Microsoft whitelist a boon to hackers, says security firm

By recommending that users exclude some file extensions and folders from antivirus scans, Microsoft may put users at risk, a security company said today.

In a document published on its support site, Microsoft suggests that users do not scan some files and folders for malware as a way to improve performance in Windows 2000, XP, Vista, Windows 7, Server 2003, Server 2008 and Server 2008 R2. “These files are not at risk of infection. If you scan these files, serious performance problems may occur because of file locking,” Microsoft states in the document.

Among the files and folders Microsoft tells users to exclude are those associated with Windows Update and Group Policy, and files with the .edb., .sdb and .chk extensions contained within the “%windir%\security” folder.

Trend Micro took exception — not with the list itself, but with Microsoft making it public. “Although it actually makes sense to stop checking Windows Update and some Group Policy-related files if you really want to speed up the system, we are concerned by the fact that this was released publicly,” said David Sancho, a malware researcher with Trend Micro, in an entry to his firm’s blog.

Sancho argued that the list could be a boon to hackers. “Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,” he said. “Cybercriminals may strategically drop or download a malicious file into one of the folders that are recommended to be excluded from scanning, or use a file extension that is also in the excluded list.”

At the least, Sancho continued, only experienced users who know the downside of such file “whitelisting” should consider excluding files and folders from security scanning. “Excluding certain file types or folders from antivirus scanning is not something novice users should tinker with,” Sancho said. “Doing so may expose the system to risks that can lead to an inconvenience far more severe than a slightly slower system.”

Andrew Storms, director of security operations at nCircle Network Security, backed Sancho on that. “I would agree with Trend that making any sort of whitelisting with your security software is not for the average user or the faint at heart,” Storms said in an interview conducted via instant message.

But Storms also downplayed the significance of Microsoft’s publicly posting its exclusion recommendations. “Will the bad guys latch on to this and suddenly change their locations to hide malware? Probably not,” Storms said. “Where the malware is stored on the file system is the not the root of the conundrum with antivirus software…. It’s that antivirus software is historically a post-event and blacklist kind of approach to security. It helps provide another layer of defense, but is it going to catch everything? No way.”

Trend has a history of butting heads with Microsoft. Like other third-party security vendors, it has dismissed Microsoft’s moves in the antivirus market, most recently earlier this year when the Redmond, Wash. company released its for-free Security Essentials software. And in April 2008, Trend researchers disputed Microsoft’s claim that the latter’s Malicious Software Removal Tool (MSRT) had crushed the life out of the Storm botnet.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs