Without prejudice, but OneCare sucks big time

Guest

Without prejudice, but OneCare sucks big time – and yes, I do realise it’s a
beta. I’m using the Vista Ultimate RTM release, and OneCare could not detect
(let alone combat) one virus and one Trojan on our testbed system. OneCare’s
tuning option removes files willy-nilly without letting the user know what it
removed. Turned out it removed system files needed by other software to run!
OneCare’s firewall (which replaces the Vista firewall) is even less
dependable / customizable, even though it offers full both-way protection
out of the box. OneCare’s insistence on having Automatic Updates turned on is
also rather annoying; after all the user should have the option whether s/he
wants that feature or not – and a lot of people do not want to be alerted on
a daily basis about some minor crappy updates that do little, if anything, to
improve performance or security!

Microsoft really needs to rethink its strategy and approach to all aspects
of security as a matter of priority. By attempting to block third-party
vendors from supplying solid, reliable security software, Microsoft leaves
Vista wide open to code hackers and other malware suppliers. Quite frankly,
Microsoft’s reputation for delivering reliable and trustworthy security
applications is at best very, very low! Until people can trust Vista, Vista
sales will be slower than a snail on speed!

Personally, I am running Vista Ultimate with Nod32 for anti-virus
protection, and make the most out of the inbuilt firewall, which - with a bit
of tuning - is well capable of monitoring and preventing traffic in both
directions. A little free utility called “Vista Firewall Control” from
Castlecops helps tremendously in that task.

But make no mistake, as soon as other software vendors have managed to
release reliable security software products for Vista (Agnitum, Kaspersky,
AVG et al) I will definitely employ one of their firewall products, dumping
Microsoft’s Defender and firewall for good! Unfortunately Trend Micro’s beta
security package expires on 31-12-2006. Though very capable, it was a massive
resource hog (+/-170MB) and did not allow any other antivirus program on the
system, which I frankly find rather off-putting!

On a final note, I find Microsoft’s behaviour utterly disgraceful. Vista is
definitely a nice step up, but Microsoft’s blatant attempt of trying to
corner the security market is not only anti-competitive, but almost criminal,
given Microsoft’s poorer than poor history of OS security!

Let’s hope justice will be served in a similar manner as when Microsoft was
told to refrain from forcing people to use just their browser, just their
media player and so on!!!
 
Guest

Well -- I have to say that I can sympathize with you in respect to the
quality of the WLOC package, though I have to admit that I haven't tried the
version 1.5 beta under Vista RTM. My foray into dealing with WLOC was with
version 1 under Windows XP. I was truly astonished at how flaky the software
was. It had a tendency to kill communications between the wired and wireless
sides of home networks (or altogether, for that matter), its definitions
update behavior was quirky, and it lacked granular control for some features
that I felt should have been exposed (at least for some users).

I kept hearing that Microsoft intended this product for people who were NOT
expert (nor, apparently, even very interested) in system security. That
seemed to be the answer for most of the criticisms I read on the design.
Okay, fair enough. I'll use something else. If they don't fix it soon I
foresee people staying away in droves. No one should be paying money for it
in its present condition.

However, I can't paint the entire suite of software with one brush. Though I
could certainly quibble with a few features of Windows Defender (available
separately for free for WinXP and built right in to Vista) I find it to be
reliable and effective. I would like a little more precise control (or just a
little more control) over some of its features, but I know of no
similar-functioning software with superior functionality. It was a basic
security function that Microsoft needed to put into their OS. I'm glad they
did it.

That brings us to your accusation that Microsoft is somehow trying to
prevent other vendors from providing security solutions for Vista. I don't
think I see evidence of that at all. I have certainly seen some major
foot-dragging on the part of a lot of security software purveyors who seem to
want to continue writing some of the same sort of crappy pseudo-driver-ridden
junk that has been crippling Windows systems for years. I'm glad Microsoft
has put their foot down on this one, and I'm delighted to see that a number
of software houses have risen to the challenge. I suspect that, in the end,
I'll wind up wishing Microsoft had been even tougher about it.

The firewall issue is going to be a difficult issue for many software houses
to deal with because TCP/IP is, apparently, new from the ground up in Vista.
Are you thinking that Microsoft has deliberately worked to exclude this
possibility? I don't know. And, frankly, I'm not sure I care about that. I'm
thinking the basic inbuilt firewall in Vista used prudently from behind a
router with NAT and SPI is a decently safe system.

