Do AV companies check each definition update against windows?

By +Warwagon
in Smart Home, Network & Security

 Share

Recommended Posts

Grand Master

+Warwagon MVC

Posted
  • MVC
Posted

Do AV companies check each definition update against windows?

Every now and then an antivirus company releases a definition update which brings Windows to its knees. ( Example: When Webroot recently released an update which locked people out of their windows 8 machines) The AV accidentally flags a crucial system file as malicious and deletes it. How does this happen? I realize there are 100,000?s of thousands of different windows applications which could accidentally be flagged, thus they can?t test each one, but windows?

I don?t know how they check each definition update, but to me it doesn?t sound that hard. Wouldn?t it be easy to setup a few quad core machines with 2+ SSD?s in raid 0. Then each computer would contain a different bare-bones version of windows, starting with a machine that has all the latest updates. Then before the update is released they scan each machine. Because the computer is a bare install and because it?s running on an SSD raid 0 setup, the scan should only take a few minutes. If they did this before they released each update I don?t see how they could accidentally release an update that kills thousands of machines.

That's just my 2 cents.

When I said Service pack 2 I meant to say Service pack 3!

Grand Master

HawkMan

Posted
Posted

DO you pay for the AV?

NO: not hey don't check and AVG, Avira, Webroot and camp have all had issues several times where they have broken windows

YES: they generally test every update, unless it's McAffee or Panda or F-Prot which are all pretty terrible at checking. and also suffer from pretty bad coding and performance in general.

Grand Master

+LogicalApex MVC

Posted
  • MVC
Posted

Or they could take the easier route and automatically white-list any application that is digitally signed by Microsoft. All Windows files are digitally signed by MS.

  • remixedcat and +Warwagon
  • Like 2
Grand Master

HawkMan

Posted
Posted

Also you have to remember that it's not about just scanning windows.

you have to scan windows XP, Vista, 7 and 8. on top of that, EACH individual update to windows have to be tested as well as some of them change system files, and while it won't break one windows 7 SP1 system, it could break another one that has a different set of updates applied.

Grand Master

+Warwagon MVC

Posted
  • Author
  • MVC
Posted

DO you pay for the AV?

NO: not hey don't check and AVG, Avira, Webroot and camp have all had issues several times where they have broken windows

YES: they generally test every update, unless it's McAffee or Panda or F-Prot which are all pretty terrible at checking. and also suffer from pretty bad coding and performance in general.

But the Free versions of the AV also use the same definitions of their paid counterparts. Example AVG free Vs AVG paid. ... I doubt even if that wasn't the case, that because they were giving it away for free that they wouldn't care to check.

Grand Master

HawkMan

Posted
Posted

Or they could take the easier route and automatically white-list any application that is digitally signed by Microsoft. All Windows files are digitally signed by MS.

that's not how it works... AV scanners break windows because they falsely flag and remove system files. these need to be scanned as well.

But the Free versions of the AV also use the same definitions of their paid counterparts. Example AVG free Vs AVG paid. ... I doubt even if that wasn't the case, that because they were giving it away for free that they wouldn't care to check.

yeah, but AVG is horrible across the board. and they are able to give the free version away free because they don't spend as much resources on checking it.

Grand Master

+LogicalApex MVC

Posted
  • MVC
Posted

Also you have to remember that it's not about just scanning windows.

you have to scan windows XP, Vista, 7 and 8. on top of that, EACH individual update to windows have to be tested as well as some of them change system files, and while it won't break one windows 7 SP1 system, it could break another one that has a different set of updates applied.

Microsoft has been digital signing since Windows XP...

Using the digital signature check is a safe bet as any modification will result in the file no longer being signed...

that's not how it works... AV scanners break windows because they falsely flag and remove system files. these need to be scanned as well.

Well yes, right now they don't do it right hence the thread ;)

My point was a way they could stop breaking Windows with definition updates. There is no need to scan a Windows system file that has not changed and was published officially by Microsoft. They should save the resources and just skip scanning it altogether (I'm not talking about scanning the state of the application in memory, but the actual file on disk).

