
Microsoft launch Microsoft Security Essentials

  • Thread starter Scottish Business Owner
Scottish Business Owner

New Member
It's very strange for Microsoft to launch anything that is free but these security tools actually ARE!!!

It's an interesting move for Microsoft, moving into the free security market alongside AVG and Avast etc.

BBC NEWS | Technology | Microsoft launches free security

I just wonder if anyone is planning on using it or, if anyone has, what their thoughts are. I know we have a few IT people on here as well so it would be good to know their thoughts :)
 
Lanarkshire IT Services

New Member
Hi There

Will give it a try against some "stored" malware and see how it goes.

Apparently it's getting a good write-up.

Will let you know

Regards
 
stugster

Active Member
As the developers of the operating system and with access to the source code of it, you'd think they'd be able to develop a pretty sturdy and "working" security package.

This is their second attempt at releasing a successful security package, so I'm not going to be holding my breath in anticipation ;)
 
McVicar Marketing

New Member
It'll be worth a punt once it settles down properly. However, I always think security is one thing worth paying for - no point in having expensive IT without protecting me (which I learnt a few years ago when I was hacked and had to work my system back from a nasty 'Teletext' mode).

I now use Norton - which has a whole host of issues going on, but has the depth without the interface hassle and seems to like working with the McAfee my server uses (though it'd be great if HP would give me a choice on that!).

I know a lot of IT folks will shudder at the mention of Norton - and am open to any suggestions of thorough security which will work with Vista and an HP server. My Norton is up early next year, and am happy to fork out the pennies to protect my system.

Does make you wonder what on earth Mr Gates is up to. If it works, and stays free, it'll be a groundbreaker!
 
Lanarkshire IT Services

New Member
Hi There

I wouldn't touch Norton with a barge pole. Hopeless detection / removal rate and way behind others in real-time protection.

As you have a server, wouldn't you be better with a centralised AV / Malware / Spyware solution? i.e. one solution protecting both the server and clients. Though I suppose it depends on how many clients you have for it to be cost effective.

I think one of the best security moves anyone can make is to deploy MBAM corporate to clients. It is one of the best real time protection tools out there and highly recommended on professional malware removal forums.

I don't send a box out without it, even if it is the free version for home users.

Regards
 
Mike Lewis

New Member
A while ago, a pal told me I was mad not to have an anti-spyware app on my computer. I had been using the machine for at least five years, but it never occurred to me to do a spyware scan.

So I read the reviews, and they all said that the Microsoft product was the most effective (this was the original version of Windows Defender, which later became Microsoft Security Essentials).

I dutifully downloaded the program and ran a scan, and it reported no threats present. It also advised me to do a "deep scan", which promised to search really thoroughly for spyware that would evade most ordinary scans. I went ahead with this; it took over an hour, but still failed to find anything.

My point is this. This was a computer I had been using intensively for several years, including downloading all manner of evaluation software and shareware, and visiting websites without any particular precautions. I had never before run a spyware scan. And yet a deep scan by the best program on the market failed to find any problems.

So, are these programs incapable of finding any threats? Or is it possible that these threats don't really exist after all?

NOTE: I'm not talking about viruses here; they're a different animal completely.

Mike
 
Lanarkshire IT Services

New Member
A while ago, a pal told me I was mad not to have an anti-spyware app on my computer. I had been using the machine for at least five years, but it never occurred to me to do a spyware scan.

So I read the reviews, and they all said that the Microsoft product was the most effective (this was the original version of Windows Defender, which later became Microsoft Security Essentials).

I dutifully downloaded the program and ran a scan, and it reported no threats present. It also advised me to do a "deep scan", which promised to search really thoroughly for spyware that would evade most ordinary scans. I went ahead with this; it took over an hour, but still failed to find anything.

My point is this. This was a computer I had been using intensively for several years, including downloading all manner of evaluation software and shareware, and visiting websites without any particular precautions. I had never before run a spyware scan. And yet a deep scan by the best program on the market failed to find any problems.

So, are these programs incapable of finding any threats? Or is it possible that these threats don't really exist after all?

NOTE: I'm not talking about viruses here; they're a different animal completely.

Mike

Hi There

Maybe you were just lucky. Also, Windows Defender, by MS's own admission, was never the best anti-malware program around.

Anyway, malware is very real and removal can be very complex, with dedicated tools and knowledge of them required. Plus in-depth registry / services / process / ADS etc. experience.

I am about half way through an anti-malware course which I have been studying for months and I have to say it is extremely difficult. I thought I knew stuff too!

The techniques the malware writers use and the techniques to remove them are intense.

Ever tried to remove malware disguised as an MS system service or Alternate Data Stream (ADS), or deeply hidden in HKLM, or a BHO that won't budge? Plus many more weird and wonderful places that look legit to ordinary scanners.

Believe me you need more than Windows Defender in today's world.

Regards
 
stugster

Active Member
Not necessarily just Windows Defender though. There are other anti-spyware and adware utilities that are just as effective at cleaning.

Having said that... I always recommend to clients that have infested computers that it's much better to do a full reinstall of their O/S. Working with Linux systems a lot of the time, you never really can tell if your machine is still secure if the malware has elevated to the kernel.

If the kernel has been compromised, game over.

The same actually applies to any O/S and without a comparison to original vendor release files, there's no real way of realising malware is active in some cases.

We always reinstall to be safe. In most cases, it's actually cheaper for the client to do this as well.
 
Lanarkshire IT Services

New Member
Not necessarily just Windows Defender though. There are other anti-spyware and adware utilities that are just as effective at cleaning.

Having said that... I always recommend to clients that have infested computers that it's much better to do a full reinstall of their O/S. Working with Linux systems a lot of the time, you never really can tell if your machine is still secure if the malware has elevated to the kernel.

If the kernel has been compromised, game over.

The same actually applies to any O/S and without a comparison to original vendor release files, there's no real way of realising malware is active in some cases.

We always reinstall to be safe. In most cases, it's actually cheaper for the client to do this as well.

Hi Buddy

Sorry but I have to disagree. Format and reinstall is a lazy / incompetent way out and most decent techs / malware specialists see it as defeat.

I understand that format / reinstall is clean etc but it's not for me and I don't recommend it.

Suppose your user has files / programs / data on there that they don't have elsewhere (most cases!). You will have to sit and put all that back on, get product keys, set up internet / email settings etc. etc.

"there's no real way of realising malware is active in some cases." - With a tool like Combofix / OTL malware can be detected anywhere in any state or form and removed.

Regards
 
stugster

Active Member
Sorry but I have to disagree.

Hi Mate,

Don't be sorry! I love a good debate.

I think there's two key points I'd make to defend my stance. Yes, on the whole, removing viruses/malware/etc. is easy and in most cases effective... but:

1) I would debate that the amount of time involved in backing up a computer, reinstalling the necessary O/S and Software and then reinstating the files is a guaranteed way of ensuring there are no viruses on it if done properly. Also, the time it takes to do this could potentially be less or the same amount of time it takes waiting on virus scanners, registry checks, and then the manual work involved in making changes to the system.

2) If you have a virus at kernel level, it really is game over. There is no software that runs above the kernel, so whatever is running at kernel level only has to prevent the lower processes from functioning correctly and could easily lead to false negatives.

Malware is getting clever(er), and there are hundreds of variations of each strain. The programmers know what they're doing, and they know that by making changes at the kernel level, they win.

This kind of malware is able to intercept and change the way the Operating System works, the responses the O/S is giving, and the way software below communicates.

Unless your scanner is able to do a full scan with a clean kernel as its underlying base, you cannot guarantee that the scan is going to be effective.

I do agree that if you were to remove a hard disk and scan it using a different machine (i.e. a known clean o/s) then yes, this is effective. But scanning or attempting to remove malware on a live compromised system isn't guaranteed to be effective.

Also, if it's a business, the backup process shouldn't be an issue at all. They should have regular backups created externally, and they should have images of their machines to load the software, drivers, and o/s back on in a matter of minutes.

And lastly... If you run a business and you're infested with a virus, how much would you trust that computer after it had been 'cleaned'? <-- this point may be paramount above and beyond any of the technical aspects of the other points I've (tried) to make
 
Lanarkshire IT Services

New Member
OK a debate it is then lol!

First of all, I cannot agree with the "format and reinstall" method either saving the customer money or being efficient. Suppose you have a server with an AD structure, shares, Exchange, IP addressing schemes, group policies etc. and it gets infected with malware.

To format and reinstall all this to the way it was / should be will take days if not weeks with a hell of a downtime for the business. Downtime equaling cost.

A malware removal job now becomes an IT consultancy project which could have been fixed in 20 mins using even HJT.

Next

This kernel level virus you refer to - there is NO such thing. I think what you are referring to is rootkit technology, which is only a technology that can be exploited to allow viruses / malware to run at kernel level.

Again easily fixed with decent rootkit tools.

That's my rant for today.

Regards
 
Canary Dwarf

New Member
Hi There

I wouldn't touch Norton with a barge pole. Hopeless detection / removal rate and way behind others in real-time protection.

As you have a server, wouldn't you be better with a centralised AV / Malware / Spyware solution? i.e. one solution protecting both the server and clients. Though I suppose it depends on how many clients you have for it to be cost effective.

I think one of the best security moves anyone can make is to deploy MBAM corporate to clients. It is one of the best real time protection tools out there and highly recommended on professional malware removal forums.

I don't send a box out without it, even if it is the free version for home users.

Regards

Glad I'm not the only one. Customers do look at me oddly when I advise them to remove Norton and put on something better, particularly on new PCs.
 
stugster

Active Member
Re the comment about the server. To a certain degree, yes, I agree with you. Removal of the malware may be much more cost effective. My points about it being quicker to reinstall the O/S were based on the assumption the malware infected a desktop computer of a worker.

In terms of you saying that there's no such thing as Kernel Malware, you need to read up on this a bit.

In 1999 we had the WinNT/Infis Kernel-mode malware for Windows-NT based machines. In 2003 Virus.Win32.Chatter appeared.

The number of kernel-based malware samples is increasing.

It's not common for kernel-based malware to go around, but how do you know it's not on your system when you get infected? One other example of spyware based malware is Trojan.Win32.Crypt.t (Symantec calls it Spyware.Apropos.C).

As I said, it's not easy to get to the most privileged "ring 0" mode in a kernel, but once it's there, you're stuffed.

Another thing you should remember is that rootkits aren't just there to give someone root. Once the person owns the machine, they want to achieve something. It may be they want to use you to launch DDoS attacks on other networks/clients (DDoS Detection and Mitigation is actually my Honours Thesis), but there are other instances where they just want to spy. Look at Haxdoor in 2006 for example.

Haxdoor is possibly the best known example of kernel-mode code that makes detection and removal difficult - although not impossible! Without the ability to compare every single O/S file on the machine against its MD5 signature hash, you've got no chance of detection. It injects payload into all new running processes (Like your anti virus, your malware removal tool, etc.) and prevents you from getting clear cut responses.

Then we've got the daddy of them all. Mailbot. (And of course, the variants).

Brilliant paper that summarises it well is here: www.f-secure.com/weblog/archives/kasslin_AVAR2006_KernelMalware_paper.pdf
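The file-comparison approach described above (checking every O/S file against a known-good hash) and the bootable CD / USB approach raised later in the thread both come down to verifying a volume from outside the possibly compromised kernel. The following is an added example, not code from the forum or from any vendor, showing that comparison in Python against a manifest of vendor hashes; it uses SHA-256 rather than the MD5 the post mentions, and the sample files, paths and hashes are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash one file in chunks so large system files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(text: str) -> dict:
    """Parse 'hexdigest  relative/path' lines (the sha256sum output format)."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, _, rel = line.partition("  ")
            manifest[rel.strip()] = digest.lower()
    return manifest


def verify_tree(root, manifest: dict) -> dict:
    """Walk an offline-mounted volume and classify every file against the manifest."""
    root = Path(root)
    seen, modified, unexpected = set(), [], []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            seen.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                unexpected.append(rel)   # not in the vendor manifest: investigate
            elif sha256_of(p) != expected:
                modified.append(rel)     # known file whose content has changed
    return {"modified": modified, "missing": sorted(set(manifest) - seen),
            "unexpected": unexpected}


def demo() -> dict:
    """Constructed sample volume (not real Windows content): one intact file,
    one tampered file, one extra file, and one manifest entry with no file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32" / "drivers").mkdir(parents=True)
        (root / "system32" / "kernel.bin").write_bytes(b"vendor kernel image")
        (root / "system32" / "drivers" / "disk.sys").write_bytes(b"patched by something")
        (root / "system32" / "drivers" / "extra.sys").write_bytes(b"unknown driver")
        manifest = load_manifest(
            f"{hashlib.sha256(b'vendor kernel image').hexdigest()}  system32/kernel.bin\n"
            f"{hashlib.sha256(b'vendor disk driver').hexdigest()}  system32/drivers/disk.sys\n"
            f"{hashlib.sha256(b'vendor net driver').hexdigest()}  system32/drivers/net.sys\n")
        return verify_tree(root, manifest)
```

Run it against a volume mounted read-only from a clean boot environment, with a manifest generated from vendor install media; a result produced from inside the infected O/S is only as trustworthy as the kernel that answered the reads.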
 
Lanarkshire IT Services

New Member
"you need to read up on this a bit"

M8 that paper is 3 years old - a lot has changed since then.

Are you using your own knowledge or Google to prove me wrong?

Drop your eyes down to GMER - Rootkit Detector and Remover

Regards
 
stugster

Active Member
Yes, a lot has changed, but the underlying concept of how computers operate hasn't. The point is, the malware at kernel level cannot be easily removed because it is the malware that is in control. No matter what software or service you install or run on that machine, the malware still owns you.
 
Lanarkshire IT Services

New Member
Yes, a lot has changed, but the underlying concept of how computers operate hasn't. The point is, the malware at kernel level cannot be easily removed because it is the malware that is in control. No matter what software or service you install or run on that machine, the malware still owns you.

OK I don't agree.

ALL malware CAN be removed. The trick is identifying it and applying the appropriate tool. We're not talking an AVG scan in safe mode here.

Anyway, I'm not going to spend any more time on this. It's like 2 kids trying to prove who's right.

So the next time you have a malware infested system or this so called "kernel malware" problem. Give me a shout. I'll send you some tools and you can post me the logs and I'll propose a fix.

You can even use a test box with no AV / malware software installed and download some torrents etc. and it's bound to get infected.

Nothing like getting practical.

Regards
 
stugster

Active Member
It's like 2 kids trying to prove who's right.

But you know it's me ;)


Nah, you're right, we'll never agree :) Let's leave it at that mate!

I would send you the log files, but the whole point of the malware being at kernel level is that the logs would be useless.
 
Lanarkshire IT Services

New Member
ARRRRGH

Use a bootable CD / USB to produce the logs, as the OS isn't even running, so readings WILL be accurate.

Regards
 