I'll give you that the AV and the dumb (IMHO) tune-up app in WLOC are pretty
sloppy -- extraordinarily sloppy by Microsoft standards. And their
implementation, at my last sampling of it, of the firewall within that
application is horrific. I had to scrub that stuff off of every system on
which I tested it. And once you've removed the WLOC software from a system
you can find that you've got a heck of a problem trying to regain control of
the original firewall or to put other AV software (in a functional state)
back onto the system. They've even made a special uninstaller utility for it
-- that doesn't work very well.

I guess what I'm saying is that I think that controlling startup functions
(hence the ability of spyware, adware, etc. to screw up a system) and the
firewall really are the duty of the OS writer. The vulnerabilities that
Windows Defender and the Windows firewall cover are intrinsic to the design
of the operating system, and, so, should be dealt with by the people who
write the OS. Likewise, the idea of automatic security updates doesn't bother
me. I've seen some pretty darned good arguments for making them mandatory for
any system connected for general uses to the Internet. I'm with Microsoft on
these issues, and I think they're doing a pretty good job.

Their add-on WLOC application with its iffy AV functionality, disastrous
firewall controls, stupefyingly bad install/uninstall procedures -- eh, they
charge for it, and I ain't buying it -- at least not until they fix it.
 
Kerry Brown

Well said. A lot of WLOC sucks big time. Parts of it are OK. The one Vista
system I tried it on suffered from a dramatic slowdown. The AV wasn't very
effective. It missed several viruses scanning a purposely infected USB
drive. The firewall took over from the Vista firewall and is no where near
as good although it is easier to administer for a novice. To get it off the
system I had to format and do a clean install. Microsoft would have to make
some big changes for it to ever come near any of my computers again.
 
Dale

I am, for the most part, an expert user - even if not yet expert with Vista.
I am a MCSE, MCAD, MCDBA with many years as an IT professional and Windows
developer.

What I like about WLOC, Vista, and Vista's UAC, especially for my home, is
that I don't have to "work" on my home PC. For years, I have had to
manually worry about securing my several home PCs including anti-virus
patching, update patching, firewall management, and so on. It was like
being at work and seriously impaired my ability to enjoy the PC at home.

The combination of products (Vista/WLOC) appears, so far, to satisfy even my
demanding eye when it comes to home PC security and does it without me
having to think about it. That is, in my opinion, exactly what 90% of home
users need: something they don't have to think about.

If there are better firewalls but the home user has to become a firewall
expert to use them, they won't use them correctly, if at all. If there are
better anti-virus programs but the home user has to search them out, make a
choice, download, install, configure, and update them, then the home user
won't use them. Supporting these facts is the fact that there are literally
millions and millions of home PCs currently being used in bot networks and
for sending spam without the home computer owners' knowledge. The existing
availability of alternative firewalls, anti-spyware software, and anti-virus
software has done little to stop malware so far.

I'll concede one point against WLOC and Defender alone, in the absence of
UAC. Since Microsoft's attempt to purchase Gator, and subsequent removal of
Gator owned products from Defender's spyware list, I'm not real confident
that the inventor of spyware/adware is the one to trust to stop them. I am,
however, counting on UAC to at least let me know when something is being
installed so I can make the decision myself.

Dale
 
Guest

Oh yeah, I forgot about the Gator thing, but that's really easy enough to
circumvent for those who care. But there really is (or at least was) much
more wrong with WLOC than Gator not being on the "list". I saw problems with
every WLOC installation on a WinXP system on which it was installed last Fall.
At least at that stage in its development I would put it right up there with
Symantec's CrashGuard in the Crapware Hall of Fame. Maybe they've improved it
since then. I hope to heck they have. Anyone with even the slightest
variation from a bog standard WinXP setup was taking his system's life in his
hands when he installed WLOC at the time I was testing it. It was so bad I
just couldn't believe it. Haven't seen such a bad outing for such a highly
touted piece of software -- ever.

I'm running Vista Business RTM on two systems with NOD32 as the anti-virus
(with automatic scanning set). That plus automatic WinDefend scanning and the
decent disk cleanup and automatic defrag make for a pretty safe, care-free
pair of systems at home. I doubt that I spend any more time tending these
than you spend tending yours. And I doubt that they are any less safe.

IMO MS needs to make WLOC more effective and get rid of the bugs. They do
that, they may have a winner on their hands. Right now, it's a wiener.

