

StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3

3 edits

2 recommendations

reply to siljaline

Re: MS Security Intel Report - 24% PCs Unprotected

Not sure if you're agreeing or disagreeing.

Either way what is the context? Are we talking home PC users? Organizations? A mix? What other security measures are in place besides A/V use? Are firewalls in use?

The point is that throwing out statistics is meaningless without knowing what they apply to.

PS: Yes I have the PDF of the report.

PPS: From the report.

quote:
The Microsoft Security Intelligence Report measures computer infection rates with a metric called computers cleaned per mille (CCM), which indicates the number of computers cleaned by the Microsoft Malicious Software Removal Tool (MSRT) for every 1,000 computers scanned by the tool. (See page v for more information about the CCM metric.)

Most computers that run the MSRT obtain each monthly release of the tool automatically through a Microsoft update service such as Windows Update. It executes in the background and automatically removes selected prevalent malware families from the computer. Recent releases of the MSRT collect and report details about the state of real-time antimalware software on the computer, if the computer’s administrator has chosen to opt in to provide data to Microsoft. This telemetry makes it possible to analyze security software usage patterns around the world and correlate them with infection rates.

On average, about 24 percent of computers scanned by the MSRT each month in 2H12 were not running real-time antimalware software or were running out-of-date antimalware software at the time they were scanned (referred to as “unprotected computers” in this section).

That's where the 24% figure came from. You decide if that figure means anything or not.

Disabling MSRT reporting

quote:
Q3. How can I disable the infection-reporting component of the tool so that the report is not sent back to Microsoft?

A3. An administrator can choose to disable the infection-reporting component of the tool by adding the following registry key value to computers. If this registry key value is set, the tool will not report infection information back to Microsoft.
Subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
 
Entry name: \DontReportInfectionInformation
Type: REG_DWORD
Value data: 1
 

http://support.microsoft.com/kb/891716

Other registry settings that seem to be related

SubmitSpynetReportResult
SubmitSpynetReport
--
Don't feed trolls--it only makes them grow!


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
said by StuartMW:

Not sure if you're agreeing or disagreeing.

Disagreeing as it is a little ambiguous.

However: »blogs.technet.com/b/mmpc/archive···are.aspx
»twitter.com/msftmmpc/status/3245···33920257


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3
What I didn't know, until reading the report, was that (see above quotes) Microsoft uses MSRT as a data collection tool. The data in their report comes from its "phoning home" each month.

It's a neat trick to offer, automatically, MRT each patch Tues and then collect data from its use.

Now that's probably the best way to get real data (MS claims, in the report, that 600 million users run MRT every month) but IMO it still neglects many other relevant factors. The assumption is that use of an A/V product prevents malware infection. Of course it can but so do other mechanisms (firewalls, behavior etc).

I therefore find the "24%" and "5.5" figures indicators at best.
--
Don't feed trolls--it only makes them grow!


EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric
I feel that A/V has its place, but not as the be-all, end-all solution.

In its defense, there have been many legitimate sites hacked with malware exploits, and client and server application vulnerabilities are a popular attack vector.

Very often, these vulnerabilities remain unpatched even after exploits have been in the wild for some time. In these cases as well as with systems with careless or nontechnical users and systems with high value data, anti-malware applications provide a useful layer of security.

In the end, though, I feel Bruce Schneier said it best;

"Security is a process, not a product"
--
Buckle Up. It makes it harder for the aliens to suck you out of your car.


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
I agree that AV has its place, and it certainly is not the one and only product if one is really choosing to do anything. An AV is like underwear, but you wouldn't wear just your undies. Yes, indeed. It's that layering that can make the difference.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3
reply to EGeezer
said by EGeezer:

I feel that A/V has its place, but not as the be-all, end-all solution.

Exactly.

The MS report is pretty good as far as it goes. On the other hand (and see the report) they're in the business of selling anti-malware solutions. That's not to say that their report is biased but their statistics must be taken in that context.

Also, as I've already said, they're basing the figures on incomplete data. They cannot measure other factors.

As you said an A/V is just another layer.
--
Don't feed trolls--it only makes them grow!


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3
reply to jaykaykay
said by jaykaykay:

...you wouldn't wear just your undies.

Yes well that too is contextual. There are places where only undies are worn
--
Don't feed trolls--it only makes them grow!


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless

1 recommendation

reply to StuartMW
said by StuartMW:

That's where the 24% figure came from. You decide if that figure means anything or not.

That 100% of the infected machines were running MSRT.


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:5
reply to StuartMW
Does anyone know where this phones home through? Is it through mrt.exe or another process?


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3
MRT.exe is a stand alone process (check Task Manager to see) so I assume it does the phoning-home. No idea what URL and port(s) it uses.
--
Don't feed trolls--it only makes them grow!


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:5
Reviews:
·Time Warner Cable

Re: MRT's phoning home from where?

said by StuartMW:

MRT.exe is a stand alone process (check Task Manager to see) so I assume it does the phoning-home. No idea what URL and port(s) it uses.

See, that's weird. I have never seen and currently do not see mrt.exe wanting network access in my Windows firewalls (64-bit W7's N360 and XP Pro SP3's Outpost Firewall 2009). It must be phoning home from another process. Hmm!
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:3

1 edit

1 recommendation

Here are some URLs found using the Sysinternals Strings utility on the May 2013 version of MRT.exe

https://spynet2.microsoft.com/AntiMalwareServices/2/SpynetReportSrvc.asmx

http://Microsoft.com/AntiMalwareServices/SpynetReportSrvc

FYI I think MRT.exe only reports if something is detected.
--
Don't feed trolls--it only makes them grow!
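
Added example, not part of the original thread or any poster's code: a small Python sketch of the kind of scan described in the post above, pulling printable ASCII and UTF-16LE strings out of a binary and listing the URLs they contain, so that embedded hosts can be compared against outbound firewall rules. The names `extract_strings`, `embedded_endpoints` and `SAMPLE`, and the minimum run length of 6, are assumptions made for illustration; the sample bytes are constructed around the two strings quoted in the post.

```python
import re
import sys
from urllib.parse import urlsplit

# Constructed sample: binary padding around the two strings quoted in the
# post, one stored as ASCII and one as UTF-16LE (both occur in PE files).
SAMPLE = (
    b"\x00\x01MZ\x90\x00\xff\xfe"
    + b"https://spynet2.microsoft.com/AntiMalwareServices/2/SpynetReportSrvc.asmx"
    + b"\x00\x00\x01\x02"
    + "http://Microsoft.com/AntiMalwareServices/SpynetReportSrvc".encode("utf-16-le")
    + b"\x00\x00\xde\xad"
)

MIN_LEN = 6  # assumption: shortest printable run treated as a string
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
URL = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def extract_strings(data):
    """Yield (offset, encoding, text) for each printable run in the bytes."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in WIDE_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def embedded_endpoints(data):
    """Return sorted, de-duplicated (host, url) pairs found in the strings."""
    found = set()
    for _offset, _enc, text in extract_strings(data):
        for url in URL.findall(text):
            # hostname is lower-cased by urlsplit, which eases rule matching
            found.add((urlsplit(url).hostname or "", url))
    return sorted(found)


if __name__ == "__main__":
    # No argument: scan the constructed sample. Otherwise: scan the given file.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for host, url in embedded_endpoints(blob):
        print(f"{host}\t{url}")
```

A URL embedded in a binary shows only what the program can reference; outbound firewall or proxy logs are what confirm an actual connection and which process made it.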


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:5
Reviews:
·Time Warner Cable
said by StuartMW:

Here are some URLs found using the Sysinternals Strings utility on the May 2013 version of MRT.exe

»spynet2.microsoft.com/AntiMalwar···rvc.asmx

»Microsoft.com/AntiMalwareService···portSrvc

FYI MRT.exe only reports if something is detected.

Both links failed:
»spynet2.microsoft.com/AntiMalwar···rvc.asmx link didn't work (blank web page with nothing in its source code).
»www.microsoft.com/AntiMalwareSer···portSrvc showed me "We are sorry, the page you requested cannot be found..."

Ah, it only phones home when it finds something? OK. I have not seen one before so far...
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.


Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11
reply to jaykaykay

Re: MS Security Intel Report - 24% PCs Unprotected

said by jaykaykay:

An AV is like underwear, but you wouldn't wear just your undies. Yes, indeed. It's that layering that can make the difference.

I guess going commando is risky? ...


intok

join:2012-03-15
said by Dustyn:

said by jaykaykay:

An AV is like underwear, but you wouldn't wear just your undies. Yes, indeed. It's that layering that can make the difference.

I guess going commando is risky? ...

Total freeballin'?

»www.youtube.com/watch?v=469KLGY6WCQ

--
You think there's no games for Linux? »desura.com »gameolith.com »humblebundle.com »playdeb.net »ubuntuvibes.com

Check out »youtube.com/user/TheBigPictureRT/videos »freespeech.org and »democracynow.org

zod5000

join:2003-10-21
Victoria, BC
Reviews:
·Shaw
reply to StuartMW
I've always gambled and not run active A/V. I have my PC set up to run two scans per week (Weds & Sun) in the middle of the night.

If you tested my PC it would look like there was no active A/V, but I do have regularly scheduled passive A/V. It's a holdover from when PCs were slower, and active scanning would slow things down.