
Alerting - Malicious software removal tool



Guest David H. Lipman
Posted

From: "John Mason Jr" <notvalid@cox.net.invalid>

 

 

| But if the individual is running as root/admin privs then they must

| accept some level of responsibility.

 

| Though I do agree MS does have some level of responsibility mostly by

| omission not making it clear to the new user where they could be vulnerable.

 

| The other software manufacturers should also bear part of the blame for

| not properly configuring their programs to run with an appropriate level

| of privileges.

 

| John

 

Don't forget the fact that if there is a vulnerability that can be exploited with a buffer

overflow, an elevation of privileges will allow malware to be installed even with a

Limited User Account (LUA).

{ Albeit it was mentioned in this thread the malware targeted by MRT is usually installed

via Social Engineering (human exploitation) and not the software vulnerability/exploit

vector }

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest John Mason Jr
Posted

David H. Lipman wrote:

> From: "John Mason Jr" <notvalid@cox.net.invalid>

>

>

> | But if the individual is running as root/admin privs then they must

> | accept some level of responsibility.

>

> | Though I do agree MS does have some level of responsibility mostly by

> | omission not making it clear to the new user where they could be vulnerable.

>

> | The other software manufacturers should also bear part of the blame for

> | not properly configuring their programs to run with an appropriate level

> | of privileges.

>

> | John

>

> Don't forget the fact that if there is a vulnerability that can be exploited with a buffer

> overflow, an elevation of privileges will allow malware to be installed even with a

> Limited User Account (LUA).

> { Albeit it was mentioned in this thread the malware targeted by MRT is usually installed

> via Social Engineering (human exploitation) and not the software vulnerability/exploit

> vector }

>

>

True it would be nice if software ran with appropriate privs and was

written securely.

 

That will only happen when customers start requiring it in purchasing

contracts and RFPs.

 

 

 

John

Guest Steve Riley [MSFT]
Posted

> I'm not here to argue with you, don't take it that way, but you've not

> posted anything to contradict my statement. You've only posted that

> people think the MSRT is a great step, that it's removed malware, but

> you've not posted all the information that would be needed to show that

> it's a good tool.

 

I don't think either one of us is here to argue with the other. You describe

a few instances of where users have gotten themselves infected with malware,

which leads you to claim that the tool is completely useless. Yet the data

from the SIR shows the tool is very effective at what it does. I fail to see

what else is required to meet anyone's definition of "good tool." If by

"good" you mean "perfect" -- that is, capable of eliminating all malware --

then your expectations are too high. If by "good" you mean "unnecessary"

because all operating systems, all applications, and all users are free of

vulnerabilities -- then your expectations are beyond realistic. All these

are impossible tasks.

 

In another post, you wrote:

> I was actually hoping that MS would abandon the legacy idea when they

> came out with Vista - all of the crap they put into it to look pretty,

> to require Core 2 processors with 2GB ram, and 512MB video cards just to

> have a machine that performs as well as the 2.5Ghz P4, 512MB RAM, and a

> 128MB video card, but they failed again on changing the OS to be secure.

>

> We've all seen Vista machines compromised by the same crap that hits our

> XP machines, and yea, it's great that MS is trying to clean up the mess

> that gets ISP's residential networks black-listed for spamming/zombies,

> but they didn't address the core problem - THE OS ITSELF.

 

Again, the data in the SIR contradict your assertions. A chart on page 53

compares, by Windows type, the number of computers cleaned per 1000 MSRT

executions. Page 138 tabulates the numbers. Windows XP RTM shows 33.8,

Windows XP SP 3 shows 9.2, Windows Vista RTM shows 4.9, Windows Vista SP1

shows 4.5. If we "failed again" to make the OS secure, if "the same crap"

that infected XP also attacked Vista, wouldn't the numbers for Vista be

equivalent to those for XP?

 

Anecdotes are not data. Your few instances of machines getting infected

can't compare to the data reflecting research across tens of millions of

computers.

 

--

Steve Riley

steve.riley@microsoft.com

http://blogs.technet.com/steriley

Protect Your Windows Network: http://www.amazon.com/dp/0321336437

 

 

 

"Leythos" <spam999free@rrohio.com> wrote in message

news:MPG.2399c673207e1396989724@us.news.astraweb.com...

>

> Steve, you wrote that "CSO's and CTO's.... 'commented that the MSRT is

> one of the most responsible things they've seen us do..."

>

> I agree, it's great that you, Microsoft, put out a tool to clean malware

> off your OS that you have spent years not securing against that malware.

>

> Don't get me wrong, I own a company that is a MS partner, sells MS based

> solutions, never had a compromised computer on any of our customers

> networks, and I've been doing this since the late 70's.

>

> The only compromised PC's we see are ones from improperly guarded

> networks and or improperly guarded home networks (even if it's just a PC

> of one). Of those compromised machines, all of them were running Windows

> (mostly XP, but now even vista), all had major brand AV software

> actively working, some had stopped using IE because of the risks and

> switched for Fire Fox or Opera, but, the key point is that all of them

> were being used by people that COULD have learned more and didn't

> because they thought they had done enough.

>

> I'll give you an example of what happens to many HOME users - a nice

> lady owned a computer, running Windows XP + SP2 (sp3 was not released

> yet), used MS Works, had a single account, administrator level logon

> (which is the default for most computers), 1 kid, about 8 years old,

> using the computer also. They could not get it to respond properly, pop-

> ups, etc.... I attempted to clean it, decided that after 5 passes with

> different tools that it was not worth the "Time" to "clean" it and wiped

> and reinstalled XP.

>

> I provided three accounts for them to use "Administrator" with password,

> "Mom" and "Son", M/S were limited user accounts. Set IE to high-security

> Mode, bought them a NAT Router (no inbound Port forwarding), installed

> all updates and patches. Installed AVG Free (and updates), and several

> manual scanners. Automatic Updates enabled. I explained that they should

> not use the Administrator account except in rare cases where "MOM"

> needed to install an application that she could not install from

> her/son's accounts, that they were NOT to run anything as the

> "Administrator" account.

>

> I got the computer back in two weeks, hosed again. The "Mom" had let the

> kid use the administrator account because he could not get his "Games"

> to run under his account, etc.... Needless to say, it was compromised

> again in less than two weeks because the OS, using MS Suggested High-

> Security settings would not provide the user with what they needed to

> run the programs that they wanted to use while protecting them from

> malware.

>

> I installed Ubuntu, OO, and setup email and FireFox for them, machine

> has been used for almost a year now and it's doing all that they NEED,

> unable to play some of the games (online) that the kid wanted (since

> they need active-x), but the computer is STILL running smooth and no

> problems reported (and I check about once a month).

>

> While I was out of the state my mother-in-law bought a PC and her oldest

> son installed it for her - XP Home, all updates, bought a Linksys NAT

> appliance, but they didn't install it, connected directly to cable modem

> for internet - Windows Firewall enabled.... By the time I got back the

> PC wasn't working, bad things on the screen, etc... All the typical

> signs of being hacked. The MS Firewall had default holes for

> File/Printer sharing setup by Dell, and software installed more holes

> for itself to use... Wiped her machine, installed NAT Router, setup

> three accounts "Admin", "XXXX" (her name), "Visitors", same as the one

> above - in this case she kept the computer clean, but she had to logon

> as Admin to run QuickBooks since it would not run as "XXXX" user as a

> limited account. She gave up things like the online game site POGO since

> it would not install/run as a limited account, and she's basically used

> the computer for QB, Browsing the web in IE HS Mode (which breaks many

> sites) and for email.....

>

> So, your story about the CSO/CTO is great, they appreciate that you've

> (Microsoft) taken a "Responsible" step, but what you didn't report is

> how many malware were removed from their networks by the MSRT.

>

> We all agree, the MSRT is a 'Responsible' step from Microsoft, but it's

> a day late and a $1 short. The problem is the OS lack of security

> against malware and a tool like the MSRT is not preventing anything,

> only reacting AFTER the compromise.

>

> Again, my company provides MS platform solutions all over the USA and

> India, we secure our networks and systems against threats and have

> managed to never have a compromised system on any of our managed

> networks. I am not a Linux advocate, don't believe it's ready for the

> masses, but I also see LOTS of compromised non-client systems and home

> systems each year, all of which would not have been compromised if MS

> had just bitten the bullet and changed the foundation to a more secure

> platform instead of trying to remain compatible.

>

> In "My" experience I've yet to see that MSRT clean a system, and I know

> this because after running it I can still experience problems that are

> cleaned up by other tools - SBS&D, Symantec, MBAM, Multi-AV, even

> registry edits manually.

>

> I'm not here to argue with you, don't take it that way, but you've not

> posted anything to contradict my statement. You've only posted that

> people think the MSRT is a great step, that it's removed malware, but

> you've not posted all the information that would be needed to show that

> it's a good tool.

Guest Steve Riley [MSFT]
Posted

Pete, what is it about the SIR's explanation regarding geographic

distribution that you aren't ready to accept? My own work with customers in

various countries around the world tends to support the paragraph Dave

quoted.

 

--

Steve Riley

steve.riley@microsoft.com

http://blogs.technet.com/steriley

Protect Your Windows Network: http://www.amazon.com/dp/0321336437

 

 

 

"1PW" <barcrnahgjuvfgyr@nby.pbz> wrote in message

news:ggpuhp$epq$1@news.motzarella.org...

> On 11/28/2008 12:04 AM, ~BD~ sent:

>> "1PW" <barcrnahgjuvfgyr@nby.pbz> wrote in message

>> news:ggo4rq$6qk$1@news.motzarella.org...

>> <snip>

>>> One can't help but notice from the map, in the SIR, that Japan seems to

>>> have remarkably less reported detections, compared to all other

>>> countries. I wonder if this is a statistical anomaly or if another

>>> reason exists.

>>>

>>> Pete

>>> --

>>> 1PW

>>>

>>> @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

>>

>> --

>>

>> Microsoft says ............

>> "As a general rule, more malware is proportionally found by the MSRT in

>> developing countries/regions than in developed countries/regions. For

>> example, the most infected country/region in Europe is Albania, while the

>> least infected countries/regions in Europe are Austria and Finland. In

>> the

>> Asia-Pacific region, the most infected countries/regions are Mongolia and

>> Vietnam, while the least infected countries/regions are Taiwan and Japan.

>> The United States is proportionally less infected than most of the

>> countries/regions in the Americas. This trend may occur because the

>> deployment of security products is generally wider in developed

>> countries/regions, and user education around computer safety is usually

>> better."

>>

>> HTH

>>

>> Dave

>

>

>

> Hello Dave:

>

> I know you were trying to be helpful. However, this was a follow-up to

> Steve Riley's post.

>

> I've read what you read. I am not quite ready to accept the above on

> its face value just yet. However, my mind will remain open.

>

> Let's let Mr. Riley expand on this, if he's a mind to.

>

> Thank you though Dave. Mr. Riley: If you would sir. Thank you.

>

> --

> 1PW

>

> @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Posted

On 11/28/2008 03:31 PM, David H. Lipman sent:

> From: "1PW" <barcrnahgjuvfgyr@nby.pbz>

>

> | Hello Dave:

>

> | I know you were trying to be helpful. However, this was a follow-up to

> | Steve Riley's post.

>

> | I've read what you read. I am not quite ready to accept the above on

> | its face value just yet. However, my mind will remain open.

>

> | Let's let Mr. Riley expand on this, if he's a mind to.

>

> | Thank you though Dave. Mr. Riley: If you would sir. Thank you.

>

> | --

> | 1PW

>

> Would be even better if Mr. R. Treit (Microsoft) would post some information. I haven't

> communicated with him since 11/'05.

>

> I don't know if Steve Riley works with Mr. Treit or not.

 

 

Hello David:

 

Might that be Randy Treit? randyt@online.microsoft.com Just Googling

gave me that.

 

I'm fascinated by the difference in country statistics from the SIR

world map. Apart from some difficulties, brought about by language

barriers, I can't yet understand why Finland's stats differ from Sweden

or Norway. Or why the Netherlands' stats are better than those of the

U.S. That's only a few of so many comparisons that beg further

explanation.

 

Should we be snapping up firewalls, routers, and anti-malware products

from Japan and Taiwan? Are the governments of Taiwan and Japan holding

a much tighter grip on their population's Internet access?

 

I would love to read an intelligent discourse, but I'm afraid it would

soon degenerate into some of the poorly chosen phrasing we see almost

everyday here. Pity.

 

A belated Happy Thanksgiving to you David, and to all who come our way.

 

Pete

 

--

1PW

 

@?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Posted

On 11/28/2008 07:40 PM, Steve Riley [MSFT] sent:

> Pete, what is it about the SIR's explanation regarding geographic

> distribution that you aren't ready to accept? My own work with customers

> in various countries around the world tends to support the paragraph

> Dave quoted.

>

 

Hello Steve:

 

Thank you for taking time for a response.

 

If one wishes to just compare developed countries, what is it about

Japan's and Taiwan's security products that would seem to leave them

much better protected than those of other developed countries?

 

In actual and real world practice, are we in the USA much less likely

to employ effective computer protection than those users in Finland or

the Netherlands?

 

Are folks in Canada and Australia more likely to be more security aware

when compared to the folks in Greenland? Malware doesn't know what a

political boundary is. Malware succeeds where computers aren't used

properly, nor well protected and well maintained. Malware is therefore

opportunistic.

 

Perhaps some of the other developed nations have better education

programs for their computer users. However, well intentioned use must

be matched with the proactive use of fine after market protective

applications, hardware, and keen attention to patches, updates and

upgrades.

 

I promise to keep my mind as open as can be. Thank you again sir.

 

Pete

 

--

1PW

 

@?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Guest David H. Lipman
Posted

From: "1PW" <barcrnahgjuvfgyr@nby.pbz>

 

| Hello David:

 

| Might that be Randy Treit? randyt@online.microsoft.com Just Googling

| gave me that.

 

| I'm fascinated by the difference in country statistics from the SIR

| world map. Apart from some difficulties, brought about by language

| barriers, I can't yet understand why Finland's stats differ from Sweden

| or Norway. Or why the Netherlands' stats are better than those of the

| U.S. That's only a few of so many comparisons that beg further

| explanation.

 

| Should we be snapping up firewalls, routers, and anti-malware products

| from Japan and Taiwan? Are the governments of Taiwan and Japan holding

| a much tighter grip on their population's Internet access?

 

| I would love to read an intelligent discourse, but I'm afraid it would

| soon degenerate into some of the poorly chosen phrasing we see almost

| everyday here. Pity.

 

| A belated Happy Thanksgiving to you David, and to all who come our way.

 

| Pete

 

| --

| 1PW

 

Yes... That would be Randy Treit :-)

Back in '05 when I was communicating with him he was the "Program Manager, Security

Technology Unit" of Microsoft.

 

Same to you Pete and your family.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest David H. Lipman
Posted

From: "1PW" <barcrnahgjuvfgyr@nby.pbz>

 

 

| Hello Steve:

 

| Thank you for taking time for a response.

 

| If one wishes to just compare developed countries, what is it about

| Japan's and Taiwan's security products that would seem to leave them

| much better protected than those of other developed countries?

 

| In actual and real world practice, are we in the USA much less likely

| to employ effective computer protection than those users in Finland or

| the Netherlands?

 

| Are folks in Canada and Australia more likely to be more security aware

| when compared to the folks in Greenland? Malware doesn't know what a

| political boundary is. Malware succeeds where computers aren't used

| properly, nor well protected and well maintained. Malware is therefore

| opportunistic.

 

| Perhaps some of the other developed nations have better education

| programs for their computer users. However, well intentioned use must

| be matched with the proactive use of fine after market protective

| applications, hardware, and keen attention to patches, updates and

| upgrades.

 

| I promise to keep my mind as open as can be. Thank you again sir.

 

| Pete

 

| --

| 1PW

 

Maybe it isn't their security software but culture and philosophy that makes them practice

Safe Hex better than Westerners.

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Leythos
Posted

In article <ggqek5$hai$1@news.motzarella.org>, barcrnahgjuvfgyr@nby.pbz

says...

> Should we be snapping up firewalls, routers, and anti-malware products

> from Japan and Taiwan? Are the governments of Taiwan and Japan holding

> a much tighter grip on their population's Internet access?

>

 

Maybe it's not their products, but that they are better protected by

their ISP's?

 

If you were to look at my clients, their MSRT would show nothing, yet

they are protected and don't have malware on their systems.

 

--

- Igitur qui desiderat pacem, praeparet bellum.

- Calling an illegal alien an "undocumented worker" is like calling a

drug dealer an "unlicensed pharmacist"

spam999free@rrohio.com (remove 999 for proper email address)

Guest Leythos
Posted

In article <ggpv7f$eba$1@nntp.motzarella.org>, notvalid@cox.net.invalid

says...

>

> But if the individual is running as root/admin privs then they must

> accept some level of responsibility.

 

Not really, since the default user level account is also an Admin level

account in XP and before XP.

> Though I do agree MS does have some level of responsibility mostly by

> omission not making it clear to the new user where they could be vulnerable.

 

You need to think back, farther, to the start of the problem - the OS

was designed to make it EASY to work with, easy for users, easy to

manage, not to be secure as the first priority - that's the flaw that

they have maintained from early versions.

> The other software manufacturers should also bear part of the blame for

> not properly configuring their programs to run with an appropriate level

> of privileges.

 

Yes, but MS enables them to maintain that problem by making the default

account an Administrator.

 

 

--

- Igitur qui desiderat pacem, praeparet bellum.

- Calling an illegal alien an "undocumented worker" is like calling a

drug dealer an "unlicensed pharmacist"

spam999free@rrohio.com (remove 999 for proper email address)

Guest Leythos
Posted

In article <57D4615E-5548-4750-881B-FCB4AE478B12@microsoft.com>,

steve.riley@microsoft.com says...

[snip]

> Again, the data in the SIR contradict your assertions. A chart on page 53

> compares, by Windows type, the number of computers cleaned per 1000 MSRT

> executions. Page 138 tabulates the numbers. Windows XP RTM shows 33.8,

> Windows XP SP 3 shows 9.2, Windows Vista RTM shows 4.9, Windows Vista SP1

> shows 4.5. If we "failed again" to make the OS secure, if "the same crap"

> that infected XP also attacked Vista, wouldn't the numbers for Vista be

> equivalent to those for XP?

 

How many malware were left on/in those machines? Without that number

your stat is meaningless.

 

What this means is that, based on my experience, MSRT does little

to actually "Clean" a machine. By clean, let's be clear, I mean that it

removes all malware from the machine.

 

Claiming that a tool is good because it removes malware while leaving X

items of malware still on the system is a misrepresentation of the

quality of the tool.

> Anecdotes are not data. Your few instances of machines getting infected

> can't compare to the data reflecting research across tens of millions of

> computers.

 

But it is valid - if we take the MSRT and run it on a compromised

machine, having it claim the machine is clean, then we run several other

anti-malware tools that show the machine to remain seriously

compromised, doesn't that indicate that the "Data" you are interpreting

as showing MSRT to be a good tool is seriously flawed?

 

--

- Igitur qui desiderat pacem, praeparet bellum.

- Calling an illegal alien an "undocumented worker" is like calling a

drug dealer an "unlicensed pharmacist"

spam999free@rrohio.com (remove 999 for proper email address)

Posted

"1PW" <barcrnahgjuvfgyr@nby.pbz> wrote in message

news:ggr0js$dfl$1@news.motzarella.org...

> On 11/28/2008 07:40 PM, Steve Riley [MSFT] sent:

>> Pete, what is it about the SIR's explanation regarding geographic

>> distribution that you aren't ready to accept? My own work with customers

>> in various countries around the world tends to support the paragraph

>> Dave quoted.

>>

>

> Hello Steve:

>

> Thank you for taking time for a response.

>

> If one wishes to just compare developed countries, what is it about

> Japan's and Taiwan's security products that would seem to leave them

> much better protected than those of other developed countries?

>

> In actual and real world practice, are we in the USA much less likely

> to employ effective computer protection than those users in Finland or

> the Netherlands?

>

> Are folks in Canada and Australia more likely to be more security aware

> when compared to the folks in Greenland? Malware doesn't know what a

> political boundary is. Malware succeeds where computers aren't used

> properly, nor well protected and well maintained. Malware is therefore

> opportunistic.

>

> Perhaps some of the other developed nations have better education

> programs for their computer users. However, well intentioned use must

> be matched with the proactive use of fine after market protective

> applications, hardware, and keen attention to patches, updates and

> upgrades.

>

> I promise to keep my mind as open as can be. Thank you again sir.

>

> Pete

>

> --

> 1PW

>

> @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

 

--

 

Hello again, Pete.

 

Thank you for your recent ........ 'understanding'

You were correct - I was trying to be helpful!

Perhaps you'd like to explore this organisation for clues

 

Dave

 

The WildList Organization collects monthly virus reports from anti-virus

experts around the world. The data from the reports are compiled to produce

The WildList - a list of those viruses currently spreading throughout a

diverse user population. A virus that is reported by two or more of the

WildList reporters will appear in the top-half of the list and is deemed to

be 'In the Wild'.

In recent times, the list has been used by Virus Bulletin and other

anti-virus product testers as the definitive guide to the viruses found in

the real world.

 

An anti-virus product is expected to score 100% detection against this group

of viruses. The WildList homepage can be found at http://www.wildlist.org.

Guest David H. Lipman
Posted

From: "Leythos" <spam999free@rrohio.com>

 

 

 

| How many malware were left on/in those machines? Without that number

| your stat is meaningless.

 

| What this means is that, based on my experience, MSRT does little

| to actually "Clean" a machine. By clean, let's be clear, I mean that it

| removes all malware from the machine.

 

| Claiming that a tool is good because it removes malware while leaving X

| items of malware still on the system is a misrepresentation of the

| quality of the tool.

>> Anecdotes are not data. Your few instances of machines getting infected

>> can't compare to the data reflecting research across tens of millions of

>> computers.

 

| But it is valid - if we take the MSRT and run it on a compromised

| machine, having it claim the machine is clean, then we run several other

| anti-malware tools that show the machine to remain seriously

| compromised, doesn't that indicate that the "Data" you are interpreting

| as showing MSRT to be a good tool is seriously flawed?

 

MRT is much like McAfee's Stinger. It has a limited sub-set target list.

 

However unlike Stinger it is updated monthly and is downloaded on Patch-Tuesday as well as

can be manually downloaded.

 

There is ONLY ONE important point here...

MRT is a valuable supplemental "On Demand" scanner.

 

Will professionals suggest running MRT ? NO!

Why ?

Because it is automatically run and there are other On Demand scanners with a super-set of

targeted infectors.

 

My only concern is one of efficacy. One can state all the statistics about what it has

done to find and remove malware but without information concerning its possible failure

rates the statistics then are pointless.

 

If there are say 200 Million computers running MRT and 66 Million instances of removal,

what does that tell you ?

 

In my humble opinion, the statistics are more PR than factual w/o also stating failure

rates and the total number of computers actually running MRT.

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Posted

"Leythos" <spam999free@rrohio.com> wrote in message

news:MPG.239afe708447c68098972b@us.news.astraweb.com...

<snip>

> Maybe it's not their products, but that they are better protected by

> their ISP's?

>

 

That is a VERY good point, Leythos!

 

Dave

 

--

Guest Leythos
Posted

In article <uZPOpPiUJHA.6044@TK2MSFTNGP04.phx.gbl>,

DLipman~nospam~@Verizon.Net says...

> My only concern is one of efficacy. One can state all the statistics about what it has

> done to find and remove malware but without information concerning its possible failure

> rates the statistics then are pointless.

>

> If there are say 200 Million computers running MRT and 66 Million instances of removal,

> what does that tell you ?

>

> In my humble opinion, the statistics are more PR than factual w/o also stating failure

> rates and the total number of computers actually running MRT.

>

 

My point exactly, the numbers are marketing hype since they only include

one side of the equation.

 

--

- Igitur qui desiderat pacem, praeparet bellum.

- Calling an illegal alien an "undocumented worker" is like calling a

drug dealer an "unlicensed pharmacist"

spam999free@rrohio.com (remove 999 for proper email address)

Guest John Mason Jr
Posted

Leythos wrote:

> In article <ggpv7f$eba$1@nntp.motzarella.org>, notvalid@cox.net.invalid

> says...

>> But if the individual is running as root/admin privs then they must

>> accept some level of responsibility.

>

> Not really, since the default user level account is also an Admin level

> account in XP and before XP.

 

 

Well ignorance is not really a valid excuse, but given the way

computers and software are marketed I understand it.

>> Though I do agree MS does have some level of responsibility mostly by

>> omission not making it clear to the new user where they could be vulnerable.

>

> You need to think back, farther, to the start of the problem - the OS

> was designed to make it EASY to work with, easy for users, easy to

> manage, not to be secure as the first priority - that's the flaw that

> they have maintained from early versions.

 

 

It would be nice to have a sudo facility set up that is as easy to work

with for an end user as Ubuntu has currently

>> The other software manufacturers should also bear part of the blame for

>> not properly configuring their programs to run with an appropriate level

>> of privileges.

>

> Yes, but MS enables them to maintain that problem by making the default

> account an Administrator.

 

I think someone selling software should be better educated than the end

user about how stuff should work.

Guest Richard Urban
Posted

Why do you keep referring to "completely clean their machine"?

 

There is no ONE program that will do such. If there is - PLEASE - point all

of us to it. We would much appreciate it.

 

Why would you expect the Microsoft Malicious Removal Tool to be able to do

what other anti malware programs can not do?

 

Be reasonable and allow that it is/should be a part of a layered anti

malware approach and that what it does it does good!

 

 

 

--

 

Richard Urban

Microsoft MVP

Windows Desktop Experience

 

 

"Leythos" <spam999free@rrohio.com> wrote in message

news:MPG.239a081ebce8bf47989727@us.news.astraweb.com...

> In article <fva0j4h7ln2crtfa9kempmasq533i5ifu9@4ax.com>,

> geoff@invalid.invalid says...

>> On Fri, 28 Nov 2008 09:12:53 -0500, Leythos <spam999free@rrohio.com>

>> wrote:

>>

>> >I provided three accounts for them to use "Administrator" with password,

>> >"Mom" and "Son", M/S were limited user accounts. Set IE to high-security

>> >Mode, bought them a NAT Router (no inbound Port forwarding), installed

>> >all updates and patches. Installed AVG Free (and updates), and several

>> >manual scanners. Automatic Updates enabled. I explained that they should

>> >not use the Administrator account except in rare cases where "MOM"

>> >needed to install an application that she could not install from

>> >her/son's accounts, that they were NOT to run anything as the

>> >"Administrator" account.

>> >

>> >I got the computer back in two weeks, hosed again. The "Mom" had let the

>> >kid use the administrator account because he could not get his "Games"

>> >to run under his account, etc.... Needless to say, it was compromised

>> >again in less than two weeks because the OS, using MS Suggested High-

>> >Security settings would not provide the user with what they needed to

>> >run the programs that they wanted to use while protecting them from

>> >malware.

>> >

>> >I installed Ubuntu, OO, and setup email and FireFox for them, machine

>> >has been used for almost a year now and it's doing all that they NEED,

>> >unable to play some of the games (online) that the kid wanted (since

>> >they need active-x), but the computer is STILL running smooth and no

>> >problems reported (and I check about once a month).</span>

>>

>> A very typical scenario. But the real security breach was the humans. The

>> mother let the kid use the administrator account and he was the source of

>> the original infection. You failed to analyze the root cause and correct

>> it

>> on the first iteration.</span>

>

> No, I clearly understood the root cause - users that don't want to be

> locked down or "will not be" locked down. Users that want the freedom to

> use their computers to have fun.

><span style="color:green">

>> The money they spent on your fixes would have been better spent on a new

>> computer for her and letting the kid use the old one with a reinstalled

>> OS.

>> So you installed an OS that neither of them understand and I'll bet you

>> didn't give them the root access password so neither of them can get very

>> far. You would have done just as well reinstalling XP and denying them

>> the

>> administrator password.</span>

>

> It's not my computer, so the mother has the ROOT password, she has to

> have it in order to apply updates - Ubuntu needs root access to do

> updates. Your solution is not viable, not giving the password, in the

> real world.

>

> I didn't charge them, don't charge home users to fix their system.

>

> So, again, YOU missed the real root cause:

>

> 1) Root cause of compromised computers - OS with exploits and holes that

> can't be closed while allowing the masses to easily use their computers

> without LOTS of extra effort that most are not willing to put out.

>

> 2) Humans that are not willing to use their computers in the MS

> recommended HIGH-Security settings mode, since most vendors apps for

> residential users won't install or run while HS mode is in use.

>

> I was actually hoping that MS would abandon the legacy idea when they

> came out with Vista - all of the crap they put into it to look pretty,

> to require Core 2 processors with 2GB ram, and 512MB video cards just to

> have a machine that performs as well as the 2.5Ghz P4, 512MB RAM, and a

> 128MB video card, but they failed again on changing the OS to be secure.

>

> We've all seen Vista machines compromised by the same crap that hits our

> XP machines, and yea, it's great that MS is trying to clean up the mess

> that gets ISP's residential networks black-listed for spamming/zombies,

> but they didn't address the core problem - THE OS ITSELF.

>

> I would be willing to pay $400 for a new 3 CAL license of XYZ OS from MS

> if they could keep the pretty stuff, find a way to run Office 2003

> (since 2007 is so dang bad) and to play the 1 or 2 games that I like -

> having it spawn them in a VM so that it's destroyed after the session

> ends, but only if they could ELIMINATE the threats for most users.

>

> Before you reply, consider your idea of the root cause against what MAC

> and Linux people have, and look at how some of them run as ROOT and

> don't experience the issues that masses of Win people experience.

>

> So, would the MSRT have prevented any of this - nope, would it have

> completely cleaned their machines - nope. So, we're back to the idea

> that the MSRT is not effective.

>

>

> --

> - Igitur qui desiderat pacem, praeparet bellum.

> - Calling an illegal alien an "undocumented worker" is like calling a

> drug dealer an "unlicensed pharmacist"

> spam999free@rrohio.com (remove 999 for proper email address) </span>

Guest Leythos
Posted

In article <uaOjAilUJHA.1164@TK2MSFTNGP02.phx.gbl>,

richardurbanREMOVETHIS@hotmail.com says...<span style="color:blue">

> Why do you keep referring to "completely clean their machine"?

>

> There is no ONE program that will do such. If there is - PLEASE - point all

> of us to it. We would much appreciate it.

>

> Why would you expect the Microsoft Malicious Removal Tool to be able to do

> what other anti malware programs can not do?

>

> Be reasonable and allow that it is/should be a part of a layered anti

> malware approach and that what it does it does good!</span>

 

I keep bringing it up because someone keeps mentioning how good MSRT is,

but they can't provide any real data to prove that the MSRT is of any

real value.

 

If I provide a tool that removes 1% of malware from machines, that tool

reports back that it removed some malware, and I post that my tool has

removed malware from 8 billion machines, what does it appear that I'm

trying to do? I'm trying to sell you on the idea that my tool cleaned 8

billion machines - at least if you're just following hype.

 

So, if 8 billion machines that the "tool" was run on, that means that

99% of malware remained, stealing personal data, spamming networks,

spreading, etc....

 

(NOTE: 8 Billion was my made up number and has not been suggested by

anyone)

 

As for "Why" should I expect something from MS that will clean my

machine? Well, to be honest, I don't and have yet to see anything

positive in this area from MS. Yes, I see political type posturing, but

nothing that could be considered a "Great" tool for removing malware.

 

Take the top 10 FREE anti-malware tools, take 10 infected machines,

compromised with 100+ different nasties, run the top 10 against the

MSRT.... Do you think that the MSRT will do a better job than any of the

10?

 

I believe that MS has the power and capability to properly secure the OS

against 99.999999% of the threats we see on a daily basis, that they can

do it while still allowing our applications to operate properly (for the

most part), but that they have no real interest in doing so.

 

 

--

- Igitur qui desiderat pacem, praeparet bellum.

- Calling an illegal alien an "undocumented worker" is like calling a

drug dealer an "unlicensed pharmacist"

spam999free@rrohio.com (remove 999 for proper email address)

Guest FromTheRafters
Posted

"Leythos" <spam999free@rrohio.com> wrote in message

news:MPG.239b689c2e4a9ca98972f@us.news.astraweb.com...

 

[snip]

<span style="color:blue">

> I believe that MS has the power and capability to properly secure the OS

> against 99.999999% of the threats we see on a daily basis, that they can

> do it while still allowing our applications to operate properly (for the

> most part), but that they have no real interest in doing so.</span>

 

Vista and MSRT both seem to aim at reducing the pollution in the

cesspool we call the internet. The large marketshare MSFT enjoys is

part of the reason the computing environment is so "malware friendly".

 

LUA a la Vista is such a PITA for some that they reduce its security

to achieve "ease of use" - but its default condition is much less malware

friendly than previous versions. MSRT being loosely coupled to the

automatic update mechanism of Windows helps the unwashed masses

get checkups they wouldn't normally do on their own.

 

MSRT may not be the best, but it is good for all of us to have it as a

fallback point when the great unwashed don't take any responsibility

for security.

Guest Richard Urban
Posted

Oh Lord!

 

Even Unix and Linux are not 99.999999% secure. Some of the first

malware/virus were written for those platforms.

 

Man is fallible! If you think that you can develop an operating system that

is that secure, against threats that may be developed three years from now,

I will buy it from you - guaranteed!

 

But, it has to be backward compatible with the software available TODAY.

 

What I keep stressing about MRT is that it goes only after specific

targets - those that Microsoft considers the most pervasive. SO, if you have

two from the list on your computer, and 14 others, the 14 will not be

touched. How does that make the M/S Malicious Removal Tool "not worthy"? It

has done what it is purported to do. And looking at the numbers, it has

removed a hell of a lot of infections (while leaving those that it does not

target).

 

How is that hard to understand.

 

With that I am retiring from this thread. The beaten horse is dead.

 

 

 

--

 

Richard Urban

Microsoft MVP

Windows Desktop Experience

 

 

"Leythos" <spam999free@rrohio.com> wrote in message

news:MPG.239b689c2e4a9ca98972f@us.news.astraweb.com...<span style="color:blue">

> In article <uaOjAilUJHA.1164@TK2MSFTNGP02.phx.gbl>,

> richardurbanREMOVETHIS@hotmail.com says...<span style="color:green">

>> Why do you keep referring to "completely clean their machine"?

>>

>> There is no ONE program that will do such. If there is - PLEASE - point

>> all

>> of us to it. We would much appreciate it.

>>

>> Why would you expect the Microsoft Malicious Removal Tool to be able to

>> do

>> what other anti malware programs can not do?

>>

>> Be reasonable and allow that it is/should be a part of a layered anti

>> malware approach and that what it does it does good!</span>

>

> I keep bringing it up because someone keeps mentioning how good MSRT is,

> but they can't provide any real data to prove that the MSRT is of any

> real value.

>

> If I provide a tool that removes 1% of malware from machines, that tool

> reports back that it removed some malware, and I post that my tool has

> removed malware from 8 billion machines, what does it appear that I'm

> trying to do? I'm trying to sell you on the idea that my tool cleaned 8

> billion machines - at least if you're just following hype.

>

> So, if 8 billion machines that the "tool" was run on, that means that

> 99% of malware remained, stealing personal data, spamming networks,

> spreading, etc....

>

> (NOTE: 8 Billion was my made up number and has not been suggested by

> anyone)

>

> As for "Why" should I expect something from MS that will clean my

> machine? Well, to be honest, I don't and have yet to see anything

> positive in this area from MS. Yes, I see political type posturing, but

> nothing that could be considered a "Great" tool for removing malware.

>

> Take the top 10 FREE anti-malware tools, take 10 infected machines,

> compromised with 100+ different nasties, run the top 10 against the

> MSRT.... Do you think that the MSRT will do a better job than any of the

> 10?

>

> I believe that MS has the power and capability to properly secure the OS

> against 99.999999% of the threats we see on a daily basis, that they can

> do it while still allowing our applications to operate properly (for the

> most part), but that they have no real interest in doing so.

>

>

> --

> - Igitur qui desiderat pacem, praeparet bellum.

> - Calling an illegal alien an "undocumented worker" is like calling a

> drug dealer an "unlicensed pharmacist"

> spam999free@rrohio.com (remove 999 for proper email address) </span>

Guest FromTheRafters
Posted

"1PW" <barcrnahgjuvfgyr@nby.pbz> wrote in message

news:ggr0js$dfl$1@news.motzarella.org...

<span style="color:blue">

> If one wishes to just compare developed countries, what is it about

> Japan's and Taiwan's security products that would seem to leave them

> much better protected than those of other developed countries?</span>

 

Consider the subset of malware that the tool addresses. Then consider

the vectors used by that lot of malware. It is possible that the language

barriers' influence is amplified. Add this to the likelihood that those users

have no "security" software - but may be immune to (or not exposed to)

the social engineering aspects of the vectors used for ingress.

 

A fake AV alert pop-up from a website written in Sanskrit isn't going to

fool anyone I know into downloading and executing a trojan. If this is

the normal vector (trojan) that MSRT addresses, then I can understand

why the data is so skewed.

Guest Leythos
Posted

In article <uwkFVfmUJHA.2644@TK2MSFTNGP03.phx.gbl>,

richardurbanREMOVETHIS@hotmail.com says...

[snip]<span style="color:blue">

> But, it has to be backward compatible with the software available TODAY.</span>

 

No, it doesn't - if they promised as secure a platform as most Linux

systems while having support for the top 10% of applications, people

would snap it up like hotcakes.

<span style="color:blue">

> What I keep stressing about MRT is that it goes only after specific

> targets - those that Microsoft considers the most pervasive. SO, if you have

> two from the list on your computer, and 14 others, the 14 will not be

> touched. How does that make the M/S Malicious Removal Tool "not worthy"? It

> has done what it is purported to do. And looking at the numbers, it has

> removed a hell of a lot of infections (while leaving those that it does not

> target).</span>

 

And my comment was that it's not taken seriously as a viable tool in

cleaning malware off machines by most of the anti-malware community -

for the exact reason you state - it only targets a limited amount of

malware.

<span style="color:blue">

> How is that hard to understand.</span>

 

It's not, that's why I made my statement about it not being a respected

tool. It's just another crap-shoot in the dark that most people don't

even know is running. The only reason it's done as many removals as it

has is because it's downloaded each update cycle.

 

--

- Igitur qui desiderat pacem, praeparet bellum.

- Calling an illegal alien an "undocumented worker" is like calling a

drug dealer an "unlicensed pharmacist"

spam999free@rrohio.com (remove 999 for proper email address)

Guest Steve Riley [MSFT]
Posted

There are no specific Japanese or Taiwanese security products included in

the numbers here. Page 148 lists the various products from which we gather

data (called "telemetry" in the report): MSRT, Windows Defender, Windows

Live OneCare, Windows Live OneCare Safety Scanner, Forefront Client

Security, and Exchange Hosted Services. We take reports from these products

in all countries where they're installed.

 

--

Steve Riley

steve.riley@microsoft.com

http://blogs.technet.com/steriley

Protect Your Windows Network: http://www.amazon.com/dp/0321336437

 

 

 

"1PW" <barcrnahgjuvfgyr@nby.pbz> wrote in message

news:ggr0js$dfl$1@news.motzarella.org...<span style="color:blue">

> On 11/28/2008 07:40 PM, Steve Riley [MSFT] sent:<span style="color:green">

>> Pete, what is it about the SIR's explanation regarding geographic

>> distribution that you aren't ready to accept? My own work with customers

>> in various countries around the world tends to support the paragraph

>> Dave quoted.

>></span>

>

> Hello Steve:

>

> Thank you for taking time for a response.

>

> If one wishes to just compare developed countries, what is it about

> Japan's and Taiwan's security products that would seem to leave them

> much better protected than those of other developed countries?

>

> In actual and real world practice, are we in the USA much less likely

> to employ effective computer protection than those users in Finland or

> the Netherlands?

>

> Are folks in Canada and Australia more likely to be more security aware

> when compared to the folks in Greenland? Malware doesn't know what a

> political boundary is. Malware succeeds where computers aren't used

> properly, nor well protected and well maintained. Malware is therefore

> opportunistic.

>

> Perhaps some of the other developed nations have better education

> programs for their computer users. However, well intentioned use must

> be matched with the proactive use of fine after market protective

> applications, hardware, and keen attention to patches, updates and

> upgrades.

>

> I promise to keep my mind as open as can be. Thank you again sir.

>

> Pete

>

> --

> 1PW

>

> @?6A62?FEH9:DE=6o2@=]4@> [r4o7t] </span>

Guest Steve Riley [MSFT]
Posted

When the MSRT runs, if it finds what it looks for, it removes it and reports

that removal to Microsoft. If it finds nothing, it exits. Neither I nor the

tool nor the SIR make any claims that the MSRT completely cleans a machine.

As others have pointed out, it is one element of an effective arsenal of

tools to help improve security.

 

Here's something interesting, which might even surprise you: this month

(November 2008) the single most prevalent piece of malware the tool detects

is Win32/FakeSecScan (rogues that mimic the Security Center). As of 13

November, we've tracked 811,000 removals. This includes some FakeSecScan

threats that were no longer active when detected -- meaning that they were

incompletely cleaned manually or by other AV products, and the MSRT

successfully cleaned out the remaining bits.

 

I have a proposal for you -- actually, for everyone reading this thread. The

MSRT creates a log file in %WINDIR%\Debug. KB 890830 describes its output.

If you ever encounter an instance of where the tool fails to properly clean

a machine, the Microsoft Malware Protection Center is ready to help. Go to

http://www.microsoft.com/security/portal, click on "Submit a Sample," and

please send us your MRT.LOG file and a sample of the malware, if you can.

We'd love to work with everyone to make sure the tool is as effective as

possible.

 

--

Steve Riley

steve.riley@microsoft.com

http://blogs.technet.com/steriley

Protect Your Windows Network: http://www.amazon.com/dp/0321336437

 

 

 

"Leythos" <spam999free@rrohio.com> wrote in message

news:MPG.239b003461fbb6ab98972d@us.news.astraweb.com...<span style="color:blue">

> In article <57D4615E-5548-4750-881B-FCB4AE478B12@microsoft.com>,

> steve.riley@microsoft.com says...

> [snip]<span style="color:green">

>> Again, the data in the SIR contradict your assertions. A chart on page 53

>> compares, by Windows type, the number of computers cleaned per 1000 MSRT

>> executions. Page 138 tabulates the numbers. Windows XP RTM shows 33.8,

>> Windows XP SP 3 shows 9.2, Windows Vista RTM shows 4.9, Windows Vista SP1

>> shows 4.5. If we "failed again" to make the OS secure, if "the same crap"

>> that infected XP also attacked Vista, wouldn't the numbers for Vista be

>> equivalent to those for XP?</span>

>

> How many malware were left on/in those machines? Without that number

> your stat is meaningless.

>

> What this means is that, based on my experience, that MSRT does little

> to actually "Clean" a machine. By clean, lets be clear, I mean that it

> removes all malware from the machine.

>

> Claiming that a tool is good because it removes malware while leaving X

> items of malware still on the system is a misrepresentation of the

> quality of the tool.

><span style="color:green">

>> Anecdotes are not data. Your few instances of machines getting infected

>> can't compare to the data reflecting research across tens of millions of

>> computers.</span>

>

> But it is valid - if we take the MSRT and run it on a compromised

> machine, having it claim the machine is clean, then we run several other

> anti-malware tools that show the machine to remain seriously

> compromised, doesn't that indicate that the "Data" you are interpreting

> as showing MSRT to be a good tool is seriously flawed?

>

> --

> - Igitur qui desiderat pacem, praeparet bellum.

> - Calling an illegal alien an "undocumented worker" is like calling a

> drug dealer an "unlicensed pharmacist"

> spam999free@rrohio.com (remove 999 for proper email address) </span>
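Added example, not part of any post in this thread and not Microsoft's code: a small triage script for the MRT.LOG file mentioned above, showing why a "nothing found" run is not the same as a clean machine. The log layout, the UTF-16 file encoding and the return-code meanings are assumptions recalled from KB 890830 and should be checked against the KB; the sample log is constructed.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the assumed layout of mrt.log; not from a real machine.
SAMPLE_LOG = r"""
Microsoft Windows Malicious Software Removal Tool vX.Y, November 2008
Started On Tue Nov 11 09:00:01 2008

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Nov 11 09:03:40 2008

Return code: 0 (0x0)

Microsoft Windows Malicious Software Removal Tool vX.Y, November 2008
Started On Fri Nov 14 18:20:11 2008

Results Summary:
----------------
Found virus: Win32/FakeSecScan in file://C:\placeholder\constructed.exe
Microsoft Windows Malicious Software Removal Tool Finished On Fri Nov 14 18:31:02 2008

Return code: 12 (0xc)

Microsoft Windows Malicious Software Removal Tool vX.Y, November 2008
Started On Sat Nov 15 02:00:00 2008
"""

# Return-code meanings as recalled from KB 890830 (assumption; verify there).
VERDICTS = {
    0: "no-targeted-family-found",  # only the families MSRT targets were checked
    6: "detected-not-removed", 7: "detected-not-removed",
    8: "removed-manual-steps", 9: "removed-manual-steps",
    10: "removed-restart-required", 11: "removed-restart-required",
    12: "removed", 13: "removed",
}

@dataclass
class Run:
    started: str
    code: Optional[int] = None
    summary: List[str] = field(default_factory=list)

def parse_runs(text: str) -> List[Run]:
    """Split the log into runs keyed on 'Started On' and 'Return code:' lines."""
    runs: List[Run] = []
    cur: Optional[Run] = None
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Started On (.+)$", line)
        if m:
            cur = Run(started=m.group(1))
            runs.append(cur)
            in_summary = False
        elif cur is None:
            continue  # banner text before the first run
        elif line.startswith("Results Summary"):
            in_summary = True
        elif re.match(r"Return code:\s*(\d+)", line):
            cur.code = int(re.match(r"Return code:\s*(\d+)", line).group(1))
            in_summary = False
        elif in_summary and line and set(line) != {"-"} and " Finished On " not in line:
            cur.summary.append(line)
    return runs

def verdict(run: Run) -> str:
    if run.code is None:
        return "incomplete-run"  # started but never logged a return code
    return VERDICTS.get(run.code, "error-or-unknown")

def triage(text: str) -> List[Tuple[str, str]]:
    return [(r.started, verdict(r)) for r in parse_runs(text)]

if __name__ == "__main__":
    # Assumed encoding of the on-disk file is UTF-16.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for started, v in triage(text):
        print(f"{started}: {v}")
```

A run that never logs a return code, or one with an unmapped code, is reported separately so it is not mistaken for a scan that found nothing.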

Guest Leythos
Posted

In article <E9E27F95-9391-42AF-8CEF-5770F5500C99@microsoft.com>,

steve.riley@microsoft.com says...<span style="color:blue">

> I have a proposal for you -- actually, for everyone reading this thread. The

> MSRT creates a log file in %WINDIR%\Debug. KB 890830 describes its output.

> If you ever encounter an instance of where the tool fails to properly clean

> a machine, the Microsoft Malware Protection Center is ready to help. Go to

> http://www.microsoft.com/security/portal, click on "Submit a Sample," and

> please send us your MRT.LOG file and a sample of the malware, if you can.

> We'd love to work with everyone to make sure the tool is as effective as

> possible.

> </span>

 

Steve, with all due respect, there are companies that have a single

business of removing malware, they do a better job at removing MORE than

the MSRT.

 

My entire point was that most people don't take the MSRT seriously as it

removes a fraction of the malware out there, there are better tools

already on the market that are free, and they get better feedback from

other tools than from the MSRT.

 

--

- Igitur qui desiderat pacem, praeparet bellum.

- Calling an illegal alien an "undocumented worker" is like calling a

drug dealer an "unlicensed pharmacist"

spam999free@rrohio.com (remove 999 for proper email address)
