Re: Alerting - Malicious software removal tool



In article <2587A271-ED15-49A5-A39F-556393F20D68@xxxxxxxxxxxxx>,
steve.riley@xxxxxxxxxxxxx says...

> Meanwhile, the customers I consult with are grateful for this tool. The CSOs
> and CTOs and security architects I work with around the world, who represent
> several million client computers, have commented that the MSRT is one of the
> most responsible things they've seen us do -- in addition to all the work
> we've done to improve the quality of Windows. Plus, much of what the MSRT
> removes are worms that exploit vulnerabilities in humans, not
> vulnerabilities in the software -- even a perfect operating system (which is
> impossible to build) can't protect itself from that.

Steve, you wrote that "CSO's and CTO's.... 'commented that the MSRT is
one of the most responsible things they've seen us do..."

I agree, it's great that you, Microsoft, put out a tool to clean malware
off your OS that you have spent years not securing against that malware.

Don't get me wrong, I own a company that is an MS partner, sells MS based
solutions, never had a compromised computer on any of our customers'
networks, and I've been doing this since the late 70's.

The only compromised PCs we see are ones from improperly guarded
networks and/or improperly guarded home networks (even if it's just a PC
of one). Of those compromised machines, all of them were running Windows
(mostly XP, but now even Vista), all had major brand AV software
actively working, some had stopped using IE because of the risks and
switched to Firefox or Opera, but, the key point is that all of them
were being used by people that COULD have learned more and didn't
because they thought they had done enough.

I'll give you an example of what happens to many HOME users - a nice
lady owned a computer, running Windows XP + SP2 (SP3 was not released
yet), used MS Works, had a single account, administrator level logon
(which is the default for most computers), 1 kid, about 8 years old,
using the computer also. They could not get it to respond properly,
pop-ups, etc.... I attempted to clean it, decided that after 5 passes with
different tools that it was not worth the "Time" to "clean" it and wiped
and reinstalled XP.

I provided three accounts for them to use "Administrator" with password,
"Mom" and "Son", M/S were limited user accounts. Set IE to high-security
Mode, bought them a NAT Router (no inbound Port forwarding), installed
all updates and patches. Installed AVG Free (and updates), and several
manual scanners. Automatic Updates enabled. I explained that they should
not use the Administrator account except in rare cases where "MOM"
needed to install an application that she could not install from
her/son's accounts, that they were NOT to run anything as the
"Administrator" account.

I got the computer back in two weeks, hosed again. The "Mom" had let the
kid use the administrator account because he could not get his "Games"
to run under his account, etc.... Needless to say, it was compromised
again in less than two weeks because the OS, using MS Suggested High-
Security settings would not provide the user with what they needed to
run the programs that they wanted to use while protecting them from
malware.

I installed Ubuntu, OO, and set up email and Firefox for them, the machine
has been used for almost a year now and it's doing all that they NEED,
unable to play some of the games (online) that the kid wanted (since
they need ActiveX), but the computer is STILL running smooth and no
problems reported (and I check about once a month).

While I was out of the state my mother-in-law bought a PC and her oldest
son installed it for her - XP Home, all updates, bought a Linksys NAT
appliance, but they didn't install it, connected directly to the cable modem
for internet - Windows Firewall enabled.... By the time I got back the
PC wasn't working, bad things on the screen, etc... All the typical
signs of being hacked. The MS Firewall had default holes for
File/Printer sharing set up by Dell, and software installed more holes
for itself to use... Wiped her machine, installed a NAT Router, set up
three accounts "Admin", "XXXX" (her name), "Visitors", same as the one
above - in this case she kept the computer clean, but she had to log on
as Admin to run QuickBooks since it would not run as the "XXXX" user as a
limited account. She gave up things like the online game site POGO since
it would not install/run as a limited account, and she's basically used
the computer for QB, browsing the web in IE HS Mode (which breaks many
sites) and for email.....

So, your story about the CSO/CTO is great, they appreciate that you've
(Microsoft) taken a "Responsible" step, but what you didn't report is
how much malware was removed from their networks by the MSRT.

We all agree, the MSRT is a 'Responsible' step from Microsoft, but it's
a day late and a dollar short. The problem is the OS's lack of security
against malware, and a tool like the MSRT is not preventing anything,
only reacting AFTER the compromise.

Again, my company provides MS platform solutions all over the USA and
India, we secure our networks and systems against threats and have
managed to never have a compromised system on any of our managed
networks. I am not a Linux advocate, don't believe it's ready for the
masses, but I also see LOTS of compromised non-client systems and home
systems each year, all of which would not have been compromised if MS
had just bitten the bullet and changed the foundation to a more secure
platform instead of trying to remain compatible.

In "My" experience I've yet to see the MSRT clean a system, and I know
this because after running it I can still experience problems that are
cleaned up by other tools - SBS&D, Symantec, MBAM, Multi-AV, even
manual registry edits.

I'm not here to argue with you, don't take it that way, but you've not
posted anything to contradict my statement. You've only posted that
people think the MSRT is a great step, that it's removed malware, but
you've not posted all the information that would be needed to show that
it's a good tool.


--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@xxxxxxxxxx (remove 999 for proper email address)
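The post above describes the same hardening layout twice: one password-protected administrator account, everyday work done from limited accounts, a NAT router with no inbound forwarding, and it blames two things for the re-infections, people logging on as the administrator anyway and inbound File/Printer sharing exceptions the OEM had left open in Windows Firewall. The following PowerShell script is an added example and is not code from this thread or from either poster. It creates the limited accounts, then checks the two points the post raises: who is actually a member of the local Administrators group, and which inbound "File and Printer Sharing" firewall rules are enabled. It uses net.exe and netsh.exe rather than the newer *-LocalUser and *-NetFirewallRule cmdlets so that the account part also works on older releases; the firewall check assumes Vista or later (netsh advfirewall) and an English-language system (the "Grouping:" text is localized). The account names are placeholders taken from the post. Run it from an elevated prompt.

```powershell
# Added example (not from the newsgroup thread): apply and verify the
# least-privilege layout described in the post. Account names are placeholders.

$AdminAccounts = @('Administrator', 'Admin')   # the only accounts allowed in Administrators
$LimitedUsers  = @('Mom', 'Son')               # everyday accounts, members of Users only

foreach ($u in $LimitedUsers) {
    # 'net user <name>' exits non-zero when the account does not exist
    net user $u 2>$null | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # '*' makes net.exe prompt for the password instead of taking it on the command line
        net user $u * /add
    }
    # Ensure the account is a plain user and never a local administrator
    net localgroup Administrators $u /delete 2>$null | Out-Null
    net localgroup Users          $u /add    2>$null | Out-Null
}

# 1) Who can still log on as an administrator?
# 'net localgroup' prints a header, a "Members" line, a dashed separator,
# one member per line, and a status line; keep only the member lines.
$members = (net localgroup Administrators) |
    Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command completed)' } |
    ForEach-Object { $_.Trim() }
$extra = $members | Where-Object { $AdminAccounts -notcontains $_ }
if ($extra) {
    Write-Warning "Unexpected members of local Administrators: $($extra -join ', ')"
} else {
    Write-Host "Local Administrators contains only: $($members -join ', ')"
}

# 2) Which inbound File and Printer Sharing rules are enabled?
# 'netsh advfirewall firewall show rule' prints one block per rule starting with
# "Rule Name:" and containing "Enabled:" and "Grouping:" lines; parse those.
$rules = @()
$cur   = $null
foreach ($line in (netsh advfirewall firewall show rule name=all dir=in)) {
    if ($line -match '^Rule Name:\s*(.*)$') {
        if ($cur) { $rules += $cur }
        $cur = @{ Name = $matches[1].Trim(); Enabled = ''; Grouping = '' }
    } elseif ($cur -and $line -match '^(Enabled|Grouping):\s*(.*)$') {
        $cur[$matches[1]] = $matches[2].Trim()
    }
}
if ($cur) { $rules += $cur }

$open = $rules | Where-Object { $_.Grouping -eq 'File and Printer Sharing' -and $_.Enabled -eq 'Yes' }
if ($open) {
    Write-Warning ("Enabled inbound File and Printer Sharing rules: " +
        (($open | ForEach-Object { $_.Name }) -join '; '))
    Write-Host 'A machine behind a NAT router that shares nothing can close them with:'
    Write-Host '  netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No'
} else {
    Write-Host 'No enabled inbound File and Printer Sharing rules.'
}
```

The script only reports the open sharing rules rather than disabling them, because on a home LAN the owner may rely on them; the printed netsh command is the documented way to turn the whole group off when they are not needed. On XP the firewall section does not apply (XP only has the older "netsh firewall" context), but the account checks do.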