Alerting - Malicious software removal tool

Discussion in 'Virus Information' started by Jeepn, Nov 25, 2008.

  1. Leythos Guest

    Steve, you wrote that "CSO's and CTO's.... 'commented that the MSRT is
    one of the most responsible things they've seen us do..."

    I agree, it's great that you, Microsoft, put out a tool to clean malware
    off your OS that you have spent years not securing against that malware.

    Don't get me wrong, I own a company that is a MS partner, sells MS based
    solutions, never had a compromised computer on any of our customers
    networks, and I've been doing this since the late 70's.

    The only compromised PC's we see are ones from improperly guarded
    networks and/or improperly guarded home networks (even if it's just a PC
    of one). Of those compromised machines, all of them were running Windows
    (mostly XP, but now even Vista), all had major brand AV software
    actively working, some had stopped using IE because of the risks and
    switched to Firefox or Opera, but, the key point is that all of them
    were being used by people that COULD have learned more and didn't
    because they thought they had done enough.

    I'll give you an example of what happens to many HOME users - a nice
    lady owned a computer, running Windows XP + SP2 (sp3 was not released
    yet), used MS Works, had a single account, administrator level logon
    (which is the default for most computers), 1 kid, about 8 years old,
    using the computer also. They could not get it to respond properly, pop-
    ups, etc.... I attempted to clean it, decided that after 5 passes with
    different tools that it was not worth the "Time" to "clean" it and wiped
    and reinstalled XP.

    I provided three accounts for them to use "Administrator" with password,
    "Mom" and "Son", M/S were limited user accounts. Set IE to high-security
    Mode, bought them a NAT Router (no inbound Port forwarding), installed
    all updates and patches. Installed AVG Free (and updates), and several
    manual scanners. Automatic Updates enabled. I explained that they should
    not use the Administrator account except in rare cases where "MOM"
    needed to install an application that she could not install from
    her/son's accounts, that they were NOT to run anything as the
    "Administrator" account.

    I got the computer back in two weeks, hosed again. The "Mom" had let the
    kid use the administrator account because he could not get his "Games"
    to run under his account, etc.... Needless to say, it was compromised
    again in less than two weeks because the OS, using MS Suggested High-
    Security settings would not provide the user with what they needed to
    run the programs that they wanted to use while protecting them from
    malware.

    I installed Ubuntu, OO, and set up email and Firefox for them; the machine
    has been used for almost a year now and it's doing all that they NEED,
    unable to play some of the games (online) that the kid wanted (since
    they need ActiveX), but the computer is STILL running smooth and no
    problems reported (and I check about once a month).

    While I was out of the state my mother-in-law bought a PC and her oldest
    son installed it for her - XP Home, all updates, bought a Linksys NAT
    appliance, but they didn't install it, connected directly to cable modem
    for internet - Windows Firewall enabled.... By the time I got back the
    PC wasn't working, bad things on the screen, etc... All the typical
    signs of being hacked. The MS Firewall had default holes for
    File/Printer sharing set up by Dell, and software installed more holes
    for itself to use... Wiped her machine, installed NAT Router, set up
    three accounts "Admin", "XXXX" (her name), "Visitors", same as the one
    above - in this case she kept the computer clean, but she had to logon
    as Admin to run QuickBooks since it would not run as "XXXX" user as a
    limited account. She gave up things like the online game site POGO since
    it would not install/run as a limited account, and she's basically used
    the computer for QB, Browsing the web in IE HS Mode (which breaks many
    sites) and for email.....

    So, your story about the CSO/CTO is great, they appreciate that you've
    (Microsoft) taken a "Responsible" step, but what you didn't report is
    how many malware were removed from their networks by the MSRT.

    We all agree, the MSRT is a 'Responsible' step from Microsoft, but it's
    a day late and a $1 short. The problem is the OS's lack of security
    against malware, and a tool like the MSRT is not preventing anything,
    only reacting AFTER the compromise.

    Again, my company provides MS platform solutions all over the USA and
    India, we secure our networks and systems against threats and have
    managed to never have a compromised system on any of our managed
    networks. I am not a Linux advocate, don't believe it's ready for the
    masses, but I also see LOTS of compromised non-client systems and home
    systems each year, all of which would not have been compromised if MS
    had just bitten the bullet and changed the foundation to a more secure
    platform instead of trying to remain compatible.

    In "My" experience I've yet to see the MSRT clean a system, and I know
    this because after running it I can still experience problems that are
    cleaned up by other tools - SBS&D, Symantec, MBAM, Multi-AV, even
    registry edits manually.

    I'm not here to argue with you, don't take it that way, but you've not
    posted anything to contradict my statement. You've only posted that
    people think the MSRT is a great step, that it's removed malware, but
    you've not posted all the information that would be needed to show that
    it's a good tool.
     
    Leythos, Nov 28, 2008
    #41

  2. Geoff Guest

    A very typical scenario. But the real security breach was the humans. The
    mother let the kid use the administrator account and he was the source of
    the original infection. You failed to analyze the root cause and correct it
    on the first iteration.

    The money they spent on your fixes would have been better spent on a new
    computer for her and letting the kid use the old one with a reinstalled OS.
    So you installed an OS that neither of them understand and I'll bet you
    didn't give them the root access password so neither of them can get very
    far. You would have done just as well reinstalling XP and denying them the
    administrator password.
     
    Geoff, Nov 28, 2008
    #42

  3. Leythos Guest

    No, I clearly understood the root cause - users that don't want to be
    locked down or "will not be" locked down. Users that want the freedom to
    use their computers to have fun.
    It's not my computer, so the mother has the ROOT password, she has to
    have it in order to apply updates - Ubuntu needs root access to do
    updates. Your solution is not viable, not giving the password, in the
    real world.

    I didn't charge them, don't charge home users to fix their system.

    So, again, YOU missed the real root cause:

    1) Root cause of compromised computers - OS with exploits and holes that
    can't be closed while allowing the masses to easily use their computers
    without LOTS of extra effort that most are not willing to put out.

    2) Humans that are not willing to use their computers in the MS
    recommended HIGH-Security settings mode, since most vendors' apps for
    residential users won't install or run while HS mode is in use.

    I was actually hoping that MS would abandon the legacy idea when they
    came out with Vista - all of the crap they put into it to look pretty,
    to require Core 2 processors with 2GB ram, and 512MB video cards just to
    have a machine that performs as well as the 2.5Ghz P4, 512MB RAM, and a
    128MB video card, but they failed again on changing the OS to be secure.

    We've all seen Vista machines compromised by the same crap that hits our
    XP machines, and yeah, it's great that MS is trying to clean up the mess
    that gets ISP's residential networks black-listed for spamming/zombies,
    but they didn't address the core problem - THE OS ITSELF.

    I would be willing to pay $400 for a new 3 CAL license of XYZ OS from MS
    if they could keep the pretty stuff, find a way to run Office 2003
    (since 2007 is so dang bad) and to play the 1 or 2 games that I like -
    having it spawn them in a VM so that it's destroyed after the session
    ends, but only if they could ELIMINATE the threats for most users.

    Before you reply, consider your idea of the root cause against what Mac
    and Linux people have, and look at how some of them run as ROOT and
    don't experience the issues that masses of Win people experience.

    So, would the MSRT have prevented any of this - nope, would it have
    completely cleaned their machines - nope. So, we're back to the idea
    that the MSRT is not effective.
     
    Leythos, Nov 28, 2008
    #43
  4. The big problem is the users, they want to be connected but don't
    understand the risks. And some businesses choose to ignore them.

    The end users just want a machine that is cheap and works, they really
    don't want to pay a premium.

    Otherwise they would either learn or pay someone else to admin the box.

    The malware protection companies are no better because they really don't
    provide much information past the marketing spew.

    You had a user bypass the security, can't really blame MS for this one
    unless it was an MS game.

    How about using Wine to run IE or setting up a virtual machine?

    Sounds like Intuit needs to work on their install program, or maybe do
    the install in an area that the user has full rights to.

    How about troubleshooting the problem with Sysinternals utilities and/or
    LUA Buglight
    <http://blogs.msdn.com/aaron_margosis/archive/2006/08/07/LuaBuglight.aspx>

    When I set up a computer I ask the user(s) to make a list of programs
    required and then test before the job is considered complete.

    I don't believe that is the main use of the program.

    From http://www.microsoft.com/security/malwareremove/families.mspx:

    The Microsoft Windows Malicious Software Removal Tool removes specific,
    prevalent malicious software families from computers running compatible
    versions of Windows. Microsoft releases a new version of the tool on the
    second Tuesday of every month, and as needed to respond to security
    incidents.

    It would be really interesting if mrt could identify more info about
    the box it helped fix:

    - patch status
    - installed anti-malware software (and update status)

    Maybe some of the concerns will be helped by the free AV MS is releasing,
    though from earlier testing it appears it could use some work.

    John
     
    John Mason Jr, Nov 28, 2008
    #44
  5. Leythos Guest

    I think the issue is more two issues:

    1) Insecure OS that hasn't fixed the problems because MS is afraid they
    will take a hit (sales) if they don't support older applications, so
    they keep producing an OS/Versions that have the same fatal flaw.

    2) Users that think of computers as appliances.

    With that in mind, why shouldn't users think of their computers as
    appliances? If the OS was secure it would be just another appliance.

    User "Didn't bypass" security, they used the computer in a normal
    manner. It's normal to install applications as Administrator, and it's
    "normal" to run many applications as Administrator since they won't run
    as a limited user.

    So, again, the flaw is in the OS, allowing itself to be compromised.
    If I can't make them understand simple things I'm sure not going to get
    them to understand Wine. If I was going to go that route I would have
    installed Fedora.
    It's been that way for many years, many, and there are hacks, but
    nothing a typical masses type user is going to learn/do.

    [snip]
    Yes, so do we, and with most MS systems we even image the drive and put
    it on DVD(s) so that we can restore it to like-new status for people
    that we support (home computers) so that it's easier to rebuild when
    they screw it up again :)
    [snip]

    And I agree, but it's still a day late and a $1 short. Why build
    something to fix the compromise AFTER you know it's going to happen
    instead of creating a tool that protects the users in real time.
    [snip]

    It would be more interesting to see if the money they have invested in
    the MSRT was worth it - and the only way to know if it was worth
    anything is to know how much it fixed vs how much it didn't fix.

    Since all we have is marketing hype, like NAT router vendors calling
    their hardware a "Firewall", we don't really know how good the MSRT is,
    except that most of us never see it find/fix anything.
     
    Leythos, Nov 28, 2008
    #45
  6. 1PW Guest

    Hello Dave:

    I know you were trying to be helpful. However, this was a follow-up to
    Steve Riley's post.

    I've read what you read. I am not quite ready to accept the above on
    its face value just yet. However, my mind will remain open.

    Let's let Mr. Riley expand on this, if he's a mind to.

    Thank you though Dave. Mr. Riley: If you would sir. Thank you.
     
    1PW, Nov 28, 2008
    #46
  7. From: "1PW" <>

    | Hello Dave:

    | I know you were trying to be helpful. However, this was a follow-up to
    | Steve Riley's post.

    | I've read what you read. I am not quite ready to accept the above on
    | its face value just yet. However, my mind will remain open.

    | Let's let Mr. Riley expand on this, if he's a mind to.

    | Thank you though Dave. Mr. Riley: If you would sir. Thank you.

    | --
    | 1PW

    Would be even better if Mr. R. Treit (Microsoft) would post some information. I haven't
    communicated with him since 11/'05.

    I don't know if Steve Riley works with Mr. Treit or not.
     
    David H. Lipman, Nov 28, 2008
    #47
  8. But if the individual is running as root/admin privs then they must
    accept some level of responsibility.

    Though I do agree MS does have some level of responsibility, mostly by
    omission, not making it clear to the new user where they could be vulnerable.

    The other software manufacturers should also bear part of the blame for
    not properly configuring their programs to run with an appropriate level
    of privileges.

    John

    <snip>
     
    John Mason Jr, Nov 28, 2008
    #48
  9. From: "John Mason Jr" <>


    | But if the individual is running as root/admin privs then they must
    | accept some level of responsibility.

    | Though I do agree MS does have some level of responsibility, mostly by
    | omission, not making it clear to the new user where they could be vulnerable.

    | The other software manufacturers should also bear part of the blame for
    | not properly configuring their programs to run with an appropriate level
    | of privileges.

    | John

    Don't forget the fact that if there is a vulnerability that can be exploited with a buffer
    overflow, an elevation of privileges will allow malware to be installed even with a
    Limited User Account (LUA).
    { Albeit it was mentioned in this thread the malware targeted by MRT is usually installed
    via Social Engineering (human exploitation) and not the software vulnerability/exploit
    vector }
     
    David H. Lipman, Nov 29, 2008
    #49
  10. True, it would be nice if software ran with appropriate privs and was
    written securely.

    That will only happen when customers start requiring it in purchasing
    contracts and RFPs.

    John
     
    John Mason Jr, Nov 29, 2008
    #50
  11. | I'm not here to argue with you, don't take it that way, but you've not
    I don't think either one of us is here to argue with the other. You describe
    a few instances of where users have gotten themselves infected with malware,
    which leads you to claim that the tool is completely useless. Yet the data
    from the SIR shows the tool is very effective at what it does. I fail to see
    what else is required to meet anyone's definition of "good tool." If by
    "good" you mean "perfect" -- that is, capable of eliminating all malware --
    then your expectations are too high. If by "good" you mean "unnecessary"
    because all operating systems, all applications, and all users are free of
    vulnerabilities -- then your expectations are beyond realistic. All these
    are impossible tasks.

    Again, the data in the SIR contradict your assertions. A chart on page 53
    compares, by Windows type, the number of computers cleaned per 1000 MSRT
    executions. Page 138 tabulates the numbers. Windows XP RTM shows 33.8,
    Windows XP SP 3 shows 9.2, Windows Vista RTM shows 4.9, Windows Vista SP1
    shows 4.5. If we "failed again" to make the OS secure, if "the same crap"
    that infected XP also attacked Vista, wouldn't the numbers for Vista be
    equivalent to those for XP?

    Anecdotes are not data. Your few instances of machines getting infected
    can't compare to the data reflecting research across tens of millions of
    computers.

    --
    Steve Riley

    http://blogs.technet.com/steriley
    Protect Your Windows Network: http://www.amazon.com/dp/0321336437
     
    Steve Riley [MSFT], Nov 29, 2008
    #51
  12. Pete, what is it about the SIR's explanation regarding geographic
    distribution that you aren't ready to accept? My own work with customers in
    various countries around the world tends to support the paragraph Dave
    quoted.

    --
    Steve Riley

    http://blogs.technet.com/steriley
    Protect Your Windows Network: http://www.amazon.com/dp/0321336437
     
    Steve Riley [MSFT], Nov 29, 2008
    #52
  13. 1PW Guest

    Hello David:

    Might that be Randy Treit? Just Googling
    gave me that.

    I'm fascinated by the difference in country statistics from the SIR
    world map. Apart from some difficulties, brought about by language
    barriers, I can't yet understand why Finland's stats differ from Sweden
    or Norway. Or why the Netherlands' stats are better than those of the
    U.S. That's only a few of so many comparisons that beg further
    explanation.

    Should we be snapping up firewalls, routers, and anti-malware products
    from Japan and Taiwan? Are the governments of Taiwan and Japan holding
    a much tighter grip on their population's Internet access?

    I would love to read an intelligent discourse, but I'm afraid it would
    soon degenerate into some of the poorly chosen phrasing we see almost
    every day here. Pity.

    A belated Happy Thanksgiving to you David, and to all who come our way.

    Pete
     
    1PW, Nov 29, 2008
    #53
  14. 1PW Guest

    Hello Steve:

    Thank you for taking time for a response.

    If one wishes to just compare developed countries, what is it about
    Japan's and Taiwan's security products that would seem to leave them
    much better protected than those of other developed countries?

    In actual and real world practice, are we in the USA much less likely
    to employ effective computer protection than those users in Finland or
    the Netherlands?

    Are folks in Canada and Australia more likely to be more security aware
    when compared to the folks in Greenland? Malware doesn't know what a
    political boundary is. Malware succeeds where computers aren't used
    properly, nor well protected and well maintained. Malware is therefore
    opportunistic.

    Perhaps some of the other developed nations have better education
    programs for their computer users. However, well intentioned use must
    be matched with the proactive use of fine after market protective
    applications, hardware, and keen attention to patches, updates and
    upgrades.

    I promise to keep my mind as open as can be. Thank you again sir.

    Pete
     
    1PW, Nov 29, 2008
    #54
  15. From: "1PW" <>

    | Hello David:

    | Might that be Randy Treit? Just Googling
    | gave me that.

    | I'm fascinated by the difference in country statistics from the SIR
    | world map. Apart from some difficulties, brought about by language
    | barriers, I can't yet understand why Finland's stats differ from Sweden
    | or Norway. Or why the Netherlands' stats are better than those of the
    | U.S. That's only a few of so many comparisons that beg further
    | explanation.

    | Should we be snapping up firewalls, routers, and anti-malware products
    | from Japan and Taiwan? Are the governments of Taiwan and Japan holding
    | a much tighter grip on their population's Internet access?

    | I would love to read an intelligent discourse, but I'm afraid it would
    | soon degenerate into some of the poorly chosen phrasing we see almost
    | every day here. Pity.

    | A belated Happy Thanksgiving to you David, and to all who come our way.

    | Pete

    | --
    | 1PW

    Yes... That would be Randy Treit :)
    Back in '05 when I was communicating with him he was the "Program Manager, Security
    Technology Unit" of Microsoft.

    Same to you Pete and your family.
     
    David H. Lipman, Nov 29, 2008
    #55
  16. From: "1PW" <>


    | Hello Steve:

    | Thank you for taking time for a response.

    | If one wishes to just compare developed countries, what is it about
    | Japan's and Taiwan's security products that would seem to leave them
    | much better protected than those of other developed countries?

    | In actual and real world practice, are we in the USA much less likely
    | to employ effective computer protection than those users in Finland or
    | the Netherlands?

    | Are folks in Canada and Australia more likely to be more security aware
    | when compared to the folks in Greenland? Malware doesn't know what a
    | political boundary is. Malware succeeds where computers aren't used
    | properly, nor well protected and well maintained. Malware is therefore
    | opportunistic.

    | Perhaps some of the other developed nations have better education
    | programs for their computer users. However, well intentioned use must
    | be matched with the proactive use of fine after market protective
    | applications, hardware, and keen attention to patches, updates and
    | upgrades.

    | I promise to keep my mind as open as can be. Thank you again sir.

    | Pete

    | --
    | 1PW

    Maybe it isn't their security software but culture and philosophy that makes them practice
    Safe Hex better than Westerners.
     
    David H. Lipman, Nov 29, 2008
    #56
  17. Leythos Guest

    Maybe it's not their products, but that they are better protected by
    their ISP's?

    If you were to look at my clients, their MSRT would show nothing, yet
    they are protected and don't have malware on their systems.
     
    Leythos, Nov 29, 2008
    #57
  18. Leythos Guest

    Not really, since the default user level account is also an Admin level
    account in XP and before XP.
    You need to think back, farther, to the start of the problem - the OS
    was designed to make it EASY to work with, easy for users, easy to
    manage, not to be secure as the first priority - that's the flaw that
    they have maintained from early versions.
    Yes, but MS enables them to maintain that problem by making the default
    account an Administrator.
     
    Leythos, Nov 29, 2008
    #58
  19. Leythos Guest

    [snip]
    How many malware were left on/in those machines? Without that number
    your stat is meaningless.

    What this means is that, based on my experience, the MSRT does little
    to actually "Clean" a machine. By clean, let's be clear, I mean that it
    removes all malware from the machine.

    Claiming that a tool is good because it removes malware while leaving X
    items of malware still on the system is a misrepresentation of the
    quality of the tool.
    But it is valid - if we take the MSRT and run it on a compromised
    machine, having it claim the machine is clean, then we run several other
    anti-malware tools that show the machine to remain seriously
    compromised, doesn't that indicate that the "Data" you are interpreting
    as showing MSRT to be a good tool is seriously flawed?
     
    Leythos, Nov 29, 2008
    #59
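The numbers argued over in #51 (Steve Riley's "computers cleaned per 1000 MSRT executions" from the SIR) and in #59 (Leythos's point that the figure is meaningless without knowing how many machines stayed infected) can be put into one small calculation. The block below is an added worked example; it is not code from the thread, from Microsoft, or from the SIR, and every count in it is constructed for illustration (chosen so that the per-1000 results happen to land on the 9.2 and 4.5 quoted in #51). It goes slightly beyond the thread by attaching a Wilson score interval to each rate, so that two Windows versions can be compared honestly, and by computing the "residual infections per 1000 executions" figure that #59 asks for.

```python
from math import sqrt

# Constructed sample counts (NOT figures from the SIR or from this thread):
#   executions : MSRT runs reported for that Windows version
#   cleaned    : runs in which MSRT removed at least one targeted family
#   residual   : runs after which a second-opinion scanner still found malware
SAMPLE_COUNTS = {
    "Windows XP SP3":    {"executions": 50000, "cleaned": 460, "residual": 600},
    "Windows Vista SP1": {"executions": 40000, "cleaned": 180, "residual": 120},
}


def per_1000(count, executions):
    """Normalise a raw count to 'per 1000 executions', the unit the SIR chart uses.
    Raw counts are not comparable because XP had far more installs than Vista."""
    if executions <= 0:
        raise ValueError("executions must be positive")
    return 1000.0 * count / executions


def wilson_interval(successes, n, z=1.96):
    """Wilson score interval for a proportion (95% at z=1.96).
    Used instead of the plain normal approximation because cleaning rates
    around 0.5% sit close to zero, where the normal interval misbehaves."""
    if n <= 0 or not 0 <= successes <= n:
        raise ValueError("need 0 <= successes <= n and n > 0")
    p = successes / n
    denom = 1.0 + z * z / n
    centre = (p + z * z / (2.0 * n)) / denom
    half = z * sqrt(p * (1.0 - p) / n + z * z / (4.0 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def cleaned_per_1000(counts, os_version):
    """The SIR-style headline figure for one Windows version."""
    c = counts[os_version]
    return per_1000(c["cleaned"], c["executions"])


def cleaned_per_1000_interval(counts, os_version):
    """95% interval around the cleaned-per-1000 figure."""
    c = counts[os_version]
    lo, hi = wilson_interval(c["cleaned"], c["executions"])
    return (1000.0 * lo, 1000.0 * hi)


def residual_per_1000(counts, os_version):
    """The number Leythos asks for: machines a second scanner still found
    infected, per 1000 MSRT executions. A high cleaned rate says little
    about effectiveness if this number is also high."""
    c = counts[os_version]
    return per_1000(c["residual"], c["executions"])


def rates_distinguishable(counts, os_a, os_b):
    """True when the two versions' 95% intervals do not overlap, i.e. the
    difference in cleaned-per-1000 is unlikely to be sampling noise."""
    a_lo, a_hi = cleaned_per_1000_interval(counts, os_a)
    b_lo, b_hi = cleaned_per_1000_interval(counts, os_b)
    return a_hi < b_lo or b_hi < a_lo


if __name__ == "__main__":
    for os_version in SAMPLE_COUNTS:
        lo, hi = cleaned_per_1000_interval(SAMPLE_COUNTS, os_version)
        print(f"{os_version:18} cleaned/1000 = {cleaned_per_1000(SAMPLE_COUNTS, os_version):5.1f}"
              f" (95% CI {lo:.1f}-{hi:.1f}),"
              f" residual/1000 = {residual_per_1000(SAMPLE_COUNTS, os_version):.1f}")
    print("XP SP3 vs Vista SP1 distinguishable:",
          rates_distinguishable(SAMPLE_COUNTS, "Windows XP SP3", "Windows Vista SP1"))
```

With the constructed counts the XP SP3 and Vista SP1 intervals are disjoint, so the gap between 9.2 and 4.5 per 1000 is not sampling noise; but the residual column is the one that answers #59, and a version with a low cleaned rate and a high residual rate would be evidence against the tool, not for it.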
  20. ~BD~ Guest

    Hello again, Pete. :)

    Thank you for your recent ........ 'understanding'
    You were correct - I was trying to be helpful!
    Perhaps you'd like to explore this organisation for clues

    Dave

    The WildList Organization collects monthly virus reports from anti-virus
    experts around the world. The data from the reports are compiled to produce
    The WildList - a list of those viruses currently spreading throughout a
    diverse user population. A virus that is reported by two or more of the
    WildList reporters will appear in the top-half of the list and is deemed to
    be 'In the Wild'.
    In recent times, the list has been used by Virus Bulletin and other
    anti-virus product testers as the definitive guide to the viruses found in
    the real world.

    An anti-virus product is expected to score 100% detection against this group
    of viruses. The WildList homepage can be found at http://www.wildlist.org.
     
    ~BD~, Nov 29, 2008
    #60