Running program files on XP with non-executable extension?

Leythos

From: "Leythos" <[email protected]>


> |
> | That's great for them and you - not being snide here, but, as I said
> | before, never seen a false positive on more than 1500 systems, and we'll
> | continue to use it scanning all files on access.
> |
>
> { just to stir the pot a bit... }
>
> Since I monitor many virus News Groups, including Symantec's, I have come across *many*
> False Positive declarations from many AV vendors.
>
> I recently (10/6) dealt with one situation by Symantec in reference to iun6002.exe, which
> was falsely declared as a Trojan.Dropper.
>
> Then there was the case of Symantec falsely declaring Backdoor.Graybird (9/16) in a temp
> file created by Spy Sweeper.
>
> I'm still wondering when Avast will stop falsely declaring VBS/RedLof in Trend Micro's
> sysclean utility.

Which does not change the fact that I've not had the experience of false
positives - I've never said they don't happen, but I do find that having
"scan on accessed" tends to find things other than the obvious.
 
Dustin Cook

Leythos said:
> Funny, how many networks have you designed and maintain that have NEVER
> been compromised?

For myself, several. Still using a small one at home.. heh.

Zvi Netiv's claim to fame is InVircible, and his remarkable knowledge
of drive data layout. The guy's good at recovering from many nasty
things... He's also (shudder, I can't believe I'm saying this, he's a
sworn enemy of mine) a respected Antivirus side person. But, like I
said before man, you don't need to take our words for it. Do as you
wish.

Regards,
Dustin Cook
 
Winged

Leythos said:
> Depends on the environment, not everyone has data they don't care about.
>
> Funny, how many networks have you designed and maintain that have NEVER
> been compromised?

Afraid we too scan everything. While I agree this is wasteful of
resources, it really doesn't have enough impact in real world
environment to be an issue.

We scan files on write, open and modify. Overkill yes, but our flip
flops have yet to unionize.

We wake our system on weekends (during non-work hours) to do full scans.
One advantage to this is it is an easy way to flag something that is
talking outbound when it's not supposed to, yes it does happen.

We even open IE on an intranet page to ensure something doesn't
communicate that wasn't caught with other methods. Pretty easy to
identify the firewall communication. While this method is by no means a
check for much, it is surprising what it finds sometimes. When the net is
loaded with users it can hide activity when you're dealing in multiple T3s
and T9s and dual gigabit between subnets.

We wake our machines nightly as required for patching. CPU cycles are
pretty cheap these days. Afraid I have no issue wasting the computer
time, they work cheap.

If you are not careful, things hide in JAR files or other places and may be
easily missed. Easiest to scan everything and march on. AV is the
easiest to manage these days, now if someone can just stop those damn
patches from breaking stuff I would be happy.

The idea here is to avoid doing system maintenance tasks that impact
user operations, that gets expensive very fast. You have to avoid
system downtime when it costs $100,000 an hour to bring networks down
due to a virus event.

Winged
 
Leythos

> Afraid we too scan everything. While I agree this is wasteful of
> resources, it really doesn't have enough impact in real world
> environment to be an issue.
>
> We scan files on write, open and modify. Overkill yes, but our flip
> flops have yet to unionize.
>
> We wake our system on weekends (during non-work hours) to do full scans.
> One advantage to this is it is an easy way to flag something that is
> talking outbound when it's not supposed to, yes it does happen.
>
> We even open IE on an intranet page to ensure something doesn't
> communicate that wasn't caught with other methods. Pretty easy to
> identify the firewall communication. While this method is by no means a
> check for much, it is surprising what it finds sometimes. When the net is
> loaded with users it can hide activity when you're dealing in multiple T3s
> and T9s and dual gigabit between subnets.
>
> We wake our machines nightly as required for patching. CPU cycles are
> pretty cheap these days. Afraid I have no issue wasting the computer
> time, they work cheap.
>
> If you are not careful, things hide in JAR files or other places and may be
> easily missed. Easiest to scan everything and march on. AV is the
> easiest to manage these days, now if someone can just stop those damn
> patches from breaking stuff I would be happy.
>
> The idea here is to avoid doing system maintenance tasks that impact
> user operations, that gets expensive very fast. You have to avoid
> system downtime when it costs $100,000 an hour to bring networks down
> due to a virus event.

Sorry for quoting it all, but those are the exact reasons we do the same
- scan on access, nightly full system scans of ALL files. We've never
had a virus/malware related downtime issue, ever.
 
Dustin Cook

James said:
> Both you and pax admitted (on usenet) to accidentally infecting your
> own machines.

One machine James, not a LAN. :)

The LAN has never been infected by anything. The computer used for
virus work was a standalone unit. It had no access to the network.

Regards,
Dustin Cook
http://bughunter.atspace.org
 
Zvi Netiv

Leythos said:
> |
> | That's great for them and you - not being snide here, but, as I said
> | before, never seen a false positive on more than 1500 systems, and we'll
> | continue to use it scanning all files on access.
>
> { just to stir the pot a bit... }
> [...]
> Which does not change the fact that I've not had the experience of false
> positives

The reason could be little experience, or assuming that all the alerts that you
saw were true positives, without confirming that they are indeed. Your
assertions do not sound credible.

Regards, Zvi
 
Leythos

Leythos said:
> As I said, I've been in the vx side for many years. I'm well versed on
> both aspects of it, from antivirus perspective as well as vx
> perspective. I'm not giving my opinion per se, I'm giving that of the
> general consensus of both the Av and Vx side of things.
> |
> | That's great for them and you - not being snide here, but, as I said
> | before, never seen a false positive on more than 1500 systems, and we'll
> | continue to use it scanning all files on access.
>
> { just to stir the pot a bit... }
> [...]
> Which does not change the fact that I've not had the experience of false
> positives
>
> The reason could be little experience, or assuming that all the alerts that you
> saw were true positives, without confirming that they are indeed. Your
> assertions do not sound credible.

I agree, if I was some slouch, I would think it not credible too, but as
I've been doing this type of work since the mid 70's, I would think that
I know a little about security by now :) I've designed everything from
small 5 node SOHO's to 400 node medical centers, of all the ones we
manage, not one has been compromised, and I've only seen a virus on two
that we didn't manage, but that was due to letting an unclean laptop into
the network, none of the other nodes were compromised.

As for alerts of any type, they are always checked against two or three
AV products, so I feel comfortable that my statements are true on our
networks.
 
Zvi Netiv

Leythos said:
> support@replace_with_domain.com says...
> [...]
> The reason could be little experience, or assuming that all the alerts that you
> saw were true positives, without confirming that they are indeed. Your
> assertions do not sound credible.
>
> I agree, if I was some slouch, I would think it not credible too, but as
> I've been doing this type of work since the mid 70's, I would think that
> I know a little about security by now :) I've designed everything from
> small 5 node SOHO's to 400 node medical centers,

So you say. How do I know that you aren't just boasting? Your stories sound
too fantastic to me. Do you claim that all the users of the 1500 networks that
you designed or managed are security super-aces like you and never blew it?
> of all the ones we
> manage, not one has been compromised, and I've only seen a virus on two
> that we didn't manage, but that was due to letting an unclean laptop into
> the network, none of the other nodes were compromised.
>
> As for alerts of any type, they are always checked against two or three
> AV products, so I feel comfortable that my statements are true on our
> networks.

What are the alerts upon, since you claim that the systems you manage were never
compromised?

Regards, Zvi
 
Leythos

Leythos said:
> support@replace_with_domain.com says...
> [...]
> Which does not change the fact that I've not had the experience of false
> positives
>
> The reason could be little experience, or assuming that all the alerts that you
> saw were true positives, without confirming that they are indeed. Your
> assertions do not sound credible.
>
> I agree, if I was some slouch, I would think it not credible too, but as
> I've been doing this type of work since the mid 70's, I would think that
> I know a little about security by now :) I've designed everything from
> small 5 node SOHO's to 400 node medical centers,
>
> So you say. How do I know that you aren't just boasting? Your stories sound
> too fantastic to me.

I was boasting, and I'm damn proud that I can say it and say it honestly
too.
> Do you claim that all the users of the 1500 networks that
> you designed or managed are security super-aces like you and never blew it?

The users are just normal users, but that's not the issue, they are
protected from downloading crap in HTTP sessions, attachments that could
be malicious are deleted and those that pass through are scanned, etc...
It's all about knowing your threat base and your exposure. They only get
outbound access that is for a "business" need, we block inbound by
country at the first layer, by type, then by content, etc...
> What are the alerts upon, since you claim that the systems you manage were never
> compromised?

That's the entire point, on those networks, ones we manage, we've not
had any, on unmanaged networks, even unmanaged ones we've designed,
we've seen them, valid ones, still not seen any false positives.

It sounds like you think no-one could understand the real-world threats
and then build layers of security around their networks to keep from
being exposed at the internal layer. I'm sorry that you feel that way,
but there are many examples of it in the security world, in the Intel
world, and in many Medical centers and other locations.
 
Flash Gordon

Leythos said:
> That's great for them and you - not being snide here, but, as I said
> before, never seen a false positive on more than 1500 systems, and we'll
> continue to use it scanning all files on access.

It may be rare, but it does happen.
http://www.google.co.uk/search?clie...in+virus+false+alarm&meta=&btnG=Google+Search
I've actually seen a tarball from Cygwin be reported as a virus.

Having said that, on a corporate machine I would generally set it to scan
all files myself.
 
Dustin Cook

David said:
> Since I monitor many virus News Groups, including Symantec's, I have come across *many*
> False Positive declarations from many AV vendors.

I don't know why you bother Dave. They won't listen to Ex Vx or AV.
They feel false positives are extremely low. They don't write the
products they use, but they know more about them than the rest of us.
Even the creators. *grin*

> I recently (10/6) dealt with one situation by Symantec in reference to iun6002.exe, which
> was falsely declared as a Trojan.Dropper.

Symantec foobared too eh? I recently had to remove that from BugHunter
as well, my own fault. It was an executable in the wrong folder, meant
for analysis, not inclusion quite yet.

> I'm still wondering when Avast will stop falsely declaring VBS/RedLof in Trend Micro's
> sysclean utility.

Same here.

Regards,
Dustin Cook
http://bughunter.atspace.org
 
Leythos

> I don't know why you bother Dave. They won't listen to Ex Vx or AV.
> They feel false positives are extremely low. They don't write the
> products they use, but they know more about them than the rest of us.
> Even the creators. *grin*

I talk with David on a personal/email level once a week or so, and I'm
not some kid/hack that doesn't have a clue, but I don't need to know how
Symantec AV works internally, only that it works in our environments.
I'm sure you don't know how ALL AV products work at the internal levels
either, or if you think you do, you're just what you claim I am.

I've not had an issue with false positives with Symantec Corp edition
software, at least not in the last 5 years, and we've not had a single
virus inside our protected networks - and we test the servers and select
workstations on a schedule with different vendors products, so I'm
confident in saying that.

I'm sorry you believe it can't be true, maybe you should look at how to
secure entry points a little better and then you might understand how
easy it is.
 
Dustin Cook

Leythos said:
> I talk with David on a personal/email level once a week or so, and I'm
> not some kid/hack that doesn't have a clue, but I don't need to know how
> Symantec AV works internally, only that it works in our environments.
> I'm sure you don't know how ALL AV products work at the internal levels
> either, or if you think you do, you're just what you claim I am.

That's great. David can verify who I claim to be quite easily. Isn't it
fun dropping names for credibility? As for knowing how AV products work
internally, back when I was active in VX it was sorta my job to know
how the enemy worked at an intimate level so as to avoid/disable/kill the
enemy before they could get me. As I said originally, I'm a coder.
Software is my thing. You're right tho, I never learned how Ewido's
routines work internally, but NAV I do. :)

> I've not had an issue with false positives with Symantec Corp edition
> software, at least not in the last 5 years, and we've not had a single
> virus inside our protected networks - and we test the servers and select
> workstations on a schedule with different vendors products, so I'm
> confident in saying that.

In all fairness, I'm not attacking you or your methods. So please don't
misunderstand my intentions. If more individuals like yourself took
security that seriously, I'd be a happier camper, as would many others.
:)

> I'm sorry you believe it can't be true, maybe you should look at how to
> secure entry points a little better and then you might understand how
> easy it is.

I didn't say I don't believe it to be true, only that what you're
claiming just seems a bit far fetched; not the security of your
networks, but the no false alarms thing. That's all.
 
Roadkil

grrrrrr =)=) i tend to remember all my dir's getting renamed during
beta testing!! "go ahead and change the date!!" =)=) worked perfectly
hehehehe
 
Solly

Windows 98 SE
Word 2000

Will start up word and load a document regardless of file
extension.

Renaming it to book.xyz still opens it.

What this shows is the parser must be looking not just
at the file name but inside the file content.

Just one more reason not to trust any Microsoft software.

I wonder what other applications do this.

If you can't tell how your software behaves you can never
have a secure system no matter what you do with firewalls.

Not even a "vaguely" secure system. You are wide open.

Solly
-------------
 
Roger Wilco

Solly said:
> Windows 98 SE
> Word 2000
>
> Will start up word and load a document regardless of file
> extension.
>
> Renaming it to book.xyz still opens it.
>
> What this shows is the parser must be looking not just
> at the file name but inside the file content.

Could be that to support OLE the OS must have this ability - they should
have unregistered extensions (and no extension) default to give the
"open with" dialog box instead of just invoking Word based on the file.
You can still edit the registry to do this, but I don't know the
particulars of how to do so.
> Just one more reason not to trust any Microsoft software.

To me, the whole idea of association by extension is wrong. Associations
really should be by actual filetype (what you are complaining about) and
the associations by extension kept to a minimum.
> I wonder what other applications do this.

You could experiment with other OLE(2?) enabled applications..
> If you can't tell how your software behaves you can never
> have a secure system no matter what you do with firewalls.

Absolutely, and installing and running additional software on the
machine is not the right approach to increasing security.
 
Guest

Roger Wilco said:
> Could be that to support OLE the OS must have this ability - they should
> have unregistered extensions (and no extension) default to give the
> "open with" dialog box instead of just invoking Word based on the file.
> You can still edit the registry to do this, but I don't know the
> particulars of how to do so.
>
> To me, the whole idea of association by extension is wrong. Associations
> really should be by actual filetype (what you are complaining about) and
> the associations by extension kept to a minimum.
>
> You could experiment with other OLE(2?) enabled applications..
>
> Absolutely, and installing and running additional software on the
> machine is not the right approach to increasing security.

Interesting...I tried this and a couple other experiments and found some
interesting results:

1) Double-clicking on the file on the desktop (instead of opening it inside
of Word) does cause the pop-up box asking what program to use to open the
file.

2) Tried to open a shortcut on the desktop (from inside Word) to WinZip and
what appeared looks like a 208 page document of code (not very readable,
just a lot of gobbledygook like "fÄj$høFLV<uVjèõ").

3) Tried to open an actual program executable (an EXE file) and once again
saw a bunch of code.

Apparently Word tries to open each and every file regardless of the type
(tested this with Word 2000 on Win2000 system).
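Roger Wilco's point above, that associations should follow the actual file type rather than the extension, and Solly's book.xyz experiment can both be checked with a small content sniffer. The following is an added example and is not code from anyone in this thread: it labels a file by its leading bytes (the OLE2 compound-document header that Word 97-2000 .doc files carry, the PK header of ZIP/JAR archives, and the MZ/PE headers of Windows executables) and compares that with what the extension claims, which is the check a mail or upload gateway would want before handing a file to whatever application is associated with it. The signatures are the standard, published ones; the EXPECTED table, the sample file names and the sample bytes are constructed for the demonstration.

```python
import struct
from pathlib import Path

# Leading-byte signatures for the container formats that come up in the
# thread. OLE2 is the compound-document container used by Word 97-2000
# (.doc), and ZIP is the container behind .zip, .jar and Office 2007+ files.
SIGNATURES = {
    "ole2": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",
    "zip": b"PK\x03\x04",
}

# Assumed policy: which detected container each extension is allowed to
# carry. Extensions not listed are treated like Solly's book.xyz: no
# association, so the file should get an "open with" prompt, not Word.
EXPECTED = {
    ".doc": {"ole2"},
    ".xls": {"ole2"},
    ".zip": {"zip"},
    ".jar": {"zip"},
    ".docx": {"zip"},
    ".exe": {"pe"},
    ".dll": {"pe"},
}


def sniff(data: bytes) -> str:
    """Label a file by its content, ignoring the name entirely."""
    for label, magic in SIGNATURES.items():
        if data.startswith(magic):
            return label
    if data[:2] == b"MZ":
        # DOS header: the 32-bit field at 0x3C (e_lfanew) points at "PE\0\0".
        if len(data) >= 0x40:
            (pe_off,) = struct.unpack_from("<I", data, 0x3C)
            if data[pe_off:pe_off + 4] == b"PE\x00\x00":
                return "pe"
        return "mz"  # DOS-only or truncated executable
    return "unknown"


def classify(name: str, data: bytes) -> dict:
    """Compare what the extension claims with what the bytes say."""
    ext = Path(name).suffix.lower()
    detected = sniff(data)
    allowed = EXPECTED.get(ext)
    if allowed is None:
        verdict = "unregistered-extension"
    elif detected in allowed:
        verdict = "match"
    else:
        verdict = "mismatch"
    return {"name": name, "ext": ext, "detected": detected, "verdict": verdict}


def build_pe_stub() -> bytes:
    """Constructed minimal PE-shaped header: MZ, e_lfanew = 0x40, PE signature."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)   # 64-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample files (name -> bytes); none of these are real documents.
SAMPLES = {
    "report.doc": SIGNATURES["ole2"] + b"\x00" * 24,  # genuine Word 2000 container
    "book.xyz": SIGNATURES["ole2"] + b"\x00" * 24,    # Solly's renamed document
    "invoice.doc": build_pe_stub(),                   # executable dressed as a document
    "tools.jar": SIGNATURES["zip"] + b"\x00" * 26,    # archive, as expected
    "setup.exe": build_pe_stub(),                     # executable, as expected
}


def scan_samples() -> dict:
    """Return name -> verdict for every constructed sample."""
    return {name: classify(name, data)["verdict"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = classify(name, data)
        print(f"{r['name']:<12} ext={r['ext']:<5} content={r['detected']:<7} {r['verdict']}")
```

Run directly it prints one verdict per sample. The two outcomes worth acting on are "mismatch" (the bytes are a container the extension is not allowed to carry, the case a scanner that only looks at executable extensions would miss) and "unregistered-extension" (book.xyz: the content is a perfectly good Word document, and the policy question is whether the application should open it anyway, which is what the thread is arguing about). The sniffer only reads the header, so it says nothing about what is inside the container; that is the job of the on-access scanner the earlier posts discuss.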
 
