Trend Micro Concerned at Microsoft’s Release of AV Scan Whitelist
In October Microsoft released a Knowledge Base entry describing which files on a Windows system were not necessary to scan with anti-virus products. These files are not at risk of infection and scanning them can lead to performance problems because the files are frequently locked. Some files, like group policy files, may be inappropriately flagged as being changed, leading to excessive replication in Active Directory.
Trend Micro agrees with the advice not to scan certain files, but they are concerned that the list was released publicly. Uneducated users could take the advice too far, and attackers could use the file and folder names to help conceal malicious files.
Trend’s advice seems mushy to me; exactly what you are supposed to do, other than to understand the subject thoroughly, is unclear. And Microsoft could not keep such information secret and still have it useful.
The MS advice is years old - 2007 - and only meant for Windows 2000, XP and Server 2003. When you use these systems, security is not your first priority. And the advice says that you should not exclude files on the basis of extensions.
These locations are normally not accessible with write rights. If you could write there, the system has been compromised anyway and malware is already active on that specific OS.
Exclusion can be necessary for admins and there are better attack points to be found.
Anyway, good information to know.
This article contains recommendations that may help you protect a computer that is running Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Microsoft Windows 2000, Windows XP, Windows Vista, or Windows 7 from viruses. This article also contains information to help you minimize the effect of antivirus software on system and network performance.
[b]Article ID: 822158 - Last Review: October 16, 2009 - Revision: 12.1[/b]
so why:
The MS advice is years old - 2007 and only meant for Windows 2000, XP and Server 2003
That was a comment on the MS policy, for this had not changed since 2007… the whole issue was not generally known outside IT circles and is another proof of what is generally known as the policy of “security through obscurity”, something that is inherent to keeping closed software closed.
Vista and W7 were added later - the policy was meant to save time for admins and also be beneficial for MS…
In this light, also see the dll help index of MS being taken off as of Feb. 2010. Questions, questions for developers, etc.
But this has always been there, also in history. In the days of Julius Caesar every courier had part of the password, so roasting their feet by Celts or members of Germanic tribes did not help much to reveal all of it. But when what is obscure becomes public, it is no longer secure; that also works the other way round: what has been public is not secure for miscreants either. Some even go further and predict that in the coming two years XP SP3 will become the malware ghetto OS for those that haven’t made the switch to W7: http://www.f-secure.com/weblog/archives/00001835.html *news taken from the F-Secure horrorscope for 2010. But the same has been said about W7: http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/trend_micro_2010_future_threat_report_final.pdf
Just some accompanying thoughts I give you here to consider, to be able to see the wider picture, my friend.
Another example from the past, for XP and Vista: obscure silent DLL patching, the Google Chrome way - Re: http://www.hacking-101.com/?p=6
Microsoft responded stating that the update is a consumer only release that addresses specific issues found after the previous release of Windows Updates. Even so, Microsoft has yet to disclose what these issues are that the patches addressed.
Vista Files Updated:
wuapi.dll
wuapp.exe
wuauclt.exe
wuaueng.dll
wucltux.dll
wudriver.dll
wups.dll
wups2.dll
wuwebv.dll
Windows XP Files Updated:
cdm.dll
wuapi.dll
wuauclt.exe
wuaucpl.cpl
wuaueng.dll
wucltui.dll
wups.dll
wups2.dll
wuweb.dll
It’s important that we note that there’s nothing harmful about the updated files. There have been no reports of roll-backs being required or issues after the update was installed. The real issue isn’t whether the patch was necessary but how Microsoft was handling that patching, without user authorization or consent.
“[b]Windows Update Software 7.0.6000.381 is an update to Windows Update itself[/b]. It is an update for both Windows XP and Windows Vista. Unless the update is installed, Windows Update won’t work, at least in terms of searching for further updates. Normal use of Windows Update, in other words, is blocked until this update is installed.”
In this case a silent install, without the user’s approval and consent, seems normal.
But anyway, I agree with the Trend Micro blog poster: no system folder should be excluded from AV scanning, as malicious stuff could take the opportunity to slip in.
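The thread's recurring point is that an exclusion is only safe while the excluded location cannot be written to by ordinary users. As an added example, not from the thread, the KB article or any vendor, this PowerShell check lists the path exclusions configured in Windows Defender and flags any that a low-privilege principal can write to; it assumes an elevated session with the Defender module (Get-MpPreference) available, and the principal list and the rights mask are assumptions you may widen for your environment.

```powershell
# Added example, not from the thread. Assumes Windows Defender with the
# Defender PowerShell module (Get-MpPreference) and an elevated session.
# Lists each configured path exclusion and reports whether a low-privilege
# principal holds an Allow ACE with write rights on it. Deny ACEs and
# inheritance are not weighed; treat the output as a triage list.

# Assumed set of "low-privilege" principals to look for in the ACL.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone'
)
# Any of these rights lets a principal drop or alter files in the folder.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    # Wildcard or environment-variable exclusions are not expanded here;
    # they come back as $null so the caller can report them separately.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-ExclusionReport {
    # ExclusionPath is $null when no path exclusions are configured.
    $paths = (Get-MpPreference).ExclusionPath
    foreach ($p in $paths) {
        $writable = Test-LowPrivWritable -Path $p
        if ($null -eq $writable) { $state = 'path not found (wildcard or missing)' }
        elseif ($writable)       { $state = 'WRITABLE by low-privilege users' }
        else                     { $state = 'not writable by low-privilege users' }
        [pscustomobject]@{ Exclusion = $p; State = $state }
    }
}

Get-ExclusionReport | Format-Table -AutoSize
```

Rows marked WRITABLE are the exclusions worth removing or tightening, since they are the folders in which a scan exclusion actually buys an attacker something.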