| Trend OfficeScan spyware detection issues |
| Author |
Message |
Gordon

|
Posted: Tue Jun 28 13:40:08 CDT 2005 |
Windows XP Security >> Trend OfficeScan spyware detection issues
I spent 3 hours on the phone yesterday with Trend Micro working on a problem
that we observed.
The short synopsis is that their OfficeScan V7.0 spyware/adware/greyware
detection and remediation application is, in my opinion, badly broken and can
wreak havoc in an enterprise.
OfficeScan corporate edition version 7.0 includes a spyware/adware/greyware
detection and cleanup feature. After our upgrade installation of V7.0, we
noticed a significant detection rate (~50%) of HKTL_Bruteforce.A,
SPYW_Csnoop.A, SPYW_Marketscore.A, and SPYW_Gator, among others. I started
looking into these detections and became alarmed at what I found. Searching
Trend's website for information on these detections told me that I should be
seeing as many as 20 or so different files that have been placed on the
supposedly infected machine by the exploit. When I checked the client logs,
there was only one file and in some cases a few registry values/keys that had
been identified and deleted. Here are some details on the files that were
deleted:
Bruteforce.A: C:\WINNT\system32\regobj.dll
Csnoop.A: C:\WINNT\uninst.exe
Marketscore.A: C:\WINNT\system32\sporder.dll
Gator: C:\WINNT\system32\wbem\Logs\wmiadap.log
I did some more research on these files and found that these were all
legitimate system files that were used by other processes and were actually
part of our base image. These files are used by VB app runtimes,
InstallShield uninstall routines, Winsock LSP chains, and WMI providers and
readers.
There were also a number of registry keys/values that were deleted during
this detection. (most reg entries were in HKLM\software\classes and consisted
of guids.)
I contacted Trend's customer support to find out why their product was
deleting these files without any cross-checking with the virus pattern files
to determine if the files being deleted were indeed malicious.
Long story short, they don't check. If even one file from the detection
definition matches the pattern definition, it triggers the anti-spyware
action. This includes legitimate system files.
It would be easy to write a spyware app that drops a perfectly legit copy of
ntoskrnl.exe or something like that which would then be detected and deleted.
I asked Trend if they had a fix for the machines that had had these system
files and registry entries deleted. Their answer, after well over an hour of
checking, was "you need to copy the files from a good system back to the
damaged system. You need to recreate the registry entries by hand as well."
They do not have a tool to fix the problems that their app causes. They
admitted that this product was broken.
They did know about the regobj.dll problem, and had labeled that as a false
positive already. They opened a case to look into the additional false
positives, since they said their engine shouldn't have done what it did.
There is an updated spyware engine and client pattern file available that
supposedly prevents the regobj.dll detection, but there's a catch on that.
Most of us set our AV apps to update from the manufacturer once per day or
once per hour. We then know that our pattern files will be as current as
possible.
Problem is, the DCS component, which is what performs the automatic updates
for the spyware engine (as compared to the AV engine), requires purchase of a
different product (the DCS product) in order to be fully operational (as in
allowing automatic updates), even though the anti-spyware interface is
installed and functional as part of the OfficeScan console install, is not
greyed out, and that additional purchase requirement is not documented in
their manuals. So, unless I want to purchase their DCS component, I have to
manually get the files from Trend each time I want to update, and then
manually install them on the server and restart the master service. I can use
the anti-spyware component, but can't update it.
New buzzword - hostageware.
So, to recap, I believe that the spyware detection component of Trend
Micro's OfficeScan V7.0 is badly broken. Not only does it not perform
detailed inspection of possible spyware, it deletes legitimate system files
and registry entries. It also does not allow for automatic updates that could
correct this type of problem unless you are willing to purchase another
license that isn't mentioned in your admin or installation manual. Oh, and
when it does damage your systems, you have to touch each one and fix it
manually. No fix tool.
Thankfully, we have not yet migrated our servers running Trend's
ServerProtect to the recommended OfficeScan product. So far our only effect
is on client PCs.
I am awaiting further explanations/fixes from Trend on this issue. My
recommendation in the meantime is that if you are running Trend OfficeScan
v7.0, you inspect your settings to see if you are scanning for
spyware/adware/greyware and evaluate whether this scanning method and its
ramifications are going to adversely affect your environment. If you are
seeing similar actions in your environment, I would contact Trend and ask
them why they are using this method to detect spyware and how they are going
to fix it.
Trend's AV product has been pretty good to us over the years. Their new
version, however, specifically the spyware detection app, does not seem to
have anywhere near the quality that we are used to from them. The abysmal
detection logic and inability of Trend's technical support to adequately
address this issue have led us to begin evaluating other antivirus vendors.
Charlie
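The matching behaviour described in the post above, next to a corroborated alternative, as an added example that is not part of the original thread and is not Trend Micro's code. The signature name, the two spyware paths, the file contents, the two-indicator threshold and the baseline manifest are constructed assumptions; only the sporder.dll path comes from the post.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    indicators: frozenset  # lower-cased paths listed by the definition
    min_hits: int          # assumed policy: indicators required before acting


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def naive_verdict(sig, files):
    """Post's description: one matching path is enough, and it gets deleted."""
    return sorted(p for p in files if p.lower() in sig.indicators)


def corroborated_verdict(sig, files, baseline):
    """Require several indicators and never act on a known-good file."""
    hits = [p for p in files if p.lower() in sig.indicators]
    if len(hits) < sig.min_hits:
        return []  # a lone shared file is not evidence of infection
    # Skip anything whose hash matches the golden-image baseline manifest.
    return sorted(p for p in hits if baseline.get(p.lower()) != sha256(files[p]))


# Constructed sample data. Only the sporder.dll path comes from the post.
SPORDER = r"C:\WINNT\system32\sporder.dll"
AGENT = r"C:\Program Files\ExampleSpyware\agent.exe"
HOOK = r"C:\Program Files\ExampleSpyware\hook.dll"

SIG = Signature(
    "SPYW_Example.A",
    frozenset(p.lower() for p in (SPORDER, AGENT, HOOK)),
    min_hits=2,
)

GOOD_SPORDER = b"constructed stand-in for the base-image sporder.dll"
BASELINE = {SPORDER.lower(): sha256(GOOD_SPORDER)}  # hashes from the base image

CLEAN_HOST = {SPORDER: GOOD_SPORDER, r"C:\WINNT\notepad.exe": b"notepad"}
INFECTED_HOST = {SPORDER: GOOD_SPORDER, AGENT: b"agent", HOOK: b"hook"}
TAMPERED_HOST = {SPORDER: b"replaced contents", AGENT: b"agent"}

if __name__ == "__main__":
    for label, host in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        print(label, "naive:", naive_verdict(SIG, host))
        print(label, "corroborated:", corroborated_verdict(SIG, host, BASELINE))
```

On the clean host the single-indicator rule selects the base-image sporder.dll for deletion, while the corroborated rule returns nothing; a copy whose hash no longer matches the baseline is still flagged.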
 |
Galen

|
Posted: Tue Jun 28 13:40:08 CDT 2005 |
In news:EMail@HideDomain.com,
falconerck1 <EMail@HideDomain.com> had this to say:
> New buzzword - hostageware.
Thank you very much for the warning. Have you considered letting some of
your peers in the IT industry know by forwarding your findings to the
various magazines for potential inclusion? It's been my recommendation that
people avoid "suites" for security software, this strengthens my resolve so
once again thank you for sharing. Would you have any objections if I copied
that, in its entirety, and placed it into a forum with your name still
attached?
Galen
--
"But there are always some lunatics about. It would be a dull world
without them."
Sherlock Holmes
 |
falconerck1

|
Posted: Tue Jun 28 13:55:04 CDT 2005 |
I have. I've forwarded this to an NT Systems Admin Issues list I'm on,
Windows IT Pro magazine, and the office of the CEO and PR departments at
Trend. I also plan on forwarding it to Redmond mag. Any other suggestions?
Which forum did you want to post it to?
"Galen" wrote:
> Thank you very much for the warning. Have you considered letting some of
> your peers in the IT industry know by forwarding your findings to the
> various magazines for potential inclusion? It's been my recommendation that
> people avoid "suites" for security software, this strengthens my resolve so
> once again thank you for sharing. Would you have any objections if I copied
> that, in its entirety, and placed it into a forum with your name still
> attached?
>
> Galen
> --
>
> "But there are always some lunatics about. It would be a dull world
> without them."
>
> Sherlock Holmes
>
>
>
 |
Galen

|
Posted: Tue Jun 28 15:19:32 CDT 2005 |
In news:EMail@HideDomain.com,
falconerck1 <EMail@HideDomain.com> had this to say:
> I have. I've forwarded this to an NT Systems Admin Issues list I'm on,
> Windows IT Pro magazine, and the office of the CEO and PR departments
> at Trend. I also plan on forwarding it to Redmond mag. Any other
> suggestions?
>
> Which forum did you want to post it to?
Just this one here:
http://kgiii.info/phpBB2/index.php
It's pretty empty (it's not really even supposed to be "live" at the moment
but a couple of people joined in as the link was on one of the pages even
though we're still really just designing the site and not too worried about
content yet) but it would make a decent thread starter in the security
section perhaps and is really well composed and informative.
Galen
--
"But there are always some lunatics about. It would be a dull world
without them."
Sherlock Holmes