Welcome to TechNet Blogs Sign in | Join | Help

Testing A New Definition Update Publishing Process for Windows Defender

Hi Folks,

Adam here from the antimalware team. I wanted to give you a heads-up that we will be testing a new definition update process in the next two weeks. Definition updates for Windows Defender (Windows Vista and current platforms) will be publishing daily (Monday-Friday) starting from August 1st and will continue for 2 weeks until August 15th, 2006. We are testing a new end-to-end definition update release pipeline that will allow us to publish definition updates at a higher frequency and we would like to get a better understanding of issues that may arise due to this higher frequency update process. At the end of this period, Windows Defender updates will return to our normal twice weekly schedule.

We have been working the last few months so that our new signature release process will be able to publish updates much more frequently and on a flexible schedule. As the next step, we will start releasing Windows Defender updates every day (Monday to Friday) within a trial period for the next two weeks ending August 15th, 2006. Again, we will return to a twice weekly release schedule after August 15th, but with this new process will be able to release updates on a more flexible schedule at any day including weekends and holidays for emergency situations. We want to understand how well the new process satisfies a daily release cycle, and receive customer feedback during this trial period, so please post your definition update experience to our newsgroups.

We hope that this test of our new process shows the progress that we’re making towards providing better and more timely protection for our customers as we head towards our final release.



Posted by blogmalware | 2 Comments

Antimalware Team Releases MSRT White Paper

Hello there. I'm writing to you from the Microsoft TechEd conference in Boston. This event attracts over 10,000 attendees interested in learning about current and future Microsoft products. It's also a great place for getting feedback from our customers and we'll share some of that feedback next week.

Yesterday, the Microsoft Antimalware team released a new white paper entitled "Windows Malicious Software Removal Tool: Progress Made, Trends Observed". The paper highlights Microsoft's uniquely broad understanding of the malware landscape, illustrating how the tool has removed 16 million pieces of malicious software from 5.7 million unique computers from January 2005 to March 2006. On average, the tool has removed at least one instance of malicious software from every 311 computers it has run on. A core objective of Microsoft's release of the tool is reducing the impact of malicious software on Windows customers and the report describes how removals of 41 of the 61 malware families have decreased with 21 of those families exhibiting a decrease by more than 75%.

The report goes onto highlight several trends related to malicious software categories, such as backdoor Trojans (including bots) and rootkits. For example, of the 5.7 million unique computers from which the tool has removed malware, a backdoor Trojan was present in 62% of the cases. We have noticed that there has been some confusion over this statistic so, to be clear, keep in mind that this percentage is of the population of infected computers. In other words, when the tool does find an instance of malware per every 311 computers, there is a 62% chance it will be a backdoor Trojan. This statistic does not mean that the tool has removed a backdoor Trojan from 62% of the computers the tool has run on.

What does this mean for our customers?  Our goal is to provide our customers and partners with an accurate understanding of the types of threats that exist so they can take appropriate action to ensure that they are protected.  It also means that we’re able to use this data, and data gathered from other resources, to continually evolve our understanding of the malware environment and to continually improving the way we respond to customers when faced with malicious threats.  

We hope that you find the data and guidance provided by the paper interesting and actionable. Any feedback is welcome and will be taken into consideration for future threat reports produced by the Microsoft Antimalware team.  


PS Below find a picture of some of the antimalware team at TechEd. From left to right: Adam Overton (Group Program Manager), Mike Chan (Senior Product Manager), Matt Braverman (Program Manager), Jason Joyce (Program Manager), and Sterling Reasor (Program Manager).

Posted by blogmalware | 8 Comments

Attending AusCERT

Hi, Ziv Mador here from the antimalware team at Microsoft. Last week I attended the AusCERT conference in Gold Coast, Australia. The conference was organized by the Australian Computer Emergency Response Team, AusCERT. We have worked with this team for a long time to maximize the detection of threats that exist in Australia. Some of the signatures for these threats are added to the monthly release of the Windows Malicious Software Removal Tool which is delivered to Windows systems in Australia and in other regions primarily through Automatic Updates.