Perhaps I'm bitter because I got caught in a trap with this software. A
friend in a distant city (one of those people who really doesn't
need a challenge) called me in September to ask about WLOC. I told her I
hadn't any experience with it, but that it included Windows Defender and a
supposedly improved version of the Windows firewall. I told her that I had
heard that it was nearly free of need for intervention from the user. She
said that sounded fine. She hosed both of her systems with it. NOT ready for
prime time, or even public beta for that matter. That they had the gall to
take her credit card number for a subscription was a bit much for me. I
pestered her about it until she got her money back. And I felt compelled to
fix the two systems for her. I thought maybe she had done something stupid to
cause the failures.

When I tried the software out for myself later on I found out that she had,
indeed, done something stupid -- installing the software. That's all it took
on the systems I tested, too.

I do realize that testing a piece of software on just a few boxes doesn't
produce compelling scientific assessment, but such a spectacular level of
failure with new software (that's being charged for) is rare in my
experience. And I've used computers every day of my life since 1963.
 
Guest

Without prejudice, which virus and which Trojan could OneCare not detect?
Have you reported that to Microsoft? Which system files did OneCare remove?
Have you reported that to Microsoft? In what specific way did OneCare's
firewall fail you? Have you reported that to Microsoft? And finally, it's
nice to see posts here on the windows.vista.general newsgroup, but if the
problem is with OneCare, are you reporting it on its own newsgroup? Since I
don't know if you're using 1.0 or 1.5, here's the link to the main OneCare
newsgroup page:

http://forums.microsoft.com/WindowsOneCare/default.aspx?ForumGroupID=28&SiteID=2
 
Dale

I have another point, inspired by David's questions about which virus and
which spyware.

I have done a lot of testing, reviews, and comparisons of anti-spyware and
anti-virus programs over the last several years. What those tests have
shown me is that not a single anti-spyware or anti-virus program will find all
threats. Finding one that WLOC didn't find is meaningless unless you found
only one - in which case it would be a heck of a strong selling point for
WLOC.

There have been independent tests of anti-spyware and anti-virus
applications where the tests were intentionally skewed because the testing
company has carefully chosen the spyware/virus samples for the test in order
to benefit the company paying for the test so it is hard to judge even when
reading test results from supposedly independent tests.

I think that UAC is the key. UAC, along with any reputable anti-virus
program and automatic updates does as good of a job as one can ask for.
Unfortunately, some people will still automatically approve the requests by
UAC and nothing will protect them.

In my opinion, there are no reputable anti-spyware programs - they have all
either sold out to, or caved to threats from, at least one purveyor of
spyware.

Dale
 
Guest

I realize that your response is directed to the OP, but I will answer for
myself. I posted about the numerous issues I had with WLOC in the
appropriate portions of the newsgroup. There were no solutions forthcoming.
The two modes of firewall failure I experienced on the test machines, and the
one which my friend experienced, were documented on those newsgroups and
quite well-known. Again, without any solution whatsoever being available. The
inability to uninstall the software correctly was another well-known issue.
The utility developed for (unsuccessfully in many cases) removing WLOC from
systems in which the Add/Remove Programs entry failed to work is posted in a
sticky post at the top of several of the newsgroup sessions, I believe.

I myself never saw an indication that the AV missed any viruses. On the
other hand, what I did witness was software that couldn't get out of its own
way. Software which defeated previously working network connections and
printer and file sharing. It was impossible even for experts to fix. I opened
two separate support issues on the software with no resolution coming from
either -- other than starting from bare metal. We've got testimony from an
MVP right in this thread who had to nuke Vista. I had to nuke 4 out of 7
systems on which I saw the software installed. How much worse could the
software have been? Frankly, I'd almost be as happy running unknown malware
as that software in the condition in which I witnessed it during the Fall.

I think that the WLOC idea is quite good. I think that the execution (up to
the point where I abandoned it) was unbelievably bad. I think that the folks
on the newsgroup were doing their dead level best to support a product which,
for more than a small percentage of users, was insupportable.

I abandoned any attempt at using WLOC before RTM of Vista. My experience
might predate a solid turnaround in the performance of the development and
support teams. But nothing less than such a turnaround, with at least a few
months' solid reputation behind it, could possibly get me to take it near
another system.
 
Guest

Very good points, all. Though I have no love for the version of WLOC I tried
I still have to admit that the idea is a good one -- if Microsoft can
implement it properly.