Grand Master

Circaflex

Posted
Posted

Or they could take the easier route and automatically white-list any application that is digitally signed by Microsoft. All Windows files are digitally signed by MS.

Recently i have come across infections that are able to look digitally signed, so that would automatically see them as clean

Grand Master

+LogicalApex MVC

Posted
  • MVC
Posted

No AV company is going to trust anyone elses security measures, it goes against their very purpose.

If they have problems with the way Digital Signatures work in Windows it would be beneficial to everyone if they publicized the problem and encouraged Microsoft to fix them.

If they are truly as scared as you claim then they should, at least, SHA256 hash all of the Windows files and compare against those to see if the content has changed. The point is, they need to whitelist the OS and report any security problems in unaltered OS files to Microsoft directly. They can't remove Windows security vulnerabilities and just removing a core OS file could lead to users being unable to use their machines. To me, killing a user's computer is a stupid end result for these products.

Recently i have come across infections that are able to look digitally signed, so that would automatically see them as clean

Yes, there are ways to try and spoof the name of the company signing the file to look at like like "Microsoft Corporation" or whatever, but the AV company should be using Microsoft's public key to compare against and not the name displayed to the user. A scammer can fake the name and anything else, but he can't fake the Microsoft public key without having the corresponding private key. This hasn't yet been cracked as the foundation for this is what all of our eCommerce transactions (and more) depend on daily to remain safe.

  • +Warwagon and remixedcat
  • Like 2
Mentor

Colin McGregor

Posted
Posted

That's why I use an MS antivirus with my MS operating system, plus its free and came with W8 so I had no need to install anything.

Grand Master

HawkMan

Posted
Posted

The point isn't how secure thir digital signatures is. the point is that they are AV companies and their livelihood is guaranteeing security. No matter how secure another system is, they cannot trust someone elses systems to be secure, they need to scan everything for infections

Look at the past history of security and how much worse a lot of infections would have been if every security company and AV company where to trust others security systems to be secure.

Grand Master

Astra.Xtreme

Posted
Posted

The point isn't how secure thir digital signatures is. the point is that they are AV companies and their livelihood is guaranteeing security. No matter how secure another system is, they cannot trust someone elses systems to be secure, they need to scan everything for infections

Look at the past history of security and how much worse a lot of infections would have been if every security company and AV company where to trust others security systems to be secure.

You don't seem to understand what he's saying. A file signed by Microsoft will not be of any sort of security concern. Microsoft isn't going to slipstream a virus into it's OS, so there's no point at all in scanning those core files. It's a waste of time and it leaves the door open for critical mistakes. As was already said, scan the state in memory or the hash, and that's all that will ever be needed.

  • remixedcat, +LogicalApex and +Warwagon
  • Like 3
Grand Master

+Warwagon MVC

Posted
  • Author
  • MVC
Posted

Look at the past history of security and how much worse a lot of infections would have been if every security company and AV company where to trust others security systems to be secure.

Give me an example in the case of Microsoft and signed files. We are talking about Microsoft and not the security of 3rd party applcations.

Grand Master

_neutrino Veteran

Posted
  • Veteran
Posted

From experience at work at least, I do not think they test the updates before they push them each day, i have seen to many episodes where computers are crippled by a bad update.

Grand Master

HawkMan

Posted
Posted

Give me an example in the case of Microsoft and signed files. We are talking about Microsoft and not the security of 3rd party applcations.

The example doesn't have to be specifically about MS and signed files.

you're still asking a company who's primary job it is to provide security to lay their trust in a third party and not go all the way in providing security.

Imagine if big security firms when hired for huge contracts went ahead and just said "ok so you already installed door locks and alarms yourself ? ok, we'll just trust that those locks and alarms work fine, and provide you with some guards in case something should happen." Think about it.

The signed files may and probably is fine and would prevent any undetected changes, BUT the AV company CANNOT guarantee that, they CANNOT trust that.

