From: FromTheRafters on 16 Jan 2010 19:54

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:hitlb509bf(a)news3.newsguy.com...
> From: "FromTheRafters" <erratic(a)nomail.afraid.org>
>
> < snip >
>
> | Viruses, on the other hand, cannot infect non-executables, so
> | non-executable filetypes need not be searched for them.
>
> No, but they can be hidden or contained within through such techniques
> as steganography.

Yes, but then they are trojan payloads. They need another malware
instance to translate and execute them (trojan/dropper).

....or de-containerized by some mechanism - and *then* detected.
(Unfortunately Java doesn't do this and its containers must be searched
as if they were executable files.)

Viruses are attached to code (probably in their view in that article)
and perhaps they are not considering malware in general, just the
(necessary) AV component (especially on servers).

Why look for something where it *cannot* be?
From: Dustin Cook on 16 Jan 2010 23:49

"FromTheRafters" <erratic(a)nomail.afraid.org> wrote in
news:hite6k$lm4$1@news.eternal-september.org:

> "Dustin Cook" <bughunter.dustin(a)gmail.com> wrote in message
> news:Xns9D02121AB16ACHHI2948AJD832(a)69.16.185.250...
>> http://www.itworld.com/security/90249/ignore-microsoft-check-everything?source=peer2peerpromo
>
> It's another case of terminology problems I think.
>
> If the filetype is non-executable - it *cannot* be infected so there is
> no need to scan it for *viruses*.

That's where the problem lies... Microsoft suggests excluding entire
folders by default... this would actually allow malware to hide from
their own application by doing that... Lol. :)

And I do hope it's actually doing a header check on the files and not
going by file extension. Yes, the Windows GUI won't execute a .bmp file;
it'll try to open it for viewing instead. However, a program, OTOH, can
call said .bmp (which was really an exe) and it won't display a picture
but run instead.

> data in the registry even becomes a hiding place for code. You might as
> well include trojans in the mix, because replication is irrelevant to
> whether or not a file should be scanned by an antimalware application.

I agree.

-- 
"Is there anything in Guul Draz that doesn't suck the life out of you?"
- Tarsa, Sea Gate sell-sword.
From: FromTheRafters on 17 Jan 2010 07:29

"Dustin Cook" <bughunter.dustin(a)gmail.com> wrote in message
news:Xns9D02F2FD89A50HHI2948AJD832(a)69.16.185.247...
> "FromTheRafters" <erratic(a)nomail.afraid.org> wrote in
> news:hite6k$lm4$1@news.eternal-september.org:
>
>> "Dustin Cook" <bughunter.dustin(a)gmail.com> wrote in message
>> news:Xns9D02121AB16ACHHI2948AJD832(a)69.16.185.250...
>>> http://www.itworld.com/security/90249/ignore-microsoft-check-everything?source=peer2peerpromo
>>
>> It's another case of terminology problems I think.
>>
>> If the filetype is non-executable - it *cannot* be infected so there
>> is no need to scan it for *viruses*.
>
> That's where the problem lies... Microsoft suggests excluding entire
> folders by default... this would actually allow malware to hide from
> their own application by doing that... Lol. :)

I don't understand their logic in suggesting an entire directory can be
excluded, but I also don't see that actually suggested here:

http://support.microsoft.com/kb/822158

Maybe upon re-reading I will see it. The files that they suggest can be
excluded are not excluded based on the extension; they are named in order
for the user to identify them, and only those identified files (not any
others that may use the same extension) are being suggested for
exclusion. As for entire folders (as they put it), I assumed that maybe
those would be symbolic links (which aren't really directories). Just
guessing there though, as I haven't re-read the article yet.

> And I do hope it's actually doing a header check on the files and not
> going by file extension. Yes, the Windows GUI won't execute a .bmp
> file; it'll try to open it for viewing instead. However, a program,
> OTOH, can call said .bmp (which was really an exe) and it won't
> display a picture but run instead.

Yes, that I *do* remember - each time that they offer the suggestion,
they stipulate that files should not be excluded *based* on extensions,
but the extensions can be used to help the user identify the files that
are targeted for exclusion.

>> data in the registry even becomes a hiding place for code. You might
>> as well include trojans in the mix, because replication is irrelevant
>> to whether or not a file should be scanned by an antimalware
>> application.
>
> I agree.

You just can't go around excluding areas from scanning for malware, but
viruses (in this context) will *not* be found in non-executable
filetypes. The problem now is that AV scanners do more than just check
for viruses but attempt to cover a wide spectrum of malware types.
Excluding areas from scanning for viruses will also exclude them from
scanning for other malware types.

AV should have remained strictly anti-VIRUS, like many of us suggested
years ago in the alt.comp.virus groups. The AV companies, in their zeal
to be the *all* for protecting users from the need to behave properly,
have made a mess of things by chasing the almighty dollar. They now offer
antispyware components in an attempt to muscle into that arena to the
exclusion of any competitor's programs - citing resource conflicts as the
*reason* for excluding competitors' (better) products.

Give me an AV that checks for *viruses* and allow me to choose what other
programs (or policies) to use to avoid other malware types.

Gotta go to work (before I *really* start ranting... :o)
From: Ant on 17 Jan 2010 08:13

"FromTheRafters" wrote:
> "Ant" wrote:
>> Yes, indeed but such files are not "executables" in the way that exe
>> and dll files are.
>
> The WMF filetype example was designed to be, but many assumed it was
> not.

It may contain code (the SetAbortProc callback) for use by the GDI but is
not an executable that can be run by the OS exe loader. Any scan only
needs to check if this callback record is present.

> Unfortunately, there is the possibility that those experts use the term
> "viruses" to mean malware - in which case it would be wrong to exclude
> any filetypes.

Yes.

>> Also, you can't rely on file extensions to determine the type.
>
> That was mentioned on the MS page ISTR.

I hadn't read that until now.

>> This means that all files should be opened and read by a scanner,
>> regardless of extension, in order to check their format even if no
>> further scanning is done on a particular file.
>
> Malware scanners, yes.

I would say virus scanners also need to check, since executable files
with an extension other than 'exe' can still be launched from the
registry.

> The idea that certain filetypes and/or directories can be safely
> excluded from malware scanning is too 'brain-dead' an idea even for
> Microsoft.

I agree and am somewhat puzzled by that MS KB article. They warn about
corruption and other stuff if certain files are not excluded. If these
files are critical they should be locked for exclusive access by
whatever MS program is using them.

> Viruses, on the other hand, cannot infect non-executables, so
> non-executable filetypes need not be searched for them.

Yes, but they should be accessed and read to determine their
executability.
From: FromTheRafters on 18 Jan 2010 07:27

"Ant" <not(a)home.today> wrote in message
news:DeidnTYC5MepkM7WnZ2dnUVZ7oWdnZ2d(a)brightview.co.uk...
> "FromTheRafters" wrote:
>
>> "Ant" wrote:
>>> Yes, indeed but such files are not "executables" in the way that exe
>>> and dll files are.
>>
>> The WMF filetype example was designed to be, but many assumed it was
>> not.
>
> It may contain code (the SetAbortProc callback) for use by the GDI but
> is not an executable that can be run by the OS exe loader. Any scan
> only needs to check if this callback record is present.

There are plenty of examples of executable filetypes not directly loaded
by the loader chain. What I meant is that an attacker using this filetype
for hostile code is not exploiting a software vulnerability in this case,
but is abusing a function. That function was deprecated and nearly
forgotten, and the filetype was assumed to be graphic data only.

>> Unfortunately, there is the possibility that those experts use the
>> term "viruses" to mean malware - in which case it would be wrong to
>> exclude any filetypes.
>
> Yes.
>
>>> Also, you can't rely on file extensions to determine the type.
>>
>> That was mentioned on the MS page ISTR.
>
> I hadn't read that until now.

Did you see any reference to excluding an entire folder? Or was that
reference intended to mean all files within that folder that were placed
there by the OS installation? I think that they might have meant all
files placed (by default by the OS when installed) within some folders
and only *some* files (identified by filename or extension) in other
folders.

>>> This means that all files should be opened and read by a scanner,
>>> regardless of extension, in order to check their format even if no
>>> further scanning is done on a particular file.
>>
>> Malware scanners, yes.
>
> I would say virus scanners also need to check, since executable files
> with an extension other than 'exe' can still be launched from the
> registry.

I believe they are only concerned with the files mentioned. They know
what those files are and are not capable of. They are *not* executable
files and need not be scanned. They are *not* saying (for instance) that
*all* log files or database files are benign.

>> The idea that certain filetypes and/or directories can be safely
>> excluded from malware scanning is too 'brain-dead' an idea even for
>> Microsoft.
>
> I agree and am somewhat puzzled by that MS KB article. They warn about
> corruption and other stuff if certain files are not excluded. If these
> files are critical they should be locked for exclusive access by
> whatever MS program is using them.

I'm guessing that these files are fairly large and that they change
often, making AV scanners that use change detection (in order to avoid
having to scan again already scanned files) scan them every time. This in
addition to their already stated corruption issues.

>> Viruses, on the other hand, cannot infect non-executables, so
>> non-executable filetypes need not be searched for them.
>
> Yes, but they should be accessed and read to determine their
> executability.

I suppose that that isn't too much to ask - should be much quicker than
scanning for virus signatures.
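The two checks the thread keeps coming back to, the header check Dustin Cook hopes the scanner does (type by leading bytes, not by extension) and the callback-record check Ant describes for WMF files, as an added example that is not code from any poster or from any AV product. It classifies a file from its content, and for anything that looks like a WMF walks the metafile records looking for a META_ESCAPE record whose escape function is SETABORTPROC, which is the record the thread is talking about. The record layout follows the WMF format (optional 22-byte placeable header, 18-byte standard header, then records of a 4-byte size in words followed by a 2-byte function code; META_ESCAPE = 0x0626, SETABORTPROC = 9). The magic-number table is a small illustrative subset, and the sample files, including the escape record's payload bytes, are constructed here and do not come from any real file.

```python
import struct

# Small, illustrative magic-number table (constructed; not an exhaustive list).
# First match wins.
MAGIC = [
    (b"MZ", "pe-executable"),                 # DOS stub of a PE file, whatever the extension says
    (b"\x7fELF", "elf-executable"),
    (b"\xd7\xcd\xc6\x9a", "wmf-placeable"),   # Aldus placeable WMF key 0x9AC6CDD7, little-endian
    (b"BM", "bmp-image"),
    (b"\x89PNG\r\n\x1a\n", "png-image"),
]

META_EOF = 0x0000
META_SETBKCOLOR = 0x0201
META_ESCAPE = 0x0626
SETABORTPROC = 9            # escape function that installs a callback through GDI


def sniff_type(data: bytes) -> str:
    """Classify by content, never by extension."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    # A standard (non-placeable) WMF has no fixed signature; check the header
    # fields instead: mtType 1 (memory) or 2 (disk) and mtHeaderSize of 9 words.
    if len(data) >= 18:
        mt_type, hdr_words = struct.unpack_from("<HH", data, 0)
        if mt_type in (1, 2) and hdr_words == 9:
            return "wmf"
    return "unknown"


def wmf_records(data: bytes):
    """Yield (function, params) for each metafile record; stops at META_EOF."""
    off = 22 if data.startswith(b"\xd7\xcd\xc6\x9a") else 0   # skip placeable header
    off += 18                                                  # skip standard header
    while off + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, off)
        if size_words < 3:          # a record is at least its own 6-byte prefix
            raise ValueError("malformed WMF record at offset %d" % off)
        rec_len = size_words * 2
        yield function, data[off + 6:off + rec_len]
        if function == META_EOF:
            break
        off += rec_len


def wmf_has_setabortproc(data: bytes) -> bool:
    """The check Ant describes: is a SetAbortProc escape record present?"""
    for function, params in wmf_records(data):
        if function == META_ESCAPE and len(params) >= 4:
            escape_fn, _byte_count = struct.unpack_from("<HH", params, 0)
            if escape_fn == SETABORTPROC:
                return True
    return False


def classify(name: str, data: bytes) -> dict:
    """Decide whether a file deserves a code scan, regardless of its name."""
    kind = sniff_type(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    callback = kind.startswith("wmf") and wmf_has_setabortproc(data)
    return {
        "ext": ext,
        "kind": kind,
        "wmf_setabortproc": callback,
        "scan_as_code": kind.endswith("executable") or callback,
    }


def build_wmf(records) -> bytes:
    """Assemble a minimal standard WMF from (function, params) pairs (test data only)."""
    body, max_words = b"", 0
    for function, params in records:
        if len(params) % 2:
            params += b"\x00"
        words = (6 + len(params)) // 2
        max_words = max(max_words, words)
        body += struct.pack("<IH", words, function) + params
    # mtType, mtHeaderSize, mtVersion, mtSize (words), mtNoObjects, mtMaxRecord, mtNoParameters
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


# Constructed samples: none of these bytes come from a real file.
BENIGN_WMF = build_wmf([(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)), (META_EOF, b"")])
HOSTILE_WMF = build_wmf([
    (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\xcc" * 4),  # placeholder payload bytes
    (META_EOF, b""),
])
SAMPLES = {
    "picture.bmp": b"MZ\x90\x00" + b"\x00" * 60,   # an executable wearing an image extension
    "real.bmp":    b"BM" + b"\x00" * 20,
    "benign.wmf":  BENIGN_WMF,
    "hostile.wmf": HOSTILE_WMF,
    "hostile.jpg": HOSTILE_WMF,                    # same bytes, misleading extension
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify(name, data))
```

The point of the `classify` result is that "picture.bmp" comes back as executable and "hostile.jpg" comes back with the callback record flagged, even though an extension-based exclusion would have skipped both; the file still has to be opened and at least its header read, which is the cheap step the last two posts agree on.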