Hello folks. Jeff Williams, Tony Lee, Jigar Mody, and I have returned from the EICAR conference in Hamburg, Germany which, as a port city with a similar climate, reminded me of Seattle (but with more bratwurst). The event itself was well-organized and, at about 100 attendees, was a great size to enable networking in a close, comfortable environment. What is especially nice about this conference is that it attracts and encourages students and professors so there was a great mix of professionals and members of academia. Especially for the academics, in some cases, this is the only antimalware event they will attend so it was great to see and interact with some new faces.

Today, we released a refresh of Windows Defender (Beta 2) which includes updates based on the customer feedback that we have received through this blog and the newsgroups. This update also addresses some issues that have been brought to our attention around signature updating, improves upon the usability of Windows Defender and also improves our SpyNet reporting capabilities.

First off, we have added a checkbox option to continually display the system tray icon. We heard your feedback loud and clear on this one, so those who want to see our icon with the little green check in their system tray as a sign of system health can now do so. We have also improved Windows Defender's ability to report more accurate data about potentially unwanted software through SpyNet so that we can help create better definition updates.

With these upcoming changes to our reporting network and our core technology, we will improve our detection and removal capabilities even more in the upcoming months.

Each month, the Malicious Software Removal Tool runs on approximately 250 million computers, mainly via Windows Update and Automatic Updates. In February's release of the tool, we added the ability to detect and remove a worm called Win32/Alcan. We believed that Alcan would be moderately prevalent based on data from Windows Live Safety Center and Windows Live OneCare but we were genuinely surprised once we sifted through the data from the February release. During the course of that month, the tool detected Alcan (and, specifically, Alcan.B) on just over 250 thousand unique machines, easily the top detection for the month. Compare this to the Win32/Mywife.E worm (aka CME-24), which we removed from approximately 40 thousand computers in February.

Alcan.B does not exploit any software vulnerabilities. Instead, it spreads through popular peer to peer applications and its prevalence is likely due to effective social engineering. Specifically, when sharing copies of itself over a P2P network, to name the copies, it contacts several websites to look for the names of recent, popular program cracks. Thus, the worm's name is always relatively up-to-date and attractive to those surfing these networks for cracks. Also, when the worm is run, instead of displaying nothing or popping up 50 browser windows, it displays what appears to be a setup wizard window, as displayed in our write-up. When the user clicks next, an error message is displayed. Thus, the user is fooled into thinking that what he or she just ran was a buggy or incomplete program, not a worm.

Threats like this reinforce the idea that malware that exploits user weakness can be as dangerous as those threats which exploit software vulnerabilities and reinforces the value of up-to-date antivirus products as well as general user vigilance.

Matt

Also, a new definition update package is now available from Microsoft Update which should resolve the problem described in KB915105.  Users with Automatic Updates enabled will be notified of the availability of the release in a manner consistent with their Automatic Updates settings.

We’ve gotten some great feedback from places like this blog and our support newsgroups about the recently released Windows Defender Beta 2. We really appreciate the enthusiastic participation!

Some of this feedback has allowed us to identify a couple of problems with our setup on non-English versions of Windows: 

• We have a problem installing on systems which don’t have a group named “Users”. On these systems, the group typically exists but it is in another language.
• Sometimes the link to Windows Defender creates a new group called “Programs” at the top of the start menu.

Our international users are very important to us and so we are currently testing an updated version that fixes these issues.  That update will be available soon through the same links where you installed the original version. Until we make this version available, users may follow the steps in KB915087 to workaround these issues and successfully install Windows Defender Beta 2.

Another problem that was appearing in the newsgroups:

• Uninstalling and reinstalling can temporarily cause problems updating signatures.

This will automatically get fixed in the next update of our signatures, which is scheduled for Tuesday. Please see KB915105 for more information.

Finally, we have also received a few questions about the tray icon. A consistent point of feedback from Windows users is that there are just too many icons that appear in the system tray.  With this in mind, we decided not to display a system tray icon for Windows Defender if no action is needed.  This way, we can help the industry move towards a model where the items in the system tray are programs that need a user's attention instead of items that are simply running.  As always, your comments on this are welcome.

Thanks again for all the support and please keep the feedback coming !

Adam