
Diagnostic reporting, Spyware


12 replies to this topic

#1 RiE289x

RiE289x

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:11 PM

Posted 16 January 2016 - 02:25 PM

There was this earlier version of the Windows 10 EULA that has generated a lot of flak

 

 

 

"We will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to protect our customers or enforce the terms governing the use of the services."

 

The accusation was this wording gave Microsoft leeway to upload your hard drive to their side.

 

In any case, most professional and commercial software comes with some form of error reporting/logging feature that's supposed to send diagnostic info to the developers if you decide to report the error for troubleshooting service. Windows itself has this built in for submission with your permission.

 

My question is: what safeguards, if any, are there to scrutinize the myriad of popular commercial software (like browsers and Adobe) from helping themselves to some of your files when you click that submit button? When software is signed for publishing, do the signature providers at all check for potentially malicious behavior written into the software? Is there anything built into Windows or security software that flags supposedly legit third party programs when they try to access and send out random files on your computer?

 

Something like this 

 

http://the-digital-reader.com/2014/10/06/adobe-spying-users-collecting-data-ebook-libraries/

 

but much more insidious as it uploads your password.xml

 

I know most likely this is not to worry about, but I don't see much talk about scrutinizing globally adopted software until some bombshell drops when it's too late for millions.




 


#2 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,750 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:11 PM

Posted 17 January 2016 - 11:40 AM

There was this earlier version of the Windows 10 EULA that has generated a lot of flak

When software is signed for publishing do the signature providers at all check for potentially malicious behavior written into the software?
 

 

Those signature providers don't know what is being signed; they have no way to check the software that is signed with the Authenticode cert they provided.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 RiE289x

RiE289x
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:11 PM

Posted 17 January 2016 - 12:10 PM

Ah, I see.

 

So if some software decides to take advantage of their well established trust with the public and liberally help itself to the contents of your hard drive (not just metadata), would it be flagged as malware activity?

 

Is it possible for an antivirus to distinguish between sending a genuine crash dump or a handful of some random files?



#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,750 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:11 PM

Posted 17 January 2016 - 12:23 PM

That's a very broad question, I don't know all the AV programs.

 

I would say it will not be flagged, except in some cases where you use a security suite that includes data loss prevention software that inspects the contents of the upload and looks for specific data like your SSN.


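The distinction Didier draws in #4 is that a data loss prevention component inspects what the upload contains instead of trusting who sends it. The following is an added illustration of that idea (my code, not from this thread or any DLP product), using two constructed payloads: a fake minidump and a copied password file. The regex rules, the `Finding` type and the sample data are all assumptions made for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample uploads (made up for this example, not real data).
# A crash reporter would send something like the first; the second is the
# kind of file a misbehaving reporter could sweep up from a user profile.
MINIDUMP = b"MDMP\x93\xa7\x00\x00" + b"\x00" * 64 + b"ntdll.dll\x00kernel32.dll\x00"
PASSWORD_XML = (
    b'<?xml version="1.0"?>\n'
    b'<vault><entry site="bank" user="alice" password="Tr0ub4dor&3"/>\n'
    b"<note>SSN 123-45-6789</note></vault>"
)

# Toy DLP rules. The SSN rule excludes area numbers 000, 666 and 9xx and
# zero groups, which are never issued, so fewer random digit runs match.
SSN_RE = re.compile(rb"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
SECRET_KEY_RE = re.compile(rb"(?i)\b(password|passwd|secret|api[_-]?key)\s*[=:]")


@dataclass
class Finding:
    rule: str
    offset: int


def inspect_upload(data: bytes) -> list[Finding]:
    """Content inspection of an outbound payload, independent of the sender."""
    findings = [Finding("ssn", m.start()) for m in SSN_RE.finditer(data)]
    findings += [Finding("credential-key", m.start()) for m in SECRET_KEY_RE.finditer(data)]
    return findings


def looks_like_minidump(data: bytes) -> bool:
    """Windows minidumps start with the ASCII signature 'MDMP'."""
    return data[:4] == b"MDMP"


def allow_upload(data: bytes) -> tuple[bool, list[Finding]]:
    """Block the upload when any rule fires; the findings explain why."""
    findings = inspect_upload(data)
    return (not findings, findings)


if __name__ == "__main__":
    for name, payload in (("minidump", MINIDUMP), ("password.xml", PASSWORD_XML)):
        allowed, hits = allow_upload(payload)
        print(name, "minidump" if looks_like_minidump(payload) else "other",
              "ALLOW" if allowed else "BLOCK", [(h.rule, h.offset) for h in hits])
```

Note what the example does not do: it says nothing about whether the sending program is signed or well known, which is exactly why this kind of check can catch what AV and code signing do not.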


#5 RiE289x

RiE289x
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:11 PM

Posted 17 January 2016 - 01:35 PM

What do heuristic scans really look for when they pass over all the programs in your computer? I was told they were supposed to go through all the operations of the program in a virtual environment?


Edited by RiE289x, 17 January 2016 - 01:36 PM.


#6 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,750 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:11 PM

Posted 17 January 2016 - 02:04 PM

No, the AV does not go through all the operations of a program in a virtual environment, that would take way too long, and it would be impossible to try out all the possible combinations. It just goes through some of the operations, typically those at the start of a program.




#7 RiE289x

RiE289x
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:11 PM

Posted 17 January 2016 - 02:17 PM

So if a program does exactly what malware does but is run under the environment of something from a verified publisher, then it gets a pass from most AV products?



#8 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,750 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:11 PM

Posted 17 January 2016 - 02:20 PM

I don't understand your last question.




#9 RiE289x

RiE289x
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:11 PM

Posted 17 January 2016 - 02:38 PM

You said the kind of behavior from a well known piece of software like Photoshop would simply slip through in most cases.

 

In other words, for any such software users would be more vulnerable and completely caught off guard if its developers decide to betray this trust. At least viruses would be caught as viruses.



#10 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,750 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:11 PM

Posted 17 January 2016 - 02:46 PM

Sorry, but you got me really lost here. I did not say anything about a well known piece of software like Photoshop.




#11 RiE289x

RiE289x
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:11 PM

Posted 17 January 2016 - 02:49 PM

That was my example. The original thread question was what procedures there are in the computing world to ensure that supposedly 'legit' software doesn't do such egregious things that rank it among the worst of the malware.

 

(other than trust)


Edited by RiE289x, 17 January 2016 - 02:49 PM.


#12 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,750 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:11 PM

Posted 17 January 2016 - 02:57 PM

Yes, I understand now, you are going back to the different questions you started the thread with.

But I can only answer the question you had about code signing.




#13 RiE289x

RiE289x
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:11 PM

Posted 17 January 2016 - 03:16 PM

That explains it.

 

Does anyone know the answer to the OP?
