Glad it helped. Hmm--I'm sure hoping that OneCare's quarantine doesn't
age in a similar fashion, because I believe that it is going to contain
some mail-store related files, and I've already got at least three angry
Thunderbird users in one of my clients who feel that OneCare has done in
their mail stores.
I think I know where to ask this question--just thinking out loud!
--
Good feedback, Bill.
I opened a bug for the quarantine retention thing - that indeed needs to
be documented in the product.
For archives over 50MB, the experience will be like before - the
0x80508026 error will be displayed.
Regards,
Joe
OK - this is definitely thorny--I've thought about it before.
Let me try to "see" what the flow would be for two or three
hypothetical situations.
1) My "backup of Aunt Mary's old win95 machine" that has the only PDF
copy of her last will and testament, with newdotnet in there for
spice. This is a zip, or maybe qic or .bkf file.
So--I install Windows Defender, and, being anal, I set scheduled scans
to do a full scan, since I can't tell what might be lying around that
none of my previous dozen or two antispyware apps have missed.
Fortunately, Aunt Mary had only a 4 gig drive, and didn't have much
data, so her file is 48 megs.
I've left settings at their default, so Windows Defender is set to
take the default action on a scheduled scan.
Scan is set for 11, and I'm still up, but by midnight the scan has hit
999,999 objects (I have a lot of .ISO files)--and I go off to bed.
Next morning--let's see if I can get this right--I should see an alert
from Windows Defender's icon in the system tray, and when I click and
open that, am I recalling it will take me to the history page--to show
me the scan results, essentially? This sounds perfect--It shows me
that "Aunt Marys backup.zip" was quarantined for newdotnet, and I say
"oops--I really need that--better get it back from quarantine."
Retrieval from quarantine works, and I'm in good shape.
Hmm --what additional actions do I take--I don't want to "always
allow" newdotnet. I could exclude the zip file from scanning (?) Am
I back to digging through System Events to find the path and file
within the zip, and removing that from the zip, to keep this from
repeating?
Suppose I say--OK--that's fine, Aunt Mary's backup really isn't
something I plan on looking at soon, and it will be safe in
quarantine, why don't I just leave it there? Is it obvious in the
quarantine UI that items age out? This isn't something I'd heard
before.
So--for that scenario, I'm doing a lot of nitpicking, but I think I
like this just fine.
Scenario 2 - pure malware--there's a .exe package lying around
somewhere that is an executable zip of some spyware--probably came
attached to an email message, and I saved it to try out the new game
or whatever, and then forgot about it.
Again--it only gets caught on a full scan, but it does, and I see it in
the history, and say--yeah--I never used that "rogerrabbit.exe"
anyway, and now I know it was a baddy--lesson learned, thank you
Windows Defender, and maybe I'll visit quarantine and delete it just
to keep from being tempted.
I like that just fine too.
Scenario 3--I've just installed Windows Defender, it updated, and is
running a quickscan. At the end of the quickscan it has detected some
spyware on my system--including something in an exe like the previous
scenario. I think in 99% of cases, the archive detections are only
happening on full scans, but it is probably possible for something
that is "live" to have a zip archive as part of its backstop
mechanisms to reinstall, or for such a zip to be in a location which a
quickscan would hit. I'm shocked at the long list of stuff detected
and removed, and when I go to quarantine, igfqwlx.exe from the
Temporary Internet Files is nothing I know I need, so I go on about
my business, grateful to Windows Defender for having saved my butt,
and the file ages out of quarantine and goes away and I never have to
think about it again.
OK - final nits: Really - the only thing I see here is the need to be
sure the users know that quarantine ages out--I've never seen this in
another antivirus quarantine. I'm assuming that if the archive is too
big, we'll get an error message of some sort?
I'm sure there are some good corner cases I've missed here, so I hope
all the other lurkers here have thought this through from scratch
without being biased by my thinking, and will chime in!
I like it!
The 1372 engine will quarantine archives (under 50MB) when a threat
detection containing them is removed. So it will look like the
threat was deleted completely, but the history will say the action
was quarantine, and the quarantine package will be in the quarantine
view in the UI.
After 30 days, quarantined items age out.
I think this is a great solution to a thorny problem - but your
feedback would be appreciated, as usual.
Regards,
Joe
This should be exciting--I'm tempted to go out and grab some malware
to test, but I'm short of time--I'm trying to complete some budget
work for my church (our initial attempt is $30,000 out of balance!)
and I need to travel to a family funeral this weekend about 300
miles away. So--I won't get much chance to look into this stuff
'til sometime next week--of the 50 or so machines I work with
regularly, only two have ever seen any significant spyware--and I've
got them clean at this point, so I need some new customers.
--
Joe,
Care to elaborate on exactly what "archive cleaning" means within
the WD context? I know Mike Treit referred to "planning some
changes to improve the experience" when malicious files are
discovered inside an archive, but this is the first I've seen
anyone refer to archive cleaning using the 1.1.1372.0 Engine.
--
Regards, Dave
Joe Faulhaber[MSFT] wrote:
Donald's on the right track here...
We had to rev our setup a few times, but the underlying product binaries
stayed the same. The revs were almost all due to our efforts to provide
localized versions of WD, which we're still working on. The localized
versions of the beta for those of you running German or Japanese Windows
will have setup version > .6.
Back to the original question - 1347.0 is the correct WD version, the 1372
engine is current (with archive cleaning, very exciting!).
Regards,
Joe