During the conference, experts from Microsoft presented two sessions: Jesper Johansson gave a presentation entitled “Is that Application Really Safe?” about how to identify obvious security holes in software applications. Mark Estberg from Microsoft's IT team gave a keynote session on “Information Security as a Strategic Asset at Microsoft”. We also had an open Q&A session where delegates freely presented questions to folks from Microsoft, including myself. We received some great questions and the feedback following this session was positive. Some of the questions were around our enterprise and consumer anti-malware products and other questions focused on security features in Windows Vista.

- Ziv

Posted by blogmalware | 0 Comments

Windows Live OneCare Receives a Virus Bulletin 100% Award !

As many of you know already, Windows Live OneCare is now available at retail stores across the country and from http://onecare.live.com. As the provider of antimalware technology to Windows Live OneCare, our team is extremely excited to have this fantastic product available to our customers and look forward to any feedback.

In addition to the great news about the retail availability of Windows Live OneCare, we've also been recently notified that the product has been awarded a Virus Bulletin 100% Award, on the first submission attempt. Especially when combined with the certification news from my May 25 post, this achievement demonstrates the capability of Windows Live OneCare to effectively detect a wide range of malicious software affecting customers today.

- Matt

Posted by blogmalware | 1 Comments

Windows Defender for German Speaking Markets is Available !

Adam Overton here – Group Program Manager for the Antimalware team. Today, we shipped Windows Defender (Beta 2) for German speaking markets including Germany and Switzerland. We’re also close to launching our Japanese version for additional coverage in Asia so be on the lookout for that announcement. Windows Defender has been available in the English speaking markets for quite a while now and we’re proud to make Windows Defender (Beta 2) available to help protect computers against spyware and other potentially unwanted software in more of our international markets. Although German and Japanese will be the only languages we localize to for our Beta 2, we remain very committed to all our international customers and plan to release localized versions of our RTM release into all the major languages. We’re looking for folks to help test our localized Beta 2 versions in preparation for our final English locale release in the second half of 2006 followed by our localized releases, so get out there and install the German Windows Defender and give us your feedback by posting to our newsgroups.


Posted by blogmalware | 1 Comments

Windows Live OneCare is Certified !

We're certified !

This morning, Microsoft issued a press release describing how Windows Live OneCare has acquired multiple certifications for antivirus and firewall from ICSA Labs and West Coast Labs, two of the top labs for antimalware product testing. Windows Live OneCare utilizes the antimalware technology produced by our team and we are extremely proud to have received these key forms of recognition.

Our partners on Windows Live OneCare also have a blog, that I highly recommend, at http://spaces.msn.com/windowsonecare/blog.


Posted by blogmalware | 1 Comments

Antispyware Coalition Meeting in Ottawa

Eric and I attended the Antispyware Coalition Meeting and Workshop last week. It was a good opportunity to meet with many of our peers in the industry as well as a very pleasant trip overall. Ottawa, where the event was held, is a great city and in addition to everything else the trip afforded us the opportunity to enjoy some great native cuisine of the region. A common theme which ran between both the meeting and the workshop was the idea of sharing of intelligence. In the meeting we discussed a proposal based on ideas Eric suggested last month centering around the sharing of threat URLs between anti-spyware providers with a goal of improving capabilities across the industry.  The concept was endorsed and presented at the meeting by Symantec and ICSA Labs and seemed to be very well received. There are still a lot of things to be worked out but I'm excited about this kind of industry cooperation. 

In the workshop I had the opportunity to present as part of a panel on the topic of Public and Private Cooperation. On the panel with me was Joe Jarzombek, Director of Software Assurance at the US Department of Homeland Security as well as Christine Owen of Webroot and we were moderated by Neil Schwartzman of CAUCE Canada. Some of the points that Joe raised when discussing the mission of DHS with regard to protection of the Internet reinforced for me the importance of broad and deep industry collaboration when dealing with threats such as spyware and other malicious code. Other sessions at the workshop covered the various harms caused by spyware, where spyware comes from, legislative solutions and driving awareness of risks within both the consumer and enterprise spaces. Even better than the sessions were the many conversations and ideas shared between member attendees on a range of topics both technical and social relating to how we can all combat these various threats better.


