By recommending that users exclude some file extensions and folders from antivirus scans, Microsoft may put users at risk, a security company said.
In a document published on its support site, Microsoft suggests that users do not scan some files and folders for malware as a way to improve performance in Windows 2000, XP, Vista, Windows 7, Server 2003, Server 2008 and Server 2008 R2. “These files are not at risk of infection. If you scan these files, serious performance problems may occur because of file locking,” Microsoft states in the document.
Among the files and folders Microsoft tells users to exclude are those associated with Windows Update and Group Policy, and files with the .edb., .sdb and .chk extensions contained within the “%windir%\security” folder.
Trend Micro took exception — not with the list itself, but with Microsoft making it public. “Although it actually makes sense to stop checking Windows Update and some Group Policy-related files if you really want to speed up the system, we are concerned by the fact that this was released publicly,” said David Sancho, a malware researcher with Trend Micro, in an entry to his firm's blog.
Sancho argued that the list could be a boon to hackers. “Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,” he said. “Cybercriminals may strategically drop or download a malicious file into one of the folders that are recommended to be excluded from scanning, or use a file extension that is also in the excluded list.”
At the least, Sancho continued, only experienced users who know the downside of such file “whitelisting” should consider excluding files and folders from security scanning. “Excluding certain file types or folders from antivirus scanning is not something novice users should tinker with,” Sancho said. “Doing so may expose the system to risks that can lead to an inconvenience far more severe than a slightly slower system.”
Andrew Storms, director of security operations at nCircle Network Security, backed Sancho on that. “I would agree with Trend that making any sort of whitelisting with your security software is not for the average user or the faint at heart,” Storms said in an interview conducted via instant message.
But Storms also downplayed the significance of Microsoft's publicly posting its exclusion recommendations. “Will the bad guys latch on to this and suddenly change their locations to hide malware? Probably not,” Storms said. “Where the malware is stored on the file system is the not the root of the conundrum with antivirus software…. It's that antivirus software is historically a post-event and blacklist kind of approach to security. It helps provide another layer of defense, but is it going to catch everything? No way.”
Trend has a history of butting heads with Microsoft. Like other third-party security vendors, it has dismissed Microsoft's moves in the antivirus market, most recently earlier this year when the Redmond, Wash. company released its for-free Security Essentials software. And in April 2008, Trend researchers disputed Microsoft's claim that the latter's Malicious Software Removal Tool (MSRT) had crushed the life out of the Storm botnet.
