MSE worries

I'm not a fan of MSE - but I still install it on most every computer that I support (and that is quite a few). MSE is easy on the resources and it gets along with other software. In particular, software that installs low level file filters like online backup apps.

What I really do not like about MSE is its heuristics. It lets stuff happen that should never happen. It should at least ask the user if it is okay to add a shell app to this key:
Code:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
I've been playing with a ransomware file for about a week now. I used Process Monitor to watch it infect an isolated virtual machine. MSE was fine with the download and the infection process. Uploading that tiny infected file to Google's Virustotal showed AVAST was okay with it, as was Malwarebytes. [A scan via Virustotal does not have any heuristics involved - so it is not a way to rate antivirus tools.]

I've been playing with malware like this for many years now and I have a feel for how the major AV tools work. AVAST flagged the ransomware file during the infection process (based on heuristics). As of this post, MSE is still fine with me installing this ransomware on a computer that it is "protecting".

Before MSE was around, I installed AVAST and AVG on lots of computers that I support. I stopped using AVG when they started loading their signature list into the SYSTEM process. This was crippling weaker hardware.

If AVAST would stop requiring repeated registration, I might use them for most of those that I support. My elderly users have incorrectly blamed that registration process for an uptick in SPAM and/or they call me to help them complete the annual reregistration :-(

Interesting information. Did you happen to report this to either the Microsoft Malware Protection Center or the Microsoft Security Response Center? If yes, did they have any comments?

Microsoft Malware Protection Center Home Page

Microsoft Security :: MSRC (Microsoft Security Response Center) | Security vulnerability
 

I have made those submissions many times in the past. I had not done so for this file (until now). I stopped giving MS an e-mail address on those submissions because the automated replies were not very interesting. Sometimes I save a link to the submission status page and check back from time to time.

Another turn off to submitting such files to MS:
About a year ago, I submitted a file to MS and had it confirmed as bad. Months later, I scanned multiple variations of that same file using MSE and none of them were flagged as bad. The infection method and the registry keys being changed were the same. As far as I could tell, the only changes to the infection were the IP addresses that it talked to.

I will admit:
1) That was only one series of bad files that I watched to see if MS would make a heuristic rule for. But my opinion that MSE's heuristics are poor comes mostly from a direct comparison with other AV tools against the same infected file.

2) I'm not a professional programmer, so I might not understand when a heuristic rule can safely be implemented and when doing so would cause problems. But for the registry key mentioned in my last post, I really don't see why MS would let that happen without a warning. That method of starting a kiosk like shell is old. It does not require admin rights to write to that key, so a standard user can mess up his/her profile without knowing the admin password.

3) It is probably a waste of my time to download known infections just to play with them :-)
 

~~~
...3) It is probably a waste of my time to download known infections just to play with them :-)
~~~

Not when it's educational. Even if not educational, if you enjoy doing so, then it's not a waste of your time. Thanks for sharing.
 

~~~
2) I'm not a professional programmer, so I might not understand when a heuristic rule can safely be implemented and when doing so would cause problems. But for the registry key mentioned in my last post, I really don't see why MS would let that happen without a warning. That method of starting a kiosk like shell is old. It does not require admin rights to write to that key, so a standard user can mess up his/her profile without knowing the admin password.
~~~
Not to hijack this thread - but when I made those comments, I did not have time to dig up these references:

07 Jan 2013 - Mark Russinovich's Blog
~~~
A growing number of ransomware samples modify HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (or the HKLM location), however, which both Safe Mode and Safe with Networking execute. Safe Mode with Command Prompt overrides the registry shell selection, so it circumvents the startup of the majority of today’s ransomware and is the next fallback position:
~~~
17 Nov 2011 - Malware Protection Center
~~~
Trojan:Win32/Ransom.FS modifies the system registry so that it automatically starts at every Windows starts, even if Windows is restarted in Safe Mode:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Modifies value: "Shell"
From data: "explorer.exe"
To data: "<malware path and file name>"
~~~
That last one talks about HKLM vs. HKCU...
...but you see my point: MS knows this is an issue and does not warn when apps change that area. Maybe those of you that customize your OS can tell me if there is a good reason not to warn a user each time this area is changed?
 

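One way to check a Process Monitor capture for the Winlogon Shell change discussed in the post above. This is an added example, not code from any poster in the thread; it assumes Procmon's default CSV export columns, and the sample rows, process names and file paths are constructed.

```python
import csv
import io
import re

# Constructed Process Monitor CSV export using Procmon's default columns.
# Process names, PIDs and file paths are invented for illustration.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000 AM","explorer.exe","1480","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","SUCCESS","Type: REG_SZ, Length: 26, Data: explorer.exe"
"10:01:05.2000000 AM","sample.exe","2140","RegSetValue","HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","SUCCESS","Type: REG_SZ, Length: 82, Data: C:\Users\test\AppData\Roaming\sample.exe"
"10:01:05.3000000 AM","sample.exe","2140","RegSetValue","HKCU\Software\ExampleVendor\Settings\Shell","SUCCESS","Type: REG_SZ, Length: 10, Data: dark"
"10:02:11.4000000 AM","repair.exe","3012","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","SUCCESS","Type: REG_SZ, Length: 26, Data: explorer.exe"
"10:03:40.5000000 AM","kiosk.exe","3300","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","SUCCESS","Type: REG_SZ, Length: 78, Data: explorer.exe, C:\ProgramData\kiosk.exe"
'''

# The Shell value under Winlogon, in the per-user hive (HKCU, or HKU\<SID>
# when another account's hive is shown) or the machine hive (HKLM).
WINLOGON_SHELL = re.compile(
    r"^(HKCU|HKLM|HKU\\[^\\]+)"
    r"\\software\\microsoft\\windows nt\\currentversion\\winlogon\\shell$",
    re.IGNORECASE,
)
DEFAULT_SHELL = "explorer.exe"


def parse_data(detail):
    """Return the text after 'Data: ' in a Procmon Detail cell, or None."""
    marker = "Data: "
    idx = detail.find(marker)
    if idx == -1:
        return None
    # Everything after the marker is the value, commas included.
    return detail[idx + len(marker):].strip().strip('"')


def find_shell_changes(csv_text):
    """List RegSetValue events that set Winlogon\\Shell to a non-default value."""
    findings = []
    # Procmon writes a UTF-8 byte order mark at the start of its exports.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        if (row.get("Operation") or "") != "RegSetValue":
            continue  # reads and other operations do not change the shell
        match = WINLOGON_SHELL.match(row.get("Path") or "")
        if not match:
            continue  # a value merely named "Shell" elsewhere is out of scope
        data = parse_data(row.get("Detail") or "")
        if data is not None and data.lower() == DEFAULT_SHELL:
            continue  # written back to the stock shell
        hive = match.group(1).upper()
        findings.append({
            "time": row.get("Time of Day"),
            "process": row.get("Process Name"),
            "pid": row.get("PID"),
            # Per-user writes are the case the thread stresses: a standard
            # user can make them without admin rights.
            "scope": "machine-wide" if hive == "HKLM" else "per-user",
            "path": row.get("Path"),
            "data": data if data is not None else "<not shown in Detail>",
            "result": row.get("Result"),
        })
    return findings


if __name__ == "__main__":
    for f in find_shell_changes(SAMPLE_PROCMON_CSV):
        print("{time}  {process} (PID {pid})  {scope}  {result}\n"
              "    {path}\n    -> {data}".format(**f))
```

Export the capture from Process Monitor as CSV and pass the file's text to `find_shell_changes`; a per-user hit corresponds to the case described in the thread, where the write needs no admin rights.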
~~~
...3) It is probably a waste of my time to download known infections just to play with them :-)

Not when it's educational. Even if not educational, if you enjoy doing so, then it's not a waste of your time. Thanks for sharing.
~~~
I have applied some of what I've learned in scripts that I write.
e.g.:
a script to block network traffic unless a password was entered
ways to keep kids from killing that script

I probably could have learned that stuff quicker from books; hence my wondering if such playing was a waste of time. But such playing is indeed entertaining :-)

Symantec's PC Tools antivirus was on the computers that ran that traffic blocking script of mine. PC Tools allows non-profits to use its AV app for free. AVG and AVAST charged non-profits. MSE was not around yet.

MSE has been on those computers for years now and I've had to clean up after several infections. Here are two from that office:
http://www.sevenforums.com/system-security/225755-mse-s-heuristics-scareware.html
http://www.sevenforums.com/system-security/239064-trojan-win32-fakesysdef.html
I do understand the problem of keeping out new threats, but both of those infections were from threats that had been in the wild for months. A 3rd infection spread throughout the network and wiped exe files from the server. Fortunately for them, I had daily backups.

By the way, I had to remove TeamViewer from those computers. TV charges non-profits too.
 

Thanks for sharing as well usernameissues :)
 

Oh Dear!!!
Anyone care to throw me a line: I'm sinking fast here.
 

~~~
Oh Dear!!!
Anyone care to throw me a line: I'm sinking fast here.
~~~

Run several free on-demand scanners like Malwarebytes, Hitman Pro, ESET Online Scanner, Kaspersky TDSSKiller, etc. If all of these scans come back clean, create a system image. If you like MSE, continue using it. If MSE fails and your machine becomes infected, you can use the system image to restore it to a non-infected state. Then find a new AV.
 

That makes sense: thank-you.
I have system images stored on a separate HDD along with BU of files etc.
Every time I make a significant addition to my system I will have to repeat the procedure but that is a good thing anyway because laziness interfered with me doing that in the past.
 

I have another question however: are you implying I may not know I am harbouring malware or viruses?
Is it not always apparent?
 

Since no anti-malware product is 100% effective 100% of the time, it's my belief that using only one product could let some malware in and it might not be detected by that product. By using multiple on-demand scanners to double, triple or even quadruple check the primary AV product, you're increasing the odds that your computer really is free of malware. If Product ABC misses something, hopefully Product DEF, or GHI, or XYZ will detect it. But even if I run 20 different scans on my computer and they all come back clean, I still wouldn't say my machine is absolutely, positively, guaranteed, 100% sure malware free. 99.999% sure? Probably. 100% sure? Nope.

But that's just me. Others may disagree and that's fine. All depends on one's paranoia. :)
 

~~~
I have another question however: are you implying I may not know I am harbouring malware or viruses?
Is it not always apparent?
~~~

Most modern malware is designed to be silent. In other words, you will not see a slowdown of your computer and won't get any odd messages, such as popups saying "gotcha". Instead, they could be quietly uploading your data to the source of the malware. Often, the first clue you will get is your bank account has been cleaned out. Even malware that uses your computer to spread spam often limits the amount of traffic it instigates so your computer won't noticeably slow down. I suspect many, if not most, people who swear up and down they don't get viruses actually harbor one or more they are simply unaware of. People who think all one needs are good browsing habits to be safe from malware are living in a fools' paradise. I have seen AVs block malware when the browser is open but static on a safe website (of course, safe browsing habits mean less work for antimalware programs, reducing the chances for infections).

Even the best AVs and anti-malware will not catch everything. That's why it's important to use multiple compatible programs. What one misses, another one may catch. However, that doesn't mean one can back up a poor AV with another anti-malware program and expect to be safe. That's like driving a car with bad brakes, expecting the air bags to keep you safe.

I personally use the free version of Avast (btw, do not upgrade to the latest version; it probably works just fine but people are reporting problems with setting it up due to the new UI), the paid version of MBAM, SuperAntiSpyware, and Spybot S&D. I also have Secunia PSI to check for security related program updates.
 

Ok, now I'm suitably paranoid and suitably armed but how often do you run all these checks because, let's face it, you scan to the nth degree tonight and something arrives tomorrow morning.
This was why I felt I was as safe as could be expected when I was using KAS which I can go back to anytime as my license is still valid but as I said it was having Sandbox issues that were getting in the way.
I'm going to run all the free programs as suggested and if I find anything I will have to reconsider but if I don't find anything I'll stay as I am.
 

~~~
Ok, now I'm suitably paranoid and suitably armed but how often do you run all these checks because, let's face it, you scan to the nth degree tonight and something arrives tomorrow morning.
This was why I felt I was as safe as could be expected when I was using KAS which I can go back to anytime as my license is still valid but as I said it was having Sandbox issues that were getting in the way.
I'm going to run all the free programs as suggested and if I find anything I will have to reconsider but if I don't find anything I'll stay as I am.
~~~

Avast free and Spybot S&D (also free) provide full-time protection. The paid version of MBAM ($50 for a lifetime license but often goes on sale for $25 or less) also provides full-time protection. While mixing AVs is a bad idea, many anti-malware programs, such as the ones I listed, will play well with most, if not all, AVs.

As long as you have an AV that runs full-time and updates itself frequently (one of my many complaints against MSE had to do with infrequent or no updates), one can limit their scans to once a week for each program. One way is to run a scan with one on one day of the week, run a scan on the second one the next day, etc.; that reduces the amount of time spent on scans in any one day. Of course, if you suspect something may have snuck in, you can always run scans whenever you want.

I forgot to mention I also use Web of Trust (WOT) in my browser. It alerts me if I try to go to a questionable website.
 

~~~
Ok, now I'm suitably paranoid and suitably armed but how often do you run all these checks because, let's face it, you scan to the nth degree tonight and something arrives tomorrow morning.
This was why I felt I was as safe as could be expected when I was using KAS which I can go back to anytime as my license is still valid but as I said it was having Sandbox issues that were getting in the way.
I'm going to run all the free programs as suggested and if I find anything I will have to reconsider but if I don't find anything I'll stay as I am.
~~~

I think the answer to the question "how often do you run all these checks" is it's a matter of personal opinion. Some folks on this Forum have said they run supplemental on-demand scans once a week. Personally, I run Malwarebytes and Hitman Pro each night just before I shut down my computer. Each of the quick scans takes just a few minutes to run. I make my system images each Sunday and I run a full scan with Malwarebytes before making the images. I also run a couple of quick on-demand scans usually using Hitman Pro and my MSE. I'm comfortable with this schedule. But again, others may have a different regimen that works for them.

Just as a side note, I've noticed that MSE updates on average 3 times a day (based on running manual updates) but if you use the Windows Automatic Update feature you'll get updates once every 24 hours or so. As I've said before, I've used MSE since it was released to the public in Sep 2009. I haven't had any indications that any of my computers have been infected. Not through MSE and not through any of the other scanners I use. I'm of the belief that MSE is working and doing its job, contrary to all of the doom and gloom reports over the years. Either MSE is working as designed or every additional on-demand scanner I use has suffered catastrophic failures to identify malware. And I just don't think that's the case.
 

~~~
I haven't had any indications that any of my computers have been infected. Not through MSE and not through any of the other scanners I use.
~~~
The computer mentioned in this post has been infected with Trojan:DOS/Alureon.E since July of 2012.

It remains infected because those using it won't fix it (long story).

MSE happily states that it is clean.

I'm sure that other types of scans would detect it, but that is not the point of my post. I'm just adding info about MSE for the OP to consider.
 

~~~
I haven't had any indications that any of my computers have been infected. Not through MSE and not through any of the other scanners I use.
~~~
The computer mentioned in this post has been infected with Trojan:DOS/Alureon.E since July of 2012.

It remains infected because those using it won't fix it (long story).

MSE happily states that it is clean.

I'm sure that other types of scans would detect it, but that is not the point of my post. I'm just adding info about MSE for the OP to consider.

I completely understand and your input is highly valued. Everyone has to make their own decisions as to what is best for them. Your experiences certainly carry a lot of weight and I thank you for sharing those experiences.
 

Even with all the scans in the world, they only detect known malware. No programs, even all of them combined, will detect 100% of malware. There is always that 10% or so that's unknown. This means you could always be infected and never know it.
Not trying to scare you. But security is a myth. There is no such thing. I always say that anything you type on your computer, or put through the internet, can be monitored, seized, or used without you ever knowing.
Not trying to scare you. Just stating facts.

In short, use your computer as if you did not care who saw your screen all day.

Having said that though, anyone can be targeted and have everything taken from them.
Good news is, most people are not directly targeted.

I am not a paranoid person using my computer. I just understand the risks of using it.
I accept the risk of online banking for instance.

Other notes:
2 factor authentication is definitely the way forward for a better security solution. A lot harder for a hacker to get both your cell phone number, your email and password and do it all at the same time. They would have to have all 3 in their possession and/or have your phone.

Notice I said "harder" -not impossible

Cheers,

-Andrew
 

~~~
Even with all the scans in the world, they only detect known malware....
~~~
I'm not picking at your wording here - but the main point of my posts in this thread is MSE's poor heuristics. Heuristics should be preventing some unknown malware. If an unknown app* wants to replace the OS shell, the AV tool should at least ask, "do ya really wanna do this?".


*an app not flagged based on its signature.
 

It is telling that on the occasion of MS security coming under fire the whole can of worms regarding safety is opened.
Had this been a KAS or Norton issue I doubt there would be so much in depth debate.
My bank uses on screen selections as a secondary password, presumably to thwart key-logging, and even my password software cannot deal with that, so I suppose there is some comfort in the bank's efforts to protect us.
When I consider that large numbers of people are now using mobile online banking I suspect we PC folk may be more ignored; let's hope so anyway.
 
