While not broadly publicized, Microsoft has developed a tool to remove rootkits and other advanced malware from systems running these versions of the Windows operating system: Windows XP Service Pack 3; Windows Vista (RTM, Service Pack 1, or Service Pack 2, or higher); Windows 7 (RTM, Service Pack 1, or higher) in both 32-bit and 64-bit editions. The tool is called “Microsoft Standalone System Sweeper Beta.” Looks like it has been designed for use by support personnel.

Thank you for contacting Microsoft Support. You have been directed here to download and install the beta version of Microsoft Standalone System Sweeper Beta, a recovery tool that can help you start an infected PC and perform an offline scan to help identify and remove rootkits and other advanced malware. In addition, Microsoft Standalone System Sweeper Beta can be used if you cannot install or start an antivirus solution on your PC, or if the installed solution can’t detect or remove malware on your PC.

Microsoft Standalone System Sweeper Beta is not a replacement for a full antivirus solution providing ongoing protection; it is meant to be used in situations where you cannot start your PC due to a virus or other malware infection.

I haven’t tried it out yet, but it’s probably a good idea to download and build bootable media for both the 32-bit and 64-bit editions.

If anyone tests this before I do, please leave a comment.

The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software.

Note: The Microsoft Safety Scanner expires 10 days after being downloaded. To rerun a scan with the latest anti-malware definitions, download and run the Microsoft Safety Scanner again.

This appears to be a variation of the Malicious Software Removal Tool (MSRT) that Microsoft runs on your system each month if you have automatic updates turned on. From what I can determine, the Microsoft Safety Scanner (MSS) is simply an on-demand version of Microsoft Security Essentials (MSE) that also targets some of the specific MSRT targets. I guess that makes sense in some way? Why wouldn’t you just use MSE and turn on automatic updates? Seems like the same effect.

Some people have noted that McAfee has a comparable tool, also free, called Stinger. Trend Micro, Symantec, and Malware Bytes also offer on-demand scanners. Also noted is that MSS is a 67 MB download while Stinger is just under 8 MB. Why such a disparity? Does this indicate that MSS has a much larger malware signature file, or is it just typical Microsoft bloat?

I don’t plan on testing MSS, so if you have any comments on your experiences with it, please leave them here.

I take issue with that. Microsoft is only offering MSE download via update to Windows users who aren’t already running antivirus software. The commercial AV firms clearly are miffed because their products aren’t being offered for download. That’s just ridiculous.

I’ve long criticized Microsoft for poor security practices, but with MSE, they got it right. I’m certainly no apologist for Redmond, but all of this drivel about being anti-competitive has to come to a stop at some point. Why in the world should Microsoft be forced to market other firms’ products for free? And that’s exactly what the others are saying.

Juan Santana, CEO of Panda Security argues, “We agree with Microsoft; it’s better to have some protection than not having any at all. However, the way the guys in Redmond are executing the idea is risky from a security perspective and could very well make the malware situation much worse for internet users. That’s why we encourage Microsoft to continue using Windows/Microsoft Update but instead to push all free antivirus products available on the market, not just MSE.” (You can read his blog post.)

Horseapples! How in the world is putting protection in place where there is none going to make the malware situation worse for Internet users? The argument has no substance. It’s illogical in the extreme.

Shame on both Panda and Trend Micro (who have both lost credibility with me as a result of this). Wouldn’t time spent on promoting the advantages and/or superiority of their products be more productive than trying to force Redmond to do their marketing for them?

Stuxnet was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes. Stuxnet includes the capability to reprogram the programmable logic controllers (PLCs) and hide the changes. According to a PC World report, “… Ralph Langner, a well-respected expert on industrial systems security, published an analysis of the worm, which targets Siemens software systems, and suggested that it may have been used to sabotage Iran’s Bushehr nuclear reactor. A Siemens expert, Langner simulated a Siemens industrial network and then analyzed the worm’s attack.”

