Rupert Goodwins' Diary

Monday 4/9/2006

Cack-handed security can be worse than no security at all. Take today's little message of joy: CA's anti-virus software had a hissy fit and turned on a component of Windows' own security, declaring it a virus and deleting it. Windows duly fell over.

The maligned file, lsass.exe, is the Local Security Authority Service. It helps with local logins and security policies. It's on just about every Windows system currently running — if you're the bold sort who thinks nothing of pressing Ctrl-Alt-Del to see your process list, then do so. It'll be there.

So how come CA failed to spot this? What sort of testing did they do? Could it have been somewhere in the region of none worth speaking of? Much more of this, and we'll start to see attacks that play on this sort of behaviour, with exploits designed to trigger anti-virus systems to turn on legitimate security mechanisms. There are plenty of biological analogies, where a parasite or pathogen subverts a host system to its own advantage: CA should take note of the Darwinian rewards for not evolving fast enough to avoid this.

Windows does itself no favours, though. That file might well have been a Trojan, or a keylogger, or anything like that. Microsoft won't tell you what it is, and doesn't have any mechanism for digitally signing the file or providing it with some form of electronic fingerprint. Some of this is coming with Vista — some only with the 64-bit version, mind — but there was so much more the company could have done for XP. Even just a list of what files were on the system and what they did would have helped. Microsoft knew this, but wasn't telling — leaving the job to third parties who didn't have access to all the information.

It's not going to be easy keeping track of what's going on in Vista, mind. With some 16 versions in the retail channel, support and maintenance will be much more exciting than it was with XP with its fairly random Home and Professional editions. Having all those variations to test will make it more likely that companies such as CA will slip up: anyone expecting Vista to bring a new golden age of reliability in computing should put on their jetpacks, pop back to their paperless office and set their cryogenic hibernation units to 2050.