DOH! Whose idea was that?

Thread starter: Guest

So I just added a 127.0.0.1 entry to my hosts file to stop one particular
site annoying me. I opened hosts in Notepad and added the appropriate entry.

A couple of seconds later AntiSpyware pops up and asks me if I approve of
this! Of course I do - I did it, myself, manually!

How DUMB is that?
 
This is done so that if you make a mistake you can correct it. Pretty dumb,
huh!
: This is the best way of doing things (most secure way)
:
: > So I just added a 127.0.0.1 entry to my hosts file to stop one
: > particular site annoying me. I opened hosts in Notepad and added the
: > appropriate entry.
: >
: > A couple of seconds later AntiSpyware pops up and asks me if I approve
: > of this! Of course I do - I did it, myself, manually!
: >
: > How DUMB is that?
 
Stuart said:
So I just added a 127.0.0.1 entry to my hosts file to stop one particular
site annoying me. I opened hosts in Notepad and added the appropriate
entry.

A couple of seconds later AntiSpyware pops up and asks me if I approve of
this! Of course I do - I did it, myself, manually!

How DUMB is that?


So how does MSAS know that *you* made the change? Lots of malware will add
entries to the hosts file to prevent you from visiting certain sites,
especially those that will detect that malware or provide instructions on
eradicating the pest.

MSAS *polls* for changes in monitored settings or files. It does not
intervene! Until MSAS does its poll to check for changes, those changes go
undetected. That means whatever process made the change will be long gone
by the time MSAS detects the change. That is why MSAS never offers you the
choice of allowing or blocking that process from making the change because
that process doesn't exist anymore or have the file open anymore. When
someone throws a brick through your windows while you are out, you don't
find out about it until AFTER the incident when you happen to come back
home. WinPatrol works the same way by *polling* to detect the changes.

Prevx (the Home edition is free) instead intervenes with changes to critical
areas. This pends the process that is attempting to make the change until
you allow or block it. That means Prevx can identify to you which process
is trying to make the change AS it is trying to make the change. However,
like firewalls with application rules, you will get lots of prompts when you
first start using it to ask if the process is allowed to make the change or
not, and YOU will have to be expert enough to understand their prompt and
what is getting changed. Simply responding Yes or OK to every prompt
subverts the security offered by the product, so you might as well
uninstall it. Prevx Home can incur a performance penalty on some hosts.
Never happened on mine but others have reported a slowdown, but then an even
higher percentage of users have reported slowdowns after installing MSAS.

I used Prevx Home and MSAS together since there was something of one not
covered by the other. Eventually I dropped MSAS, and eventually I got rid of
Prevx since I'm expert enough a user not to get stuck with the malware in
the first place and these protections were too expensive in the resources
that they used to bother with them anymore.

For MSAS (and WinPatrol), realize that changes made to critical areas are
detected AFTER they occur so the cause cannot be identified. Changing MSAS
to intervene WHEN the change is attempted would require a huge paradigm
change in the behavior of the product and probably something Microsoft
doesn't want to do, especially for a freebie product. While preventing the
burglar from getting into your home is better, catching the burglar that got
into your home is okay, too.
 
JoeM said:
The is the best way of doing things (most secure way)


As opposed to asking the user WHEN the change is attempted, huh? MSAS
detects the change too late, which is why it cannot identify the process that
made the change. It polls for changes. It does NOT intervene in those changes.
 
How would you propose that Microsoft Antispyware differentiate between your
scenario and one where that action was taken by a trojan in place, a remote
control tool, or a batch file triggered by a virus? The agent looks at
changes in the file, and asks whether you intentionally made those changes.
This isn't very different from any of the checkpoints that may be invoked
during software installation--you get a prompt that thus and such is being
installed, and if you did that intentionally, it's fine. If you had no idea
anything was being installed, you are alerted.

To create a mechanism that is both simple and robust, it may well be better
to reduce it to the minimum (i.e. did the file change) than to try to
monitor all the possible ways in which that change might be initiated, and
differentiate between "good" and "bad" possible causes.
 
As opposed to asking the user WHEN the change is attempted, huh? MSAS
detects the change too late, which is why it cannot identify the process
that made the change. It polls for changes. It does NOT intervene in those
changes.

Microsoft Antispyware can reverse that change, I believe. It's been a while
since I've tested this, but I believe if you deny, the line will be
commented out. (late is another issue--not sure about that.)
 
Bill Sanderson said:
Microsoft Antispyware can reverse that change, I believe. It's been a
while since I've tested this, but I believe if you deny, the line will be
commented out. (late is another issue--not sure about that.)


Very true. If (actually when) you get the prompt from MSAS that appears
sometime AFTER the change has been made, MSAS will remove the change if you
deny it. In this case, undoing the change in the hosts file is okay because
it is unlikely that in the minute it takes MSAS to notify you that you
actually visited that site or haven't been trying long enough for the MSAS
prompt to appear. Sometimes the MSAS prompt appears about 10 seconds after
the change. I've seen it wait until almost a minute until after the change.
I've also seen it never popup its alert until you happen to kick it in its
butt by clicking on its tray icon whereupon a couple dozen of pending alerts
suddenly all appear and obliterate each other. Reversing a detected change
does not guarantee that the machine gets returned to exactly the same state
it was in before the change.

If you have the horsepower or don't mind the performance impact of running
multiple protection products, I'd use Prevx to block the burglar from
getting into my house and also use MSAS to catch them if they manage to
bypass the perimeter defenses. There is ProcessGuard which prevents ANY
program from loading that you didn't authorize to do so (since a program can
only execute when loaded into memory) along with a hash value recorded for
the process you allowed to prevent fire-holing or DLL injection. The
tighter you make the security, the more expert you need to be to understand
how to use the tool. So, yeah, you could have ProcessGuard trying to
prevent the burglar from "becoming" (i.e., prevent the timeline where the
burglar gets born), Prevx for perimeter defense to catch it should it manage
to load and evade ProcessGuard by somehow infecting a file you authorized
before without changing its hash code, and MSAS as the last line of defense
to permit reversing changes that were made in the near past.

I know some folks that use the freebie version of ProcessGuard (which only
protects one process and must be manually updated when updates are applied)
to protect their anti-virus program to prevent any other process from
killing it. ProcessGuard is forward looking, Prevx is current looking, and
MSAS is past looking. But, geez, you really want all this crap sucking up
resources on your computer? Inevitably the security of the host comes down
to the user.
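The "poll, then undo" behaviour the thread attributes to MSAS (notice the hosts file changed after the fact, prompt, and comment the line out on deny), written out as an added illustration. This is not code from MSAS, WinPatrol, Prevx or ProcessGuard. The two hosts-file snapshots are constructed samples embedded inline; the real file is never read or written.

```python
# Added example: a "poll, then undo" hosts-file watcher in the style the thread
# attributes to MSAS. Not code from any of the products discussed. The two
# snapshots below are constructed; the real file on Windows lives at
# %SystemRoot%\System32\drivers\etc\hosts and is never touched here.

HOSTS_BEFORE = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
"""

# Same file after the edit in Notepad (or after a pest wrote to it: a poller
# cannot tell the difference, which is the point made in the thread).
HOSTS_AFTER = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       annoying.example
127.0.0.1       www.annoying.example   # added by hand in Notepad
"""


def parse_hosts(text):
    """Return {hostname: ip} for the active (uncommented) entries."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries[name.lower()] = ip
    return entries


def diff_hosts(old_text, new_text):
    """Mappings that are new or now point elsewhere, and mappings that vanished."""
    old, new = parse_hosts(old_text), parse_hosts(new_text)
    added = {n: ip for n, ip in new.items() if old.get(n) != ip}
    removed = {n: ip for n, ip in old.items() if n not in new}
    return added, removed


def poll_once(last_seen, current_text):
    """One polling pass over the file contents.

    A poller only learns *that* the file differs from the last pass; by then
    the process that wrote it has closed the file and may have exited, so the
    prompt can only name the change, never the changer.
    """
    if current_text == last_seen:
        return False, {}, {}
    added, removed = diff_hosts(last_seen, current_text)
    return True, added, removed


def deny_changes(current_text, added):
    """Undo the detected additions the way the thread says MSAS does on "deny":
    comment the offending lines out instead of deleting them."""
    out = []
    for line in current_text.splitlines():
        active = line.split("#", 1)[0].split()
        names = {n.lower() for n in active[1:]}
        if names & set(added):
            out.append("# " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    changed, added, removed = poll_once(HOSTS_BEFORE, HOSTS_AFTER)
    if changed:
        print("hosts file changed since last poll; new mappings:", added)
        # The user answers "deny" at the prompt: revert by commenting out.
        print(deny_changes(HOSTS_AFTER, added))
```

Two limits the thread raises show up directly in this shape: the prompt can only arrive on the next pass (the 10 to 60 second window mentioned above), and "deny" restores the active mappings but not the file's exact bytes. In particular, if an existing mapping was changed rather than a new one added, commenting the new line out drops the old mapping instead of restoring it, which is the "not exactly the same state" caveat.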
 
I know some folks that use the freebie version of ProcessGuard (which only
protects one process and must be manually updated when updates are
applied) to protect their anti-virus program to prevent any other process
from killing it. ProcessGuard is forward looking, Prevx is current
looking, and MSAS is past looking. But, geez, you really want all this
crap sucking up resources on your computer? Inevitably the security of
the host comes down to the user.


I think that resource usage is probably at the heart of this issue. I know
from the test I have for real-time protection (cd \windows, md winlogon.exe)
that there's about a 15-18 second poll of some sort. There's probably a
limit to how fine-grained the control on the part of a user-mode app can
be. Beta2 will certainly have some portion running as a service. I also
know that from the WindowsOneCare.com beta, the two-way firewall in that app
stops traffic first and then asks the question. Much to the distress of
some... I suspect Microsoft knows how to do this better, and that we'll see
some changes in beta2.
 
Maybe not so Dumb as you think. I would have taken great reassurance in the
fact that MSAS provided me with a warning. Who cares if it was user initiated
because there are times when some people need protecting from their own
stupidity? At least it shows he is doing one of his many jobs by alerting you
(in this instance), to the possibility of unauthorised mods to your hosts
file.

Stu
 