33 replies to this topic 1 votes

[warwagon]

Do AV companies check each definition update against windows?

Every now and then an antivirus company releases a definition update which brings Windows to its knees. ( Example: When Webroot recently released an update which locked people out of their windows 8 machines) The AV accidentally flags a crucial system file as malicious and deletes it. How does this happen? I realize there are 100,000’s of thousands of different windows applications which could accidentally be flagged, thus they can’t test each one, but windows?

I don’t know how they check each definition update, but to me it doesn’t sound that hard. Wouldn’t it be easy to setup a few quad core machines with 2+ SSD’s in raid 0. Then each computer would contain a different bare-bones version of windows, starting with a machine that has all the latest updates. Then before the update is released they scan each machine. Because the computer is a bare install and because it’s running on an SSD raid 0 setup, the scan should only take a few minutes. If they did this before they released each update I don’t see how they could accidentally release an update that kills thousands of machines.

That's just my 2 cents.

When I said Service pack 2 I meant to say Service pack 3!

[HawkMan]

DO you pay for the AV?
NO: not hey don't check and AVG, Avira, Webroot and camp have all had issues several times where they have broken windows
YES: they generally test every update, unless it's McAffee or Panda or F-Prot which are all pretty terrible at checking. and also suffer from pretty bad coding and performance in general.

[LogicalApex]

Or they could take the easier route and automatically white-list any application that is digitally signed by Microsoft. All Windows files are digitally signed by MS.

[HawkMan]

Also you have to remember that it's not about just scanning windows.

you have to scan windows XP, Vista, 7 and 8. on top of that, EACH individual update to windows have to be tested as well as some of them change system files, and while it won't break one windows 7 SP1 system, it could break another one that has a different set of updates applied.

[warwagon]

HawkMan, on 26 December 2012 - 17:59, said:

DO you pay for the AV?
NO: not hey don't check and AVG, Avira, Webroot and camp have all had issues several times where they have broken windows
YES: they generally test every update, unless it's McAffee or Panda or F-Prot which are all pretty terrible at checking. and also suffer from pretty bad coding and performance in general.

But the Free versions of the AV also use the same definitions of their paid counterparts. Example AVG free Vs AVG paid. ... I doubt even if that wasn't the case, that because they were giving it away for free that they wouldn't care to check.

[HawkMan]

LogicalApex, on 26 December 2012 - 18:00, said:

Or they could take the easier route and automatically white-list any application that is digitally signed by Microsoft. All Windows files are digitally signed by MS.

that's not how it works... AV scanners break windows because they falsely flag and remove system files. these need to be scanned as well.

warwagon, on 26 December 2012 - 18:01, said:

But the Free versions of the AV also use the same definitions of their paid counterparts. Example AVG free Vs AVG paid. ... I doubt even if that wasn't the case, that because they were giving it away for free that they wouldn't care to check.

yeah, but AVG is horrible across the board. and they are able to give the free version away free because they don't spend as much resources on checking it.

[LogicalApex]

HawkMan, on 26 December 2012 - 18:01, said:

Also you have to remember that it's not about just scanning windows.

you have to scan windows XP, Vista, 7 and 8. on top of that, EACH individual update to windows have to be tested as well as some of them change system files, and while it won't break one windows 7 SP1 system, it could break another one that has a different set of updates applied.

Microsoft has been digital signing since Windows XP...


Using the digital signature check is a safe bet as any modification will result in the file no longer being signed...

HawkMan, on 26 December 2012 - 18:04, said:

that's not how it works... AV scanners break windows because they falsely flag and remove system files. these need to be scanned as well.

Well yes, right now they don't do it right hence the thread

My point was a way they could stop breaking Windows with definition updates. There is no need to scan a Windows system file that has not changed and was published officially by Microsoft. They should save the resources and just skip scanning it altogether (I'm not talking about scanning the state of the application in memory, but the actual file on disk).

[HawkMan]

No AV company is going to trust anyone elses security measures, it goes against their very purpose.

[Circaflex]

LogicalApex, on 26 December 2012 - 18:00, said:

Or they could take the easier route and automatically white-list any application that is digitally signed by Microsoft. All Windows files are digitally signed by MS.

Recently i have come across infections that are able to look digitally signed, so that would automatically see them as clean

[LogicalApex]

HawkMan, on 26 December 2012 - 18:12, said:

No AV company is going to trust anyone elses security measures, it goes against their very purpose.

If they have problems with the way Digital Signatures work in Windows it would be beneficial to everyone if they publicized the problem and encouraged Microsoft to fix them.

If they are truly as scared as you claim then they should, at least, SHA256 hash all of the Windows files and compare against those to see if the content has changed. The point is, they need to whitelist the OS and report any security problems in unaltered OS files to Microsoft directly. They can't remove Windows security vulnerabilities and just removing a core OS file could lead to users being unable to use their machines. To me, killing a user's computer is a stupid end result for these products.

Circaflex, on 26 December 2012 - 18:18, said:

Recently i have come across infections that are able to look digitally signed, so that would automatically see them as clean

Yes, there are ways to try and spoof the name of the company signing the file to look at like like "Microsoft Corporation" or whatever, but the AV company should be using Microsoft's public key to compare against and not the name displayed to the user. A scammer can fake the name and anything else, but he can't fake the Microsoft public key without having the corresponding private key. This hasn't yet been cracked as the foundation for this is what all of our eCommerce transactions (and more) depend on daily to remain safe.

[Colin McGregor]

That's why I use an MS antivirus with my MS operating system, plus its free and came with W8 so I had no need to install anything.

[HawkMan]

The point isn't how secure thir digital signatures is. the point is that they are AV companies and their livelihood is guaranteeing security. No matter how secure another system is, they cannot trust someone elses systems to be secure, they need to scan everything for infections

Look at the past history of security and how much worse a lot of infections would have been if every security company and AV company where to trust others security systems to be secure.

[Astra.Xtreme]

HawkMan, on 26 December 2012 - 18:41, said:

The point isn't how secure thir digital signatures is. the point is that they are AV companies and their livelihood is guaranteeing security. No matter how secure another system is, they cannot trust someone elses systems to be secure, they need to scan everything for infections

Look at the past history of security and how much worse a lot of infections would have been if every security company and AV company where to trust others security systems to be secure.

You don't seem to understand what he's saying. A file signed by Microsoft will not be of any sort of security concern. Microsoft isn't going to slipstream a virus into it's OS, so there's no point at all in scanning those core files. It's a waste of time and it leaves the door open for critical mistakes. As was already said, scan the state in memory or the hash, and that's all that will ever be needed.

[warwagon]

HawkMan, on 26 December 2012 - 18:41, said:

Look at the past history of security and how much worse a lot of infections would have been if every security company and AV company where to trust others security systems to be secure.

Give me an example in the case of Microsoft and signed files. We are talking about Microsoft and not the security of 3rd party applcations.

[+littleneutrino]

From experience at work at least, I do not think they test the updates before they push them each day, i have seen to many episodes where computers are crippled by a bad update.