
An idea to prevent AV Companies from bricking systems with bad def updates.


21 replies to this topic

#1 warwagon

warwagon

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:37 PM

Posted 23 March 2015 - 01:55 PM

The recent Panda AV catastrophe got me thinking. Why aren’t safeguards in place to prevent bad definition updates from flagging and deleting core system files?

In the case of Panda, I read of some companies that had 1,400 systems which were broken by the bad update.

So how can we fix / prevent this from happening?

Some AV companies might be doing what I’m about to suggest below. If some are, it would be nice to have a list of the ones doing this and ones that are not.

1st

Some critical system files in Windows are signed by Microsoft. If 1 bit is changed, the certificate is invalidated. AV companies should be checking the status of the system file's certificate (if it has one) before carelessly deleting it.

2nd

Create hashes of all of the Windows system files. This would be done not on the user's system but either on the AV company's server, or maybe Microsoft could host a server to the public that has APIs anyone can use.

It would work like this:

The database would include hashes of every version of every file which has ever been included in or added to Windows by Microsoft.

Scenario:

A bad definition file gets pushed out to a user's machine. The AV gets the signal from the bad update saying "delete these infected Windows system files!!!" … the AV responds by saying "Umm. Ok, but these are critical Windows system files, hold on one second while I hash the files in question and compare them to the hash database. I want to double check that we aren't making a mistake." It then checks the hash. "Oh crap… these system files are the real deal, not bad in any way" … it then aborts the file deletion.

Thoughts?





#2 BenjaminGordonT

BenjaminGordonT

  • Members
  • 202 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:37 PM

Posted 23 March 2015 - 02:42 PM

Panda Antivirus has had a lot of problems in their day. Remember when they detected their own files? Your comments are true, and there have been times where bad definitions have bricked computers. But unless they are flashing the BIOS (which the AV company would have to be nuts to do), you can always restore the critical system files using System Restore or a System Image. When I had Avast I caught a virus that infected several critical system files, but Avast warned me that they were as such and asked me what to do; the preferred option was heal. I would hope that the AV would attempt to remove the infection from the file itself or at least make a backup so it's not just deleting things willy-nilly.



#3 warwagon

warwagon
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:37 PM

Posted 23 March 2015 - 02:48 PM

> Panda Antivirus has had a lot of problems in their day. Remember when they detected their own files? Your comments are true, and there have been times where bad definitions have bricked computers. But unless they are flashing the BIOS (which the AV company would have to be nuts to do), you can always restore the critical system files using System Restore or a System Image. When I had Avast I caught a virus that infected several critical system files, but Avast warned me that they were as such and asked me what to do; the preferred option was heal. I would hope that the AV would attempt to remove the infection from the file itself or at least make a backup so it's not just deleting things willy-nilly.

I think back in the day McAfee hosed over 100,000 machines .. don't quote me on that number. AVG has been hosing systems with bad updates for years. Practically every AV has had a bad update at some point.

 

Now, false positives will happen. Hate to keep picking on Panda, but that just happened and I know someone who was trying to fix a computer that had the issue. He got the repair tool to fix it, but couldn't boot into normal or safe mode to use it, and there were no restore points to go back to.

 

Finally, to help those people, Panda released an ISO you could boot from which I think would remove Panda from the system and restore the quarantined files.

 

The average user would have never known how to do that.

 

Just a year or so ago didn't Malwarebytes hose a plethora of machines too?

 

I think what I mentioned in the 1st post would only be used if the AV was told to delete a core system file. It would be a fantastic safety net.


Edited by warwagon, 23 March 2015 - 02:49 PM.


#4 RolandJS

RolandJS

  • Members
  • 4,533 posts
  • OFFLINE
  • Gender:Male
  • Location:Austin TX metro area
  • Local time:01:37 PM

Posted 23 March 2015 - 02:56 PM

Hitman Pro, in their Early Warning Scan, displays a long list of Windows/[wherever] files.  Thankfully, I have default = ignore.


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,769 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:37 PM

Posted 23 March 2015 - 05:45 PM

All security scanning software is susceptible to glitches, bugs, database issues and false positive detections from time to time which may remove critical system files, resulting in unbootable computers or machines stuck in an endless reboot loop. Such mishaps have been reported for years and include even the major anti-virus vendors. In most cases when these issues occur, the anti-virus vendors and security tool developers take quick action to correct the problem and provide support to those users who have been affected. While some false positives on critical files can result in major damage to a system, other glitches and detections of legitimate files are not uncommon.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#6 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,720 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:37 PM

Posted 24 March 2015 - 02:20 PM

Regarding 2:

 

National Software Reference Library

http://www.nsrl.nist.gov/Downloads.htm

 

That list is not small. About 5GB.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#7 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,720 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:37 PM

Posted 24 March 2015 - 02:25 PM

Problem with 1: there have been a couple of malicious executables with valid digital signatures from Microsoft. They were fraudulent and have been revoked once detected, but before revocation, the signature was valid.

 

http://blog.didierstevens.com/2012/06/06/flame-authenticode-dumps-kb2718704/




#8 warwagon

warwagon
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:37 PM

Posted 24 March 2015 - 02:26 PM

> Problem with 1: there have been a couple of malicious executables with valid digital signatures from Microsoft. They were fraudulent and have been revoked once detected, but before revocation, the signature was valid.
>
> http://blog.didierstevens.com/2012/06/06/flame-authenticode-dumps-kb2718704/

 

Accept the signature might lie, but the hash wouldn't. Let's say it was a bad explorer.exe with a valid signature.

 

Hash it and compare it with hash database. ... No match.


Edited by warwagon, 24 March 2015 - 02:27 PM.


#9 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:07:37 PM

Posted 24 March 2015 - 02:38 PM

> Accept the signature might lie, but the hash wouldn't. Let's say it was a bad explorer.exe with a valid signature.
>
> Hash it and compare it with hash database. ... No match.

Which takes us right back to problem #2... the hash database for Microsoft files is very big.

#10 warwagon

warwagon
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:37 PM

Posted 24 March 2015 - 02:41 PM

 

> > Accept the signature might lie, but the hash wouldn't. Let's say it was a bad explorer.exe with a valid signature.
> >
> > Hash it and compare it with hash database. ... No match.
>
> Which takes us right back to problem #2... the hash database for Microsoft files is very big.

 

Well, VirusTotal seems to have a large database full of hashes of previous scans that it can search in a matter of seconds.



#11 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,720 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:37 PM

Posted 24 March 2015 - 03:06 PM

 

> > Problem with 1: there have been a couple of malicious executables with valid digital signatures from Microsoft. They were fraudulent and have been revoked once detected, but before revocation, the signature was valid.
> >
> > http://blog.didierstevens.com/2012/06/06/flame-authenticode-dumps-kb2718704/
>
> Accept the signature might lie, but the hash wouldn't. Let's say it was a bad explorer.exe with a valid signature.
>
> Hash it and compare it with hash database. ... No match.

That's not a solution. What if Microsoft releases new patches and your hash database is not up to date? No match -> deleted.


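The two checks proposed in the first post (signature status, then a hash lookup against a known-good database) and the objections raised in #7 and #11 (a validly signed file can still be malicious; an allowlist that lags a Microsoft patch must not turn "no match" into "deleted") fit together as one decision policy. The Python below is an added example written for this thread, not code from any AV vendor, from Microsoft or from NIST's NSRL. The protected-path list, the verdict names, the ordering of the checks and the sample file contents are all constructed; the allowlist text is modelled on the column layout of the NSRL RDS `NSRLFile.txt`, and the Authenticode check is assumed to be done by the engine's existing verifier and is not shown.

```python
import csv
import hashlib
import io
import zlib
from enum import Enum

# Paths that get the extra "am I about to delete Windows?" check (constructed list, case-insensitive).
PROTECTED_PREFIXES = ("c:\\windows\\",)


class Verdict(Enum):
    QUARANTINE = "quarantine"                      # ordinary detection outside protected paths
    QUARANTINE_KNOWN_BAD = "quarantine-known-bad"  # hash on the blocklist: act even if it carries a valid signature
    BLOCK_KNOWN_GOOD = "block-known-good"          # hash in the allowlist: refuse, report the definition as suspect
    HOLD_UNKNOWN = "hold-unknown"                  # protected path, hash unknown: hold for review, never delete outright


def sha1_hex(data):
    """Upper-case hex SHA-1, the key the NSRL RDS uses (a real engine would stream the file)."""
    return hashlib.sha1(data).hexdigest().upper()


def build_rds_csv(entries):
    """Write an allowlist in the NSRL RDS NSRLFile.txt column layout from (filename, bytes) pairs."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writerow(["SHA-1", "MD5", "CRC32", "FileName", "FileSize",
                "ProductCode", "OpSystemCode", "SpecialCode"])
    for name, data in entries:
        w.writerow([sha1_hex(data), hashlib.md5(data).hexdigest().upper(),
                    f"{zlib.crc32(data) & 0xFFFFFFFF:08X}", name, len(data), "0", "WIN", ""])
    return buf.getvalue()


def load_rds_csv(text):
    """Parse an RDS-style CSV into the set of SHA-1 values; only the hash column matters here."""
    return {row["SHA-1"].upper() for row in csv.DictReader(io.StringIO(text))}


def is_protected(reported_path):
    return reported_path.lower().replace("/", "\\").startswith(PROTECTED_PREFIXES)


def decide(reported_path, data, allowlist, blocklist):
    """Safety net run after a definition flags a file and before any destructive action.

    Order matters: a blocklisted hash wins over everything (covers malware that came with a
    fraudulently issued but valid signature); outside protected paths the normal flow applies;
    inside them an allowlisted hash blocks deletion, and an unknown hash is held rather than
    deleted, so a stale allowlist cannot turn a fresh Microsoft patch into an unbootable machine.
    """
    digest = sha1_hex(data)
    if digest in blocklist:
        return Verdict.QUARANTINE_KNOWN_BAD
    if not is_protected(reported_path):
        return Verdict.QUARANTINE
    if digest in allowlist:
        return Verdict.BLOCK_KNOWN_GOOD
    return Verdict.HOLD_UNKNOWN


# Constructed sample contents standing in for real binaries (the hashes derive from these bytes).
GOLDEN = [("ntdll.dll", b"MZ constructed ntdll.dll, build in allowlist"),
          ("explorer.exe", b"MZ constructed explorer.exe, build in allowlist")]
PATCHED_EXPLORER = b"MZ constructed explorer.exe, newer patch not yet in allowlist"
KNOWN_BAD = b"MZ constructed dropper that shipped with a valid-looking signature"
USER_DOWNLOAD = b"constructed file from the user's Downloads folder"

ALLOWLIST = load_rds_csv(build_rds_csv(GOLDEN))
BLOCKLIST = {sha1_hex(KNOWN_BAD)}

# (reported path, bytes the engine would read from that path); all constructed.
SAMPLES = [
    ("C:\\Windows\\System32\\ntdll.dll", GOLDEN[0][1]),
    ("C:\\Windows\\explorer.exe", PATCHED_EXPLORER),
    ("C:\\Windows\\System32\\svchost.exe", KNOWN_BAD),
    ("C:\\Users\\bob\\Downloads\\setup.exe", USER_DOWNLOAD),
]

if __name__ == "__main__":
    for path, data in SAMPLES:
        print(f"{decide(path, data, ALLOWLIST, BLOCKLIST).value:22} {path}")
```

Run as a script it prints one verdict per sample. The substance is the check order: blocklist first, so the fraudulently signed case from #7 is still quarantined; allowlist second, so a genuine system file blocks the deletion and the bad definition gets reported; and an unknown hash under a protected path falls through to a hold, which is what turns the "No match -> deleted" failure mode from #11 into "No match -> hold for review". A database outage or an unreachable lookup service should land in the same hold branch.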


#12 warwagon

warwagon
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:37 PM

Posted 24 March 2015 - 03:26 PM

 

 

> > > Problem with 1: there have been a couple of malicious executables with valid digital signatures from Microsoft. They were fraudulent and have been revoked once detected, but before revocation, the signature was valid.
> > >
> > > http://blog.didierstevens.com/2012/06/06/flame-authenticode-dumps-kb2718704/
> >
> > Accept the signature might lie, but the hash wouldn't. Let's say it was a bad explorer.exe with a valid signature.
> >
> > Hash it and compare it with hash database. ... No match.
>
> That's not a solution. What if Microsoft releases new patches and your hash database is not up to date? No match -> deleted.

If they provided the database, they would just add a version entry for the particular files, with the new hash.


Edited by warwagon, 24 March 2015 - 03:26 PM.


#13 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,720 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:37 PM

Posted 24 March 2015 - 03:32 PM

You are aware that lately Microsoft is having quality issues with its patches and patching process?




#14 warwagon

warwagon
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:01:37 PM

Posted 24 March 2015 - 03:33 PM

> You are aware that lately Microsoft is having quality issues with its patches and patching process?

So?

 

Update a file, post its new hash.


Edited by warwagon, 24 March 2015 - 03:33 PM.


#15 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,720 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:37 PM

Posted 24 March 2015 - 03:41 PM

 

> > You are aware that lately Microsoft is having quality issues with its patches and patching process?
>
> So?
>
> Update a file, post its new hash.

That is exactly my point. Lately, Microsoft has not been able to do something that you describe so simply with 100% accuracy.

 

Your idea in theory: OK

Your idea in practice: NOK.

 

Microsoft needs to get its patching act together before it can do what you suggest.






