Re: Alerting - Malicious software removal tool
- From: John Mason Jr <notvalid@xxxxxxxxxxxxxxx>
- Date: Fri, 28 Nov 2008 14:08:10 -0500
Leythos wrote:
In article <2587A271-ED15-49A5-A39F-556393F20D68@xxxxxxxxxxxxx>, steve.riley@xxxxxxxxxxxxx says...
Meanwhile, the customers I consult with are grateful for this tool. The CSOs and CTOs and security architects I work with around the world, who represent several million client computers, have commented that the MSRT is one of the most responsible things they've seen us do -- in addition to all the work we've done to improve the quality of Windows. Plus, much of what the MSRT removes are worms that exploit vulnerabilities in humans, not vulnerabilities in the software -- even a perfect operating system (which is impossible to build) can't protect itself from that.
Steve, you wrote that "CSO's and CTO's.... 'commented that the MSRT is one of the most responsible things they've seen us do..."
I agree, it's great that you, Microsoft, put out a tool to clean malware off your OS that you have spent years not securing against that malware.
The big problem is the users, they want to be connected but don't understand the risks. And some businesses choose to ignore them.
The end users just want a machine that is cheap and works, they really don't want to pay a premium.
Otherwise they would either learn or pay someone else to admin the box
The malware protection companies are no better because they really don't provide much information past the marketing spew.
Don't get me wrong, I own a company that is a MS partner, sells MS based solutions, never had a compromised computer on any of our customers networks, and I've been doing this since the late 70's.
The only compromised PCs we see are ones from improperly guarded networks and/or improperly guarded home networks (even if it's just a PC of one). Of those compromised machines, all of them were running Windows (mostly XP, but now even Vista), all had major brand AV software actively working, some had stopped using IE because of the risks and switched to Firefox or Opera, but, the key point is that all of them were being used by people that COULD have learned more and didn't because they thought they had done enough.
I'll give you an example of what happens to many HOME users - a nice lady owned a computer, running Windows XP + SP2 (SP3 was not released yet), used MS Works, had a single account, administrator level logon (which is the default for most computers), 1 kid, about 8 years old, using the computer also. They could not get it to respond properly, pop-ups, etc.... I attempted to clean it, decided that after 5 passes with different tools that it was not worth the "Time" to "clean" it and wiped and reinstalled XP.
I provided three accounts for them to use "Administrator" with password, "Mom" and "Son", M/S were limited user accounts. Set IE to high-security Mode, bought them a NAT Router (no inbound Port forwarding), installed all updates and patches. Installed AVG Free (and updates), and several manual scanners. Automatic Updates enabled. I explained that they should not use the Administrator account except in rare cases where "MOM" needed to install an application that she could not install from her/son's accounts, that they were NOT to run anything as the "Administrator" account.
I got the computer back in two weeks, hosed again. The "Mom" had let the kid use the administrator account because he could not get his "Games" to run under his account, etc.... Needless to say, it was compromised again in less than two weeks because the OS, using MS Suggested High-Security settings, would not provide the user with what they needed to run the programs that they wanted to use while protecting them from malware.
You had a user bypass the security, can't really blame MS for this one unless it was an MS game
I installed Ubuntu, OO, and setup email and FireFox for them, machine has been used for almost a year now and it's doing all that they NEED, unable to play some of the games (online) that the kid wanted (since they need active-x), but the computer is STILL running smooth and no problems reported (and I check about once a month).
How about using wine to run IE or setup a virtual machine
While I was out of the state my mother-in-law bought a PC and her oldest son installed it for her - XP Home, all updates, bought a Linksys NAT appliance, but they didn't install it, connected directly to cable modem for internet - Windows Firewall enabled.... By the time I got back the PC wasn't working, bad things on the screen, etc... All the typical signs of being hacked. The MS Firewall had default holes for File/Printer sharing setup by Dell, and software installed more holes for itself to use... Wiped her machine, installed NAT Router, setup three accounts "Admin", "XXXX" (her name), "Visitors", same as the one above - in this case she kept the computer clean, but she had to logon as Admin to run QuickBooks since it would not run as "XXXX" user as a limited account. She gave up things like the online game site POGO since it would not install/run as a limited account, and she's basically used the computer for QB, browsing the web in IE HS Mode (which breaks many sites) and for email.....
Sounds like Intuit needs to work on their install program, or maybe do the install in an area that the user has full rights to.
How about troubleshooting the problem with Sysinternals utilities and/or LUA Buglight <http://blogs.msdn.com/aaron_margosis/archive/2006/08/07/LuaBuglight.aspx>
When I setup a computer I ask the user(s) to make a list of programs required and then test before the job is considered complete
So, your story about the CSO/CTO is great, they appreciate that you've (Microsoft) taken a "Responsible" step, but what you didn't report is how many malware were removed from their networks by the MSRT.
We all agree, the MSRT is a 'Responsible' step from Microsoft, but it's a day late and a $1 short. The problem is the OS lack of security against malware and a tool like the MSRT is not preventing anything, only reacting AFTER the compromise.
Again, my company provides MS platform solutions all over the USA and India, we secure our networks and systems against threats and have managed to never have a compromised system on any of our managed networks. I am not a Linux advocate, don't believe it's ready for the masses, but I also see LOTS of compromised non-client systems and home systems each year, all of which would not have been compromised if MS had just bitten the bullet and changed the foundation to a more secure platform instead of trying to remain compatible.
In "My" experience I've yet to see that MSRT clean a system, and I know this because after running it I can still experience problems that are cleaned up by other tools - SBS&D, Symantec, MBAM, Multi-AV, even registry edits manually.
I don't believe that is the main use of the program
from: http://www.microsoft.com/security/malwareremove/families.mspx:
The Microsoft Windows Malicious Software Removal Tool removes specific, prevalent malicious software families from computers running compatible versions of Windows. Microsoft releases a new version of the tool on the second Tuesday of every month, and as needed to respond to security incidents.
I'm not here to argue with you, don't take it that way, but you've not posted anything to contradict my statement. You've only posted that people think the MSRT is a great step, that it's removed malware, but you've not posted all the information that would be needed to show that it's a good tool.
It would be really interesting if MRT could identify more info about the box it helped fix
- patch status
- installed anti malware software (and update status)
Maybe some of the concerns will be helped by the free AV MS is releasing, though from earlier testing it appears it could use some work
John
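The thread's home-PC setup (day-to-day accounts as limited users, the Dell default File/Printer sharing holes in the firewall closed, Automatic Updates on) can be checked rather than trusted. The script below is an added example, not code from anyone in this thread; it assumes a modern Windows build with the Get-LocalGroupMember and Get-NetFirewallRule cmdlets, the account names "Mom" and "Son" from the post, and the classic AUOptions registry value (which newer Windows versions may not populate).

```powershell
# Added example (not from the thread): audit a Windows PC against the
# hardening described in the post. Run from an elevated prompt.
# Assumptions: PowerShell 5.1+ (Get-LocalGroupMember), Windows 8/2012+
# (Get-NetFirewallRule), account names taken from the post.

$DailyUsers = @('Mom', 'Son')   # limited accounts from the post; adjust as needed
$findings   = @()

# 1. No daily-use account may be a member of the local Administrators group.
#    Get-LocalGroupMember reports names as COMPUTER\User, so keep the last part.
$admins = Get-LocalGroupMember -Group 'Administrators' |
          ForEach-Object { ($_.Name -split '\\')[-1] }
foreach ($u in $DailyUsers) {
    if ($admins -contains $u) {
        $findings += "Account '$u' is a member of Administrators"
    }
}

# 2. The "default holes" the post blames on the OEM image: inbound
#    File and Printer Sharing rules that are switched on.
$sharing = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
             Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
if ($sharing.Count -gt 0) {
    $findings += "$($sharing.Count) inbound File and Printer Sharing rule(s) enabled"
}

# 3. Automatic Updates: AUOptions 4 = download and install automatically.
#    Assumption: the legacy value is present; treat a missing value as a finding
#    to be confirmed by hand rather than silently passing.
$auPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$au = Get-ItemProperty -Path $auPath -Name AUOptions -ErrorAction SilentlyContinue
if ($null -eq $au) {
    $findings += "AUOptions value not found under $auPath; verify update settings manually"
} elseif ($au.AUOptions -ne 4) {
    $findings += "Automatic Updates is not set to install automatically (AUOptions=$($au.AUOptions))"
}

if ($findings.Count -eq 0) {
    'OK: accounts, firewall sharing rules and update settings match the post'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```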