MSE worries

[UsernameIssues]

I had thought about splitting my ramblings off to a new thread...
...for fear of hijacking this one.


Nothing much new to report today. Nothing has changed on the status page for the file that I submitted several days ago.

I created a script a few days ago that downloads this infected file every few minutes. It has been running for 7 hours today and there have been 7 versions of the infected file. Sometimes 3 or 4 versions within one hour. I happened to be the first person to upload 3 of the files to virustotal.

I've stopped checking how MSE handles each version because it is always the same error shown in the video above or it is not detected at all.

I have Malwarebytes (free - not real time trial) installed in the virtual machine. Malwarebytes did not pickup 3 of the 7 files right away... but as of this post and the latest set of definitions, all 7 are detected.

 

[andrew129260]

I appreciated the information. Thank you very much usernameissues. I would rep you if I was able to.

 

[Lady Fitzgerald]

I appreciated the information. Thank you very much usernameissues. I would rep you if I was able to.

I just did it for you.

 

[urbanspaceman1]

Don't worry about taking over this thread: my initial question has been long-since dealt-with. This is fascinating stuff, even though, as I said earlier, I only understand the essence of the procedures and not the mechanics.

 

[UsernameIssues]

Thanks guys for the rep.

I'll ramble on a bit more in this thread.

By the end of yesterday's playing, I had 8 new versions. they all do the same thing, but they have been changed a tiny bit. My guess is the changes are meant to evade antivirus detections. Yesterday's pattern of changes was interesting. There was a version that was 58KB in size. The next version was 59, then 60, 61 and 62KB.

Before dumping these files, I installed MSE and scanned all 8 versions. None were detected as infected.

I then started with the 8th version and "installed" the infection. MSE did not indicate a problem.

This "installation" was repeated for each version and MSE did not indicate a problem - until the oldest version. MSE said it cleaned/quarantined the process, but the ransom note still took over the profile. And the same error appeared about MSE not being able to find the process/PID.

There has been no update to the status of the file submission that was made 10 days ago.

This TechNet Blog may be of interest:
Our protection metrics - September results - Microsoft Malware Protection Center - Site Home - TechNet Blogs

 

[UsernameIssues]

Sunday's playing yielded more disappointments with MSE. For Sunday's experiments, the Virtual Machine had access to the host's 4 cores, was assigned 2GB of RAM and is working from an SSD. It was quite responsive.


The infected file that I'm playing with only copies itself to one location, but other infections that I've seen make lots of copies. I changed the script that downloads the infected file so that it downloaded the file as fast as it could. Then I halted the downloading, installed/updated MSE, right clicked on the folder that contained the infected files and selected a scan by MSE.

It took MSE a while to chew thru the 3000+ files and MSE declared them all clean. I let one of the files infect the Virtual Machine and MSE declared the file as bad (but could not find/stop it). I manually cleaned up the infection.

I then told MSE to check for updates again. Since there was an update, I scanned that folder again. This time, each file was being flagged as bad. I let MSE quarantine each file, but the cleaning progress bar was moving painfully slow and resource monitor showed very little IO activity for MSE. Eventually, MSE hung up about 70% thru the process.

[Sidebar: To make sure that this hang was not a one time thing, I attempted to repeat the process today - but alas, today's version of the infected file is not detected as bad. During the infection process with today's file, MSE flags it (but cannot find or stop it).]

After MSE hung up yesterday, I restarted the Virtual Machine. MSE made a green popup stating that the computer was being cleaned. These popups continued every minute or two. Again, resource monitor showed very little IO activity for MSE scanning engine. I gave up and dumped the VM... which I regret doing; because I then wondered if the files were slowly being removed from the folder. There is always one more thing to check :-(

 

[urbanspaceman1]

I though that MS monitored the posts and threads on this forum.

 

[derekimo]

I though that MS monitored the posts and threads on this forum.

They would learn a lot if they did.

 

[Lady Fitzgerald]

I though that MS monitored the posts and threads on this forum.

They would learn a lot if they did.

I doubt it.

