Re: Online THREATS

From: cquirke (MVP Windows shell/user) (cquirkenews_at_nospam.mvps.org)
Date: 05/29/05


Date: Sun, 29 May 2005 13:12:27 +0200

On Fri, 27 May 2005 21:15:24 -0700, "Dave" <Dave@ bigpond.com> wrote:

>Windows have asked me to put my beef on the discussion groups.

"Windows" says that?

>1. On my computer, I have loaded Symantec Norton AV 2004, which, after
>Scanning, has told me, for about 2 weeks, that I have 25 at Risk Files on
>my Computer -- Adware/Spyware/Malware. BUT will NOT delete any of them.
>The ONLY option is Manual Deletion.

You are scanning for malware while the malware is active. Is it
surprising the malware wins?

>2. Earlier this Week, my "Guru" installed the Trial version of microsoft
>AntiSpyware.
>It removed 8, leaving me with 17 Threats.

OK

>3. Yesterday, Panda offered me a trial of Truprevent automatic protection.
>This removed 14 Threats -- leaving me with 3.

OK

>4. Running Norton AV, again, these 3 ALL Prove to be the same Adware
>"Adware.BetterInternet" BUT there is a REMOVAL TOOL.
>I ran this TWICE, on each occasion, it finally told me I did NOT have
>Adware.BetterInternet on my computer.

>5. Ran Norton AGAIN --- still there....

OK - that looks like either a false positive (or residues) if the
removal tool is right, and a new variant unknown to the removal tool
if NAV is right. Residues are likely, i.e. where the malware's ability
to operate is destroyed by punching it out, but leftover malware
content is left lying around for other scanners to alert on.

>IF ALL YOU FIRMS GOT TOGETHER AND POOLED YOUR INFORMATION, YOU MAY BE ABLE
>TO PRODUCE A HALF REASONABLE PROGRAMME.

We already have half reasonable programs, and that is as good as it's
likely to get, for as long as MS fails to improve maintainability
(e.g. a malware-safe Safe Mode plus a maintenance OS) so that when
(not if) the bad guy owns your system, you can get it back.

>To Remove 24 threats, I would have to outlay WELL OVER $100 AUD, and still
>NOT have complete protection for my computer.

What did you spend AU$100 on? Norton? The other tools you mentioned
(AdAware, MSAS Beta) are free, as are Avast and AVG that you could
have used instead of knee-jerk Norton.

>WHEN can Computer Users, find GOOD PROGRAMMES, Which are FOOLPROOF, at a
>Reasonable Cost?

When the OS is structured to facilitate recovery from malware
ownership. Until then, the only maintenance OS in town is a volunteer
effort from Bart's that is at risk of being litigated off the map by
MS at any time. Needless to say, that makes it a very high risk for
av vendors to invest in (i.e. develop for).

So you have three approaches from the av industry:
  - hope the problem will go away / pretend what we have works
  - develop for Bart, but charge a fortune to recover costs quickly
  - build a mOS from scratch, which costs effort and therefore money

MS themselves fall into the first category, maintaining (in the face
of all evidence to the contrary) that XP on NTFS is sooo secure that
it will never be malware-owned, so need for recovery does not arise.

Avast have stepped up to the plate in the first category, building
exactly the sort of thing we all need; an av scanner written
specifically for Bart's PE, and bundled with it, that does the job.
Alas, it costs a lot more than AU$100 to buy it in a form that
freelance techs could use in the field to clean your system. It's
only cheaper if crippled to work within one domain only (fine for
corporate sysadmins, to hell with anyone else) or if it's crippled
further so that it works only on one PC.

Kaspersky's taken the third approach, as far as I know, by using a
bootable Linux CD to host their recovery (post-infection) scanner. As
Linux can't safely write to NTFS, I presume this is a "look, don't
touch" scanner that hopefully informs how to proceed thereafter.

Kaspersky AV doesn't fall out of the sky for free, either.

>IF, I purchase ANY, which is worthwhile? NONE at the Moment.
>Can you PLEASE INFORM COMPUTER OWNERS, When you
>have programmes on which they can really rely?

Firstly, when it comes to commercial malware in particular, it may be
a judgement call as to whether you wish to be rid of the "threat" or
not. That may be why you see "X threats found, Y threats removed".

For example, if I look in your medicine cupboard and find rat poison,
LSD and Insulin, I'd likely destroy only the rat poison. All three
might kill you if taken in excess, but you may choose to run the risk
of taking LSD in small doses for recreation, and you may need to take
Insulin to survive. And for that matter, you might shout at me for
killing the rat poison if you were planning on killing some rats.

Secondly, this is MALicious softWARE we are talking about here, i.e. it
is *designed* to be unco-operative and beastly. Is it really
surprising that detecting and removing this will be tricky?

Thirdly, a basic rule of combat is that whoever owns the air, wins.
If you are taxiing to take off and I'm over you dropping bombs, who is
likely to win? If the malware code is running and you try to start up
a defence tool, which is likely to win?

You'd only place bets on the second if the first was really useless,
i.e. a bomber who can't shoot straight, or a malware that ignores the
opportunity to defend itself or react punitively.

Right now, folks are flapping their arms and jumping up and down
because malware has started to take this opportunity, in the shape of
"root kits". A root kit is simply a malware that hides itself, by
tapping into all OS functionalities that might reveal its presence,
and thus censor the information flow to hide itself from view.

It's like phoning home to see if your family is OK, and one of the
home invaders picks up and (mimicking your wife's voice) says "Ah yes,
all's well, no balaclava-clad gun-toting rapists here, see you later".

The obvious thing to do is not rely on a word from inside the 'owned'
house, but to check it out yourself. That means not running the
infected code (i.e. using a mOS) and then checking the code to see if
there are any known bad guys (blacklisting) and that only approved
code is in place in unaltered form (whitelisting).

Because of the constant code creep from patches, whitelisting is
difficult. What do you compare the code with, a data list on the
same 'infected' HD? So you detect that info has been tampered with;
now what? You've just been DoS'd out of recovery, unless you have
something that will replace all known code. Where is that magical,
uninfected set of up-to-date code going to come from?

Let's assume you've verified the core code is OK. Now we can run the
OS in Safe Mode, but that's only malware-safe if two other conditions
are met; that the OS processes NO integration points whatsoever, so no
3rd-party code gets to run (integration by design), and that the OS
does not handle any material on the HD so as to expose an exploitable
risk surface (integration by code exploit).

Notice that the above applies whether you choose to clean malware, or
backup data and wipe the system. Unless you know what the malware
was, you have no confidence that re-infection won't recur (as has
already happened once). Without a firm difference between data and
code, you can't be sure your backed-up data is safe to restore.

Right now, we do not have a mOS, and the Safe Mode that the OS offers
is far from malware-safe, as it explicitly processes a host of
integrations by design (screensaver, file associations, drivers, BHOs
and shell integrations, even parts of the startup axis Safe used to
claim it did not run in Win9x) and it caresses material on the HD in
ways that are quite likely to be exploitable.

We can use 3rd-party media players, web browsers and email apps, so we
don't really need MS to provide those. We do need MS to provide core
OS value, and this they are failing to do.

>------------------------ ---- --- -- - - - -
   Forget http://cquirke.blogspot.com and check out a
   better one at http://topicdrift.blogspot.com instead!
>------------------------ ---- --- -- - - - -
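The post's "check it out yourself from a mOS" idea, in working form, as an added example that is not part of the original post: an offline audit that reads file contents without executing anything, flags known-bad hashes (blacklisting), checks every remaining file against a manifest of approved hashes (whitelisting), and refuses to trust the manifest at all if its HMAC does not verify with a key held off the patient disk. The sample "disk", file contents, key and known-bad hash are all constructed for the demonstration; nothing here is Avast's, Kaspersky's or Bart's code.

```python
import hashlib
import hmac
import json

# Constructed sample "disk": path -> file bytes, standing in for files an
# offline scanner reads from the HD without running any code from it.
CLEAN_DISK = {
    "Windows/system32/kernel32.dll": b"constructed: kernel32 contents",
    "Windows/system32/ntoskrnl.exe": b"constructed: kernel contents",
    "Windows/explorer.exe": b"constructed: shell contents",
}

# Constructed known-bad sample; its hash stands in for a blacklist entry.
KNOWN_BAD_SAMPLE = b"constructed: malicious dropper"
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}

# Assumption: the key lives on the technician's own boot media, never on the
# scanned disk, so malware on that disk cannot re-sign an edited manifest.
OFFLINE_KEY = b"constructed-offline-key-keep-this-off-the-patient-disk"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(disk: dict, key: bytes) -> dict:
    """Whitelist: hash every approved file, then MAC the whole list."""
    entries = {path: sha256_hex(data) for path, data in sorted(disk.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def audit(disk: dict, manifest: dict, key: bytes, known_bad: set) -> dict:
    """Offline check: blacklist first, then whitelist, then missing files."""
    if not manifest_is_authentic(manifest, key):
        # The reference list itself was tampered with; a "clean" verdict
        # based on it would be the home invader answering the phone.
        return {"status": "manifest-untrusted", "findings": []}
    entries = manifest["entries"]
    findings = []
    for path, data in sorted(disk.items()):
        digest = sha256_hex(data)
        if digest in known_bad:
            findings.append(("known-bad", path))
        elif path not in entries:
            findings.append(("unlisted", path))
        elif entries[path] != digest:
            findings.append(("modified", path))
    for path in sorted(entries):
        if path not in disk:
            findings.append(("missing", path))
    return {"status": "clean" if not findings else "suspect",
            "findings": findings}


def scenario_clean() -> dict:
    manifest = build_manifest(CLEAN_DISK, OFFLINE_KEY)
    return audit(CLEAN_DISK, manifest, OFFLINE_KEY, KNOWN_BAD_HASHES)


def scenario_infected() -> dict:
    """A patched shell, a dropped known-bad driver and an unlisted helper."""
    manifest = build_manifest(CLEAN_DISK, OFFLINE_KEY)
    infected = dict(CLEAN_DISK)
    infected["Windows/explorer.exe"] = b"constructed: shell contents + patched"
    infected["Windows/system32/drivers/hidden.sys"] = KNOWN_BAD_SAMPLE
    infected["Windows/system32/helper.dll"] = b"constructed: unlisted helper"
    return audit(infected, manifest, OFFLINE_KEY, KNOWN_BAD_HASHES)


def scenario_tampered_manifest() -> dict:
    """The 'data list on the same HD' case: the intruder edits the manifest
    entry to match its patched file, but cannot recompute the MAC."""
    manifest = build_manifest(CLEAN_DISK, OFFLINE_KEY)
    infected = dict(CLEAN_DISK)
    infected["Windows/explorer.exe"] = b"constructed: shell contents + patched"
    forged = {"entries": dict(manifest["entries"]), "mac": manifest["mac"]}
    forged["entries"]["Windows/explorer.exe"] = sha256_hex(
        infected["Windows/explorer.exe"])
    return audit(infected, forged, OFFLINE_KEY, KNOWN_BAD_HASHES)


if __name__ == "__main__":
    for name, fn in (("clean", scenario_clean), ("infected", scenario_infected),
                     ("tampered manifest", scenario_tampered_manifest)):
        print(name, fn())
```

The MAC only moves the problem, not removes it: the manifest still has to be rebuilt from known-good media after every patch, which is exactly the code-creep objection raised above, and a tampered manifest tells you that you cannot trust the list, not which files to restore.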


