Suzi Turner at Spyware Confidential is blogging on how to disable the Windows Genuine Advantage antipiracy tool. Is this such a good idea? I’m wondering if this would be considered circumventing copyright protection which is specifically illegal under the DMCA.
Archive for June 2006
Qualys Quality – or lack thereof
It seems like since Gerhard Eschelbeck left Qualys I’m spending more time correcting poor Qualys detections than fixing the problems on the servers. If the scan results are not reliable, I am forced to investigate each detection before taking action.
At any given moment it seems like I’ve got three cases opened asking them for a clarification of scan results. Here are a few examples:
- They are falsely detecting some computers as 64 bit because Emulex creates a registry key Qualys thinks should only exist on a 64 bit computer.
- Flash falsely reported as vulnerable. It said I needed to be running 8a, but I was already running the newer version 8b.
- Not reporting systems vulnerable to the latest Symantec Antivirus vulnerability
So tonight I scanned my servers after they were patched last night. On one computer it says the latest IE patch is not installed because HKLM\SOFTWARE\Microsoft\Updates\Internet Explorer 5.01\SP4\KB916281-IE501SP4-20060519.173353 is missing. That’s nice and all, but that computer is running IE6, so there will be no Internet Explorer 5.01 registry key!
Then it says I’m MS06-024 vulnerable, a Windows Media Player PNG vulnerability, because HKLM\SOFTWARE\Microsoft\Updates\Windows Media Player 7.1\SP0\KB917734_WMP7 is missing.
HKLM\SOFTWARE\Microsoft\Updates\Windows Media Player 9\SP0\KB917734_WMP8 is missing.
Well, which is it? I can’t be running both Windows Media Player 7 and 8. It so happens I’m running Windows Media Player 9, so it is wrong on both counts.
If I’ve learned anything from my support tickets, it’s that the “reason” field that appears to indicate the reason for detection doesn’t always give the reason for detection. So who knows if this is really the reason for these false positives. All I know is I’m sick of it. I’ve been a huge Qualys supporter for years, but the past 8 months are really making me wonder what the other options are.
Alex is having a temper tantrum
Alex over at the Sunbelt Software blog is having a temper tantrum over what he terms the predatory pricing of Microsoft OneCare and FrontBridge. Imagine what he’d be saying if they were giving it away, as they probably should be.
I don’t really follow this all that closely. I’m currently a user of Microsoft Antigen, and the price quotes for FrontBridge seem to be what I’m paying for Antigen now. So I don’t see the predatory pricing. Further, he says Microsoft has gone outside the norm in their pricing method. The reality is that Sybari was always a subscription-based model where the software is licensed for a period of time only. This is not a change.
The legacy antivirus vendors should be on notice. If they want to continue with the same crappy products bundled together for higher prices, it will no longer work. Alex says that Microsoft will stifle innovation. I say the opposite. AV companies need to get off the bench and create better products.
My OPML
I don’t want to be responsible for Rod not finding out about Sunbelt Software’s weblog. So here’s my OPML file.
Inbound Trackbacks
Looks like inbound trackbacks aren’t working correctly. Comments are working though.
My webhost recently changed servers causing the problem. We’ll see if we can figure out how to fix this.
Zero Day Mania
Is it just me, or is the term zero day being co-opted to mean ‘we’ve got product to sell’ instead of ‘an attack for which no patch is available’?
Stratacache
To beat the bear
In May 2005 I wrote about the security analogy about the bear and two guys, one of whom stops to put on running shoes. It’s “good enough security.” I don’t have to outrun the bear, I just have to outrun you. I opined that good enough security is only good enough when your security exists only so you can check off a requirement with a regulatory agency. In reality, targeted attacks destroy “good enough” security. What if the bear doesn’t care about your slower friend? What about when it’s personal?
In the June 2006 issue of SC Magazine, the opening editorial makes use of this analogy and makes the point that good enough security doesn’t work against internal attacks either. They would argue that the main defenses are policies such as job rotation, separation of duties and rotation of duties.
Can’t stop for a minute
I glanced at my blackberry during dinner and saw a whole mess of virus alerts such as the following:
The message sender was
alerts@CNN.com
The message originating IP was 81.168.6.17
The message recipients were user@$mydomain.com
The message was titled Osama Found Hanged
The message date was Thu, 15 Jun 2006 22:02:54 -0700
The message identifier was (empty)
The virus or unauthorised code identified in the email is:
/var/qmail/queue/split/0/attach/3384881_4X_AZ-D_PA2__Photo=20and=20Article.exe
Found the W32/Sdbot.worm.gen.as virus !!!
In case it’s not clear, that is the admin notification when someone sends a virus. Looks like another run of viruses being spammed. How many times have they tried the Osama bin Virus since 2001?
Webroot Spysweeper Enterprise 3.0 Released
The server update contains the following changes:
- Improved navigation tree structure and UI
- Additional controls for new client functionality (see client changes below)
- Support for Informational definitions
- Support for Incremental definitions
- Numerous stability enhancements
- SQL Server 2005 Express Database Support
The client update contains the following changes:
- Completely new Kernel level driver engine
- Rootkit detection and removal capabilities
- 4 New Smart Shields
- ActiveX Shield
- Browser Helper Object Shield
- Spy Communication Shield
- IE Trusted Sites Shield
- New Client Homepage
- Command-line access to client
- Support for Incremental Definitions
- Support for Informational Definitions
It now operates in kernel mode to offer protection much earlier in the boot process.
I think I’m kind of excited that development continues on what has always been a highly rated product. The ActiveX shield sounds like it will be a replacement for SpywareBlaster. So that is less work for me monthly.
Got to check those typos
I’m searching the Microsoft knowledge base for help in letting an ISA 2004 server get to Windows Update when I find a KB article on the subject. It has links that should be put in an “allow” destination set. One of the links is http://ntservicepack.micrososft.com. A quick whois query shows that the domain is not owned by Microsoft. I checked the site over in a text browser and it seems to just be loading ads, but I’m not 100% sure.
I’ve notified Microsoft using the link on the page for article errors.
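A firewall allow list copied from a document is only as good as the spelling in that document, and a lookalike host is exactly the case a quick review misses. The check below is an added example written for this post (not Microsoft’s or ISA Server’s own tooling): it takes each URL destined for an allow destination set, reduces the host to its registrable domain (naively, the last two labels; no public-suffix handling), and reports anything that is not on a trusted list, singling out domains within edit distance 2 of a trusted one as lookalikes. The allow list and trusted set are constructed samples; the misspelled host is the one from the KB article above.

```python
"""Screen an allow list of URLs for hosts that look like, but are not, trusted domains.

Added example, not a Microsoft or ISA Server tool. The trusted set and the
allow list below are constructed samples for this post.
"""
from urllib.parse import urlsplit

# Constructed: domains the allow list is supposed to consist of.
TRUSTED_DOMAINS = {"microsoft.com", "windowsupdate.com"}

# Constructed allow list; the misspelled entry is the one quoted from the KB article.
SAMPLE_ALLOW_LIST = [
    "http://download.windowsupdate.com",
    "http://ntservicepack.micrososft.com",
    "http://www.microsoft.com",
    "http://mirror.example.net",
]

LOOKALIKE_MAX_DISTANCE = 2  # edit distance at or below which we call a domain a lookalike


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two DNS labels, lower-cased. Naive on purpose: no public-suffix list here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str, trusted=frozenset(TRUSTED_DOMAINS)) -> tuple:
    """Return (registrable_domain, verdict, nearest_trusted) for one allow-list URL."""
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    if domain in trusted:
        return domain, "trusted", domain
    nearest = min(trusted, key=lambda t: edit_distance(domain, t))
    if edit_distance(domain, nearest) <= LOOKALIKE_MAX_DISTANCE:
        return domain, "lookalike", nearest
    return domain, "untrusted", nearest


def screen(urls) -> list:
    """Classify every URL; anything not 'trusted' needs a human before it is allowed."""
    return [(url,) + classify(url) for url in urls]


if __name__ == "__main__":
    for url, domain, verdict, nearest in screen(SAMPLE_ALLOW_LIST):
        note = f" (looks like {nearest})" if verdict == "lookalike" else ""
        print(f"{verdict:10} {domain:24} {url}{note}")
```

On the sample list the windowsupdate.com and microsoft.com entries pass, micrososft.com is reported as a lookalike of microsoft.com at distance 1, and example.net is simply untrusted. Running this over a destination set before it goes into production is cheap; the point of the distance check is that a typo that a reader’s eye autocorrects is exactly one edit away from the real thing.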