Microsoft Policies Help Virus Writers, Says Security Firm

Barence writes "Security firm Trend Micro has accused Microsoft of giving malware writers a helping hand by advising users not to scan certain files on their PC because 'they are not at risk of infection.' Trend Micro warns that by making such information available, Microsoft is effectively creating a hit list for malware writers. 'Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,' the company's researcher, David Sancho, writes on the Trend Micro blog."
  • by m2pc ( 546641 ) on Tuesday December 22, 2009 @01:28PM (#30525540) Homepage
    It does open up some security concerns when an A/V utility is advised to "skip over" certain files. A malware writer could easily exploit this and simply mask their executable "payload" with one of the "non scannable" file extensions to avoid detection. Malware could easily modify the registry to make one of these "non executable" extensions open with the Windows shell, causing them to become executable even without the .EXE extension. This would only work, however, if the resident portion of the malware was able to evade detection.
  • by Aladrin ( 926209 ) on Tuesday December 22, 2009 @01:43PM (#30525702)

    But by the same logic, I could write a virus that hides itself in files called edb.chk and mail.log and keep the code that a virus scanner would find in there. Then just load that into memory from some stub program.

    That's what the article is warning about.

  • Question (Score:3, Interesting)

    by Mr_Silver ( 213637 ) on Tuesday December 22, 2009 @01:44PM (#30525708)

    I've just configured a new laptop and told the anti-virus to ignore *.jpg, *.avi and *.mp3 on my understanding that it's not possible to hide malware in them and that it will make the scan significantly quicker.

    Am I right? Or is it a good idea to remove those exclusions?

  • Re:Really? (Score:2, Interesting)

    by rdavidson3 ( 844790 ) on Tuesday December 22, 2009 @01:58PM (#30525916)
    Who's to say that the malware doesn't have an executable renamed to have a log extension, and the antivirus skips over it. How trivial would it be to have a loader that does nothing except load "safe" files and do its bad things under the cloak of "but it's a log file.... it should be safe".

    Excluding any files on the computer is a bad thing, and needs to be discouraged.
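A content-based check for the masking that m2pc, Aladrin and rdavidson3 describe above, as an added example that is not from the article or any commenter: it walks a directory and reports files whose extension is on an exclusion list but whose bytes carry a Windows PE header, so an executable renamed to mail.log or photo.jpg is still flagged. The exclusion list and the sample files are constructed from names mentioned in this thread, not an official Microsoft list.

```python
import os
import struct
import tempfile

# Assumption: extensions the comments mention as "don't scan" candidates.
EXCLUDED_EXTENSIONS = {".chk", ".log", ".jpg", ".avi", ".mp3"}


def looks_like_pe(data: bytes) -> bool:
    """True if data starts a Windows PE image: 'MZ' DOS header whose
    e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # A short slice (e_lfanew beyond the buffer) simply fails the compare.
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_masked_executables(root: str) -> list:
    """Return paths under root whose extension is on the exclusion list
    but whose content is a PE executable, i.e. files a name-based
    exclusion would skip even though they are code."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in EXCLUDED_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(4096)  # header check only needs the first bytes
            if looks_like_pe(head):
                hits.append(path)
    return sorted(hits)


def fake_pe_bytes() -> bytes:
    """Constructed minimal PE header (not a runnable program): MZ stub with
    e_lfanew = 0x40, followed by the 'PE\\0\\0' signature."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + bytes(20)


def demo() -> list:
    """Constructed sample tree; returns the basenames the scan reports."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "mail.log": fake_pe_bytes(),           # executable hiding as a log
            "edb.chk": b"checkpoint data\n",       # benign excluded file
            "photo.jpg": b"\xff\xd8\xff\xe0JFIF",  # genuine JPEG magic
            "tool.exe": fake_pe_bytes(),           # honest name, not excluded
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return [os.path.basename(p) for p in find_masked_executables(root)]
```

The point is that the check ignores the file name entirely; only the bytes decide, which is why a scanner that honours name-based exclusions cannot make the same decision.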
  • by Z34107 ( 925136 ) on Tuesday December 22, 2009 @02:15PM (#30526162)

    To all the people suggesting PE discs - what AV do you use? The vast majority simply do not work in a preboot environment. The ones that do tend to be old versions, which are about as helpful in removing real threats as a dull knife.

    In my experience, the overwhelming majority of viruses are removed by MalwareBytes in safe mode. The ones that aren't leave signs that MalwareBytes can detect (infections it can't delete or that reappear, etc.) The paranoid can confirm with a packet sniffer.

    If you really want to be paranoid, get a USB => IDE/SATA adapter from newegg. Pop out the hard drive and hook it up to a clean machine. Mount the registry hives using regedit, and do a scan with your favorite AV product. No relying on a potentially rooted machine, and no relying on an old/gimped AV product that works in a preboot environment.

  • by ae1294 ( 1547521 ) on Tuesday December 22, 2009 @02:40PM (#30526548) Journal

    To all the people suggesting PE discs - what AV do you use? The vast majority simply do not work in a preboot environment. The ones that do tend to be old versions, which are about as helpful in removing real threats as a dull knife.

    You can use the included driverpacks app to include most LAN/WAN drivers and then use an online scanner if you like or you can install PE to a USB disk and install any Antivirus program you like.

    In my experience, the overwhelming majority of viruses are removed by MalwareBytes in safe mode.

    In my experience those people come back 3 days later with the same virus. MalwareBytes runs in PE now, as does SuperAntiSpyware and HijackThis and a number of Antivirus programs.

    get a USB => IDE/SATA adapter from newegg. Pop out the hard drive and hook it up to a clean machine. Mount the registry hives using regedit, and do a scan with your favorite AV product. No relying on a potentially rooted machine, and no relying on an old/gimped AV product that works in a preboot environment.

    That works or you can just use a PE Disk [ubcd4win.com] which will auto load your hives for you.

    Then you can run whichever programs you want like MalwareBytes, SuperAntiSpyware, HijackThis, etc., and I normally delete the recycle bin, system restore folder, and all the temp folders while taking a look around for stray files. All this while the other scans are running.

    There really isn't any right or wrong way so whatever works for you is great. In my experience however safe mode is problematic.

    The best option is to nuke the MBR and format/reload the system but people hate that.