Posted by blogmalware | 0 Comments

A Closer Look at Behavioral Classification

Hi, my name is Tony Lee. I am a virus researcher on the Microsoft Antimalware team. One of our top priorities is to conduct advanced research to combat malware problems. A significant challenge we have today is the large number of active malware samples, totaling in the order of tens of thousands, and increasing rapidly. It has become apparent to us that the traditional manual analysis process is not adequate in dealing with malware of this order of magnitude, and that we should seek automation technologies to aid human analysts. To address this challenge, we are conducting research on technologies which model human analysis, to enable autonomous processes that analyze and classify malware, in an automatic and adaptable manner.

As described by Matt’s EICAR recap post last week, my colleague Jigar Mody and I presented a paper on this research work at the EICAR conference at Hamburg, Germany. The subject was on automatic malware classification using runtime events and machine learning. The underlying approach we took involves capturing malware behavior in a time sequence of events, which is a knowledge representation we then used as input to a machine learning process to uncover similarity information across a large number of malware samples. The novelty in this research is the application of a distance-based clustering algorithm on behavioral data observed during malware execution. Past technologies and research attempts, such as rule-based, weights/thresholds and abstract feature set approaches, focus mostly on heuristics to detect generic categories of malware (e.g. malicious or not); common challenges include algorithms too generic to provide classification precision or difficult to scale to unaccounted characteristics.

Having looked into numerous research and technologies from the past, we decided to take a step back and approach the problem from ground zero. First, we conceptualized the classification process in terms of knowledge consumption, representation, learning, and application. We then tackled the basic problem of representing knowledge extracted from malware. By using event sequences as a representation, we were able to describe the ordered effects or system transition states observed from malware behavior. Unlike common statistics-based data mining techniques (association rules, Bayesian classifiers, term vector, etc.), we use instance-based learning, allowing objects represented in rich syntax (ordered sequence). We solved the object-distance problem by adapting Levenshtein distance to measure similarity between objects. We took an innovative approach to fine tune edit operation cost as a function of event type, values and operation type, in order to achieve optimal similarity precision. We then employed K-medoids clustering algorithm to construct semantic groups of malware objects based on similarity measure, classes to serve as the basis to family classification.

The preliminary tests, conducted among 3 to 11 families, with total over 700 variants, showed fairly high classification accuracy (up to 84%). The tests reveal a  consistent trend of improving results with respect to number of families, clusters and events. As the number of events used in the similarity measure increase, we see the increase in accuracy as we expected. We also found that number of clusters and families affect the classification accuracy positively, because, given proper similarity measure, the more semantic groups proposed, the more centers or space for data points to be drawn to the right groups. We also observe the outlier effects were contained to the degree in proportion to the number of clusters proposed, because of the stronger collective “gravitational forces” due to the increased number of centroids. For more detailed observations, please see the paper available for download from the Microsoft Download Center.

We are continuously working on optimizing the algorithms and techniques of this system, such as the similarity measure precision, clustering algorithm efficiency, malware replication system effectiveness, and applications in domains such as automated behavior descriptions and correlation analysis. The method we have proposed in the paper is one of the many routes towards a solution that addresses the challenge of a growing number of malware in the wild.


Posted by blogmalware | 4 Comments

Computers, Freedom & Privacy Conference

On my way back from EICAR I had the opportunity to stop in to the Computers Freedom & Privacy Conference in Washington DC and participate in a panel discussing the responsibilities of an adware provider. From the few sessions I was able to attend it looked to be a great conference- one that I'll try to attend in full next year. The panel I participated in was moderated by Eric Goldman - a law professor at Marquette University. Joining me on the panel was Ari Schwartz of CDT and the Anti-Spyware Coalition, Vishant Shah of CSIA as well as the general counsel of an adware company. Eric posed some great questions such as "When are advertisers responsible for adware vendors’ acts, and what steps do you think advertisers should take to satisfy this responsibility?" and "When do we know that users actually consented to install software on their computers? Specifically, what steps must a software vendor take to make sure users mean to install the software on their computers?". The audience was very engaged in the discussion and while I won't suggest that the questions were answered definitively I do think that some interesting points were raised.

