34 posts in this topic

Posted

Do AV companies check each definition update against windows?

Every now and then an antivirus company releases a definition update which brings Windows to its knees. ( Example: When Webroot recently released an update which locked people out of their windows 8 machines) The AV accidentally flags a crucial system file as malicious and deletes it. How does this happen? I realize there are 100,000

Share this post


Link to post
Share on other sites

Posted

DO you pay for the AV?

NO: not hey don't check and AVG, Avira, Webroot and camp have all had issues several times where they have broken windows

YES: they generally test every update, unless it's McAffee or Panda or F-Prot which are all pretty terrible at checking. and also suffer from pretty bad coding and performance in general.

Share this post


Link to post
Share on other sites

Posted

Or they could take the easier route and automatically white-list any application that is digitally signed by Microsoft. All Windows files are digitally signed by MS.

2 people like this

Share this post


Link to post
Share on other sites

Posted

Also you have to remember that it's not about just scanning windows.

you have to scan windows XP, Vista, 7 and 8. on top of that, EACH individual update to windows have to be tested as well as some of them change system files, and while it won't break one windows 7 SP1 system, it could break another one that has a different set of updates applied.

Share this post


Link to post
Share on other sites

Posted

DO you pay for the AV?

NO: not hey don't check and AVG, Avira, Webroot and camp have all had issues several times where they have broken windows

YES: they generally test every update, unless it's McAffee or Panda or F-Prot which are all pretty terrible at checking. and also suffer from pretty bad coding and performance in general.

But the Free versions of the AV also use the same definitions of their paid counterparts. Example AVG free Vs AVG paid. ... I doubt even if that wasn't the case, that because they were giving it away for free that they wouldn't care to check.

Share this post


Link to post
Share on other sites

Posted

Or they could take the easier route and automatically white-list any application that is digitally signed by Microsoft. All Windows files are digitally signed by MS.

that's not how it works... AV scanners break windows because they falsely flag and remove system files. these need to be scanned as well.

But the Free versions of the AV also use the same definitions of their paid counterparts. Example AVG free Vs AVG paid. ... I doubt even if that wasn't the case, that because they were giving it away for free that they wouldn't care to check.

yeah, but AVG is horrible across the board. and they are able to give the free version away free because they don't spend as much resources on checking it.

Share this post


Link to post
Share on other sites

Posted

Also you have to remember that it's not about just scanning windows.

you have to scan windows XP, Vista, 7 and 8. on top of that, EACH individual update to windows have to be tested as well as some of them change system files, and while it won't break one windows 7 SP1 system, it could break another one that has a different set of updates applied.

Microsoft has been digital signing since Windows XP...

Using the digital signature check is a safe bet as any modification will result in the file no longer being signed...

that's not how it works... AV scanners break windows because they falsely flag and remove system files. these need to be scanned as well.

Well yes, right now they don't do it right hence the thread ;)

My point was a way they could stop breaking Windows with definition updates. There is no need to scan a Windows system file that has not changed and was published officially by Microsoft. They should save the resources and just skip scanning it altogether (I'm not talking about scanning the state of the application in memory, but the actual file on disk).

1 person likes this

Share this post


Link to post
Share on other sites

Posted

No AV company is going to trust anyone elses security measures, it goes against their very purpose.

Share this post


Link to post
Share on other sites

Posted

Or they could take the easier route and automatically white-list any application that is digitally signed by Microsoft. All Windows files are digitally signed by MS.

Recently i have come across infections that are able to look digitally signed, so that would automatically see them as clean

Share this post


Link to post
Share on other sites

Posted

No AV company is going to trust anyone elses security measures, it goes against their very purpose.

If they have problems with the way Digital Signatures work in Windows it would be beneficial to everyone if they publicized the problem and encouraged Microsoft to fix them.

If they are truly as scared as you claim then they should, at least, SHA256 hash all of the Windows files and compare against those to see if the content has changed. The point is, they need to whitelist the OS and report any security problems in unaltered OS files to Microsoft directly. They can't remove Windows security vulnerabilities and just removing a core OS file could lead to users being unable to use their machines. To me, killing a user's computer is a stupid end result for these products.

Recently i have come across infections that are able to look digitally signed, so that would automatically see them as clean

Yes, there are ways to try and spoof the name of the company signing the file to look at like like "Microsoft Corporation" or whatever, but the AV company should be using Microsoft's public key to compare against and not the name displayed to the user. A scammer can fake the name and anything else, but he can't fake the Microsoft public key without having the corresponding private key. This hasn't yet been cracked as the foundation for this is what all of our eCommerce transactions (and more) depend on daily to remain safe.

2 people like this

Share this post


Link to post
Share on other sites

Posted

That's why I use an MS antivirus with my MS operating system, plus its free and came with W8 so I had no need to install anything.

