MSAS: A whish list

[ObiWan]

Ok, maybe this isn't the right group for this kind of post
but I didn't find a better group, so I'm posting my whish
list right here

Here we go:

1) The MSAS should be able to retrieve connection settings from
IE (e.g. dialup or not, proxy settings and so on) and btw should
also allow the user to change such settings if needed

2) The updater should use the BITS service to download all the
needed stuff, this will allow having MINIMAL impact on the client
bandwidth

3) The update checks should use a "zero server impact" approach
for example, something like the DNS/UDP check already used by
the ClamAV antivirus, the latter uses a DNS "TXT" record to store the
version informations, this allows the clients to retrieve such infos
using
a small UDP query/answer and this in turn reduces the load on the
servers (no connections) and allows for a more frequent check; for
details, run this query "nslookup -type=TXT current.cvd.clamav.net"
as you may see the returned string contains the various version infos
and has MINIMAL impact on the server (and btw Microsoft DNS servers
should be able to handle such traffic w/o too many problems)

4) The update patterns should use a "diff" mechanism so that the files will
just contain the "differences" between the local version and the
current
pattern/program; an example of such a mechanism may be found looking
at this s/w http://www.pocketsoft.com/rtpatch.htm

5) The MSAS should incorporate an LSP filter which should intercept (at
least)
all the HTTP/S communications and check for any phishing/malware site
and btw, block access to such sites using a list (or a realtime list
either); this
may also be useful to filter/remove any HTTP exploit or similar
malware; for
more details see also http://www.privoxy.org

6) There should be a "corporate" version of MSAS, the latter should be GPO
aware (allow admin to define behaviours, disallow users from changing
the
settings and so on) and also have an update mechanism similar to WSUS
so that one may install a central update server and setup things so
that the
clients will use it to pick the updates; also, imVHo the "home" version
should
remain free, while the "corporate" one should be commercial

There's more, but I'll stop here for now


--

* ObiWan

Microsoft MVP: Windows Server - Networking
http://www.microsoft.com/communities/MVP/MVP.mspx
http://italy.mvps.org

DNS "fail-safe" for Windows clients.
http://www.ntcanuck.com

Newsgroups and forums
news://news.ntcanuck.com
http://forums.ntcanuck.com

408+ XP/2000 tweaks and tips
http://www.ntcanuck.com/tq/Tip_Quarry.htm

 

[Bill Sanderson]

This is probably the right place. I can't speak for Microsoft, but I've got
some comments--we'll see what comes out of the oven when Beta2 appears....
(interspersed below)
--

1) The MSAS should be able to retrieve connection settings from
IE (e.g. dialup or not, proxy settings and so on) and btw should
also allow the user to change such settings if needed

I'm sure this will be better--some settings are already retrieved this way,
but it doesn't work right. (i.e. if you change the proxy settings it does
affect Microsoft Antispyware, but you can't fix the Suspected Spyware report
proxy error message this way, most of the time.)

2) The updater should use the BITS service to download all the
needed stuff, this will allow having MINIMAL impact on the client
bandwidth

I don't know the precise mechanism they'll use, but it seems to me likely
that they'll do something very much like what you suggest.

3) The update checks should use a "zero server impact" approach
for example, something like the DNS/UDP check already used by
the ClamAV antivirus, the latter uses a DNS "TXT" record to store the
version informations, this allows the clients to retrieve such infos
using
a small UDP query/answer and this in turn reduces the load on the
servers (no connections) and allows for a more frequent check; for
details, run this query "nslookup -type=TXT current.cvd.clamav.net"
as you may see the returned string contains the various version infos
and has MINIMAL impact on the server (and btw Microsoft DNS servers
should be able to handle such traffic w/o too many problems)

4) The update patterns should use a "diff" mechanism so that the files
will
just contain the "differences" between the local version and the
current
pattern/program; an example of such a mechanism may be found looking
at this s/w http://www.pocketsoft.com/rtpatch.htm

I believe this is on the agenda.

5) The MSAS should incorporate an LSP filter which should intercept (at
least)
all the HTTP/S communications and check for any phishing/malware site
and btw, block access to such sites using a list (or a realtime list
either); this
may also be useful to filter/remove any HTTP exploit or similar
malware; for
more details see also http://www.privoxy.org

Interesting idea--don't know what they'll do in this regard.

6) There should be a "corporate" version of MSAS, the latter should be GPO
aware (allow admin to define behaviours, disallow users from changing
the
settings and so on) and also have an update mechanism similar to WSUS
so that one may install a central update server and setup things so
that the
clients will use it to pick the updates; also, imVHo the "home"
version
should
remain free, while the "corporate" one should be commercial

This has been announced: see:

http://www.microsoft.com/athome/security/spyware/software/enterprise/default.mspx

http://www.microsoft.com/presspass/features/2005/oct05/10-06ClientProtection.mspx

and:

http://download.microsoft.com/downl...2945e472dda/TechInvestmentHelpCustomersWP.doc

"Security is a top companywide priority for Microsoft Corp. This paper
outlines Microsoft's security focus and technology solution road map for
mitigating security risks to customers."


So--the antispyware technology we are testing will be part of a number of
products:

There will be a standalone, free, client, analogous to what we are testing.

The technology will be part of two products which will cost: Windows
OneCare Live, and Microsoft Client Protection. (home user/business)

The technology will also be part of Windows Vista.

 

[Ron Chamberlin]

Hey Obi,
As usual, your comments are spot on!

Ron Chamberlin
MS-MVP

 

[ObiWan]

Hey Obi,

As usual, your comments are spot on!

Heh ... well Ron, I'm just trying to keep focused ;-)

 

[ObiWan]

This is probably the right place. I can't speak for Microsoft,

but I've got some comments--we'll see what comes out of the
oven when Beta2 appears.... (interspersed below)

Well. sure, but since Beta2 is still being worked, I thought that

<no thoughts>

Well, it's rather simple, the idea is that, instead of using an HTTP
connection
to a server, MSAS should use a connectionLESS protocol like UDP and an
existing service like DNS to quickly retrieve updates infos w/o overloading
the servers; this in turn may allow performing updates checks more
frequently
and may help quickly distributing MSAS updates in case of "0 days" exploits

I believe this is on the agenda.

I hope so, such a thing may reduce the size of the updates a whole lot and
allow
faster updates even for machines on "not-so-fast" connections

Interesting idea--don't know what they'll do in this regard.

I hope they'll listen to this one; aside from any security mechanism/filter
built
into IE7, having such a filter inside MSAS will help shielding out the
system in
an effective way and even "patching" HTML exploits

Regards