Another Malware protection engine becomes Malware enabler engine
Summary: This time we have a PDF parsing issue with Microsoft's Malware detection engine; last week it was a UPX compressed executable compromising Trend Micro's Malware detection engine when parsed. Before that it was compressed ARJ files rigged to explode. The history of HEAP exploitation in antivirus packages is long and plentiful, and every major antivirus vendor has been affected at one time or another. It's like going to the doctor for minor stitches and the doctor uses an infected needle that gives you a fatal disease.
Nearly three months after being first released to the business market, Vista had a near perfect track record (excluding a design weakness in voice) against remote exploits until this Tuesday. Ironically the culprit happens to be Microsoft's Malware Protection engine, which is used in all of Microsoft's antivirus products including Windows Defender for Vista. This is just another example where we have the software charged with scanning and detecting malicious code being tricked by a package rigged to explode when inspected.
Last May I said that running desktop-based anti-Malware protection is like having the bomb squad inspect a suspicious package inside your house. Antivirus is like any other software in that any additional code added to a system merely adds more vectors for exploitation. In the case of antivirus or anti-spyware software it's even worse, because the code is running with system-level privileges, so any exploitation of that code yields a system-level compromise. If it were merely a user-level application like Office running under Vista, an exploit would still have to get the user to agree to elevate the code with UAC. If the anti-Malware code gets compromised, the malicious code is automatically granted the keys to the kingdom. Microsoft isn't alone in this regard; just last week we had a critical exploit for Trend Micro's antivirus software. In fact we still have worms actively trying to scan for and exploit Symantec's antivirus engine.
This time we have a PDF parsing issue with Microsoft's Malware detection engine; last week it was a UPX compressed executable compromising Trend Micro's Malware detection engine when parsed. Before that it was compressed ARJ files rigged to explode. The history of HEAP exploitation in antivirus packages is long and plentiful, and every major antivirus vendor has been affected at one time or another. What's sad is that software that's supposed to protect you actually exposes you to being exploited even worse than if you hadn't had that "protection" software installed in the first place. It's like going to the doctor for minor stitches and the doctor uses an infected needle that gives you a fatal disease. If I didn't get bugged every few minutes for running Vista with Defender off, I'd have disabled it long ago. The fact that it was patched by Microsoft the day the vulnerability was announced doesn't make me feel a whole lot better about it or about any of these anti-Malware solutions. The fact that Vista has added HEAP protection might improve this situation, but we're still not clear whether it mitigates this particular exploit or whether it will protect against future HEAP exploits.
What I'm wondering is why the anti-Malware vendors don't run their parsing engines as a separate user-level process with access to a single folder on the hard drive. The main antivirus program should take inbound files, shove them into that folder, and let the parsing engine run a scan. If it blows up, the worst thing that can happen is that the contents of that temporary folder get incinerated, which doesn't bother me one bit. Going back to our bomb squad analogy, it would be like installing a thick bomb containment chamber inside your home. When a suspicious package comes in, put it in the chamber and open the package inside the chamber. If it explodes, no harm done. If it's nothing dangerous, take it out and declare it safe. The first antivirus vendor that sticks their file parsing engine in a bomb containment chamber has my personal blessing. Until then, they're all nothing but Malware enabler engines.
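The broker-and-chamber design described above (and restated in the author's talkback reply further down) as an added example; this is not code from the article or from any antivirus product. The "parsing engine" is a constructed stand-in with a deliberate length-field defect so that a rigged input makes it crash, the chamber is a throw-away temporary folder, and Unix resource limits stand in for the switch to a dedicated low-privilege account that a real product would make. The broker treats a crash or hang of the engine as a scan failure rather than as a clean verdict, and wipes the chamber either way.

```python
"""Brokered scanning: the parser runs as a separate process that only works in
one throw-away folder, so a parser crash or compromise is contained there.

Added example, not code from the article or from any AV product. The engine
below is a constructed stand-in with a deliberate length-field bug; a crafted
input makes it crash, which is exactly the failure the broker must survive.
"""
import json
import os
import resource
import shutil
import subprocess
import sys
import tempfile

# Stand-in parsing engine, written into the chamber and run as its own process.
# It trusts a length field taken from the input, the classic shape of the heap
# bugs the article talks about; a bad length makes it raise ("explode").
WORKER_SOURCE = r'''
import json, sys

def scan(path):
    data = open(path, "rb").read()
    if not data.startswith(b"%PDF"):
        return "clean"                      # not our format, nothing to parse
    length = int(data[4:8].decode())        # attacker-controlled length field
    body = data[8:8 + length]
    if len(body) != length:                 # constructed parser defect
        raise MemoryError("truncated object")
    return "malicious" if b"EICAR-TEST" in body else "clean"

print(json.dumps({"verdict": scan(sys.argv[1])}))
'''


def _cap(limit, value):
    """Lower a resource limit to `value`, never above the current hard limit."""
    _soft, hard = resource.getrlimit(limit)
    new = value if hard == resource.RLIM_INFINITY else min(value, hard)
    resource.setrlimit(limit, (new, new))


def _confine():
    """Runs in the child just before exec: cap output file size and CPU time.
    A real product would also switch to a dedicated low-privilege account
    here (os.setuid needs root, so it is left out of this example)."""
    _cap(resource.RLIMIT_FSIZE, 1 << 20)
    _cap(resource.RLIMIT_CPU, 5)


def scan_in_chamber(src_path, timeout=10):
    """Copy the inbound file into a fresh chamber folder, run the engine there,
    and wipe the folder afterwards. Returns "clean", "malicious" or
    "scanner-failed" (crash or hang: the sample stays untrusted, it is NOT
    declared clean just because the scanner died)."""
    chamber = tempfile.mkdtemp(prefix="scan-chamber-")
    try:
        shutil.copyfile(src_path, os.path.join(chamber, "sample"))
        worker = os.path.join(chamber, "worker.py")
        with open(worker, "w") as fh:
            fh.write(WORKER_SOURCE)
        try:
            proc = subprocess.run(
                [sys.executable, worker, "sample"],
                cwd=chamber,                # the only place the engine works in
                capture_output=True,
                timeout=timeout,
                preexec_fn=_confine,
            )
        except subprocess.TimeoutExpired:
            return "scanner-failed"
        if proc.returncode != 0:            # the engine blew up; the broker did not
            return "scanner-failed"
        return json.loads(proc.stdout)["verdict"]
    finally:
        # Whatever happened inside the chamber stays there: incinerate it.
        shutil.rmtree(chamber, ignore_errors=True)


def scan_bytes(data):
    """Convenience wrapper: scan constructed bytes without a pre-existing file."""
    fd, path = tempfile.mkstemp(prefix="inbound-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    try:
        return scan_in_chamber(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed samples: a non-PDF, a well-formed "PDF" carrying the marker,
    # and a rigged one whose length field does not match its body.
    for sample in (b"hello", b"%PDF0010EICAR-TEST", b"%PDF9999EICAR-TEST"):
        print(sample, "->", scan_bytes(sample))
```

The point of the design is the separation of trust: the broker never parses anything itself, the engine never sees a path outside its chamber, and the only shared state is the copied sample plus a one-line verdict on stdout. Running the engine under a separate unprivileged user (and, on Vista, as a low-integrity process) is what turns the chamber from a convention into an enforced boundary.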
Talkback
NON-desktop-based anti-Malware protection
Open source IPCop and Copfilter
Here we have Vista which has so far been an impenetrable fortress for the last 3 months. We have Trend Micro AV and Microsoft's AV/AS software acting like the dumb security guard that was tricked into giving the outside attacker keys to the fortress including the money vault. Had you not employed any of those security guards, you'd have been safe. What I'm suggesting is that you can still have the security guard but don't give the guard keys to the fortress and let that guard stand outside of the fort in a special containment area.
Done deal yet?
I'd definitely like to employ this kind of HW/SW protection plan on the router side and dump desktop level protection if it were cheap enough and quiet enough, so I've been trying to keep one eye open for something along these lines ever since you first suggested the idea. Sounds like a great home owner solution for those savvy enough to rig it up, in conjunction with Vista anyway.
Yes, here you go
http://blogs.zdnet.com/Ou/?p=360
http://blogs.zdnet.com/Ou/?p=406 (needs verification, soon)
Software how-to:
http://articles.techrepublic.com.com/5100-1035-6157458.html
Excellent
It's not your imagination
It's not your imagination that AV slows you down. In fact it often decreases your speed by much more than 50%.
another hardware option
higher functional needs.
http://www.emergecore.com/products/index.php
That pup looks nice ... but
From their own website:
[b]Boise, Idaho, August 2, 2005[/b] In a move that further validates EmergeCore's rising popularity among carriers and Internet Service Providers (ISPs), PC News Weekly Magazine has just named EmergeCore Network's IT-100 "IT IN A BOX" its Editor's Choice. This review, which is the eleventh major industry award for the IT IN A BOX, appears in the magazine's July 25 issue and at http://www.pcnewsweeklymag.com.
The review noted: "IT IN A BOX seems to us to be a unique product that provides hardcore solutions to an under-50 employee business.
The IT-100 sells for US$1,395." ~ PC News Weekly
Nice but uh, no cigar me thinks. :(
Not to mention...
Zonelabs however does make a [url=http://www.zonelabs.com/store/content/catalog/products/z100g/index.jsp]simple firewall router[/url] with a subscription based gateway virus protection. At about $150, it might be a viable solution for ye mere mortal home users. :)
I have changed my tune a bit with regards to this.
What I see George doing sounds almost ridiculous. Let us seriously think about this.
We decide that we want to scan the entire system through pulling files through memory to put them into their exclusive folder, then put the files back in their place when they are done. This does what to an already executed virus? First, it is usually pretty hard to copy a file that has already been executed, though it can be done. If we are talking about library files that malware may need, then we are talking about a file that can be moved and detected by an alternate process which could lead to replication. Then we are also talking about serious file defragmentation and a massive amount of I/O. Unless you want to defrag the disk while you are scanning, I wouldn't know why you would do it. Even then, what about your giant archive files? We are going to move a 4.5 GB ISO over to its own folder?
Please explain in detail more how you expect this to work. A VM, or something of that nature seems better equipped to handle such a task, but also still too intensive of a scan. I still think locking down the desktop is the best solution.
You totally missed the point
Trend Micro and all the other AV vendors have had critical remote exploits. I don't think you can pin this on the fact that Malware protection engine is by Microsoft. The problem for Microsoft is that they acquired this technology from someone else and they probably didn't do the ground up security audits like they did for Vista and SQL Server 2005.
"We decide that we want to scan the entire system through pulling files through memory to put them into their exclusive folder, and then put the files back in their place when they are done. This does what to an already executed virus? "
No you totally missed my point. Copying an infected file coming from the outside world does not trigger an exploit. It's only when you actually try to open that package that it explodes on you. If it's an incoming compressed ARJ file (via email/ftp/http for example), you can move that file to a special folder which is the only place the AV parsing engine has access to. Then you tell the parsing engine to look at that ARJ file and then if there is a zeroday/unpatched exploit the worst thing that can happen is that the compromised parsing engine can nuke the contents of that special folder which is no harm done.
I understand the DMZ portion
That will only handle exploits that a user knowingly saves to their computer. What about for exploits?
If I were a virus creator, I would have the virus do something a little more subversive, such as create an open port and broadcast. Of course I would have to find a way to quiet the firewall because dropping it like the ludder worm is pure stupidity and causes alarm to a user who is smart enough to keep the firewall enabled. The initial virus can be and usually is painless; it is the several after that that become the pain in the neck.
We're not talking about DMZ or exploits
This is like Vista being an impenetrable (in its first three months) fortress with a stupid security guard (Windows Defender) that was tricked into handing over the keys to the fortress and the money vault to an outside attacker. Had we not had that security guard running, we'd have been safe. What I'm suggesting is that we place that security guard in a special chamber without keys to the rest of the fortress. Let him inspect incoming packages and if one explodes on him, too bad, but at least the rest of the fortress is safe. I don't want the security guard walking around with keys to the kingdom.
User-level exploits in Vista applications (none so far) at least are handled by UAC. The Vista firewall blocks all inbound traffic by default.
DMZ was my comparison, not literal
That is both, functionality already built into Vista, and supposedly walled off from the rest of the computer.
Also, may not need to do an actual write to a folder
Bugs
I'll wait until SP1 and see what MS does about it along with a bunch of other things which will inevitably turn up.
In the meantime, I'll VM into Windows XP from SUSE Linux.
Loads up in 3 seconds flat on demand. Not too shabby.
Windows XP is more than good enough for now, thank you very much!
XP in 3 Seconds on a 286?
VMware on AMD Turion64 X2
Suspend to the disk and... resume... let's see, one, two, three... and voila!
Fantastic!
Thank you very much.
I don't understand!
My French sucks but:
Suspend the disk and resume. Watch 1,2,3 done.
Fantastic
Thank you very much.