Defender Versions Question

Guest

OK - so now I have:

Windows Defender Version 1.1.1347.0
Engine Version 1.1.1372.0
Definition Version 1.14.1402.2

Are these the correct latest versions?

If they are, why does my Windows Install Cleanup show

Windows Defender 1.1.1347.6
Windows Defender Signatures 1.20.1402.2
?????????????????????????????????????????????
 
Guest

If MS doesn't know, how can you expect our one and only BILL to know? :)

I wonder if MS practices the MUSHROOM management protocol with its users?
i.e. "feed them with a load of s..t and keep them in the dark."

Stu
 
Bill Sanderson MVP

I expect Microsoft does know--they don't spend time spoon-feeding me with
arcane bits of information, though.

I really don't know why the cleanup tool reports slightly different
versioning info than the app itself. It always has though--there've been a
number of threads about the differences in the def versions--and maybe even
an MS response. This is the first one that involves a difference in the APP
version, though, as far as I recall.

--
 
Guest

That's a great shame BILL - they should. You provide us with great knowledge
and wisdom and for that we - THANK YOU :)

Stu
 
Donald Anadell

Hi Bill,

My take on why the Windows Installer Cleanup Utility reports the Version as 1.1.1347.6
instead of 1.1.1347.0 is because the Setup MSI package for Windows Defender "266e6.msi"
writes Version 1.1.1347.6 to the Registry at the following two addresses:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\92EC7D2BA416CCA4B8EF00E93B2A449C\InstallProperties

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2D7CE29-614A-4ACC-8BFE-009EB3A244C9}

Both Keys carry the same "DisplayName" and "DisplayVersion" values:

DisplayName = Windows Defender
DisplayVersion = 1.1.1347.6

So if one goes to the Control Panel and opens up Add||Remove Software and highlights
Windows Defender, then clicks on the phrase "Click here for support information", one
is presented with Version 1.1.1347.6 in the Dialog box.

Likewise, if one runs the Windows Installer Cleanup Utility, MsiZap.exe searches the
two Registry Keys shown above for Product Information to display in its interface, and
what it finds in the Registry for Windows Defender is version 1.1.1347.6 and not 1.1.1347.0.

That would explain the mechanics of why the Cleanup Utility and Add||Remove both show
Release 6 instead of Release Zero(0), but not the reasoning behind writing release 6 to the
registry and displaying release Zero(0) in the Help||About in Defender's UI.

LOL...I hope I don't fall under the category of "spoon-feeding me with arcane bits of information"
with this bit of arcane information I've supplied. But you'll have to admit it's at least puzzling;)

Donald Anadell
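As an added illustration of the mechanics Donald describes (example code written for this page, not code from the thread or from Microsoft): the key name under Installer\UserData\S-1-5-18\Products is the product code GUID from the Uninstall key in Windows Installer's packed form, which is why the two keys describe the same package. The script derives one key name from the other and reconciles the DisplayVersion both keys carry with the version the Help||About dialog reports. The registry text is a constructed .reg-style export containing only the values quoted above; on a live machine the same text comes from `reg export` (which writes UTF-16, so open the file with that encoding).

```python
# Added example: reconcile the version an application shows in its own UI with the
# DisplayVersion that Windows Installer wrote to the registry. Runs offline on a
# constructed .reg-style export; not code from the thread or from Microsoft.
import re
from typing import Dict, Optional

# Constructed sample export holding the two keys and values quoted in the post.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\92EC7D2BA416CCA4B8EF00E93B2A449C\InstallProperties]
"DisplayName"="Windows Defender"
"DisplayVersion"="1.1.1347.6"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2D7CE29-614A-4ACC-8BFE-009EB3A244C9}]
"DisplayName"="Windows Defender"
"DisplayVersion"="1.1.1347.6"
"""

GUID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-"
    r"([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?$"
)


def _swap_pairs(hex_str: str) -> str:
    # Reverse the two hex digits of every byte: 'B8EF' -> '8BFE'.
    return "".join(hex_str[i + 1] + hex_str[i] for i in range(0, len(hex_str), 2))


def compress_product_code(guid: str) -> str:
    # ProductCode GUID -> the packed 32-digit key name Windows Installer uses under
    # Installer\UserData\<SID>\Products: first three groups reversed whole,
    # last two groups reversed byte by byte.
    m = GUID_RE.match(guid.strip())
    if not m:
        raise ValueError(f"not a GUID: {guid!r}")
    p = [g.upper() for g in m.groups()]
    return p[0][::-1] + p[1][::-1] + p[2][::-1] + _swap_pairs(p[3]) + _swap_pairs(p[4])


def expand_product_code(packed: str) -> str:
    # Inverse of compress_product_code: packed key name -> {GUID}.
    c = packed.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", c):
        raise ValueError(f"not a packed GUID: {packed!r}")
    return "{%s-%s-%s-%s-%s}" % (
        c[:8][::-1], c[8:12][::-1], c[12:16][::-1],
        _swap_pairs(c[16:20]), _swap_pairs(c[20:]),
    )


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    # Minimal .reg reader: maps each [key path] to its REG_SZ name/value pairs.
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def _version_tuple(version: str):
    return tuple(int(x) for x in version.split("."))


def reconcile_versions(reg_text: str, ui_version: str,
                       display_name: str = "Windows Defender") -> dict:
    # Locate the product's Uninstall key, derive the packed ProductCode, find the
    # matching InstallProperties key and compare the setup version with the UI version.
    keys = parse_reg_export(reg_text)
    uninstall_key = next(
        (k for k, v in keys.items()
         if "\\Uninstall\\" in k and v.get("DisplayName") == display_name), None)
    if uninstall_key is None:
        raise LookupError(f"no Uninstall entry named {display_name!r}")
    product_code = uninstall_key.rsplit("\\", 1)[1]
    packed = compress_product_code(product_code)
    install_props = next(
        (v for k, v in keys.items()
         if packed in k.upper() and k.endswith("InstallProperties")), {})
    setup_version = keys[uninstall_key].get("DisplayVersion", "")
    ui, setup = _version_tuple(ui_version), _version_tuple(setup_version)
    return {
        "product_code": product_code,
        "packed_product_code": packed,
        "uninstall_display_version": setup_version,
        "installer_display_version": install_props.get("DisplayVersion"),
        "ui_version": ui_version,
        # Both registry keys are written by the same MSI and should agree.
        "keys_agree": setup_version == install_props.get("DisplayVersion"),
        # Same major.minor.build: same product binaries; a difference confined to
        # the fourth field is a setup (MSI package) revision, not a new build.
        "same_build": ui[:3] == setup[:3],
        "setup_revision_only": ui[:3] == setup[:3] and ui[3:] != setup[3:],
    }


if __name__ == "__main__":
    for name, value in reconcile_versions(SAMPLE_REG_EXPORT, "1.1.1347.0").items():
        print(f"{name:28} {value}")
```

With the thread's values the report shows both keys agreeing on 1.1.1347.6, the same build as the 1.1.1347.0 the UI shows, and a difference only in the setup revision field; feeding it an engine number such as 1.1.1372.0 instead flags a different build, which is the distinction that matters when an inventory tool and the application disagree.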
 
Joe Faulhaber[MSFT]

Donald's on the right track here...

We had to rev our setup a few times, but the underlying product binaries
stayed the same. The revs were almost all due to our efforts to provide
localized versions of WD, which we're still working on. The localized
versions of the beta for those of you running German or Japanese Windows
will have setup version > .6.

Back to the original question - 1347.0 is the correct WD version, the 1372
engine is current (with archive cleaning, very exciting!).

Regards,
Joe
 
Guest

Donald, thanks for posting this - mine are exactly the same - in Registry,
Add/Delete, and Windows Installer Cleanup. This helped me shed a little
light on what was happening. Thanks, appreciate your help.
 
Dave M

Joe,
Care to elaborate on exactly what "archive cleaning" means within the WD
context? I know Mike Treit referred to "planning some changes to improve
the experience" when malicious files are discovered inside an archive, but
this is the first I've seen anyone refer to archive cleaning using the
1.1.1372.0 Engine.
 
Bill Sanderson MVP

Thanks--no--I enjoy hearing about this kind of investigation in detail. I
s'pose it could be that the version display within the program has a bug!

Thanks!
 
Bill Sanderson MVP

Joe Faulhaber said:
Back to the original question - 1347.0 is the correct WD version, the 1372
engine is current (with archive cleaning, very exciting!).

Indeed that is exciting--I get very little chance to actually see cleaning
with WD, and have been trying to spot whether this had changed by the
messages here--and had not yet spotted that change. Thanks--I'll look
forward to finding some infected machines to go run full scans on.
 
Bill Sanderson MVP

This should be exciting--I'm tempted to go out and grab some malware to
test, but I'm short of time--I'm trying to complete some budget work for my
church (our initial attempt is $30,000 out of balance!) and I need to travel
to a family funeral this weekend about 300 miles away. So--I won't get much
chance to look into this stuff 'til sometime next week--of the 50 or so
machines I work with regularly, only two have ever seen any significant
spyware--and I've got them clean at this point, so I need some new
customers.

--
 
Joe Faulhaber[MSFT]

The 1372 engine will quarantine archives (under 50MB) when a threat
detection containing them is removed. So it will look like the threat was
deleted completely, but the history will say the action was quarantine, and
the quarantine package will be in the quarantine view in the UI.

After 30 days, quarantined items age out.

I think this is a great solution to a thorny problem - but your feedback
would be appreciated, as usual.

Regards,
Joe
 
Jeff

Joe;
Any insight into v1.14.1402.2 generating excessive "Defender
Checkpoints" in System Restore? It's just started that with this newest
release.
 
Bill Sanderson MVP

OK - this is definitely thorny--I've thought about it before.

Let me try to "see" what the flow would be for two or three hypothetical
situations.

1) My "backup of Aunt Mary's old win95 machine" that has the only PDF copy
of her last will and testament, with newdotnet in there for spice. This is
a zip, or maybe qic or .bkf file.

So--I install Windows Defender, and, being anal, I set scheduled scans to do
a full scan, since I can't tell what might be lying around that none of my
previous dozen or two antispyware apps have missed. Fortunately, Aunt
Mary had only a 4 gig drive, and didn't have much data, so her file is 48
megs.

I've left settings at their default, so Windows Defender is set to take the
default action on a scheduled scan.
Scan is set for 11, and I'm still up, but by midnight the scan has hit
999,999 objects (I have a lot of .ISO files)--and I go off to bed.

Next morning--let's see if I can get this right--I should see an alert from
Windows Defender's icon in the system tray, and when I click and open that,
am I recalling it will take me to the history page--to show me the scan
results, essentially? This sounds perfect--it shows me that "Aunt Mary's
backup.zip" was quarantined for newdotnet, and I say "oops--I really need
that--better get it back from quarantine." Retrieval from quarantine works,
and I'm in good shape.

Hmm --what additional actions do I take--I don't want to "always allow"
newdotnet. I could exclude the zip file from scanning (?) Am I back to
digging through System Events to find the path and file within the zip, and
removing that from the zip, to keep this from repeating?

Suppose I say--OK--that's fine, Aunt Mary's backup really isn't something I
plan on looking at soon, and it will be safe in quarantine, why don't I just
leave it there? Is it obvious in the quarantine UI that items age out?
This isn't something I'd heard before.

So--for that scenario, I'm doing a lot of nitpicking, but I think I like
this just fine.

Scenario 2 - pure malware--there's a .exe package lying around somewhere
that is an executable zip of some spyware--probably came attached to an
email message, and I saved it to try out the new game or whatever, and then
forgot about it.

Again--it only gets caught on a full scan, but it does, and I see it in the
history, and say--yeah--I never used that "rogerrabbit.exe" anyway, and now
I know it was a baddy--lesson learned, thank you Windows Defender, and maybe
I'll visit quarantine and delete it just to keep from being tempted.

I like that just fine too.

Scenario 3--I've just installed Windows Defender, it updated, and is running
a quick scan. At the end of the quick scan it has detected some spyware on my
system--including something in an exe like the previous scenario. I think
in 99% of cases, the archive detections are only happening on full scans,
but it is probably possible for something that is "live" to have a zip
archive as part of its backstop mechanisms to reinstall, or for such a zip
to be in a location which a quick scan would hit. I'm shocked at the long
list of stuff detected and removed, and when I go to quarantine, igfqwlx.exe
from the Temporary Internet Files is nothing I know I need, so I go on
about my business, grateful to Windows Defender for having saved my butt,
and the file ages out of quarantine and goes away and I never have to think
about it again.

OK - final nits: Really - the only thing I see here is the need to be sure
the users know that quarantine ages out--I've never seen this in another
antivirus quarantine. I'm assuming that if the archive is too big, we'll
get an error message of some sort?

I'm sure there are some good corner cases I've missed here, so I hope all
the other lurkers here have thought this through from scratch without being
biased by my thinking, and will chime in!

I like it!


 
Joe Faulhaber[MSFT]

Good feedback, Bill.

I opened a bug for the quarantine retention thing - that indeed needs to be
documented in the product.
For archives over 50MB, the experience will be like before - the 0x80508026
error will be displayed.

Regards,
Joe


 
plun

Hi Bill

Great !!!

regards
plun
(lurking around)

PS DVD burners are cheap nowadays and perhaps some users need to
learn how to burn a backup......... DS

PSS But the SR "bug" is not so good..... I always minimize my SR to
around 1 GB and 7-8 RPs....... and that's the last three days WD triggers.
DSS

 
Bill Sanderson MVP

Glad it helped. Hmm--I'm sure hoping that OneCare's quarantine doesn't age
in a similar fashion, because I believe that it is going to contain some
mail-store related files, and I've already got at least three angry
Thunderbird users in one of my clients who feel that OneCare has done in
their mail stores.

I think I know where to ask this question--just thinking out loud!

--

 