One main item I took away from the discussion is that the industry would benefit from a set of commonly agreed to best practices for software. It would make categorizing software easier and it would also make it easier for software providers to see what types of things they ought to be doing if they want their customers to have a positive experience. Fortunately, best practices is a topic for the upcoming Anti-Spyware Coalition Workshop and meetings in Ottowa next week.


Posted by blogmalware | 0 Comments

Notes from EICAR

Hello folks. Jeff Williams, Tony Lee, Jigar Mody, and I have returned from the EICAR conference in Hamburg, Germany which, as a port city with a similar climate, reminded me of Seattle (but with more bratwurst). The event itself was well-organized and, at about 100 attendees, was a great size to enable networking in a close, comfortable environment. What is especially nice about this conference is that it attracts and encourages students and professors so there was a great mix of professionals and members of academia. Especially for the academics, in some cases, this is the only antimalware event they will attend so it was great to see and interact with some new faces.


Similarly, I found many of the sessions presented to be unique and interesting. For example, a paper entitled "TTAnalyze: A Tool for Analyzing Malware" by Ulrich Bayer of Ikarus Software and Christopher Kruegel and Engin Kirda of the Technical University of Vienna presented some neat techniques for investigating malware behavior in an automated fashion. This paper was recognized as the best academic paper by EICAR amongst a fairly competitive field.  Also, while I'm slightly biased, I thought that Tony and Jigar's presentation on Behavioral Classification was excellent. The session was well attended and attracted some healthy discussion afterwards which continued ad-hoc through the remainder of the conference. With the permission of EICAR, we're pleased to be able to make Tony and Jigar's paper available from the Microsoft Download Center, so enjoy ! 


Another interesting thread of sessions and discussions was on testing of anti-spyware applications. Both Larry Bridwell from ICSA Labs and Josh Harriman from Symantec offered presentations on this topic. Unlike the antivirus product testing and certification space, which is reasonably established, antispyware testing is still in its infancy. The number of different custom evaluations being conducted currently is dizzying with almost all offering different criteria. Microsoft is actively working with other entities in the security industry on making a set of more deterministic and reproducible evaluations. Along this vein, Jeff and Eric Allred will be at the Antispyware Coalition (ASC) meeting in Ottawa May 15-16, along with representatives from most of the other security vendors. If you have input into antispyware testing standards, I highly recommend you attend this event and chat with Jeff and Eric .... or reply to this blog post.



Posted by blogmalware | 1 Comments

VirusTotal Participation

Hi, this is Ziv Mador again from the Microsoft Anti-Malware team. This week, the folks over at VirusTotal added the Microsoft anti-malware engine to their service. VirusTotal is a free service that enables users to submit suspicious files to be scanned by several anti-malware engines. If you choose, files that are not identified as malicious are sent to the vendors who supply the anti-malware engines to this service to be analyzed. As of April 27, the Microsoft anti-malware scanner is included in the set of scanning engines used by VirusTotal. This scanner is based on the same technology found in Windows Live OneCare, the Windows Malicious Software Removal Tool, and Microsoft Antigen, and includes our full antivirus set of signatures. We are glad to be participating in this community opportunity.

Posted by blogmalware | 5 Comments

On the Road at Infosecurity Europe and EICAR

Eric Allred and I are in London for the Infosecurity Europe conference. We spent the last two days on the conference floor with the Microsoft UK team, talking to customers and partners about Windows Defender, Windows Live OneCare, Microsoft Client Protection, and the Windows Malicious Software Removal Tool. We've also been demoing Windows Vista to customers which includes a number of new security features to help protect from malware, spyware, and potentially unwanted software including Windows Defender, User Account Control, and Internet Explorer 7 with Protected Mode.
On Friday, we'll be flying to the European Institute for Computer Antivirus Research (EICAR) conference in Hamburg. Jeff Williams and two more of our colleagues, Tony Lee and Jigar Mody, will be joining us at this conference. Tony and Jigar will be presenting on Behavioral Classification on Monday, May 1. I've seen an early version of their presentation and it's some pretty interesting stuff. If you're planning to be at EICAR, please track us down and say hello ... and, naturally, come by Tony and Jigar's presentation on Monday.
Posted by blogmalware | 0 Comments

Windows Defender Beta 2 Refresh

Today, we released a refresh of Windows Defender (Beta 2) which includes updates based on the customer feedback that we have received through this blog and the newsgroups. This update also addresses some issues that have been brought to our attention around signature updating, improves upon the usability of Windows Defender and also improves our SpyNet reporting capabilities.