Veteran

xWhiplash

Posted
Posted

The example doesn't have to be specifically about MS and signed files.

you're still asking a company who's primary job it is to provide security to lay their trust in a third party and not go all the way in providing security.

Imagine if big security firms when hired for huge contracts went ahead and just said "ok so you already installed door locks and alarms yourself ? ok, we'll just trust that those locks and alarms work fine, and provide you with some guards in case something should happen." Think about it.

The signed files may and probably is fine and would prevent any undetected changes, BUT the AV company CANNOT guarantee that, they CANNOT trust that.

But no AV program is 100% successful anyway, so they cannot really guarantee that your system is 100% perfectly clean.

Grand Master

HawkMan

Posted
Posted

oh, so they should just not bother then :facepalm:

seriously, that's your argument ?

and use a quality AV, which pretty much excludes all the free ones and you're pretty damn close to 100%, even on zero day viruses if you keep the heuristics on and at a decent setting

Grand Master

Astra.Xtreme

Posted
Posted

The example doesn't have to be specifically about MS and signed files.

you're still asking a company who's primary job it is to provide security to lay their trust in a third party and not go all the way in providing security.

Imagine if big security firms when hired for huge contracts went ahead and just said "ok so you already installed door locks and alarms yourself ? ok, we'll just trust that those locks and alarms work fine, and provide you with some guards in case something should happen." Think about it.

The signed files may and probably is fine and would prevent any undetected changes, BUT the AV company CANNOT guarantee that, they CANNOT trust that.

Again, you're missing the context here. We are talking about files signed by Microsoft. Unless there is a disgruntled employee writing Windows, there is a 0% chance a stock Microsoft signed file will be infected with something. I see no reason why Microsoft couldn't be trusted for publishing clean files in their OS. There's no logic in believing this would be a security risk. Scanning these files only adds unnecessary reliability risks.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Price Drop: Save 86% on Microsoft Office 2021 Professional Plus lifetime digital license

      By News Staff · Posted

      Price Drop: Save 86% on Microsoft Office 2021 Professional Plus lifetime digital license by Steven Parker Today's highlighted deal comes via our Apps + Software section of the Neowin Deals store, where you can save 86% on a lifetime license to Microsoft Office 2021 for Windows. This bundle is for families and small businesses who want classic Office apps and email. It includes Word, Excel, PowerPoint, Outlook, Teams, and OneNote. A one-time purchase installed on 1 Windows PC for use at home or work. Lifetime license for MS Word, Excel, PowerPoint, Outlook, Teams, & OneNote One-time purchase installed on 1 Windows PC for use at home or work Instant Delivery & Download – access your software license keys and download links instantly Free customer service – only the best support! Microsoft Office Professional 2021 (for Windows) includes: Microsoft Office Word Microsoft Office Excel Microsoft Office PowerPoint Microsoft Office Outlook Microsoft Office Teams Microsoft Office OneNote Microsoft Office Publisher Microsoft Office Access No faffing about with subscriptions, just classic apps that don't expire. Good to Know ONE-TIME PURCHASE INSTALLED ON 1 DEVICE Redemption deadline: redeem your code within 30 days of purchase Access options: desktop Full versions No subscriptions – no monthly/annual fees Version: 2021 Updates included* *Support for this version of Office ends on Oct 13, 2026 A lifetime subscription to Microsoft Office 2021 Professional normally costs $219.99, but this deal can be yours for just $29.97, that's a saving of $190. For full terms, specifications, and license info, click the link below. Get Microsoft Office Professional 2021 for just $29.97, or learn more Although priced in U.S. dollars, this deal is available for digital purchase worldwide. Support queries If you have queries or need support for any of the Neowin Deals, please use the contact form here. Neowin Deals are managed and sold by StackCommerce who represent Neowin on an affiliate basis. Why we post these deals We post these because we earn commission on each sale so as not to rely solely on advertising, which many of our readers block. It all helps toward paying staff reporters, servers and hosting costs. So for those that keep moaning and complaining, be thankful we're still online for you to even do that. Other ways to support Neowin Whitelist Neowin by not blocking our ads Create a free member account to see fewer ads Make a donation to support our day to day running costs Subscribe to Neowin - for $14 a year, or $28 a year for an ad-free experience Disclosure: Neowin benefits from revenue of each sale made through our branded deals site powered by StackCommerce.
    • The Trump administration doesn't want you to use OpenAI's GPT-5.6 without its approval

