31 December 2006

Fair-Weather Scanners

I've used a few on-demand antivirus scanners and scanners for commercial malware (usually known as "anti-spyware") and generally they're just not designed for troubleshooting environments such as Safe Mode and Bart CDR boot.

Fancy display mode required

Common advice is to use these scanners from Safe Mode, where screen resolution is usually low (say, 640 x 480) and color depth is low, too (typically 16 colors).

A Squared is almost unusable in low res, because the dialog boxes ASSume you have at least 800 x 600 to play with - often the UI controls are below the edge of the display when in Safe Mode, so you have to guess the number of times to press Tab in order to keyboard the "go" button. The need for this high resolution has nothing to do with the amount of content that needs to be displayed on the screen, and everything to do with wasteful eye-candy UI design.

AdAware delights in using subtle colors that turn to stippled mud in Safe Mode's low color depth, and some needed UI cues (e.g. which UI control is selected) vanish completely.

Mouse required

Both AdAware and Spybot border on the unusable when a mouse is not present, as may be the case in troubleshooting conditions. Freshly-installed Spybot starts with a set of "wizard" dialogs that defy attempts to switch focus from the keyboard, and AdAware's keyboard navigation is highly ambiguous at best.

Installation required

The free BitDefender 8 on-demand scanner and MS Antispyware (now Windows Defender) both require Windows Installer to install, and that service is not present in Safe Mode. In order to use these tools, you first have to run normal Windows - so that the malware you are after is almost certain to be active and well-positioned to interfere with the installation and use of the scanners.

I haven't yet got the above tools, or AVG Antispyware (ex-Ewido), to run from a Bart CDR boot. Trend SysClean, A Squared, AdAware and Spybot are better there, with Spybot claiming the ability to scan relative to the inactive hard drive registry hives without needing RunScanner redirection. In practice, I find Spybot detects less when run from a Bart CDR boot than when it is run from Safe Mode.

21 December 2006

Vista vs. email

This blog post was interesting:

http://windowsvistablog.com/blogs/windowsvista/archive/2006/12/19/windows-vista-and-protection-from-malware.aspx#comments

It's an interesting expectation, that Vista would magically be immune to malware attacks - but that expectation is taken seriously in this post, which views the problem through the eyes of the totally inexperienced user. By blocking access to all incoming attachments, Vista's native Windows Mail is able to foil 8 of the 10 common attacks tested - the ones that got through, did so by using file types that some email applications don't block.

My expectations are far more modest:
  • System should be immune from clickless attack
  • User should receive accurate risk information
  • System should act within the bounds of that risk information
  • Should malware go active, user should be able to clean it
Jim's assessment treats the user as a passive component that has to be protected by the system acting on the user's behalf. I see that as unrealistic, and not only because it's a "mission impossible" task, but also because most users will disable total attachment blocking and then lose that degree of "protection". So what works for great disclaimable advertising copy - "used as directed, Windows Vista is immune to 8 out of 10 common email attacks" - works less well when users actually use the system to do real-world things.

For many (most?) users, blocking all attachments is too broad a sword to live with. What these users expect, is to look at an email message and attachment link, and assess whether the attachment is safe to "open". That in turn requires information about the attachment file type that is easy to understand (as a large number of raw .ext is not) and can be relied upon (in contrast to Vista's default "open based on hidden info rather than visible .ext" behavior).

Windows has been designed with many things in mind, but type discipline is not one of them. There's been great stress on per-user rights in NT, in keeping with the needs of corporate IT, but this maps poorly to consumer needs. The code/data distinction has been undermined, and the unrealistic objective of "you can do everything without having to know anything" assumes that consumers won't have the skills to assess and act upon file type risk information.

The last point, "should malware go active, user should be able to clean it", is a topic in itself, which goes about safety awarenss that stretches from maintenance OS through "Safe Mode" and into safe handling for suspect locations, such as newly-discovered drives or subtrees that are designated as holding risky material, much as "My Documents" is designated as holding "user data".

Here are a couple of unrelated quick things...

Screening spam

Another thing I'd like to see in an email application is better filtering, based on criteria other than various text matches. Specifically, I'd like to filter out "messages" that have under 100 characters of visible message text plus embedded (or remote) images. This is emerging as a common form of spam, with two effects; firstly, there's no text to filter/match, and secondly, the entire "message text" can be one huge clickable surface.

Firefox's killer feature

Spell checking within text edit fields - a must-have, in an age of online text composition e.g. blogging, forum posts, comments and web mail!

Up until now, Microsoft has positioned spell checking as part of MS Office, with the unique vendor advantage of integrating this application component into the OS (e.g. Outlook Express).

These happy days should be over, thanks to Firefox 2, just as free Google email killed the acceptability of the 1-2M email storage norm for paid-for ISP email "services".