"cquirke (MVP Win9x)" wrote in message
That will scan for files, but unless the Scanner is smart enough to be able
to both find and open the registry files on the drive, the scatter registry
entries won't be cleaned up.
Yep; part of two general problems:
- maintenance OS compatibility with installed OS (Knoppix)
- maintenance OS "sees" the wrong installation (Bart, hosted)
It's possible to build an awareness of these things into a
CDR-bootable NT or installed NT seeing an alien HD for the same time,
but it's not been done so far.
Also, imperfect/incomplete support for the file system can leave
certain items unscanned - and that applies both to mOS and av on it.
There are ways for malware to defend against all three methods of
removal, but malware can't defend itself against formal detection,
because that process doesn't leave any footprints for the malware to
react to. That's why I advocate formal scan, research, then clean.
You should probably ask any of the Security MVPs about that, considering
they just flew in from all over the world to spend a week at Redmond to deal
with this stuff back in November. MS is not "ignoring" anything.
I've pulled down the presentations, and the subject titles do suggest
that we are worried about the same things, which is good.
The issue is deciding the right approach when you have so many
"special interests" pulling you in different directions when you can
only choose one. Home users want "easy to use" and they want
all the "goodies"... some businesses, especially if heavily "sales"
driven, want all the features and "security be damned", other
organizations want all the security and the "features be damned".
Some of these issues are easy to play Solomon with. For example:
should XP restart on errors by default, for the benefit of unattended
server use? Under most conditions, the answer is No, because pro IT
will know how to turn on that feature, while Joe Sixpack will not know
where to turn it off. Under one condition - crashes that occur before
the OS has completed booting - the answer is always No. There's no
point in restarting an unbootable OS, you just bit-rot the HD for nil.
But at the end of the tube, there is the one crunch that *defines* the
difference between Home and Pro: Who wins, the guy sitting at the
keyboard, or a notional "admin" on the 'net? Different answers there.
There are also "legalities" involved because the users "agreed" to the EULAs
of some of this Spyware at installation time because they weren't sharp
enough to know what they were agreeing to. AV companies like Symantec &
McAfee can face the possibility of lawsuits for declaring the stuff
"spyware" or other negative names and removing or quarantining it.
Things are getting murkier here - you have:
- clicked installs that pass through an EULA
- clickless installs that bypass an EULA
- "genuine" commercial software products
- commercial vendors that are out of jurisdiction
- traditional malware faking commercial status as SE
- traditional malware faking commercial status to delay av
Yes, av balk at crunching commercial malware. This has discredited
them and created the anti-cm industry to fill the gap; in fact, the
trend is currently to catch-up by forging alliances with anti-cm, etc.
And yes, commercial malware vendors have sued anti-cm vendors, who
sometimes drop detection as a result.
The solution to this is reposition the anti-cm tool as one used to
remove unwanted software - i.e. tone down the rhetoric so that the cm
vendor has nothing to sue about. All the anti-cm vendor says is "we
offer to remove programs ppl don't want. The fact that ppl have
indicated they don't want your sware and want it removed, is the need
we meet. We make no comment on the value or otherwise of your sware."
MS has been prudent in calling this stuff "unwanted software" rather
than malware or "spyware", to avoid the business plan that goes:
- write commercial malware
- provoke MS into crunching it
- sue MS for the millions you might have made
That's why I don't see "unwanted software" as the same sort of weak
understatement as "prank macro" from the Concept days.
Traditional malware may wave a few commercial signs around, delaying
av response while the av tries to follow these up to figure out
whether the sware is a "real" product or not.
OTOH, one day we'll see a PoC that waves an EULA at the user, which
the user consents to, even tho the malware is classically "virus". We
have already seen a PoC that describes itself as "This is a VIRUS!!".
For example:
The contents have been password protected to maintain your security.
The password is: "I CONSENT TO WHATEVER THIS VIRUS DOES TO MY PC".
-------------------- ----- ---- --- -- - - - -
Reality is that which, when you stop believing
in it, does not go away (PKD)