MSE?

Discussion in 'other anti-virus software' started by russland, Mar 29, 2012.

Thread Status:
Not open for further replies.
  1. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Does this include the millions of users who just run a vanilla IE9? Because it's supposed to be pretty safe these days.

    Is this really true? Or just some egregious hyperbole?

    I'm starting to wonder if this is really that much of a problem. If Microsoft 'harden MSE against termination' & bloat it considerably in the process I would probably look for a lighter AV anyway.

    I am sure MS would be aware if MSE had such a huge design fault & would then deem it necessary to bloat its AV with termination hardening. Yet they have not. Maybe they don't believe it to be the problem many are spouting much hot air about.
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What does IE9 have to do with MSE having self-protection? o_O Are you considering IE9 the only threat gate? Even if that's the case, then we'd still have a problem with it - It won't run on Windows XP. Not to mention there's no MIC in Windows XP, which means no Protected Mode.

    I'm actually wondering how many of the millions of Windows XP users are actually using a non-administrator account. Doing daily tasks in Windows XP, under a limited user account is simply a pain in the arse. I actually remember one of my relatives couldn't use his 3G modem, and simply because the program of the device was developed to have full permissions to Program Files, where configuration was stored. (Let's forget about things like SuRun.)

    So... if MSE has no self-protection, and users run as full administrators in Windows XP... I'd hate to be one of such users.

    Is it true? If you really want to know the answer, try it yourself. lol I'm just questioning it. On one hand, there's no self-protection. On the other hand, millions of Windows users probably have no freaking clue whether or not their antimalware application (including MSE) is running or not.

    Maybe a couple years ago, I had a relative running another antimalware application entirely disabled. Someone (computer shop, most likely) installed a trial version and then it ran out. o_O The system was simply and massively infected. :argh:

    So, again... I'd hate to be the one suffering from such. :ouch:

You believe antimalware apps shouldn't be hardened against termination? If that's the case, then I'm afraid ZeroAccess would still be able to kill something like HitmanPro, for example. They had to harden HitmanPro, otherwise ZeroAccess would always force HMP to kill itself and prevent its execution. This one is just an example. More antimalware apps were killed. Maybe even MSE, I don't remember. But, considering it doesn't have self-protection (judging by what I've been reading at this forum, in the past and present), I have to wonder if it stood its ground.

    So, having self-protection, to prevent even a mediocre programmer from coding something to kill MSE, is bloating it? :doubt:

    This is from a BitDefender article: -http://www.malwarecity.com/blog/how-to-remove-zeroaccess-rootkitsirefef-from-your-pc-as-easy-as-1-2-3-1160.html

    As I said, from what I've been learning here, MSE has no self-protection. So, can it stand against ZeroAccess? Or, can ZeroAccess (still) kill it?
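The post above makes the point that many users would never notice a silently stopped antimalware engine. The following is an added example, not from the thread or from Microsoft: a small PowerShell health check a defender could schedule to report whether Microsoft Security Essentials is actually up. It assumes the MSE service name `MsMpSvc` and engine process name `MsMpEng` (the names MSE used at the time), and an optional event-log source `MseHealthCheck` that the administrator registers once; the Security Center query only works on Vista and later, since XP has no `root\SecurityCenter2` namespace.

```powershell
# Added example (not from the thread): report whether the MSE service and
# engine process are running, and warn loudly if they are not.
# Assumed names: service 'MsMpSvc', process 'MsMpEng', event source 'MseHealthCheck'.

function Get-MseHealth {
    [CmdletBinding()]
    param(
        [string]$ServiceName = 'MsMpSvc',   # assumed MSE service name
        [string]$ProcessName = 'MsMpEng'    # assumed MSE engine process name
    )

    $svc  = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue

    # Security Center view of registered AV products (Vista+ only; absent on XP).
    $sc = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
            -ErrorAction SilentlyContinue | Select-Object -ExpandProperty displayName

    [pscustomobject]@{
        Timestamp        = Get-Date
        ServiceFound     = [bool]$svc
        ServiceStatus    = if ($svc) { $svc.Status.ToString() } else { 'Missing' }
        EngineRunning    = [bool]$proc
        RegisteredAV     = if ($sc) { $sc -join ', ' } else { 'n/a' }
        # Healthy only when the service exists, is Running, and the engine process is alive.
        Healthy          = [bool]($svc -and $svc.Status -eq 'Running' -and $proc)
    }
}

function Test-MseHealth {
    [CmdletBinding()]
    param([string]$EventSource = 'MseHealthCheck')  # assumed, registered once via New-EventLog

    $h = Get-MseHealth
    if (-not $h.Healthy) {
        $msg = 'Antimalware not healthy: service={0}, engine running={1}' -f $h.ServiceStatus, $h.EngineRunning
        Write-Warning $msg
        # Only write to the Application log if the source was registered beforehand
        # (New-EventLog -LogName Application -Source MseHealthCheck, run as administrator).
        if ([System.Diagnostics.EventLog]::SourceExists($EventSource)) {
            Write-EventLog -LogName Application -Source $EventSource -EntryType Warning -EventId 1001 -Message $msg
        }
    }
    return $h
}

# Usage: run interactively or from a scheduled task.
Test-MseHealth | Format-List
```

Running this from a scheduled task every few minutes gives the user the "WTF, where did my AV go?" signal the thread talks about, without relying on the AV's own tray icon; an event-log entry also leaves a timestamped record of when the engine disappeared, which helps later when reconstructing an incident.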
     
  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    If some malware is able to get past its realtime detection and is able to execute then what good is self defence? Much better to leave the AV running leaving the user oblivious to intrusion.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Actually, the point is that even if they do detect it, when they scan the file they are killed, as the ZeroAccess rootkit documentation shows.

So, I can also ask the following: What's the point of detecting, if the piece of malware could just kill them, just by scanning it?

    Which is why security vendors, such as SurfRight, hardened HitmanPro and their security tools, so that when they scan it, it won't be able to kill them.
     
  5. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Your first point is exactly how I've *always* felt about self-defense. Especially considering the first thing you do after it gets past your AV isn't to sit around, wait and hope that it gets updated, then cleans the infection. The first thing you do is download a program like MBAM and remove it.

    Are you sure you read that properly? I'm having a hard time imagining how it would be logically possible for a program to execute code without actually BEING executed. I think you're confusing yourself with what happens AFTER the rootkit is installed and how the rootkit protects itself. We're talking about the file being detected as it was downloaded, before execution.
     
  6. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
If it can detect then it can terminate it before it kills it. Again, if malware executes and happily attacks then who cares if the security app is still running when that is all that it is doing?
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Unless you're stating that this is wrong:

    Source: -http://www.malwarecity.com/blog/how-to-remove-zeroaccess-rootkitsirefef-from-your-pc-as-easy-as-1-2-3-1160.html

    So, it creates a harmless file, that when scanned, will force antimalware apps to kill themselves.

    Are you saying this isn't accurate? If you are...

    -edit-

    I'm saying that if, even if at a later point the antimalware can detect it, the rootkit would kill the antimalware apps. Which is why I'm asking what's the point of detecting, if they can easily be killed?
     
  8. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    What's "it"? A malicious file/dropper, which can be detected before it even creates a tripwire.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK. Imagine the following.

    Right now, your system is infected. You don't know it. Your AV doesn't know it either - it never had malware definitions to detect such.

    Tomorrow, your AV supplier adds detections for that piece of malware. But, when your AV scans the harmless file (in ZeroAccess's case), then the rootkit will kill it.

    So, what's the point of having malware definitions to detect it, if when scanning this harmless file, the rootkit can kill the AV? o_O

Which is why I don't put any faith in AVs.
     
  10. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
It's not wrong, you're reading it wrong. That's what happens after the malware has installed on the machine. We're talking about detecting the malware executable before it even does that, otherwise, the AV has failed and no self protection matters.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I never said it was before it got a chance to be installed. But, how can you say that self-protection doesn't matter? The reality is that now, despite being able to detect it, it can't do a damn thing about it. Not even alert the user, considering the rootkit kills it. Most likely, it would also be possible to hide any messages from Windows saying the AV was disabled. (I'm just wondering if such messages can be hidden... I'd imagine they can?)

    They're 100% worthless. 100% worthless because they won't always detect most of the infections. 100% worthless because they can be easily killed, and then not even alert the user that an infection is present.

    So, useless. No good. In my book, anyway. I don't consider something that can be easily killed, and not alert the user for an infection, a great security measure.

    -edit-

    I'm not necessarily talking about MSE. I'm talking about any AV.
     
  12. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    No offense m00n, but if you read my original post, it explains clearly how I think self-protection doesn't matter, and what the average user does after they get infected.

    It also explains that me and Cudni were talking explicitly about preventing malware before it runs.

To summarize, I feel that AV is worthless as anything other than a backup prevention wall. No one ever relies on their current AV after infection, whether it's still running or not. In fact I'd be willing to bet the first thing average joe does after cleaning an infection is swap to a different AV under the notion that the current one failed them - human nature. What good does self protection do then?
     
  13. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
The moment it executes then what it can do is only limited by the malware coder's knowledge. The bottom line is that AV failed the moment its detection fails. It is irrelevant that it is still running thanks to its self defence awaiting the latest detection to then remove the malware it missed. The damage has been done.
     
  14. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    My thoughts exactly! I wish I could explain things like this!
     
  15. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I was assuming that most people running Windows were running IE9, maybe that was a bad assumption IDK, either way, most malware has to get past the browser first right?

    Hence why UAC was invented. If I were running XP I would have a battery of antimalware solutions, as well as MSE.

    Yes, but by your own admission this could happen to any AV. So your point is a bit moot.

    Well, I deny the rather obvious straw man of "You believe antimalware apps shouldn't be hardened against termination?" of course, but MS have taken precautions against this form of termination & how do I know that it isn't as effective as any other form?

    I'm sure MS know what they're talking about in this respect. As I said, any bloatier & I would be looking for something else on my notebook.

    I'm beginning to believe that this is essentially a non-issue.
     
  16. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Yeah, I'm with funky on this, this sounds about right. Like I thought, all this convected warm air about MSE not having a self-defence module is a tad irrelevant.
     
  17. IceCube1010

    IceCube1010 Registered Member

    Joined:
    Apr 26, 2008
    Posts:
    963
    Location:
    Earth
This was the reason why I took off MSE. I actually liked it and thought it ran great on my pc. However, 2 separate pc's that I know of, which had MSE installed, got hosed by some kind of ransomware pgm. Two different pc's, vista 32 and win7 32. Both had UAC off. When I looked at their pc's, MSE was nowhere to be found. I had to restart in safe mode and run MBAM on one to remove the infection and SS on the other to remove its infection. When windows came back up, MSE was there! The ransomware actually paused or stopped MSE from working correctly.

    I believe had UAC been turned on this would have been avoided but it scared me enough to put on another AV. I still think MSE is a good AV and could only get better.

    Ice
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I see...

So, there isn't any difference between, let's say, being part of a botnet for a day or being part of it, for as long as the botnet lasts?

    I'd take the 1 day over the 1 year, for example. But, that's just me. Now, if you really believe that it doesn't make a difference... Well... lol

It's like having an illness. Sometimes your body will protect itself, sometimes it won't. The damage is done, but wouldn't you still want to know about the damage, rather than let the damage continue its work until you eventually die? lol Or, just because you know you'll die, it's useless to fight, say cancer? We're fighting cancer after the damage is done... so... I suppose it's useless to fight it... because the damage is done? o_O

    -edit-

    At least with computers, if you still get to know about the infection... you can "resurrect" the computer. A nice thing, no?
     
  19. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Yet once again you hit it right on my friend! +1000

    MSE must be hardened.

    And as for ZeroAccess vulnerability, it must be vulnerable, because MS does not believe in self-protection other than LUA and file permissions. When you combine their epic lack of self-protection with the fact that they are going to be the most popular AV in the world being included in Windows 8, you have an antivirus monoculture disaster waiting to happen! :(
     
  20. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Too bad you just missed a $6.99 5-PC Webroot SecureAnywhere license. Pretty much the lightest AV/suite and has great self-protection. Serves as definite proof self-protection can be achieved without "bloat".
     
  21. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    I'm glad ;) Of course the fact that malware is technically capable of circumventing self defence is neither here nor there.
     
  22. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Jeez, that's under a fiver (£4.40p). I'm never that lucky. I guess I'll carry on with the unhardened MSE. I have MBAM as well. ;)
     
  23. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I think with this point you're referring to the fact that the user doesn't know they are infected. Right?

    What do you think would be better to get their attention to that. Their AV icon disappearing completely, thus making them wonder "WTF", or their AV icon sitting there like normal arousing no suspicion whatsoever on the off chance that it *might* get the update and *might* be able to fully clean it (something which nearly all AVs fail at and nearly always takes a specialized cleaning tool).
     
  24. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    This is the essential question - what exactly happens when AV and malware come into contact? It is possible for AV to detect malware but be unable to remove it. It is equally possible for malware to be active on a system but be unable to kill the AV. It is far better for the AV to remain functional. I saw exactly this situation a year or two ago where Norton detected one of the TDSS rootkits - it kept flagging it but couldn't remove it. That's a lot better than being killed by it. The active warning made it easy for me to remove the rootkit with a different tool. Even while the system was infected with TDSS the Norton software was actively protecting it against other malware. Personally I prefer an AV that can protect itself and continue to at least partially function to no AV at all. The game is not completely over once a particular malware infects the system.
     
  25. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    Whether the game is over really depends on malware if it is allowed to execute.
     