Archive for January, 2013

Update: Autoruns v11.42

January 31st, 2013

Join our Twitter Party and enter to win Windows 8

January 30th, 2013

If you’re a parent or educator concerned about online safety for you and your family, join us for the Connect with Respect Twitter Party. Meet online to share ideas about creating a safer digital world, and you can enter to win a copy of Windows 8 and other prizes.

Step 1: RSVP on our Facebook page.

Step 2: Create or sign in to your Twitter account and follow @Safer_Online.

Step 3: On Tuesday, February 5, 2013 (between 11:00 a.m. and noon Pacific Time / 2:00 p.m. and 3:00 p.m. Eastern Time), sign in to your Twitter account and use the hashtag #SID2013 to participate in the Connect with Respect Twitter Party.

Step 4: Play the @Safer_Online scavenger hunt, answering all four questions (identified as Q1 through Q4).

Your answers do not have to be correct to be eligible for entry, but your tweets must:

  • Include the corresponding question number: Q1, Q2, Q3, or Q4; and
  • Include the hashtag #SID2013; and
  • Be relevant to the discussion topic; and
  • Use clean language.

All are welcome to participate in the Party. To be eligible for prizes, you must be 18 years of age or older and a legal resident of one of the 50 U.S. states or the District of Columbia. Download and read the Microsoft @Safer Online Twitter Party Sweepstakes Official Rules.

Learn more about Safer Internet Day.

Git now fully supported and integrated into Team Foundation Service

January 30th, 2013

Here is great news for open source developers: Brian Harry announced today at Microsoft’s ALM Summit that Git is now fully integrated into Visual Studio as well as the Team Foundation Service, Microsoft’s cloud-powered Application Lifecycle Management tool.

Here at Microsoft Open Technologies, Inc., we are excited to hear such news as this offers more choice and flexibility to development teams. We happen to work on a daily basis with developers on Git in the context of projects such as Node, Dash, Redis or Solr so we totally get the goodness of this news.

The Visual Studio Tools for Git work great against Git repositories locally, in Team Foundation Service, on GitHub, CodePlex, BitBucket etc. That’s all because they are using Git as the distributed source control solution and they talk to Git repositories via the open source library LibGit2. LibGit2 is a portable C library that runs on many different platforms including Linux and Mac.

Microsoft engineers in Brian’s team have been contributing to LibGit2 for a number of months now as they worked with the community to add Git support in Visual Studio – some of them earning committer rights on this popular and very active open source project. Even better, as the team started testing the integration, all the bug fixes and security fixes they found were also contributed back to the project.

Therefore not only is Brian’s announcement good news for developers in Visual Studio wanting to use Git to contribute to open source projects, it’s also great news for others building on top of the LibGit2 library on any platform.

The Visual Studio Tools for Git are provided as an extension for Visual Studio 2012 but Brian also says that they should be included in the box with all editions of Visual Studio in a future release – including the Express editions.

I can tell you MS Open Tech engineers can’t wait to take full advantage of the Visual Studio Tools for Git in their daily interaction and collaboration with the open source developers’ community.

MS12-060 – Critical : Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2720573) – Version: 2.1

Severity Rating: Critical
Revision Note: V2.1 (January 30, 2013): Clarified that customers with the KB2687323 update will be offered the KB2726929 update for Windows common controls on all affected variants of Microsoft Office 2003, Microsoft Office 2003 Web Components, and Microsoft SQL Server 2005. See the update FAQ for details.
Summary: This security update resolves a privately reported vulnerability in Windows common controls. The vulnerability could allow remote code execution if a user visits a website containing specially crafted content designed to exploit the vulnerability. In all cases, however, an attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker’s website. The malicious file could be sent as an email attachment as well, but the attacker would have to convince the user to open the attachment in order to exploit the vulnerability.

MS12-057 – Important : Vulnerability in Microsoft Office Could Allow Remote Code Execution (2731879) – Version: 2.1

Severity Rating: Important
Revision Note: V2.1 (January 30, 2013): Clarified that customers with the KB2553260 and KB2589322 updates will be offered the KB2687501 and KB2687510 updates respectively for Microsoft Office 2010 Service Pack 1. See the update FAQ for details.
Summary: This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted file or embeds a specially crafted Computer Graphics Metafile (CGM) graphics file into an Office file. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Watch out for fake Java updates

January 28th, 2013

You may have seen reports about security alerts for Java recently. Java is a commonly used piece of software from Oracle, so there’s a good chance you have it installed on your computer. Cybercriminals often use fake virus alerts to lure you into buying fraudulent antivirus software. These alerts state that your computer or other device is at risk, but clicking a link in one of them could lead you to downloading malicious software.

In the case of the fake Java updates, cybercriminals are taking advantage of news about security vulnerabilities in Java and recommendations to update Java immediately. We agree that if you use Java on your device you should update it directly from the Oracle website:  

If you don’t, then it’s a good idea to uninstall older versions of Java and disable Java in your browser like you would for any unused software.

Java is just one piece of software that cybercriminals target. It’s important to keep all the software installed on your system up to date. For Microsoft software, you can use the Microsoft Update service.

If you think you have a virus, visit the Microsoft Security Support Center for assistance.  

It’s an exciting day for me

January 28th, 2013

I’ve been involved with open source software for just shy of 15 years now. During that time I’ve seen open source software become a fundamental part of technology innovation. It is that technology innovation that has fed me and my family for many years. I like to think I’ve given back and played a small part in the growth of open source software through my code contributions and my open source strategic consultancy services. But, today I am presented with an opportunity to give back even more. From today onwards I will be joining Microsoft UK, where I’ll be serving a global role supporting the amazing team at Microsoft Open Technologies, Inc.

MS Open Tech, a wholly owned subsidiary of Microsoft, was set up to advance Microsoft’s investment in openness – including interoperability, open standards and open source. Those of you who know me through my open source work will know just what this means, but for those who don’t know me I guess a mini-bio might be in order.

I’ve held a variety of roles including software development, academic research, university lecturing and strategic consulting to both academic research community (via the OSS Watch service at the University of Oxford) and to the private sector (via OpenDirective, a small consultancy company). In all these roles open source software has been a fundamental part of my work. Through this work I’ve been able to contribute back to many projects, particularly within the Apache Software Foundation where I currently have the honour of standing on the Board of Directors.

More important than my history and my contributions, however, is what the open source experience has taught me. I can honestly say that I have learned far more from my open source engagements than I have in any other of my activities (including amazing experience such as being vice-captain of a national schoolboy sports team and not unsuccessful band manager). This new role is an opportunity to work in this new mixed IT world of devices and services; and play my part in maximizing Microsoft’s investments in openness.

This is the first of many exciting days, I am sure. I look forward to telling you about others in the near future.

Ross Gardler

Microsoft UK (Supporting Microsoft Open Technologies, Inc.)

Updates: Autoruns v11.41, Handle v3.51, Movefile v1.01, Procdump v5.13, Sigcheck v1.9

January 24th, 2013

Autoruns v11.41: This Autoruns update reports the hosting image target of link shortcut references.

Handle v3.51: This minor update to Handle, a command-line utility that dumps process handle tables, fixes a bug in its file share drive letter formatting.

Movefile v1.01: Movefile, a utility for scheduling file delete and rename operations for when the system reboots, now correctly handles 64-bit system paths.

Procdump v5.13: This update to Procdump, a command-line utility that generates on-demand and trigger-based process crash dump files, now supports triggers for when process CPU usage, memory consumption or arbitrary performance counters fall below a specified value.

Sigcheck v1.9: Sigcheck, a command-line file-version and signature verification tool, now reports certificate publisher names, capitalizes hash values, and fixes a certificate chain validation bug.

Should I use more than one antivirus program?

January 22nd, 2013

You don’t need to install more than one antivirus program. In fact, running more than one antivirus program at the same time can cause conflicts and errors that make your antivirus protection less effective or not effective at all.

Windows 7 and Windows Vista include spyware protection called Windows Defender. To help fight both viruses and spyware, you can download Microsoft Security Essentials at no cost. If you download Microsoft Security Essentials, Windows Defender will be disabled automatically. Make sure to uninstall any other antivirus software (whether you installed it or it came preinstalled) on your computer first.

Windows 8 includes antivirus and antispyware protection called Windows Defender. Windows Defender for Windows 8 replaces Microsoft Security Essentials. It runs in the background and notifies you when you need to take specific action. If you install a different antivirus program, Windows Defender will be disabled automatically. 

Note: You might see a warning that Microsoft Security Essentials has been turned off because you have other antivirus software on your computer that automatically turns off Microsoft Security Essentials. This type of warning could also be a fake virus alert that attempts to fool you into downloading malicious software. For examples of such rogue security software, see our Real vs. Rogue Facebook app.

For more information, see How to boost your malware defense and protect your PC.

A technical analysis of a new Java vulnerability (CVE-2013-0422)

January 21st, 2013

Recently, a 0-day vulnerability (CVE-2013-0422) was disclosed. Oracle reacted promptly to this 0-day vulnerability, and last weekend a new patch was made available. Here’s the advisory from Oracle. You can download the latest JRE here. As the vulnerability is specific to Java 7, if you’re using JRE 7, you should apply the patch.

From our analysis, we’ve seen that it is a package access check issue which allows an untrusted Java applet to access a restricted class in trusted code. Using a vulnerable class and method, the exploit can find and load an internal class that is used to load the attacker’s own class with elevated privilege. The payload disables the security manager, then drops and runs an executable on the user’s system.

The problem lies in the MethodHandle feature that was introduced with Java 7. This feature was added to better support dynamic languages that run on the JVM, and it gives a flexible and faster way to access classes and methods dynamically. The MethodHandle feature can be used to create a handle for a method from an arbitrary class.

Every method handle goes through a security check when it is first resolved. If you use the MethodHandle feature as intended, there is no security issue. The interesting fact is that you can create MethodHandles for classes from the MethodHandles package itself, and method handles created from some methods of the MethodHandles Lookup class (java.lang.invoke.MethodHandles.Lookup) are problematic in this respect. The Lookup class provides a way to look up the constructors and methods of the target class for which it tries to make a handle. For example, if a method handle for the findConstructor method of the Lookup class is used to resolve a constructor for an arbitrary class, the security check is not enforced correctly. This is an issue if the target class is from a trusted code area and provides a way to construct a user-defined class on the fly with an arbitrary security context.

The payload class executes a dropped executable on the user’s system. As the vulnerability is an access check logic issue rather than memory corruption, exploitation doesn’t depend on the platform or the memory layout of the user’s machine, so against vulnerable software the exploitation success rate is very high compared to memory corruption vulnerabilities.

The first exploit was seen in late December 2012, and it showed very low activity at the time. However, since the public disclosure a few days ago, the samples and telemetry have been increasing drastically, almost catching up with previous major Java vulnerabilities (CVE-2012-4681, CVE-2012-5076). One notable thing is that we’ve started seeing multi-exploit samples combining CVE-2013-0422 and CVE-2012-1723. For example, a sample (SHA1: 5865004f90607f168f698984299a1ca8efbe0e07) was found to combine both exploits in one package. The strategy of this combined exploit is that, by sending one exploit package, it can cover any vulnerable Java 6 installation (up to JRE 6u32) and any vulnerable Java 7 installation (up to JRE 7u10) at one time. As CVE-2012-1723 is only applicable to JRE 7 up to 7u4, the attackers abuse CVE-2013-0422 to cover JRE 7u5 to 7u10.

We detect this threat as Exploit:Java/CVE-2013-0422, and definition files from 1.141.3637.0 onward will thwart this threat. As we said, Java malware shows a high exploitation success rate when you don’t use an up-to-date JRE, so we strongly advise you to update your JRE immediately to be protected from this Java malware.
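The update ranges above are the practical triage question for a defender: which installed JRE builds does the combined exploit package reach? The following helper is an added example, not code from the post or from Microsoft; it encodes only the ranges stated above (CVE-2012-1723 up to JRE 6u32 and JRE 7u4, CVE-2013-0422 for Java 7 up to 7u10) and runs them over a constructed host inventory (hostnames and version strings are made up).

```python
"""Triage which JREs the combined CVE-2013-0422 / CVE-2012-1723 sample reaches.

Added example, not code from the original post. The affected update ranges
are the ones the analysis states; anything newer is treated as patched.
"""
import re
from typing import Dict, List, Tuple

# Highest affected update number per major JRE release, taken from the post:
# CVE-2012-1723 covers Java 6 up to 6u32 and Java 7 up to 7u4;
# CVE-2013-0422 is specific to Java 7 and covers up to 7u10.
AFFECTED: Dict[str, Dict[int, int]] = {
    "CVE-2012-1723": {6: 32, 7: 4},
    "CVE-2013-0422": {7: 10},
}

# Legacy "java -version" style strings: 1.<major>.0[_<update>][-<build>]
_VERSION_RE = re.compile(r"^1\.(\d+)\.0(?:_(\d+))?(?:-\S+)?$")


def parse_jre_version(version: str) -> Tuple[int, int]:
    """Parse '1.7.0_10' (or '1.7.0_10-b18') into (major, update).

    A string without an update suffix, such as '1.7.0', is update 0.
    Unrecognised strings raise ValueError so they are triaged by hand
    rather than silently reported as safe.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised JRE version string: {version!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def applicable_cves(version: str) -> List[str]:
    """Return the CVEs from the combined package that reach this JRE build."""
    major, update = parse_jre_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        last_affected = ranges.get(major)
        if last_affected is not None and update <= last_affected:
            hits.append(cve)
    return sorted(hits)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host to the CVEs its installed JRE is exposed to."""
    return {host: applicable_cves(ver) for host, ver in inventory.items()}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "ws-01": "1.6.0_32",      # Java 6u32: CVE-2012-1723 only
    "ws-02": "1.7.0_04",      # Java 7u4: both exploits reach it
    "ws-03": "1.7.0_10-b18",  # Java 7u10: CVE-2013-0422 only
    "ws-04": "1.7.0_11",      # patched Java 7 release: neither
    "ws-05": "1.6.0_33",      # Java 6 beyond 6u32: neither, per the post
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        status = ", ".join(cves) if cves else "not reached by this sample"
        print(f"{host:6} {SAMPLE_INVENTORY[host]:14} {status}")
```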

Jeong Wook (Matt) Oh

TMG SP2 Rollup 3 available

January 17th, 2013

We are happy to announce the availability of Rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (SP2). TMG SP2 Rollup 3 is available for download here: Rollup 3 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2

Please see KB Article ID: 2735208 for details of the fixes included in this rollup. The Build Number for this update is: 7.0.9193.575

To install this update, you must be running Forefront Threat Management Gateway 2010 Service Pack 2.

For more information about Forefront Threat Management Gateway 2010 SP2, please see the following Microsoft website:

Download information for Forefront TMG 2010 SP2

Thank you,

Forefront TMG Team

Key lessons learned from the latest test results

January 17th, 2013

AV-Test just published the results of their most recent antimalware vendor testing, and they didn’t grant Microsoft Security Essentials and Microsoft Forefront Endpoint Protection their “AV-Test Certified” status.

We conduct a rigorous review of the results whenever test results warrant it. We take the protection of our customers very seriously, and the investments we make to do these reviews are an example of that commitment.

Our review showed that 0.0033 percent of our Microsoft Security Essentials and Microsoft Forefront Endpoint Protection customers were impacted by malware samples not detected during the test. In addition, 94 percent of the malware samples not detected during the test didn’t impact our customers.

The antimalware world is challenging, both for antimalware companies protecting their customers and for independent testing organizations trying to determine the efficacy of antimalware products. We choose to meet that challenge by prioritizing our protection work based on prevalence and customer impact measures, as Dennis Batchelder discussed in his recent blog post on Customer-focused prioritization. It is also difficult for independent antimalware testing organizations to devise tests that are consistent with the real-world conditions that customers live in; AV-Test shared some of the difficulties and shortfalls in many of the independent industry tests in a presentation they gave at the AVAR (Association of Anti-Virus Asia Researchers) Security Conference in 2012. We agree with them: it is difficult to get the tests right.

This post reviews AV-Test’s results and their approach. In-depth details are provided below, but here are some key upfront data points to keep in mind:

  1. AV-Test reports on samples hit/missed by category. We report (and prioritize our work) based on customer impact.
  2. AV-Test’s test results indicate that our products detected 72 percent of all “0-day malware” using a sample size of 100 pieces of malware. We know from telemetry from hundreds of millions of systems around the world that 99.997 percent of our customers hit with any 0-day did not encounter the malware samples tested in this test.
  3. AV-Test’s test results indicate that our products missed 9 percent of “recent malware” using a sample size of 216,000 pieces of malware. We know from telemetry that 94 percent of these missed malware samples were never encountered by any of our customers.

Here’s how AV-Test does their scoring:

Test component | Our score | % Weight of score
Protection     | 1.5/6.0   | 33%
Repair         | 3.0/6.0   | 33%
Usability      | 5.5/6.0   | 33%

The 1.5 protection score is the score we focused on. Here’s a breakdown of what goes into that score:

Protection component | Description | Files tested | % Not detected | Our score | % Weight of score
0-day malware | Malware seen for the first time, not to be confused with a previously undisclosed vulnerability | 100 | 28% | 0/1.5 | 50%
Recent malware | Malware that appeared in the wild over the last 2-3 months | 215,999 | 9% | 0/1.5 | 25%
Prevalent malware | Widespread malware according to AV-Test data | 5,000 | 0% | 1.5/1.5 | 25%

During the test, our products didn’t detect 28 of the 0-day malware samples, and 9 percent of the recent malware samples. AV-Test uses a minimum bar in their scoring: our results for these two areas fell under that bar. The missed samples in both of these sections were where we focused our analysis, as we wanted to ensure we weren’t missing anything impactful to our customers.

When we did our review, we found that our customer-focused processes had already added signatures that protected against 4 percent of the missed samples. These files affected 0.003 percent of our customers.

For the remainder of the missed files, we used a retrospective analysis to see if any of our customers encountered these files. We were looking for files that slipped through because of gaps in our telemetry or file collection process. And we found that 2 percent of these files existed across 0.003 percent of our customers.

The other 94 percent of the samples don’t represent what our customers encounter. When we explicitly looked for these files, we could not find them on our customers’ machines.

In December 2012, we processed 20 million new potentially malicious files, and, using telemetry and customer impact to prioritize those files, added protection that blocked 4 million different malicious files on nearly 3 million computers. Those 4 million files could have been customer-impacting if we had not prioritized them appropriately.

We continually evaluate and look at ways to improve our processes. We know from feedback from customers that industry testing is valuable, and their tests do help us improve. We’re committed to reducing our 0.0033 percent margin to zero.

Joe Blackbird
Program Manager
Microsoft Malware Protection Center