Windows 7 Forums
Windows 7: MSE worries


16 Oct 2013   #21

Microsoft Community Contributor Award Recipient

Win 7 Pro 64-bit

Quote: Originally Posted by UsernameIssues
I'm not a fan of MSE - but I still install it on most every computer that I support (and that is quite a few). MSE is easy on the resources and it gets along with other software. In particular, software that installs low level file filters like online backup apps.

What I really do not like about MSE is its heuristics. It lets stuff happen that should never happen. It should at least ask the user if it is okay to add a shell app to this key:
Code:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
I've been playing with a ransomware file for about a week now. I used Process Monitor to watch it infect an isolated virtual machine. MSE was fine with the download and the infection process. Uploading that tiny infected file to Google's Virustotal showed AVAST was okay with it, as was Malwarebytes. [A scan via Virustotal does not have any heuristics involved - so it is not a way to rate antivirus tools.]

I've been playing with malware like this for many years now and I have a feel for how the major AV tools work. AVAST flagged the ransomware file during the infection process (based on heuristics). As of this post, MSE is still fine with me installing this ransomware on a computer that it is "protecting".

Before MSE was around, I installed AVAST and AVG on lots of computers that I support. I stopped using AVG when they started loading their signature list into the SYSTEM process. This was crippling weaker hardware.

If AVAST would stop requiring repeated registration, I might use them for most of those that I support. My elderly users have incorrectly blamed that registration process for an uptick in SPAM and/or they call me to help them complete the annual re-registration :-(
Interesting information. Did you happen to report this to either the Microsoft Malware Protection Center or the Microsoft Security Response Center? If yes, did they have any comments?

Microsoft Malware Protection Center Home Page

Microsoft Security :: MSRC (Microsoft Security Response Center) | Security vulnerability

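The quoted post describes watching the infection with Process Monitor. As an added example (my code, not code from the thread, from Sysinternals or from Microsoft), here is a PowerShell triage of a Procmon CSV export that pulls out successful RegSetValue writes to the Winlogon Shell value discussed above, and to the neighbouring Userinit value, under any hive. It assumes Windows PowerShell 3.0 or later and Procmon's default export columns ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"); the log lines below are constructed, not a real capture:

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 3.0+ and a
# Procmon CSV export with the default columns (an assumption; adjust if your
# export uses different columns).

# Registry value paths worth alerting on; matched case-insensitively on the tail
# so HKLM\..., HKCU\... and HKU\<sid>\... all match.
$WatchedPaths = @(
    '\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell',
    '\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit'
)

function Find-ShellHijackWrites {
    param([string]$CsvPath)
    $hits = @()
    foreach ($row in Import-Csv -Path $CsvPath) {
        # Only completed writes matter; queries and failed writes are noise here.
        if ($row.Operation -ne 'RegSetValue' -or $row.Result -ne 'SUCCESS') { continue }
        foreach ($suffix in $WatchedPaths) {
            if ($row.Path.ToLower().EndsWith($suffix.ToLower())) {
                # Procmon's Detail column reads "Type: REG_SZ, Length: N, Data: <value>"
                $data = if ($row.Detail -match 'Data:\s*(.*)$') { $Matches[1] } else { $row.Detail }
                $hits += [pscustomobject]@{
                    Time      = $row.'Time of Day'
                    Process   = $row.'Process Name'
                    ProcessId = $row.PID
                    Path      = $row.Path
                    NewData   = $data
                }
            }
        }
    }
    return $hits
}

# Constructed sample log (not a real capture), written to a temp file so the
# function runs stand-alone. Point -CsvPath at a real Procmon export instead.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:02.1234567 AM","explorer.exe","1820","RegQueryValue","HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","NAME NOT FOUND","Length: 144"
"10:15:09.9876543 AM","invoice_scan.exe","3304","RegSetValue","HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","SUCCESS","Type: REG_SZ, Length: 90, Data: C:\Users\alice\AppData\Roaming\svchost.exe"
"10:15:10.0000001 AM","invoice_scan.exe","3304","RegSetValue","HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 90, Data: C:\Users\alice\AppData\Roaming\svchost.exe"
'@
$tmp = Join-Path $env:TEMP 'procmon-sample.csv'
Set-Content -Path $tmp -Value $sample -Encoding UTF8

# Expected on the sample: one hit, the invoice_scan.exe write to HKCU\...\Winlogon\Shell.
Find-ShellHijackWrites -CsvPath $tmp | Format-List
```

The Run-key write in the sample is deliberately left out of $WatchedPaths to show that the filter is tail-matched per value, not per process; add further value paths to the list if you want the same pass to cover other persistence locations.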

17 Oct 2013   #22

W7 Pro SP1 64bit

I have made those submissions many times in the past. I had not done so for this file (until now). I stopped giving MS an e-mail address on those submissions because the automated replies were not very interesting. Sometimes I save a link to the submission status page and check back from time to time.

Another turn off to submitting such files to MS:
About a year ago, I submitted a file to MS and had it confirmed as bad. Months later, I scanned multiple variations of that same file using MSE and none of them were flagged as bad. The infection method and the registry keys being changed were the same. As far as I could tell, the only changes to the infection were the IP addresses that it talked to.

I will admit:
1) That was only one series of bad files that I watched to see if MS would make a heuristic rule for. But my opinion that MSE's heuristics are poor comes mostly from a direct comparison with other AV tools against the same infected file.

2) I'm not a professional programmer, so I might not understand when a heuristic rule can safely be implemented and when doing so would cause problems. But for the registry key mentioned in my last post, I really don't see why MS would let that happen without a warning. That method of starting a kiosk like shell is old. It does not require admin rights to write to that key, so a standard user can mess up his/her profile without knowing the admin password.

3) It is probably a waste of my time to download known infections just to play with them :-)
17 Oct 2013   #23

Win 7 Ultimate 64 bit

Quote: Originally Posted by UsernameIssues
...3) It is probably a waste of my time to download known infections just to play with them :-)
Not when it's educational. Even if not educational, if you enjoy doing so, then it's not a waste of your time. Thanks for sharing.


17 Oct 2013   #24

W7 Pro SP1 64bit

Quote: Originally Posted by UsernameIssues
~~~
2) I'm not a professional programmer, so I might not understand when a heuristic rule can safely be implemented and when doing so would cause problems. But for the registry key mentioned in my last post, I really don't see why MS would let that happen without a warning. That method of starting a kiosk like shell is old. It does not require admin rights to write to that key, so a standard user can mess up his/her profile without knowing the admin password.
~~~
Not to hijack this thread - but when I made those comments, I did not have time to dig up these references:

07 Jan 2013 - Mark Russinovich's Blog
Quote:
A growing number of ransomware samples modify HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (or the HKLM location), however, which both Safe Mode and Safe with Networking execute. Safe Mode with Command Prompt overrides the registry shell selection, so it circumvents the startup of the majority of today's ransomware and is the next fallback position:
17 Nov 2011 - Malware Protection Center
Quote:
Trojan:Win32/Ransom.FS modifies the system registry so that it automatically starts at every Windows start, even if Windows is restarted in Safe Mode:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Modifies value: "Shell"
From data: "explorer.exe"
To data: "<malware path and file name>"
That last one talks about HKLM vs. HKCU...
...but you see my point: MS knows this is an issue and does not warn when apps change that area. Maybe those of you that customize your OS can tell me if there is a good reason not to warn a user each time this area is changed?
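To make the question concrete, here is an added PowerShell audit (my example, not code from the thread, from Microsoft or from Sysinternals) that reads the values the quoted write-ups name: Shell, plus the neighbouring Userinit value, under both HKLM and HKCU, and the SafeBoot AlternateShell value that Safe Mode with Command Prompt falls back to. It reports anything that deviates from the stock defaults. It assumes Windows PowerShell 3.0 or later on a standard Windows install; the defaults in $Expected are assumptions to adjust for a deliberately customised (kiosk) build, and because a standard user can write to HKCU, any Shell or Userinit value there at all is reported:

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 3.0+ and
# stock defaults (assumptions; change $Expected for an intentionally customised image).
# Reading these keys needs no admin rights, so a standard user can run this.

$Expected = @{
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' = @{
        Shell    = 'explorer.exe'
        Userinit = 'C:\Windows\system32\userinit.exe,'
    }
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot' = @{
        AlternateShell = 'cmd.exe'
    }
}

# Per-user key: a stock profile carries no Shell/Userinit value here, and Windows
# honours a per-user value over the HKLM one, so any presence is worth a look.
$PerUserKey    = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$PerUserValues = @('Shell', 'Userinit')

function Get-WinlogonFindings {
    $findings = @()

    foreach ($key in $Expected.Keys) {
        if (-not (Test-Path $key)) {
            $findings += [pscustomobject]@{ Key = $key; Value = '(key)'; Actual = '<missing>'; Status = 'MISSING' }
            continue
        }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $Expected[$key].Keys) {
            $actual = $props.$name                     # $null when the value is absent
            $status = if ($null -eq $actual) { 'MISSING' }
                      elseif ("$actual".Trim() -eq $Expected[$key][$name]) { 'OK' }   # -eq is case-insensitive
                      else { 'SUSPECT' }
            $findings += [pscustomobject]@{ Key = $key; Value = $name; Actual = $actual; Status = $status }
        }
    }

    if (Test-Path $PerUserKey) {
        $props = Get-ItemProperty -Path $PerUserKey
        foreach ($name in $PerUserValues) {
            $actual = $props.$name
            if ($null -ne $actual) {
                $findings += [pscustomobject]@{ Key = $PerUserKey; Value = $name; Actual = $actual; Status = 'SUSPECT' }
            }
        }
    }
    return $findings
}

$results = Get-WinlogonFindings
$results | Format-Table -AutoSize
$bad = @($results | Where-Object { $_.Status -ne 'OK' })
"Entries needing attention: $($bad.Count)"
```

On a clean machine the table shows three OK rows and nothing from HKCU. Saving the output from a known-good state and diffing it after each scan gives exactly the warning the post is asking the AV for; a scheduled task running it at logon is enough for the small offices described in this thread.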
17 Oct 2013   #25

W7 Pro SP1 64bit

Quote: Originally Posted by Lady Fitzgerald
Quote: Originally Posted by UsernameIssues
...3) It is probably a waste of my time to download known infections just to play with them :-)
Not when it's educational. Even if not educational, if you enjoy doing so, then it's not a waste of your time. Thanks for sharing.
I have applied some of what I've learned in scripts that I write.
e.g.:
a script to block network traffic unless a password was entered
ways to keep kids from killing that script

I probably could have learned that stuff quicker from books; hence my wondering if such playing was a waste of time. But such playing is indeed entertaining :-)

Symantec's PC Tools antivirus was on the computers that ran that traffic blocking script of mine. PC Tools allows non-profits to use its AV app for free. AVG and AVAST charged non-profits. MSE was not around yet.

MSE has been on those computers for years now and I've had to clean up after several infections. Here are two from that office:
MSE's heuristics & Scareware
Trojan:Win32/FakeSysdef
I do understand the problem of keeping out new threats, but both of those infections were from threats that had been in the wild for months. A 3rd infection spread throughout the network and wiped exe files from the server. Fortunately for them, I had daily backups.

By the way, I had to remove TeamViewer from those computers. TV charges non-profits too.
17 Oct 2013   #26

Windows 7 Professional x64 Sp1

Thanks for sharing as well usernameissues
18 Oct 2013   #27

windows 7 premium home 64bit

Oh Dear!!!
Anyone care to throw me a line: I'm sinking fast here.
18 Oct 2013   #28

Microsoft Community Contributor Award Recipient

Win 7 Pro 64-bit

Quote: Originally Posted by urbanspaceman1
Oh Dear!!!
Anyone care to throw me a line: I'm sinking fast here.
Run several free on-demand scanners like Malwarebytes, Hitman Pro, ESET Online Scanner, Kaspersky TDSSKiller, etc. If all of these scans come back clean, create a system image. If you like MSE, continue using it. If MSE fails and your machine becomes infected, you can use the system image to restore it to a non-infected state. Then find a new AV.
18 Oct 2013   #29

windows 7 premium home 64bit

That makes sense: thank-you.
I have system images stored on a separate HDD along with BU of files etc.
Every time I make a significant addition to my system I will have to repeat the procedure but that is a good thing anyway because laziness interfered with me doing that in the past.
18 Oct 2013   #30

windows 7 premium home 64bit

I have another question however: are you implying I may not know I am harbouring malware or viruses?
Is it not always apparent?