      By ad47uk · Posted

      The only reason I want to know where you from is because if you are not from the U.K, then why should you care what we in the U.K do or don't do? Racist I am not, I am fed up with the amount coming over here and feel they can come over here and think we need to support them. Do you know how much it costs this country to support these people coming over here? Even when we give them a place to live it is not good enough. We had a barge that was being used to house immigrants, oh but that was not good enough. A mate said to me at the time, when he was homeless, he would have been happy to live on the barge, instead of ending up sleeping on a bench on the beach. I am not scared to say what my family heritage is, unlike you who is scared to say where they are from or where they live. Father side U.S, mother side Wales, still have family living in the U.S. A mate who sadly died a few years ago, had a load of people from different races recording in his studio, I got on with all of them. Skin colour don't bother me, where they are from don't bother me. Religion don't bother me as long as they don't push it onto me and it is not crazy stuff. I am not religious. But if you are not living in the U.K, then why should you care if we are in the E.U or not? This the problem, too many people poking their noses into where it don't belong. But you believe what you believe, if you think I am racist, then be it, I really do not care. Just grow a pair
    • Why it's almost impossible to produce a smartphone in the United States

      By dismuter · Posted

      If he hasn't been able to figure that out, then why is he obsessed with tariffs? Because that's one of the most prominent tools to level the playing field when you have high cost of labor.
    • Microsoft released Windows 11 KB5102558, KB5095615 Setup and Recovery updates

      By hellowalkman · Posted

      Microsoft released Windows 11 KB5102558, KB5095615 Setup and Recovery updates by Sayan Sen This past week Microsoft released the newest preview update (C-release) under KB5095093. Alongside those, Microsoft also released new dynamic updates. For those who may not know, dynamic updates bring improvements to the Windows Recovery process in the form of Windows Recovery Environment (WinRE) updates, which are also called Safe OS updates. The dynamic updates also affect the Setup file binaries in the form of Setup updates. These Dynamic Update packages are meant to be applied to existing Windows images prior to their deployment. Dynamic Updates also help preserve Language Pack (LP) and Features on Demand (FODs) content during the upgrade process. VBScript, for example, is currently an FOD on Windows 11 24H2. This time both recovery and setup updates were released for Windows 11. The company writes: "KB5095186: Safe OS Dynamic Update for Windows 11, version 26H1: June 23, 2026 This update makes improvements to the Windows recovery environment (WinRE). After installing this update, the WinRE version installed on the device should be 10.0.28000.2335. KB5102558: Setup Dynamic Update for Windows 11, versions 24H2 and 25H2: June 23, 2026 This update makes improvements to Windows setup binaries or any files that setup uses for feature updates in Windows 11, version 24H2 and Windows 11, version 25H2. KB5095615: Safe OS Dynamic Update for Windows 11, versions 24H2 and 25H2: June 23, 2026 This update makes improvements to the Windows recovery environment (WinRE). After installing this update, the WinRE version installed on the device should be 10.0.26100.8737." Microsoft notes that both the Recovery and Setup updates will be downloaded and installed automatically via the Windows Update channel.
    • Politically funny images of the World

      By +Edouard · Posted

  • Recent Achievements

    • Conversation Starter
      jessse3334 earned a badge
      Conversation Starter
    • Reacting Well
      JuvenileDelinquent earned a badge
      Reacting Well
    • One Month Later
      Excellence2025 earned a badge
      One Month Later
    • Week One Done
      Excellence2025 earned a badge
      Week One Done
    • Week One Done
      flexorcist earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      507
    2. 2
      +Edouard
      200
    3. 3
      PsYcHoKiLLa
      151
    4. 4
      Steven P.
      73
    5. 5
      macoman
      62
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!