Re: Alerting - Malicious software removal tool



I'm not here to argue with you, don't take it that way, but you've not
posted anything to contradict my statement. You've only posted that
people think the MSRT is a great step, that it's removed malware, but
you've not posted all the information that would be needed to show that
it's a good tool.

I don't think either one of us is here to argue with the other. You describe a few instances of where users have gotten themselves infected with malware, which leads you to claim that the tool is completely useless. Yet the data from the SIR shows the tool is very effective at what it does. I fail to see what else is required to meet anyone's definition of "good tool." If by "good" you mean "perfect" -- that is, capable of eliminating all malware -- then your expectations are too high. If by "good" you mean "unnecessary" because all operating systems, all applications, and all users are free of vulnerabilities -- then your expectations are beyond realistic. All these are impossible tasks.

In another post, you wrote:

I was actually hoping that MS would abandon the legacy idea when they
came out with Vista - all of the crap they put into it to look pretty,
to require Core 2 processors with 2GB ram, and 512MB video cards just to
have a machine that performs as well as the 2.5Ghz P4, 512MB RAM, and a
128MB video card, but they failed again on changing the OS to be secure.

We've all seen Vista machines compromised by the same crap that hits our
XP machines, and yea, it's great that MS is trying to clean up the mess
that gets ISP's residential networks black-listed for spamming/zombies,
but they didn't address the core problem - THE OS ITSELF.

Again, the data in the SIR contradict your assertions. A chart on page 53 compares, by Windows type, the number of computers cleaned per 1000 MSRT executions. Page 138 tabulates the numbers. Windows XP RTM shows 33.8, Windows XP SP 3 shows 9.2, Windows Vista RTM shows 4.9, Windows Vista SP1 shows 4.5. If we "failed again" to make the OS secure, if "the same crap" that infected XP also attacked Vista, wouldn't the numbers for Vista be equivalent to those for XP?

Anecdotes are not data. Your few instances of machines getting infected can't compare to the data reflecting research across tens of millions of computers.

--
Steve Riley
steve.riley@xxxxxxxxxxxxx
http://blogs.technet.com/steriley
Protect Your Windows Network: http://www.amazon.com/dp/0321336437



"Leythos" <spam999free@xxxxxxxxxx> wrote in message news:MPG.2399c673207e1396989724@xxxxxxxxxxxxxxxxxxxxxxx

Steve, you wrote that "CSO's and CTO's.... 'commented that the MSRT is
one of the most responsible things they've seen us do..."

I agree, it's great that you, Microsoft, put out a tool to clean malware
off your OS that you have spent years not securing against that malware.

Don't get me wrong, I own a company that is a MS partner, sells MS based
solutions, never had a compromised computer on any of our customers
networks, and I've been doing this since the late 70's.

The only compromised PC's we see are ones from improperly guarded
networks and/or improperly guarded home networks (even if it's just a PC
of one). Of those compromised machines, all of them were running Windows
(mostly XP, but now even vista), all had major brand AV software
actively working, some had stopped using IE because of the risks and
switched for Firefox or Opera, but, the key point is that all of them
were being used by people that COULD have learned more and didn't
because they thought they had done enough.

I'll give you an example of what happens to many HOME users - a nice
lady owned a computer, running Windows XP + SP2 (sp3 was not released
yet), used MS Works, had a single account, administrator level logon
(which is the default for most computers), 1 kid, about 8 years old,
using the computer also. They could not get it to respond properly, pop-
ups, etc.... I attempted to clean it, decided that after 5 passes with
different tools that it was not worth the "Time" to "clean" it and wiped
and reinstalled XP.

I provided three accounts for them to use "Administrator" with password,
"Mom" and "Son", M/S were limited user accounts. Set IE to high-security
Mode, bought them a NAT Router (no inbound Port forwarding), installed
all updates and patches. Installed AVG Free (and updates), and several
manual scanners. Automatic Updates enabled. I explained that they should
not use the Administrator account except in rare cases where "MOM"
needed to install an application that she could not install from
her/son's accounts, that they were NOT to run anything as the
"Administrator" account.

I got the computer back in two weeks, hosed again. The "Mom" had let the
kid use the administrator account because he could not get his "Games"
to run under his account, etc.... Needless to say, it was compromised
again in less than two weeks because the OS, using MS Suggested High-
Security settings would not provide the user with what they needed to
run the programs that they wanted to use while protecting them from
malware.

I installed Ubuntu, OO, and setup email and Firefox for them, machine
has been used for almost a year now and it's doing all that they NEED,
unable to play some of the games (online) that the kid wanted (since
they need active-x), but the computer is STILL running smooth and no
problems reported (and I check about once a month).

While I was out of the state my mother-in-law bought a PC and her oldest
son installed it for her - XP Home, all updates, bought a Linksys NAT
appliance, but they didn't install it, connected directly to cable modem
for internet - Windows Firewall enabled.... By the time I got back the
PC wasn't working, bad things on the screen, etc... All the typical
signs of being hacked. The MS Firewall had default holes for
File/Printer sharing setup by Dell, and software installed more holes
for itself to use... Wiped her machine, installed NAT Router, setup
three accounts "Admin", "XXXX" (her name), "Visitors", same as the one
above - in this case she kept the computer clean, but she had to logon
as Admin to run QuickBooks since it would not run as "XXXX" user as a
limited account. She gave up things like the online game site POGO since
it would not install/run as a limited account, and she's basically used
the computer for QB, Browsing the web in IE HS Mode (which breaks many
sites) and for email.....

So, your story about the CSO/CTO is great, they appreciate that you've
(Microsoft) taken a "Responsible" step, but what you didn't report is
how many malware were removed from their networks by the MSRT.

We all agree, the MSRT is a 'Responsible' step from Microsoft, but it's
a day late and a $1 short. The problem is the OS lack of security
against malware and a tool like the MSRT is not preventing anything,
only reacting AFTER the compromise.

Again, my company provides MS platform solutions all over the USA and
India, we secure our networks and systems against threats and have
managed to never have a compromised system on any of our managed
networks. I am not a Linux advocate, don't believe it's ready for the
masses, but I also see LOTS of compromised non-client systems and home
systems each year, all of which would not have been compromised if MS
had just bitten the bullet and changed the foundation to a more secure
platform instead of trying to remain compatible.

In "My" experience I've yet to see that MSRT clean a system, and I know
this because after running it I can still experience problems that are
cleaned up by other tools - SBS&D, Symantec, MBAM, Multi-AV, even
registry edits manually.

I'm not here to argue with you, don't take it that way, but you've not
posted anything to contradict my statement. You've only posted that
people think the MSRT is a great step, that it's removed malware, but
you've not posted all the information that would be needed to show that
it's a good tool.

