31 July 2007

Good Things Here...


Some folks get it...

http://blogs.technet.com/secguide/archive/2007/07/12/malware-removal-starter-kit.aspx

Using the Windows Preinstallation Environment (Windows PE) in combination with free anti-malware programs, the kit provides you with a low-cost, effective strategy and tool recommendations that you can use to vanquish malware attacks.

...while some folks don't:

http://blogs.msdn.com/rflaming/archive/2006/09/20/763960.aspx

From a security perspective, when you get owned running under a Machine-wide account, game is over and you have to flatten the machine to get back to a secure state. 

By "it" I mean the defense-in-depth concept that the battle doesn't end when malware gets into your PC. Machines get "owned" all the time: the majority of spam is carried by botnets running on such systems, and surveys have indicated that a high percentage of PCs are running malware.

If the only option for such systems is to "just" flatten and rebuild, many consumers will simply shrug and prefer to stay infected. After all, they already tolerate rootkits dropped from audio CDs, DoS (activation) payloads built into their OS, adverts from all over the place, and so on; why should they mind if a smidgen of their bandwidth is used to DDoS unpopular entities such as the RIAA, or to send out the same spam they receive every day anyway?

The problem with "just wipe and rebuild" is not pessimism that a cleaned PC will really be clean, but optimism that a rebuilt PC will stay clean: it goes back to the same user, the same habits and the same exposure that got it infected in the first place. In reality, both approaches are complex battles that may be lost.

Security Guides Blog

The first link is from SecGuide, which may be the first Microsoft team to offer end users the tools they need to formally manage malware on infected PCs. They may not be as far down that road as some BartPE-based solutions, one of which is shown in this slide show, but in-house Bart projects are usually too complex to be offered as an off-the-peg solution for end users to download and use.

The SecGuide approach is based on WinPE 2.0, which is now available to end users via the Windows Automated Installation Kit (WAIK). Integrating tools into WinPE and building a WinPE boot disk is a pretty daunting process, so I was wondering whether combining David Lipman's Multi-AV tool with BartPE would be easier.
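To show what "integrating tools into WinPE and building a boot disk" actually involves, here is an added example of the WAIK workflow as a batch script. It is not the SecGuide kit's code and not from the original post; it assumes the Vista-era WAIK is installed and the script is run from the "Windows PE Tools Command Prompt" it provides (so copype.cmd, imagex, peimg and oscdimg are on the PATH), and the working folder C:\winpe_x86 and the C:\av-tools folder of portable, command-line scanners are made-up names. The security point is the one the post makes: the scanners run from a clean environment in which the infected OS is not running, so a rootkit cannot hide its files from them.

```batch
@echo off
rem Added example, not the SecGuide kit's build script. Builds a WinPE 2.0
rem boot ISO with the WAIK and copies a folder of stand-alone scanners into
rem the image. Paths below are assumptions; WORK must not contain spaces.
setlocal

set ARCH=x86
set WORK=C:\winpe_%ARCH%
rem Assumed: a folder of portable scanners (no installer, no service needed)
set TOOLS=C:\av-tools
set MOUNT=%WORK%\mount

rem 1. Create the working tree: %WORK%\ISO, %WORK%\winpe.wim, etfsboot.com.
rem    copype.cmd refuses to overwrite an existing folder, so check first.
if exist "%WORK%" (echo %WORK% already exists & exit /b 1)
call copype.cmd %ARCH% "%WORK%" || exit /b 1
mkdir "%MOUNT%"

rem 2. Mount image index 1 of the base WIM read/write.
imagex /mountrw "%WORK%\winpe.wim" 1 "%MOUNT%" || exit /b 1

rem 3. Enable the optional packages that most scanner scripts need
rem    (these WinPE-*-Package names ship with the WAIK).
for %%P in (WinPE-Scripting-Package WinPE-WMI-Package WinPE-XML-Package) do (
    peimg /install=%%P "%MOUNT%\Windows" || goto :fail
)

rem 4. Copy the scanners into the image; at boot they appear as X:\Tools.
rem    Refresh their signature files in %TOOLS% before each build.
xcopy /e /i /y "%TOOLS%" "%MOUNT%\Tools" || goto :fail

rem 5. Commit the changes, then put the image where the boot loader looks.
imagex /unmount /commit "%MOUNT%" || exit /b 1
copy /y "%WORK%\winpe.wim" "%WORK%\ISO\sources\boot.wim" >nul

rem 6. Build a bootable ISO (-n allows long file names, -b sets the
rem    El Torito boot sector; oscdimg takes the path directly after -b).
oscdimg -n -b%WORK%\etfsboot.com "%WORK%\ISO" "%WORK%\winpe_%ARCH%.iso" || exit /b 1

echo Built %WORK%\winpe_%ARCH%.iso
exit /b 0

:fail
rem Unmount without /commit so a half-finished image is discarded.
imagex /unmount "%MOUNT%"
exit /b 1
```

Two caveats a practitioner will hit: the scanners must be ones that run from a plain folder, because nothing in WinPE will service an installer or a kernel driver, and the signature files baked into the ISO go stale, so the build is worth repeating (or the tools pointed at a USB stick) rather than burning once and forgetting. Running peimg /prep before the unmount shrinks the image by discarding the packages that were not installed, at the cost of not being able to add any later.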

In the big picture, we need to market the clean state against the accepted state of living with resident malware.  A non-destructive cleaning approach is a key element, and it's good to see parts of Microsoft getting this.

Windows Installer

The second link is from Setup Sense and Sensibility, which is a fascinating insight into the Windows Installer and how this has developed in Vista in particular.  The perspective appears to be 100% rooted in the concerns of corporate networking, and centered on per-user permissions and control.

The trouble is, this approach just doesn't fit the outside world of free users and the one or two PCs they use. There's no "admin" to "do things for" the user, no tight white-list of permitted applications, and the user should have full and unfettered control over the PC. A single PC may represent the user's entire infrastructure, so there's no "easy way out" of wiping and rebuilding desktop systems while the data sits safely on a server.

Moreover, the same user will do multiple different things in the same logon session that should have differentiated rights. Simply giving all processes the same rights just because they run in the same logon session is next to useless: even the most limited user account can edit, overwrite or trash the user's own data, so malware running as that user can do the same to the only thing on the PC the user actually cares about.

I've covered aspects of this issue many times, such as the adverse effect of flattening natural obstacles and the janitor account concept. UAC is a step in the right direction, as for the first time it leverages the user's control over automated processes. The reason it is so "ugly" is that it is so at odds with the assumptions underlying NT's development, i.e. that automation would always be done by "proper" entities and that the user should be swept aside to facilitate such automation.