UAC isn't the only way to accomplish an improvement in the security stance
of Windows. I think Microsoft is trying to walk a very difficult path here. I
suspect that the UAC implementation was as close as they could get to being
strict without totally alienating a large portion of their user base.
Frankly, it tickles me (in a bad way) to see how many people are so
determined to deal UAC an immediate death blow the second they start using
Vista. I think anyone who really values the possibilities of new technology
should, perhaps, give that technology a chance to work as designed before
trying to force it into a different mode of behavior that suits an earlier
paradigm.

And, as you say, even those who don't turn UAC off are likely to start
clicking OK to anything and everything that pops up for confirmation. Oh
well, you can't protect those folks from themselves. And you won't be able
even to keep them from blaming Microsoft when their systems go up in smoke.

I, too, am not worried about an AV scanner missing the odd malware --
depending upon why it misses it. If the software itself is so busy stumbling
over itself that it wouldn't detect anything at all, then that becomes a
grave problem. As I said, I didn't see that behavior in my testing. What I
did see was software that took a few clean WinXP systems and turned them into
smoldering ruins. No exaggeration.

The anti-spyware thing? Well, I don't care what Microsoft calls Gator, or
what Ad-Aware or Spybot S&D or the others call this or that. All I need are
the tools that show me everything that runs on the system. Microsoft has,
essentially, given us that. The users who care to inform themselves will be
able to protect themselves. Those who don't care enough to inform themselves
cannot be protected by anything -- except a bad network connection.

;)
 
Michael D. Alligood

I have thoroughly enjoyed reading this thread. You guys have stated your
case on both sides with professionalism and respect for each others
opinion. Thanks for that. Now my two cents! :) I am currently running
WLOC Version 1.1.1067.14 and Windows Defender Version 1.1.1593.0. I have
used both programs since available in early beta version from Microsoft
and have had ZERO issues with it. I have endlessly tested my lab
computers, and finalized the test by giving the computer to my 16 year
old step son. If that is not a test I do not know what is! The computer
is running flawlessly. Caring only about online gaming, chatting, and
p2p my son has come to get me a few times because WLOC has
displayed spyware block windows, and he wanted to know if he infected
the computer. On this particular machine, I also have all of the
popular paid and free versions of Anti-Spyware as well as AVG. I run all
of these programs against WLOC and nothing is detected. Now, you might
think I just dug myself a hole with that last statement. However, as
much as I enjoy WLOC, I would not want ANY program to be the end all
detection program.

Can websites, particular spyware, or viruses be documented to
substantiate these feelings toward WLOC? I am not disagreeing with
anyone's opinion, but I am a facts guy; black and white documentation.

Thanks again for your professionalism. It has been an earlier Christmas
present in the MS newsgroups as of late.

--
Michael D. Alligood
MCSA, MCDST, MCP, A+,
Network+, i-Net+, CIW Assoc.,
CIW Certified Instructor
 
Dale

Actually, there is one big hole in the tools Microsoft gives you for
identifying running processes. That big hole is rootkits. As I said in my
blog article on rootkits at
http://www.dalepreston.com/Blog/2005/04/rootkits-and-hooks.html, Microsoft
could eliminate that entire class of threats as simply as providing an
unhookable API call that allows the enumeration of all hooks.

Until they do that, they haven't given you the tools to see what's running
on your PC.

Dale

 
Daze N. Knights

Do you have any speculation to offer on why MS might have chosen not to
do that, Dale?
 
Dale

Well, that question sure seems like troll-bait but here goes, just the same:

It could have been an oversight in early Windows versions that just has not
been addressed yet or it could be that Microsoft sees rootkits as a valid
mechanism for enforcing DRM, just as Sony does.

Another point on hooks is that all keylogging applications depend on them.
Just having the means of enumerating hooks would give anti-virus software
makers an excellent new means of identifying previously unknown trojan horse
software like that.

Dale
 
Daze N. Knights

Interesting. I have a very limited understanding of these things, but
the notion that, perhaps, as you suggest, "it could be that Microsoft
sees rootkits as a valid mechanism for enforcing DRM" was the
possibility that was occurring to me when I asked for your speculation.
And if, as you say, "all keylogging applications depend on [hooks],"
enumerating them for us would also alert, say, office workers to the
fact that their bosses were spying on them, etc. would it not?
 