First off, we have added a checkbox option to continually display the system tray icon. We heard your feedback loud and clear on this one, so those who want to see our icon with the little green check in their system tray as a sign of system health can now do so. We have also improved Windows Defender's ability to report more accurate data about potentially unwanted software through SpyNet so that we can help create better definition updates.

Finally, we've made some minor updates to the UI and we are on track to release our Japanese and German localized versions and expect to turn on the update notification for existing Beta 1 and Beta 2 customers soon - so keep an eye out!

I would also like to urge you to opt-into the "Advanced" participation level in SpyNet. In this mode, you will not only be alerted of changes to critical system settings by recognized and potentially unwanted applications but you will also be notified of changes by applications that have not yet been classified. By choosing "Advanced" you can help combat spyware by sending back full reports and potential samples to our analysts. To the extent any personal information is included in an "Advanced" member report, this information will not be used to identify you or contact you in accordance with our privacy policy. For example, under the "Basic" setting, the SpyNet report will strip off the path to an executable it found, in case it was in a folder that contained your user name; however, knowing where potentially unwanted applications install is useful information. Thank you for helping us fight spyware and potentially unwanted software!

With these upcoming changes to our reporting network and our core technology, we will improve our detection and removal capabilities even more in the upcoming months.



Posted by blogmalware | 15 Comments

News on Alcan, Mywife.E

In Bill Gates' keynote at RSA in February, one of the subjects he spoke on was the ability for Microsoft to have a comprehensive view of the evolving threat landscape using the information and feedback from such tools as Hotmail, Watson, the Windows Malicious Software Removal Tool, and Windows Defender.

Each month, the Malicious Software Removal Tool runs on approximately 250 million computers, mainly via Windows Update and Automatic Updates. In February's release of the tool, we added the ability to detect and remove a worm called Win32/Alcan. We believed that Alcan would be moderately prevalent based on data from Windows Live Safety Center and Windows Live OneCare but we were genuinely surprised once we sifted through the data from the February release. During the course of that month, the tool detected Alcan (and, specifically, Alcan.B) on just over 250 thousand unique machines, easily the top detection for the month. Compare this to the Win32/Mywife.E worm (aka CME-24), which we removed from approximately 40 thousand computers in February.

Alcan.B does not exploit any software vulnerabilities. Instead, it spreads through popular peer to peer applications and its prevalence is likely due to effective social engineering. Specifically, when sharing copies of itself over a P2P network, to name the copies, it contacts several websites to look for the names of recent, popular program cracks. Thus, the worm's name is always relatively up-to-date and attractive to those surfing these networks for cracks. Also, when the worm is run, instead of displaying nothing or popping up 50 browser windows, it displays what appears to be a setup wizard window, as displayed in our write-up. When the user clicks next, an error message is displayed. Thus, the user is fooled into thinking that what he or she just ran was a buggy or incomplete program, not a worm.

Threats like this reinforce the idea that malware that exploits user weakness can be as dangerous as those threats which exploit software vulnerabilities and reinforces the value of up-to-date antivirus products as well as general user vigilance.


Posted by blogmalware | 4 Comments

Windows Defender Beta 2: Updated Version Available

An updated version of Windows Defender Beta 2 is now available from the Microsoft Download Center. This update resolves the two issues described in the below blog post relating to non-English versions of Windows and referenced in KB915087.  If you are running on a non-English version of Windows, then we advise that you uninstall the previous installation and install the updated version.  If you are running on an English version of Windows, then no action is required.

Also, a new definition update package is now available from Microsoft Update which should resolve the problem described in KB915105.  Users with Automatic Updates enabled will be notified of the availability of the release in a manner consistent with their Automatic Updates settings.

Posted by blogmalware | 4 Comments
More Posts Next page »