Question: When should WD warn when weekly scans were missed?

  • Thread starter Joe Faulhaber[MSFT]

Joe Faulhaber[MSFT]

Right now, WD is warning after three days with no scans when the scheduled
scans are run weekly. Which is probably not the best behavior.

My question for those of you who like the weekly scan is: how long would
you go without this scan before you want to be warned if it has not
occurred? I was thinking two weeks, but that's a long time, when
definitions are being released at least weekly. Is 10 days after the last
successful scan the best answer?

Thanks in advance,
Joe
 
plun

Hi Joe

Nice question......;)

YES !

After a definition update it would be nice to also have an "automagic"
scan and probably a "full scan".

So it must probably be 10 days for an alarm because of different days
within a week for definition releases.


Can MS also try to explain RTP and how it works for some users who
love scheduled scans ;)

For MSAS Beta 1 there was a good document describing RTP functionality.

regards
plun
 
Bill Sanderson

Is more complex behavior possible?

How about a prompt that suggests a quickscan 3 days after the missed scan,
followed by an exclamation point warning 4 days later?

I think users are (perhaps justifiably) leery of the resource hit from
fullscans. If I'm correct about the faith that the team has in a quickscan
doing a good job on detecting in-place spyware, I'd like to see more
"education" towards more frequent quickscans, and only an occasional
fullscan.
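The tiered prompt Bill describes, together with Joe's 10-day figure for a weekly schedule, can be written down as a small staleness check and compared with the fixed three-day rule Joe says WD uses today. This is an added example, not code from the thread or from Windows Defender; the scan-log format, the ScanStatus names, the grace-period parameters and the sample timestamps are assumptions chosen to illustrate the two policies.

```python
"""Scheduled-scan staleness check (added example; not Windows Defender code)."""
from datetime import datetime, timedelta
from enum import Enum


class ScanStatus(Enum):
    OK = "ok"                       # on schedule, or still inside the grace period
    SUGGEST_QUICK_SCAN = "suggest"  # scheduled scan was missed: nudge the user to run a quick scan
    WARN = "warn"                   # still nothing: show the exclamation-point warning


def ts(iso):
    """Parse an ISO-8601 timestamp such as '2006-03-05T02:00' (helper for the samples below)."""
    return datetime.fromisoformat(iso)


# Constructed scan history (assumed format: (timestamp, result)): one successful scan,
# then a scan that was cancelled a week later. A cancelled or failed scan must not
# reset the clock, only a successful one does.
CONSTRUCTED_LOG = [
    (ts("2006-03-01T02:00"), "ok"),
    (ts("2006-03-08T02:00"), "cancelled"),
]


def days_since_last_success(scan_log, now):
    """Days since the most recent successful scan, or None if no scan ever succeeded."""
    successes = [when for when, result in scan_log if result == "ok" and when <= now]
    if not successes:
        return None
    return (now - max(successes)) / timedelta(days=1)


def fixed_three_day_status(scan_log, now):
    """The behaviour described at the top of the thread: warn once three days pass
    without a successful scan, regardless of how often scans are scheduled.
    For a weekly schedule this warns on most days of a perfectly healthy week."""
    age = days_since_last_success(scan_log, now)
    return ScanStatus.WARN if age is None or age > 3 else ScanStatus.OK


def schedule_aware_status(scan_log, now, schedule_days, prompt_grace_days=3, warn_grace_days=4):
    """Tiered, schedule-aware variant. The clock starts when the *scheduled* scan was
    missed (last success + schedule_days), not when the last scan ran:

        overdue < prompt_grace_days                    -> OK
        overdue < prompt_grace_days + warn_grace_days  -> SUGGEST_QUICK_SCAN
        otherwise                                      -> WARN

    With a weekly schedule and the defaults this suggests a quick scan 10 days after
    the last success and warns at 14; a daily schedule is nudged at day 4 and warned at day 8.
    """
    age = days_since_last_success(scan_log, now)
    if age is None:
        return ScanStatus.WARN          # never scanned successfully: nothing to trust
    overdue = age - schedule_days
    if overdue < prompt_grace_days:
        return ScanStatus.OK
    if overdue < prompt_grace_days + warn_grace_days:
        return ScanStatus.SUGGEST_QUICK_SCAN
    return ScanStatus.WARN


if __name__ == "__main__":
    for day in ("2006-03-05T02:00", "2006-03-11T02:00", "2006-03-15T02:00"):
        now = ts(day)
        print(day,
              "fixed-3-day:", fixed_three_day_status(CONSTRUCTED_LOG, now).value,
              "weekly-aware:", schedule_aware_status(CONSTRUCTED_LOG, now, 7).value)
```

Running the block shows the difference on the constructed log: four days after a successful weekly scan the fixed rule already warns while the schedule-aware rule is still green, and the cancelled scan on 8 March does not postpone either prompt.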
 
plun

Is more complex behavior possible?
How about a prompt that suggests a quickscan 3 days after the missed scan,
followed by an exclamation point warning 4 days later?

I think users are (perhaps justifiably) leery of the resource hit from
fullscans. If I'm correct about the faith that the team has in a quickscan
doing a good job on detecting in-place spyware, I'd like to see more
"education" towards more frequent quickscans, and only an occasional
fullscan.

Hi Bill

Detecting in-place spyware? If I were MS I would put nearly all malware
engineers to work just recognising and blocking malware, recognising keyfiles
with RTP functionality.

For example all of these:

http://www.malwarecomplaints.info/index.php?sid=24726a59730978934769fcc0f458cbfb

When these engineers then have time, they can start working on
detailed removals.

It's much more important to block these pests with RTP. IMHO.

It's really painful to see all of these hijacks within every
cleaning forum; it's become a "subculture".

This would be the best present MS can give customers with
a real "Genuine Advantage".

regards
plun
 
Bill Sanderson

I agree--so why emphasize scanning at all?

I think scanning is still needed for the same reason as with antivirus--to
catch the new stuff that snuck in. I would hope that if the infection is
active, a quickscan will detect it--so I'd emphasize those and try to
encourage users to do them more frequently.
 
Joe Faulhaber[MSFT]

To refocus the discussion, my question is for weekly scans, specifically,
not the daily ones. :)

But you're right - we define quick scan as catching all spyware on a machine
that will run automatically - if you find spyware that autostarts that our
quickscan doesn't catch, let us know, it's a bug. Full scan is for
remnants, file shares, offline scanning, etc. I would recommend a full scan
after a cleaning, probably, but not necessarily as a scheduled scan.

RTP is indeed a great way to stop spyware - especially now that WD can block
at the browser, Outlook Express, etc. For the spyware that travels in
herds, RTP can usually stop the first one and stop the infection from
happening. And those are some bad ones, definitely.
RTP has a couple of fundamental problems, though; the most important of these is
the fact that almost all spyware is a zero-day at some point. People have
to scan sometimes in case they got the stuff before it was known.
The other good news here is that most spyware uses the same ways to get in,
and WD RTP monitors those pretty well.

Regards,
Joe
 
plun

Hi Joe

Well, this is about scans and how often ;) if I trust RTP
functionality, i.e. only detecting keyfiles, I can reduce scanning
frequency.

Nearly all major protection vendors use this tactic to first only
detect the malware and then complete it later with detailed removal
instructions within definitions, especially for ad/spyware with more
complicated installs than viruses/worms.

Example: Nail.exe and Aurora. I am running Trend Micro's PC-cillin and
TM put a def block for Nail.exe but no removal for Aurora.

I have tested WD myself with Errorsafe and Spyfalcon, WD missed
Spyfalcon..........but it was OK nevertheless when I saw "WD in
action".
Great application !

Another great "Spywarewarrior" AndyM tested 25 common spyware and WD
took 20 with RTP. ;)

Of course some users will be hit with 0-day malware and that cannot be
avoided, but it's important for MS to directly detect and block with
RTP.

The bad guys don't change keyfiles so often for ad/spyware, but then
we also have the carrier trojan problem, but that is more an antivirus
problem.

For all unwanted programs as Spyaxe, Spyfalcon, Spywarestrike and so on
it must be really easy to create RTP blocks.

So with a good working RTP, 1 week or 10 days is enough for me for an
alarm. ;)

But this is indeed a balancing act........... ;)

Trustworthy computing!

regards
plun
 
Eric Cross

Personally, I would rather run a scan immediately after updating the
definition file, or shortly after.
 
plun

Hi Eric

I wrote that in my first message, and also that having an "automagic"
triggered scan start after a definition update would be nice. ;)

But as Joe wrote, this is a balance between a working RTP and
Bill's "Detecting in-place spyware" and 0-day victims.

And of course how often the bad guys change keyfiles for RTP
recognition.

It is also how much resources MS has for malware research and
I hope they soon can have Spynet "voting" in operation.

So for me RTP is much more important, I can use Adaware, Spybot, Ewido
etc for cleanings that MS maybe skipped for a while until their
malware research engineers have a complete removal instruction within
defs.

With MSAS Beta 1 it was so for a number of infests....... ;)

regards
plun
 