Daze N. Knights

And BTW: Thanks for mentioning, and providing a link to, your
interesting and informative article.
 
Dale

There are hardware keyloggers that don't use hooks so your employer might
still be spying on you. Some of those can be embedded in any keyboard so
you can't even see it. But hardware keyboards are out of the realm of
influence of Microsoft and Windows.

Also, your employer can easily monitor all internet traffic, including every
single web form you fill out (except, so far, https forms). If you use any
internet chat program, they can log anything you do on that as well. While
I have been tasked to install keystroke loggers (commercially available and
semi-user visible in that the program is an advertised program and shows in
the Program Files folder and in the Add/Remove programs list) those are
pretty rare cases by seriously paranoid management.

I worked for a large automotive parts supplier company at one time who used
Microsoft SMS server to watch employees' screens using the remote control
capability. There's always a way to watch what you're doing when someone
has physical access to the PC, especially in a business situation where IT
has administrative rights to the PC.

The gain from using a hook enumerating API function would be more for
protection of individual PCs and PCs on the Internet.

Dale

 
John Barnes

Now employers MUST be able to provide ALL electronic activity and be able to
produce it in court in the U.S.
Sure provides incentive for them to monitor it also.

 
Daze N. Knights

Hmm. I would guess so. Then the employers-spying-on-employees angle
doesn't really have much to do with the concerns about which Dale has
written . . .


Dale

That's probably just cover so they can say they got the data from your
employer rather than the NSA.

Dale

John Barnes said:
Now employers MUST be able to provide ALL electronic activity and be able
to produce it in court in the U.S.
Sure provides incentive for them to monitor it also.

Dale said:
There are hardware keyloggers that don't use hooks so your employer might
still be spying on you. Some of those can be embedded in any keyboard so
you can't even see it. But hardware keyboards are out of the realm of
influence of Microsoft and Windows.

Also, your employer can easily monitor all internet traffic, including
every single web form you fill out (except, so far, https forms). If you
use any internet chat program, they can log anything you do on that as
well. While I have been tasked to install keystroke loggers
(commercially available and semi-user visible in that the program is an
advertised program and shows in the Program Files folder and in the
Add/Remove programs list) those are pretty rare cases by seriously
paranoid management.

I worked for a large automotive parts supplier company at one time which
used Microsoft SMS server to watch employees' screens using the remote
control capability. There's always a way to watch what you're doing when
someone has physical access to the PC, especially in a business situation
where IT has administrative rights to the PC.

The gain from using a hook enumerating API function would be more for
protection of individual PCs and PCs on the Internet.

Dale

Proconsul

Without prejudice, but OneCare sucks big time – and yes, I do realise
it’s a beta. I’m using the Vista Ultimate RTM release, and OneCare
could not detect (let alone combat) one virus and one Trojan on our
testbed system. OneCare’s tuning option removes files willy-nilly
without letting the user know what it removed. Turned out it removed
system files needed by other software to run! OneCare’s firewall
(which replaces the Vista firewall) is every, very low! Until people
can trust Vista, Vista sales will be slower than a snail on speed!

But make no mistake, as soon as other software vendors have managed to
release reliable security software products for Vista (Agnitum,
Kaspersky, AVG et al) I will definitely employ one of their firewall
products, dumping Microsoft’s Defender and firewall for good!
Unfortunately Trend Micro’s beta security package expires on
31-12-2006. Though very capable, it was a massive resource hog
(+/-170MB) and did not allow any other antivirus program on the system,
which I frankly find rather off-putting!

On a final note, I find Microsoft’s behaviour utterly disgraceful.
Vista is definitely a nice step up, but Microsoft’s blatant attempt
to corner the security market is not only anti-competitive,
but almost criminal, given Microsoft’s poorer than poor history of OS
security!

Let’s hope justice will be served in a similar manner as when
Microsoft was told to refrain from forcing people to use just their
browser, just their media player and so on!!!

Another complainer without an argument.....

Don't like One Step? Don't buy it......

Prefer something else, use that instead.....

What in the world is disgraceful about MS marketing a competing product
in the security market? Nothing - no more "disgraceful" than Norton,
Kaspersky, AVG and many others competing....

There seems to be no limit to the lengths to which the "I hate MS
crowd" will go to try to criticize the company. Be thankful for the
gift you were given when Gates, et al, marketed their products for mere
pennies that allow you to operate your computer and do useful work with
it.....

PC
 
