
MS Security Essentials reporting false positives in the Bitcoin blockchain - zorked
https://answers.microsoft.com/en-us/protect/forum/mse-protect_updating/microsoft-security-essentials-reporting-false/0240ed8e-5a27-4843-a939-0279c8110e1c
======
nwh
So a joker decided to embed some Anti Virus bait in the blockchain; just a few
bytes are enough to make the software go nuts deleting a whole lot of files the
Bitcoin client needs. The solution the Bitcoin developers suggest is pure
old-school malware style: XOR the blocks to hide it from the Anti Virus suites.
Classic.

[https://github.com/bitcoin/bitcoin/issues/4069](https://github.com/bitcoin/bitcoin/issues/4069)

~~~
cjg
In one of the comments in that article: "I can't wait until someone legally
changes their name to one of these sequences and we find out that all sorts of
government databases didn't have functioning backups..."

~~~
cnvogel
I think you could put the "EICAR Test String" easily in a _lot_ of databases,
maybe as the answer to a security question, a special "delivery
instruction"...

[http://www.eicar.org/86-0-Intended-use.html](http://www.eicar.org/86-0-Intended-use.html)

It's detected by almost any antivirus product; on my work computer the
corporate antivirus immediately quarantines a file with this content.

X 5 O ! P % @ A P [ 4 \ P Z X 5 (...)

~~~
maaarghk
Not EICAR because that has to be at the start of the file. But some other
signature, sure.

------
kijin
MSE was top-notch when it was first released. It aced all the malware
detection benchmarks, not to mention it was completely ad-free and extremely
lightweight, which was unheard of in the free antivirus market. The high
detection rate and low performance impact made lots of Windows users flock to
MSE, myself included.

Nowadays, MSE is still lightweight, but it sits at the bottom of every malware
detection benchmark. I've been recommending MSE to everyone around me, but
recently they started getting all sorts of malware despite keeping MSE up to
date. All of these were easily detected and removed by avast!, BitDefender,
and Malwarebytes, but MSE just sat there like a cow, oblivious to the
malware's presence.

Why has Microsoft let MSE rot like this? Now that MSE is built into Windows 8,
are they afraid of getting slapped with antitrust fines if they shipped an
antivirus that can actually compete with third-party offerings?

This year, I'm moving my family off of MSE. So long, it was good while it
lasted. But third-party antiviruses have caught up in the meantime, and now
they're just as lightweight as MSE.

~~~
nivla
Nah, I will stick with MSE because the alternative for me is not to use an
antivirus. If you ever want to know how to bring an 8-core i7 to its knees,
install Norton. MSE is the only antivirus that is lightweight, stays out of
your way and is the least annoying of everything out there, not to mention it's
free with no ads. Sure, it doesn't have heuristic scanning, but it did once
do a good job of detecting a malware that both Avast and Norton missed, which
is good enough trust for me. The best feature is that it doesn't have a girl
screaming "Avast, Your database have been updated." or "Your license is about
to expire in 90 days unless you pay $$$" every 4 hours.

Don't download anything sketchy, keep an updated version of your browser,
don't run yourself as root and you should be fine for 99.9% of infections out
there. For the rest just keep MSE around.

~~~
ghshephard
You forgot the top two other pieces of advice - Make sure you have a decent
adaptive firewall, and run anything even slightly worrisome in a virtual
machine, never on your main operating system.

~~~
nivla
You are right, those too. I would also recommend Sandboxie[1], not sure on its
effectiveness but the convenience to just right click and run apps in its own
sandbox is huge. Does anyone know an open source alternative to it?

[1][http://www.sandboxie.com/](http://www.sandboxie.com/)

~~~
MichaelGG
Also on Windows, consider looking at Software Restriction Policies. For my
host partition, I have things configured to deny execute for anything not in
Windows (and excluding some temp/cache dirs). So if I step away for a minute
and someone tries to download and run an exe, Windows should prevent it. Would
also prevent me from drunkenly saving cute.jpg.exe to my desktop and running
it.

------
bobbles
I seem to remember just having some text copy+pasted into IRC channels used to
send people's anti virus software into meltdown... but this was sometime like
2000-2001.

~~~
JimDabell
If I remember correctly, it used to be the case that if you could get the
string +++ATH0 transmitted to somebody in the clear, you could hang up their
dialup connection because it was a control code for Hayes modems that ended up
being standardised on. Badly written firmware in modems meant that this was
often interpreted even when it wasn't transmitted in a control code context.

~~~
thristian
Actually, it wasn't "badly written firmware". Hayes modems actually looked for
"+++", then a second or so of no traffic, before they would switch into
command-mode, and that delay was patented. So "Hayes-compatible" modems would
implement the system without the delay, and as a result were vulnerable to
remote DoS.

~~~
hosay123
To extend this a little further, various brands of modems (at least Rockwell)
supported it but came with it disabled by default. You could enable it before
dialling up by setting an S register.
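
The guard-time distinction thristian and hosay123 describe, as an added simulation in Python (not code from any modem or from the thread); the traffic samples, the guard value and the `until` parameter are constructed for the demo:

```python
"""Added simulation, not code from any modem firmware: an escape-sequence
detector run with and without the Hayes guard time.  Traffic samples are
constructed (time in seconds, byte) pairs."""

ESCAPE = b"+++"


def stream(data: bytes, start: float, spacing: float) -> list[tuple[float, int]]:
    """Constructed traffic: bytes arriving back-to-back every `spacing` s."""
    return [(start + i * spacing, b) for i, b in enumerate(data)]


def enters_command_mode(events, guard: float, until=None) -> bool:
    """True if the modem would drop from data mode into command mode.

    guard > 0 models Hayes: at least `guard` s of silence, then '+++' with
    each '+' within `guard` s of the previous one, then `guard` s of silence
    (observed until the next byte, or until time `until` if none follows).
    guard == 0 models a compatible that skipped the timing check, so any
    '+++' inside the data stream counts.
    """
    if guard == 0:
        return ESCAPE in bytes(b for _, b in events)
    last_t, matched = float("-inf"), 0
    for t, b in events:
        gap = t - last_t
        if matched == 3 and gap >= guard:
            return True                 # '+++' then trailing silence
        if b != ord("+"):
            matched = 0
        elif gap >= guard:
            matched = 1                 # a '+' after silence may start it
        elif matched in (1, 2):
            matched += 1                # a quick second or third '+'
        else:
            matched = 0                 # '+' in a burst of data, or a 4th '+'
        last_t = t
    end = last_t if until is None else until
    return matched == 3 and end - last_t >= guard


# Constructed scenarios: the sequence buried in continuous traffic, and a
# deliberate escape preceded by a five-second pause.
INLINE = stream(b"file data +++ATH0 more data", 0.0, 0.01)
ESCAPE_WITH_PAUSE = stream(b"data", 0.0, 0.01) + stream(ESCAPE, 5.0, 0.01)
```

With a one-second guard the in-band string in INLINE is ignored, while with guard 0 it switches the modem to command mode; ESCAPE_WITH_PAUSE only counts once the trailing second of silence has also elapsed.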

------
userbinator
I think this is another great example of how modern AV software can be used as
a tool of mass censorship. They can simply add signatures for any file
contents they disagree with (or some other organisation with the appropriate
power requests to do so), and it will disappear from their users' computers
under the pretense of being malicious. Users will trust them in order to "stay
safe".

That's why I believe in behavioural monitoring rather than signature-based
approaches, since what's malicious is really the activity itself.

------
afreak
The simple solution is to not allow your anti-virus software to scan anything
that cannot be malware. There are exceptions to the rule of course such as MP3s
that had executable code, but why does it need to scan every single file on
your system?

Full disclosure: I used to work for an AV software company and personally
think that AV is a dead technology.

~~~
DerpDerpDerp
Could you elaborate on why you think it's a dead technology?

~~~
afreak
There are many articles describing why but really it comes down to this:
malware authors can pump out so many copies of their software at once that
the signature-based detections that the AV industry relies on are no longer
reliable or effective.

We're at a point now where what may have worked as a defence against stuff
being found on floppy drives just isn't able to scale for today's modern
infrastructure.

AV is really a last line of defence against being forgetful, and nothing more.

~~~
wmt
I'm not sure what I should not forget when I visit a hacked web forum which
sends me to an exploit kit that knows an unpatched, possibly zero-day,
vulnerability in my browser?

You're oversimplifying modern AV by acting like it's just a signature-based
file scanner. That's just one defence of many in a good AV product.

~~~
afreak
You're mixing apples and oranges here.

The problem described in the story is that files are being picked up by
an overzealous AV scanner doing disk-based scanning. It's reading
non-executable data as executable and throwing alerts or performing whatever
actions are dictated as per policy.

AV is not there to stop zero-day attacks--if it were, I would not be having
this conversation today.

What you're describing is web filtering and this can be achieved using methods
either internal or external--an external example would be a solution from
OpenDNS and an internal can be whatever appliance makes you happy. AV vendors
have thrown in web filtering as a part of their suite, but it still relies on
your system being up to date and not already infected. An external solution to
your endpoint is a far better solution really.

I am not oversimplifying things when I say that AV is ineffective at stopping
CryptoLocker because file-based detections are useless when there are
thousands of copies of the malware generated every day.

AV is dead because there is not enough manpower and coverage to stop things
like CryptoLocker. It is better to spend those resources trying to prevent the
spread of malware using other methods.

------
nivla
OR they could have just used the string from EICAR test file [1].

Since I don't use bitcoin, let me ask, does everyone have to download the
whole blockchain to their computer in order to mine or receive/send the coins?
Wouldn't the blockchain be XX GB in size by now?

[1] [http://en.wikipedia.org/wiki/EICAR_test_file](http://en.wikipedia.org/wiki/EICAR_test_file)

~~~
bowmessage
Yes, they do. And yes, it's quite large! Over 10 GB.

~~~
Jach
No they don't. Mining software that connects to pools is independent of having
a blockchain copy. There are also several bitcoin wallet implementations that
don't require a full copy of the blockchain.

~~~
maaku
Strictly speaking, that is _hashing_ software. Mining software is what runs on
the pool, and it absolutely must download and verify the blockchain.

------
etiam
We actually received advance warning of this some time ago:
[https://news.ycombinator.com/item?id=7542920](https://news.ycombinator.com/item?id=7542920)

After some consideration and the feedback here
[https://news.ycombinator.com/item?id=7543196](https://news.ycombinator.com/item?id=7543196)
I decided to inform one major antivirus vendor about it. They offered their
thanks for the warning, but also the opinion that false alerts would be
strongly limited since the virus signatures are in files that would generally
not be scanned. The scope of this remains to be seen, but apparently at least
Microsoft Security Essentials doesn't handle this _entirely_ without problems.

------
izietto
The part I prefer:

> It appears to be a joke or prank, simply because this particular virus does
> nothing more than periodically show "YOUR COMPUTER HAS BEEN STONED" on one
> out of every eight computer boot-ups, and is over 25 years old.

When viruses were mainly jokes...

------
jamedjo
The Xkcd would go "We thought we sanitised our input but we still lost this
year's student records. Did you really name your son Little Bobby Drop
[DOS/STONED]{16 byte malware Signature}?"

