MDT

New in Software Assurance: Problem Resolution Support Web

Microsoft Deployment Toolkit Team Blog - Wed, 11/13/2013 - 14:43

Hi everyone, this is Siddharth Jha from the DPM team and I wanted to bring a product support related update to your attention.

Microsoft has added a new type of support incident that has an email-only support option. We offer this as part of our paid Microsoft Software Assurance Support program to make sure that you can get the help you need while you test, implement and use our products.

What these incidents provide

These email-only incidents are free of charge to customers with Software Assurance, and assistance is provided via email rather than by phone call or remote support (e.g. connecting to your server). Every response from us occurs within approximately 24 hours (excluding weekends). This new offering is a good option for general issues, such as how to do a certain thing with the software or what the best practices around a feature of a product may be.

Situations where these incidents may not be the best choice

This new email-based support option is not ideal for extremely complex technical scenarios where a support engineer may need real-time access to the server. In other words, this support option is NOT for situations where you require urgent, real-time or phone-based interaction.

If you need phone-based support or real-time assistance, or the issue is very urgent, you can still call our support center and have a Customer Service Representative create a phone-based Service Request, just as you always could. Here are the phone support numbers for the different regions:

If you are located in US or Canada, please call 1-800-936-4900

If you are located in India, please call 1-800-419-5666

If you are located in other countries or regions, please go to the website below and select the appropriate product to find the proper instructions for your area:

http://support.microsoft.com/select/?target=assistance

Siddharth Jha

Get the latest System Center news on Facebook and Twitter:

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

The Forefront Endpoint Protection blog: http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog: http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

Categories: MDT

Windows 7 VDI? Here are some hotfixes you should be installing…

cluberti.com - Tue, 11/12/2013 - 17:14

Microsoft PFE Robert Smith has published a list of hotfixes that he recommends testing and, if no issues arise, deploying on Windows 7 installations used for VDI. Find the list at the link here:
http://social.technet.microsoft.com/wiki/contents/articles/20893.windows-7-vdi-image-hot-fixes.aspx

Categories: MDT

Error in policypv.log after upgrade to ConfigMgr 2012 R2

Coretech Blog » Kent Agerlund - Tue, 11/12/2013 - 14:32
Ran into an interesting error today after updating ConfigMgr 2012 SP1 to ConfigMgr 2012 R2. The hierarchy is a CAS and 3 primary sites (but I do not believe that the error is related to having multiple primary sites). *** insert DepPolicyAssignment (PADBID, PolicyAssignmentID, PolicyID, DepPADBID, DepPolicyAssignmentID, DepPolicyID, IsTombstoned, LastUpdateTime) values (67118015, N'{ccff0eb1-db33-49c3-9dd3-c704c3a638f8}', N'PS120012-PS10013D-6F6BCC28', 67689129, […]
Categories: MDT

MSRT November 2013 - Napolar

Microsoft Deployment Toolkit Team Blog - Tue, 11/12/2013 - 12:00

We first noticed the new family, which we named Win32/Napolar, being distributed in the wild in early August this year. It quickly became a big problem on our customers' machines.

Napolar is one of two families targeted by the Malicious Software Removal Tool (MSRT) this month. The other is the bitcoin mining family Win32/Deminnix.

As shown in the chart below, Napolar was hitting ~220K unique machines during the week of August 23rd.

Napolar is a trojan that can download and run files, use your machine's resources to conduct DDoS attacks or act as a SOCKS proxy, monitor network traffic, and steal credentials for FTP, POP3 and websites. Napolar also has a plugin infrastructure, but we haven't seen much use of it.

Figure 1: Napolar infected machines in August/September 2013

The major infection vector used by Napolar during the spike of the week of August 23rd was a spammed link sent in a Facebook message.

The group behind this distribution chose public file-sharing services (such as 4shared and MediaFire) to host their malware. They also used computers infected by another family, Win32/Dorpiex, to send the malicious links to the victims' Facebook friends.

The links redirect to a Napolar executable hosted on the file-sharing service. The files downloaded from those links have a name and icon that make them look like an image (see the example below) to lure people into opening them.

Although this is an old and well-known social engineering trick, it sadly still fools a decent number of victims.

Figure 2: An example of the downloaded file containing win32/Napolar

Napolar installs itself in a similar way to other bots, but goes a step further by installing a user-mode rootkit: it hooks native APIs in ntdll (Ntdll!NtQueryDirectoryFile, to hide its file from directory listings, and Ntdll!NtResumeThread, to inject itself into newly created processes before their first thread runs).

The chart below shows a typical process tree for Napolar. In newer variants, the main module name "lsass.exe" and the plugins folder name "SlrPlugins" are replaced with random names. There is more information on this in our Napolar family description.

Napolar starts when a user logs on, because the Napolar file is located in the %Startup% folder. The file is hidden by the user-mode rootkit, so it can't be seen directly in Windows Explorer. To be even stealthier, the main payload is injected into and run inside the explorer.exe process. The payload does the main work: communicating with a C&C server, downloading files and plugins, and so on. We have seen it download Win32/Dorpiex, which does further spreading, as well as Win32/Vicenor, which does bitcoin mining.

Figure 3: A typical process found in Win32/Napolar

When running inside web browsers and other processes that have ws2_32.dll loaded, Napolar monitors network traffic and captures credentials by matching given patterns. The default strings 'USER' and 'PASS' capture credentials from unencrypted FTP and POP3 traffic, and the C&C can supply more patterns to capture credentials from websites.
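
The same 'USER'/'PASS' matching, run from the defender's side over a capture, tells you which accounts an infected host could have leaked and which services still accept cleartext logins. The following is an added example, not code from the MMPC post or from Napolar: it identifies the protocol from the server banner (an assumption of this example), reassembles client commands across segment boundaries, and pairs each USER with the PASS that follows it. The packets are constructed.

```python
"""Find cleartext FTP and POP3 logins in captured traffic.

Added example; not code from the MMPC post or from Napolar. Napolar harvests
credentials by matching 'USER' and 'PASS' in unencrypted FTP and POP3 traffic
inside the processes it infects. Running the same matching over a capture
from the defender's side shows which accounts an infected host could have
leaked. Protocols are identified from the server banner (an assumption of
this example); the packets below are constructed.
"""
import re
from collections import defaultdict

_FTP_BANNER = re.compile(rb"^220[ -]")
_POP3_BANNER = re.compile(rb"^\+OK")
_CMD = re.compile(rb"^(USER|PASS)\s+(\S+)\s*$", re.IGNORECASE)


def find_cleartext_logins(packets):
    """packets: iterable of (stream_id, direction, payload), direction being
    'c2s' or 's2c' and payload the raw TCP segment. Returns a list of
    (stream_id, protocol, username, password) for each completed login."""
    proto = {}                      # stream_id -> 'ftp' | 'pop3'
    pending_user = {}               # stream_id -> USER seen, PASS awaited
    buffers = defaultdict(bytes)    # stream_id -> unconsumed client bytes
    found = []
    for stream_id, direction, payload in packets:
        if direction == "s2c":
            if stream_id not in proto:
                if _FTP_BANNER.match(payload):
                    proto[stream_id] = "ftp"
                elif _POP3_BANNER.match(payload):
                    proto[stream_id] = "pop3"
            continue
        # Reassemble client bytes into CRLF-terminated commands: a command
        # can be split across segments, and a per-packet match would miss it.
        buffers[stream_id] += payload
        while b"\r\n" in buffers[stream_id]:
            line, _, buffers[stream_id] = buffers[stream_id].partition(b"\r\n")
            m = _CMD.match(line)
            if not m or stream_id not in proto:
                continue
            verb, arg = m.group(1).upper(), m.group(2).decode("latin-1")
            if verb == b"USER":
                pending_user[stream_id] = arg
            elif stream_id in pending_user:
                found.append((stream_id, proto[stream_id],
                              pending_user.pop(stream_id), arg))
    return found


# Constructed capture: an FTP login split across two segments, a POP3 login,
# and a TLS stream whose bytes must not be mistaken for commands.
SAMPLE_PACKETS = [
    (1, "s2c", b"220 ftp.example.test FTP server ready\r\n"),
    (1, "c2s", b"USER alice\r\n"),
    (1, "s2c", b"331 Password required for alice\r\n"),
    (1, "c2s", b"PASS hun"),
    (1, "c2s", b"ter2\r\n"),
    (2, "s2c", b"+OK POP3 ready\r\n"),
    (2, "c2s", b"USER bob@example.test\r\n"),
    (2, "s2c", b"+OK\r\n"),
    (2, "c2s", b"PASS s3cret\r\n"),
    (3, "s2c", b"\x16\x03\x03\x00\x2a\x02\x00\x00\x26\x03\x03"),
    (3, "c2s", b"\x17\x03\x03\x00\x10USER not a command\r\n"),
]

if __name__ == "__main__":
    for stream, p, user, pw in find_cleartext_logins(SAMPLE_PACKETS):
        print(f"stream {stream}: cleartext {p.upper()} login {user} / {'*' * len(pw)}")
```

Anything this finds is an account to rotate and a service to move onto TLS; the TLS stream in the sample produces nothing precisely because the bytes Napolar's pattern matcher would see are ciphertext.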

Besides hiding itself, Napolar also uses its rootkit functionality to try to block changes to the following registry key paths:

  • Microsoft\Windows\CurrentVersion\Run
  • Microsoft\Windows NT\CurrentVersion\Windows\run
  • Microsoft\Windows NT\CurrentVersion\Windows\load
  • Microsoft\Windows\CurrentVersion\Policies\Explorer\run
  • Microsoft\Windows NT\CurrentVersion\Winlogon
  • Microsoft\Active Setup\Installed Components

According to one website that advertises and sells Napolar as Solar Bot, this "feature" is for "anti-bot installation", which sounds like preventing other malware from installing. This reminds me of the already crowded and competitive black market.
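
Those key paths and the %Startup% folder are where a responder should look first, and the rootkit's directory-listing hook means a plain API view of the Startup folder cannot be trusted. The following is an added example, not code from the MMPC post or from Napolar: it triages autostart records already collected from a host using heuristics of its own (a system-process name such as lsass.exe outside System32, an image in a user-writable location, and the guarded keys above), and does a cross-view comparison of the Startup folder between the Win32 API view and a raw listing. All records are constructed.

```python
"""Triage collected autostart entries for Napolar-style persistence.

Added example; not code from the MMPC post or from Napolar. Input is a list of
autostart records already gathered from a host (registry Run-style values plus
the user's Startup folder). The heuristics are this example's own; the lists
of user-writable directories and system-only names are assumptions, and every
record below is constructed.
"""
import ntpath
import re

# Key paths the post says Napolar's rootkit guards (relative to HKLM\Software
# or HKCU\Software).
NAPOLAR_GUARDED_KEYS = (
    r"Microsoft\Windows\CurrentVersion\Run",
    r"Microsoft\Windows NT\CurrentVersion\Windows\run",
    r"Microsoft\Windows NT\CurrentVersion\Windows\load",
    r"Microsoft\Windows\CurrentVersion\Policies\Explorer\run",
    r"Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"Microsoft\Active Setup\Installed Components",
)
# Assumed list of directories a standard user can write to.
_USER_WRITABLE = re.compile(
    r"\\(appdata|local settings|temp|tmp)\\|\\start menu\\programs\\startup\\",
    re.IGNORECASE)
# Assumed list of names that belong only in %SystemRoot%\System32.
_SYSTEM_ONLY = {"lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
_SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


def image_path(command: str) -> str:
    """Executable path from a registry command string, honouring quotes so a
    path with spaces is not cut at the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def guarded_by_napolar(source: str) -> bool:
    """True if a registry source path ends in one of the guarded key paths."""
    s = source.lower()
    return any(s.endswith(k.lower()) for k in NAPOLAR_GUARDED_KEYS)


def triage_autostarts(entries):
    """entries: dicts with 'source' (registry key or 'Startup folder'),
    'name' and 'command'. Returns [(entry, [reasons])] for suspicious ones."""
    findings = []
    for e in entries:
        path = image_path(e["command"])
        base = ntpath.basename(path).lower()
        reasons = []
        if base in _SYSTEM_ONLY and not _SYSTEM32.match(path):
            reasons.append(f"{base} outside System32")
        if _USER_WRITABLE.search(path):
            reasons.append("image in a user-writable location")
        if reasons and guarded_by_napolar(e["source"]):
            reasons.append("key is one Napolar's rootkit guards")
        if reasons:
            findings.append((e, reasons))
    return findings


def hidden_from_api(api_listing, raw_listing):
    """Names present in a raw directory listing (offline image or MFT parse)
    but missing from the Win32 API view: the gap a directory-listing hook
    creates. Comparison is case-insensitive, as NTFS names are."""
    api = {n.lower() for n in api_listing}
    return sorted(n for n in raw_listing if n.lower() not in api)


# Constructed records: a benign Run value, a Napolar-style lsass.exe in
# AppData under a guarded key, an unknown binary in the Startup folder, and
# a benign Winlogon Shell value.
SAMPLE_ENTRIES = [
    {"source": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth",
     "command": r'"C:\Windows\System32\SecurityHealthSystray.exe"'},
    {"source": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Update", "command": r"C:\Users\alice\AppData\Roaming\lsass.exe"},
    {"source": "Startup folder", "name": "photo.exe",
     "command": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                r"\Start Menu\Programs\Startup\photo.exe"},
    {"source": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "name": "Shell", "command": "explorer.exe"},
]
# Constructed Startup folder views: what the API returned on the live host
# versus what a raw parse of the same directory contains.
STARTUP_API_VIEW = ["desktop.ini"]
STARTUP_RAW_VIEW = ["desktop.ini", "photo.exe"]

if __name__ == "__main__":
    for entry, reasons in triage_autostarts(SAMPLE_ENTRIES):
        print(entry["name"], "->", "; ".join(reasons))
    print("hidden from API:", hidden_from_api(STARTUP_API_VIEW, STARTUP_RAW_VIEW))
```

The cross-view check is the part that matters against this family: the registry and API listings come from the infected host, where the hooks filter what you see, so the raw listing has to come from an offline image, a live MFT parse, or a boot from clean media.
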
There are a couple of anti-debugging tricks in Napolar that are also worth mentioning. They are not new, but they work against common debuggers:

  • Using the code section name "%*s%*s%s*" to crash OllyDbg, which passes the name through a format-string routine.
  • Debugging itself, so that a second debugger cannot attach (a process can have only one debugger at a time).
  • Hooking Ntdll!DbgUiRemoteBreakin to block a debugger from attaching remotely.

More interestingly, Napolar is written like shellcode, so it can relocate itself and resolve APIs dynamically. At first glance it is an x86 executable; however, so that it works on both x86 and x64 platforms, it embeds an x64 copy of itself (no PE structure, just code and data) inside the x86 executable. If it finds itself running under WOW64 (that is, as a 32-bit process on 64-bit Windows), it decompresses the x64 code with the standard API RtlDecompressBuffer, using COMPRESSION_FORMAT_LZNT1 as the format.

To run the 64-bit code from x86 code, Napolar allocates a 7-byte buffer, writes into it a far call whose target is the decompressed x64 code and whose segment selector is 0x33 (the x64 code segment), and then calls into the buffer. This is the technique commonly known as "Heaven's Gate".

Figure 4: Napolar generates far call code into segment 0x33

The far call switches the thread into 64-bit mode, and the x64 code then injects itself into the 64-bit explorer.exe.
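
Both halves of this mechanism can be handled offline. The following is an added example, not code from the MMPC post or from Napolar: an LZNT1 decompressor (the format behind COMPRESSION_FORMAT_LZNT1, with the chunk and token layout as documented in MS-XCA) for pulling the embedded x64 blob out of a sample without calling RtlDecompressBuffer, plus a scanner for the 7-byte far call into selector 0x33 in a memory dump or unpacked image. The LZNT1 streams and the 32-bit code snippet, including the target address 0x00410000, are constructed.

```python
"""Unpack Napolar's embedded x64 payload and find its mode-switch stub.

Added example; not code from the MMPC post or from Napolar. Two things an
analyst needs offline, where RtlDecompressBuffer is not available: an LZNT1
decompressor (COMPRESSION_FORMAT_LZNT1, the format the post names) for the
embedded x64 blob, and a scanner for the 7-byte far call into selector 0x33
that hands control to it. The chunk and token layout follows the LZNT1 format
documented in MS-XCA; all sample bytes below are constructed.
"""
import struct


def lznt1_decompress(data: bytes) -> bytes:
    """LZNT1 stream: chunks of at most 4096 output bytes, each with a 2-byte
    header (bit 15 = compressed, bits 0-11 = chunk size - 1), ended by a zero
    header or the end of input."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:
            break
        chunk_end = pos + (header & 0x0FFF) + 1
        if not header & 0x8000:                 # stored chunk: copy verbatim
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        chunk_start = len(out)
        while pos < chunk_end:
            flags = data[pos]                   # one bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not flags & (1 << bit):      # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                # Back-reference. The token's split between displacement and
                # length bits grows with the amount of this chunk already
                # decoded: 4 displacement bits for the first 16 bytes, then
                # one more bit each time that doubles.
                done = len(out) - chunk_start
                disp_bits, limit = 4, done - 1
                while limit >= 0x10:
                    limit >>= 1
                    disp_bits += 1
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                length = (token & (0xFFF >> (disp_bits - 4))) + 3
                distance = (token >> (16 - disp_bits)) + 1
                if distance > done:
                    raise ValueError("back-reference before start of chunk")
                for _ in range(length):         # may overlap its own output
                    out.append(out[-distance])
    return bytes(out)


def far_call_stub(target: int, selector: int = 0x33) -> bytes:
    """'call far selector:target' as x86 encodes it: opcode 9A, 32-bit offset,
    16-bit selector. Seven bytes, matching the buffer size the post gives."""
    return b"\x9a" + struct.pack("<IH", target, selector)


def find_x64_gates(buf: bytes, selector: int = 0x33):
    """(offset, target) for every far call to the given selector in a memory
    dump or unpacked image. 0x9A also occurs as data in ordinary x86 code, so
    the selector check is what makes this usable as an indicator."""
    hits = []
    i = buf.find(b"\x9a")
    while i != -1 and i + 7 <= len(buf):
        target, sel = struct.unpack_from("<IH", buf, i + 1)
        if sel == selector:
            hits.append((i, target))
        i = buf.find(b"\x9a", i + 1)
    return hits


# Constructed stream: literals A, B, C, then a back-reference of distance 3
# and length 9 that overlaps its own output.
SAMPLE_LZNT1 = bytes.fromhex("05b0084142430620")
# Constructed stream: a stored chunk, then a compressed chunk whose match sits
# past the 16th output byte (5 displacement bits), then a zero terminator.
SAMPLE_LZNT1_MIXED = (bytes.fromhex("0130") + b"Hi" + bytes.fromhex("15b0")
                      + b"\x00" + b"01234567" + b"\x00" + b"89ABCDEF"
                      + b"\x02" + b"G" + bytes.fromhex("0080")
                      + bytes.fromhex("0000"))
# Constructed 32-bit code: a near call, the gate to a hypothetical x64 blob
# at 0x00410000 in segment 0x33, and a return.
SAMPLE_CODE = b"\xe8\x10\x00\x00\x00" + far_call_stub(0x00410000) + b"\xc3"

if __name__ == "__main__":
    print(lznt1_decompress(SAMPLE_LZNT1), lznt1_decompress(SAMPLE_LZNT1_MIXED))
    for off, target in find_x64_gates(SAMPLE_CODE):
        print(f"far call 0x33:{target:08x} at offset {off}")
```

To use this on a sample, carve the bytes Napolar passes to RtlDecompressBuffer (a breakpoint on that API under WOW64 gives you the source buffer and length) and feed them to lznt1_decompress; the result is the raw x64 code and data with no PE header, so load it into a disassembler as a flat 64-bit blob. The gate scanner is a cheap memory-dump indicator for any 32-bit process: legitimate x86 code has no reason to far-call into selector 0x33, since the WOW64 layer does that transition itself.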

Napolar is a trojan that can do pretty bad things, from deploying more malware to stealing your credentials. The social engineering trick it uses is simple, but it works. Keep that in mind and be careful when opening executables sent on social networks: even if it's sent by one of your friends, don't open it if you have no idea what it is.

As always, the best protection from Napolar and similar threats is an up-to-date real-time security solution.

Shawn Wang
MMPC

Categories: MDT

MSRT November 2013 - Napolar

The USMT team blog - Tue, 11/12/2013 - 12:00

​We first noticed the new family we named Win32/Napolar being distributed in the wild in early August this year. It quickly became a big problem on our customers’ machines.

Napolar is one of two families targeted by the Malicious Software Removal Tool (MSRT) this month. The other is the bitcoin mining family Win32/Deminnix.

As shown in the chart below, Napolar was hitting ~220K unique machines during the week of August 23rd.

Napolar is a trojan that can download and run files, utilize your machine’s resources to conduct a DDoS attack or serve as a SOCKS proxy, monitor network traffic, and steal credentials for FTP, POP3 and websites.  There is also a plugin infrastructure designed in Napolar, but we haven’t seen much usage of it.

Figure 1: Napolar infected machines in August/September 2013

The major infection vector used by Napolar during the spike of the week of August 23rd was a spammed link sent in a Facebook message.

The group behind this major  distribution chose to use public file sharing services (such as 4shared and mediafire) to host their malware. They also utilized computers infected by another family, Win32/Dorpiex, to send the malicious links to their Facebook friends.

The links redirect to a Napolar executable hosted on the file share service. The  files downloaded from those links  have a name and icon that make them look like an image (see example below) to lure people into opening it.

Although this is an old and well-known social engineering trick, sadly it still seems to trick a decent number of victims for the bad guys.

Figure 2: An example of the downloaded file containing win32/Napolar

Napolar installs itself in a similar way as other bots, but it takes a further step to install a user-mode rootkit to hide its file presence in the system and inject itself into newly created processes by hooking system native APIs (Ntdll!NtResumeThread and Ntdll!NtQueryDirectoryFile).

The chart below demonstrates a typical process found in Napolar. With newer variants, the main module name “lsass.exe” and plugins folder name “SlrPlugins” are changed to a random schema. There is more information on this in our Napolar family description.

Napolar starts when a user logs, because the Napolar file is located in the %Startup% folder. The  file is hidden by the user-mode rootkit so it can’t be seen directly with Windows Explorer. To be even stealthier, the main payload is injected and run in the explorer.exe process. The payload does the main tasks like communicating with a C&C, download files/plugins, etc. We have seen it download Win32/Dorpiex, which does further spreading, as well as Win32/Vicenor which does bitcoin mining.

Figure 3: A typical process found in Win32/Napolar

When running in web browsers and processes where ws2_32.dll is loaded, Napolar monitors network traffic and captures credentials by matching given patterns. Default strings ‘USER’ and ‘PASS’ are used to capture credentials from unencrypted FTP and POP3 traffic, and more patterns can be given by a C&C to capture credentials from websites.

Besides hiding itself, Napolar also tries to block changes to the following registry key paths with its rootkit functionality:

  • Microsoft\Windows\CurrentVersion\Run
  • Microsoft\Windows NT\CurrentVersion\Windows\run
  • Microsoft\Windows NT\CurrentVersion\Windows\load
  • Microsoft\Windows\CurrentVersion\Policies\Explorer\run
  • Microsoft\Windows NT\CurrentVersion\Winlogon
  • Microsoft\Active Setup\Installed Components

According to one website that advertises and sells Napolar as Solar Bot, this “feature” is for anti-bot installation - which sounds like preventing other malware from installing. This reminds me of the already crowded and competitive black market.
There are a couple of anti-debugging tricks can be found in Napolar that are also worth mentioning. They are not new but work for common debuggers:

  • Using code section name “%*s%*s%s*” for crashing OllyDbg.
  • Self-debugging to evade single process debugging.
  • Hooking Ntdll!DbgUiRemoteBreakin to block debugger remote attaching.

More interestingly, Napolar is written like Shellcode so it’s able to self-relocate and dynamically resolve APIs. At first glance, it is an x86 executable; however, so it can work with both x86 and x64 platforms it embeds the x64 copy of itself (no PE structure, just code and data) in the x86 executable. The x64 code is then decompressed by standard API RtlDecompressBuffer with COMPRESSION_FORMAT_LZNT1 as format if it is running under a Wow64 emulator.

To run the 64bit code from x86 code, Napolar allocates a 7 bytes buffer and puts far-call code calls into the decompressed x64 code with the segment selector set to 0x33 (the x64 code segment), then calls into the buffer. 


Figure 4: Napolar generates far call code into segment 0x33

The far-call switches the current process to execute x64 code and do code injection into x64 explorer.exe.

Napolar is a trojan that can do pretty bad things – from deploying more malware to stealing your credentials. The social engineering trick it uses is simple but it works, just keep that in mind and be careful when opening executables sent on social networks. Even if it's sent from one of your friends, don’t open it if you have no idea what it is.

 As always, the best protection from Napolar and similar threats is an up-to-date real time security solution.

Shawn Wang
MMPC

Categories: MDT

MSRT November 2013 - Napolar

​We first noticed the new family we named Win32/Napolar being distributed in the wild in early August this year. It quickly became a big problem on our customers’ machines.

Napolar is one of two families targeted by the Malicious Software Removal Tool (MSRT) this month. The other is the bitcoin mining family Win32/Deminnix.

As shown in the chart below, Napolar was hitting ~220K unique machines during the week of August 23rd.

Napolar is a trojan that can download and run files, utilize your machine’s resources to conduct a DDoS attack or serve as a SOCKS proxy, monitor network traffic, and steal credentials for FTP, POP3 and websites.  There is also a plugin infrastructure designed in Napolar, but we haven’t seen much usage of it.

Figure 1: Napolar infected machines in August/September 2013

The major infection vector used by Napolar during the spike of the week of August 23rd was a spammed link sent in a Facebook message.

The group behind this major  distribution chose to use public file sharing services (such as 4shared and mediafire) to host their malware. They also utilized computers infected by another family, Win32/Dorpiex, to send the malicious links to their Facebook friends.

The links redirect to a Napolar executable hosted on the file share service. The  files downloaded from those links  have a name and icon that make them look like an image (see example below) to lure people into opening it.

Although this is an old and well-known social engineering trick, sadly it still seems to trick a decent number of victims for the bad guys.

Figure 2: An example of the downloaded file containing win32/Napolar

Napolar installs itself in a similar way as other bots, but it takes a further step to install a user-mode rootkit to hide its file presence in the system and inject itself into newly created processes by hooking system native APIs (Ntdll!NtResumeThread and Ntdll!NtQueryDirectoryFile).

The chart below demonstrates a typical process found in Napolar. With newer variants, the main module name “lsass.exe” and plugins folder name “SlrPlugins” are changed to a random schema. There is more information on this in our Napolar family description.

Napolar starts when a user logs, because the Napolar file is located in the %Startup% folder. The  file is hidden by the user-mode rootkit so it can’t be seen directly with Windows Explorer. To be even stealthier, the main payload is injected and run in the explorer.exe process. The payload does the main tasks like communicating with a C&C, download files/plugins, etc. We have seen it download Win32/Dorpiex, which does further spreading, as well as Win32/Vicenor which does bitcoin mining.

Figure 3: A typical process found in Win32/Napolar

When running in web browsers and processes where ws2_32.dll is loaded, Napolar monitors network traffic and captures credentials by matching given patterns. Default strings ‘USER’ and ‘PASS’ are used to capture credentials from unencrypted FTP and POP3 traffic, and more patterns can be given by a C&C to capture credentials from websites.

Besides hiding itself, Napolar also tries to block changes to the following registry key paths with its rootkit functionality:

  • Microsoft\Windows\CurrentVersion\Run
  • Microsoft\Windows NT\CurrentVersion\Windows\run
  • Microsoft\Windows NT\CurrentVersion\Windows\load
  • Microsoft\Windows\CurrentVersion\Policies\Explorer\run
  • Microsoft\Windows NT\CurrentVersion\Winlogon
  • Microsoft\Active Setup\Installed Components

According to one website that advertises and sells Napolar as Solar Bot, this “feature” is for anti-bot installation - which sounds like preventing other malware from installing. This reminds me of the already crowded and competitive black market.
There are a couple of anti-debugging tricks can be found in Napolar that are also worth mentioning. They are not new but work for common debuggers:

  • Using code section name “%*s%*s%s*” for crashing OllyDbg.
  • Self-debugging to evade single process debugging.
  • Hooking Ntdll!DbgUiRemoteBreakin to block debugger remote attaching.

More interestingly, Napolar is written like Shellcode so it’s able to self-relocate and dynamically resolve APIs. At first glance, it is an x86 executable; however, so it can work with both x86 and x64 platforms it embeds the x64 copy of itself (no PE structure, just code and data) in the x86 executable. The x64 code is then decompressed by standard API RtlDecompressBuffer with COMPRESSION_FORMAT_LZNT1 as format if it is running under a Wow64 emulator.

To run the 64bit code from x86 code, Napolar allocates a 7 bytes buffer and puts far-call code calls into the decompressed x64 code with the segment selector set to 0x33 (the x64 code segment), then calls into the buffer. 


Figure 4: Napolar generates far call code into segment 0x33

The far-call switches the current process to execute x64 code and do code injection into x64 explorer.exe.

Napolar is a trojan that can do pretty bad things – from deploying more malware to stealing your credentials. The social engineering trick it uses is simple but it works, just keep that in mind and be careful when opening executables sent on social networks. Even if it's sent from one of your friends, don’t open it if you have no idea what it is.

 As always, the best protection from Napolar and similar threats is an up-to-date real time security solution.

Shawn Wang
MMPC

Categories: MDT

MSRT November 2013 - Napolar

The Deployment Guys - Tue, 11/12/2013 - 12:00

​We first noticed the new family we named Win32/Napolar being distributed in the wild in early August this year. It quickly became a big problem on our customers’ machines.

Napolar is one of two families targeted by the Malicious Software Removal Tool (MSRT) this month. The other is the bitcoin mining family Win32/Deminnix.

As shown in the chart below, Napolar was hitting ~220K unique machines during the week of August 23rd.

Napolar is a trojan that can download and run files, utilize your machine’s resources to conduct a DDoS attack or serve as a SOCKS proxy, monitor network traffic, and steal credentials for FTP, POP3 and websites.  There is also a plugin infrastructure designed in Napolar, but we haven’t seen much usage of it.

Figure 1: Napolar infected machines in August/September 2013

The major infection vector used by Napolar during the spike of the week of August 23rd was a spammed link sent in a Facebook message.

The group behind this major  distribution chose to use public file sharing services (such as 4shared and mediafire) to host their malware. They also utilized computers infected by another family, Win32/Dorpiex, to send the malicious links to their Facebook friends.

The links redirect to a Napolar executable hosted on the file share service. The  files downloaded from those links  have a name and icon that make them look like an image (see example below) to lure people into opening it.

Although this is an old and well-known social engineering trick, it sadly still seems to trick a decent number of victims.

Figure 2: An example of the downloaded file containing win32/Napolar

Napolar installs itself in a similar way as other bots, but it takes a further step to install a user-mode rootkit to hide its file presence in the system and inject itself into newly created processes by hooking system native APIs (Ntdll!NtResumeThread and Ntdll!NtQueryDirectoryFile).

The chart below demonstrates a typical process found in Napolar. With newer variants, the main module name “lsass.exe” and plugins folder name “SlrPlugins” are changed to a random schema. There is more information on this in our Napolar family description.

Napolar starts when a user logs on, because the Napolar file is located in the %Startup% folder. The file is hidden by the user-mode rootkit so it can’t be seen directly with Windows Explorer. To be even stealthier, the main payload is injected into and run in the explorer.exe process. The payload does the main tasks, like communicating with a C&C and downloading files and plugins. We have seen it download Win32/Dorpiex, which does further spreading, as well as Win32/Vicenor, which does bitcoin mining.

Figure 3: A typical process found in Win32/Napolar

When running in web browsers and processes where ws2_32.dll is loaded, Napolar monitors network traffic and captures credentials by matching given patterns. Default strings ‘USER’ and ‘PASS’ are used to capture credentials from unencrypted FTP and POP3 traffic, and more patterns can be given by a C&C to capture credentials from websites.

Besides hiding itself, Napolar also tries to block changes to the following registry key paths with its rootkit functionality:

  • Microsoft\Windows\CurrentVersion\Run
  • Microsoft\Windows NT\CurrentVersion\Windows\run
  • Microsoft\Windows NT\CurrentVersion\Windows\load
  • Microsoft\Windows\CurrentVersion\Policies\Explorer\run
  • Microsoft\Windows NT\CurrentVersion\Winlogon
  • Microsoft\Active Setup\Installed Components

According to one website that advertises and sells Napolar as Solar Bot, this “feature” is for anti-bot installation - which sounds like preventing other malware from installing. This reminds me of the already crowded and competitive black market.

There are also a couple of anti-debugging tricks in Napolar that are worth mentioning. They are not new, but they work against common debuggers:

  • Using the code section name “%*s%*s%s*” to crash OllyDbg.
  • Self-debugging to evade single-process debugging.
  • Hooking Ntdll!DbgUiRemoteBreakin to block remote debugger attaching.

More interestingly, Napolar is written like shellcode, so it is able to self-relocate and dynamically resolve APIs. At first glance it is an x86 executable; however, so that it can work on both x86 and x64 platforms, it embeds an x64 copy of itself (no PE structure, just code and data) inside the x86 executable. If it finds itself running under the WOW64 emulator, the x64 code is decompressed with the standard API RtlDecompressBuffer using the COMPRESSION_FORMAT_LZNT1 format.

To run the 64-bit code from x86 code, Napolar allocates a 7-byte buffer, writes into it a far call that targets the decompressed x64 code with the segment selector set to 0x33 (the x64 code segment), then calls into the buffer.

Figure 4: Napolar generates far call code into segment 0x33

The far call switches the current process to executing x64 code and performs code injection into the x64 explorer.exe.
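As an added defender-side example (not code from the original post or from the MMPC), the following Python scanner looks through a dumped memory region or file for the 7-byte far-transfer stub just described: opcode 0x9A (far call) followed by a 4-byte offset and the 2-byte selector 0x33. It goes slightly beyond the text by also recognising the equivalent far jmp (opcode 0xEA); the sample bytes are constructed, not taken from a Napolar sample.

```python
"""Find x86 far call/jmp stubs that switch into the x64 code segment (0x33)."""
import struct
import sys

# Selector of the 64-bit code segment on 64-bit Windows; 0x23 is the 32-bit one.
X64_CODE_SELECTOR = 0x33

# Opcode -> mnemonic for the two x86 far transfers with an absolute ptr16:32
# operand. Each encodes as opcode + 4-byte offset + 2-byte selector = 7 bytes,
# which matches the size of the buffer Napolar allocates.
FAR_OPCODES = {0x9A: "call", 0xEA: "jmp"}


def find_far_transfers(buf: bytes, base: int = 0,
                       selector: int = X64_CODE_SELECTOR) -> list:
    """Return (address, mnemonic, target) for every far call/jmp in `buf`
    whose selector equals `selector`. `base` is the address the buffer was
    dumped from, so reported addresses can be looked up in the debugger.
    A 0x9A/0xEA byte inside data can produce a false positive; in practice the
    hit should sit in a small, freshly allocated executable region."""
    hits = []
    for i in range(len(buf) - 6):          # a stub needs 7 bytes from offset i
        mnemonic = FAR_OPCODES.get(buf[i])
        if mnemonic is None:
            continue
        target, sel = struct.unpack_from("<IH", buf, i + 1)  # offset, selector
        if sel == selector:
            hits.append((base + i, mnemonic, target))
    return hits


def describe(hits, selector: int = X64_CODE_SELECTOR) -> list:
    """Render hits as one human-readable line each."""
    return [f"{addr:#010x}: far {mn} {selector:#x}:{target:#010x}"
            for addr, mn, target in hits]


# Constructed sample dump (not from a real sample): an x86 prologue, the 7-byte
# far-call stub into segment 0x33, a ret, a decoy far call into the 32-bit
# segment 0x23 (ignored by default), and the far-jmp variant of the stub.
SAMPLE_DUMP = bytes.fromhex(
    "55 8B EC"                  # push ebp; mov ebp, esp
    "9A 00 10 40 00 33 00"      # call 0x33:0x00401000   <- the stub
    "C3"                        # ret
    "9A 00 20 40 00 23 00"      # call 0x23:0x00402000   (same bitness)
    "EA 00 30 40 00 33 00"      # jmp  0x33:0x00403000   <- jmp variant
)


if __name__ == "__main__":
    # Usage: python far_call_scan.py [dumpfile]; without a file the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for line in describe(find_far_transfers(data)):
        print(line)
```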

Napolar is a trojan that can do pretty bad things – from deploying more malware to stealing your credentials. The social engineering trick it uses is simple, but it works; keep that in mind and be careful when opening executables sent on social networks. Even if it’s sent from one of your friends, don’t open it if you have no idea what it is.

As always, the best protection from Napolar and similar threats is an up-to-date real-time security solution.

Shawn Wang
MMPC

Categories: MDT

Upatre: Emerging Up(d)at(er) in the wild

Microsoft Deployment Toolkit Team Blog - Thu, 10/31/2013 - 20:28

The MMPC is constantly monitoring emerging threats that are impacting our customers the most.

Recently, we started seeing Win32/Upatre being distributed in the wild. This chart shows how this threat has impacted customer machines in just about two months.

Figure 1: Monthly telemetry data on Win32/Upatre downloader


As we see in this next chart, the concentration of infections is in the United States with 96% of total infections, followed by the UK, Canada, and Australia. The high rate of infections in the US may be due to the spam distribution methods, such that infections are being reported via online email services.

Figure 2: Monthly telemetry data on Win32/Upatre by country

We have seen this malware distributed via spam campaigns with email attachments such as the following:

  • USPS_Label_<random number>.zip
  • USPS - Missed package delivery.zip
  • Statement of Account.zip
  • <number>-<number>.zip
  • TAX_<variable names>.zip
  • Case_<random number>.zip
  • Remit_<variable names>.zip
  • ATO_TAX.zip
  • ATO_TAX_<variable names>.zip

The <variable names> can be domains, company and individual names, or may be just random letters or words.
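As an added example for mail-gateway triage (not code from the original post), the following Python turns the attachment names listed above into anchored patterns, where <random number> becomes digits and <variable names> any non-empty text, and combines the name check with a look inside the ZIP for an executable member, since Upatre arrives as an executable inside the archive. The sample archives are constructed in memory.

```python
"""Triage e-mail ZIP attachments against the Upatre lure names listed above."""
import io
import re
import zipfile

# Lure file-name patterns from the list above. <random number> -> \d+,
# <variable names> -> any non-empty text. Anchored (fullmatch) and case-insensitive.
LURE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"USPS_Label_\d+\.zip",
    r"USPS - Missed package delivery\.zip",
    r"Statement of Account\.zip",
    r"\d+-\d+\.zip",
    r"TAX_.+\.zip",
    r"Case_\d+\.zip",
    r"Remit_.+\.zip",
    r"ATO_TAX\.zip",
    r"ATO_TAX_.+\.zip",
)]

# Extensions treated as Windows executables (an assumption; the post only says
# "executable"). Members are also checked for the "MZ" PE header regardless of name.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com")


def matches_lure_name(filename: str) -> bool:
    """True if the attachment name matches one of the listed lure patterns."""
    return any(p.fullmatch(filename) for p in LURE_PATTERNS)


def executables_in_zip(data: bytes) -> list:
    """Names of archive members that look like Windows executables."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                try:
                    with zf.open(info) as member:
                        head = member.read(2)
                except RuntimeError:          # encrypted member: cannot read the header
                    head = b""
                if info.filename.lower().endswith(EXECUTABLE_SUFFIXES) or head == b"MZ":
                    found.append(info.filename)
    except zipfile.BadZipFile:                # not a ZIP at all; nothing to inspect
        return []
    return found


def triage_attachment(filename: str, data: bytes) -> dict:
    """Combine the name check and the content check into a verdict."""
    lure = matches_lure_name(filename)
    exes = executables_in_zip(data) if filename.lower().endswith(".zip") else []
    if lure and exes:
        verdict = "block"       # lure name and an executable inside: the Upatre pattern
    elif lure or exes:
        verdict = "review"      # one signal only: hold for a human
    else:
        verdict = "allow"
    return {"filename": filename, "lure_name": lure, "executables": exes,
            "verdict": verdict}


def build_zip(members: dict) -> bytes:
    """Helper to construct an in-memory ZIP from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a lure-style archive carrying a fake PE, and a benign one.
SAMPLE_LURE = build_zip({"USPS_Label_83621.exe": b"MZ\x90\x00" + b"\x00" * 60})
SAMPLE_BENIGN = build_zip({"invoice.pdf": b"%PDF-1.4 constructed sample"})


if __name__ == "__main__":
    for name, data in (("USPS_Label_83621.zip", SAMPLE_LURE),
                       ("Statement of Account.zip", SAMPLE_BENIGN),
                       ("photos.zip", SAMPLE_BENIGN)):
        print(triage_attachment(name, data))
```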

Furthermore, based upon the telemetry, Win32/Upatre is also distributed via exploit kits - such as those delivered via Java and PDF-related exploits.

Win32/Upatre’s end purpose is to download and install PWS:Win32/Zbot.gen!AM. The month after its first appearance, Win32/Upatre also started downloading the VBR bootkit TrojanDownloader:Win32/Rovnix.I.

In the past, PWS:Win32/Zbot.gen!AM was known to use domain generation algorithm (DGA) generated URLs to attempt to download updates. DGA URLs are harder to track than normal URLs, as they are usually registered for a very short time, at the attacker’s choosing. Because the attacker knows the algorithm, they are able to predict which domain the malware will attempt to contact at any given date and time.

However, recently we have seen this variant of Zbot configured to download other malware. In particular, we have seen it downloading the "CryptoLock" ransomware that we detect as Trojan:Win32/Crilock.B. After a few days, it was modified to download a different malware, detected as Trojan:Win32/Necurs.A.

This diagram shows the infection chain:

Figure 3: Upatre and Zbot infection


It is worth noting that a recent variant of this downloader (TrojanDownloader:Win32/Upatre.B) shares common modules with its payload malware, Win32/Zbot. The way Upatre’s code has evolved over time has made it easier to embed more URL links. It has an export function named loaderConfigSource() that does not contain code but rather data: the URLs from which to download malware:

Figure 4: loaderConfigSource export function


Figure 5: Pseudo code of the core downloading module


This may also impact the proper system remediation of Win32/Zbot (or other malware used as the payload in Win32/Upatre variants) because failure to properly detect and block Win32/Upatre may mean your system will get re-infected by Win32/Zbot.

The MMPC team is constantly monitoring emerging threats and ensuring that our protection covers them. As always, we recommend keeping your security products up-to-date.


Rodel Finones
MMPC


SHA1s:

A2730aa0b5f74f165907409349935a9d52e6fca8
10881873606b0aa0a432cdb4966f54169518dd6d
7fc8b3b61089c4ff7984e9d881202e07f3ae7df8
5042fa3b8f28713ebe1d10cddbf9b5f88e041d83

Categories: MDT

System Center User Group: Netherlands – Update & Announcement

Microsoft Deployment Toolkit Team Blog - Thu, 10/31/2013 - 20:08

Greatness of a small country: Client, Data, and Cloud Management

Today the System Center User Group Netherlands is proud to announce their new website, with a wink to the Dutch clouds of the past (painted by famous Dutch painters, 1400-1600) and to future cloud developments. The renewed website is part of a range of new initiatives to better serve the Dutch community and beyond. In addition, the organization of the user group is undergoing renewal, with IT pros Helmer Zandbergen (MCT), James van den Berg (MVP), Robert Smit (MVP) and Ronny de Jong (MCT). The System Center User Group NL was founded in 2006 by Maarten Goet (MVP).

The new website, updated logo and renewed team should ensure a varied range of technical content around System Center, Hyper-V and Windows Azure, and are the prelude to closer cooperation with local and international user groups. As mentioned, the user group has the ambition to better serve the community with various (new) initiatives, meetings, guest speakers and webcasts, and to intensify cooperation with various groups by organizing joint events like Experts Live and System Center Universe 2014.

Site: http://www.scug.nl

Twitter: @scug_nl

/Enjoy!

Christian Booth (ChBooth) | Sr. Program Manager | Cloud & Enterprise

Program Lead: System Center: Cloud & Datacenter MVP

Categories: MDT

New infection rate data for unprotected computers

Microsoft Deployment Toolkit Team Blog - Wed, 10/30/2013 - 00:11

In the previous Microsoft Security Intelligence Report, SIRv14, we introduced a new metric to measure the infection rate for computers protected with real-time antimalware software (protected computers) in comparison to computers that were not protected with up-to-date security software (unprotected computers). Using this new data, we wrote a feature story about the risks of running unprotected. Our customers told us that providing this data really helped measure the value of running real-time antimalware software. It clearly showed that security software can provide a significant contribution to a computer’s protection level.

With Windows 8, we’ve made further improvements to help keep customers protected.

For example, Windows Defender is automatically activated when the Windows 8 device is turned on for the first time, and will only deactivate if another antimalware program is running. If there is no other antimalware software installed, Windows Defender will be enabled. If another antivirus application is activated later, Windows Defender will automatically disable itself. Windows Action Center monitors Windows Defender, and if it is turned off, Action Center will show a notification and provide an option to turn it back on. We’ve done all of this to help ensure that all Windows customers are protected.

What happens when another antimalware product is installed, but then stops receiving updates or the license expires? 

Like a computer without antimalware protection, this computer is also considered as being in an unprotected state.

At the MMPC, we closely monitor why people fall into an unprotected state.  Joe Blackbird and Bill Pfeifer presented on this topic at Virus Bulletin this year with The global impact of anti-malware protection state on infection rates. They found that more than half of the Windows 8 customers listed as unprotected are in that state because their antivirus has expired.

After assessing the telemetry on why customers were staying unprotected, a few updates were made in Windows 8.1 to help customers make a safe choice to stay protected. Now, after prompting a customer about their unprotected state and giving the choice to renew or see other options at the Windows Store, a final prompt helps the customer get back into a protected state even if they do not choose to renew. If you really don’t want to have protection enabled, you can still disable it – it’s your choice. The feature simply makes the safe choice really easy, and the less safe choice a bit more work.

During the past year I’ve talked to a lot of people who are just as passionate about keeping our customers protected as we are.  So, I’m happy to report that we now measure protected/unprotected data on a quarter-by-quarter basis as a standard part of the Microsoft Security Intelligence Report.

As shown in the following chart, our research reveals that every quarter, about 25 percent of computers are not completely protected. This includes computers that are both unprotected and intermittently protected. We count a computer as intermittently protected for the quarter if it reports being unprotected for one month. We’d like to move the number of computers in both categories closer to zero.

We also found that computers that never had protection were 7.1 times more likely to be infected with malware than computers that always had protection.

Figure 1: Percentage of computers worldwide protected by real-time security software, 3Q12–2Q13

For more data and analysis on protected and unprotected computers, including how we calculate this data, see SIRv15.

Stay protected folks!

Holly Stewart

MMPC

Categories: MDT
