Microsoft accused of helping virus writers

Security

By Barry Collins

Posted on 22 Dec 2009 at 08:09

Security firm Trend Micro has accused Microsoft of giving malware writers a helping hand by advising users not to scan certain files on their PC.

In an article published on Microsoft's Support site, the company claims it is safe to exclude certain file types from virus scans because "they are not at risk of infection". Microsoft claims ignoring these files will help improve scanning performance and avoid unnecessary conflicts.

However, Trend Micro warns that by making such information available, Microsoft is effectively creating a hit list for malware writers. "Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one," the company's researcher, David Sancho, writes on the Trend Micro blog.

"Cybercriminals may strategically drop or download a malicious file into one of the folders that are recommended to be excluded from scanning or use a file name extension that is also in the excluded list."

"We find it sensible for users to aim for better system performance. However, we also think that excluding certain file types or folders from antivirus scanning is not something novice users should tinker with.

"Doing so may expose the system to risks that can lead to an inconvenience far more severe than a slightly slower system."

In a statement, Microsoft appears to concede the information may be outdated. "Microsoft has been made aware of a blog post by a security vendor regarding our recommendations that may help users protect a computer that is running Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Microsoft Windows 2000, Windows XP, Windows Vista, or Windows 7 from viruses.

"To clarify, our recommendations contain information to help users minimise the effect of antivirus software on system and network performance. Although updated for recent product launches, the article in question was created in 2003 and is in the process of being reviewed. Further updates will take place if needed based on that review to reflect protection best practices in addition to performance."

User comments

Three letters, Trend Micro...

IDD

By Genesis on 22 Dec 2009

Just called Sophos, who provide our anti-virus software, and they agree with MS and think it's a good idea.

By mlw321 on 22 Dec 2009

Too much security...

I recently installed AVG and during the installation was a screen saying "only 3% of problems are caused by traditional viruses" so yeah I too agree with Microsoft on this! You've got to draw a line at the point where virus software uses more system resources than a virus!

In fact I can't even remember the last time I had a virus, maybe 3 years ago. I get cookies and spyware which are annoying but 95% of it causes no real damage.

By anthonysjones on 22 Dec 2009

who said exclude folders

Microsoft didn't say anything about excluding folders, they said file types. Trend Micro added the excluding folders.

And yes, I do agree with too much security. I repair computers and the first thing I do when I get one in is remove the bloated Norton Security software and use the free Trend Micro virus checker.

By pickledham on 22 Dec 2009

From the original article, it would appear that the main reason to exclude some file types (no folders) is to reduce the possibility of conflicts.
Personally, I think it's a sensible compromise, and Trend, as with other AV vendors, aren't exactly independent assessors.

Colin

By Ex_Sailor on 22 Dec 2009

If virus writers know which folders are on the exclude list (thanks to M$ recommended folders) - they will no doubt take advantage and drop a bomb in that folder

By nicomo on 22 Dec 2009

Real time scanning and file exclusions

I have a comment concerning file extension exclusions for realtime scanning.

(Please note that I advocate no exclusions at all for off-line scanning such as manual or scheduled scans. In these cases performance is not as much of an issue as with realtime scanning.)

As of today, files with a .log extension are not executable under Windows and I don't see that changing very soon. As such .log files pose no direct threat to the security of any Windows computer.

An interesting experiment would be to create a Windows shortcut to an executable file and call it 'tst.log'. See if you can manage to execute the original executable file by means of 'tst.log' alone.

If these files were to be used as payload containers for illicit code, they would still need a loader/executer/interpreter to be effective. This loader/executer/interpreter would necessarily be contained in an executable file which can and will be inspected by any anti-virus software.

Hence there is no actual benefit for the malware writer to use .log files as payload containers unless he would endeavour to create a loader/executer/interpreter that would be too generic to be detected by explicit virus definitions and not generic enough to be detected by heuristic rules. I consider it highly unlikely that such software could successfully be made and escape detection from all realtime scanners.

Therefore I would indeed recommend to exclude any .log files from realtime scanning. In fact I would advocate to add exclusions for many more extensions: .txt, .cpp, .obj, .bmp and .cfg to name but a few.

The main benefit is of course reclaiming the lost performance due to realtime scanning of files for which realtime scanning offers no security benefits.

Regards and season's greetings,
Erik Cumps

By ErikCumps on 23 Dec 2009
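The exclusion behaviour debated in the article (Trend Micro's point that an attacker chooses both the file name and the folder) and in the comment above (whether a non-executable extension such as .log is safe to skip) can be made concrete with a small model of a scanner's exclusion logic. The code below is an added example, not code from PC Pro, Microsoft, Trend Micro or the commenter. The exclusion policy it uses is hypothetical: the extensions are the ones the commenter lists, the excluded folder `C:\Windows\Logs` is assumed for illustration, and it is not Microsoft's actual KB list. All sample paths and file bytes are constructed. The example also goes one step beyond the article's scenario and shows a common implementation bug in folder exclusions, where matching the raw path string instead of the canonical path lets a `..` segment pull files outside the excluded folder under the exclusion.

```python
"""
Added illustration (not code from the article, Microsoft or any commenter):
models how a real-time scanner applies exclusion rules and why rules keyed
on file extension or folder leave the decision in the attacker's hands,
while a content check does not care what the file is called or where it
sits. The exclusion list is hypothetical: extensions from the commenter's
post plus one assumed folder. Sample paths and bytes are constructed.
"""
import ntpath

# Hypothetical policy (assumption for the example), not Microsoft's KB list.
EXCLUDED_EXTENSIONS = frozenset({".log", ".txt", ".cpp", ".obj", ".bmp", ".cfg"})
EXCLUDED_FOLDERS = (r"C:\Windows\Logs",)


def _canon(path: str) -> str:
    """Canonical Windows form: '..' collapsed, separators unified, case folded."""
    return ntpath.normcase(ntpath.normpath(path))


def is_excluded(path: str, exts=EXCLUDED_EXTENSIONS, folders=EXCLUDED_FOLDERS) -> bool:
    """Exclusion decision made from the name alone.

    Both inputs (extension and location) are chosen by whoever writes the
    file, which is exactly the point Trend Micro raises.
    """
    if ntpath.splitext(path)[1].lower() in exts:
        return True
    canon = _canon(path)
    return any(canon.startswith(_canon(f) + "\\") for f in folders)


def is_excluded_naive(path: str, folders=EXCLUDED_FOLDERS) -> bool:
    """Folder match on the raw string: a common implementation bug.

    C:\\Windows\\Logs\\..\\System32\\x.exe matches the excluded prefix
    textually but resolves outside the folder, so this version skips a
    file it should scan.
    """
    raw = path.lower()
    return any(raw.startswith(f.lower() + "\\") for f in folders)


def looks_like_pe(data: bytes) -> bool:
    """Content check: DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_fake_pe() -> bytes:
    """Constructed bytes carrying valid MZ/PE markers only (not a runnable program)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)          # 64-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


def scan_verdict(path: str, data: bytes) -> tuple:
    """(what the name-based policy does, what a content check says)."""
    by_name = "skipped" if is_excluded(path) else "scanned"
    by_content = "executable" if looks_like_pe(data) else "data"
    return by_name, by_content


if __name__ == "__main__":
    cases = [
        (r"C:\Users\bob\report.log", b"2009-12-22 08:09 service started\n"),
        (r"C:\Users\bob\payload.log", build_fake_pe()),     # PE renamed to .log
        (r"C:\Windows\Logs\dropper.exe", build_fake_pe()),  # dropped in excluded folder
    ]
    for p, d in cases:
        print(f"{p}: policy={scan_verdict(p, d)[0]}, content={scan_verdict(p, d)[1]}")
    trav = r"C:\Windows\Logs\..\System32\dropper.exe"
    print(f"{trav}: naive={is_excluded_naive(trav)}, canonical={is_excluded(trav)}")
```

The three constructed cases show the gap the article is about: a PE image renamed to `payload.log` and a dropper written into the excluded folder are both skipped by the name-based policy even though a four-byte content check identifies them as executables. Whether such a file can then be run without a separately scanned loader is the question the commenter raises; the model only shows that the exclusion itself is driven by attacker-controlled inputs. The trailing backslash in the folder match matters: without it, `C:\Windows\Logs2\...` would also be excluded.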

Sorry for the double-post. Browser's back button mishap!

By ErikCumps on 23 Dec 2009

@nicomo

Did you not see the post from pickledham?

By greemble on 23 Dec 2009

@pickledham

If I had £1 for every time I heard somebody describe Norton security software as bloatware, I would be a rich guy!


Symantec has made huge improvements to its software from its 2008 version onwards.

Take a look at the A List; Symantec Internet Security 2010 won the labs test in the March 2010 issue (issue 185).

I urge people to check their facts before calling software “bloatware” when this issue was corrected years ago.

By Jimbo762 on 7 Feb 2010

PCPro-Computing in the Real World Printed from www.pcpro.co.uk