Archive

Archive for the ‘Microsoft Security Essentials’ Category

#AVGater vulnerability does not affect Windows Defender Antivirus, MSE, or SCEP

On November 10, 2017, a vulnerability called #AVGater was disclosed affecting some antivirus products. Exploiting it requires only a non-administrator account that is permitted to restore a quarantined file.

Windows Defender Antivirus and other Microsoft antimalware products, including System Center Endpoint Protection (SCEP) and Microsoft Security Essentials (MSE), are not affected by this vulnerability.

This vulnerability can be exploited to restore files that an antivirus product has detected and quarantined. To exploit it, a malicious application, including one launched from a user-level account without administrator privileges, creates an NTFS junction so that the folder the quarantined file would be restored to points at the %System% folder. When the antivirus product restores the file, it follows the junction and attempts to write the file into the %System% folder.

This is a relatively old attack vector. By design, Microsoft antimalware products, including Windows Defender Antivirus, have never been affected by this vulnerability because they do not permit applications launched from user-level accounts to restore files from quarantine. This is part of the built-in protections against this and other known user-account permission issues.
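As an added example (not Microsoft's code), the block below shows the kind of restore-side check that defeats the junction trick described above, complementing the policy of refusing non-administrator restores altogether: before a quarantined file is written back, every path component below an allowed root is inspected with lstat, so a junction or symlink is refused rather than followed, and the fully resolved destination is checked once more after the walk. The directory layout, names and the model that restores are only permitted under a caller-specific root are assumptions. Windows junctions surface through st_file_attributes; the same logic covers symlinks on any platform, so the example runs anywhere.

```python
import os
import stat
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_REPARSE_POINT = 0x0400   # NTFS attribute bit; only populated on Windows


class UnsafeRestore(Exception):
    """Raised when a quarantine restore would write through a junction or symlink."""


def is_reparse_point(path: Path) -> bool:
    """True for a symlink on any OS, and for any NTFS reparse point (junctions
    included) on Windows. lstat() inspects the link itself, not its target."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # attribute exists only on Windows
    return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)


def check_restore_target(dest: Path, allowed_root: Path) -> Path:
    """Validate a restore destination. Lexically, dest must lie under allowed_root;
    physically, no path component below allowed_root may be a junction or symlink,
    and the fully resolved path must still be under the resolved allowed_root.
    Returns the resolved path or raises UnsafeRestore."""
    root_abs = Path(os.path.abspath(allowed_root))
    dest_abs = Path(os.path.abspath(dest))
    try:
        rel = dest_abs.relative_to(root_abs)
    except ValueError:
        raise UnsafeRestore(f"{dest_abs} is outside {root_abs}")
    cur = root_abs
    for part in rel.parts:                      # walk downward, one component at a time
        cur = cur / part
        if cur.is_symlink() or (cur.exists() and is_reparse_point(cur)):
            raise UnsafeRestore(f"{cur} is a junction or symlink")
    resolved = Path(os.path.realpath(dest_abs))  # second opinion after the walk
    try:
        resolved.relative_to(Path(os.path.realpath(root_abs)))
    except ValueError:
        raise UnsafeRestore(f"{resolved} escapes {root_abs}")
    return resolved


def restore_quarantined(quarantine_file: Path, original_path: Path, allowed_root: Path) -> Path:
    """Write a quarantined file back to its original location, guarded by the check above."""
    target = check_restore_target(original_path, allowed_root)
    target.write_bytes(Path(quarantine_file).read_bytes())
    return target


def demo() -> dict:
    """Constructed scenario in a temp dir: a protected 'system32' folder, a user
    profile, and an attacker who swaps a profile subfolder for a link to system32
    (the AVGater trick) before asking for a restore."""
    base = Path(tempfile.mkdtemp())
    system_dir = base / "system32"
    system_dir.mkdir()
    profile = base / "users" / "alice"
    (profile / "Downloads").mkdir(parents=True)
    quarantined = base / "quarantine" / "q1.bin"
    quarantined.parent.mkdir()
    quarantined.write_bytes(b"MZ\x90\x00 constructed stand-in for a quarantined binary")

    # Honest restore: the original folder is a plain directory under the profile.
    restored = restore_quarantined(quarantined, profile / "Downloads" / "tool.exe", profile)

    # Attack: 'Temp' is replaced by a link to system32, so a naive restore would
    # drop the file into the system folder. The guard must refuse.
    (profile / "Temp").symlink_to(system_dir, target_is_directory=True)
    try:
        restore_quarantined(quarantined, profile / "Temp" / "evil.dll", profile)
        blocked = False
    except UnsafeRestore:
        blocked = True
    return {
        "honest_restored": restored.is_file(),
        "attack_blocked": blocked,
        "system_untouched": not (system_dir / "evil.dll").exists(),
    }
```

The walk matters more than the final realpath check: a product that only compares the resolved path against an allowlist after the fact is still racing the attacker, whereas refusing any reparse point on the way down leaves nothing to race.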

Read more about Windows Defender Antivirus and the rest of our Windows Defender protection products at the following links:

 

*Edited 11/17/2017 to include other Microsoft antimalware products

 



 

Digging deep for PLATINUM

There is no shortage of headlines about cybercriminals launching large-scale attacks against organizations. For us, the activity groups that pose the most danger are the ones who selectively target organizations and desire to stay undetected, protect their investment, and maximize their ROI. That’s what motivated us – the Windows Defender Advanced Threat Hunting team, known as hunters – when we recently discovered a novel technique being used by one such activity group.

We have code named this group PLATINUM, following our internal practice of assigning rogue actors chemical element names. Based on our investigations, we know PLATINUM has been active since 2009 and primarily targets governmental organizations, defense institutes, intelligence agencies, and telecommunication providers in South and Southeast Asia. The group has gone to great lengths to develop covert techniques that allow them to conduct cyber-espionage campaigns for years without being detected.

Uncovering these kinds of techniques is true detective work, and finding them in the wild is a challenge, but with the wealth of anonymized information we can utilize from over 1 billion Windows devices, a broad spectrum of services, Microsoft’s intelligent security graph as well as advanced analytics and machine algorithms to surface suspicious behaviors, Microsoft is in the best position to do so.

Digging up the nugget

Through our advanced and persistent hunting, we discovered PLATINUM is using hotpatching as a technique to attempt to cloak a backdoor they use. Using hotpatching in the malicious context has been theorized [1], [2], but has not been observed in the wild before. Finding such techniques is a focus of the Microsoft APT hunter team, and we want to provide some brief insights on how the team dug up this PLATINUM “nugget”.

In the first part of this methodology, a hunter carves out some rough data sets from existing information and data that can be further analyzed. This could be based on rough heuristics, such as looking for files with high entropy, that were first observed recently, and that are confined to a geographic region that fits the profile of the activity group being investigated.

Carving the data still yields large data sets that can’t be manually analyzed, and advanced threat analytics can help in sorting through the data for meaningful information in the second step. Graph inferences through the Microsoft intelligent security graph can bubble pieces of information to the top of the queue for a hunter to choose from. In the PLATINUM investigation, we identified 31 files.

Lastly, the hunter works directly with the resulting set. During this stage of the PLATINUM investigation, a hunter found a file with an unusual string (“.hotp1”). The hunter’s experience and intuition drove him to dig deeper. In this case, that further investigation led us to the malicious use of hotpatching by this activity group and the “nugget” was uncovered.
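As an added illustration of the carving step (not the hunting team's own tooling), the block below scores constructed telemetry records on the three rough heuristics the post names: byte entropy, first-seen date and geographic confinement. The thresholds, the country codes and the records themselves are assumptions chosen to exercise each filter.

```python
import math
from collections import Counter
from datetime import date, timedelta


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for
    uniformly distributed bytes. Packed or encrypted payloads sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def carve(records, *, today, min_entropy=7.0, max_age_days=30, regions=frozenset()):
    """Keep only records that satisfy all three rough heuristics: high entropy,
    first seen within max_age_days, and observed only inside `regions`.
    A record is a dict with keys id, content (bytes), first_seen (date) and
    countries (set of ISO country codes where the file was seen)."""
    cutoff = today - timedelta(days=max_age_days)
    kept = []
    for rec in records:
        if shannon_entropy(rec["content"]) < min_entropy:
            continue                       # plain code or text, probably not packed
        if rec["first_seen"] < cutoff:
            continue                       # old enough that it should already be classified
        if not rec["countries"] or not rec["countries"] <= regions:
            continue                       # prevalence outside the actor's target geography
        kept.append(rec)
    return kept


# Constructed telemetry records, not real samples. bytes(range(256)) repeated
# gives a perfectly flat byte histogram (entropy 8.0), mimicking packed data.
PACKED = bytes(range(256)) * 4
PLAIN = b"MZ" + b"\x00" * 1022
TODAY = date(2016, 2, 1)
TARGET_REGIONS = frozenset({"MY", "ID", "TH", "IN", "SG"})   # assumed profile
SAMPLE_RECORDS = [
    {"id": "sample-1", "content": PACKED, "first_seen": date(2016, 1, 28), "countries": {"MY"}},
    {"id": "sample-2", "content": PLAIN,  "first_seen": date(2016, 1, 28), "countries": {"MY"}},
    {"id": "sample-3", "content": PACKED, "first_seen": date(2015, 6, 1),  "countries": {"MY"}},
    {"id": "sample-4", "content": PACKED, "first_seen": date(2016, 1, 30), "countries": {"MY", "DE", "US"}},
]


def demo():
    """Ids of the records that survive carving; only sample-1 passes all three filters."""
    return [r["id"] for r in carve(SAMPLE_RECORDS, today=TODAY, regions=TARGET_REGIONS)]
```

The output of this step is still too large to read by hand on real telemetry; its job is to shrink the set enough that graph inference and then a human can take over.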

Deconstructing the attack

So what is hotpatching? Hotpatching is a previously supported OS feature for installing updates without having to reboot or restart a process. It requires administrator-level permissions, and at a high level, a hotpatcher can transparently apply patches to executables and DLLs in actively running processes.

Using hotpatching in a malicious context helps avoid detection, because many antimalware solutions monitor non-system processes for the usual injection methods, such as CreateRemoteThread. Hotpatching originally shipped with Windows Server 2003, where it was used to deliver 10 patches. Windows 10, our most secure operating system ever, is not susceptible to this and many other techniques and attack vectors.

What this means in practical terms is that PLATINUM was able to abuse this feature to hide their backdoor from the behavioral sensors of many host security products. We first observed a sample employing the hotpatching technique on a machine in Malaysia. This allowed PLATINUM to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.

Thwarting the bad guys

The Microsoft APT hunter team actively tracks activity groups like PLATINUM. We proactively identify these groups and the techniques they use and work to address vulnerabilities and implement security mitigations. The team builds detections and threat intelligence that are utilized by many of our products and services. Beta users of Windows Defender ATP can take advantage of this additional layer of protection and intelligence for a broad set of activity groups.

We’ve included a more technical exploration of  our research and detection of the hotpatching technique in the remainder of this blog.

You can also see a closer look at the PLATINUM activity group in our report PLATINUM: Targeted attacks in South and Southeast Asia. Windows Defender Advanced Threat Protection beta and preview users can also find the report, along with other APT activity group reports, in the Windows Defender ATP portal.

We continue to dig for PLATINUM.

The Windows Defender Advanced Threat Hunting Team

Hotpatching – a case study

We first observed the sample (Sample1) that is capable of utilizing hotpatching on a machine in Malaysia (which matches the general target profile of PLATINUM) on January 28, 2016. The portable executable (PE) timestamp, which can be arbitrarily set by the adversary, dates back to August 9, 2015, while the unpacked version contains a PE timestamp for November 26, 2015.

It is a DLL that runs as a service and serves as an injector component of a backdoor. Interestingly, this sample not only supported the hotpatching technique described in this post, but was able to apply more common code-injection techniques, including the following, into common Windows processes (primarily targeting winlogon.exe, lsass.exe and svchost.exe):

  • CreateRemoteThread
  • NtQueueApcThread to run an APC in a thread in the target process
  • RtlCreateUserThread
  • NtCreateThreadEx

Hotpatching technique

For hotpatching, the sample goes through the following steps:

  1. It applies a properly formed hotpatch to the loader so that the sections the loader maps are given execute page permissions. This step is required because the injected DLLs are loaded from memory rather than from disk (in an attempt to further conceal the malicious code).
  2. The backdoor is injected into svchost using the hotpatch API.

Patching the loader is done by creating a section named “\KnownDlls\mstbl.dll”. This DLL does not reside on disk, but is instead treated as a cached DLL by the session manager.

It then writes a PE file into that section. The PE file has a single section (“.hotp1”) carrying the hotpatch header structure. This structure contains everything needed to patch the loader function ntdll!LdrpMapViewOfSection so that the loader maps created sections as PAGE_EXECUTE_READWRITE instead of PAGE_READWRITE. The patch is applied by invoking NtSetSystemInformation.

Figure 1: The malware builds the information describing the first patch

 

Figure 2: The highlighted “push 4” is patched to “push 0x40”, meaning that the parameter for the following API call NtMapViewOfSection is changed from PAGE_READWRITE to PAGE_EXECUTE_READWRITE.

Now that the memory-permission obstacle has been removed, the injector can inject the malicious DLL into svchost. Again, it creates a (now executable) section named “\KnownDlls\fgrps.dll” and invokes NtSetSystemInformation, causing the final payload to be loaded and executed within the target process (svchost).

Trying to hide the payload using hotpatching also falls in line with the last functional insights we have on the sample. It seems to have an expiry date of January 15, 2017 – at that point in time, the DLL will no longer perform the injection, but rather execute another PLATINUM implant:

C:\program files\Windows Journal\Templates\Cpl\jnwmon.exe -ua

This implant may be related to an uninstall routine. Note that we observed the sample last on the machine on September 3, 2015, which may indicate PLATINUM pulled the trigger earlier.

 


 

[1] http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Sotirov.pdf

[2] https://www.yumpu.com/en/document/view/14255220/alexsyscan13


Microsoft Malware Protection Center assists in disrupting Ramnit

February 25th, 2015

The recent disruption of the Ramnit malware family was successful due to a multinational collaboration, led by Europol’s European Cybercrime Centre (EC3), in partnership with the Financial Services Information Sharing and Analysis Center (FS-ISAC), Symantec, AnubisNetworks, Microsoft’s Digital Crimes Unit (DCU), and the Microsoft Malware Protection Center (MMPC).

The MMPC has been closely monitoring Ramnit since its discovery in April 2010, as you can see by reading: Ramnit – The renewed bot in town and Little Red Ramnit: My, what big eyes you have, Grandma!

Ramnit tampers with antivirus software and disables Windows Update, preventing computers from receiving critical security updates and antivirus signature updates. We recommend using Microsoft Safety Scanner to scan for and remove the threat. Additional technical details on what Ramnit can do, and how to clean it up, are available from the Malware Protection Center and its help page respectively.

During the past six months, Microsoft detected approximately 500,000 instances of computers infected with Ramnit.

Figure 1: Ramnit infection trend from the past six months

 

Ramnit is a module-based malware which concentrates on stealing credential information from banking websites.

Ramnit is configured to hide itself, disable security defences, and establish a connection with the Ramnit command and control server (C&C).

Ramnit generates 300 domains through a Domain Generation Algorithm (DGA) driven by a pseudo-random generator seeded with a value hard-coded in the binary. It then tries to contact each domain over a custom protocol on port 443. Ramnit expects the C&C server’s reply to be signed with a 1024-bit RSA key, and the communication itself is RC4-encrypted.

See the Python implementation of DGA below:

Figure 2: Sample Python code
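The Python DGA in Figure 2 is an image in the original post and is not reproduced here. The block below is an added illustration of the shape the post describes (a generator driven by a hard-coded seed, 300 candidate domains per run) and of how a defender turns that into a blocklist once the seed is known. It is not Ramnit's actual algorithm: the seed, the LCG constants, the label lengths and the TLDs are invented for the example.

```python
SEED = 0x1234ABCD            # stands in for the seed hard-coded in the binary
DOMAIN_COUNT = 300           # the post states 300 domains per run
TLDS = (".com", ".net", ".org")   # assumption


def lcg(state: int) -> int:
    """32-bit linear congruential generator (Numerical Recipes constants).
    Deterministic: the same seed always yields the same domain list."""
    return (1664525 * state + 1013904223) & 0xFFFFFFFF


def generate_domains(seed: int = SEED, count: int = DOMAIN_COUNT) -> list:
    """Derive `count` candidate C&C domains from `seed`: an 8..15 letter label
    followed by one of the TLDs, every choice drawn from the LCG stream."""
    state = seed
    domains = []
    for _ in range(count):
        state = lcg(state)
        length = 8 + state % 8
        label = []
        for _ in range(length):
            state = lcg(state)
            label.append(chr(ord("a") + (state >> 16) % 26))   # use high bits; low bits cycle
        state = lcg(state)
        domains.append("".join(label) + TLDS[(state >> 16) % len(TLDS)])
    return domains


def dga_blocklist(seed: int = SEED) -> set:
    """What a defender who has recovered the seed precomputes: the full set of
    domains the bot will try, ready for DNS blocking or sinkholing."""
    return set(generate_domains(seed))


def is_dga_hit(domain: str, blocklist: set) -> bool:
    """Match a queried name against the precomputed set (case- and trailing-dot-insensitive)."""
    return domain.lower().rstrip(".") in blocklist
```

Because the list depends only on the seed, anyone holding the binary can enumerate every rendezvous point in advance; that is what makes a coordinated takedown possible, and it is why real DGAs usually mix in a time-varying input that this illustration deliberately leaves out.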

 

Ramnit's design is modular: the C&C server can push dynamic modules that add functionality to the threat. These modules plug into the malware framework on the user's computer and can operate entirely in memory, without touching disk.

To accomplish this, when an infected computer first contacts a C&C server, it can download one or more malware modules which give it new capabilities. For example, one module is designed to steal sensitive files from the user's computer, while a different module is designed to steal user credentials when the user logs into the website of a targeted financial institution, etc.

We have observed that Ramnit uses the following modules:

  • Hook-Spy Module:

This core module does a sophisticated form of fraud referred to as a "web-injection" attack to capture the user's banking credentials. To achieve this goal, this module first downloads a configuration file which contains a list of websites to monitor. A majority of the websites we saw were banks. With this list, Ramnit continues to monitor websites on the list.

When Ramnit sees the user attempting to connect to one of the websites on the list, it silently captures the credential information and uploads it to the C&C server.

Configuration can also specify additional information to be collected from the user. User interface elements needed to collect this information are dynamically inserted into the web page that the user is visiting.

For the user, it appears as though the target website itself is requesting new information. For example, Figure 3 shows the effect of a Ramnit web-injection. The image on the left shows how the webpage would be presented to a user on an uninfected computer. The image on the right shows how the webpage would be presented to a user on a Ramnit-infected computer. 

The effect of Ramnit web-injection

Figure 3: What a web page looks like before and after a Ramnit infection

We observed two different control servers:

    • C&C1 – the server reached through the DGA; it controls which modules are downloaded and provides the command and VNC interface to the bot controller.
    • C&C2 – specified in the configuration file; it serves the web-injection content used to steal additional credential information.

By having two separate C&C servers, the threat gains the following advantages from its architecture:

    1. Dynamic content injected into webpages can change more rapidly and be tailored to the victim according to the country the victim is in and the websites visited.
    2. It also camouflages C&C2 from researchers: the server is not referenced in the malware binary, so reverse engineering the binary does not reveal it. Identifying C&C2 requires decrypting the configuration file sent by C&C1, which is RC4-encrypted with a machine-specific key, making recovery harder still.
    3. Website content may change frequently, and each change would otherwise require retrieving a new configuration file. The second server lets the bot controller host part of the injection code remotely and update it independently.
    4. It allows credential information to be stored and managed separately. Figure 4 shows how the Ramnit C&C servers are organized.
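As an added example (not code from the post or from Ramnit), the block below shows what point 2 means in practice for an analyst: the C&C2 address only falls out of the configuration once it is decrypted with the key derived on the infected machine, so the per-machine value has to be collected from the same host as the captured blob. The RC4 implementation is the textbook cipher; the key derivation (MD5 of a machine identifier), the configuration format and the hostname are assumptions, since the post only states that the key is machine-specific.

```python
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream generation). Symmetric: the same
    call encrypts and decrypts. Used here because the post names it, not because
    it is a cipher anyone should pick today."""
    S = list(range(256))
    j = 0
    for i in range(256):                                   # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                      # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def machine_key(machine_id: str) -> bytes:
    """Assumed key derivation: a digest of a per-machine identifier such as a
    volume serial. Ramnit's real derivation is not described in the post."""
    return hashlib.md5(machine_id.encode("utf-8")).digest()


# Constructed configuration in an invented key=value format; the hostnames are
# reserved example names, not real infrastructure.
CONFIG_PLAINTEXT = (
    b"inject_server=cc2.example.invalid\n"
    b"targets=bank-a.example;bank-b.example\n"
)


def make_encrypted_config(machine_id: str) -> bytes:
    """What C&C1 would hand to a bot on the machine identified by machine_id."""
    return rc4(machine_key(machine_id), CONFIG_PLAINTEXT)


def extract_cc2(blob: bytes, machine_id: str):
    """Decrypt a captured configuration with the key of the host it was
    captured on and pull out the web-injection server. Returns None when the
    decryption does not yield a recognizable config (wrong machine, wrong key)."""
    plain = rc4(machine_key(machine_id), blob)
    for line in plain.split(b"\n"):
        if line.startswith(b"inject_server="):
            return line.split(b"=", 1)[1].decode("ascii", "replace")
    return None
```

The practical consequence for forensics is that a configuration blob captured from network traffic is useless on its own; the disk image or live-response data from the same host has to supply whatever machine-specific value feeds the key.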

The way Ramnit C&C servers are organized

Figure 4: A high-level flow of how Ramnit C&C servers operate

  • Anti-AV Module

There is a significant Anti-AV function that is part of the Ramnit installer. When Ramnit is installed, it disables the following Windows components:

  • Windows Firewall
  • Windows Update
  • Windows Defender
  • Windows User Account Control

When the C&C connection was established, the C&C server sent a blacklist of more than 300 types of antivirus applications. See the detailed list in this blog: Ramnit – The renewed bot in town.

This dynamic module sent from the server was first observed in 2013 with the name "Antivirus Trusted Module v1.0.” See the technical details in this blog: Ramnit – The renewed bot in town

In recent months, this blacklist shrank to the core executables of Microsoft antimalware products.

  • FTP Grabber

The FTP Grabber enables Ramnit to steal credentials from FTP client applications. One of Ramnit's propagation techniques is to use those credentials to implant files reachable through them with either Ramnit itself or other malware, so that a user who downloads one of those files is infected with Ramnit. See Win32/Ramnit for the detailed list of FTP applications targeted by Ramnit.

  • Cookie Grabber

The Cookie Grabber enables Ramnit to steal browser cookie information or to forge cookies. A cookie is a piece of information sent by the web server during a web session. In the case of a banking session, the cookie might contain user credential identification information. Ramnit steals that cookie information for later use in defrauding the user.

The module also reports the list of websites the user has visited, so that the C&C server can send a tailored spy configuration. See Win32/Ramnit for the detailed list of browsers targeted by Ramnit.

  • VNC Module

The VNC module enables the Ramnit botnet controller to directly access and control the user's computer through a virtual network computing (VNC) connection. In other words, it allows the herder to access and completely control the user's computer. Machines with a properly configured firewall, or that sit behind network address translation (NAT), won't be affected.

  • Drive Scan Module

The Drive Scan module lets Ramnit gather credential information beyond what the Hook-Spy module captures. To do this, it scans the computer for files whose names contain specific keywords typically associated with banking credentials; Figure 5 lists the keywords it looks for. When Ramnit locates a file name containing one of these keywords, it uploads the file to the C&C server.

The Ramnit botnet controller then collects that file and reviews it for information to more effectively target the computer user.

Figure 5: The list of keywords that Ramnit looks for

In summary, Ramnit has a hot pluggable modular framework design that gives it plenty of flexibility to extend new functionality on demand.

As always, we urge Windows users to be vigilant against malware:

  • Exercise caution when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.
  • Run antivirus software regularly.

If you're using Windows 8 or later versions, Windows Defender is built-in. If you're running an older operating system, you can install Microsoft Security Essentials.

As a reminder to organizations invested in security, MMPC has a Coordinated Malware Eradication Program. If your organization is interested in joining or initiating an eradication campaign or participate in the CME program, please see the CME program page. You can also reach out to us at cme-invite@microsoft.com for more information. 

 

Tanmay Ganacharya, Karthik Selvaraj, and Tim Liu

MMPC

 

Microsoft Malware Protection Center assists in disrupting Ramnit

February 25th, 2015 No comments

Recent disruption of the Ramnit malware family was successful due to a multinational collaboration, led by Europol’s European Cybercrime Center (EC3), in partnership with Financial Services and Information Sharing & Analysis Center (FS-ISAC), Symantec, AnubisNetworks, Microsoft’s Digital Crimes Unit (DCU), and the Microsoft Malware Protection Center (MMPC).

The MMPC has been closely monitoring Ramnit since its discovery in April 2010, as you can see by reading: Ramnit – The renewed bot in town and Little Red Ramnit: My, what big eyes you have, Grandma!

The Ramnit threat tampers with antivirus software and disables Windows Update to prevent computers from getting critical security updates through Windows Update and antivirus software. We recommend using Microsoft Safety Scanner to scan and clean the threat. Additional technical details about what Ramnit can do, and how to clean it up, can be found by visiting the Malware Protection Center and help-page respectively.

During the past six months, Microsoft detected approximately 500,000 instances of computers infected with Ramnit.

Infected machines in the last six months

 Figure 1: Ramnit infection trend from the past six months

 

Ramnit is a module-based malware which concentrates on stealing credential information from banking websites.

Ramnit is configured to hide itself, disable security defences, and establish a connection with the Ramnit command and control server (C&C).

Ramnit generates 300 domains through a Domain Generation Algorithm (DGA), which is a function of rand and a hard-coded seed in the threat. Then, it tries to communicate to each through a custom protocol using port 443. Ramnit expects a reply from the C&C server that is signed using a RSA 1024-bit key, and uses RC4 encryption for the communication.

C&C server that is signed using a RSA 1024-bit key, and uses RC4 encryption for the communication.

See the Python implementation of DGA below:

Python implementation of DGA

  Figure 2: Sample Python code

 

Ramnit's design is modular to accommodate dynamic modules from the C&C server that can add additional functionality to the threat. This allows different malware modules that are pushed from the C&C server to plug into the malware framework on the user's computer and allows it to operate diskless (off of RAM).

To accomplish this, when an infected computer first contacts a C&C server, it can download one or more malware modules which give it new capabilities. For example, one module is designed to steal sensitive files from the user's computer, while a different module is designed to steal user credentials when the user logs into the website of a targeted financial institution, etc.

We have observed that Ramnit uses the following modules:

  • Hook-Spy Module:

This core module does a sophisticated form of fraud referred to as a "web-injection" attack to capture the user's banking credentials. To achieve this goal, this module first downloads a configuration file which contains a list of websites to monitor. A majority of the websites we saw were banks. With this list, Ramnit continues to monitor websites on the list.

When Ramnit sees the user attempting to connect to one of the websites on the list, it silently captures the credential information and uploads it to the C&C server.

Configuration can also specify additional information to be collected from the user. User interface elements needed to collect this information are dynamically inserted into the web page that the user is visiting.

For the user, it appears as though the target website itself is requesting new information. For example, Figure 3 shows the effect of a Ramnit web-injection. The image on the left shows how the webpage would be presented to a user on an uninfected computer. The image on the right shows how the webpage would be presented to a user on a Ramnit-infected computer. 

Figure 3: What a web page looks like before and after a Ramnit infection (image not reproduced here)

We observed two different control servers:

    • C&C1 – the server reached through the DGA. It controls which modules are downloaded and provides the command and VNC interface to the bot controller.
    • C&C2 – the server named in the configuration file. It serves the web-injection content responsible for stealing extra credential information.

By using two separate C&C servers, the threat gains the following advantages from its architecture:

    1. Dynamic content injected into webpages can change more rapidly and be tailored to the victim according to the country the victim is located in and the websites visited.
    2. It also camouflages C&C2 from researchers. Because that server is not referenced in the malware binary, reverse engineering the binary will not reveal it; identifying it requires decrypting the configuration file sent by C&C1. That file is RC4-encrypted with a machine-specific key, which further increases the difficulty of recovering the server.
    3. Website content may change frequently, and each change would otherwise require a new configuration file. With the second server, the bot controller can keep part of the injection code on a remote server and update it there.
    4. Credential information can be stored and managed separately. Figure 4 shows how the Ramnit C&C servers are organized.

Figure 4: A high-level flow of how Ramnit C&C servers operate (image not reproduced here)
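To make the second advantage above concrete, here is an added example (not Ramnit's code) of why the C&C2 address survives reverse engineering of the binary: the configuration that names it arrives from C&C1 encrypted with RC4 under a per-machine key, so an analyst needs both the captured blob and the victim's key material to read it. The key derivation (MD5 of a machine identifier), the JSON layout of the configuration, its field names and the domain names are assumptions made for this example; RC4 appears only because the post says Ramnit uses it, not as a recommendation.

```python
"""RC4-protected configuration keyed per machine (added example; layout and key derivation are assumed)."""
import hashlib
import json
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA followed by PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def machine_key(machine_id: str) -> bytes:
    """ASSUMPTION: the per-machine RC4 key is derived from a machine identifier."""
    return hashlib.md5(machine_id.encode("utf-8")).digest()


# Constructed configuration of the kind C&C1 would push: sites to monitor and the
# second server that serves the injected content. Field names are assumptions.
SAMPLE_CONFIG = {
    "monitor": ["login.bank-one.example", "online.bank-two.example"],
    "inject_server": "c2-two.example",
}


def encrypt_config(machine_id: str, config: dict) -> bytes:
    """What C&C1 would send over the wire to one specific victim."""
    return rc4(machine_key(machine_id), json.dumps(config).encode("utf-8"))


def extract_inject_server(blob: bytes, machine_id: str) -> Optional[str]:
    """Analyst side: recover the C&C2 host. Only the right machine key yields a parseable config."""
    try:
        config = json.loads(rc4(machine_key(machine_id), blob).decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    if not isinstance(config, dict):
        return None
    return config.get("inject_server")


if __name__ == "__main__":
    blob = encrypt_config("VICTIM-PC-01", SAMPLE_CONFIG)
    print("right key ->", extract_inject_server(blob, "VICTIM-PC-01"))
    print("wrong key ->", extract_inject_server(blob, "ANALYST-VM"))
```

The practical lesson is that a configuration blob captured on the wire or from disk is useless without the identifier the key is derived from, so an analyst working from a victim image should collect that identifier alongside the sample.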

  • Anti-AV Module

There is a significant Anti-AV function that is part of the Ramnit installer. When Ramnit is installed, it disables the following Windows components:

  • Windows Firewall
  • Windows Update
  • Windows Defender
  • Windows User Account Control

Once the C&C connection is established, the C&C server sends a blacklist of more than 300 antivirus applications. See the detailed list in this blog: Ramnit – The renewed bot in town.

This dynamic module sent from the server was first observed in 2013 under the name "Antivirus Trusted Module v1.0". See the technical details in the same blog post.

In recent months, this blacklist has shrunk to the core executables of Microsoft's antimalware products.

  • FTP Grabber

The FTP Grabber enables Ramnit to steal credentials from FTP applications. One of Ramnit's propagation techniques is to use the stolen credentials to implant files on those FTP servers with either Ramnit itself or other malware, so that a user who downloads one of those files is infected with Ramnit. See Win32/Ramnit for the detailed list of FTP applications targeted by Ramnit.

  • Cookie Grabber

The Cookie Grabber enables Ramnit to steal browser cookie information or to forge cookies. A cookie is a piece of information sent by the web server during a web session. In the case of a banking session, the cookie might contain user credential identification information. Ramnit steals that cookie information for later use in defrauding the user.

The stolen cookies also reveal which websites the user has visited, so the C&C server can send a tailored spy configuration. See Win32/Ramnit for the detailed list of browsers targeted by Ramnit.

  • VNC Module

The VNC module enables the Ramnit botnet controller to directly access and control the user's computer through a virtual network computing (VNC) connection. In other words, it gives the herder complete control of the user's computer. Machines with a properly configured firewall, or that sit behind network address translation (NAT), are not affected.

  • Drive Scan Module

The Drive Scan module enables Ramnit to gather credential information beyond what the Hook-Spy module collects. To do this, the module scans the computer for interesting files whose names contain specific keywords typically associated with banking credentials. Figure 5 shows the list of keywords this module looks for as it identifies files to steal. If the Ramnit instance running on a user's computer finds file names containing these keywords, it uploads the files to the C&C server.

The Ramnit botnet controller then collects that file and reviews it for information to more effectively target the computer user.

Figure 5: The list of keywords that Ramnit looks for (image not reproduced here)

In summary, Ramnit has a hot pluggable modular framework design that gives it plenty of flexibility to extend new functionality on demand.

As always, we urge Windows users to be vigilant against malware:

  • Exercise caution when opening emails or social media messages from unknown senders.
  • Be wary of downloading software from websites other than the program developer's.
  • Run antivirus software and scan regularly.

If you're using Windows 8 or later versions, Windows Defender is built-in. If you're running an older operating system, you can install Microsoft Security Essentials.

As a reminder to organizations invested in security, MMPC has a Coordinated Malware Eradication Program. If your organization is interested in joining or initiating an eradication campaign, or in participating in the CME program, please see the CME program page. You can also reach out to us at cme-invite@microsoft.com for more information.

 

Tanmay Ganacharya, Karthik Selvaraj, and Tim Liu

MMPC

 

MAPS in the cloud: How can it help your enterprise?

January 21st, 2015 No comments

Malware can easily send a huge enterprise infrastructure into a tailspin. However, you can get greater protection from malware by using services in the cloud.  

Yes, there’s an opportunity to get real-time results from suspicious malware triggers, where your system can:

  1. Consult the cloud upon detecting suspicious malware behaviors.
  2. Respond by blocking malware based on logic derived from ecosystem-wide data and from local signals on the client.

How? Through the Microsoft Active Protection Service (MAPS). 

What is MAPS?

The Microsoft Active Protection Service is the cloud service that enables:

  • Clients to report key telemetry events and suspicious malware queries to the cloud
  • Cloud to provide real-time blocking responses back to the client

The MAPS service is available for all Microsoft's antivirus products and services, including:

  • Microsoft Forefront Endpoint Protection
  • Microsoft Security Essentials
  • System Center Endpoint Protection
  • Windows Defender on Windows 8 and later versions

What can MAPS do for your enterprise software security?

Enabling MAPS in your system gives you:

  • Greater malware protection through cloud-delivered malware-blocking decisions

Enable MAPS to trigger cloud calls for suspicious events. Doing so helps ensure that the machine uses the latest malware information available from the Microsoft Malware Protection Center (MMPC) research team, back-end big data, and machine learning logic.

  • Aggregated protection telemetry

Leverage the latest ecosystem-wide detection techniques offered through the cloud. Microsoft aggregates protection telemetry from over one billion clients and cross-references it with numerous other signals.

MMPC threat intelligence leverages algorithms to construct and manage a view of threats in the ecosystem. When the endpoint product encounters suspicious activities, it can consult the cloud for real-time analysis before acting on it.

The vast data and computing resources available in the cloud allows the fast detection of polymorphic and emerging threats and the application of advanced protection techniques.

At a high level, here's what the MAPS protection looks like:

How the MAPS cloud protection and telemetry works from the endpoint and back

Figure 1: How the cloud protection and telemetry works from the endpoint and back.

Client machines selectively send telemetry in real time (for detection) or periodically (for health checks) to the Microsoft Malware Protection Center’s (MMPC) cloud service. That telemetry includes:

  • Threat telemetry –  to identify the threats, threat-related resources, and remediation results
  • Suspicious behavior – to collect samples, determine what to monitor and remediate
  • Heartbeat – to check the system's pulse to know if the antivirus application is still running, and if it has the updated version

The MMPC cloud service responds to client telemetry with: 

  • Cloud actions – which include context and a set of instructions from the cloud on how to handle a potential threat (for example, block it).
  • Cloud false positive mitigation response – to suppress false positive malware detections

The data gathered is treated with confidentiality. See the Microsoft System Center 2012 Endpoint Protection Privacy Statement for details. To help protect your privacy, reports are sent to Microsoft over an encrypted connection. Relevant data is analyzed

 

What the data shows

Figure 2: Percentage of protection MAPS can contribute over a six-month period


Taking System Center Endpoint Protection data as an example, MAPS contributed about 10% of the protection delivered to enterprise users on SCEP systems over that period.

Without it, roughly one in ten of those detections would not have been made by the client's local signatures alone.

 

Prerequisites 
Both Basic membership and Advanced membership enable cloud protection. See the Microsoft Active Protection Service (MAPS) section of the Microsoft System Center 2012 Endpoint Protection Privacy Statement for details.

By default, MAPS Basic membership is enabled in all of Microsoft’s new antimalware products. In enterprise deployments the membership level is set by your antimalware policy, so make sure it is enabled there to get cloud protection from new incoming threats.

With the Advanced membership, Microsoft receives more information about the malware and/or suspicious behavior. Such information can give your enterprise infrastructure better protection.

To get your system ready for MAPS, see the Introduction to Endpoint Protection in Configuration Manager.   

 

So, what can you do to protect your enterprise? 

Keep MAPS enabled on your system.  

Join the Microsoft Active Protection Service Community.

To check if MAPS is enabled in your Microsoft security product, select Settings and then select MAPS:

Figure 3: With the MAPS option enabled, the Microsoft anti-malware security product can take full advantage of Microsoft's cloud protection service (image not reproduced here)

 

MMPC


Can I run more than one antivirus program?

August 5th, 2014 No comments

Carole asks:

Is it OK to run Windows Defender with Norton or McAfee antivirus protection?

No. You should never run more than one antivirus program at the same time. The two programs could slow down your computer, and they might even identify each other as a virus, which could lead to file corruption or other conflicts and errors that make your antivirus protection less effective—or not effective at all.

We recommend that you use the antivirus protection that’s included in your version of Windows. Windows 8 includes antivirus and antispyware protection called Windows Defender. If you use Windows 7 or Windows Vista, you can download Microsoft Security Essentials at no cost.

For more information, see How to boost your malware defense and protect your PC.

New research shows rise in “deceptive downloads”

May 7th, 2014 No comments

According to the latest cybersecurity report from Microsoft, “deceptive downloads” were the top threat for 95 percent of the 110 countries surveyed.

What are deceptive downloads?

Deceptive downloads are legitimate downloadable programs (usually free) such as software, games, or music that cybercriminals bundle with malicious items.

For example, you might receive a file in email or through social networking, but when you try to open it you see a message that says you don’t have the right software to open it. You do a search online and come across a free software download that claims it can help you open the file. You download that software, but you unknowingly might also be downloading malicious software (also known as “malware”) with it. This malware might have the ability to access personal information on your computer or use your computer for cybercrime.

It could be months or even years before you notice your system has malware.

How can I avoid deceptive downloads?

What should I do if I think I’ve been a victim of a deceptive download?

Do a scan with your antivirus software. If your computer is running Windows 8 or Windows 8.1, you can use the built-in Windows Defender to check for and to help you get rid of a virus or other malware.

If your computer is running Windows 7 or Windows Vista, do the following:

What is the Security Intelligence Report?

The Microsoft Security Intelligence Report (SIR) covers research on computer security, including software vulnerabilities, exploits, and malicious and potentially unwanted software. Volume 16 of the report was released today. If you want to learn more about deceptive downloads and other key findings, please visit Microsoft.com/SIR.

How to get rid of malware that keeps coming back

March 27th, 2014 No comments

Windows Defender and Microsoft Security Essentials can get rid of most malware, but here’s what you can do if it comes back.

  1. Make sure you have automatic updating turned on. This feature ensures that you have the latest security improvements from Microsoft installed on your computer. If you’re using other antivirus software, make sure that it is up to date with the latest malware definitions.
  2. Restart your PC.
  3. Run a full scan:
    1. Open your Microsoft security software.
    2. On the Home tab, under Scan options, click Full.
    3. Click Scan now.

 A full scan can take an hour or more, depending on how many files you have on your PC.

Get more advanced troubleshooting for malware that keeps coming back.

Once your computer is clean, take these steps to help keep it clean.

How do I know if I already have antivirus software?

February 21st, 2014 No comments

If your computer is running Windows 8

If your computer is running Windows 8, you already have antivirus software. Windows 8 includes Windows Defender, which helps protect you from viruses, spyware, and other malicious software.

If Windows Defender is turned off and you don’t have another antivirus program installed (or your other antivirus program is not working), you will see a warning in the notification area on your taskbar.

If your computer is running Windows 7

Windows 7 includes spyware protection, but to protect against viruses you can download Microsoft Security Essentials for free.

To find out if you already have antivirus software:

  1. Open Action Center by clicking the Start button, clicking Control Panel, and then, under System and Security, clicking Review your computer’s status.
  2. Click the arrow button next to Security to expand the section.

If Windows can detect your antivirus software, it’s listed under Virus protection.

Windows doesn’t detect all antivirus software, and some antivirus software doesn’t report its status to Windows. If your antivirus software isn’t displayed in Action Center and you’re not sure how to find it, try any of the following:

  • Type the name of the software or the publisher in the Search box on the Start menu.
  • Look for your antivirus program’s icon in the notification area of the taskbar.

If your computer is running Windows Vista

Windows Vista does not include virus protection. To protect against viruses, you can download Microsoft Security Essentials for free.

The status of your antivirus software is typically displayed in Windows Security Center.

  1. Open Security Center by clicking the Start button, clicking Control Panel, clicking Security, and then clicking Security Center.
  2. Click Malware protection.

If Windows can detect your antivirus software, it will be listed under Virus protection.

Windows does not detect all antivirus software, and some antivirus software doesn’t report its status to Windows. If your antivirus software is not displayed in Windows Security Center and you’re not sure how to find it, try any of the following:

  • Look for the antivirus software in the list of programs on the Start menu.
  • Type the name of the software or the publisher in the Search box on the Start menu.
  • Look for the icon in the notification area of the taskbar.

If your computer is running Windows XP

Click the security icon on the taskbar, or click Start, select Control Panel, and then double-click Security Center.

On April 8, 2014, Microsoft will end support for Windows XP. This means that after April 8, there will be no new security updates available through automatic updating for computers that are still running Windows XP.

Also on this date, Microsoft will stop providing Microsoft Security Essentials for download on Windows XP. (If you already have Microsoft Security Essentials installed, you will continue to receive antimalware signature updates for a limited time, but this does not mean that your PC will be secure because Microsoft will no longer provide security updates to protect it.)

For more information, see Support is ending soon.

Get more information about upgrading to Windows 7 and Windows 8.

I don’t know what operating system my computer is running

Find out what operating system your computer is running

 

 

Do I need anything besides Windows Defender?

January 16th, 2014 No comments

A reader asks:

If I have Windows Defender, do I need to buy anything else to protect my computer?

If your computer is running the Windows 8 operating system, Windows Defender will help protect you from viruses, spyware, and other malicious software. You don’t need to buy anything else. 

If your computer is running Windows 7, Windows Vista, or Windows XP, Windows Defender removes spyware, but to protect yourself from viruses, you’ll need to download antivirus software. You can purchase it from a third party, or you can download Microsoft Security Essentials for free.

More ways to protect against viruses and other malware

Run newer software. Advanced security technologies in modern operating systems are specifically designed to make it more difficult, more complex, more expensive, and therefore, less appealing to cybercriminals to exploit vulnerabilities.

Regularly install updates for all your software. Update your antivirus and antispyware programs, browsers (like Windows Internet Explorer), operating systems (like Windows), and word processing and other programs. Learn how to turn on automatic updating.

Make sure your firewall is turned on. A firewall will also help protect against viruses and hackers. Find out if your version of Windows has a built-in firewall.

For more information, see How to remove and avoid computer viruses.

Windows Defender and Microsoft Security Essentials: Which one do I need?

November 14th, 2013 No comments

Depending on which operating system your computer is running, you can use either Windows Defender or Microsoft Security Essentials to get rid of malicious software and viruses.

If your computer is running Windows 8, you can use the built-in Windows Defender to help you get rid of viruses, spyware, or other malware. If your computer is running Windows 7, Windows Vista, or Windows XP, Windows Defender only removes spyware. To get rid of viruses and other malware, including spyware, on Windows 7, Windows Vista, and Windows XP, you can download Microsoft Security Essentials for free.

In Windows 8, Windows Defender replaces Microsoft Security Essentials

You can’t use Microsoft Security Essentials with Windows 8 or Windows RT, but you don’t need to because Windows Defender already provides built-in protection.

What is Windows Defender Offline?

Some malicious software will not allow you to access Windows Defender or other antivirus software. To help detect and remove the malware, you can start your computer by using a Windows Defender Offline CD, DVD, or USB flash drive. 

Get step-by-step instructions for removing a virus.

EMET: A valuable tool for PC protection

October 18th, 2013 No comments

If you’re a regular reader of this blog, then you’ve probably already taken steps to help protect your PC. You have antivirus software that you trust and you keep it updated automatically. You’ve activated your firewall. You regularly install security updates. You know not to respond to suspicious emails or to click links with promises that seem too good to be true.

Today we’d like to tell you about an advanced tool that complements your existing defenses, making it even more difficult for malicious hackers and cybercriminals to get into your computer. If you feel comfortable performing more advanced computer tasks, consider downloading the free Enhanced Mitigation Experience Toolkit (EMET).

EMET is a free tool available for Windows 8, Windows 7, Windows Vista, and Windows XP. EMET works by taking advantage of security technologies that already exist on your PC, but might not be used by all of your programs. EMET helps protect your computer from new or undiscovered threats until they can be addressed through formal security updates. Katie Couric, a journalist and a talk show host, recently hosted a segment called Protect Your Computers from Hackers and recommended that families install and use EMET.

Download EMET now

Once installed, EMET works quietly in the background without interrupting your computer use. Like any security tool, EMET doesn’t guarantee that you’ll never have any problems, but it does make it much harder for an attacker to succeed.

Already using EMET? Get support or join the EMET forum.

My antivirus software won’t remove malware

October 17th, 2013 No comments

Windows Defender and Microsoft Security Essentials (antivirus software from Microsoft) can detect and remove most malware. If you’re running antivirus software and you’re still having trouble removing malware, follow these steps:

  1. Make sure you have automatic updating turned on. This feature ensures that you have the latest security improvements from Microsoft installed on your computer. If you’re using other antivirus software, make sure that it is up to date with the latest malware definitions.
  2. Manually update your security software, reboot your computer, and run a full scan.
  3. Check our malware encyclopedia for known issues with the malware and any additional cleaning instructions.

For more information about how to troubleshoot this problem, see My security software detects this malware but won’t remove it.

3 ways to speed up your PC

October 15th, 2013 No comments

Here are three ways to speed up a sluggish computer.

1. Scan your computer for viruses

If your computer is slow or restarts often, it could be infected with a virus or other malicious software.

If you have Windows 8, you can use the built-in Windows Defender to help you get rid of a virus or other malware. If you have Windows 7, Windows Vista, or Windows XP, scan your computer with the Microsoft Safety Scanner. Or get help at the Virus and Security Solution Center.

For more information, see How to avoid and remove computer viruses.

2. Turn on automatic updating

One of the easiest things you can do to speed up your PC is to make sure that your operating system and software are kept up to date. Learn how to get security updates automatically.

Is your computer sluggish, or is it just your web browser? The newest version of Internet Explorer is Internet Explorer 10. It’s included with Windows 8, and you can download it for free for other versions of Windows. Learn more about security in Internet Explorer 10.

 

3. Upgrade your operating system

If you’re still using Windows XP, you could speed up your PC by upgrading to Windows 8 or Windows 7.

Support for Windows XP ends on April 8, 2014. You can get solutions to your Windows XP security issues now, but not for too much longer. If you’re still using Windows XP, you’re missing out on all kinds of security, productivity, and performance enhancements available in Windows 7 and Windows 8.

Find out what end of support for Windows XP means to you.

If your computer is still slow, you can try limiting how many programs run at start up, deleting software and files you don’t need, or following these additional tips to speed up your PC.

Get free or paid support for your malware problem

September 24th, 2013 No comments

Is your computer running slowly? Are programs starting unexpectedly? Is the activity light on your broadband or external modem constantly lit? Does it sound like your computer’s hard disk is continually working?

If you answered “yes” to any of these questions, your computer might be infected with malware.

Scan your PC for viruses

If you suspect that your computer has a virus, you can download the Microsoft Safety Scanner. The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software.

Download the Microsoft Safety Scanner

Get help from the Microsoft forums

If you’ve scanned your computer and you can’t get rid of the virus, you might be able to get free help from the Microsoft Community. Check out the Viruses and Malware forum.

Get help from a Microsoft Answer Tech for $99

If you want to pay for help, a Microsoft Answer Tech can help track down viruses, malware, and spyware.  

Chat with an Answer Tech now

Check security settings in Windows Vista

September 3rd, 2013 No comments

The newest version of Windows is Windows 8, but we know that many of you still use Windows Vista.

The best way to ensure that Windows Vista is as secure as it can be is to use the Windows Security Center, which is built into Windows Vista.

The Windows Security Center can help you check the status of several security features on your computer, including firewall settings, Windows automatic updating, anti-malware software settings, Internet security settings, and User Account Control settings.

To get to the Windows Security Center, click the Start button, click Control Panel, click Security, and then click Security Center. If Windows detects a problem (for example, if your antivirus program is out of date), Security Center displays a notification and places a Security Center icon in the notification area. Click the notification or double-click the Security Center icon to open Security Center and get information about how to fix the problem.

Download Microsoft Security Essentials

Windows 8 comes with Windows Defender to help protect your PC from viruses and other kinds of malware.

For Windows Vista, you can download Microsoft Security Essentials to help guard against viruses, spyware, and other malicious software.

Get more security information for Windows Vista

How do I keep my firewall on?

August 27th, 2013

Using a firewall is like locking the front door to your house—it helps keep intruders (in this case, hackers and malicious software) from getting in. Windows Firewall is included in Windows and is turned on by default.

If you see a warning that your firewall is turned off, it could be because:

  • You or someone else has turned off your firewall.
  • You or someone else has installed antivirus software that includes a firewall and that disables Windows Firewall.
  • The warnings that you see are fake alerts, caused by malicious software.

You do not need to turn off your firewall

There are two ways to allow an app or a program through a firewall. Both are risky, but not as risky as turning off your firewall. Learn how to allow an app through a firewall in Windows 8 or Windows 7.

Check your firewall settings in Windows 8

If you think your firewall is turned off, open Windows Firewall by swiping in from the right edge of the screen, tapping Search (or if you’re using a mouse, pointing to the upper-right corner of the screen, moving the mouse pointer down, and then clicking Search). Type firewall in the search box, tap or click Settings, and then tap or click Windows Firewall.

In the left pane, tap or click Turn Windows Firewall on or off. You might be asked for an admin password or to confirm your choice.

For more information, see Windows Firewall from start to finish.

Check your firewall settings in Windows 7 and Windows Vista

If you think your firewall is turned off, follow these steps:

  1. Open Windows Firewall by clicking the Start button, and then clicking Control Panel. In the search box, type firewall, and then click Windows Firewall.
  2. In the left pane, click Turn Windows Firewall on or off. If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.
  3. Below each network location type, click Turn on Windows Firewall, and then click OK. We recommend that you turn on the firewall for all network location types.

You don’t need antivirus software that includes a firewall

Because Windows comes with a firewall, you don’t need to install an additional one. You don’t need to buy or download antivirus software that includes a firewall.

Windows 8 also comes with built-in antivirus software that is turned on by default, so you do not need to install other antivirus software.

If your computer is running Windows 7, Windows Vista, or Windows XP, you may want to install antivirus software to help protect your computer. You can install Microsoft Security Essentials for free. If you’ve already installed other antivirus software, you will need to uninstall the other antivirus software before you install Microsoft Security Essentials.

Microsoft Security Essentials includes integration with Windows Firewall, so you can turn Windows Firewall on by using Microsoft Security Essentials.

Watch out for fake alerts

Rogue security software is malicious software that might display fake warnings telling you that your firewall is turned off, even if it isn’t. If you think your computer is infected with rogue security software, use your antivirus software or do a free scan with the Microsoft Safety Scanner. For more information, read Watch out for fake virus alerts.

Why does my AV software keep turning off?

July 25th, 2013

Bob writes:

My antivirus software keeps turning off and I can’t get it back on.

Here are the most common reasons you might encounter this problem:

Your computer is already infected with rogue security software

The warning that your antivirus software is turned off might be a fake alert, also known as “rogue security software.” This type of warning is designed to fool you into downloading malicious software or paying for antivirus software. Take our Real vs. Rogue quiz to see if you can identify the difference.

You have more than one antivirus program

Your antivirus software could turn off if you try to install another antivirus program. Running more than one antivirus program at the same time can cause conflicts and errors that make your antivirus protection less effective or not effective at all.

You might have a virus

Some viruses can disable your antivirus software or disable updates to your antivirus software. Viruses can also prevent you from going online to update or reinstall your antivirus software.

For troubleshooting help, see What to do if your antivirus software stops working.
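The firewall checks above and the "more than one antivirus program" case can both be verified without clicking through the Control Panel. The following PowerShell script is an added example, not code from the original posts: it reads the Windows Firewall state for each profile from netsh and lists the firewall and antivirus products registered with Windows Security Center. It assumes an English-language Windows Vista, 7 or 8 client (the netsh output it parses is localized) and the commonly used, but not formally documented, layout of the WMI productState value.

```powershell
# Added example: check the settings the posts describe, from PowerShell.
# Assumes English locale (netsh output is localized) and a client edition of
# Windows Vista or later, where the root\SecurityCenter2 WMI namespace exists.

# Firewall state per profile, parsed from "netsh advfirewall show allprofiles state".
function Get-FirewallProfileState {
    $output  = netsh advfirewall show allprofiles state
    $result  = @{}
    $profile = $null
    foreach ($line in $output) {
        if ($line -match '^(\w+) Profile Settings:') { $profile = $Matches[1] }
        elseif ($profile -and $line -match '^State\s+(ON|OFF)') { $result[$profile] = $Matches[1] }
    }
    return $result
}

# Products registered with Security Center. productState packs three bytes:
# 0xNN---- provider type, 0x--NN-- enabled (0x10) or disabled (0x00),
# 0x----NN signatures up to date (0x00) or out of date (0x10). This decoding is
# the widely used convention; treat it as an assumption, not a documented API.
function Get-SecurityCenterProducts {
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
        Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                $state = [int]$_.productState
                New-Object PSObject -Property @{
                    Type     = $class
                    Name     = $_.displayName
                    Enabled  = (($state -band 0x1000) -ne 0)
                    UpToDate = (($state -band 0x10) -eq 0)
                }
            }
    }
}

$fw = Get-FirewallProfileState
$fw.GetEnumerator() | ForEach-Object { "Windows Firewall {0} profile: {1}" -f $_.Key, $_.Value }
$products = @(Get-SecurityCenterProducts)
$products | Format-Table Type, Name, Enabled, UpToDate -AutoSize

# Warn on the two conditions the posts advise against: a profile with the
# firewall off, and more than one antivirus product enabled at the same time.
$off = @($fw.GetEnumerator() | Where-Object { $_.Value -ne 'ON' } | ForEach-Object { $_.Key })
if ($off.Count -gt 0) { Write-Warning ("Windows Firewall is OFF for: " + ($off -join ', ')) }
$avOn = @($products | Where-Object { $_.Type -eq 'AntiVirusProduct' -and $_.Enabled }).Count
if ($avOn -gt 1) { Write-Warning "More than one antivirus product is enabled; conflicts are likely." }
```

A product that Security Center lists but reports as disabled, while Windows still shows a "firewall is off" or "antivirus is off" alert from an unfamiliar program, is the rogue-security-software case the posts describe: the real status comes from this data, not from the pop-up.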