Invariant Properties


Smart content + virus information = bad combo

Bear Giles | April 5, 2011

This morning I was greeted with an alert that my Win7 system was infected with the MyDoom virus. The first two questions are: how? And how do I remove it?

So I hop onto my Linux system, google it, and am quickly directed to a Microsoft site. There I get the alert:

System Tip
This article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.

Great. The first rule of dealing with a virus is shutting down the system so it can’t do any more harm and the first thing Microsoft says is that I need to turn the system back on so I can be sure I get the necessary information. Same thing when I want to download their malware removal tool – I need to use the infected system.

To be “fair” I only need to use a system running the same version of their OS. The problem is that I don’t have another system with the same version of their OS. This is a 64-bit Windows 7 system. My only other Windows systems are a netbook running XP and a mothballed desktop that also runs 32-bit XP. I suspect this is the case in most other households – you only get one new system every few years and they’ll have different OS versions.

(Sidenote: all of my Linux systems are at the same version (Ubuntu 10.10). It makes a big difference when you can upgrade your system for free in an evening.)

Smart content is usually a Good Idea but there needs to be a way to say “no, wait, you’re wrong. I want this other content.”

How it happened

What I think may have happened (and this is little more than a guess) is:

  1. I decided to use the highly-regarded Windows 7 security tool when I initially set up the system
  2. I tried to install the Cisco VPN client to access the system at work
  3. Unknown to me, that installer also installed a Symantec “endpoint” product that quietly disabled the existing security software. I’m sure the lawyers would claim that on page 37 of the third click-through license I acknowledged this would happen. Yeah, sure. Whatever.
  4. The installer failed for unknown reasons. It might have left me without any protection, it might have left me with just ‘endpoint’ protection but no general protection.
  5. The system was left in this exposed state for a few months until I decided to update the virus protection on my netbook and decided to update the Windows 7 box as well. That’s when I discovered that an unfamiliar security package was installed instead.

Postmortem

This was a false alarm. For unknown reasons Firefox downloaded the contents of my gmail spam folder, and it contained 60-odd viruses. For some reason two of the messages couldn’t be deleted, and that was why I had the alarming message.

There was some collateral damage. I had finished running a full scan in ‘safe mode’ when I somehow triggered a Firefox launch. (Probably for documentation provided online.) There’s no network connection in safe mode, so all of the cached session information failed to load… and that meant that those tabs were removed from the session. So I had a fresh new session when I restarted Firefox. Sigh. There went 20+ windows of things that were interesting enough to load but which I didn’t have time to read yet.
