
Microsoft Policies Help Virus Writers, Says Security Firm

Barence writes "Security firm Trend Micro has accused Microsoft of giving malware writers a helping hand by advising users not to scan certain files on their PC because 'they are not at risk of infection.' Trend Micro warns that by making such information available, Microsoft is effectively creating a hit list for malware writers. 'Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,' the company's researcher, David Sancho, writes on the Trend Micro blog."
  • Really? (Score:5, Informative)

    by nametaken ( 610866 ) * on Tuesday December 22, 2009 @01:13PM (#30525352)

    Ok, so buried somewhere in the middle of an online support page about some potential file type exclusions MS mentions:

    *.edb
    *.sdb
    *.log
    *.chk

    ...in certain folders.

    Ok first, I have to assume that most computer users will never see this. I am not concerned that the next time I see my parents computers that they'll have set up file type exclusions.

    Second, if you're excluding file types from scanning, those are probably good ones to exclude. These are files that have contents that are constantly changing and are not generally executable.

    Third, this stinks of "Hey listen to us! Then buy our antivirus."
    "Following the recommendations does not pose a significant threat as of now" But it may some day? Well no shit, doesn't that go for everything?

    Am I missing something? Is this a ridiculous stretch just to bash Microsoft or something? How is this an important read?

  • Nothing new (Score:4, Informative)

    by Hawthorne01 ( 575586 ) on Tuesday December 22, 2009 @01:15PM (#30525378)
    Microsoft's been helping out malware writers since at least 1982...
  • by Anonymous Coward on Tuesday December 22, 2009 @01:19PM (#30525412)

    The blog points out that edb.chk and *.log files should be excluded. These files are used by the ESE/ESENT database engine (used by Active Directory, Exchange Server, Windows Desktop Search, etc.) for database recovery and contain a list of physical database updates, in binary form. Historically the problem has been that these files can contain almost any byte sequence, so virus checkers would start flagging them as infected and quarantine them, breaking database recovery. This can be particularly nefarious for Exchange Server because mailing an infected file as an attachment causes the same bytes to appear in the logfiles. If a virus checker quarantines the logfile then database recovery can be broken -- a neat DoS attack.

    As the logfiles aren't executable, but can contain any byte sequence there isn't any benefit to checking the files, but a lot of damage can be done by 'repairing' or quarantining them.

  • Re:Really? (Score:4, Informative)

    by fluffy99 ( 870997 ) on Tuesday December 22, 2009 @01:25PM (#30525508)

    The MS article also gives specific recommendations for domain controllers and servers, which make good sense as well. The files they list include startup scripts and GPOs which get heavy use. AV can induce severe problems if it keeps locking the files. On the flip side, you should keep an eye on those files, as a compromise (not necessarily a generic detectable virus) could compromise your entire domain. Also note that you should exclude the database files on an Exchange server. Aside from the huge performance hit, you really don't want the AV software deleting or screwing up the entire Exchange store if it sees a virus buried way down in a single email.

  • by nlewis ( 1168711 ) on Tuesday December 22, 2009 @01:38PM (#30525650)

    As I understand it, any file in an NTFS partition can have one or more Alternate Data Streams [securityfocus.com] associated with it, regardless of its type or location. So if you tell someone not to scan something like "Edb.log", does that imply that they should not scan "Edb.log:virus.exe" either?

    I have to agree with Trend Micro on this one. Completely skipping specific files in specific directories may prevent performance issues, but it may also make it easier for malware authors to find new hiding places.

  • Re:It used to be... (Score:4, Informative)

    by QuantumRiff ( 120817 ) on Tuesday December 22, 2009 @01:59PM (#30525930)

    Keep telling your users that. Tell them that QuickTime is just fine (along with Acrobat Reader, while they are at it). And no 3rd party media players have ever had buffer overflow problems...

    Then there was the whole image thing.. http://www.microsoft.com/technet/security/bulletin/ms06-039.mspx [microsoft.com] makes it sound a little more serious than just murking with the file-name.

  • Re:Question (Score:3, Informative)

    by takev ( 214836 ) on Tuesday December 22, 2009 @02:04PM (#30525996)

    There have been issues with actual media files like *.png that caused a buffer overflow in the image decoder and would allow execution of code embedded in the image itself.

    However, it is better to actually fix the buffer overflow instead of scanning files. I guess the only real use for virus scanners, if you and manufacturers keep your system up to date, is to not allow said file to be transported to another computer that has not been updated.

    That is what most Linux and OS X virus scanners mostly do: make sure viruses are found before you send them to a vulnerable computer.

  • by ae1294 ( 1547521 ) on Tuesday December 22, 2009 @02:10PM (#30526072) Journal

    Safe Mode does fine enough for most people. I've been cleaning out viruses

    Viruses perhaps but malware keeps loaders running hidden in the background. All those things you remove reinstall themselves. I do system clean up work and I see it all the time plus often the malware won't even let you run programs like HijackThis, SuperAntiSpyware, or MalwareBytes.

    And of course, no "security" software is ever going to protect you from everything. No one wants pre-emptive protection because it hinders their experience. If you know what you're doing, you won't fall for

    This isn't really true. Things like IE, Flash, Shockwave and Acrobat have zero day exploits that will infect your computer if you stumble on the right email or site. I'd say 85% of infections are from user ignorance but the rest is luck and who you have contact with. (Outlook address books, etc.)

    As for viruses, trojans, spyware, and the likes - I tried to educate people once.

    It's hard for people to grasp "there is nothing you can do to protect yourself except become a techie". You can browse the web with Java, JavaScript, Flash, etc. turned off and still have an app that has a security hole that will infect your system.

    But if you mean telling everyone to run Linux then sure, that pretty much takes care of most of the problems, but then you have to become their go-to person whenever they want to install something. It's all lose-lose; what really needs to happen is better enforcement of the network and better law enforcement involvement. Take all those people trying to protect the children and make them do some real work.

  • Re:Question (Score:3, Informative)

    by value_added ( 719364 ) on Tuesday December 22, 2009 @02:27PM (#30526316)

    I've just configured a new laptop and told the anti-virus to ignore *.jpg, *.avi and *.mp3 on my understanding that it's not possible to hide malware in them and that it will make the scan significantly quicker.

    If you're running an operating system where the permissions are such that everything is executable by default, do you really think that pursuing file extension related tweaks will solve your problems?

    Sorry, but I'm having trouble not laughing. Not at you personally. You'd think Microsoft would have weaned itself from their perverse reliance on file extensions years ago when people first started clamoring about .386 files. JPEG files have a .jpg or .jpeg extension, but log files have an .evt extension. Unless it's a log file. But what kind of log file is it? And which type should I scan?

    Face it, Microsoft makes things up as they go along. Trying to keep up or otherwise make sense of things is a waste of time (unless it's your job, and you're being paid to do it).

  • Re:Question (Score:3, Informative)

    by jonbryce ( 703250 ) on Tuesday December 22, 2009 @04:00PM (#30527976) Homepage

    My virus scanner (MS Security Essentials) picked up a few viruses in mp3 files recently. On further investigation, apparently they weren't mp3 files at all. They were labelled as mp3 files, but were in some other format that prompted Windows Media Player to download a codec from somewhere that contained the payload.

    If you listen to your mp3 files on Winamp, maybe you are OK. Or maybe you are only OK if you update to the latest version which has a security fix.

  • Re:Question (Score:3, Informative)

    by mcgrew ( 92797 ) * on Tuesday December 22, 2009 @04:37PM (#30528550) Homepage Journal

    You're all right with JPG, not sure about AVI, but if you use Windows Media Player don't whitelist MP3. WMA files (IIRC, it's Windows' compressed sound files that are the problem) can have DRM, and its DRM allows it to run other programs. If you rename them with an MP3 extension, most media players will choke, but Windows Media Player will happily run it, DRM virus and all. I tested this several years ago.

    I do remember a few years ago that one picture viewer (don't remember which one) had a bug that allowed a buffer overflow, and you could infect a machine with a specially crafted JPG.

    On second thought, as soon as you install any new software (no matter who from), shut the machine down, boot from a non-writable media (like CD), and scan everything.
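    A defensive check in the spirit of the two posts above (jonbryce's files that were "labelled as mp3" but weren't, and mcgrew's WMA-renamed-to-MP3 case): an added example, not code from the thread, that compares the extension an AV exclusion rule trusts against the file's leading bytes. The ASF header GUID is the published container signature; the sample bytes and function names are constructed for the demo.

```python
import os

# Added example (not from the thread): flag files whose content signature does
# not match the extension an AV exclusion rule would trust.

# ASF/WMA container header GUID (30 26 B2 75 8E 66 CF 11 A6 D9 00 AA 00 62 CE 6C).
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

def sniff_kind(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name entirely."""
    if data.startswith(b"ID3"):                      # ID3v2 tag ahead of MPEG audio
        return "mp3"
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"                                 # raw MPEG audio frame sync (11 set bits)
    if data.startswith(ASF_HEADER_GUID):
        return "asf"                                 # WMA/WMV payload inside an ASF container
    if data.startswith(b"\xff\xd8\xff"):
        return "jpg"                                 # JPEG start-of-image marker
    if data.startswith(b"RIFF") and data[8:12] == b"AVI ":
        return "avi"                                 # RIFF container carrying AVI
    return "unknown"

# Extensions the thread discusses excluding, and the content they are supposed to hold.
EXPECTED_KIND = {".mp3": "mp3", ".jpg": "jpg", ".jpeg": "jpg", ".avi": "avi"}

def find_masquerades(files):
    """Return (name, expected, actual) for excluded-extension files whose bytes disagree."""
    mismatches = []
    for name, data in files:
        ext = os.path.splitext(name)[1].lower()
        expected = EXPECTED_KIND.get(ext)
        if expected is None:
            continue                                 # extension is not on the exclusion list
        actual = sniff_kind(data)
        if actual != expected:
            mismatches.append((name, expected, actual))
    return mismatches

# Constructed sample "files": a genuine MP3, a WMA renamed to .mp3, a JPEG, an AVI, plain text.
SAMPLES = [
    ("song.mp3",  b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 8),
    ("track.mp3", ASF_HEADER_GUID + b"\x00" * 16),
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("clip.avi",  b"RIFF\x00\x10\x00\x00AVI LIST"),
    ("notes.mp3", b"just some text, not audio"),
]

if __name__ == "__main__":
    for hit in find_masquerades(SAMPLES):
        print("%s claims %s but looks like %s" % hit)
```

    Only "track.mp3" (ASF bytes) and "notes.mp3" (text) are reported; the exclusion rule would have skipped both on name alone.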

  • Re:Question (Score:3, Informative)

    by TrancePhreak ( 576593 ) on Tuesday December 22, 2009 @04:49PM (#30528726)
    I prefer to scan software before installing it. You can often scan the installation containers.
  • Re:Question (Score:3, Informative)

    by dave562 ( 969951 ) on Tuesday December 22, 2009 @05:03PM (#30528922) Journal

    You'd think Microsoft would have weaned itself from their perverse reliance on file extensions years ago when people first started clamoring about .386 files. JPEG files have a .jpg or .jpeg extension, but log files have an .evt extension. Unless it's a log file. But what kind of log file is it?

    Don't forget .nfo files. For the longest time, I could count on .nfo files containing the oh so important information about who cracked and couriered my warez. Then Microsoft decided to co-opt the file extension for System Information files. The bastards!

  • by shutdown -p now ( 807394 ) on Tuesday December 22, 2009 @05:30PM (#30529350) Journal

    Any such stub program that loads random binary code from a non-executable file and executes it would likely be identified as a virus itself by any decent AV scanner.
