Anti-Malware Engineering Team

This blog provides information about what's happening in the anti-malware technology team at Microsoft. We're the team that builds the core antivirus, antispyware, anti-rootkit, and related technology, which is then used across a number of Microsof


Sony DRM Rootkit


I've been getting a lot of questions in the last week about Microsoft's position on the Sony DRM and rootkit discussions, so I thought I'd share a little info on what we're doing here. We are concerned about any malware and its impact on our customers' machines. Rootkits have a clearly negative impact on not only the security, but also the reliability and performance of their systems.

We use a set of objective criteria for both Windows Defender and the Malicious Software Removal Tool to determine what software will be classified for detection and removal by our anti-malware technology. We have analyzed this software, and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software to the Windows AntiSpyware beta, which is currently used by millions of users. This signature will be available to current beta users through the normal Windows AntiSpyware beta signature update process, which has been providing weekly signature updates for almost a year now. Detection and removal of this rootkit component will also appear in Windows Defender when its first public beta is available. We also plan to include this signature in the December monthly update to the Malicious Software Removal Tool. It will also be included in the signature set for the online scanner on Windows Live Safety Center.

I'll update you if any more information comes up.


Jason Garms
Architect & Group PM
Anti-Malware Technology Team
Microsoft Corporation




  • Great work guys!

  • Thanks for doing the right thing!

  • Thank you Microsoft. This is the right thing to do.

  • Sony reserves the right to protect their intellectual property - but not at the risk of exposing our PCs to external threats.

    I applaud Microsoft for taking this path - as they do with any company that tries this sort of thing - with no fear or favour.

  • I would like to see Windows fixed to not allow these types of programs to install in the first place.

  • Thanks a lot - perhaps it would also be useful if you put something into Windows to warn people when these things try to install, and require their permission before they get onto the system (at which point they become difficult to remove) - this way legitimate uses of rootkit technology (e.g. Kaspersky Antivirus) will be unaffected but any future unethical uses such as this will be prevented. In any case, it's good to see Microsoft finally taking a stand against big companies that think they have the right to install malware on Microsoft customers' machines, simply because they own a restricted intellectual right in a sound recording.

  • Are you all sheep or what?

    They waited until Sony itself said they would be stopping production of said CDs and tried to remove it.

    Before that they were well "we are evaluating what to do" type b.s. For fear of being sued.

    Yet you are all here like they were McAfee and said from the GET GO that they would be scanning for and removing.

    Microsoft does not have a backbone for the average consumer and you guys need to wake up..

  • Well done Microsoft!

  • Don't praise them too loud guys.

    Of course this is the right thing to do, but I would take any bet that in the not-so-far future there will be a "Microsoft-Certified" way to do very similar things...

  • Excellent, thank you MS for removing the rootkit portion of this software.
    However, it would be cleaner to remove the software entirely (just like you do with other dangerous software).
    Why treat Sony software as different to 180solutions or Claria?
    If the software is on the machine it should be vaped.

  • Great move. Kill all the malware, guys!

  • Well done.

  • I hope you remove the CodeSupport.ocx (required for their own uninstaller) as well, see my RebootMachine demo for a good reason to:

  • I understand that Sony-BMG used two different DRM software packages for different albums. One, called XCP is from First4Internet. The other is from SunnComm, called MediaMax. Will your solution remove both XCP and MediaMax?

  • But what does this mean?

    That you will just make visible the rootkit files?

    Or will you remove all or some of the program?

    Or will you (sceptic here) just recommend 'Ignore' when the rootkit is found?

    Toy Man
