Thursday, February 24, 2005

MS Anti-Spyware: godsend or bad joke?

In the immortal words of James Hetfield, from the rock group Metallica, "it's so useless, heh hyeah." This, I believe, is axiomatic: if spywarexyz is detected, and then "removed" by an anti-malware tool, but on the very next boot it is detected again, then it wasn't really removed, was it? Claiming to remove the same [n] threats time after time is just plain dumb. Counting them incrementally -- claiming to have removed hundreds of threats, when in real life, it hasn't removed any -- now that's downright asinine! It just refinds the same infestations, pretends it has mitigated the threats, and assumes success. And then it wants credit for a job well done, riiighht. Process integrity? I think not! How hard would the tiniest bit of heuristics have been? A little internal effectiveness check? Some reason to believe you're doing absolutely anything more than putting the user on a treadmill? Maybe keep some stats on in-the-trenches workability? Wouldn't a level of tracking capable of detecting false success be both relatively easy and very important? How else would you know if/when it became appropriate -- call me crazy for this one -- to perhaps regroup and change your attack posture, because it has become overwhelmingly clear that you have FAILED, Microsoft, Giant... who-the-hell-ever, you have failed, most miserably and horribly... it's like a bad joke. Notice my expectations above made no mention of actually delivering an effective tool -- that seems way too much to expect at this point. Possibilities:
  • Why couldn't there be a special system mode, entered when shutdown is initiated (and invoked prior to shutdown as a user option) that locks the startup areas of the registry from updates and inserts? Allow read and delete so tools or techs can remove unwanted crap, and that's it, until the system restarts. What legitimate reasons could there be to alter such things as the system is shutting down?
  • How about a way to block/prompt for any process that performs I/O in response to shutdown, giving the user a chance to allow or ignore the I/O?
  • How about a log of all processes that either abort or initiate shutdown? Or better yet, give the user the final say, "Process xyz.exe has returned FALSE to WM_QUERYENDSESSION, do you wish to allow this, or should it be killed now without further notice?"
  • How about a special kill function that gives the condemned app neither an indication of what's about to happen nor ample time to react. Unconditional full disclosure may be in the app's best interest, but it isn't always in my best interest. I'm the user, it's my hardware, doesn't that count for anything?
(I will explore solutions when I continue this rant sometime in the near future...) -MM
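The two complaints above, that a tool keeps claiming to remove the same threat, and that the infestation comes back through the startup areas during shutdown, are really one bookkeeping problem. The following is an added example written for this page, not Microsoft's or Giant's code: it records, per boot cycle, what the tool claimed to remove, what it detected at the next boot, and the Run-key style startup entries seen at shutdown and at the next boot, then flags claimed removals that did not survive a reboot and startup entries written in the shutdown-to-boot window. All identifiers (`spywarexyz`, `adware.abc`, `xyzldr`, the paths) and the `BootCycle` record are constructed for illustration.

```python
"""Effectiveness audit for an anti-malware tool's removal claims.

Added example for this post, not the code of any real anti-spyware
product. All inputs are constructed: each boot cycle records what the
tool detected and claimed to have removed, plus the startup entries
(Run-key style name -> command) seen at shutdown and at the next boot.
"""
from dataclasses import dataclass


@dataclass
class BootCycle:
    # Threat ids detected at the start of this session (before removal).
    detected: set
    # Threat ids the tool reported as "removed" during this session.
    claimed_removed: set
    # Startup entries (name -> command) as last seen before shutdown began.
    startup_at_shutdown: dict
    # Startup entries as seen right after the next boot.
    startup_at_next_boot: dict


def false_successes(cycles):
    """Threat ids claimed removed in one cycle but detected again in the next.

    This is the "internal effectiveness check" the post asks for: a removal
    that does not survive a reboot is counted as a failure, not a success.
    Returns {threat_id: number_of_failed_removals}.
    """
    failures = {}
    for prev, nxt in zip(cycles, cycles[1:]):
        for tid in prev.claimed_removed & nxt.detected:
            failures[tid] = failures.get(tid, 0) + 1
    return failures


def honest_removal_count(cycles):
    """Claimed vs. effective removals across all verifiable cycles.

    A claim counts as effective only if the threat is absent at the next
    boot; claims in the final cycle cannot be verified yet and are excluded.
    """
    claimed = sum(len(c.claimed_removed) for c in cycles[:-1])
    failed = sum(false_successes(cycles).values())
    return {"claimed": claimed, "effective": claimed - failed}


def shutdown_writes(cycle):
    """Startup entries that appeared or changed between shutdown and next boot.

    Anything returned here was written after the tool's last look, i.e. in
    the window the post proposes locking the startup areas for.
    """
    before, after = cycle.startup_at_shutdown, cycle.startup_at_next_boot
    return {name: cmd for name, cmd in after.items() if before.get(name) != cmd}


# Constructed sample: three reboots of a machine where "spywarexyz" keeps
# coming back through a Run entry re-inserted at shutdown, while "adware.abc"
# is genuinely gone after the first pass.
UPDATER = r"C:\Program Files\Vendor\updater.exe"
LOADER = r"C:\WINDOWS\system32\xyzldr.exe"  # constructed persistence entry
SAMPLE_CYCLES = [
    BootCycle(
        detected={"spywarexyz", "adware.abc"},
        claimed_removed={"spywarexyz", "adware.abc"},
        startup_at_shutdown={"Updater": UPDATER},
        startup_at_next_boot={"Updater": UPDATER, "xyzldr": LOADER},
    ),
    BootCycle(
        detected={"spywarexyz"},
        claimed_removed={"spywarexyz"},
        startup_at_shutdown={"Updater": UPDATER},
        startup_at_next_boot={"Updater": UPDATER, "xyzldr": LOADER},
    ),
    BootCycle(
        detected={"spywarexyz"},
        claimed_removed={"spywarexyz"},
        startup_at_shutdown={"Updater": UPDATER},
        startup_at_next_boot={"Updater": UPDATER},
    ),
]

if __name__ == "__main__":
    print("removals that did not stick:", false_successes(SAMPLE_CYCLES))
    print("claimed vs effective:", honest_removal_count(SAMPLE_CYCLES))
    for i, c in enumerate(SAMPLE_CYCLES):
        print(f"cycle {i} startup entries written after shutdown:",
              shutdown_writes(c))
```

On the sample data the tool would have reported three removals, but only one held; the audit attributes the two failures to `spywarexyz` and points at the `xyzldr` Run entry that appears between shutdown and the next boot as the re-infection path. A real tool would take the startup snapshots from the registry instead of a constructed dict, but the comparison logic is the same.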
