MSE worries

Page 3 of 10

  1. Posts : 10,994
    Win 7 Pro 64-bit
       #21

    UsernameIssues said:
    I'm not a fan of MSE - but I still install it on almost every computer that I support (and that is quite a few). MSE is easy on the resources and it gets along with other software, in particular software that installs low-level file filters like online backup apps.

    What I really do not like about MSE is its heuristics. It lets stuff happen that should never happen. It should at least ask the user if it is okay to add a shell app to this key:
    Code:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    I've been playing with a ransomware file for about a week now. I used Process Monitor to watch it infect an isolated virtual machine. MSE was fine with the download and the infection process. Uploading that tiny infected file to Google's VirusTotal showed AVAST was okay with it, as was Malwarebytes. [A scan via VirusTotal does not have any heuristics involved - so it is not a way to rate antivirus tools.]

    I've been playing with malware like this for many years now and I have a feel for how the major AV tools work. AVAST flagged the ransomware file during the infection process (based on heuristics). As of this post, MSE is still fine with me installing this ransomware on a computer that it is "protecting".

    Before MSE was around, I installed AVAST and AVG on lots of computers that I support. I stopped using AVG when they started loading their signature list into the SYSTEM process. This was crippling weaker hardware.

    If AVAST would stop requiring repeated registration, I might use them for most of those that I support. My elderly users have incorrectly blamed that registration process for an uptick in SPAM and/or they call me to help them complete the annual reregistration :-(
    Interesting information. Did you happen to report this to either the Microsoft Malware Protection Center or the Microsoft Security Response Center? If yes, did they have any comments?

    Microsoft Malware Protection Center Home Page

    Microsoft Security :: MSRC (Microsoft Security Response Center) | Security vulnerability


  2. Posts : 10,485
    W7 Pro SP1 64bit
       #22

    I have made those submissions many times in the past. I had not done so for this file (until now). I stopped giving MS an e-mail address on those submissions because the automated replies were not very interesting. Sometimes I save a link to the submission status page and check back from time to time.

    Another turn off to submitting such files to MS:
    About a year ago, I submitted a file to MS and had it confirmed as bad. Months later, I scanned multiple variations of that same file using MSE and none of them were flagged as bad. The infection method and the registry keys being changed were the same. As far as I could tell, the only changes to the infection were the IP addresses that it talked to.

    I will admit:
    1) That was only one series of bad files that I watched to see if MS would make a heuristic rule for. But my opinion that MSE's heuristics are poor comes mostly from a direct comparison with other AV tools against the same infected file.

    2) I'm not a professional programmer, so I might not understand when a heuristic rule can safely be implemented and when doing so would cause problems. But for the registry key mentioned in my last post, I really don't see why MS would let that happen without a warning. That method of starting a kiosk like shell is old. It does not require admin rights to write to that key, so a standard user can mess up his/her profile without knowing the admin password.

    3) It is probably a waste of my time to download known infections just to play with them.


  3. Posts : 9,600
    Win 7 Ultimate 64 bit
       #23

    UsernameIssues said:
    ...3) It is probably a waste of my time to download known infections just to play with them
    Not when it's educational. Even if not educational, if you enjoy doing so, then it's not a waste of your time. Thanks for sharing.


  4. Posts : 10,485
    W7 Pro SP1 64bit
       #24

    UsernameIssues said:
    ~~~
    2) I'm not a professional programmer, so I might not understand when a heuristic rule can safely be implemented and when doing so would cause problems. But for the registry key mentioned in my last post, I really don't see why MS would let that happen without a warning. That method of starting a kiosk like shell is old. It does not require admin rights to write to that key, so a standard user can mess up his/her profile without knowing the admin password.
    ~~~
    Not to hijack this thread - but when I made those comments, I did not have time to dig up these references:

    07 Jan 2013 - Mark Russinovich's Blog
    A growing number of ransomware samples modify HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (or the HKLM location), however, which both Safe Mode and Safe with Networking execute. Safe Mode with Command Prompt overrides the registry shell selection, so it circumvents the startup of the majority of today's ransomware and is the next fallback position:
    17 Nov 2011 - Malware Protection Center
    Trojan:Win32/Ransom.FS modifies the system registry so that it automatically starts at every Windows start, even if Windows is restarted in Safe Mode:
    In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    Modifies value: "Shell"
    From data: "explorer.exe"
    To data: "<malware path and file name>"
    That last one talks about HKLM vs. HKCU...
    ...but you see my point: MS knows this is an issue and does not warn when apps change that area. Maybe those of you that customize your OS can tell me if there is a good reason not to warn a user each time this area is changed?
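The two posts above (#21 and #24) make the same point from two directions: the Winlogon "Shell" value is where this family of ransomware persists, it survives plain Safe Mode, and the HKCU copy can be written by a standard user. The PowerShell script below is an added example, not code from this thread, from Microsoft or from Mark Russinovich's blog. It audits the Shell and Userinit values in both hives against their clean defaults and then checks whether the current (non-admin) account holds SetValue rights on the HKCU key. It assumes Windows 7 or later with PowerShell 3.0 or newer; the expected Userinit data is derived from $env:SystemRoot rather than hard-coded to C:.

```powershell
# Added example (not from the thread, Microsoft or Russinovich's blog): audit the
# Winlogon "Shell" and "Userinit" values that ransomware is described above as
# overwriting. HKLM applies to every user; HKCU applies to the current user only.
# Assumes Windows 7+ with PowerShell 3.0 or later. Runs as a standard user:
# HKLM is readable, HKCU is readable and writable without an admin password.

$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# Clean defaults. HKLM normally carries both values; HKCU normally carries
# neither, so a Shell/Userinit value under HKCU is itself worth a look.
$expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"
}

function Get-WinlogonFindings {
    foreach ($path in $winlogonKeys) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $expected.Keys) {
            $data = $props.$name
            if ($null -eq $data) { continue }          # value absent (normal for HKCU)
            $inUserHive     = $path.StartsWith('HKCU')
            $matchesDefault = ($data.Trim() -ieq $expected[$name])
            [pscustomobject]@{
                Key        = $path
                Value      = $name
                Data       = $data
                Suspicious = (-not $matchesDefault) -or $inUserHive
            }
        }
    }
}

# Does the current account hold SetValue on the HKCU Winlogon key (or, if the
# key is missing, on the nearest existing parent, where it could create it)?
function Test-UserCanWriteWinlogon {
    $path = $winlogonKeys[1]
    while (-not (Test-Path $path)) { $path = Split-Path $path -Parent }
    $acl    = Get-Acl -Path $path
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User) + @($me.Groups)
    $setValue = [System.Security.AccessControl.RegistryRights]::SetValue
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }                           # unresolvable principal, skip
        if (($mySids -contains $sid) -and (([int]($ace.RegistryRights -band $setValue)) -ne 0)) {
            return $true
        }
    }
    return $false
}

$findings = Get-WinlogonFindings
$findings | Format-Table -AutoSize
if ($findings | Where-Object { $_.Suspicious }) {
    Write-Warning 'Non-default Winlogon Shell/Userinit data found; inspect the listed key.'
}
"Current user can set values under HKCU Winlogon: $(Test-UserCanWriteWinlogon)"
```

The script only reads; it does not "fix" anything, because a hijacked Shell value is usually just the persistence stub and the dropped binary still has to be found. On a machine that already boots into the ransomware screen, run it from Safe Mode with Command Prompt, which (as quoted above) ignores the registry Shell selection, so the audit runs before the malware does.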


  5. Posts : 10,485
    W7 Pro SP1 64bit
       #25

    Lady Fitzgerald said:
    UsernameIssues said:
    ...3) It is probably a waste of my time to download known infections just to play with them
    Not when it's educational. Even if not educational, if you enjoy doing so, then it's not a waste of your time. Thanks for sharing.
    I have applied some of what I've learned in scripts that I write.
    e.g.:
    a script to block network traffic unless a password was entered
    ways to keep kids from killing that script

    I probably could have learned that stuff quicker from books; hence my wondering if such playing was a waste of time. But such playing is indeed entertaining

    Symantec's PC Tools antivirus was on the computers that ran that traffic blocking script of mine. PC Tools allows non-profits to use its AV app for free. AVG and AVAST charged non-profits. MSE was not around yet.

    MSE has been on those computers for years now and I've had to clean up after several infections. Here are two from that office:
    https://www.sevenforums.com/system-se...scareware.html
    Trojan:Win32/FakeSysdef
    I do understand the problem of keeping out new threats, but both of those infections were from threats that had been in the wild for months. A 3rd infection spread throughout the network and wiped exe files from the server. Fortunately for them, I had daily backups.

    By the way, I had to remove TeamViewer from those computers. TV charges non-profits too.


  6. Posts : 4,566
    Windows 10 Pro
       #26

    Thanks for sharing as well usernameissues :)


  7. Posts : 332
    windows 7 premium home 64bit
    Thread Starter
       #27

    Oh Dear!!!
    Anyone care to throw me a line: I'm sinking fast here.


  8. Posts : 10,994
    Win 7 Pro 64-bit
       #28

    urbanspaceman1 said:
    Oh Dear!!!
    Anyone care to throw me a line: I'm sinking fast here.
    Run several free on-demand scanners like Malwarebytes, Hitman Pro, ESET Online Scanner, Kaspersky TDSSKiller, etc. If all of these scans come back clean, create a system image. If you like MSE, continue using it. If MSE fails and your machine becomes infected, you can use the system image to restore it to a non-infected state. Then find a new AV.


  9. Posts : 332
    windows 7 premium home 64bit
    Thread Starter
       #29

    That makes sense: thank-you.
    I have system images stored on a separate HDD along with backups of files etc.
    Every time I make a significant addition to my system I will have to repeat the procedure but that is a good thing anyway because laziness interfered with me doing that in the past.


  10. Posts : 332
    windows 7 premium home 64bit
    Thread Starter
       #30

    I have another question however: are you implying I may not know I am harbouring malware or viruses?
    Is it not always apparent?