Author Archive

Posts from: blogmalware


Windows Defender Beta 2: Update

6:12 pm - February 16, 2006 in Anti-Malware Engineering Team

Hi all,

We've gotten some great feedback from places like this blog and our support newsgroups about the recently released Windows Defender Beta 2. We really appreciate the enthusiastic participation! Some of this feedback has allowed us to identify a couple of problems with our setup on non-English versions of Windows:

We have a problem installing on systems which don't have a group named "Users". On these systems, the group typically exists but it is in another language.

Sometimes the link to Windows Defender creates a new group called "Programs" at the top of the start menu.

Our international users are very important to us and so we are currently testing an updated version that fixes these issues. That update will be available soon through the same links where you installed the original version. Until we make this version available, users may follow the steps in KB915087 to work around these issues and successfully install Windows Defender Beta 2.

Another problem that was appearing in the newsgroups: uninstalling and reinstalling can temporarily cause problems updating signatures. This will automatically get fixed in the next update of our signatures, which is scheduled for Tuesday. Please see KB915105 for more information.

Finally, we have also received a few questions about the tray icon. A consistent point of feedback from Windows users is that there are just too many icons that appear in the system tray. With this in mind, we decided not to display a system tray icon for Windows Defender if no action is needed. This way, we can help the industry move towards a model where the items in the system tray are programs that need a user's attention instead of items that are simply running. As always, your comments on this are welcome.

Thanks again for all the support and please keep the feedback coming!

Adam

Windows Defender Beta 2: Updated Version Available

5:44 pm - February 21, 2006 in Anti-Malware Engineering Team

An updated version of Windows Defender Beta 2 is now available from the Microsoft Download Center. This update resolves the two issues described in the below blog post relating to non-English versions of Windows and referenced in KB915087. If you are running on a non-English version of Windows, then we advise that you uninstall the previous installation and install the updated version. If you are running on an English version of Windows, then no action is required.

Also, a new definition update package is now available from Microsoft Update which should resolve the problem described in KB915105. Users with Automatic Updates enabled will be notified of the availability of the release in a manner consistent with their Automatic Updates settings.

News on Alcan, Mywife.E

5:32 pm - April 3, 2006 in Anti-Malware Engineering Team

In Bill Gates' keynote at RSA in February, one of the subjects he spoke on was the ability for Microsoft to have a comprehensive view of the evolving threat landscape using the information and feedback from such tools as Hotmail, Watson, the Windows Malicious Software Removal Tool, and Windows Defender. Each month, the Malicious Software Removal Tool runs on approximately 250 million computers, mainly via Windows Update and Automatic Updates.

In February's release of the tool, we added the ability to detect and remove a worm called Win32/Alcan. We believed that Alcan would be moderately prevalent based on data from Windows Live Safety Center and Windows Live OneCare, but we were genuinely surprised once we sifted through the data from the February release. During the course of that month, the tool detected Alcan and, specifically, Alcan.B on just over 250 thousand unique machines, easily the top detection for the month. Compare this to the Win32/Mywife.E worm (aka CME-24), which we removed from approximately 40 thousand computers in February.

Alcan.B does not exploit any software vulnerabilities. Instead, it spreads through popular peer-to-peer applications, and its prevalence is likely due to effective social engineering. Specifically, when sharing copies of itself over a P2P network, to name the copies, it contacts several websites to look for the names of recent, popular program cracks. Thus, the worm's name is always relatively up to date and attractive to those surfing these networks for cracks. Also, when the worm is run, instead of displaying nothing or popping up 50 browser windows, it displays what appears to be a setup wizard window, as displayed in our write-up. When the user clicks Next, an error message is displayed. Thus, the user is fooled into thinking that what he or she just ran was a buggy or incomplete program, not a worm.

Threats like this reinforce the idea that malware that exploits user weakness can be as dangerous as threats which exploit software vulnerabilities, and reinforce the value of up-to-date antivirus products as well as general user vigilance.

Matt

Windows Defender Beta 2 Refresh

11:36 am - April 13, 2006 in Anti-Malware Engineering Team

Today, we released a refresh of Windows Defender Beta 2 which includes updates based on the customer feedback that we have received through this blog and the newsgroups. This update also addresses some issues that have been brought to our attention around signature updating, improves upon the usability of Windows Defender and also improves our SpyNet reporting capabilities.

First off, we have added a checkbox option to continually display the system tray icon. We heard your feedback loud and clear on this one, so those who want to see our icon with the little green check in their system tray as a sign of system health can now do so. We have also improved Windows Defender's ability to report more accurate data about potentially unwanted software through SpyNet so that we can help create better definition updates. Finally, we've made some minor updates to the UI, and we are on track to release our Japanese and German localized versions and expect to turn on the update notification for existing Beta 1 and Beta 2 customers soon, so keep an eye out!

I would also like to urge you to opt into the Advanced participation level in SpyNet. In this mode, you will not only be alerted of changes to critical system settings by recognized and potentially unwanted applications but you will also be notified of changes by applications that have not yet been classified. By choosing Advanced you can help combat spyware by sending back full reports and potential samples to our analysts. To the extent any personal information is included in an Advanced member report, this information will not be used to identify you or contact you, in accordance with our privacy policy. For example, under the Basic setting, the SpyNet report will strip off the path to an executable it found, in case it was in a folder that contained your user name; however, knowing where potentially unwanted applications install is useful information.

Thank you for helping us fight spyware and potentially unwanted software! With these upcoming changes to our reporting network and our core technology, we will improve our detection and removal capabilities even more in the upcoming months.

Thanks, Adam

On the Road at Infosecurity Europe and EICAR

5:42 pm - April 26, 2006 in Anti-Malware Engineering Team

Eric Allred and I are in London for the Infosecurity Europe conference. We spent the last two days on the conference floor with the Microsoft UK team, talking to customers and partners about Windows Defender, Windows Live OneCare, Microsoft Client Protection, and the Windows Malicious Software Removal Tool. We've also been demoing Windows Vista to customers, which includes a number of new security features to help protect from malware, spyware, and potentially unwanted software, including Windows Defender, User Account Control, and Internet Explorer 7 with Protected Mode.

On Friday, we'll be flying to the European Institute for Computer Antivirus Research (EICAR) conference in Hamburg. Jeff Williams and two more of our colleagues, Tony Lee and Jigar Mody, will be joining us at this conference. Tony and Jigar will be presenting on Behavioral Classification on Monday, May 1. I've seen an early version of their presentation and it's some pretty interesting stuff. If you're planning to be at EICAR, please track us down and say hello … and, naturally, come by Tony and Jigar's presentation on Monday.

Matt

VirusTotal Participation

2:49 pm - April 28, 2006 in Anti-Malware Engineering Team

Hi, this is Ziv Mador again from the Microsoft Anti-Malware team. This week, the folks over at VirusTotal added the Microsoft anti-malware engine to their service. VirusTotal is a free service that enables users to submit suspicious files to be scanned by several anti-malware engines. If you choose, files that are not identified as malicious are sent to the vendors who supply the anti-malware engines to this service to be analyzed. As of April 27, the Microsoft anti-malware scanner is included in the set of scanning engines used by VirusTotal. This scanner is based on the same technology found in Windows Live OneCare, the Windows Malicious Software Removal Tool, and Microsoft Antigen, and includes our full antivirus set of signatures. We are glad to be participating in this community opportunity.

Notes from EICAR

1:10 pm - May 9, 2006 in Anti-Malware Engineering Team

Hello folks. Jeff Williams, Tony Lee, Jigar Mody, and I have returned from the EICAR conference in Hamburg, Germany (which, as a port city with a similar climate, reminded me of Seattle but with more bratwurst). The event itself was well organized and, at about 100 attendees, was a great size to enable networking in a close, comfortable environment. What is especially nice about this conference is that it attracts and encourages students and professors, so there was a great mix of professionals and members of academia. Especially for the academics, in some cases, this is the only antimalware event they will attend, so it was great to see and interact with some new faces.

Similarly, I found many of the sessions presented to be unique and interesting. For example, a paper entitled "TTAnalyze: A Tool for Analyzing Malware" by Ulrich Bayer of Ikarus Software and Christopher Kruegel and Engin Kirda of the Technical University of Vienna presented some neat techniques for investigating malware behavior in an automated fashion. This paper was recognized as the best academic paper by EICAR amongst a fairly competitive field. Also, while I'm slightly biased, I thought that Tony and Jigar's presentation on Behavioral Classification was excellent. The session was well attended and attracted some healthy discussion afterwards which continued ad hoc through the remainder of the conference. With the permission of EICAR, we're pleased to be able to make Tony and Jigar's paper available from the Microsoft Download Center, so enjoy!

Another interesting thread of sessions and discussions was on testing of anti-spyware applications. Both Larry Bridwell from ICSA Labs and Josh Harriman from Symantec offered presentations on this topic. Unlike the antivirus product testing and certification space, which is reasonably established, antispyware testing is still in its infancy. The number of different custom evaluations being conducted currently is dizzying, with almost all offering different criteria. Microsoft is actively working with other entities in the security industry on making a set of more deterministic and reproducible evaluations. Along this vein, Jeff and Eric Allred will be at the Antispyware Coalition (ASC) meeting in Ottawa May 15-16, along with representatives from most of the other security vendors. If you have input into antispyware testing standards, I highly recommend you attend this event and chat with Jeff and Eric … or reply to this blog post.

Matt

Computers, Freedom & Privacy Conference

3:55 pm - May 11, 2006 in Anti-Malware Engineering Team

On my way back from EICAR I had the opportunity to stop in to the Computers, Freedom & Privacy Conference in Washington DC and participate in a panel discussing the responsibilities of an adware provider. From the few sessions I was able to attend it looked to be a great conference, one that I'll try to attend in full next year. The panel I participated in was moderated by Eric Goldman, a law professor at Marquette University. Joining me on the panel were Ari Schwartz of CDT and the Anti-Spyware Coalition, Vishant Shah of CSIA, as well as the general counsel of an adware company. Eric posed some great questions such as "When are advertisers responsible for adware vendors' acts, and what steps do you think advertisers should take to satisfy this responsibility?" and "When do we know that users actually consented to install software on their computers? Specifically, what steps must a software vendor take to make sure users mean to install the software on their computers?" The audience was very engaged in the discussion and, while I won't suggest that the questions were answered definitively, I do think that some interesting points were raised.

One main item I took away from the discussion is that the industry would benefit from a set of commonly agreed-to best practices for software. It would make categorizing software easier and it would also make it easier for software providers to see what types of things they ought to be doing if they want their customers to have a positive experience. Fortunately, best practices is a topic for the upcoming Anti-Spyware Coalition Workshop and meetings in Ottawa next week.

Jeff

A Closer Look at Behavioral Classification

12:50 pm - May 16, 2006 in Anti-Malware Engineering Team

Hi, my name is Tony Lee. I am a virus researcher on the Microsoft Antimalware team. One of our top priorities is to conduct advanced research to combat malware problems. A significant challenge we have today is the large number of active malware samples, totaling in the order of tens of thousands and increasing rapidly. It has become apparent to us that the traditional manual analysis process is not adequate in dealing with malware of this order of magnitude, and that we should seek automation technologies to aid human analysts. To address this challenge, we are conducting research on technologies which model human analysis, to enable autonomous processes that analyze and classify malware in an automatic and adaptable manner.

As described in Matt's EICAR recap post last week, my colleague Jigar Mody and I presented a paper on this research work at the EICAR conference in Hamburg, Germany. The subject was automatic malware classification using runtime events and machine learning. The underlying approach we took involves capturing malware behavior in a time sequence of events, which is a knowledge representation we then used as input to a machine learning process to uncover similarity information across a large number of malware samples. The novelty in this research is the application of a distance-based clustering algorithm on behavioral data observed during malware execution. Past technologies and research attempts, such as rule-based, weights/thresholds and abstract feature set approaches, focus mostly on heuristics to detect generic categories of malware (e.g. malicious or not); common challenges include algorithms too generic to provide classification precision or difficult to scale to unaccounted characteristics. Having looked into numerous research and technologies from the past, we decided to take a step back and approach the problem from ground zero.

First, we conceptualized the classification process in terms of knowledge consumption, representation, learning, and application. We then tackled the basic problem of representing knowledge extracted from malware. By using event sequences as a representation, we were able to describe the ordered effects or system transition states observed from malware behavior. Unlike common statistics-based data mining techniques (association rules, Bayesian classifiers, term vector, etc.), we use instance-based learning, allowing objects represented in rich syntax (ordered sequence). We solved the object distance problem by adapting Levenshtein distance to measure similarity between objects. We took an innovative approach to fine-tune edit operation cost as a function of event type, values and operation type, in order to achieve optimal similarity precision. We then employed the K-medoids clustering algorithm to construct semantic groups of malware objects based on the similarity measure, classes to serve as the basis for family classification.

The preliminary tests, conducted among 3 to 11 families with over 700 variants in total, showed fairly high classification accuracy, up to 84%. The tests reveal a consistent trend of improving results with respect to the number of families, clusters and events. As the number of events used in the similarity measure increases, we see the increase in accuracy we expected. We also found that the number of clusters and families affects the classification accuracy positively because, given a proper similarity measure, the more semantic groups proposed, the more centers or space there are for data points to be drawn to the right groups. We also observed that the outlier effects were contained to a degree in proportion to the number of clusters proposed, because of the stronger collective gravitational forces due to the increased number of centroids. For more detailed observations, please see the paper available for download from the Microsoft Download Center.

We are continuously working on optimizing the algorithms and techniques of this system, such as the similarity measure precision, clustering algorithm efficiency, malware replication system effectiveness, and applications in domains such as automated behavior descriptions and correlation analysis. The method we have proposed in the paper is one of the many routes towards a solution that addresses the challenge of a growing number of malware in the wild.

Tony
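The event-sequence representation, Levenshtein-based similarity and K-medoids clustering the post describes, as an added Python example that is not Microsoft's code or the paper's implementation: edit costs vary by event type and by whether a substitution changes the type or only its argument, medoids are seeded farthest-first and refined PAM-style, and accuracy is scored as cluster purity against constructed traces from three hypothetical families. The event types, argument values, cost weights and traces are all assumptions made for illustration.

```python
# Added example, not Microsoft's code or the paper's implementation: weighted
# Levenshtein distance over runtime-event sequences plus K-medoids clustering.
# Event types, arguments, families and cost weights are assumptions.
from collections import Counter
# Constructed traces of (event_type, argument) in time order; a name's first letter is its family.
SAMPLES = {
    "A1": [("file_create", "a.exe"), ("reg_set", "Run"), ("proc_start", "a.exe")],
    "A2": [("file_create", "a2.exe"), ("reg_set", "Run"), ("proc_start", "a2.exe")],
    "A3": [("file_create", "a.exe"), ("reg_set", "RunOnce"), ("proc_start", "a.exe")],
    "B1": [("net_connect", "p2p:4662"), ("file_create", "crack.exe"), ("file_create", "keygen.exe")],
    "B2": [("net_connect", "p2p:4662"), ("file_create", "crack2.exe"), ("file_create", "patch.exe")],
    "B3": [("net_connect", "p2p:6346"), ("file_create", "crack.exe"), ("file_create", "keygen.exe")],
    "C1": [("net_connect", "http:80"), ("net_connect", "http:443"), ("file_create", "dl.exe"), ("proc_start", "dl.exe")],
    "C2": [("net_connect", "http:80"), ("net_connect", "http:443"), ("file_create", "dl2.exe"), ("proc_start", "dl2.exe")],
    "C3": [("net_connect", "http:8080"), ("net_connect", "http:443"), ("file_create", "dl.exe"), ("proc_start", "dl.exe")],
}
FAMILY = {name: name[0] for name in SAMPLES}  # ground truth, used only for scoring
# Edit costs depend on event type (insert/delete) and on whether a substitution changes the type.
INDEL_COST = {"net_connect": 1.0, "reg_set": 1.0, "proc_start": 0.8, "file_create": 0.8}

def subst_cost(e1, e2):
    if e1 == e2: return 0.0
    return 0.3 if e1[0] == e2[0] else 1.0  # same type, new argument / different event type

def event_distance(a, b):
    """Weighted Levenshtein distance between two event sequences (dynamic programming)."""
    indel = lambda e: INDEL_COST.get(e[0], 1.0)
    d = [[0.0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i, e in enumerate(a): d[i + 1][0] = d[i][0] + indel(e)   # delete everything
    for j, e in enumerate(b): d[0][j + 1] = d[0][j] + indel(e)   # insert everything
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i - 1][j] + indel(a[i - 1]),                     # delete a[i-1]
                          d[i][j - 1] + indel(b[j - 1]),                     # insert b[j-1]
                          d[i - 1][j - 1] + subst_cost(a[i - 1], b[j - 1]))  # substitute
    return d[-1][-1]

def k_medoids(samples, k):
    """PAM-style K-medoids: farthest-first seeding, then assign/update until medoids stop moving."""
    names = list(samples)
    dist = {(x, y): event_distance(samples[x], samples[y]) for x in names for y in names}
    medoids = [min(names, key=lambda n: sum(dist[n, o] for o in names))]
    while len(medoids) < k:
        medoids.append(max(names, key=lambda n: min(dist[n, m] for m in medoids)))
    while True:
        clusters = {m: [] for m in medoids}
        for n in names:
            clusters[min(medoids, key=lambda m: dist[n, m])].append(n)
        new = [min(ms, key=lambda c: sum(dist[c, o] for o in ms)) for ms in clusters.values()]
        if set(new) == set(medoids):
            return clusters
        medoids = new

def classification_accuracy(clusters, labels):
    """Fraction of samples whose cluster's majority family matches their own label."""
    correct = 0
    for members in clusters.values():
        majority = Counter(labels[m] for m in members).most_common(1)[0][0]
        correct += sum(labels[m] == majority for m in members)
    return correct / len(labels)
```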

Antispyware Coalition Meeting in Ottawa

2:53 pm - May 24, 2006 in Anti-Malware Engineering Team

Eric and I attended the Antispyware Coalition Meeting and Workshop last week. It was a good opportunity to meet with many of our peers in the industry as well as a very pleasant trip overall. Ottawa, where the event was held, is a great city and in addition to everything else the trip afforded us the opportunity to enjoy some great native cuisine of the region.

A common theme which ran between both the meeting and the workshop was the idea of sharing of intelligence. In the meeting we discussed a proposal based on ideas Eric suggested last month centering around the sharing of threat URLs between anti-spyware providers with a goal of improving capabilities across the industry. The concept was endorsed and presented at the meeting by Symantec and ICSA Labs and seemed to be very well received. There are still a lot of things to be worked out but I'm excited about this kind of industry cooperation.

In the workshop I had the opportunity to present as part of a panel on the topic of Public and Private Cooperation. On the panel with me was Joe Jarzombek, Director of Software Assurance at the US Department of Homeland Security, as well as Christine Owen of Webroot, and we were moderated by Neil Schwartzman of CAUCE Canada. Some of the points that Joe raised when discussing the mission of DHS with regard to protection of the Internet reinforced for me the importance of broad and deep industry collaboration when dealing with threats such as spyware and other malicious code. Other sessions at the workshop covered the various harms caused by spyware, where spyware comes from, legislative solutions and driving awareness of risks within both the consumer and enterprise spaces. Even better than the sessions were the many conversations and ideas shared between member attendees on a range of topics, both technical and social, relating to how we can all combat these various threats better.

Jeff
