Lies, damn lies, and Apple marketing

Earlier today I retweeted The Guardian’s technology editor, Charles Arthur’s tweet about a Sophos blog post highlighting an undocumented change to Mac OS X, that appears to guard against a particular malware exploit.

The response I got was accusation of having a half-empty iGlass and being an iHater. To be fair, the “accuser” was a friend of mine, and the comments were probably tongue in cheek (maybe not, based on the number of follow-up tweets…) but I was sure I’d read something on the Apple website about Macs not getting viruses, so I had a quick look…

Here is a quote from the Apple website, on why you’ll love a Mac:

“It doesn’t get PC viruses.
A Mac isn’t susceptible to the thousands of viruses plaguing Windows-based computers. That’s thanks to built-in defenses in Mac OS X that keep you safe, without any work on your part.”

Of course not – Macs (which these days have almost nothing, other than design aesthetics and operating system to distinguish them from any other PC – i.e. a personal computer running Windows, Linux or something else) don’t get the same viruses as Windows machines.  No, they have their own “special” sort of (admittedly rare) malware, that Apple is fortunate enough to be able to patch within the operating system.  That will be the “built-in defenses” (sic) they talk about then.  So why not be transparent and mention them in the release notes for the updates?

That’s the big text… then we get:

“Safeguard your data. By doing nothing.
With virtually no effort on your part, Mac OS X defends against viruses and other malicious applications, or malware. For example, it thwarts hackers through a technique called “sandboxing” — restricting what actions programs can perform on your Mac, what files they can access, and what other programs they can launch. Other automatic security features include Library Randomization, which prevents malicious commands from finding their targets, and Execute Disable, which protects the memory in your Mac from attacks.

Download with peace of mind.
Innocent-looking files downloaded over the Internet may contain dangerous malware in disguise. That’s why files you download using Safari, Mail, and iChat are screened to determine if they contain applications. If they do, Mac OS X alerts you, then warns you the first time you open one.

Stay up to date, automatically.
When a potential security threat arises, Apple responds quickly by providing software updates and security enhancements you can download automatically and install with a click. So you’re not tasked with tracking down updates yourself and installing all of them one by one.

Protect what’s important.
Mac OS X makes it easy to stay safe online, whether you’re checking your bank account, sending confidential email, or sharing files with friends and coworkers. Features such as Password Assistant help you lock out identity thieves who are after personal data, while built-in encryption technologies protect your private information and communications. Safari also uses antiphishing technology to protect you from fraudulent websites. If you visit a suspicious site, Safari disables the page and displays an alert warning you about its suspect nature.

As a parent, you want your kids to have a safe and happy experience on the computer. Mac OS X keeps an eye out even when you can’t. With a simple setup in Parental Controls preferences, you can manage, monitor, and control the time your kids spend on the Mac, the sites they visit, and the people they chat with.”

Now, to be fair to Apple, with the exception of the bit about viruses (and let’s put aside the point that viruses are only one potential form of malware), they don’t suggest that they are unique in any of this… but the page does imply it, and talks about how Macs are built on the world’s most advanced operating system (really?). So let’s take a look at Apple’s bold claims:

  • Safeguard your data by doing nothing.  “Sandboxing” – Windows has that too.  It prevents malicious applications from accessing sensitive areas of the file system and the registry using something called User Access Control (UAC).  You may have heard about it – generally from people getting upset because their badly-written legacy applications didn’t work with Windows Vista.  Thankfully, these days things are much better.  And I’m sure my developer colleagues could comment on the various sandboxes that .NET and Java applications use – I can’t, so I won’t, but let’s just say OS X is not alone in this regard.
  • Download with peace of mind.  Internet Explorer warns me when I attempt to download an application from a website too.  And recent versions of Windows and Office recognise when a file has originated from the Internet.  I have to admit that the Safari/OS X solution is more elegant – but, if Macs don’t get viruses, why would I care?
  • Stay up to date, automatically.  Windows has Automatic Updates – and the update cycle is predictable: Once a month, generally, on the second Tuesday; with lots of options for whether to apply updates automatically, to download and notify, or just to notify.  Of course, if you want to patch the OS manually, then you can – but why would you start “tracking down updates yourself and installing all of them one by one”?
  • Protect what’s important.  I’ll admit that Windows doesn’t have a password manager but it does have all the rest of the features Apple mentions: encryption (check); anti-phishing (check); warnings of malicious websites (check); parental controls (check).

I’m sure that a Linux user could list similar functionality – Apple is not unique – this is run-of-the-mill stuff that any modern operating system should include.  The trouble is that many people are still comparing against Windows XP – an operating system that’s approaching its tenth anniversary, rather than any of the improvements in Vista (yes, there were many – even if they were not universally adored) and 7.

So, back to the point:

“@markwilsonit Seriously? We needed confirmation?! Apple often patches security holes. Your iGlass is still half empty, then? #ihater”

[@alexcoles on Twitter, 18 June 2010]

Patching security holes in software (e.g. a potential buffer overflow attack) is not the same as writing signature code to address specific malware.  I’m not an iHater: I think it’s good that Apple is writing AV signatures in their OS – I’d just like them to be more open about it; and, as for the criticism that I don’t write much that’s positive about Apple, I see it as having an ability to see past the Steve Jobs Reality Distortion Field and to apply my technical knowledge to look at what’s really there underneath the glossy exterior.

I should add that I own two Macs, three iPods and an iPhone (I also owned another iPhone previously) and hope to soon have the use of an iPad. In general, I like my Apple products – but they’re far from perfect, despite what the fanboys and Apple’s own marketing machine might suggest.

Forefront Client Security

A couple of years back, Microsoft bought a load of security companies and since then we’ve seen them continue to offer FrontBridge services as Microsoft Exchange Hosted Services; Windows Defender was born out of the previous Giant Company anti-spyware product, and a couple of months back they released Forefront Client Security (FCS) – which I believe is based on the technology gained from the purchase of Sybari.

Yesterday, I spent some time working through a hands-on lab for Forefront Client Security and it seems pretty good. What follows is not a full product review (a demo is available on the Microsoft web site), but some of the highlights I picked out from the lab.

  • In line with most anti-virus clients, Forefront Client Security displays a taskbar icon to indicate status. Depending on the policies applied (from an FCS management console), this will allow a user to launch the client software.
  • Quick scans check for viruses and spyware in:
    • Processes loaded in memory.
    • User profile, Desktop, system folders and Program Files folder.
    • Common malware infection points (auto start registry entries, etc.)
  • FCS does not scan removable or network disks
  • Periodic quick scans should be scheduled in order to make use of the latest definitions to detect any malware that may have infected a computer between the previous scan and the application of new definitions.
  • Real time protection detects and prevents malware attacks immediately
  • Quarantined files are stored as encrypted files inside a .CAB in a subfolder under C:\Documents and Settings\All Users
  • Event log messages may include the acronym MCPAVAS (Microsoft Client Protection Anti-Virus Anti-Spyware)
  • Definition updates are stored at C:\Users\All Users\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{GUID}
  • To reduce the size of definition file transfers, FCS uses a system of base and delta definition files. Key files are:
    • mpengine.dll – malware scanning engine
    • mpasbase.vdm – anti-spyware base definition file
    • mpasdlta.vdm – anti-spyware delta definition file
    • mpavbase.vdm – antivirus base definition file
    • mpavdlta.vdm – antivirus delta definition file
  • Definition updates are available from Microsoft Update (or WSUS for internal deployments). Because WSUS uses a daily synchronisation schedule, FCS installs a service (the Microsoft Forefront Client Security Update Assistant service) that automatically connects WSUS to Microsoft Update every hour to retrieve definition updates. This service also automatically approves updates for distribution and installation so that updates are always available within one hour of release (although it should be noted that there may be a further delay before updates are retrieved depending on the frequency of client update checks).
  • FCS policies (e.g. to control the level of user interaction and reporting, or to specify allowed applications) are managed using the Microsoft Forefront Client Security Console.
    • FCS policies can be deployed to organizational units (OUs), security groups, or manually (using a registry file). Group policy objects (GPOs) may also be created manually.
    • Upon deployment via OU or security group, FCS uses the group policy management console (GPMC) API to create a new GPO (named fcspolicyname-{guid}) which is applied to the appropriate OU or filtered based on security group membership. This policy is unlinked and deleted when the FCS policy is undeployed. Group policy updates may need to be forced using the gpupdate /force command and Kerberos ticket renewal may delay group-based policy application.
    • For local policy file deployment (e.g. using a registry file), a tool is provided on the FCS product CD-ROM (fcslocalpolicytool.exe).
    • As with other group policies, settings deployed via FCS policies are unavailable to users (greyed out).
  • FCS also includes a report viewer for management purposes, e.g. for security state analysis.

It may be useful to note that the European expert group for IT security (EICAR) produces an anti-virus test file that can be useful for fine-tuning anti-virus processes and procedures. The Microsoft Malware Protection Center includes threat research and response information (similar to the services offered by other anti-virus vendors) as well as details of the latest definition updates.
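One way to use the EICAR test file mentioned above to check that on-access (real-time) scanning is actually working on a machine is to write the file and watch whether the scanner removes it. This is an added example, not code from the original post or from any vendor; the `realtime_detection_check` function and its result fields are my own construction, and the test string is the published EICAR one.

```python
import time
from pathlib import Path

# The published 68-byte EICAR test string: harmless by design, but every
# mainstream scanner is expected to detect it as a test signature.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_string() -> str:
    return EICAR


def realtime_detection_check(directory, timeout_s: float = 30.0) -> dict:
    """Write the EICAR file into `directory` and report whether the on-access
    scanner removed (or blocked) it within timeout_s.

    Returns a record with: detected (bool), how (str), seconds (float).
    """
    target = Path(directory) / "eicar_test.com"
    t0 = time.monotonic()
    try:
        target.write_bytes(eicar_string().encode("ascii"))
    except OSError as exc:
        # Some scanners refuse the write itself; that also counts as detection.
        return {"detected": True, "how": f"write blocked: {exc}", "seconds": 0.0}
    while time.monotonic() - t0 < timeout_s:
        if not target.exists():
            elapsed = round(time.monotonic() - t0, 2)
            return {"detected": True, "how": "file removed", "seconds": elapsed}
        time.sleep(0.5)
    # Not detected in time: remove the test file ourselves so it does not linger.
    try:
        target.unlink()
    except OSError:
        pass
    return {"detected": False, "how": "file still present", "seconds": timeout_s}


if __name__ == "__main__":
    result = realtime_detection_check(Path("."), timeout_s=10.0)
    print(result)
```

A `detected: False` result on a machine that is supposed to have real-time protection is the finding worth chasing: it usually means the service is stopped, the folder is excluded, or definitions have not loaded.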

Links

Forefront Client Security team blog.

Crowdsourcing for advice on PC security software

What would you do if you received a message that started like this?

Hi chaps,

In a somewhat strange experiment, you have found yourself BCC’d on this e-mail as the people whose technical and professional opinion I value the most. If that doesn’t feel right to you, perhaps Outlook auto-complete ended up selecting the wrong person from the GAL or my Personal Address Book! ;-)

If your spam filters hadn’t already picked it out you might stop reading right there, except that this was the start of a message from one of my colleagues, who was experimenting with an alternative method of gathering information – crowdsourcing. The theory is good – after all, why spend hours reading lots of highly subjective reviews of software, probably biased by the vendors’ public relations efforts, when you can ask some trusted colleagues to spend ten minutes telling you what they think (in this case, which anti-virus/anti-spam/personal firewall products they use and why they use them)? For those who are unconvinced by this method of research and say that those ten minutes are valuable and that you could be doing something worthwhile instead, think about this… we’re talking about people who trust one another’s advice here – one day that favour will be returned.

In this case, my colleague returned the favour by sharing the information – and allowing me to post it here! What follows is the Garry Martin guide to selecting PC security software:

Anti-virus
Most of you swear by AVG Free and those that don’t, use “commercial” products instead (such as those from Symantec, McAfee or Microsoft etc.) that were either free, or that they have paid very little for under various special offer programmes. Only two of you appear to have paid retail prices for a product. Whilst there was some anecdotal evidence of issues with different programs, no one strongly warned me away from a particular product or manufacturer.

Anti-spyware
Again, most of you use the free Windows Defender (http://www.microsoft.com/athome/security/spyware/software/default.mspx) and those that don’t, use the anti-spyware capability of their “commercial” suite products (Symantec, McAfee etc.). Some of you supplement this real-time scanning with the occasional run of Ad-Aware 2007 Free or the freeware Spybot – Search and Destroy just to be sure. Many of you have found things that Windows Defender has let through using this method.

Firewall
Most of you are happy with the Windows Firewall built in to Windows XP and Windows Vista. Those of you that use something different do so generally because it is part of your “commercial” suite. Many of you mentioned that you were happy anyway as you were also behind the hardware firewall of your ADSL router.

Content Filtering
Only one of you uses web content filtering. This use is primarily to protect the prying eyes of little ones, and the product used is CyberPatrol.

Others
One notable mention from me is that I also use the freeware CCleaner to clear my tracking cookies on every boot and through a batch file when required. CCleaner allows you to tag cookies you want to keep, so is very effective in protecting your privacy. I’m sure it has hundreds of other features, but this is the only one I use it for and it works very well.

So in summary, my personal “crowdsourcing” experiment worked, and worked very well. I didn’t need to research this myself, and hopefully in the process have put together some useful information for all of you. Result. Oh, and hopefully my PC is now at least as secure as your PC is!

[I was one of the mugs who paid retail prices for a product… although in fairness it was for my wife’s business…]

Garry’s experiment doesn’t have to stop there though – if you have any views on either the crowdsourcing concept or on PC security software, please leave a comment on this post.

Password to remove Symantec AntiVirus

I’m just in the process of installing Microsoft Windows Live OneCare on my Mum’s laptop but first of all I needed to remove Symantec AntiVirus 8 Corporate Edition. I had some trouble though as it needed a password for removal and the password I use for managing the anti-virus infrastructure here wasn’t working. I even reinstalled the software to reattach the client to my Symantec AntiVirus Server installation but it still didn’t work.

Luckily, I’m not the first to have experienced this issue. Thanks to BarryVG for posting the password on TechRepublic and for anyone else who needs it, try symantec – it worked for me!

This is how easy it is to fall into the malware trap

Last year, I wrote about the perils of being an IT professional – namely being expected to fix family and friends’ PCs for free… well, for the last 24 hours, I’ve been removing malware from what was possibly the worst-infected PC I’ve ever seen!

Some time ago, I gave an old laptop to my Mum and her partner as they wanted to learn to use e-mail and the Internet. I set them up with Windows XP, Firefox and Thunderbird (on reflection I should have used Outlook Express – it may be a poor e-mail client but it’s what all the text books for Windows XP will assume) and they have become quite attached to it.

At first they had a dial-up connection but they recently upgraded to high-speed ADSL (as did my in-laws… how come all the silver surfers in my family have a faster Internet connection than I do?) and that’s where the trouble started.

First of all “a friend” installed some software for them. Nothing unusual, just stuff to clog up a system that was never going to be very fast (an aging Compaq Evo N410c with a 1GHz Pentium 3 Mobile processor and 256MB RAM) – free stuff like Google Pack and AVG Anti-Virus software. I got a call to say the PC was taking an age to start up and when I investigated, I found that AVG was performing a full scan on startup (which was probably causing conflicts with the copy of Symantec AntiVirus that I had already installed). I removed the offending software and startup times returned to normal.

Then, today, I was told that the PC was reporting that it had a “Trojan” installed and it kept on opening adult websites. “Oh dear”, I thought… “bring it over and I’ll take a look”, I said.

First, I disconnected all of my other computers from the network! Next, I removed all the unnecessary software. Then, I connected to the Internet and ran the Windows Live OneCare Safety Scanner… except that after 6 minutes it was only 6% complete, so I left it for a couple of hours, ignoring the pop-ups which kept appearing (in spite of Internet Exploder Explorer 7’s pop-up blocker).

When I came back, there were 50 instances of Internet Explorer (IE) running – or more accurately 50 instances of IE that were hogging resources and had hung…

Time for plan B. Open Firefox and run Trend Micro HouseCall – using a non-Microsoft browser would mean no ActiveX and therefore I could safely crash IE if necessary without losing the results of the scan (HouseCall can use Java with browsers without ActiveX support). This time I stayed with the PC and was amazed at the popups that appeared – some of them could easily fool a novice user into thinking that they were real:

[Screenshots: four fake security warnings]

Fake security applications such as Live Safety Center, WinAntiVirusPro 2006 and DriveCleaner sound quite authentic really, as do notifications claiming to have detected fake malware such as Trojan-Spy.Win32@mx and NetWorm-i.Virus@fp, inviting the user to click and install “official security software”. Similarly, for many users, an ActiveX warning which reads “This website wants to install the following add-on: ‘WinAntiSpyware2007FreeInstall.cab’ from ‘WinSoftware Corporation, Inc.’. If you trust the website and the add-on and want to install it, click here.” would be pretty convincing.

Eventually, I realised that if I closed IE, leaving HouseCall running within Firefox, the popups stopped (although the fake notifications continued). Unfortunately, HouseCall failed at the cleaning stage, so time for plan C.

Plan C was to download, install and run AdAware SE Personal Edition. Normally this would have been the first tool I used but I figured that the malware on this system would detect something as well known as AdAware and prevent it from installing. Not so – after a few minutes it had identified 67 critical objects (including two Trojans with TAC ratings of 10) and cleaned them from the computer. Then, just to be sure, I restarted the system and ran AdAware again (just two critical objects this time). Then, I ran the Windows Live OneCare Safety Scanner again to give a full system check.

It took a few attempts to finally remove everything (as well as manually removing a suspect registry entry from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\ and running cleanmgr to launch the Windows XP Disk Cleanup utility and delete all but the most recent system restore points) but after getting the all clear from two separate tools, I was satisfied that the PC had been disinfected.

Cleaning up this mess has taken a whole evening, a good chunk of last night, and most of today too so how can I stop this from happening again? “Don’t click on anything that you don’t expect to see” is all very well but if you’re a novice then how do you know what is expected and what isn’t?

I don’t know the answer but it’s bl**dy annoying. Needless to say I’ll be removing the existing anti-virus software from that PC and installing something a little more comprehensive. Windows Live OneCare has a 90 day free trial – maybe I’ll give that a go.

Windows Live OneCare Safety Scan

Based on the content I write, I imagine that most readers of this blog will be IT professionals. That generally means two things:

  • Your family don’t understand what you do (e.g. “Mark works in computers”).
  • Your family and friends think that because you “work in computers” that you can fix their PC.

I fell foul of this a couple of times over the last few days. The first time was no big deal – a few months back, I had given my parents an old laptop and now they are really getting into e-mail and the web; however it was booting very slowly because a well-intended friend of theirs had installed the popular (and free for non-commercial use) AVG Anti-Virus (along with a load of unnecessary applications) and it was performing a full scan on every boot (I had already installed Symantec AntiVirus which was working quite nicely in a far less obtrusive manner). Once I removed AVG, performance was back to normal… so much for well-intentioned friends.

The second instance was last night, when my brother said he’d applied some updates to his PC and now he couldn’t get into Excel. That was easy enough (Microsoft Office XP required the original media to complete installation of an update), but I decided to check out the general state of the PC and was a little alarmed. Because the PC is only connected to the Internet via a modem, downloading updates takes a long time – automatic updates will trickle feed and my brother had kept his anti-virus definitions up-to-date but it still needed a lot of attention. Microsoft Update told me that it would need most of the night to download its updates, so I took it home (disconnected everything else from my LAN as a precaution) and hooked it up to my ADSL line, before spending the next couple of hours downloading and applying 61 Microsoft updates (as well as updating AdAware SE Personal Edition, which was over 700 days out of date).

Having given the PC a clean bill of health with AdAware (luckily the dial-up connection had minimised the spyware threat and it just had 52 tracking cookies to remove), I decided to check out another tool that, ironically, an Apple support page had alerted me to the existence of – the Windows Live OneCare Safety Scan.

Other antivirus vendors have online scanners (e.g. McAfee, Symantec and Trend Micro) but the advantage of the Microsoft version is that the full scan checks for viruses, spyware, disk fragmentation, temporary files, redundant registry data, and open network ports – what would appear to be a fairly thorough healthcheck, all through one ActiveX control.

Another feature is that you can run individual scans for protection, cleaning up or tuning the system (each effectively a component of the full scan described above). Finally, for Windows Vista users, the Windows Live OneCare site also provides a beta for a Vista-aware full service safety scan.

Message hygiene principles for Microsoft Exchange Server

Whilst researching my post on the Microsoft Exchange intelligent message filter a couple of months back, I came across the following message hygiene architectural principles, which Microsoft promotes as best practice:

  • Anti-spam filtering must be performed before anti-virus filtering.
  • Anti-spam filtering should be performed for inbound mail only.
  • Anti-spam filtering should remove messages (cf. quarantining messages).
  • Anti-virus filtering must scan both inbound and outbound mail.
  • Anti-virus filtering must be mail-direction aware.
  • Anti-virus filtering must block messages that it cannot scan.
  • Anti-virus and anti-spam filtering system must integrate with Exchange Server.
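To make the ordering and direction rules in the list above concrete, here is an added example (not Microsoft’s or Exchange’s code) that models a message-hygiene pipeline following those principles on a few constructed messages. The spam heuristic, the attachment model and the reading of “mail-direction aware” (notify the internal sender of a blocked outbound message, never bounce to an inbound sender) are my own assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Direction(Enum):
    INBOUND = "inbound"
    OUTBOUND = "outbound"


@dataclass
class Attachment:
    name: str
    scannable: bool        # False for e.g. password-protected or corrupt archives
    clean: bool = True


@dataclass
class Message:
    sender: str
    subject: str
    direction: Direction
    attachments: list = field(default_factory=list)


@dataclass
class Decision:
    action: str            # "deliver", "remove" or "block"
    reason: str
    stages_run: list       # filters that actually executed, in order
    notify_sender: bool    # only ever True for outbound mail (assumed policy)


# Constructed, hypothetical spam heuristic standing in for a real filter.
SPAM_MARKERS = ("winner!!!", "cheap pills")


def looks_like_spam(msg: Message) -> bool:
    return any(m in msg.subject.lower() for m in SPAM_MARKERS)


def av_scan(msg: Message) -> str:
    """Return 'clean', 'infected' or 'unscannable' for the message's attachments."""
    verdict = "clean"
    for att in msg.attachments:
        if not att.scannable:
            return "unscannable"
        if not att.clean:
            verdict = "infected"
    return verdict


def apply_hygiene(msg: Message) -> Decision:
    stages = []
    # Principles 1-3: anti-spam runs first, for inbound mail only, and removes
    # rather than quarantines, so spam never consumes an anti-virus scan.
    if msg.direction is Direction.INBOUND:
        stages.append("anti-spam")
        if looks_like_spam(msg):
            return Decision("remove", "spam", stages, notify_sender=False)
    # Principles 4-6: anti-virus runs in both directions and blocks anything it
    # cannot scan. Direction awareness (assumed interpretation): an infected
    # outbound message comes from an internal user who should be told, while an
    # inbound sender address is routinely spoofed, so no bounce is generated.
    stages.append("anti-virus")
    outbound = msg.direction is Direction.OUTBOUND
    verdict = av_scan(msg)
    if verdict == "unscannable":
        return Decision("block", "unscannable attachment", stages, notify_sender=outbound)
    if verdict == "infected":
        return Decision("block", "malware", stages, notify_sender=outbound)
    return Decision("deliver", "clean", stages, notify_sender=False)


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Message("x@example.net", "WINNER!!! claim now", Direction.INBOUND,
                [Attachment("prize.exe", scannable=True, clean=False)]),
        Message("alice@corp.example", "Q2 report", Direction.OUTBOUND,
                [Attachment("report.zip", scannable=False)]),
        Message("bob@corp.example", "WINNER!!! of the raffle", Direction.OUTBOUND),
    ]
    for m in samples:
        d = apply_hygiene(m)
        print(f"{m.direction.value:8} {m.subject!r:28} -> {d.action} ({d.reason}) via {d.stages_run}")
```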

Updating Windows Defender Beta 2 using WSUS

Last year I blogged that Microsoft were pushing updates to their Windows AntiSpyware Beta, to extend the expiry date past the end of July 2005. Since then, there have been a number of updates (including renaming the product to Windows Defender) and even though Windows Defender is included in recent Windows Vista builds, my XP clients have still been running Windows AntiSpyware Beta v1.0.701 (which expires at the end of July 2006).

That started to change tonight, when one of my XP machines updated itself to Windows Defender Beta 2, and although the product is now at v1.1.1347 (engine v1.1.1303.0), the definitions went backwards from update 5841 (5 May 2006) to a new definition numbering scheme (v1.0.0.0), dated 25 January 2006. Strangely, checking for updates reported that there were no updates available for download.

Microsoft knowledge base article 915105 describes an issue where Windows Defender does not download updates, but the resolution didn’t work for me; however, I did discover that Windows Server Update Services (WSUS) now supports Windows Defender (Microsoft knowledge base article 915597 has more details of the update delivery mechanism).

After enabling Windows Defender updates in WSUS and synchronising, I found that there were three definition updates waiting for me to approve – v1.14.1408.8 (25 April 2006), v1.14.1410.10 (27 April 2006) and v1.14.1436.4 (3 May 2006). A few minutes later, checking for updates resulted in a successful download from WSUS.

Windows Defender seems to be in an extraordinarily long beta program (considering the original Giant Company product that Microsoft bought was so well regarded), but it seems pretty solid to me. Let’s hope that the US DOJ and the EU don’t force Microsoft to unbundle important security features like this from Windows.

Installing CA eTrust EZAntivirus on Windows Vista

My usual anti-virus software (Symantec AntiVirus 8 Corporate Edition) does not seem to install on Windows Vista – which is not really a problem as Vista is still in beta and so the PC will be rebuilt every few months anyway, leaving me free to use a trial version of something else. I found that CA is offering Microsoft customers a 1-year trial of the eTrust EZAntivirus product, free of charge, so I downloaded and installed that on Windows Vista (December CTP: build 5270). Installing this was not as easy as I expected – initial attempts to install failed part way through with the following message (even though I was logged in as Administrator):

Setup Error

Setup failed to copy necessary system files. Please make sure you have administrator permissions.

I eventually kicked the installation into life by running in compatibility mode for Windows XP Service Pack 2 (for reference, my EZAntivirus product version is 7.0.8.1 with engine 11.9.1 and virus signature 9633).

Previously I’ve had problems getting the Microsoft Windows AntiSpyware beta to load on Vista but I’m pleased to see that the December CTP includes Windows Defender so I’m already covered.

Now that I’ve got all the requisite IT prophylactics in place, it should be safe to go online…

A quiet news day?

Today must be a “quiet news day”. We see precious little IT news in the national press, and I know it’s the middle of August, but Metro, the UK’s free newspaper for commuters in and out of our major cities, is really scraping the barrel with its IT reporting this morning. On page 21, a sixth of a page is given over to a story about a worm attacking Windows 2000 (Hackers target Windows 2000) – an officially unsupported operating system. I wouldn’t mind that such a non-event is reported if only it were accurate. According to the Metro article:

“The basic effect of the worm is not damaging but irritating – it forces the computer to repeatedly shut down and reboot, clogging networks.”

Since when did a reboot clog up a network? (A few bytes of DHCP traffic; an increased number of logons.) Allegedly, “ABC News producers were forced to use electronic typewriters to prepare TV scripts”. It seems to me that the most pertinent point of the article was the quote from a security expert from McAfee who said that the time between vulnerability exposure and exploit is lessening – something we’ve known for some time now. Microsoft’s advice on what to do about this exploit, known as Zotob, indicates that “only a small number of customers have been affected… [with] no indication of widespread impact to the Internet” (although Sophos lists a dozen types of malware exploiting the MS05-039 vulnerability used by Zotob).

The Metro reporter, Sarah Hills, needs to do some research – perhaps instead of alarming a generally computer-illiterate public she should point out that Windows 2000 is old and those organisations affected should tighten up their anti-virus protection! More to the point, the exploit also affects Windows XP and Windows Server 2003 – not just Windows 2000!

In the same paper, immediately below the “Hackers target Windows 2000” piece, is another one about how “Bluetooth thieves log your laptop”, scanning parked cars for Bluetooth devices locked in the boot. Isn’t Bluetooth off when my laptop is switched off?

I know it’s all about stories being newsworthy, but what I’d really like to see is the occasional IT piece in the national press which is both accurate and timely, without being alarmist.