MDT

System Center User Group: Netherlands – Update & Announcement

The Deployment Guys - Thu, 10/31/2013 - 20:08

Greatness of a small country: Client, Data, and Cloud Management

Today the System Center User Group Netherlands is proud to announce their new website with a wink to the past Dutch Clouds (painted by famous Dutch painters between 1400 and 1600) and future cloud developments. The renewed website is part of a range of new initiatives to better serve the Dutch community and beyond. In addition, the organization of the user group is undergoing renewal with IT pros Helmer Zandbergen (MCT), James van den Berg (MVP), Robert Smit (MVP) and Ronny de Jong (MCT). The System Center User Group NL was founded in 2006 by Maarten Goet (MVP).

The new website, updated logo and renewed team should ensure a varied range of technical content around System Center, Hyper-V and Windows Azure, and are the prelude to closer cooperation with local and international user groups. As mentioned, the user group has the ambition to better serve the community with various (new) initiatives, meetings, guest speakers and webcasts, and to intensify cooperation with various groups by organizing joint events like Experts Live and System Center Universe 2014.

Site: http://www.scug.nl

Twitter: @scug_nl

/Enjoy!

Christian Booth (ChBooth) | Sr. Program Manager | Cloud & Enterprise

Program Lead: System Center: Cloud & Datacenter MVP

Categories: MDT

New infection rate data for unprotected computers

Microsoft Deployment Toolkit Team Blog - Wed, 10/30/2013 - 00:11

In the previous Microsoft Security Intelligence Report, SIRv14, we introduced a new metric to measure the infection rate for computers protected with real-time antimalware software (protected computers) in comparison to computers that were not protected with up-to-date security software (unprotected computers). Using this new data, we wrote a feature story about the risks of running unprotected. Our customers told us that providing this data really helped measure the value of running real-time antimalware software. It clearly showed that security software can provide a significant contribution to a computer’s protection level.

With Windows 8, we’ve made further improvements to help keep customers protected.

For example, Windows Defender is automatically activated when the Windows 8 device is turned on for the first time, and will only deactivate if another antimalware program is running. If there is no other antimalware software installed, Windows Defender will be enabled. If another antivirus application is activated later, Windows Defender will automatically disable itself.  Windows Action Center monitors Windows Defender, and if it is turned off, Action Center will show a notification and provide an option to turn it back on. We’ve done all of this to help ensure that all Windows customers are protected.

What happens when another antimalware product is installed, but then stops receiving updates or the license expires? 

Like a computer without antimalware protection, this computer is also considered as being in an unprotected state.

At the MMPC, we closely monitor why people fall into an unprotected state. Joe Blackbird and Bill Pfeifer presented on this topic at Virus Bulletin this year with "The global impact of anti-malware protection state on infection rates". They found that more than half of the Windows 8 customers listed as unprotected are in that state because their antivirus has expired.

After assessing the telemetry on why customers were staying unprotected, a few updates were made in Windows 8.1 to help customers make a safe choice to stay protected. Now, after prompting a customer about their unprotected state and giving the choice to renew or see other options at the Windows Store, a final prompt helps the customer get back into a protected state even if they do not choose to renew. If you really don’t want to have protection enabled, you can still disable it; it’s your choice. The feature simply makes the safe choice really easy, and the less safe choice a bit more work.

During the past year I’ve talked to a lot of people who are just as passionate about keeping our customers protected as we are.  So, I’m happy to report that we now measure protected/unprotected data on a quarter-by-quarter basis as a standard part of the Microsoft Security Intelligence Report.

As shown in the following chart, our research reveals that every quarter, about 25 percent of computers are not completely protected. This includes computers that are both unprotected and intermittently protected. We count a computer as intermittently protected for the quarter if it reports being unprotected for one month. We’d like to move the number of computers in both categories closer to zero. 

We also found that computers that never had protection were 7.1 times more likely to be infected with malware than computers that always had protection.

Figure 1: Percentage of computers worldwide protected by real-time security software, 3Q12–2Q13

For more data and analysis on protected and unprotected computers, including how we calculate this data, see SIRv15.

Stay protected, folks!

Holly Stewart

MMPC

Categories: MDT

Faster Live Migration with Compression in Windows Server 2012 R2

Virtual PC Guy's WebLog - Tue, 10/29/2013 - 18:57

Last week I talked about the fact that we had introduced two new technologies for making live migration faster in Windows Server 2012 R2.  Today I would like to dig in deep on how one of these approaches, live migration with compression, actually works.

Live migration with compression is the default option for live migration in Windows Server 2012 R2.  Essentially what happens is that we compress any memory data before sending it over the network, and we decompress the memory on the destination side.  This has the effect of increasing the CPU utilization of a live migration, while decreasing the network utilization of a live migration.

In talking to many users – we have seen that most environments are currently bottlenecked on their network connectivity, but are still underutilizing the processing capabilities.  As such we expect that this functionality will have a significant impact in most situations.

That said – life is never that simple.

One of the secondary goals that we had with live migration with compression is that we wanted to be able to safely set it as the default option for live migration.  This meant that we wanted to be confident that using live migration with compression would not accidentally have any adverse effects on the system.

One obvious area for concern is: what happens if CPU resource is not available?  What if the virtual machines are actively using all the processor power I have available?

To handle this concern – we were very careful in the design of live migration with compression.  Throughout the entire process of a live migration we are now actively monitoring the CPU utilization and needs of all virtual machines on a Hyper-V server (even the virtual machines that are not being live migrated).  We then throttle our compression engine appropriately so that we only consume CPU resource that is not being actively used by the rest of the system.  This does mean that in a worst case scenario, where you attempt to live migrate a virtual machine on a system that is heavily utilizing its CPU, we may decide to not engage our compression engine at all and you would see no performance benefit.

The next obvious question is: just how much faster is live migration with compression? Unfortunately, this is hard to answer. There are two factors that affect the performance of live migration with compression. The first one is the availability of CPU resource (as I have just discussed) but the second is the complexity of the memory inside the virtual machine.

This second factor is very hard to predict.  A virtual machine may be using a lot of memory – but the content of the memory may be easy to compress and the result would be a very fast live migration.  Alternatively, a virtual machine may be using only a portion of its memory – but that content may be complicated to compress, which would result in a small performance boost.

So to answer this question I can only share some data points from our own testing:

  1. With an idle virtual machine with no workload (best case for live migration with compression) we have seen up to a 6x performance improvement.
  2. With a virtual machine running an active SQL workload we have typically seen a 2x performance improvement.
  3. We have not been able to construct a virtual machine that was slower to migrate with compression enabled, than with it disabled.

One note to make here – in order to easily demonstrate live migration with compression in a realistic fashion – I run the following PowerShell snippet inside my virtual machine:

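# Allocate a 1 GB byte array inside the guest
$memsize = 1GB
$Array = New-Object Byte[] $memsize
# Fill it with cryptographically random bytes, which do not compress
$random = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$random.GetBytes($Array)
# Keep the session (and the allocation) alive until Enter is pressed
Read-Host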

This puts 1GB of hard to compress memory inside my virtual machine, and slows down the migration of an otherwise idle workload!
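
The effect of memory content on compressibility can be seen outside Hyper-V as well. The following is an added example, not code from the original post: it compresses three 16 MB buffers with .NET's DeflateStream, which is only a stand-in because the post does not say which algorithm Hyper-V uses. The function name Get-CompressionRatio, the buffer size and the three sample buffers are assumptions chosen for illustration.

```powershell
# Added illustration: how buffer content changes the achievable compression ratio.
# DeflateStream is a stand-in; it is not claimed to be what Hyper-V uses.
function Get-CompressionRatio {
    param([byte[]]$Data)

    $out = New-Object System.IO.MemoryStream
    # leaveOpen = $true so the MemoryStream can still be measured after the flush
    $deflate = New-Object System.IO.Compression.DeflateStream(
        $out, [System.IO.Compression.CompressionMode]::Compress, $true)
    try {
        $deflate.Write($Data, 0, $Data.Length)
    }
    finally {
        $deflate.Dispose()   # flushes the remaining compressed bytes into $out
    }

    $ratio = $Data.Length / [double]$out.Length
    $out.Dispose()
    return [math]::Round($ratio, 2)
}

$size = 16MB

# Constructed sample 1: zero-filled, like memory an idle guest has never touched
$idle = New-Object byte[] $size

# Constructed sample 2: random bytes, the same content the snippet above creates
$busy = New-Object byte[] $size
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($busy)
$rng.Dispose()

# Constructed sample 3: first half random, second half zero
$mixed = New-Object byte[] $size
[Array]::Copy($busy, 0, $mixed, 0, [int]($size / 2))

$cases = [ordered]@{
    'zero-filled' = $idle
    'half random' = $mixed
    'random'      = $busy
}

foreach ($name in $cases.Keys) {
    $data = $cases[$name]
    [pscustomobject]@{
        Buffer = $name
        SizeMB = $data.Length / 1MB
        Ratio  = Get-CompressionRatio -Data $data
    }
}
```

A ratio close to 1 means compression saves almost no network traffic for that buffer, which is why the random-filled virtual machine migrates slowly even though it is otherwise idle.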

The final piece of information that I have to share about live migration with compression is that we expose a number of performance counters that allow you to understand exactly what is happening in your environment:

You can use the counters to see how much data is being compressed, what sort of compression efficiency we are achieving and how much resource we are utilizing for compression.

Cheers,
Ben

Categories: MDT

Service Manager 2012 R2 – Fixes included

Microsoft Deployment Toolkit Team Blog - Tue, 10/29/2013 - 10:35

Thomas Ellermann posted a great breakdown on the updates in R2 for Service Manager 2012. The focus in R2 for Service Manager was to tackle some of the critical customer and MVP-collected bugs. Service Manager's R2 release saw no major performance improvements, but we are targeting Console and Portal performance in the next update (UR) cycles. With that in mind, a few of the R2 fixes are associated with improving console and workflow stability, and that can help a great deal with performance.

You can find Thomas’s post here: http://blogs.technet.com/b/thomase/archive/2013/10/29/service-manager-2012-r2-fixes-included.aspx

/Enjoy!

Christian Booth (ChBooth) | Sr. Program Manager | System Center

Program Lead: System Center: Cloud & Datacenter MVP

Categories: MDT

Infection rates and end of support for Windows XP

Microsoft Deployment Toolkit Team Blog - Tue, 10/29/2013 - 09:00

In the newly released Volume 15 of the Microsoft Security Intelligence Report (SIRv15), one of the key findings to surface relates to new insight on the Windows XP operating system as it inches toward end of support on April 8, 2014.

In this post we want to highlight our Windows XP analysis and examine what the data says about the risks of being on unsupported software. In the SIR, we traditionally report on supported operating systems only. For this analysis we examined data from unsupported platforms, like Windows XP SP2, from a few different data points:

  • Malware encounters (newly introduced in SIRv15) in comparison to infections.
  • Infection rates for supported and unsupported operating systems.
  • Impact of antimalware protection on supported and unsupported operating systems.

Malware encounters and malware infections

Earlier today we published a blog post that discussed a new metric for analyzing malware prevalence which was introduced in the latest report. This new metric, called the encounter rate, measures the percentage of computers protected with Microsoft real-time antimalware products that come into contact with malware. It is important to note encounters do not equate to infections. Although some computers do report active malware, the vast majority of these encounters represent blocked infections reported by our antimalware products. Another recent blog explained our metrics in more detail.

You can think of the encounter rate as a way to measure what percentage of computers are exposed to malware. In comparison, the infection rate (CCM) measures how many computers out of 1,000 scanned by the Microsoft Malicious Software Removal Tool (MSRT) actually got infected. What’s really fascinating about these data points is when you compare the two.

The following chart shows the encounter rate in comparison to the infection rate by operating system and service pack. While Windows XP SP3 computers encountered almost as much malware as other platforms, computers running Windows XP as a whole experienced a much higher infection rate. For example, although Windows 8 computers may encounter a similar amount of malware as Windows XP, people who use Windows XP are six times more likely to get infected.

Figure 1: Malware Infection and encounter rates for Windows operating systems during 2Q13

A few possible reasons for the higher infection rate on Windows XP are:

  • Antimalware protection may not be active or up to date (more on this hypothesis in the last section).
  • Older technology lacks the protective measures built into more recently introduced operating systems, and therefore is challenged to defend against some attacks.

Windows XP was built more than 12 years ago and was architected to include security technologies that were innovative at the time. For example, Windows XP SP2 was released in 2004 and introduced Data Execution Prevention. However, the threat landscape has changed quite a bit since then and technologies that were built a decade ago, like DEP, are now commonly bypassed. A paper released earlier this year from Trustworthy Computing: Software Vulnerability Exploitation Trends helps illustrate this point. The paper also provides a comparison of security mitigations built into Windows 8 and compares them against the mitigations built into Windows XP.

Newer operating systems are not vulnerable to many of the exploitation techniques that are still widely used and remain effective against older platforms. Newer operating systems include a number of security features and mitigations that older versions were simply not designed for at the time.

Infection rates on unsupported operating systems

Once support ends, if Windows XP SP3 follows a trend similar to prior Windows XP versions which are unsupported now, we can expect infection rates to rise.

For example, support for Windows XP SP2 ended on July 13, 2010 (support notification). The dashed blue line in the following chart represents its infection rate after that time.

Figure 2: Windows XP SP2 infection rate after end of support

In the first two years after Windows XP SP2 went out of support, the infection rate disparity between the supported (Windows XP SP3) and unsupported (Windows XP SP2) service packs grew. In fact, the infection rate of the unsupported version was, on average, 66 percent higher than the supported version (Windows XP SP3).

After support ends, Microsoft security updates are no longer provided to address new vulnerabilities found, but that does not mean that new vulnerabilities won’t be discovered and exploited by attackers. For example, it will be possible for attackers to reverse-engineer new security updates for supported platforms to identify any that may exist in unsupported platforms. Tim Rains talked about the potential impact of doing so in his blog post this morning.

Impact of malware protection on supported and unsupported operating systems

One question I hear a lot when discussing unsupported versions of the OS is "So, won’t antivirus help protect my computer?" We absolutely encourage everyone to use real-time antimalware to help protect themselves against cybercriminal activity. In fact, the latest report shows that during the last quarter unprotected computers were 7.1 times more likely to be infected than protected computers.

That said, our data also tells us that running antimalware on out-of-support systems is not an equitable solution to protect against threats. The following chart compares the monthly infection rates for protected and unprotected computers on Windows XP SP2 and Windows XP SP3 in the last half of 2012 (this data for Windows XP SP3 was reported in the "Running unprotected" section of SIRv14).

The data shows that protected systems on Windows XP SP2 are twice as likely (2.2 times, to be exact) to be infected in comparison to protected Windows XP SP3 computers. Unprotected computers show a similar trend: you’re 2.5 times as likely to be infected on Windows XP SP2 in comparison to Windows XP SP3 when neither has up-to-date antimalware protection.

Figure 3: Average infection rate for computers with and without antimalware protection

As past Microsoft Security Intelligence Reports have shown, running a well-protected solution means running up-to-date antimalware software, regularly applying security updates for all software installed and using a more modern operating system that has increased security technologies and mitigations. This advice remains consistent with the new data in SIRv15.

Of course this blog highlights just one of the many key findings in the latest report.   I encourage you to download the report today to learn all about the latest trends in the threat landscape.

Holly Stewart
MMPC

Categories: MDT

Infection rates and end of support for Windows XP

The USMT team blog - Tue, 10/29/2013 - 09:00

In the newly released Volume 15 of the Microsoft Security Intelligence Report (SIRv15), one of the key findings to surface relates to new insight on the Windows XP operating system as it inches toward end of support on April 8, 2014.

In this post we want to highlight our Windows XP analysis and examine what the data says about the risks of being on unsupported software. In the SIR, we traditionally report on supported operating systems only. For this analysis we examined data from unsupported platforms, like Windows XP SP2, from a few different data points:

  • Malware encounters (newly introduced in SIRv15) in comparison to infections.
  • Infection rates for supported and unsupported operating systems.
  • Impact of antimalware protection on supported and unsupported operating systems.

Malware encounters and malware infections

Earlier today we published a blog post that discussed a new metric for analyzing malware prevalence which was introduced in the latest report. This new metric, called the encounter rate, measures the percentage of computers protected with Microsoft real-time antimalware products that come into contact with malware. It is important to note encounters do not equate to infections. Although some computers do report active malware, the vast majority of these encounters represent blocked infections reported by our antimalware products. Another recent blog explained our metrics in more detail.

You can think of the encounter rate as a way to measure what percentage of computers are exposed to malware. In comparison, the infection rate (CCM) measures how many computers out of 1,000 scanned by the Microsoft Malicious Software Removal Tool (MSRT) actually got infected. What’s really fascinating about these data points is when you compare the two.

The following chart shows the encounter rate in comparison to the infection rate by operating system and service pack. While Windows XP SP3 computers encountered almost as much malware as other platforms, computers running Windows XP as a whole experienced a much higher infection rate. For example, although Windows 8 computers may encounter a similar amount of malware as Windows XP, people who use Windows XP are six times more likely to get infected.

Figure 1: Malware Infection and encounter rates for Windows operating systems during 2Q13

A few possible reasons for the higher infection rate on Windows XP are:

  • Antimalware protection may not be active or up to date (more on this hypothesis in the last section).
  • Older technology lacks the protective measures built into more recently introduced operating systems, and therefore is challenged to defend against some attacks.

Windows XP was built more than 12 years ago and was architected to include security technologies that were innovative at the time. For example, Windows XP SP2 was released in 2004 and introduced Data Execution Prevention. However, the threat landscape has changed quite a bit since then and technologies that were built a decade ago, like DEP, are now commonly bypassed. A paper released earlier this year from Trustworthy Computing: Software Vulnerability Exploitation Trends helps illustrate this point. The paper also provides a comparison of security mitigations built into Windows 8 and compares them against the mitigations built into Windows XP.

Newer operating systems are not vulnerable to many of the exploitation techniques that are still widely used and remain effective against older platforms. Newer operating systems include a number of security features and mitigations that older versions were simply not designed for at the time.

Infection rates on unsupported operating systems

Once support ends, if Windows XP SP3 follows a trend similar to prior Windows XP versions which are unsupported now, we can expect infection rates to rise.

For example, support for Windows XP SP2 ended on July 13, 2010 (support notification). The dashed blue line in the following chart represents its infection rate after that time.

Figure 2: Windows XP SP2 infection rate after end of support

In the first two years after Windows XP SP2 went out of support, the infection rate disparity between the supported (Windows XP SP3) and unsupported (Windows XP SP2) service packs grew. In fact, the infection rate of the unsupported version was, on average, 66 percent higher than the supported version (Windows XP SP3).

After support ends, Microsoft security updates are no longer provided to address new vulnerabilities found, but that does not mean that new vulnerabilities won’t be discovered and exploited by attackers. For example, it will be possible for attackers to reverse-engineer new security updates for supported platforms to identify any that may exist in unsupported platforms. Tim Rains talked about the potential impact of doing so in his blog post this morning.

Impact of malware protection on supported and unsupported operating systems

One question I hear a lot when discussing unsupported versions of the OS is "So, won’t antivirus help protect my computer?" We absolutely encourage everyone to use real-time antimalware to help protect themselves against cybercriminal activity. In fact, the latest report shows that during the last quarter unprotected computers were 7.1 times more likely to be infected than protected computers.

That said, our data also tells us that running antimalware on out-of-support systems is not an equitable solution to protect against threats. The following chart compares the monthly infection rates for protected and unprotected computers on Windows XP SP2 and Windows XP SP3 in the last half of 2012 (this data for Windows XP SP3 was reported in the "Running unprotected" section of SIRv14).

The data shows that protected systems on Windows XP SP2 are twice as likely (2.2 times, to be exact) to be infected in comparison to protected Windows XP SP3 computers. Unprotected computers show a similar trend: you’re 2.5 times as likely to be infected on Windows XP SP2 in comparison to Windows XP SP3 when neither has up-to-date antimalware protection.

Figure 3: Average infection rate for computers with and without antimalware protection

As past Microsoft Security Intelligence Reports have shown, running a well-protected solution means running up-to-date antimalware software, regularly applying security updates for all software installed and using a more modern operating system that has increased security technologies and mitigations. This advice remains consistent with the new data in SIRv15.

Of course this blog highlights just one of the many key findings in the latest report. I encourage you to download the report today to learn all about the latest trends in the threat landscape.

Holly Stewart
MMPC

Categories: MDT

New Security Intelligence Report, new data, new perspectives

Microsoft Deployment Toolkit Team Blog - Tue, 10/29/2013 - 06:00

Today, Microsoft released volume 15 of the Microsoft Security Intelligence Report (SIRv15). The report analyzes malware, exploits and more based on data from more than a billion systems worldwide and some of the Internet’s busiest online services.

During the past year, as we were planning this volume of the Security Intelligence Report, and as we considered how to improve the breadth and accuracy of guidance given to our customers, we gave a lot of thought to how best to represent malware prevalence beyond the data provided in past reports.

We needed to establish a metric that measured the impact of malware based on our real-time protection products.

We already report on infection rates using a metric called computers cleaned per mille (CCM), which represents the number of computers cleaned for every 1,000 executions of the Malicious Software Removal Tool (MSRT). This helps us describe how widespread an infection is.

To better understand the range of threats that affect computers today, it’s increasingly valuable to consider infection attempts, including attempts that never result in infection. This data, which can only be provided by real-time security products, is measured by our new metric – the encounter rate. The encounter rate is the percent of computers running Microsoft real-time security products that come across, or encounter, malware. When viewed together, the infection rate and the encounter rate provide different lenses to look at the malware landscape, assembling a picture that can contribute to a more informed risk assessment.

For example, one key finding to surface from the analysis of platforms by encounter rate and infection rate during the past year was that computers running Windows XP encountered about as much malware as Windows 7. However, Windows XP computers experienced many more infections than other operating systems. In fact, Windows XP had an infection rate that was six times higher than Windows 8.

Figure 1: Infection and encounter rates for Windows operating systems

Later today we will publish another blog which will dive deeper into the analysis of Windows XP, in light of the upcoming end of support date – April 8, 2014. Tim Rains also talks more about this issue in his latest blog.

In our analysis of the landscape we also separate out malware from potentially unwanted software, based on severity. This distinction is important, since high/severe threats are serious enough that our products will remove these threats from computers automatically. Moderate/low threats, which we categorize as potentially unwanted software in this SIR, depend on user action to quarantine or remove.

We also show trends for countries with the highest and lowest encounter rates for malware and potentially unwanted software. Some countries appear on highest and lowest lists for potentially unwanted software and not for malware. This helps draw conclusions about the effect of potentially unwanted software on certain regions, as well as helping zero-in on the severe threats facing different locations.

As we look at threats regionally, we see one country that rose to significance in many parts of our analysis. Between the second half of 2012 and the first half of 2013, Turkey’s encounter rate increased by more than 13 percent. Exploits, miscellaneous trojans and worms were all encountered at higher levels in Turkey when compared with other regions globally. You can read further on our findings for Turkey and other countries in SIRv15.

Figure 2: Threat category prevalence worldwide and in the 10 locations with the most computers reporting detections in 2Q13. Totals for each location may exceed 100 percent because some computers reported threats from more than one category.

We also took a peek at the growing issue of ransomware - a type of malware designed to render a computer or its files unusable until the computer user pays a certain amount of money to the hacker. Often disguised as an official-looking warning from a well-known law enforcement agency, it accuses the computer user of committing a computer-related crime and demands that the user pay a fine via electronic money transfer to regain control of the computer.

We tracked the top ransomware families and found Win32/Reveton and Win32/Tobfy trending upward globally.

These are just a few of the many key findings contained in the latest report. To download the Microsoft Security Intelligence Report Volume 15, visit www.microsoft.com/sir.

We hope you will read it, pass it on to others to read and use it as a resource to take action and help protect your computer and your organization’s systems from malicious software.

Vidya Sekhar
MMPC

Categories: MDT

New Security Intelligence Report, new data, new perspectives

The USMT team blog - Tue, 10/29/2013 - 06:00

Today, Microsoft released volume 15 of the Microsoft Security Intelligence Report (SIRv15). The report analyzes malware, exploits and more based on data from more than a billion systems worldwide and some of the Internet’s busiest online services.

During the past year, as we were planning this volume of the Security Intelligence Report, and as we considered how to improve the breadth and accuracy of guidance given to our customers, we gave a lot of thought on how best to represent malware prevalence beyond the data provided in past reports.

We need to establish a metric that measured the impact of malware based on our real-time protection products.

We already report on infection rates using a metric called computers cleaned per mille (CCM), which represents the number of computers cleaned for every 1,000 executions of the Malicious Software Removal Tool (MSRT). This helps us describe how widespread an infection is.

To better understand the range of threats that affect computers today, it’s increasingly valuable to consider infection attempts, including attempts that never result in infection. This data, which can only be provided by real-time security products, is measured by our new metric – the encounter rate. The encounter rate is the percent of computers running Microsoft real-time security products that come across, or encounter malware. When viewed together, the infection rate and the encounter rate provide different lenses to look at the malware landscape, assembling a picture that can contribute to a more informed risk assessment.

For example, one key finding to surface from the analysis of platforms by encounter rate and infection rate during the past year, was that computers running Windows XP encountered about as much malware as Windows 7. However, Windows XP computers experienced many more infections than other operating systems. In fact, Windows XP had an infection rate that was six times higher than Windows 8.  

Figure 1: Infection and encounter rates for Windows operating systems

Later today we will publish another blog which will dive deeper into the analysis of Windows XP, in light of the upcoming end of support date – April 8, 2014. Tim Rains also talks more about this issues in his latest blog.  

In our analysis of the landscape we also separate out malware from potentially unwanted software, based on severity. This distinction is important, since high/severe threats are serious enough that our products will remove these threats from computers automatically. Moderate/low threats, which we categorize as potentially unwanted software in this SIR, depend on user action to quarantine or remove.

We also show trends for countries with the highest and lowest encounter rates for malware and potentially unwanted software. Some countries appear on highest and lowest lists for potentially unwanted software and not for malware. This helps draw conclusions about the effect of potentially unwanted software on certain regions, as well as helping zero-in on the severe threats facing different locations.

As we look at threats regionally, we see one country that rose to significance in many parts of our analysis. Between the second half of 2012 and the first half of 2013, Turkey’s encounter rate increased by more than 13 percent.  Exploits, miscellaneous trojans and worms were all encountered at higher levels in Turkey when compared with other regions globally. You can read further on our findings for Turkey and other countries in SIRv15.

 

Figure 2: Threat category prevalence worldwide and in the 10 locations with the most computers reporting detections in 2Q13. Totals for each location may exceed 100 percent because some computers reported threats from more than one category.

We also took a peek at the growing issue of ransomware - a type of malware designed to render a computer or its files unusable until the computer user pays a certain amount of money to the hacker. Often disguised as an official-looking warning from a well-known law enforcement agency, it accuses the computer user of committing a computer-related crime and demands that the user pay a fine via electronic money transfer to regain control of the computer.

We tracked the top ransomware families and found Win32/Reveton and Win32/Tobfy trending upward globally.

These are just a few of the many key findings contained in the latest report.  To download the Microsoft Security Intelligence Report Volume 15, visit www.microsoft.com/sir.

We hope you will read it, pass it on to others to read and use it as a resource to take action and help protect your computer and your organizations’ systems from malicious software.

Vidya Sekhar
MMPC

Categories: MDT

New Security Intelligence Report, new data, new perspectives

Today, Microsoft released volume 15 of the Microsoft Security Intelligence Report (SIRv15). The report analyzes malware, exploits and more based on data from more than a billion systems worldwide and some of the Internet’s busiest online services.

During the past year, as we were planning this volume of the Security Intelligence Report, and as we considered how to improve the breadth and accuracy of guidance given to our customers, we gave a lot of thought on how best to represent malware prevalence beyond the data provided in past reports.

We need to establish a metric that measured the impact of malware based on our real-time protection products.

We already report on infection rates using a metric called computers cleaned per mille (CCM), which represents the number of computers cleaned for every 1,000 executions of the Malicious Software Removal Tool (MSRT). This helps us describe how widespread an infection is.

To better understand the range of threats that affect computers today, it’s increasingly valuable to consider infection attempts, including attempts that never result in infection. This data, which can only be provided by real-time security products, is measured by our new metric – the encounter rate. The encounter rate is the percent of computers running Microsoft real-time security products that come across, or encounter malware. When viewed together, the infection rate and the encounter rate provide different lenses to look at the malware landscape, assembling a picture that can contribute to a more informed risk assessment.

For example, one key finding to surface from the analysis of platforms by encounter rate and infection rate during the past year, was that computers running Windows XP encountered about as much malware as Windows 7. However, Windows XP computers experienced many more infections than other operating systems. In fact, Windows XP had an infection rate that was six times higher than Windows 8.  

Figure 1: Infection and encounter rates for Windows operating systems

Later today we will publish another blog which will dive deeper into the analysis of Windows XP, in light of the upcoming end of support date – April 8, 2014. Tim Rains also talks more about this issues in his latest blog.  

In our analysis of the landscape we also separate out malware from potentially unwanted software, based on severity. This distinction is important, since high/severe threats are serious enough that our products will remove these threats from computers automatically. Moderate/low threats, which we categorize as potentially unwanted software in this SIR, depend on user action to quarantine or remove.

We also show trends for countries with the highest and lowest encounter rates for malware and potentially unwanted software. Some countries appear on highest and lowest lists for potentially unwanted software and not for malware. This helps draw conclusions about the effect of potentially unwanted software on certain regions, as well as helping zero in on the severe threats facing different locations.

As we look at threats regionally, we see one country that rose to significance in many parts of our analysis. Between the second half of 2012 and the first half of 2013, Turkey’s encounter rate increased by more than 13 percent. Exploits, miscellaneous trojans and worms were all encountered at higher levels in Turkey when compared with other regions globally. You can read further on our findings for Turkey and other countries in SIRv15.

 

Figure 2: Threat category prevalence worldwide and in the 10 locations with the most computers reporting detections in 2Q13. Totals for each location may exceed 100 percent because some computers reported threats from more than one category.

We also took a peek at the growing issue of ransomware - a type of malware designed to render a computer or its files unusable until the computer user pays a certain amount of money to the hacker. Often disguised as an official-looking warning from a well-known law enforcement agency, it accuses the computer user of committing a computer-related crime and demands that the user pay a fine via electronic money transfer to regain control of the computer.

We tracked the top ransomware families and found Win32/Reveton and Win32/Tobfy trending upward globally.

These are just a few of the many key findings contained in the latest report. To download the Microsoft Security Intelligence Report Volume 15, visit www.microsoft.com/sir.

We hope you will read it, pass it on to others to read, and use it as a resource to take action and help protect your computer and your organization’s systems from malicious software.

Vidya Sekhar
MMPC

Categories: MDT

New Security Intelligence Report, new data, new perspectives

The Deployment Guys - Tue, 10/29/2013 - 06:00

Today, Microsoft released volume 15 of the Microsoft Security Intelligence Report (SIRv15). The report analyzes malware, exploits and more based on data from more than a billion systems worldwide and some of the Internet’s busiest online services.

During the past year, as we were planning this volume of the Security Intelligence Report, and as we considered how to improve the breadth and accuracy of guidance given to our customers, we gave a lot of thought on how best to represent malware prevalence beyond the data provided in past reports.

We need to establish a metric that measured the impact of malware based on our real-time protection products.

Categories: MDT

Some thoughts about System Center 2012 R2

Microsoft Deployment Toolkit Team Blog - Mon, 10/28/2013 - 15:44

As I’m sure everyone is aware, last week we released System Center 2012 R2. With this new release, I thought it would be a good idea to call attention to a great article written by Steve Bucci, one of our top Senior Support Escalation Engineers here on our System Center team. He wrote the article back in February of this year and it talks about how System Center is a team of products, and how it’s important to remember that all these separate components were designed to work better together. To borrow a phrase from Aristotle, it’s one of those things where the whole is greater than the sum of the parts. Steve’s article brings up points that you may want to reconsider with the release of System Center 2012 R2, so if you get a free minute sometime this week I’d invite you to give it a quick read.

System Center Assemble! Create your team of heroes with System Center 2012 SP1

J.C. Hornbeck | Solution Asset PM | Microsoft GBS Management and Security Division

Get the latest System Center news on Facebook and Twitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

The Forefront Endpoint Protection blog: http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog: http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Categories: MDT

Some thoughts about System Center 2012 R2

The USMT team blog - Mon, 10/28/2013 - 15:44

Categories: MDT
