS, that prevents contamination? No. Do their products distribute freely with up-to-date malware and virus prevention and thwarting? No. Users have to dig for them, install them, and hope that Microsoft's protection is suffi

    • by causality (777677)

      Helping virus writers? Don't virus writers target the lowest-hanging fruit: the average Joe?

      Joe sure as hell doesn't read the Microsoft Knowledge Base, let alone knows of its very existence! Let's be realistic, here.

      Joe Sixpack does not read the Microsoft KB, true. However, he pays the highest price for the malware problem as you point out. The bickering between Microsoft and AV vendors does at least indirectly affect him. Now, I'd assume that Microsoft would be the foremost expert on Windows for obv

      • by ae1294 (1547521)

        Even if there were a Final Ultimate Security Solution for Windows

        My MS Rep told me Windows 7 WAS that???

    • Off-Limits Liberty (Score:2, Interesting)

      by halfloaded (932071)
      In the Marine Corps, we called it the "off-limits liberty" list. It ended up being a shopping list for all those places you really actually want to go. I know the Marines had the best intention, but c'mon. If I am 20 years old and told, "here is a list of places where they serve underage and where one can 'find a good time'," it's a no-brainer how I am going to use that list.
      • by Lifyre (960576)

        Heck as a 27 year old Marine it makes for some fun reading and something to browse for while at work.

    • by mcgrew (92797) *

      It's as easy to put your malware in a secure place as it is to put it in "my documents", and would be more effective in a "secure" place. If I were writing/spreading malware I'd be hiding it where AV software doesn't look.

      After all, the lowest hanging fruit would be unpatched machines with no AV at all.

    • Microsoft doesn't have any real business interest in secure machines.

      Their reputation is secure among the believers no matter what they do, and their reputation is un-redeemable among those who are not Microsoft believers. They have enough money to buy the hype necessary to cover anything up, relative to the people who spend the most on Microsoft software.

      Shoot, the, "I can't be such a fool!" syndrome helps Microsoft's bottom line when people have to pay to fix Microsoft's bugs.

      No, this makes no sense. Sayi

  • Really? (Score:5, Informative)

    by nametaken (610866) * on Tuesday December 22, 2009 @01:13PM (#30525352)

    Ok, so buried somewhere in the middle of an online support page about some potential file type exclusions MS mentions:

    *.edb
    *.sdb
    *.log
    *.chk

    ...in certain folders.

    Ok first, I have to assume that most computer users will never see this. I am not concerned that the next time I see my parents' computers they'll have set up file type exclusions.

    Second, if you're excluding file types from scanning, those are probably good ones to exclude. These are files that have contents that are constantly changing and are not generally executable.

    Third, this stinks of "Hey listen to us! Then buy our antivirus."
    "Following the recommendations does not pose a significant threat as of now" But it may some day? Well no shit, doesn't that go for everything?

    Am I missing something? Is this a ridiculous stretch just to bash Microsoft or something? How is this an important read?

    • It used to be... (Score:5, Insightful)

      by Anonymous Coward on Tuesday December 22, 2009 @01:23PM (#30525474)
      It used to be that you could tell people to open a picture/film because they were safe. Then movie viewer programs (i.e. media player) started to execute html to download a certificate or decoder. Now you can get a trojan that way. It used to be that by getting an email you could not get a virus. Then Outlook started to actively open email or even hide the extension.

      See the trend? The problem is not that the content cannot be executed, it is that more and more the decoder/reader for such files is looking at active markup or script which allows virus makers to exploit faults (buffer overflow) or execute their own script. Nowadays I would not put it past a crafty virus maker to exploit flaws in notepad...
      • by L0rdJedi (65690)

        Only Windows Media Player accepts executable code at the end of a video. Most other media players still do not do that so they are not susceptible to that attack. With the Outlook image thing, it's actually a VBS file with the .gif or .jpg somewhere else in the name and the actual extension spaced way off at the end, so images are actually still ok. Admittedly, turning off the display of extensions is a boneheaded move that MS still makes on their OS. It seems to be their way of trying to be more "Mac l

      • Ahh, remember the 90's, when people would forward chain mails about how even looking at an email with a certain subject would wipe your entire hard drive? And then how us IT people would have to tell people that it was okay, that reading emails was fine, they were just text, just never, ever execute an attachment you weren't expecting...

        Then outlook got real popular in companies...

        Course, they also used to forward chain mails about "if you forward this to 10 people, Bill Gates would send you $200." and we

        • and we would have to tell them that emails can't be tracked like that..

          You were wrong!! I can't believe you missed that opportunity!!!1 I just received a check from Bill Gates c/o Microsoft Corp. in Redmond, Washington for $1,689.34. It's works! But if you don't forward this to all your friends, someone from Microsoft will come around to collect what you owe!

          ...

        • by Blakey Rat (99501)

          Course, they also used to forward chain mails about "if you forward this to 10 people, Bill Gates would send you $200." and we would have to tell them that emails can't be tracked like that.. Of course, with 1x1 images in emails now.. they can..

          Actually, the majority of mail clients now won't load images from remote servers. Tracking email was much more effective in the Windows 9x days than it is now.

      • Re: (Score:2, Insightful)

        by gsarnold (52800)

        Meh... I think the problem is that about fifteen-some-odd years ago, Microsoft decided against all convention that storing auto-executable code and scripts inside data files was a great idea.

      • by dissy (172727)

        Nowadays I would not put it past a crafty virus maker to exploit flaws in notepad...

        http://seclists.org/fulldisclosure/2008/Jan/339 [seclists.org]

        Yes it is a joke, but a funny one!

    • Re:Really? (Score:4, Informative)

      by fluffy99 (870997) on Tuesday December 22, 2009 @01:25PM (#30525508)

      The MS Article also gives specific recommendations for domain controllers and servers, which make good sense as well. The files they list include startup scripts and GPOs which get heavy use. AV can induce severe problems if it keeps locking the files. On the flip side, you should keep an eye on those files as a compromise (not necessarily a generic detectable virus) could compromise your entire domain. Also note that you should exclude the database files on an Exchange server. Aside from the huge performance hit, you really don't want the a/v software deleting or screwing up the entire exchange store if it sees a virus buried way down in a single email.

      • by NotBorg (829820)

        If your AV software is killing your Exchange database then you should be fired for running it. All the relevant AV vendors provide Exchange integration. I've seen NT 4 boxes with it (it's not new).

        Home editions are for home computers not for your business' servers. Get the AV package that says "server" on it.

        • by fluffy99 (870997)

          Okay, hop off that pedestal of superior knowledge for a moment. There are a lot of small businesses running exchange. A significant portion of whom are running consumer or small-business versions of antivirus including those intended for servers. Now realize that their IT guy is usually only part time and probably not an expert. A recipe for disaster I know, but small businesses can't devote much resources to IT.

          As for antivirus vendors, Symantec Endpoint Protection client for servers installs just fine an

    • Re: (Score:2, Interesting)

      by rdavidson3 (844790)
      Who's to say that the malware doesn't have an executable renamed to have a log extension, and the antivirus skips over it. How trivial would it be to have a loader that does nothing except load "safe" files and do its bad things under the cloak of "but it's a log file.... it should be safe".

      Excluding any files on the computer is a bad thing, and needs to be discouraged.
      • by clodney (778910)

        Who's to say that the malware doesn't have an executable renamed to have a log extension, and the antivirus skips over it. How trivial would it be to have a loader that does nothing except load "safe" files and do its bad things under the cloak of "but it's a log file.... it should be safe".

        Excluding any files on the computer is a bad thing, and needs to be discouraged.

        So if you manage to get an executable onto the system, you can then use it to execute a malicious payload hidden in a seemingly innocuous file?

        If I can get an executable on the system, I have already compromised your security. Why bother with a hidden payload at that point?

    • by Amouth (879122)

      I didn't read the article or the KB, but from the types you have listed, the first thing that came to mind:

      Exchange.

      edb/sdb belong to Exchange stores; log is common but also used for transaction logs, and chk, if I remember right, is used when rebuilding from TLs or doing an offline defrag.

      Given the type of shit that's in mailboxes and queues, and that it isn't executable - sure, stuff is there, but not a risk.

      Then given the normal actions of AV software (hey I found shit in this file - remove handles, deny access - hey u

      • Yeah, in exchange's case what you need is something that hooks into the databases and scans the mail directly. Scanning a database as a virus just isn't going to work. It's like a zip file with a virus inside. You can scan the zip file and it'll pass. You need to look inside to figure out if you're safe.

    • by Shimbo (100005)

      Third, this stinks of "Hey listen to us! Then buy our antivirus."

      It's an antivirus vendor blog FFS, what did you expect?
       
      Why do so many of them end up as front-page stories? Don't ask me.

    • Am I missing something? Is this a ridiculous stretch just to bash Microsoft or something? How is this an important read?

      The entire idea of scanning for signatures is what's ridiculous. This broken model of ring-based security is what's ridiculous. Buy into those ideas and yeah, it would make sense then to exclude certain file types.

      What's needed is something like Tripwire, built into a bootable flash drive and Microsoft (and other vendors) releasing hashes of their files. But it's easier to do reactive security than proactive security -- and by easier I mean shoving the costs onto the consumers. At least then we could verify

      • by causality (777677)

        The entire idea of scanning for signatures is what's ridiculous. This broken model of ring-based security is what's ridiculous. Buy into those ideas and yeah, it would make sense then to exclude certain file types.

        I don't think that ring-based security is broken merely because Microsoft and developers of most Windows software refuse to utilize the principle of least-privilege. OpenBSD uses the ring-based security of modern processors to great effect.

        • OpenBSD uses the ring-based security of modern processors to great effect.

          True, but then OpenBSD was designed with security in mind from the ground up.

          • by drsmithy (35869)

            True, but then OpenBSD was designed with security in mind from the ground up.

            No, it's just really well audited and minimally configured to the point of uselessness by default.

            If it was designed "with security in mind from the ground up", it wouldn't have a superuser and it sure as hell wouldn't be using the archaic user/group/other security model of traditional UNIX.

  • Maybe Microsoft should just say: Vista and Windows 7 are so secure there is no point in scanning anything. As these OSs are safe because of UAC :)

  • Nothing new (Score:4, Informative)

    by Hawthorne01 (575586) on Tuesday December 22, 2009 @01:15PM (#30525378)
    Microsoft's been helping out malware writers since at least 1982...
  • by Anonymous Coward on Tuesday December 22, 2009 @01:19PM (#30525412)

    The blog points out that edb.chk and *.log files should be excluded. These files are used by the ESE/ESENT database engine (used by Active Directory, Exchange Server, Windows Desktop Search, etc.) for database recovery and contain a list of physical database updates, in binary form. Historically the problem has been that these files can contain almost any byte sequence, so virus checkers would start flagging them as infected and quarantine them, breaking database recovery. This can be particularly nefarious for Exchange Server because mailing an infected file as an attachment causes the same bytes to appear in the logfiles. If a virus checker quarantines the logfile then database recovery can be broken -- a neat DoS attack.

    As the logfiles aren't executable, but can contain any byte sequence there isn't any benefit to checking the files, but a lot of damage can be done by 'repairing' or quarantining them.

    • Re: (Score:3, Interesting)

      by Aladrin (926209)

      But by the same logic, I could write a virus that hides itself in files called edb.chk and mail.log and keep the code that a virus scanner would find in there. Then just load that into memory from some stub program.

      That's what the article is warning about.

      • Re: (Score:3, Informative)

        Any such stub program that loads random binary code from a non-executable file and executes it would likely be identified as a virus itself by any decent AV scanner.

      • by drsmithy (35869)

        But by the same logic, I could write a virus that hides itself in files called edb.chk and mail.log and keep the code that a virus scanner would find in there.

        This virus brought to you by the Dept. of Redundancy Department.

    • You also don't want to check any intensively accessed files in general. It can add a lot of overhead if the thing is being continually accessed by many different users/processes.

      For example on my system I have excepted EWI and EWS files from checking. Those files are the instruments and samples for the virtual instruments I use. The reason for the exception is that they are accessed in a very intense manner. The system has to read them in very quickly to stream sample data off the disk in realtime and you c

  • "'Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,' the company's researcher, David Sancho, writes on the Trend Micro blog."

    It won't make a bit of difference, as AV software doesn't work already. A more realistic solution would be to allow a whitelist of known good software.

    'Why is "Enumerating Badness [ranum.com]" a dumb idea? It's a dumb idea because sometime around 1992 the amount of Badness in the Internet began to vastly outweigh the amount of
    • by mcgrew (92797) *

      Then the malware writers would write viruses that attacked programs in the white list. A better approach would be better QC by the software companies; it's hard for a worm to wiggle through a hole that isn't there.

  • by m2pc (546641)
    It does open up some security concerns when an A/V utility is advised to "skip over" certain files. A malware writer could easily exploit this and simply mask their executable "payload" with one of the "non scannable" file extensions to avoid detection. Malware could easily modify the registry to make one of these "non executable" extensions open with the windows shell, causing them to become executable even without the .EXE extension. This would only work, however, if the resident portion of the malware
    • by jim_v2000 (818799)
      >This would only work, however, if the resident portion of the malware was able to evade detection.

      Yes, so really, if you're already infected, the virus can pretty much do whatever it wants to your system, including breaking your antivirus. The "security concerns" with excluding those extensions are not really security concerns at all.
  • by nlewis (1168711)

    As I understand it, any file in an NTFS partition can have one or more Alternate Data Streams [securityfocus.com] associated with it, regardless of its type or location. So if you tell someone not to scan something like "Edb.log", does that imply that they should not scan "Edb.log:virus.exe" either?

    I have to agree with Trend Micro on this one. Completely skipping specific files in specific directories may prevent performance issues, but it may also make it easier for malware authors to find new hiding places.
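The points made in the Anonymous Coward comment above (ESE logs and checkpoints can hold any byte sequence, so quarantining them breaks recovery), in rdavidson3's comment (an executable renamed to a skipped extension) and in nlewis's comment just above (alternate data streams on an excluded file) can be shown together in one toy on-access policy. This is an added example, not code from Microsoft, Trend Micro or any commenter; the folder paths, the sample file contents and the "MZ" header check are assumptions constructed for illustration.

```python
import fnmatch
import ntpath
from dataclasses import dataclass

# Exclusions modelled on the KB advice quoted in the thread: the database
# engine's *.edb/*.log/*.chk (and *.sdb) files are skipped only inside the
# folders that hold them, never by extension across the whole disk.
# The folder paths below are ASSUMED for this example, not taken from the KB.
SCOPED_EXCLUSIONS = {
    r"C:\Program Files\Exchange\Mdbdata": ("*.edb", "*.log", "*.chk"),
    r"C:\Windows\NTDS": ("*.edb", "*.sdb", "*.log", "*.chk"),
}
_SCOPED = {ntpath.normcase(k): v for k, v in SCOPED_EXCLUSIONS.items()}

# First bytes of a Windows PE image ("MZ"); used to notice an executable that
# was renamed to a harmless-looking extension in a folder that is NOT excluded.
PE_MAGIC = b"MZ"
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com"}


@dataclass
class Stream:
    path: str    # an NTFS alternate data stream is written as "file:streamname"
    data: bytes


def split_ads(path):
    """Split 'C:\\x\\Edb.log:virus.exe' into ('C:\\x\\Edb.log', 'virus.exe').
    A plain path comes back with an empty stream name."""
    head, tail = ntpath.split(path)
    if ":" in tail:
        base, stream = tail.split(":", 1)
        return ntpath.join(head, base), stream
    return path, ""


def is_excluded(path):
    """An exclusion covers only the primary data stream of a matching file
    name inside one of the scoped folders; alternate streams are never skipped."""
    primary, stream = split_ads(path)
    if stream:
        return False
    folder, name = ntpath.split(primary)
    patterns = _SCOPED.get(ntpath.normcase(folder), ())
    return any(fnmatch.fnmatch(name.lower(), p) for p in patterns)


def verdict(stream):
    """Return 'excluded', 'executable-disguised' or 'scanned' for one stream."""
    if is_excluded(stream.path):
        # ESE logs and checkpoints can legitimately contain any byte sequence,
        # so inspecting them would only invite the false positives that break
        # database recovery; they are left alone.
        return "excluded"
    primary, _ = split_ads(stream.path)
    ext = ntpath.splitext(primary)[1].lower()
    if stream.data.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTS:
        return "executable-disguised"
    return "scanned"


def scan(streams):
    """Map each stream path to its verdict."""
    return {s.path: verdict(s) for s in streams}


# Constructed sample streams (file contents are made up, not real files).
SAMPLE = [
    # Transaction log in the scoped Exchange folder whose bytes happen to start
    # like a PE image (e.g. a mailed attachment copied into the log): skipped.
    Stream(r"C:\Program Files\Exchange\Mdbdata\E00.log", b"MZ\x90\x00" + b"\xff" * 8),
    # Checkpoint file in the scoped AD folder: skipped.
    Stream(r"C:\Windows\NTDS\edb.chk", b"\x00" * 12),
    # Same extension outside any scoped folder, with PE bytes: not excluded,
    # and the content check flags the mismatch.
    Stream(r"C:\Users\joe\Downloads\invoice.log", b"MZ\x90\x00\x03" + b"\x00" * 8),
    # Alternate data stream hung off an excluded file: the exclusion does not
    # apply to the stream, so it is inspected and flagged.
    Stream(r"C:\Program Files\Exchange\Mdbdata\E00.log:hidden.exe", b"MZ" + b"\x00" * 10),
    # Ordinary picture with a JPEG header: no exclusion, just scanned.
    Stream(r"C:\Users\joe\Pictures\cat.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8),
]

if __name__ == "__main__":
    for path, result in scan(SAMPLE).items():
        print(f"{result:22} {path}")
```

The folder-scoped exclusion keeps the recovery files out of the quarantine path while the same extension elsewhere, or a stream attached to the file, still gets looked at.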

  • In this day and age we should not need antivirus software and firewalls- Microsoft wake up! What the hell is going on here? A whole market devoted to protecting an OS that we all have to pay for when we buy a new PC?
    So, Microsoft taxes all new PCs, and we pay av vendors even more to protect the Microsoft OS.
    This is surreal and sick.
    We should ALL demand that our employers use Ubuntu ... every day ... until they give in...

    • by Karlt1 (231423)

      In this day and age we should not need antivirus software and firewalls- Microsoft wake up! What the hell is going on here? A whole market devoted to protecting an OS that we all have to pay for when we buy a new PC?
      So, Microsoft taxes all new PCs, and we pay av vendors even more to protect the Microsoft OS.
      This is surreal and sick.
      We should ALL demand that our employers use Ubuntu ... every day ... until they give in...

      So exactly how do you propose that an operating system prevent a user from downloading m

      • Re: (Score:3, Insightful)

        by rantingkitten (938138)
        So exactly how do you propose that an operating system prevent a user from downloading malware that can destroy the users files?

        Partly because the notion of distro-maintained repositories, containing tens of thousands of packages, vetted and verified by people who know way more than you or I, and subsequently checked by thousands of people who use them and examine them, is an inherently safer method than the Microsoft ecosystem method of "search the web and download unknown binary installers from god-kno
    • Re: (Score:3, Funny)

      by daveime (1253762)

      We should ALL demand that our employers use Ubuntu

      Mr Employer, can I interest you in an open-source, free, screensaver ?

    • by Coren22 (1625475)

      Then when Linux is attacked in the same way as Windows we will see just how secure it is? There have been viruses written for Linux, it is not inherently secure.

      • Re: (Score:3, Insightful)

        by causality (777677)

        Then when Linux is attacked in the same way as Windows we will see just how secure it is? There have been viruses written for Linux, it is not inherently secure.

        With the millions of Linux machines out there, you'd think at least some of those viruses would be propagating in the wild. Not a large number, mind you, because of Linux's small percentage of marketshare. But if Linux is no more secure than Windows, that number should be significantly more than zero. Yet it isn't. Your common sense should tell you that this is a flaw in your theory there.

        The viruses that exist for Linux are generally proof-of-concept examples, but they aren't actually attacking and

        • by jpmorgan (517966)

          Network effect [wikipedia.org].

    • We should ALL demand that our employers use Ubuntu ... every day ... until they give in...

      Oh boy.

      Oh boy.

      Your employer pays Microsoft to use Microsoft's OSs. If your employer wants to stop paying Microsoft and use Ubuntu, I'm sure they can. Maybe they don't want to. In which case, demanding it probably won't do too much for you.

      Of course, if someone actually demonstrated the same efficiency, no configuration issues, no breakages every time Ubuntu decides to roll out an upgrade, etc., maybe more employers would listen. Or perhaps if Ubuntu offered paid support (do they? I don't know).

      There's a

    • by L0rdJedi (65690)

      Yeah, good luck with that. I'm sure the other guy, ya know, the one that's willing to use Windows, will enjoy taking your job.

  • Question (Score:3, Interesting)

    by Mr_Silver (213637) on Tuesday December 22, 2009 @01:44PM (#30525708)

    I've just configured a new laptop and told the anti-virus to ignore *.jpg, *.avi and *.mp3 on my understanding that it's not possible to hide malware in them and that it will make the scan significantly quicker.

    Am I right? Or is it a good idea to remove those exclusions?

    • Re: (Score:3, Informative)

      by takev (214836)

      There have been issues with actual media files like *.png that caused a buffer overflow in the image decoder and would allow execution of code embedded in the image itself.

      However it is better to actually fix the buffer overflow instead of scanning files. I guess the only real use for virus scanners, if you and manufacturers keep your system up to date, is to not allow said file to be transported to another computer that has not been updated.

      That is what most linux and os x virus scanners mostly do, to mak

    • Re: (Score:3, Informative)

      by value_added (719364)

      I've just configured a new laptop and told the anti-virus to ignore *.jpg, *.avi and *.mp3 on my understanding that it's not possible to hide malware in them and that it will make the scan significantly quicker.

      If you're running an operating system where the permissions are such that everything is executable by default, do you really think that pursuing file extension related tweaks will solve your problems?

      Sorry, but I'm having trouble not laughing. Not at you personally. You'd think Microsoft would have

      • Re: (Score:3, Informative)

        by dave562 (969951)

        You'd think Microsoft would have weaned itself from their perverse reliance of file extensions years ago when people first started clamoring about .386 files. JPEG files have a .jpg or .jpeg extension, but log files have an .evt extension. Unless it's a log file. But what kind of log file is it?

        Don't forget .nfo files. For the longest time, I could count on .nfo files containing the oh so important information about who cracked and couriered my warez. Then Microsoft decided to co-opt the file extension

        • Don't forget .nfo files .. Microsoft decided to co-opt the file extension for System Information files. The bastards!

          LOL. I haven't gotten over that one myself. At the time, I suspected it was deliberate choice, and a portent of Bad Things to come (WGA, as it turned out).

          IIRC, within a year of that change, I stopped using Windows altogether and left the warez scene behind me. Funny how those two go hand in hand.

    • Re: (Score:3, Informative)

      by jonbryce (703250)

      My virus scanner (MS Security Essentials) picked up a few viruses in mp3 files recently. On further investigation, apparently they weren't mp3 files at all. They were labelled as mp3 files, but were in some other format that prompted Windows Media Player to download a codec from somewhere that contained the payload.

      If you listen to your mp3 files on Winamp, maybe you are OK. Or maybe you are only OK if you update to the latest version which has a security fix.

    • Re: (Score:3, Informative)

      by mcgrew (92797) *

      You're all right with JPG, not sure about AVI, but if you use Windows Media Player don't whitelist MP3. WMA files (IIRC, it's windows' compressed sound files that are the problem) can have DRM, and its DRM allows it to run other programs. If you rename them with an MP3 extension, most media players will choke, but Windows Media Player will happily run it, DRM virus and all. I tested this several years ago.

      I do remember a few years ago that one picture viewer (don't remember which one) had a bug that allowed

      • Re: (Score:3, Informative)

        by TrancePhreak (576593)
        I prefer to scan software before installing it. You can often scan the installation containers.
  • by onyxruby (118189) <onyxruby&comcast,net> on Tuesday December 22, 2009 @01:51PM (#30525812)
    A computer law is needed here, it is a simple best practice that someone needs to carve into stone. "Thou shalt not practice security through obscurity". Nice and simple, covers so very very much and could have saved this anti-virus vendor some public humiliation. This law applies to any operating system or application without fail.
  • Any AV has a "select files to avoid" functionality, to bypass going through files that you know are ok, and save some time from the memory hog that our AVs are these days. So in fact, if we can say "forget about these" to an AV, why would this be any different?
    As long as M$ allows that list to be modified to have nothing in the list to avoid, as per each user's preference when installing, I have no problem. The problem comes when M$ decides for you, and does not allow any changes to that config.

    I am not a fan o

  • The biggest problem is getting the system secured to the point where remote sites can't drop the files in the first place. Scanning executables isn't going to get you 100% infection free anyway because newer exploits change the stealth algorithm all the time. People need to move away from this idea that virus scanning is the first line of defense because it's not. All it is, is damage control.
