Microsoft Virus Scanning Recommendations Bring Risks | Malware Blog

June 2013
S	M	T	W	T	F	S
« May
	1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28	29
30

Dec21

Microsoft Virus Scanning Recommendations Bring Risks

8:07 am (UTC-7) | by David Sancho (Senior Threat Researcher)

We have recently received queries from customers about the official exclusion list recommendations from Microsoft. It seems that they have published a Knowledge Base entry that lists down recommendations to improve performance in Windows when running antivirus scanners.

This list recommends customers to exclude certain extensions and folders from antivirus scanning. Now, although it actually makes sense to stop checking Windows Update and some Group Policy-related files if you really want to speed up the system, we are concerned by the fact that this was released publicly.

This is an overview of these recommendations from Microsoft:

Certain files in the SoftwareDistribution folder
Certain specific file name (e.g., edb.chk)
A small extension list in certain specific folder (*.log)

Plus, some other similar lists for the Group Policy.

Following the recommendations does not pose a significant threat as of now but it has a very big potential of being one. Cybercriminals may strategically drop or download a malicious file into one of the folders that are recommended to be excluded from scanning or use a file name extension that is also in the excluded list.

We find it sensible for users to aim for better system performance. However, we also think that excluding certain file types or folders from antivirus scanning is not something novice users should tinker with. Doing so may expose the system to risks that can lead to an inconvenience far more severe than a slightly slower system.

In line with this, we advise users to educate themselves fully about these recommendations before taking any action. We recommend users not to exclude any file unless there is a critical reason to do so and be aware of the risks entailed by such an action.

Share this article

This entry was posted on Monday, December 21st, 2009 at 8:07 am and is filed under Bad Sites . Both comments and pings are currently closed.

Pingback: La “withelist” de Microsoft bénéficie-t-elle aux hackers ? | my-forge.eu
http://charlesdavidshoes.net Benjamin Frost

Everytime I log onto this blog another person has commented a load of tripe (RUBBISH). When will we ever get any decent intelligent information / comments?
Pingback: Microsoft pode inadvertidamente ter ajudado produtores de vírus « Bancainfo – O Blog da Informação!
Pingback: Com ’status’ de provedor de internet, criminosos mantêm vírus no ar « DS DIGITAL
Pingback: Antivirus: Trend Micro conteste des recommandations faites par Microsoft • Calitel.eu
Pingback: Com ’status’ de provedor de internet, criminosos mantêm vírus no ar « Roun Chester Tecnologia
Pingback: Trend Micro says Microsoft encouraging viruses
Max

This is funny, because you (Trend Micro) recommend exactly the same (and many more) exclusions on your own website: http://trendedge.trendmicro.com/pr/tm/te/document/OSCE_8_0_MS_File_Exclusions.pdf
Pingback: Trend Micro desautoriza recomendación de seguridad publicada por Microsoft « Josmen's Blog
Pingback: TCDream » Microsoft pode inadvertidamente ter ajudado produtores de vírus
Erik Cumps

I have a comment concerning file extension exclusions for realtime scanning.

(Please note that I advocate no exclusions at all for off-line scanning such as manual or scheduled scans. In these cases performance is not as much of an issue as with realtime scanning.)

As of today, files with a .log extension are not executable under Windows and I don't see that changing very soon. As such .log files pose no direct threat to the security of any windows computer.

An interesting experiment would be to create a windows shortcut to an executable file and call it 'tst.log'. See if you can manage to execute the original executable file by means of 'tst.log' alone.

If these files were to be used as payload containers for illicit code, they would still need a loader/executer/interpreter to be effective. This loader/executer/interpreter would necessarily be contained in a executable file which can and will be inspected by ao anti-virus software.

Hence there is no actual benefit for the malware writer to use .log files as payload containers unless he would endeavour to create a loader/executer/interpreter that would be too generic to be detected by explicit virus definitions and not generic enough to be detected by heuristic rules. I consider it highly unlikely that such sofwtare could succesfully be made and excape detection from all realtime scanners.

Therefore I would indeed recommend to exclude any .log files from realtime scanning. In fact I would advocate to add exclusions for many more extensions: .txt, .cpp, .obj, .bmp and *.cfg to name but a few.