 

[UsernameIssues]

I though that MS monitored the posts and threads on this forum.

That would be nice, but I'm not sure one way or the other.
Maybe someone that has been here longer than I can speak to that.

This is from the main page:

Windows 7 Forums is an independent web site and has not been authorized,
sponsored, or otherwise approved by Microsoft Corporation.
"Windows 7" and related materials are trademarks of Microsoft Corp.

 

[urbanspaceman1]

When Virgin introduced their Tivo to the British public they had a lot of threads generated on their forum (which was official) but they also had design and development techs monitor the proceedings. They would address the public directly at times and explain why things were as they were and also keep tabs on calls for changes when stuff wasn't doing what was needed. Consequently, the Virgin Tivo system is as near to perfection as is possible now.
One of the responses I always encountered when complaining to manufacturers about their product was "You're the first complaint we've had!" Which is obviously because 99.9% of unhappy consumers simply switch to an alternative brand rather than waste their time trying to talk to manufacturers.

 

[UsernameIssues]

It would wise for a company to take advantage of all of our free labor and perhaps they do so silently. They would have to be careful about any posts that they make. We have seen Dell in these forums from time to time, but I've not seen them around lately. Layoffs?

I've looked at the Malwarebytes forum during this round of playing with an infected file and there are several forum members submitting samples of the very files that I'm playing with. It appears (I could be wrong) that Malwarebytes adds each file's signature to their database even if no one has ever been infected with the file. And yet the update that we download for Malwarebytes has not become too bloated.

MS has not changed/updated the status on the sample that I submitted on 17 Oct :-(

I might make another submission which includes an e-mail address just to see if some computer will reply that way.

 

[urbanspaceman1]

This thread began as an expression of concern regarding MSE which I had taken up as opposed to KAS13 which was troublesome. It has been round the bushes a few times but the nitty-gritty is beginning to become altogether too apparent thanks to your diligence and persistence. Still, I'm remaining in the MSE camp for now.

 

[andrew129260]

I love the thought process going into all of this.

 

[UsernameIssues]

~~~
I might make another submission which includes an e-mail address just to see if some computer will reply that way.

A submission with an e-mail address was processed in about 5 hours.

The original submission has not been processed.

 

[urbanspaceman1]

That's very good news. Well done: your tenacity has put my mind at rest; and probably quite a few others too. Thank-you.

 

[andrew129260]

~~~
I might make another submission which includes an e-mail address just to see if some computer will reply that way.

A submission with an e-mail address was processed in about 5 hours.

The original submission has not been processed.

Not bad, but they still should have looked at the original request.

 

[Diosoth]

MSE is rather basic. It can catch stuff, it has free real time protection, but everything I've been hit with was overlooked by MSE. I wouldn't run without it, but I'd not run with it exclusively.

At the very least I have MBAM and SAS on hand, Spybot's browser immunizations, and Adblock Plus and NoScript for Firefox.

 

[UsernameIssues]

MSE is rather basic. It can catch stuff, it has free real time protection, but everything I've been hit with was overlooked by MSE. I wouldn't run without it, but I'd not run with it exclusively.

At the very least I have MBAM and SAS on hand, Spybot's browser immunizations, and Adblock Plus and NoScript for Firefox.

There is a place in your system specs for listing your browser(s).

Were you using Firefox when you were hit wit stuff?

http://www.sevenforums.com/news/294816-internet-explorer-10-provides-safer-browsing.html
I had to turn off SmartScreen Filter to to download the files that I was playing with. I cannot find a drive by infection that works with IE10 with 64bit tabs and W7 (no antivirus protection) in a VM. I'm sure that they are out there, I just cannot find them.

 

[andrew129260]

The way it goes as of now (this post date-latest tests done), -note that this is just the browser built in protection, and not with addons.

--Firefox has best phishing protection
--Internet explorer has best protection against malware downloads, blocking 99.96% .
--Internet explorer 10 has the best privacy settings enabled by default.

See attached files.


Source:
https://nsslabs.com/reports/categories/test-reports/browser-security