
Softpanorama Malware Protection Bulletin, 2006



Old News ;-)

[Nov 1, 2006] Business and Financial News - New York Times -- The virus of greed infected McAfee

A former executive of McAfee agreed to pay about $757,000 to settle charges that he played a role in the company's $622 million accounting fraud.

[Oct 21, 2006] Panda Antivirus 2007 only 9.99

I think that even $9.99 is too much, but it is still at least a reasonable price for this kind of software :-)

[Oct 20, 2006] Internet Explorer 7 optimized for Yahoo! Get the IE7 download.

IE7 shipped. The software can run on Windows XP Service Pack 2, XP 64-bit Edition and Windows Server 2003 Service Pack 1, according to Yahoo's Web site.
Especially valuable are the countermeasures against phishing sites. IE7 includes powerful but mostly invisible changes to how IE handles URLs and scripts. It also gives the user the ability to control IE add-ons. Microsoft also made significant default changes in the "Internet Zone" and "Trusted Sites" zone to provide defense-in-depth against the most dangerous IE attack vectors. The Internet zone, where most users browse, was tightened down with two very notable changes: it will run in Protected Mode on Windows Vista, and it has the "ActiveX Opt-In" feature on older versions of Windows. That will definitely also help to reduce spyware attacks in the Internet zone. Also useful are the ability to scale fonts on any page (which lets long-sighted people view pages without glasses), the newer JavaScript engine and better compatibility with the W3C standards.
As you can see, Yahoo immediately put it up for download, as they used to have problems with IE6 on their popular Finance site :-)

October 19, 2006 (IDG News Service) -- Yahoo Inc. put a customized version of Internet Explorer 7 on its Web site for downloading on Wednesday, before Microsoft Corp.'s own release of the browser.

The download page for the specialized final version of IE7 appeared during the afternoon on Wednesday, U.S. Pacific time. Microsoft, in Redmond, Wash., had given Oct. 18 as a tentative release date for the product but had not made the software available itself before Yahoo did.

Yahoo's version of IE7 includes the Yahoo toolbar and uses Yahoo's search tool as a default. It also features two home pages, Yahoo and Yahoo News, according to the company's Web site. It can be downloaded here.

[Oct 20, 2006] Slashdot Vista Security Discussions Get a Rocky Start

[Oct 8, 2006] Users differ over benefits of Microsoft's Patch Guard -- The Patch Guard technology is already included in 64-bit versions of Windows XP and Windows 2003

Users generally do not care. They just want better security at the lowest price and hassle possible. Symantec and McAfee are companies by and large created by Microsoft's security blunders, and they are not interested in correcting them. It is easy to blame Microsoft, but in this particular case the limitations make sense. Actually there are a lot of problems with the approach of Symantec (and some other security vendors); if I remember correctly, they were accused of using rootkit technology in their products. They are also really dangerous as kernel co-developers: the quality of their software is far from perfect.

October 06, 2006 (Computerworld) -- IT managers have divided views of a simmering dispute between two major security vendors and Microsoft Corp. over the latter's Patch Guard technology, which prevents access to the 64-bit Windows kernel.

Security software vendors Symantec Corp. and McAfee Inc. say the Patch Guard technology prevents the use of certain features in third-party tools that would make Windows safer from hackers. McAfee this week took out a full-page advertisement in London's Financial Times newspaper and charged that Microsoft's use of Patch Guard is anticompetitive behavior.

Microsoft, meanwhile, contended that the technology itself closes the 64-bit Windows kernel to unauthorized access.

"This is a double-sided sword," said Andreas Wuchner, head of IT security architecture and strategy at Novartis Pharma AG in Basel, Switzerland. "Microsoft got blamed in the past for not being able to [better] protect their customers. Now that they are moving forward, everyone starts blaming them again for being a monopolist."

... ... ...

The Patch Guard technology is already included in 64-bit versions of Windows XP and Windows 2003, and it will be included in the 64-bit version of the next-generation Windows Vista operating system due out by early next year.

"In the 32-bit version of [Windows], there has always been these undocumented and unsupported ways of modifying the kernel while it is running," said Stephen Toulouse, senior product manager in Microsoft's security technology unit. Such access "introduced stability problems, performance problems and security problems," he said.

Symantec and McAfee argue that restricting access to Vista's kernel hampers their ability to deliver functions such as behavior-based virus blocking and rootkit detection. They also maintain that hackers have already gained access to the kernel of 64-bit Windows systems that are now shipping.

"The notion that by keeping everybody out of the kernel nothing will happen is false," said Sarah Hicks, vice president of consumer product management at Cupertino, Calif.-based Symantec.

A spokeswoman for Santa Clara, Calif.-based McAfee suggested that Microsoft at least allow security vendors to access the Vista kernel. She contended that giving security vendors access to 32-bit versions of Windows has led to the development of "sophisticated security technology."

... ... ...

Conversely, Lloyd Hession, chief security officer at BT Radianz, a New York-based telecommunications provider, said that Patch Guard appears to be a response to critics calling for such features in Microsoft operating systems.

"I don't think you'll find a lot of sympathy for Symantec and McAfee. They made their millions off other people's ill fortune, if you will," he said.

Hession predicted that as more security features are bundled into Vista, some of today's stand-alone security products will become irrelevant. "It's a positive for users," he said, "but it sucks to be a Symantec."

[Sep 25, 2006] USB memory sticks pose new dangers -- U3 technology, in which a flash drive imitates a CD/DVD with its autoexecution feature, might mean the return of boot viruses on a new technological level

September 25, 2006 (Computerworld) The ability to use tiny USB memory sticks to download and walk away with relatively large amounts of data has already made the ubiquitous devices a potent security threat in corporate environments. Now, the emergence of USB flash drives that can store and automatically run applications straight off the device could soon make the drives even more of a security headache.

Demonstrating the potential danger, Hak.5, a security-related podcast, earlier this month showed how a USB memory stick can -- in just a few seconds -- be turned into a device capable of automatically installing back doors, retrieving passwords or grabbing software product codes.

Hak.5's "hacking framework" is called USB SwitchBlade and gives hackers a way to automate different payloads running on a USB flash drive, said Darren Kitchen, the Williamsburg, Va.-based co-host of Hak.5.

SwitchBlade takes advantage of a relatively new technology from Redwood City, Calif.-based U3 LLC that allows software and applications to be executed directly from USB drives. U3's technology is designed to increase mobility by letting users store their personal desktops -- including their programs, passwords, user preferences and other data -- on a memory stick and then run it on any computer without worrying about whether those applications are installed on that system.

Unlike traditional USB flash drives, U3 memory sticks are self-activating and can auto-run applications when inserted into a system. They're part of an emerging set of "smart" flash drives becoming available from vendors such as Migo Software Inc. and Route 1 Inc.

But the same functions that allow for such mobility also give hackers another way to break into systems, said John Pescatore, an analyst at Gartner Inc. in Stamford, Conn. "Most people think of these things as storage sticks. But U3 is a little computer on a thumb drive" that could be dangerous in the wrong hands, he said.

Hak.5 has developed code that can replace parts of the original content on a U3 flash drive with a payload for "instantly" retrieving Windows password hashes when a memory stick is inserted into a computer, Kitchen said. Also available within the Hak.5 community are payloads that in seconds can retrieve AOL Instant Messenger and MSN passwords, browser histories and software product keys. Payloads can also be used to install back doors and Trojan horse programs on computers.

None of the hacker tools used in SwitchBlade are new. And security analysts have for some time now been warning that USB-connected devices such as flash drives and iPods can be used to sneak viruses and other malware into corporate environments.

But the fact that such tools can now be run automatically on a self-activating flash drive makes them far more accessible and easier to exploit, said Ken Westin, a security analyst at Centennial Software Ltd., a Swindon, England-based IT asset management company. "The combination is creating a perfect storm," he said.

The Hak.5 demonstration again highlights the need for companies to adopt holistic policies for managing USB ports, Pescatore said. "There is a growing awareness of this problem and a desire to do more port control," he said. The focus, however, should not just be on preventing data leaks but should also address other potential threats, he said.

The availability of such exploits also highlights the need for companies to disable the Windows AutoRun feature and limit administrative privileges on end-user systems, Kitchen said. One mitigating factor is that physical access to a computer is still required for someone to carry out an attack using a USB drive, he said.

There are several options available to enterprises for securing USB ports on users' systems, said Jonathan Singer, an analyst at Yankee Group Research Inc. in Boston. Companies, for instance, can choose to disable USB ports through group policy management -- either on their own or through third-party vendor tools, he said. But that doesn't allow for a great deal of "granularity by system or by user," he said. Several tools are also available from vendors such as Centennial, SecureWave SA and SafeBoot NV that let companies apply very granular and specific port control rules, he said.

Companies also need to pay attention to educating users about the potential security risks posed by USB flash drives, he said.

"If you have sensitive data, you might want to institute some sort of USB control -- especially if you are in a regulated industry," Singer said. "You can have a user walk away with a whole bunch of information, or someone's PCs could get owned by a USB device they picked up in a parking lot," he said.

[Sept 9, 2006] TPCSv8 - Articles - What Slows Windows Down

The results of the security software were quite shocking. I've always known that being most involved with the system, antivirus and firewall programs are going to make things slower, but I was just completely astounded by the Norton result when compared against the other software on show.

Fonts were as, if not more, amazing. I know people always say not to install too many fonts (which is really hard when you have a DVD full of them), but this is the first proof I've seen that shows fonts have a massive effect on the Windows load time.

One conclusion that we can take from this is that software that makes many, many changes to the system when it installs is going to have a larger effect on Windows boot timings. Examples of this were shown by the .NET runtime (both standalone and as part of Visual Studio) and the fonts, which get scooped up by system services. VMWare Workstation installs a lot of system drivers to emulate hardware properly, which also goes a long way to slow down a computer. Furthermore, if that software loads at boot, this is going to have an added knock-on effect, shown best by the antivirus programs and the chat clients.

[Jun 29, 2006] Microsoft offers Internet Explorer 7 Public Beta 3

Microsoft today posted a mildly revised and more secure Beta 3 version of Internet Explorer 7 free for public download.

New features and functionality in the Beta 3 release include:

[Jun 28, 2006] Slashdot News for nerds, stuff that matters

"SecurityFocus has published an interesting interview with Rachna Dhamija, co-author of the paper 'Why Phishing Works' and creator of Dynamic Security Skins (a plugin for Mozilla). She presented some very interesting results from her research efforts, for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.' She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are - users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.'"

[Feb 23, 2006] Free Download Internet Explorer 7.0 Beta 2 Preview - The latest version of the world's most popular Web
If the beta is not available from Microsoft, it can be found on third-party sites. Download Link 1

Download details Internet Explorer 7 Beta 2 Preview, Technology Overview
Better late than never: Microsoft raised the security bar in IE7: all browser windows require an Address Bar. Because hackers have often abused valid pop-up window actions to display windows with misleading graphics and data as a way to convince users to download or install their malware, the requirement of an Address Bar in each window will help ensure that users always know more about the true source of the information they are seeing. Internet Explorer 7 IDN rules force the display of the Punycode domain name format when multiple character sets are contained within a single domain name label. For example, the URL http://www.microsó would be displayed in Punycode since it mixes both the French and English character sets in the same label portion. The address bar would display, alerting the user and calling attention to the suspicious URL. The URL http://ŵŵŵ would be displayed correctly because the language character sets are contained in separate labels.
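As an added illustration of the per-label rule described above (example code, not Internet Explorer's own implementation), the following Node.js script sorts each label's characters into assumed "character set" buckets (plain ASCII, non-ASCII Latin letters, and one bucket per other Unicode script) and renders any label that mixes buckets in its Punycode form. The real browser also consults the user's configured languages; that part is omitted here.

```javascript
// Added example (not IE7 code): a simplified model of the per-label IDN display rule.
// Assumption: a "character set" is one of plain ASCII letters/digits/hyphen, non-ASCII
// Latin letters, or one bucket per other Unicode script. A label mixing buckets is shown
// in its Punycode (xn--) form; a label drawn from a single bucket is shown as typed.

const OTHER_SCRIPTS = ['Cyrillic', 'Greek', 'Han', 'Hiragana', 'Katakana', 'Hangul',
  'Arabic', 'Hebrew', 'Thai', 'Devanagari'];

// Classify one character into an assumed "character set" bucket.
function charSetOf(ch) {
  if (/^[a-z0-9-]$/.test(ch)) return 'ascii';
  if (/^\p{Script=Latin}$/u.test(ch)) return 'latin-ext';
  for (const s of OTHER_SCRIPTS) {
    if (new RegExp(`^\\p{Script=${s}}$`, 'u').test(ch)) return s.toLowerCase();
  }
  return 'other'; // combining marks or scripts not listed above
}

// The set of buckets a (lowercase) label draws its characters from.
function charSetsOf(label) {
  return new Set(Array.from(label, charSetOf));
}

// RFC 3492 Punycode encoder for one label (returns the part after "xn--").
function punycodeEncode(label) {
  const base = 36, tMin = 1, tMax = 26, skew = 38, damp = 700;
  const cps = Array.from(label, (c) => c.codePointAt(0));
  let out = cps.filter((cp) => cp < 128).map((cp) => String.fromCodePoint(cp)).join('');
  const basicLen = out.length;
  if (basicLen > 0) out += '-';
  const digit = (d) => String.fromCharCode(d < 26 ? d + 97 : d - 26 + 48);
  const adapt = (d, numPoints, first) => {
    d = first ? Math.floor(d / damp) : d >> 1;
    d += Math.floor(d / numPoints);
    let k = 0;
    while (d > ((base - tMin) * tMax) >> 1) { d = Math.floor(d / (base - tMin)); k += base; }
    return k + Math.floor(((base - tMin + 1) * d) / (d + skew));
  };
  let n = 128, delta = 0, bias = 72, h = basicLen;
  while (h < cps.length) {
    const m = Math.min(...cps.filter((cp) => cp >= n)); // next code point to encode
    delta += (m - n) * (h + 1);
    n = m;
    for (const cp of cps) {
      if (cp < n) delta++;
      if (cp === n) {
        let q = delta;
        for (let k = base; ; k += base) {
          const t = k <= bias ? tMin : k >= bias + tMax ? tMax : k - bias;
          if (q < t) break;
          out += digit(t + ((q - t) % (base - t)));
          q = Math.floor((q - t) / (base - t));
        }
        out += digit(q);
        bias = adapt(delta, h + 1, h === basicLen);
        delta = 0;
        h++;
      }
    }
    delta++;
    n++;
  }
  return out;
}

// Decide how one label is shown in the address bar under the assumed rule.
function displayLabel(label) {
  const sets = charSetsOf(label);
  if (sets.size > 1) return 'xn--' + punycodeEncode(label); // mixed sets: show Punycode
  return label; // single character set: show the Unicode form
}

// Apply the rule label by label, so a non-ASCII label next to an ASCII one is still
// shown as typed (the page's second example), while a mixed label is not.
function displayHost(host) {
  return host.toLowerCase().split('.').map(displayLabel).join('.');
}

// Constructed sample hosts: the page's two examples plus a Cyrillic-'a' homograph.
for (const host of ['www.microsóft.com', 'ŵŵŵ.microsoft.com', 'pаypal.com']) {
  console.log(host, '->', displayHost(host));
}
```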

Dynamic Security Protection

Web browsers perform a broad range of functions in the computing environment. They must be open and flexible enough to enable users to interact with multiple data sources housed on a range of systems around the globe and at the same time be secure enough to prevent unwanted data access or application behaviors. Managing this balance is a top priority for Microsoft's customers. The combination of the ubiquitous and essential nature of the Web browser with the requirement for bidirectional network communications gives browsers the unenviable responsibility of being both a critical element of the computing infrastructure and the primary attack point for malicious software.

Vulnerabilities exist in all sophisticated software code; the differences essentially come down to the degree of difficulty required to exploit them and what a hacker can do upon exploiting them. Further, some security vulnerabilities are not even technological in nature. For example, malicious individuals can exploit social behaviors and user misinformation techniques, resulting in users being tricked into turning over personally identifiable information through obscured Web sites, confusing dialog boxes and unexpected add-on behavior. Web browsers represent an alluring target for hackers because many users can be easily confused and, historically, have not applied all security updates in a timely manner.

Windows XP SP2 greatly improved security in the operating system and the browser. Internet Explorer 7 on Windows XP and Windows Vista goes well beyond those changes, providing a significantly strengthened browser by eliminating legacy code to deliver stronger and more secure software. Along with the Microsoft Windows Defender application (currently in beta testing and formerly known as Windows AntiSpyware), Internet Explorer 7 helps users achieve an unprecedented level of security protection.

Microsoft has two primary security objectives with Internet Explorer 7:

Protection Against Malware

Malware, short for malicious software, refers to software applications designed to damage or disrupt a user's system. The proliferation of malware and its impact on security is a driving force behind the design of Internet Explorer 7. The new version has been improved to reduce the potential for hackers to compromise a user's browser or system. In addition, Internet Explorer 7 includes several technical features designed to thwart hackers' efforts to lead users into giving away personal data when they should not. Core parts of the browser's architecture also have been fortified to better defend against exploitation and improve the way the browser handles data.

URL Handling Protections

Historically, attackers have taken advantage of internal code design issues within the Web browser to attack a system. A hacker would rely on a user clicking on an HTML link referencing some type of malformed URL that contains odd or excessive characters. In the process of parsing the URL, the system's buffer would overflow and execute some code the hacker wanted to install. Given the size of Web browser application code, the most efficient solution to fixing these types of attacks was to issue updates as each was discovered and the root cause identified. Yet even with only a handful of such updates required, the more optimal solution was to rewrite the baseline application code. Internet Explorer 7 benefits from these experiences and the analysis of attack signatures. Rewriting certain sections of the code has drastically reduced the internal attack surface of Internet Explorer 7 by defining a single function to process URL data. This new data handler ensures higher reliability while providing greater features and flexibility to address the changing nature of the Internet as well as the globalization of URLs, international character sets and domain names.

ActiveX Opt-In

Internet Explorer offers Web developers the ActiveX® platform as a mechanism to greatly extend browser capabilities and enhance online experiences. Some malicious developers have co-opted the platform to write harmful applications that steal information and damage user systems. Many of these attacks were made against ActiveX Controls shipped within the Windows operating system, even though the controls were never intended to be used by Internet-facing applications. Internet Explorer 7 offers users a powerful new security mechanism for the ActiveX platform. ActiveX Opt-In automatically disables entire classes of controls - all controls the user has not previously enabled - which greatly reduces the attack surface. This new feature mitigates the potential misuse of preinstalled controls. Users will now be prompted by the Information Bar before a previously installed but as-yet unused ActiveX Control can be accessed. This notification mechanism will enable users to permit or deny access when viewing unfamiliar Web sites. For Web sites that attempt automated attacks, ActiveX Opt-In protects users by preventing unwanted access and giving the user total control. If the user opts to permit loading an ActiveX Control, the appropriate control is easily enabled by clicking in the Information Bar.

Protection Against Cross-Domain Scripting Attacks

Cross-domain scripting attacks involve a script from one Internet domain manipulating content from another domain. For example, a user might visit a malicious page that opens a new window containing a legitimate page (such as a banking Web site) and prompts the user to enter account information, which is then extracted by the hacker. Internet Explorer 7 has been improved to help deter this malicious behavior by appending the domain name from which each script originates and limiting that script's ability to interact only with windows and content from that same domain. These cross-domain script barriers will help ensure that user information remains in the hands of only those the user intentionally provides it to. This new control will further protect against malware by limiting the potential for a malicious Web site to manipulate flaws in other Web sites and initiate the download of some undesired content to a user's PC.

Protected Mode

Available only to users running Internet Explorer 7 in Windows Vista, Internet Explorer Protected Mode will provide new levels of security and data protection for Windows users. Designed to defend against "elevation of privilege" attacks, Protected Mode provides the safety of a robust Internet browsing experience while helping prevent hackers from taking over the browser and executing code through the use of administrator rights.

In Protected Mode, Internet Explorer 7 in Windows Vista is completely unable to modify user or system files and settings. All communications occur via a broker process that mediates between the Internet Explorer browser and the operating system. The broker process is initiated only when the user clicks on the Internet Explorer menus and screens. The highly restrictive broker process prohibits work-arounds from bypassing the Protected Mode. Any scripted actions or automatic processes will be prevented from downloading data or affecting the system. Specifically, Component Object Model (COM) objects will only be self-aware and will have no reference information by which to identify and attack other applications or the operating system.

Internet Explorer Protected Mode helps protect users from malicious downloads by restricting the ability to write to any local machine zone resources other than temporary Internet files. Attempting to write to the Windows Registry or other locations will require the broker process to provide the necessary elevated permissions. Internet Explorer Protected Mode also offers tabbed browsing security protection by opening new windows - rather than new tabs - for content contained outside the current security zone.

Fix My Settings

Knowing that most users are likely to install and operate applications using the default configuration, Internet Explorer 7 ships with security settings designed to provide the maximum level of usability while maintaining controlled security. There are legitimate reasons why a custom application may require a user to lower security settings from a default, but it is critical the user reverse those changes when they are no longer needed. Internet Explorer 7 introduces users to the new Fix My Settings feature to keep users protected from browsing with unsafe settings. This new feature in Internet Explorer 7 warns users with an Information Bar when current security settings may put them at risk. When a user makes changes in the security settings window, they will see settings automatically highlight in red if they modify certain critical items. In addition to dialog alerts warning the user about unsafe settings, the user will be reminded by the Information Bar as long as the settings remain unsafe. Users can instantly reset the security settings to the 'Medium-High' default level by clicking the 'Fix My Settings' option in the Information Bar.

Advanced Protection Against Spyware With Windows Defender

Microsoft Windows Defender enhances security and privacy protections when used with Internet Explorer 7. Extending the protections against malware at the browser level, Windows Defender helps prevent malware entering the machine via piggy-back download, a common mechanism by which spyware is distributed and installed silently along with other applications.

Although the improvements in Internet Explorer 7 cannot stop non-browser-based spyware from infecting the machine, using it with Windows Defender will provide a solid defense on several levels. Windows Defender is available in a beta release now for Windows XP SP2 and will also be in Windows Vista.

Personal Data Safeguards

Most users are unaware of how much personal, traceable data is transmitted with every click of the mouse while they are browsing the Web. The extent of this information continues to grow as browser developers and Web site operators evolve their technologies to enable more powerful and convenient user features. Similarly, most online users are likely to have trouble discerning a valid Web site from a bogus copy.

The extent to which convenience and discount pricing are available online gives users an attractive reason to click and buy. The Internet enables any large or small business to easily create an online storefront for selling goods, enabling the business to reach a consumer audience well beyond traditional physical and geographic boundaries. Search engine marketing efforts allow these Web sites to establish instant consumer credibility and reach millions of users through some of the largest search engines or portal Web sites. The combination of these factors creates situations in which consumers are dealing with distant businesses and left with fewer concrete mechanisms to differentiate legitimate businesses from those seeking to collect their information for improper gain. Another challenge facing users is the ability for malicious Web site operators to abuse the same search listing services to attract unsuspecting consumers to knockoff Web sites designed to mimic the appearance and function of well-known and trusted businesses.

A technique used by many malicious Web site operators to gather personal information is known as phishing - masquerading online as a legitimate person or business for the purpose of acquiring sensitive information. Such fake Web sites designed to look like the legitimate sites are referred to as spoofed sites. Over the past year, phishing attacks have been reported in record numbers, and identity theft is emerging as a major threat to personal financial security. In the past year, the number of confirmed phishing sites has grown fivefold - from 580 to more than 3,000 (source: Anti-Phishing Working Group, April 2005 report).

Unlike direct attacks where hackers break into a system to obtain account information, a phishing attack does not require technical sophistication but instead relies on users willingly divulging information such as financial account passwords or Social Security numbers. These socially engineered attacks are among the most difficult to defend because they require user education and understanding rather than merely issuing an update for an application. Even experienced professionals can be fooled by the quality and details of some phishing Web sites as hackers become more experienced and learn to react more quickly to avoid detection.

Internet Explorer 7 offers a range of enhancements and solutions to better protect against malicious Web site operators and help prevent users from becoming victims of confusing URLs. The new Security Status Bar, located next to the Address Bar, is designed to help users quickly differentiate authentic Web sites from suspicious or malicious ones. In addition, Internet Explorer provides a simple file cleanup utility.

Certificates also play an essential role for users in validating e-commerce Web sites and helping to thwart phishing scams. Internet Explorer 7's Security Status Bar enhances access to certificate information by placing it more prominently in front of users and providing single-click access to the certificate.

Security Status Bar

Over the past few years, Web browser users have been introduced to the concept of encrypted communications and secure sockets layer (SSL) technologies to better protect their information from being obtained by third parties. Although many users have become quite familiar with SSL and its associated security benefits, a large proportion of Internet users remain overly trusting that any Web site asking for their confidential information must be protected. With the explosion of small- and home-based business Web sites selling goods that span the pricing spectrum, users are even more likely to encounter unknown entities asking for their financial information. The combination of these factors creates a situation ripe for abuse. Internet Explorer 7 addresses this issue by providing users with clear, prominent, color-coded visual cues to the safety and trustworthiness of a Web site. With the assistance of Internet Explorer 7 to help identify legitimate Web sites, users can more confidently browse and shop anywhere on the Internet.

Previous versions of Internet Explorer placed a gold padlock icon in the lower-right corner of the browser window to designate the trust and security level of the connected Web site. Given the importance and inherent trust value associated with the gold padlock, Internet Explorer 7's new Security Status Bar places it more prominently in users' line of sight. Users can now view the certificate information with a single click on the padlock icon. The Security Status Bar also supports information about High Assurance (HA) certificates for those sites meeting guidelines for better entity identity validation. Users can benefit from support for HA certification by having instant visual access to the increased validation of authenticity for a given Web site. To provide users with another visual cue designed to help them recognize questionable Web sites, the padlock now appears on a red background if Internet Explorer 7 detects any irregularities in the site's certificate information. By contrast, trusted Web sites will clearly display the name of the certificate owner and a gold background to indicate that users can provide confidential data.

Microsoft Phishing Filter

Developers of phishing and other malicious activities thrive on lack of communication and limited sharing of information. Using an online service that is updated several times an hour, the new Phishing Filter in Internet Explorer 7 consolidates the latest industry information about fraudulent Web sites and shares it with Internet Explorer 7 customers to proactively warn and help protect them. The filter is designed around the principle that, to be effective, early warning systems must derive information dynamically and update it frequently.

The Phishing Filter combines client-side scans for suspicious Web site characteristics with an opt-in online service. It helps protect users from phishing scams in three ways:

1. It compares the addresses of Web sites a user attempts to visit with a list of reported legitimate sites that is stored on the user's computer.

2. It analyzes sites that users want to visit by checking those sites for characteristics common to phishing sites.

3. It sends the Web site address that a user attempts to visit to an online service run by Microsoft to be checked immediately against a frequently updated list of reported phishing sites.

Internet Explorer 7 uses the Security Status Bar to signal users (in yellow) if a Web site is suspicious.


Hi, my name is John Hrvatin and I'm the program manager for Internet Explorer setup. I'd like to share some of the ways setup in IE 7 helps keep you more secure and IE running smoothly.

Prior to installing IE 7, setup runs the Windows Malicious Software Removal Tool to clean your system of known malware and help prevent problems installing IE 7 or running it for the first time. If you keep your computer up-to-date using Windows Update, which hopefully everyone does, you will already have the latest version of the cleaner. In that case, setup will re-run the installed version; otherwise, it will download and run the latest version.

Setup also makes sure you have the latest-and-greatest by downloading and installing any available IE updates. In previous versions of IE, users had to install updates after IE installation and anyone who didn't was out-of-date. In IE 7, setup takes care of the updates so you can get right to using IE 7.

[Feb 17, 2006] Download details Windows® Defender (Beta 2) This is a new, better version of the tool that was known as Microsoft Windows AntiSpyware (Beta). Upgrading is highly recommended...

Windows Defender (Beta 2) is a free program that helps you stay productive by protecting your computer against pop-ups, slow performance and security threats caused by spyware and other potentially unwanted software.

This release includes enhanced features that reflect ongoing input from customers, as well as Microsoft's growing understanding of the spyware landscape.

Specific features of Windows Defender Beta 2 include:

Important Notes

[Feb 10, 2006] Slashdot Microsoft Anti-Spyware Removes Norton Anti-Virus MS Antispyware is one of the best tools. Norton AV (home edition) is very questionable bloatware, so its removal is not a big deal. It might even be a "good thing".

Faster way to clean up Norton
(Score:5, Informative)

by TheGSRGuy (901647) on Saturday February 11, @07:07PM (#14696805)

If MS Antispyware wipes out your Norton install, the fastest and easiest way to clean out Norton to prepare for a reinstall is with Symantec's Norton Removal Tool, aka SymNRT. It's available for free from their website and is designed for situations like this where the install gets corrupted and you can't remove it.

The tool removes every trace of Norton from your system. It does a better job than the normal uninstaller.

Re:What problem?
(Score:5, Informative)

by dynamo52 (890601) on Saturday February 11, @06:43PM (#14696701)

Seriously. Considering how good NAV is at sucking up memory and CPU cycles, the only way anyone probably noticed was when their computer suddenly seemed much smoother and more responsive.

I agree. I am a computer services provider for mostly home users and I often find NAV and internet tools to be the single greatest contributor to draining system resources. I usually recommend disabling NAV, using safe internet practices, and scanning weekly or if there appears to be a problem.

Re:What problem?
(Score:3, Interesting)

by AsbestosRush (111196) on Saturday February 11, @07:24PM (#14696891)

That is most likely the Corporate version of Symantec AV, which is *far* better than the desktop version that most people usually purchase. The corp version just sits in the tray until something comes along that might need some attention.

Re:What problem?
(Score:5, Informative)

by spectre_240sx (720999) on Saturday February 11, @08:19PM (#14697151)

Well that's not surprising considering NAV runs at least 14 processes. I think it might be 15 including that glorified advertisement they call Norton Protection Center.

We're still selling it at the shop that I work at. I'm not sure why... We recommend AVG Free for most people, but for business users we sell NAV.

Re:What do you really expect it to do?
(Score:5, Funny)

by slashname3 (739398) on Saturday February 11, @10:22PM (#14697747)

Just because these products must use continuous system resources doesn't mean they need all of them. That would kind of defeat the purpose of having a computer.

But the purpose of having a computer is to run anti virus software, spy ware detectors, and firewalls. Between running those tools and updating the system there is not much time or resources for anything else.

Discussion Link
(Score:5, Informative)

by Mz6 (741941) * on Saturday February 11, @06:36PM (#14696653)

Here's a link to the actual discussion. Looks like this has been corrected with the latest definitions.

But what if
(Score:4, Informative)

by ImaLamer (260199) on Saturday February 11, @06:37PM (#14696660)

Microsoft knows something we don't?

Norton/Symantec hasn't always been nice (are they now?) - remember when Norton Utilities couldn't be removed on DOS installations? The only option was to totally format the drive and start over. I know people who won't even try Norton/Symantec products after all of those years because of these types of problems.

But it's not really a beta...
(Score:5, Informative)

by vudufixit (581911) on Saturday February 11, @07:35PM (#14696950)

This was a full product called Giant Anti-spyware that MS acquired. "Beta" is their term.

75% of my private client calls involve removing malware, and the MS product is a champ at this task.

MS antispyware gives you a summary screen that breaks down each item it found, assigns it a perceived threat rating, and gives you the choice to "Remove, Ignore, Quarantine."

So, anyone watching with any degree of care should notice that Norton was one of the choices and simply select the "ignore" option.

Personally, I haven't seen this happen myself.

I agree with many other posters that Norton isn't that great of a product. I've noticed their firewall suddenly, without provocation, start blocking all websites.

I've also noticed their antivirus turn itself off for no reason, never to be turned on again. Reinstalling is often interesting, since even the least little trace of the product prevents an install/reinstall, but it almost never uninstalls cleanly.

[Jan 25, 2006] Netscape 8.1 takes aim at spyware Tech News on ZDNet Netscape 8.1 adds protection against online scams such as spyware and phishing.

Netscape 8.1 offers built-in spyware and adware protection that scans files that Web users try to download as well as those that are sent to them without their interaction, according to a representative for Netscape, a division of Time Warner's America Online subsidiary. The updated browser will also let consumers run complete memory and disk scans.

Other security features include an updated blacklist of potential phishing sites and a security center people can access to see if they need to take action on their computer.

Netscape's move to increase security features comes as malicious attackers are increasingly targeting browser flaws, including vulnerabilities found last spring in Netscape's browser.

The latest version of the browser also offers updates designed to enhance its RSS (Really Simple Syndication) support. RSS feeds, for example, can be viewed within the browser rather than requiring a separate viewer.

In addition, a new profile manager is designed to let multiple Web users share the same browser but maintain different bookmarks, passwords and other customizations.

[Jan 12, 2006] Symantec, Kaspersky criticized for cloaking software - Computerworld "rootkit" cloaking techniques found in Symantec Corp. and Kaspersky Lab products

The Windows operating system expert who exposed Sony BMG Music Entertainment's use of "rootkit" cloaking techniques last year is now criticizing security vendors Symantec Corp. and Kaspersky Lab Ltd. for shipping software that works in a similar manner.

Mark Russinovich, chief software architect with systems software company Winternals Software LP, says that the techniques used by Symantec's Norton SystemWorks and Kaspersky's Anti-Virus products are rootkits, a term usually reserved for the techniques used by malicious software to avoid detection on an infected PC. There is "no good justification," for the use of such techniques, Russinovich said. "If the vendor believes that the implementation of their software requires a rootkit then I think they need to go back and re-architect it."

Both Symantec and Kaspersky concede that they have shipped software that hides information from system tools, but they told IDG News Service that they disagreed with Russinovich's use of the term rootkit, saying that because their software was not designed with malicious intent, it should not be lumped into the same category.

Still, both companies appeared sensitive to Russinovich's criticism.

Symantec on Tuesday issued a patch to SystemWorks that disabled the cloaking feature. On Thursday, a representative from Kaspersky said that it was possible that his company could take similar action. "I don't know whether we've got a plan to do that, but that's obviously one thing that we could do here," said David Emm, a senior technology consultant with Kaspersky.

Unlike Sony's XCP (Extended Copy Protection) software, the Symantec and Kaspersky products do not cloak the fact that certain pieces of software are running on the computer. Instead, they hide data

... ... ...

Kaspersky's use of cloaking software is more recent. With version 5 of its Kaspersky Anti-Virus software, first released about a year ago, the company used cloaking techniques to hide "checksum" information that the software used to determine which files on the computer it had or had not scanned.

... ... ...

While Russinovich agreed that the Symantec and Kaspersky cloaking techniques are not as dangerous as Sony's, which was ultimately exploited by virus writers, he said that all three vendors were engaging in a practice that was bad for users and IT professionals. "You don't want IT not knowing what's on the systems," he said. "Not being able to go to the system to do software inventory and disk space inventory, that's just not a good idea."

[Jan 3, 2006] Windows Metafile vulnerability - Wikipedia, the free encyclopedia

A new Windows Metafile (WMF) vulnerability potentially affects most versions of Windows (including 2000 and XP), and could theoretically be exploited to install arbitrary programs on the system by tricking a user into viewing a maliciously formatted Metafile image on computers where shimgvw.dll is registered (see below for how to temporarily disable it until the patch is available).

This is not an automatically self-propagating vulnerability; therefore, even on unpatched PCs it potentially affects only naive users (children, senior people), very gullible users, or users inclined to visit "grey" or "black" Internet sites or to respond to unsolicited e-mail advertising.

Due to those mitigating factors Microsoft Corp. said today that it does not plan to release a fix for the Windows Metafile (WMF) flaw until Jan. 10, when a patch will be included as part of the company's scheduled monthly updates for January.

Microsoft has completed development of a patch for the flaw and is now testing it for quality and application compatibility, the company said in an advisory updating an earlier advisory released last week. The update will be available at Microsoft's Download Center. "Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement," the company said in its statement. "Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the attacks are not widespread."

This attack targets a flaw in the way Windows handles files in the WMF format. For example, one such attack arrives in an e-mail message titled "happy new year," bearing a malicious file attachment called "HappyNewYear.jpg" that is really a disguised WMF file.

To protect yourself (especially important for home users, who are not protected by a mail gateway and corporate firewall), you can execute the following command on the command line (or via the Start -> Run menu):

Windows 2000: regsvr32 -u C:\WinNT\system32\shimgvw.dll

Windows XP: regsvr32 -u C:\Windows\system32\shimgvw.dll

In case this leads to problems with applications (very unlikely), you can register the DLL again using the command:

Windows 2000: regsvr32 C:\WinNT\system32\shimgvw.dll

Windows XP: regsvr32 C:\Windows\system32\shimgvw.dll

Please note that attacks can come in attachments with files that have any extension. For example, any graphic extension can be used: one reported attack used a JPEG extension (.jpg). Even though the file has an extension classifying it as a JPEG file, Windows recognizes that the content is actually a WMF and attempts to execute the code it contains.
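Because the extension is not trusted by Windows, a filter should not trust it either. The following added example (not from the page and not any Microsoft tool) shows the content-sniffing check a mail gateway or desktop attachment scanner could apply: it identifies the file by its leading bytes and quarantines WMF content whatever the name says, and flags any other declared/actual mismatch. The magic values are the public WMF signatures (placeable header key 0x9AC6CDD7 and the standard header's FileType/HeaderSize fields) and the JPEG/PNG/GIF signatures; the sample byte strings are constructed headers only, not exploit files.

```python
"""Extension-versus-content check for image attachments (added example)."""
import struct

# Placeable (Aldus) WMF files begin with this 32-bit little-endian key.
PLACEABLE_WMF_KEY = 0x9AC6CDD7

# Declared-extension to content-type map used for mismatch detection.
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png",
               "gif": "gif", "wmf": "wmf"}

# Constructed sample headers (not real files): just enough bytes to sniff.
SAMPLE_WMF_PLACEABLE = struct.pack("<I", PLACEABLE_WMF_KEY) + b"\x00" * 18
SAMPLE_WMF_STANDARD = b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 12
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8


def sniff_image_type(data):
    """Return 'jpeg', 'png', 'gif', 'wmf' or 'unknown' from the leading bytes."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if len(data) >= 4:
        # Placeable WMF: 4-byte key.
        if struct.unpack("<I", data[:4])[0] == PLACEABLE_WMF_KEY:
            return "wmf"
        # Standard WMF header: FileType 1 (memory) or 2 (disk), HeaderSize 9.
        file_type, header_size = struct.unpack("<HH", data[:4])
        if file_type in (1, 2) and header_size == 9:
            return "wmf"
    return "unknown"


def check_attachment(filename, data):
    """Decide what to do with an attachment: 'quarantine', 'flag' or 'pass'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXT_TO_TYPE.get(ext)          # None for non-image extensions
    actual = sniff_image_type(data)
    if actual == "wmf":
        # While systems are unpatched, WMF content is blocked regardless of name.
        action = "quarantine"
    elif declared is not None and actual != "unknown" and actual != declared:
        # Some other extension/content disagreement: worth a closer look.
        action = "flag"
    else:
        action = "pass"
    return {"filename": filename, "declared": declared,
            "actual": actual, "action": action}


if __name__ == "__main__":
    for name, blob in (("HappyNewYear.jpg", SAMPLE_WMF_PLACEABLE),
                       ("chart.wmf", SAMPLE_WMF_STANDARD),
                       ("photo.jpg", SAMPLE_JPEG),
                       ("photo.png", SAMPLE_JPEG)):
        print(check_attachment(name, blob))
```

The point of the check is that the decision is made on what the bytes are, which is also what the vulnerable image viewer acts on; a policy keyed on file names alone would pass the "HappyNewYear.jpg" sample straight through.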

Microsoft stresses that to exploit a WMF vulnerability by e-mail, "customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability."

We hope that there will be few such BASF users in view of recent training that everybody got with spam and fake financial letters.

Still, please be careful, as in this case following links is as dangerous as clicking on the attachment. For example, merely viewing a folder listing on a file site with Internet Explorer can trigger the payload: the attacker can place malicious icon files there, and they will be "executed" when you open the link.

The usual payload associated with this exploit is spyware. The file with a working exploit that was reportedly already in the wild today was called "HappyNewYear.jpg". It attempts to download the Bifrose back door, researchers said.

General Recommendations

Until the patch is applied to all systems, please be especially vigilant with e-mails that contain attachments or that try to persuade you to follow an HTML link.

Recommended Links

Microsoft Security Advisory (912840) Published: December 28, 2005 | Updated: January 3, 2006

On Tuesday, December 27, 2005, Microsoft became aware of public reports of malicious attacks on some customers involving a previously unknown security vulnerability in the Windows Meta File (WMF) code area in the Windows platform.

Upon learning of the attacks, Microsoft mobilized under its Software Security Incident Response Process (SSIRP) to analyze the attack, assess its scope, define an engineering plan, and determine the appropriate guidance for customers, as well as to engage with anti-virus partners and law enforcement.

Microsoft confirmed the technical details of the attack on December 28, 2005 and immediately began developing a security update for the WMF vulnerability on an expedited track.

Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft's Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows' Automatic Updates feature will be delivered the fix automatically.

Based on strong customer feedback, all Microsoft's security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time.

Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks is not widespread.