The main benefit is of course reclaiming the lost performance due to realtime scanning of files for which realtime scanning offers no security benefits.

Regards and season's greetings,
Erik Cumps
Confused by your logic

Having fully read the MS article, I find some of the references you make to it to be wrong, the KB article specifically says DO NOT exclude some of the file types you reference, and also mention specifically LOCKED FILES. This is the part I don't understand, if any AV, not just Trend Micro, can't access those files then how can any possible future malware do so.

Perhaps it may be time to actually open a dialogue with Microsoft about this, rather than attempting to cause fear from an as yet unknown or unspecified threat.

I am sure you are aware of how much publicity this blog has attracted, I find it amazing how much speculation can be drawn from an article that perpetrates sale by fear.

Others might call it scareware.
Pingback: Microsoft Policies Help Virus Writers, Says Security Firm, Security Firm stupid says SydneyTechGuy | Sydney Tech Guy
Pingback: Microsoft pode inadvertidamente ter ajudado produtores de vírus « Portal da Tecnologia – Uberlândia MG
http://francoisharvey.ca Francois Harvey

And… what about your own white paper. Take a lot at http://trendedge.trendmicro.com/pr/tm/te/document/OSCE_8_0_MS_File_Exclusions.pdf
Pingback: Francois Harvey » Blog Archive » MS Virus Scanning Recommendations or Trend Micro FUD ?
Pingback: Microsoft Policies Help Virus Writers, Says Security Firm | JetLib News
MowGreen

I've been helping Windows Users in the MS Public Windows Updates newsgroup for the past 8 years. Not *once* has a poster stated that their system was compromised or infected due to the locations mentioned in the Microsoft Knowledge Base article.
Here's a challenge, Trend … If you can provide *one* instance of one system being compromised or infected, I'll give you $100.
If you can't, you have to stop spreading FUD and author an AV that is compatible with Window's updating mechanism, since you apparently still haven't learned how to do that.
Deal ?
“Wild Bill” Joneston

Lame-lame-lame

Is this something that the writer just stuffed together for the holiday week so they could get credit for it?
Mike

This is really old news…there has been exclusion recommendations around for years from Microsoft….Find some other way to build a name for yourself..so-called Malware researcher! If you are really a researcher, you would know this!
Steve

It must be a slow news day. This article was first published in 2003. The article does say something to the effect of "Antivirus vendor recommendations supercede those of this article" The article was written before Microsoft and Antivirus vendors had a come-to-Jesus meeting regarding the stuff in the OS that the AV software broke and the OS stuff Microsoft allowed the AV vendors to see to make their software work better. One classic example is SYSVOL replication (NTFRS). AV software would slightly modify the file and trigger replication. If you were running AV concurrently on DC's, you would be succeptible to collision and otherwise, replication would be out of control. Since SYSVOL contains group policies, you would effectively break them and become less secure.
Susan

Do you run a server? I've seen antivirus scanning lose license files when we've not excluded the proper locations. Running antivirus on servers and workstations brings risk and a false sense of security as well.

The risk that antivirus products will scan and damage running servers and workstations is sometimes just as great if not more than the risk of viruses.

The more lengthly discussion of what should be excluded is here: http://myitforum.com/cs2/blogs/scassells/archive/2007/05/14/what-anti-virus-scanning-exclusions-should-be-considered-for-system-and-servers.aspx

Fixing the issue where the antivirus vendors can't stop the rogue antivirus, now that would be nice.
http://N/A Bob

I do not think any file/folder should be excluded from an AV's real-time scans; however, I do think that some files/folders/extensions should be excluded from on-demand scans in the interest of brevity. After all, it it didn't catch it real-time, how is it going to catch it on-demand?

Regards,
Scouris

Nice article
Have you, in your experience, ever seen or heard of a system that failled to work correctly as a result of an Antivirus solution scanning the folders that are listed in the MS Article? Microsoft allude to the fact that scanning those particular folders can cause a system to work harder, and possibly corrupt important, required, files, leaving a system that fails to work correctly. Is this feasible?
Scouris

In your experience, have you come across a situation like what they describe in the MS Article where a virus scan, scanning these folders, has caused a machine to fail to work correctly?

TrendLabs Malware Blog

Trend Micro

Targeted Attacks

Mobile

Recent Posts

Calendar