Share this post


Link to post
Share on other sites

Posted

The point isn't how secure thir digital signatures is. the point is that they are AV companies and their livelihood is guaranteeing security. No matter how secure another system is, they cannot trust someone elses systems to be secure, they need to scan everything for infections

Look at the past history of security and how much worse a lot of infections would have been if every security company and AV company where to trust others security systems to be secure.

Share this post


Link to post
Share on other sites

Posted

The point isn't how secure thir digital signatures is. the point is that they are AV companies and their livelihood is guaranteeing security. No matter how secure another system is, they cannot trust someone elses systems to be secure, they need to scan everything for infections

Look at the past history of security and how much worse a lot of infections would have been if every security company and AV company where to trust others security systems to be secure.

You don't seem to understand what he's saying. A file signed by Microsoft will not be of any sort of security concern. Microsoft isn't going to slipstream a virus into it's OS, so there's no point at all in scanning those core files. It's a waste of time and it leaves the door open for critical mistakes. As was already said, scan the state in memory or the hash, and that's all that will ever be needed.

3 people like this

Share this post


Link to post
Share on other sites

Posted

Look at the past history of security and how much worse a lot of infections would have been if every security company and AV company where to trust others security systems to be secure.

Give me an example in the case of Microsoft and signed files. We are talking about Microsoft and not the security of 3rd party applcations.

Share this post


Link to post
Share on other sites

Posted

From experience at work at least, I do not think they test the updates before they push them each day, i have seen to many episodes where computers are crippled by a bad update.

Share this post


Link to post
Share on other sites

Posted

Video added to first post

Share this post


Link to post
Share on other sites

Posted

Regarding digital signatures, Avast does have this option. Executables are still open for scanning though.

2012-12-26%2015_53_56-FILE%20SYSTEM%20SHIELD%20SETTINGS.png

Share this post


Link to post
Share on other sites

Posted

Regarding digital signatures, Avast does have this option. Executables are still open for scanning though.

2012-12-26%2015_53_56-FILE%20SYSTEM%20SHIELD%20SETTINGS.png

What setting is that under?

Share this post


Link to post
Share on other sites

Posted

What setting is that under?

File system shield's settings, under the Advanced tab.

Share this post


Link to post
Share on other sites

Posted

File system shield's settings, under the Advanced tab.

Sweet. Thanks. See it can be done!

1 person likes this

Share this post


Link to post
Share on other sites

Posted

Sweet. Thanks. See it can be done!

Is that option on or off by default?

Share this post


Link to post
Share on other sites

Posted

Give me an example in the case of Microsoft and signed files. We are talking about Microsoft and not the security of 3rd party applcations.

The example doesn't have to be specifically about MS and signed files.

you're still asking a company who's primary job it is to provide security to lay their trust in a third party and not go all the way in providing security.

Imagine if big security firms when hired for huge contracts went ahead and just said "ok so you already installed door locks and alarms yourself ? ok, we'll just trust that those locks and alarms work fine, and provide you with some guards in case something should happen." Think about it.

The signed files may and probably is fine and would prevent any undetected changes, BUT the AV company CANNOT guarantee that, they CANNOT trust that.

Share this post


Link to post
Share on other sites

Posted

The example doesn't have to be specifically about MS and signed files.

you're still asking a company who's primary job it is to provide security to lay their trust in a third party and not go all the way in providing security.

Imagine if big security firms when hired for huge contracts went ahead and just said "ok so you already installed door locks and alarms yourself ? ok, we'll just trust that those locks and alarms work fine, and provide you with some guards in case something should happen." Think about it.

The signed files may and probably is fine and would prevent any undetected changes, BUT the AV company CANNOT guarantee that, they CANNOT trust that.

But no AV program is 100% successful anyway, so they cannot really guarantee that your system is 100% perfectly clean.

Share this post


Link to post
Share on other sites

Posted

oh, so they should just not bother then :facepalm:

seriously, that's your argument ?

and use a quality AV, which pretty much excludes all the free ones and you're pretty damn close to 100%, even on zero day viruses if you keep the heuristics on and at a decent setting

Share this post


Link to post
Share on other sites

Posted

The example doesn't have to be specifically about MS and signed files.

you're still asking a company who's primary job it is to provide security to lay their trust in a third party and not go all the way in providing security.

Imagine if big security firms when hired for huge contracts went ahead and just said "ok so you already installed door locks and alarms yourself ? ok, we'll just trust that those locks and alarms work fine, and provide you with some guards in case something should happen." Think about it.

The signed files may and probably is fine and would prevent any undetected changes, BUT the AV company CANNOT guarantee that, they CANNOT trust that.

Again, you're missing the context here. We are talking about files signed by Microsoft. Unless there is a disgruntled employee writing Windows, there is a 0% chance a stock Microsoft signed file will be infected with something. I see no reason why Microsoft couldn't be trusted for publishing clean files in their OS. There's no logic in believing this would be a security risk. Scanning these files only adds unnecessary reliability risks.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.