30 Jan 2018 @ 9:02 PM 

Software and computer security has always been a rather important topic. As our systems become more interdependent and connected, and we expose ourselves and our important information more and more, it is becoming even more important. Operating System and Software updates are issued to address security problems, and these security problems are given the utmost importance as users are urged to install them as soon as possible. Many Operating Systems, such as Windows 10, disable or restrict the ability to prevent updates (it seems to require Pro to adjust the settings to update only when the user initiates it, for example). This is considered by many to be a positive change; the idea being that this will prevent systems from being compromised through those security exploits.

And, certainly, that is true. Installing security patches will, obviously, prevent the exploits that they resolve from being exploited for malicious purposes. However, I think the impact that those exploits have on your typical end user has been overstated.

Based on my own experiences, I would estimate that the vast majority of end-user malware infections are not perpetuated or contributed to in any notable way by the sort of issues resolved by security updates. Those updates are more applicable to servers, data centers, and corporate environments. For end-user PCs, it is rare to find a malware infection that was not caused in some way by trojan horse malware — something which the user explicitly downloaded and ran themselves which had the unintended side effect of releasing malware onto their system. Pirated software; game mods, “keygens”, and so on and so forth. Screensavers, greeting card executables, applications that disguise themselves as images. Something as seemingly innocuous as an aftermarket Windows Theme could very easily contain an unwanted payload, and it won’t matter if the system is fully up to date or not if you allow it to install.

The Security Circus

I call the general concept of overstating those concerns the “security circus”. It infects certain styles of thinking and sort of makes itself a self-perpetuating concept over time. As an example scenario, a user may come to an IT repairperson with issues on their PC; it may be determined that those issues are caused by malware. The “security circus” contribution to this scenario could be that the repair person discovers that the system is out of date and missing a number of critical security updates. Because they have learned, over time, that security updates are critical and prevent infections, they may — and very often do — assume that the malware made its way onto the PC via that infection vector. Over time these occurrences pile up and that particular IT staff can state, without any intention of lying, that they have seen plenty of systems that were compromised by vulnerabilities, even though, realistically, they don’t actually know if the vulnerabilities were even responsible.

The “Acts” of this security circus seem to largely stem from Fear, Uncertainty, and Doubt being spread and manipulated. Coincidentally, I notice that oftentimes these efforts work in favour of a number of corporate interests. Forced OS Updates, for example, benefit the OS manufacturer, particularly as updates may very well provide any number of other pieces of software which provide “diagnostic” information which can be used by that company for marketing efforts. Security updates benefit security firms and security software vendors, whose products are used to “prevent” the problems that are caused until they receive that critical patch to fix the issue, or who release security “scanners” which analyze and report whether a system is susceptible to the vulnerability.

Some recent security scares come to mind when I think about the “security circus”.

The Wannacry ransomware provides some good examples of the operation of this “security circus”. Articles and postings on the issue are often decidedly vague about the extent of the vulnerability that causes it, and often overstate its capability; users are urged to update as soon as possible, and in some cases I’ve seen it argued that the vulnerability allows the malware to be installed over the Internet.

The reality, however, is that Wannacry had a distribution method that could exploit a vulnerability in SMBv1 within a LAN in order to spread to another system that was accessible on a LAN from the infected system. This means that a network that has systems that are vulnerable will have those vulnerable systems spread the infection if one gets infected; however, that “patient zero” cannot be infected remotely. Wannacry would still only be installed and infect a “patient zero” LAN system through some other infection vector, and that infection vector was almost certainly through trojan-horse malware of some description.

Which is not, of course, to understate that that is certainly a concern. If Little Jimmy runs an infected game mod installer, and their system gets infected, other vulnerable computers on the same network would eventually be compromised. However, I think the critical thing is not the security updates, but, in that scenario, the user education to avoid installing malicious software to begin with. In the scenario, for example, why did Little Jimmy trust the game mod installer? Should Little Jimmy even have user permissions to install software? What sort of education can be provided to allow users that have “vulnerable” habits to adjust those habits to avoid problems? Installing security updates, security software, firewalls etc. is, IMO, largely a way of avoiding that question, and unfortunately it pairs poorly because a user with “vulnerable” habits is often the sort who will happily disable their Anti-virus when say a game modification installer says it is a “false positive”, or who will happily give administrator permissions — if they can — to applications based on promised functionality.

Game “cheat” software often takes that approach; making a promise and then requesting elevation with that promise in mind is enough to convince some users to “take a chance”. These same “vulnerable” users are also susceptible to phishing scams or other things such as software programs stealing login information from, say, online accounts. A specific example of that would be simple applications which claim to “give op” to a Minecraft player. All you need to do is give your username and password! But of course it does not give you OP. Instead it simply e-mails your login information to a specified account. It doesn’t work, the user deletes the program, but perhaps never thinks about changing their login information because as far as they know the program just “didn’t work”. Until one day they cannot log in. Or, for MMOs, they suddenly find their character is poorly equipped or perhaps banned for activity because it was used for some nefarious in-game activity.

Speaking for myself, aside from the occasional Malwarebytes scan, I don’t run any sort of background AV software or firewall. In fact, I disable the built-in Windows software that provides those features. To my knowledge, I’ve not been infected in over 10 years. And even then, what I was infected with, Virut/Sality, wasn’t being picked up by any security software, even fully updated. Since then I’ve had systems that have lacked important security updates magically not be infected in the ways that the aforementioned “security circus” would have me believe. It seems — at least from where I am standing — that the implications of security vulnerabilities to your typical end-user system are vastly overstated, and the focus on those as a means to prevent people from getting infected may be a focus in the wrong area. Instead, users should receive education such that their “vulnerable” habits can be eliminated or at the very least they can be made aware of them. Better education for computer systems in general can help as well; knowing the difference between an svchost.exe where it should be and an svchost.exe where it isn’t can make it possible to identify unwanted software even if any installed security software isn’t picking it up.

Another topic of some interest that has taken the security world by storm is the Meltdown and Spectre prefetch cache security problems found in many microprocessors (Meltdown being specific to Intel chips). These security concerns relate to an ability to access memory that would be otherwise unavailable by exploiting speculative cache behaviour. Meltdown involves writing carefully crafted machine language instructions in order to trick the speculative execution into providing access to small pockets of memory that would not otherwise be accessible; there are kernel-mode pages that are part of that application’s virtual address space. Spectre functions similarly but requires those carefully crafted machine code instructions in order to try to perform various memory operations and carefully measure them in order to guess at the data found in certain areas of those kernel-mode pages within that process’s virtual address space.

I feel, again, that the security circus has somewhat overstated the dangers involved with these security problems; in particular, it is too common to see statements that this could be exploited through web-based code, such as Javascript, which itself would require escaping the Javascript sandbox which has wider security implications anyway. Additionally, it seems to presume that this could be used to steal web or system passwords, when realistically it will only enable viewing tiny pockets of driver-related process memory, and things like ASLR could very easily mitigate any directed attack looking for specific data.

But, the reality hardly sells articles, and certainly doesn’t sell security software, which, I might add, by sheer coincidence tends to be either a sponsor or major advertiser for many of the wider publicized security publications. Coincidence, no doubt.

Posted By: BC_Programming
Last Edit: 31 Jan 2018 @ 07:51 PM

Comments Off on The Various Acts of the Security Circus
08 Jul 2012 @ 11:52 PM

Important Note: In a system management setting, or a corporation, this is NOT something I prescribe. Managing and dealing with a PC that only you would use is one thing; handling them for others is, well, another thing entirely. In those cases a good AV is required, and keeping it up to date as well. (With the possible exception of Linux/BSD, where you still need to be aware of any problems that crop up in the software being used.)

Personally I do not use an “on-demand” or background scanner. I do have tools such as MBAM and the like installed which I will run when I notice odd processes in task manager, svchost hogging resources, or general “odd” behaviour from my system. I’ve never felt it was worth the processing overhead; the task of AV scanning takes time, and having it occur on nearly every file access is a rather hefty price. And of course, even the best AV application isn’t going to catch everything, so you need to be cautious anyway, which means that, for me, I’m actually safer when I don’t have an AV installed.

When I did have one installed (after a nasty Virut infection on Windows XP, to keep me from reinfecting the system using existing executables on my data drive) I actually found that a lot of activity I found suspicious and thought “oh no, I’m reinfected” could be traced to the AV. While their purposes are far more noble and good, I sort of feel that AV software is sort of like “fighting fire with fire”; rather than a virus or malware building a huge root system in your machine, the AV software does. That’s why they all seem to need special software to fully remove. That, and a lot of the systems I’ve fixed for others that they blamed on “viruses” were in fact caused by the anti-virus software they were using, which if you ask me is utterly unacceptable. (I’ll say I’ve only seen those issues with one or two “Free” offerings, McAfee, and older versions of Norton, though.)

Basically, my “protection” amounts to healthy cynicism. Almost all malware infections these days are trojans. So few infect a system by way of things like exploits and “drive-by” stuff that it’s hardly worth the effort to waste time thinking about. More importantly, the first line of defense even for those is the same. After all, in order to download a trojan you need to trust a website, and in order to visit a web page, you need to trust the link. Typically, when dealing with an unfamiliar executable, I’ll just run it (unless it has a blatantly suspicious name). I might run Process Explorer and keep track of what the program does as well to make sure there is no funny business. I usually have that running in the background anyway. If the program requests administrator permission, it doesn’t get it. Not at first. This has prevented a good lot of “infections” if you ask me, since you can’t well infect a machine without administrator permissions. Naturally, software installers do need those permissions so depending on the software I will allow it. Or, if I’m in a forgiving mood I might just say yes and deal with whatever happens later. When I am infected, I usually catch on rather quickly and am able to either kill the malware processes, or, if they are the type where they autorespawn each other, suspend all the suspicious processes and kill them all at once. Visit regedit and delete the offending entries (generally in the Run key), reboot, and typically everything is back to the way it was. In 7-8 years I was only infected once, and since moving to Vista/7, I’ve had hardly any problems.

An important Note: Typically, “manual” virus removal is not something that just anybody does. It really requires an intimate knowledge of how Windows software works, the PE file format, and of course a willingness to “get your hands dirty”. At the same time, it really is only an extension of what you should do even when you have an AV installed; keeping a system clean requires constant vigilance and you need to constantly be assessing what possible security repercussions your actions could have. “Does this application REALLY need admin permissions?” type stuff. More importantly, a single screw-up can cost you dearly. This is NOT something I recommend. Heck, I don’t even recommend it to myself. I just don’t like the “cloud” surrounding Windows being inherently insecure to the extent of requiring an AV to function, so I don’t use one.

BC’s tips for AV-free operation

Sometimes your applications will crash; this is pretty much inevitable. Sometimes you’ll need to run Task Manager for various reasons. While there, glance over the processes. Again, this requires a familiarity with the type and number of processes you would typically see running on your machine, so it’s useless unless you are familiar both with your operating system of choice as well as your “normal” software configuration. Things like rundll32.exe showing up in there out of nowhere will make me reach for Process Explorer, where I can determine the “threat” posed by that process.

As I type this, my desktop machine does in fact have a rundll32.exe process running. Which piqued my curiosity. You can use the “Select columns” menu in the View menu of Windows Task Manager to enable columns such as “Command line” which can give additional information on the process. You can also use various features of Process Explorer for that same task, or further investigation of a suspicious process, such as examining its in-memory layout, stack frames, loaded libraries, etc. In the case of this particular rundll32.exe, it turns out to be used to launch a function called “GameUXShim” in C:\Windows\System32\gameux.dll, which according to its description, is “Games Explorer”. The parameters, and function name, passed make it clear this is designed to “shim” an older game to work in the newer Windows 7 environment. Again, familiarity with the Windows system helps here; the compatibility settings provided by the Windows shell itself pale in comparison to what is actually provided “under the hood”, which involves a massive network of shims, compatibility hooks, and databases on the sorts of the two needed for various games and older applications that were, for lack of a better word, written badly. In this case, it seems to be for “Halo.exe”, the executable for the popular Halo game, which I bought and hardly ever played until yesterday, when I played for 5 minutes and got stuck. Knowing that I played the game, and was no longer, I can safely terminate this process and know it wasn’t malicious, and is required for proper gameplay. Same for a variety of other older games I have. {Edit: As I discovered previously, this gameUX.dll mess was actually caused by something else}
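The checks described here (an unexpected rundll32.exe or svchost.exe, its command line, and the Run keys mentioned in the removal steps above) can be scripted. The following is an added example, not code from the original post; it assumes Windows PowerShell 5.1 or later, only reads information, and flags processes whose image is outside System32/SysWOW64 for a closer look in Process Explorer.

```powershell
# Added example (not from the original post): read-only triage in the spirit
# of the manual checks above. Assumes Windows PowerShell 5.1 or later.

$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)
$watchNames = @('svchost.exe', 'rundll32.exe')

# Returns $true when the executable lives in one of the expected system folders.
function Test-InSystemDir {
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path)) { return $false }
    $dir = Split-Path -Path $Path -Parent
    foreach ($d in $systemDirs) {
        if ($dir -ieq $d) { return $true }
    }
    return $false
}

# Win32_Process exposes the same command line Task Manager shows when the
# "Command line" column is enabled. ExecutablePath is $null when access is
# denied (e.g. protected system processes); those rows show Expected=False
# and should be checked by hand rather than assumed bad.
function Get-SuspectProcesses {
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $watchNames -contains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                PID         = $_.ProcessId
                Name        = $_.Name
                Path        = $_.ExecutablePath
                CommandLine = $_.CommandLine
                Expected    = Test-InSystemDir -Path $_.ExecutablePath
            }
        }
}

# The Run keys the post names as the usual place for auto-start entries.
function Get-RunEntries {
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
        }
    }
}

Get-SuspectProcesses | Format-Table -AutoSize
Get-RunEntries | Format-Table -AutoSize
```

A row with Expected=False and a readable path outside the system folders is the "svchost.exe where it isn't" case; an entry in the Run key pointing at a user-profile or temp directory deserves the same scrutiny before anything is deleted.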

Obviously, this isn’t for people that just want to “do work” on their computer; it’s more useful for people who want to learn about how it works, and I don’t purport it as being safe, or even really that smart. An AV solution is only as good as its user, which is a nice way of telling people “you keep getting infected because you’re stupid, not because your AV sucks”. Usually I can get them to understand.

More critical than what AV a person uses is learning how to use that AV software effectively. You can’t just install an AV and forget about it; they each have their own nuances and settings that you should configure to your unique usage scenario. Learning what causes their various “popups” to appear warning you about things and how severe they are is important, particularly since the way a lot of AV suites present their messages is using skinned messages and gaudy pop-ups with stupid images that depict “virus infections” or other images that are wholly unimportant. Installing an AV and blindly following its advice and getting all worked up because it says it quarantined something merely feeds the ignorance, it doesn’t absolve it. It just adds confusing terms. “Quarantine” for example, is just a silly term in a software environment. All it amounts to is a backup folder where the files are moved to. Why? Because AV software has false positives, so it moves it there so that if it turns out that “whoops, that wasn’t infected” it can be moved back. It’s sort of like the equivalent of a society where, if anybody is identified as “sick”, they are euthanised (a bit harsh but that’s essentially the analogy as far as software goes). For “cleaning” and disinfecting files, basically at this point the analogy would be that they can cure your cold, but they will have to rip off all your limbs and cut off your ears (the resulting program very rarely still works as it used to and you need to reinstall anyway). In such a scenario, false positives could be disastrous. Instead of just having a call to your house telling you that your test results were wrong and you don’t actually have the flu, the doctor would have to interrupt your funeral to say “oh, yeah, turns out he wasn’t sick”, which usually means he is no longer invited to the reception.

As such AV software does what might be done in such a scenario: instead of outright deleting/killing the victims, it moves them to a special holding area, where they are forgotten about and usually deleted anyway, but at least that way if the doctors/AV software balls’d up they can just release them back into society. This only outlines that AV software is far from perfect. Using medical terminology like “quarantine” and “virus” and “heal” and “infection” only serves to confuse the issue, since it actually makes people think that the entire area of malware removal is a “profession” like your standard medicine on which the analogies are based. It’s not, certainly nowhere near the level of the field they have taken the terms from. At this point, Anti-Virus software as a “medical” field is about the equivalent of when we would drill holes in people’s heads to release their inner demons. That isn’t to say it’s useless, just that a lot of what it does is a tad drastic.

Posted By: BC_Programming
Last Edit: 21 Oct 2012 @ 12:02 AM

Comments Off on Anti-Virus Programs
Categories: Software