See Microsoft Security Bulletin Advance Notification for October 2010.

This was first revealed on June 10, 2010 in Microsoft Security Advisory (2219475). It was updated on June 15th.

Microsoft is investigating new public reports of a possible vulnerability in the Windows Help and Support Center function that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. Microsoft is aware that proof-of-concept exploit code has been published for the vulnerability. Microsoft is also aware of limited, targeted active attacks that use this exploit code.

This problem is related to the HCP protocol. It’s still not patched, but here is a workaround for it:

Unregistering the HCP Protocol prevents this issue from being exploited on affected systems.

Using the Interactive Method

1. Click Start, click Run, type Regedit in the Open box, and then click OK

2. Locate and then click the following registry key: HKEY_CLASSES_ROOT\HCP

3. Click the File menu and select Export

4.In the Export Registry File dialog box, enter HCP_Procotol_Backup.reg and click Save. Note This will create a backup of this registry key in the My Documents folder by default.

5. Press the Delete key on the keyboard to delete the registry key. When prompted to delete the registry key via the Confirm Key Delete dialog box, click Yes.

We hope Microsoft will issue a patch shortly.

Source: Microsoft

I have never been an apologist for Microsoft’s security policies and practices; indeed, I’ve often criticized the firm and accused them of a laissez-faire attitude towards their development teams. I have to admit that they’ve been making some headway in the direction of basic security over the years, but I’ve wondered if they would ever get it right. Recently, I’ve had a love-hate relationship with Microsoft Security Essentials (See “Microsoft Security Essentials is a Game Changer” and “Microsoft’s Security Essentials Causes Performance Problems“), their most recent attempt at complete security protection for Windows™. I’m going back to the love relationship. My reason? The combination of  Windows 7 security enhancements, IE8 and Microsoft Security Essentials is very secure; it looks like Microsoft has finally done it right.

I migrated my laptop to that combination in mid-March. I have enjoyed nearly two months of secure computing with no performance issues, no security issues, and the freedom from having to worry about which third-party security solution I should implement. I still use Thunderbird for email and Firefox as my main browser, but that’s no longer because I’m concerned about using IE–IE8′s default settings have proven to be more than sufficient.

I’m not the only one who’s noticed. Fred Langa of Windows Secrets Newsletter recently ran a 120-day test of his own under some pretty tough conditions. You’ll want to read that article, of course, especially if you’re an advanced Windows user, but Fred’s results are worth mentioning:

Four months in, and no malware has infected my Win7 systems. I’ve experienced no malware-like misbehavior on my machines, and to the best of my knowledge, my systems remain clean and unhacked.

So I’m comfortable saying that the combination of the Win7 firewall, Microsoft Security Essentials, and fully current browsers and e-mail clients is proving to be a wholly acceptable security solution for routine use.

However, I’m not ready to recommend this combination to advanced users — especially those with demanding needs or who require the ability to easily customize their setup.

What’s your opinion? Leave me a comment.

Hi…thank you for the feedback. I’d like to inform you that currently, there is no plan to develop compatible version of Windows SteadyState for Windows 7.

This creates an upgrade dilemma for many public institutions: Stay with Windows XP for now (extended support for XP SP3 lasts until April 2014) and continue to use Steady State, or upgrade to Windows 7 and invest considerable extra expense on implementing some semblance of WSS functionality using Group Policy and third party software? It’s a no-brainer to me.

Consider this: A study conducted by University of Washington Information School, funded by the Bill and Melinda Gates Foundation, reports “Nearly one-third of Americans age 14 or older–-roughly 77 million people–-used a public library computer or wireless network to access the Internet in the past year….  In 2009, as the nation struggled through a recession, people relied on library technology to find work, apply for college, secure government benefits, learn about critical medical treatments, and connect with their communities.”

