Yesterday evening, the antimalware team shipped a new tool which should be helpful to small and medium-sized organizations. This guide is designed for IT professionals (who may be wearing many hats) in the small business setting. The kit provides recommendations and tools to assist in removing problematic malware from your environment.
You can find this tool at the following URL:
http://www.microsoft.com/technet/security/guidance/disasterrecovery/malware/default.mspx
If you have suggestions about this tool, send us e-mail at secwish@microsoft.com
While you are at it, feel free to also visit the Malware Protection Center Portal at the following URL:
http://www.microsoft.com/security/portal
I hope to make more posts as new technology is released to help our customers get and stay secure.
-steve
One of the cool things about Windows Defender is that we still give system administrators the ability to deploy definition updates by using WSUS. I have just written a KB article on setting up a WSUS server to download and deploy Defender definitions.
You can find this KB at: http://support.microsoft.com/kb/919772
As always, please feel free to comment on the ways we can make Windows Defender better for you all!
-steve
Over the last few months we have been working hard on creating the next version of the Microsoft anti-spyware technology. Today, we are announcing the new name for this technology… Microsoft Windows Defender. Does this mean a lot is changing?? Well... YES – and all for the better!! As part of our development process, we have been lurking in the newsgroups, listening and talking to customers to hear how we can make this release better.
It is going to be a part of VISTA!
The biggest announcement we are making is that Windows Defender will be a part of Vista when it releases. You will be able to run another anti-spyware product instead of Windows Defender if you would like. Although I may shed a small tear, you will be able to disable or turn off Windows Defender and install whichever 3rd party anti-spyware application you would like. The really cool thing is that the Windows Security Center in Vista will be redesigned to detect whether an anti-spyware application such as Windows Defender is running and operating normally.
New Signature Update Mechanism.
That’s great and all, but what about some technical info about Windows Defender? Well, I have something for you folks as well… Instead of writing our own update engine for this technology, we have teamed up with Windows Update to deliver signatures to you through Automatic Updates. This is an excellent way for us to utilize an existing Microsoft technology to deliver spyware signature updates to you – neat!
There are many more cool items coming soon which I will blog about later. In the meantime, look for more announcements here and on the antimalware team blog (http://blogs.technet.com/antimalware).
-steve
If you read my blog off and on (more off recently), you may be interested in the team blog located at the following location:
http://blogs.technet.com/antimalware
Jason Garms has posted the first intro to this blog http://blogs.technet.com/antimalware/archive/2005/11/01/413466.aspx, and these blogs will be a good place to check in with the developers and program managers of some of the security products here at Microsoft.
-steve
Today we are announcing a new product line to help protect business systems against viruses, spyware and rootkits. This new product line is called "Microsoft Client Protection." More information can be found at the following links:
Q&A With Mike Nash
http://www.microsoft.com/presspass/features/2005/oct05/10-06ClientProtection.mspx
Steve Ballmer's Security Strategy
http://www.microsoft.com/presspass/press/2005/oct05/10-06SecuritySpeechPR.mspx
Today when I came in to the office, I was made aware of an issue in which a Microsoft representative was quoted as saying Windows AntiSpyware would no longer be available for free.
The statement quoted in many forums is not true.
As we have been saying since day one, Microsoft Windows AntiSpyware will be available at no charge to licensed users of Windows. Users who validate their Windows install through WGA will be allowed to download the AntiSpyware beta, as well as the full standalone version of AntiSpyware when it releases to the web. This has not changed since Bill Gates announced this information at the RSA conference in February. The enterprise version of Windows AntiSpyware is targeted at companies who want to centrally manage their Windows AntiSpyware infrastructure. The enterprise version of Windows AntiSpyware will be available for a cost (which has not been determined yet). For users who want more services, including AntiVirus, computer backup, and AntiSpyware, we will be offering Windows OneCare Live. Windows OneCare Live is currently in beta, but when it releases to the web it will be available to users at a cost.
There are many exciting security offerings coming from Microsoft over the next year and I am just glad they let me blog about these exciting things happening at Microsoft!
It has been a few weeks since the last update, and the A/S team needed some work to do, so we decided that we should release build 615 to the web. Actually, we wanted to correct an issue found with the signature update mechanism, and we wanted to get an updated build out there this week. Starting in the next hour or so, beta testers will be able to download the updated build from the web (http://www.microsoft.com/spyware) or wait for the automatic update to the software. Also addressed in this release is an improvement in how Windows AntiSpyware beta provides information to the user about processes running on a PC. Because of a limitation in the installer, users will have to reboot as soon as they update the package. We are working on reducing the reboot requirement for beta 2. We have been testing this new build for about a week now and it does resolve the signature update issue. Please post to the newsgroups if you see any issues or have any comments on this new build.
-steve
Claria has been receiving a lot of news coverage lately, so I figured I would re-post what is going on over here in regard to this. We put the following statement on our website as well (http://www.microsoft.com/athome/security/spyware/software/claria_letter.mspx):
"This week we received some questions around Microsoft's classification of Claria software in our Microsoft Windows AntiSpyware (Beta). We wanted to take this opportunity to clear up any misconceptions and explain our current policies and practices.
Microsoft offers all software companies the opportunity to request a review of how Microsoft classifies their products through our vendor dispute process. In January, Claria filed a request for Microsoft to reevaluate some of its products. Upon review of their software against our criteria, we determined that continued detection of Claria's products was indeed appropriate. We also decided that adjustments should be made to the classification of Claria software in order to be fair and consistent with how Windows AntiSpyware (Beta) handles similar software from other vendors. At the end of March, we communicated to Claria the result of our analysis through our standard process.
We take software analysis for Windows AntiSpyware (Beta) very seriously and handle all vendor requests in the same manner. All software is reviewed under the same objective criteria, detection policies, and analysis process. Absolutely no exceptions were made for Claria. Windows AntiSpyware (Beta) continues to notify our users when Claria software is found on a computer, and it offers our users the option to remove the software if they desire.
Microsoft is committed to helping protect our customers from spyware and other unwanted software by providing guidance and technology solutions. We firmly believe that people should have complete control over what runs on their computers.
Today, anti-spyware vendors use different approaches, definitions, and types of criteria for identifying and categorizing spyware and other potentially unwanted software. This has limited the industry’s ability to have a broad, coordinated impact in addressing the problem. That is a key reason Microsoft is a founding member of the Anti-Spyware Coalition, a group of technology companies and anti-spyware companies working alongside public interest groups to address key spyware issues.
Meanwhile, Microsoft Windows AntiSpyware (Beta) is an initial beta release and we continue to receive valuable feedback from customers, which is helping our development of the final version of Windows AntiSpyware. We encourage people to provide feedback at WASFeed@microsoft.com and stay up-to-date on the latest developments on Windows AntiSpyware at Microsoft Windows AntiSpyware (Beta) Home."
Please do give us feedback in the newsgroup or in the e-mail alias as we are making decisions for future builds based on this feedback.
-steve
Just a few minutes ago, we released the latest build of Windows AntiSpyware to the public. This build resolves issues and will make using this product better for users. Starting today, users will see the automatic update mechanism fire off and let them know they have a new update available. Some of the big improvements are:
1) Software expiration will be extended to December 31, 2005.
2) Alerts Moving Quickly Across the Screen: Messages which move quickly off the screen when the taskbar is not docked horizontally are also fixed. Users who dock their taskbar on the sides of their screen will now be able to read messages generated by Microsoft Windows AntiSpyware (beta).
This issue is what we dubbed the “Flying Toast Issue” and one which I was passionate about getting fixed in this refresh build.
3) Support for Long Descriptions: Users of older builds only have access to the short descriptions which ship as part of the signatures. These short descriptions only provide limited information about potentially unwanted software. Long descriptions in build 613 will help users by giving them more information about the potentially unwanted software detected on their PCs.
4) Improved Winsock LSP removal mechanism: In some cases, removing spyware LSPs can disrupt network functionality. Through enhancements made in this beta refresh, we’ve lessened the chance that this problem will occur.
This is a very exciting release, and one which will greatly improve the user experience with this excellent product.
-steve
It has been a busy few months on the Anti-Spyware team, and I have learned a lot about the product while supporting millions of users in a newsgroup format. Here is a cool feature I ran into the other day… running AntiSpyware with switches from the command line!
To do this, open up a command prompt and change to the C:\Program Files\Microsoft AntiSpyware directory. Then use the switches below:

    GIANTAntiSpywareMain.exe [-parameters] [-parameters]

    -update : start an update check
    -scan   : scan [-optional scan parameters]

    Optional scan parameters:
        [-withMainUI]
        [-schedule]
        [-withUI]
        [-withResultUI]

Here is an example: "GIANTAntiSpywareMain.exe -scan -withui -withresultsui -schedule"
Feel free to play with the switches and let me know if it is beneficial to be able to do this.
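As an added example (not from the original post, and not part of the AntiSpyware product), here is a small PowerShell wrapper that runs the documented switches from a script rather than by hand, so an administrator can chain an update check before a scan and keep a log of what ran. It assumes the install directory and executable name exactly as the post gives them; the post does not document the program's exit codes or describe what each scan parameter does, so the script records the exit code without interpreting it, and the choice of "-schedule" for a non-interactive scan is an assumption.

```powershell
# Added example: wraps the switches listed in the post in a script.
# Assumptions (not stated in the post): exit codes are opaque, so they are
# logged as-is; the install path defaults to the one the post names.
param(
    [string]$InstallDir = 'C:\Program Files\Microsoft AntiSpyware',
    [string]$LogPath    = (Join-Path $env:ProgramData 'AntiSpywareScan.log')
)

$exe = Join-Path $InstallDir 'GIANTAntiSpywareMain.exe'
if (-not (Test-Path -LiteralPath $exe)) {
    throw "AntiSpyware executable not found: $exe"
}

function Invoke-AntiSpyware {
    # Run the executable with the given switches, wait for it to finish,
    # append a timestamped line to the log, and return the exit code.
    param([string[]]$Arguments)
    $proc = Start-Process -FilePath $exe -ArgumentList $Arguments -Wait -PassThru
    $line = '{0} {1} exit={2}' -f (Get-Date -Format 's'), ($Arguments -join ' '), $proc.ExitCode
    Add-Content -LiteralPath $LogPath -Value $line
    return $proc.ExitCode
}

# Refresh definitions first, then run the scan. "-schedule" is used here on the
# assumption that it is the switch meant for unattended runs.
$updateCode = Invoke-AntiSpyware -Arguments @('-update')
$scanCode   = Invoke-AntiSpyware -Arguments @('-scan', '-schedule')
Write-Output ("update exit code: {0}; scan exit code: {1}" -f $updateCode, $scanCode)

# To run this nightly, the script can be registered with the built-in task
# scheduler, e.g. (path to the .ps1 is a placeholder):
#   schtasks /create /tn "AntiSpyware nightly scan" /sc daily /st 02:00 ^
#       /tr "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Scan-AntiSpyware.ps1"
```

Keeping the log in ProgramData rather than a user profile means a scan launched by a scheduled task under a service account writes to the same place an administrator will look, and the timestamped exit codes make it easy to spot a run that silently failed to update before scanning.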
As a user of many anti-spyware applications over the years, one item that anti-spyware applications remove has always bothered me. That item is "tracking" cookies. Many people in the industry know what cookies are and how they can be used, but I do not think my parents would know anything about cookies. In my opinion, the industry has created a scare tactic in order to make a "problem" seem worse than it really is. I see this a lot when people report that one program is better than another with respect to cookies. I really do not see how someone can make that argument. I can write a program which deletes n+1 files if I want, until I reach a point where there are no more files to delete.
So why is this a problem?? Users do not know which files are good or bad, and therefore rely on the application to determine this for them. But if I am the programmer for another application, I could delete all good and bad files and then say... "We delete more files than Product X." The end user then says... "Of course... I want the other product... more is better!!" These users will then end up losing some settings which were never malicious in the first place. This leads me to the last thought...
Cookies by themselves are not malicious; they are text files with settings. Cookies can be part of some application which reads the text file in order to send information to a 3rd party, but in the end, they are only text files. For "tracking" cookies to be of use, a corresponding application needs to be running in the background and grab information off this file. I think this is where anti-spyware applications need to focus their efforts: removing the application which uses these text files instead of blowing away all good and bad cookies.
I think the cookie argument will go on for a while, but as long as the end user cannot discern what is good versus what is bad, the industry needs to work on improving the logic of removing applications as opposed to deleting all cookies.