Microsoft Policies Help Virus Writers, Says Security Firm
Barence writes "Security firm Trend Micro has accused Microsoft of giving malware writers a helping hand by advising users not to scan certain files on their PC because 'they are not at risk of infection.' Trend Micro warns that by making such information available, Microsoft is effectively creating a hit list for malware writers. 'Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,' the company's researcher, David Sancho, writes on the Trend Micro blog."
Do "Users" have a choice? (Score:3, Insightful)
I load up Malware Bytes or Super Anti Spyware or some other reputable Anti-Malware program, boot into safe mode, and do a scan of the whole PC.
Is it I, or anti-malware developers, they are sending the message to? Because I certainly don't want to leave an inch of the computer unchecked.
Are you serious? (Score:4, Insightful)
Re:Do "Users" have a choice? (Score:1, Insightful)
Safe mode isn't good enough. You want to run it in the pre-boot environment (what Windows Setup / chkdsk runs in).
Also, believing that some half-assed "security" software is going to protect you from everything bad is just stupid.
It used to be... (Score:5, Insightful)
See the trend? The problem is not that the content cannot be executed, it is that more and more the decoder/reader for such files is looking at active markup or script, which allows virus makers to exploit faults (buffer overflows) or execute their own script. Nowadays I would not put it past a crafty virus maker to exploit flaws in notepad...
Re:Do "Users" have a choice? (Score:5, Insightful)
If you trust a single byte on the possibly-infected disk, you're not scanning for viruses: You're asking pretty please for the virus to show itself. Most are polite enough, but why take the chance? Use a known-clean read-only media to boot from, and scan the entire drive.
A computer law is needed (Score:4, Insightful)
Re:Do "Users" have a choice? (Score:3, Insightful)
You need not become an expert to protect yourself; you only have to achieve competency. That's all you need to exercise best practices. To give a tired old car analogy, they don't need to be mechanics, they just need to be safe drivers. I'll use the classic Trojan horse program as an example: you don't need to understand how a trojan installs a backdoor into your system and makes it join a botnet; you only need to understand that running untrusted executables is a bad idea. I think the biggest falsehood being perpetuated here is that you are either totally ignorant or you're an elite expert. Users buy into this falsehood anytime you give them basic precautionary steps they can take and they say "but I'm not a geek!" This is despite the fact that you don't need to be a geek to follow illustrated step-by-step instructions, you only need to be literate.
I think the marketing of most commercial software is partly to blame here. "Easy to use" isn't an inherently bad thing, but it is a disservice to users when it connotes "you can use this in a totally mindless fashion with zero understanding and never have any problems."
We already have laws against computer intrusion. The problem is twofold: catching the actual perpetrators, who go to great lengths to conceal their identities; and prosecuting them when they are in other countries/jurisdictions. Protecting the clueless is the same as protecting the children, only it's worse. It's worse because children cannot be other than children, while the clueless could decide that learning is important to them.
I think the real way to deal with this is to put real security into Windows. Removing an infection after-the-fact is not real security. It is only damage control. Windows needs a real security system that can prevent intrusions in the first place with no third-party software needed. The goal here is not perfect security. The goal is to make our systems secure enough that automated attacks are no longer successful. Then malware authors cannot just write a program one time and use it over and over again to infect millions of machines. Achieve that, and intrusions require dedicated human effort for each compromised machine and can no longer occur on massive scales with little effort. Then and only then does it make sense to think about prosecuting the computer crimes that remain.
Re:won't make a bit of difference (Score:1, Insightful)
It won't make a bit of difference, as AV software doesn't work already. A more realistic solution would be to allow a whitelist of known good software.
Yeah. We could call it... Trusted Computing. And require that all executable code be signed by Microsoft.
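The whitelist idea debated above, as an added illustration that is not code from any poster: a hash-based allow-list check that examines every file under a directory and flags anything not in a known-good manifest, the opposite of an exclusion list that tells the scanner which locations to skip. The manifest, directory layout and file contents are constructed for the demo; a real deployment would sign and distribute the manifest out of band.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Snapshot every regular file under root as relative path -> SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_against_manifest(root: Path, manifest: dict) -> dict:
    """Report files that are unknown (absent from the manifest) or modified
    (hash differs). Every file is examined; no directory is 'safe to skip'."""
    findings = {"unknown": [], "modified": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        expected = manifest.get(rel)
        if expected is None:
            findings["unknown"].append(rel)
        elif expected != sha256_of(p):
            findings["modified"].append(rel)
    return findings


def demo() -> dict:
    """Constructed scenario: approve two files, then drop an unapproved binary
    into the same directory and tamper with an approved one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "tool.exe").write_bytes(b"MZ good tool")
        (root / "config.ini").write_text("[app]\nverbose=0\n")
        manifest = build_manifest(root)  # the known-good snapshot
        (root / "bin" / "dropper.exe").write_bytes(b"MZ not approved")
        (root / "bin" / "tool.exe").write_bytes(b"MZ patched tool")
        return check_against_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```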
Re:It used to be... (Score:2, Insightful)
Meh... I think the problem is that about fifteen-some-odd years ago, Microsoft decided against all convention that storing auto-executable code and scripts inside data files was a great idea.
Re:This is sick! (Score:3, Insightful)
Then when Linux is attacked in the same way as Windows we will see just how secure it is? There have been viruses written for Linux, it is not inherently secure.
With the millions of Linux machines out there, you'd think at least some of those viruses would be propagating in the wild. Not a large number, mind you, because of Linux's small percentage of marketshare. But if Linux is no more secure than Windows, that number should be significantly more than zero. Yet it isn't. Your common sense should tell you that this is a flaw in your theory there.
The viruses that exist for Linux are generally proof-of-concept examples, but they aren't actually attacking and infecting Linux machines successfully. That's despite the large number of Linux servers that have both lots of system resources (CPUs, RAM, etc.) and high-speed connections, which would make them very attractive targets. I bet all of this is a real mystery to you if you believe that Windows and Linux are equally secure.
Re:This is sick! (Score:3, Insightful)
Partly because the notion of distro-maintained repositories, containing tens of thousands of packages, vetted and verified by people who know way more than you or I, and subsequently checked by thousands of people who use them and examine them, is an inherently safer method than the Microsoft ecosystem method of "search the web and download unknown binary installers from god-knows-where which will do god-knows-what to your system".
Yes, with Ubuntu you can download random, untrusted nonsense and run it. But it's essentially never necessary; there's just no reason. The Windows model, on the other hand, actively encourages such stupid behavior. Big surprise, people end up installing dumb things even without realising it.
Even when you think you know and trust the source you can get burned. When Chrome came out I installed it to see what all the fuss was about (nothing; it's a piece of garbage). Hey, it's Google, they're good guys, I know them, right? Right. So imagine my annoyance when it silently installed some "Google Updater" alongside, without asking or telling me, and was sending fuck-knows-what information to fuck-knows-who for fuck-knows-what reasons. And it wouldn't uninstall when I got rid of Chrome. I ended up having to manually remove its directory because it kept coming back. That, to me, is the very definition of spyware, and I thought I knew where I was getting this allegedly safe software.
Things like this are why Windows is vastly inferior in every aspect of security. The idea of downloading and running random, untrustable, closed binaries from random, untrustable sites is a fantastic way to get infected. It's the single largest vector of infection there is, by a ridiculous margin. The Linux model of package management eliminates this.