What are you thinking, Microsoft? Do you listen to your users? I have similar sentiments to these forum posters:

“Seems Microsoft has made another blunder with windows 7, we have decided to stay with XP and notify users that until Microsoft updates WSS to run with windows 7 that we will stay with xp and advise them to do the same, we have withdrawn all support for 7 and are advising people to downgrade if they are stuck with 7,  Its simply not viable, especially in this economy to spend the extra tens of thousands of dollars on the extra staff that would be needed to support a OS that we have came to the conclusion that even Microsoft [isn't] prepared to support fully.”

“Shame on MS for dumping such an essential OS feature for many IT environments. We have halted the upgrade to WIN 7 of around 12000+ PC  and will stay with XP until MS provides something equivalent to WSS in any upcoming OS.”

I don’t know what Microsoft charges for a Win 7 volume license for 12,000 PCs (can I get some help on that from someone?), but I’m sure it’s a significant amount.

Doesn’t make a whole lot of sense. But who am I to argue? I’m just a guy who will help save people money for the next four years–or until Microsoft figures this out.

According to Microsoft, in Microsoft Security Advisory (981374), “The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.”

When the advisory was issued, Microsoft was aware of targeted attacks attempting to use this vulnerability. Today, the Microsoft Security Response Center (MSRC) issued this statement:

Today we issued our Advanced Notification Service (ANS) to advise customers that we will be releasing security update MS10-018 tomorrow, March 30, 2010, at approximately10:00 a.m. PDT (UTC-8). MS10-018 resolves Security Advisory 981374, addressing a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. Internet Explorer 8 is unaffected by the vulnerability addressed in the advisory and we continue to encourage all customers to upgrade to this version to benefit from the improved security protection it offers.

Be sure to apply the update if you are running IE 6 or IE 7. Better yet, just upgrade to IE 8 . Even better still, dump IE and use Firefox or Chrome.

Waledac Infections Worldwide

Microsoft isn’t playing around anymore.  Through legal action and technical cooperation with industry partners, they have managed to take down Waledac, a large and well-known spambot that is estimated to have infected hundreds of thousands of computers worldwide. According to their blog, “…Microsoft found that between December 3-21, 2009, approximately 651 million spam emails attributable to Waledac were directed to Hotmail accounts alone, including offers and scams related to online pharmacies, imitation goods, jobs, penny stocks and more.”

On February 22, in response to a complaint filed by Microsoft  (“Microsoft Corporation v. John Does 1-27, et. al.”, Civil action number 1:10CV156) in the U.S. District Court of Eastern Virginia, a federal judge granted a temporary restraining order cutting off 277 Internet domains believed to be run by criminals as the Waledac bot.

This is good news! Cutting them off at the .com domain level is a virtual beheading.

This action has quickly and effectively cut off traffic to Waledac at the “.com” or domain registry level, severing the connection between the command and control centers of the botnet and most of its thousands of zombie computers around the world. Microsoft has since been taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet, and we will continue to work with the security community to mitigate and respond to this botnet.

Click here for a map of the infection.

I didn’t attribute this to MSE. Instead, I got rid of my background picture on the desktop, defragmented my registry, defragmented my page file and did all of those things I normally do to completely tune up a machine. No joy.

Then, Panda came out with version 1.0 of Cloud Antivirus and I commented on that: Panda Cloud Antivirus Emerges From Beta. I said “slight” performance issues had been evident with MSE. I was wrong: They were major, and I’m not the only one who has experienced that. Here’s a comment I just got on my Ask the Geek blog:

nothing was working for me…until I disabled microsoft security essentials – which apparenlty came with Windows 7! I prefer another malware program and virus program anyway…then I did a msconfig service cleanup of all the crap (including stopping ms sec essentials)….everything’s been loading great.

Evidently, MSE isn’t all it’s cracked up to be and I stand corrected. BTW, Panda is doing fine and I no longer have the performance problems. Microsoft, please get it right for once.

Who else is having problems? Comments welcome.