C
Cyberchipz
In a nutshell here is my problem, as reported in questionnaire submitted after visiting here: If you have trouble understanding it, I had a word count limitation on the questionnaire. So, I'm also testing the clarity of my report.
Subject: MSE behavior allows for possible re-infection.
Text of report:
I had an issue where MSE (Microsoft Security Essentials) was not able to remove an old file
(SmitfraudFix.exe), which is a trojan; I was unable to delete the file because MSE had locked it. It
simply stated that the file had been removed; however it had not. I was able to confirm that the file
persisting after the scan and delete was the same file; MSE continuously Rediscovered file after each
scan.
After MSE was told to allow the file and removed the lock it placed on it, I was able to copy it or delete
it. I could not remove the allow permission given to MSE as it wasn't listed as an exclude in MSE
anywhere.
I am concerned MSE could not or would not delete it, misrepresented the status after it said was deleted
and last, that I was only able to delete the Trojan myself after I told MSE to "Allow" it, and that rule
now exists in MSE. Future re-infection possible, no way to determine, due to 'allow' rule persisting.
-------
Having said that; I am also aware that 'this' trojan may no longer be a threat; but, based on the behavior, I can see possibilities where either a person may continuously get reports of being infected. Or, because the only way to remove the file was to remove MSE's lock on it by allowing the file, thus allowing for a possible re-infection by this or another file of this type at a future date. Would the file have run had I tried to run the executable? Unknown, and I didn't feel like finding out! I doubt it. But, there was nothing to indicate whether this was possible, at any time, as all security permissions and ownership of the file indicated that an Administrator could do all things with the file, in spite of the fact that attempts to delete or copy the file got "access denied'. In fact, the only permission allowed in the locked state was to rename the file which did not stop MSE from recognizing the file... (naturally this is true). Unless Run was also permitted, which was not tested (as stated previously). I would "presume" not. However, as to why the 'allow' permission wasn't listed in MSE's settings in "Excluded files and locations", "Excluded file types", or "Excluded Processes" so that I could activate MSE to recognize it again is beyond me.
Yes, I understand that "Exclude file types" and "Excluded Processes" doesn't apply for obvious reasons; I merely mentioned them to include all the potential locations for "Exclusions" and nothing was indicated for the existence of my "original" allow permisstion which I gave MSE, and could later revoke!
Then, let us not forget... BOCTAOE (But, of course there are obvious exceptions)! - Scott Adams..
Thanks for any help or insight. I don't think this problem is as simple as a quick read might suggest!
Added: Yes, I have read the behavior of this trojan and realize it modifies other areas; however for reasons too numerous to go into here, this never ran on my machine; but, the short version of this is that the file was part of an archived web site created a long time ago which had had an intrusion detected, apparently this trojan was missed at the time (2008).
(smacks head) Found the allow listed in the History under allowed files (not in exclude files). Told MSE to delete the file. However, it still cannot delete file, and continuously reports the infection. lol, no it is not a pet, just a controlled test.
I'll eventually delete it, or MSE will when it's fixed.
For obvious reasons, I do not want to explain why I think this file cannot be deleted by MSE, as we wouldn't want people to use this to cause a rash of problems.
Continue reading...
Subject: MSE behavior allows for possible re-infection.
Text of report:
I had an issue where MSE (Microsoft Security Essentials) was not able to remove an old file
(SmitfraudFix.exe), which is a trojan; I was unable to delete the file because MSE had locked it. It
simply stated that the file had been removed; however it had not. I was able to confirm that the file
persisting after the scan and delete was the same file; MSE continuously Rediscovered file after each
scan.
After MSE was told to allow the file and removed the lock it placed on it, I was able to copy it or delete
it. I could not remove the allow permission given to MSE as it wasn't listed as an exclude in MSE
anywhere.
I am concerned MSE could not or would not delete it, misrepresented the status after it said was deleted
and last, that I was only able to delete the Trojan myself after I told MSE to "Allow" it, and that rule
now exists in MSE. Future re-infection possible, no way to determine, due to 'allow' rule persisting.
-------
Having said that; I am also aware that 'this' trojan may no longer be a threat; but, based on the behavior, I can see possibilities where either a person may continuously get reports of being infected. Or, because the only way to remove the file was to remove MSE's lock on it by allowing the file, thus allowing for a possible re-infection by this or another file of this type at a future date. Would the file have run had I tried to run the executable? Unknown, and I didn't feel like finding out! I doubt it. But, there was nothing to indicate whether this was possible, at any time, as all security permissions and ownership of the file indicated that an Administrator could do all things with the file, in spite of the fact that attempts to delete or copy the file got "access denied'. In fact, the only permission allowed in the locked state was to rename the file which did not stop MSE from recognizing the file... (naturally this is true). Unless Run was also permitted, which was not tested (as stated previously). I would "presume" not. However, as to why the 'allow' permission wasn't listed in MSE's settings in "Excluded files and locations", "Excluded file types", or "Excluded Processes" so that I could activate MSE to recognize it again is beyond me.
Yes, I understand that "Exclude file types" and "Excluded Processes" doesn't apply for obvious reasons; I merely mentioned them to include all the potential locations for "Exclusions" and nothing was indicated for the existence of my "original" allow permisstion which I gave MSE, and could later revoke!
Then, let us not forget... BOCTAOE (But, of course there are obvious exceptions)! - Scott Adams..
Thanks for any help or insight. I don't think this problem is as simple as a quick read might suggest!
Added: Yes, I have read the behavior of this trojan and realize it modifies other areas; however for reasons too numerous to go into here, this never ran on my machine; but, the short version of this is that the file was part of an archived web site created a long time ago which had had an intrusion detected, apparently this trojan was missed at the time (2008).
(smacks head) Found the allow listed in the History under allowed files (not in exclude files). Told MSE to delete the file. However, it still cannot delete file, and continuously reports the infection. lol, no it is not a pet, just a controlled test.
I'll eventually delete it, or MSE will when it's fixed.For obvious reasons, I do not want to explain why I think this file cannot be deleted by MSE, as we wouldn't want people to use this to cause a rash of problems.
Continue reading...