Security UPDATE--The Future of Malware Defense?--March 16, 2005

1. In Focus: The Future of Malware Defense?

2. Security News and Features

- Recent Security Vulnerabilities

- New Security Patches and Updates from Microsoft

- Microsoft Takes Action Against Malware

3. Instant Poll

4. Security Toolkit

- Security Matters Blog

- Security Chat

- FAQ

- Security Forum Featured Thread

5. New and Improved

- Fight Phishing

==== Sponsor: The Neverfail Group ====

High Availability for Windows Services

It is no stretch to say that Windows high availability must be a fundamental element in your short- and long-term strategic IT planning. This free white paper discusses the core issues surrounding Windows high availability, with a focus on business drivers and benefits. You'll learn about the current market solutions, technologies and real-world challenges including cost-benefit analyses. Plus, find out how to assess technical elements required in choosing a high availability solution, including the robustness of the technology, time-to-failover, and implementation difficulties. Download this white paper now!

http://www.winnetmag.com/whitepapers/neverfail/highavailability/index.cfm?code=sectop314

==== 1. In Focus: The Future of Malware Defense? ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

You're probably aware that Microsoft is working on branding its antivirus and antispyware solutions. The company has already released an antispyware solution into public beta testing and has acquired well-established GeCAD Software and Sybari Software antivirus products.

Some industry analysts think that the most logical way to address spyware is to evolve antivirus solutions to incorporate that ability to prevent spyware from infecting systems in the first place. That's a reasonable approach, even though it's another step towards a single point of failure, which many security administrators try to avoid.

I read some interesting comments at CNET.com, which published an interview with Bill Gates. The article implied that eventually antivirus solutions and possibly antispyware solutions will become integral parts of Windows. There's more to the story, which isn't covered in the CNET.com article.

I mentioned in an earlier column that Microsoft has published a research paper on root kits and has developed a detection tool that it hasn't made available to the public. The company released another interesting research paper several months ago that offers further insight into what other kinds of security-related technology the company might offer in the future.

The second paper, "Can We Contain Internet Worms?," was published in August 2004. In it, Microsoft researchers discuss how worms might become more readily containable as computers collaborate in a more automated manner. The concept, which the researchers have dubbed "Vigilante," proposes "a new host centric approach for automatic worm containment."

The summary states that the technology "relies on collaborative worm detection at end hosts in the Internet but does not require hosts to trust each other. Hosts detect worms by analysing attempts to infect applications and broadcast self-certifying alerts (SCAs) when they detect a worm. SCAs are automatically generated machine-verifiable proofs of vulnerability; they can be independently and inexpensively verified by any host. Hosts can use SCAs to generate filters or patches that prevent infection." You might think of this technology as sort of like a much smarter version of Snort or other intrusion detection and prevention systems.

In essence, the proposal discusses a means of having hosts monitor their own activity and automatically contain misbehaving processes. When a host detects a worm, it can generate an alert that's broadcast to other hosts. The general idea is to decentralize detection systems so that worms can't evade detection by evading a particular network point. A key to the idea is that an SCA could verify worm detection by reproducing its effects. So hosts attain a level of trust by doing their own verification, instead of depending on third parties to provide signatures to endpoint detection systems.

Although the paper doesn't mention this specifically, the implications are huge. The same principles could be applied to viruses, Trojan horses, spyware, and just about any kind of application or network behavior. Such a system would become vulnerability-centric; instead of having to develop signatures for each variation of malware, the system would instead identify the vulnerability and be able to act to defend the system against it. For example, it could shut down an application, reconfigure a firewall, or generate some sort of patch. There is much more to learn about the concept in the paper, which you can download in PDF format at the Microsoft Web site.

ftp://ftp.research.microsoft.com/pub/tr/TR-2004-83.pdf

==== Sponsor: NetIQ ====

10 Ways to Effectively Secure Active Directory

Active Directory is vulnerable to malicious and inadvertent security attacks, thus protecting Active Directory from internal and external threats is a constant challenge. In this free white paper, learn how to configure Active Directory to be resistant to threats, and regulate changes so data consistency is protected and security policies are enforced. Download this white paper now and learn how to ensure a secure Active Directory environment.

http://www.windowsitpro.com/whitepapers/netiq/tenways/index.cfm?code=secnl

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

New Security Patches and Updates from Microsoft

Microsoft didn't release any new security bulletins in March, but the company did update previous bulletins (MS02-005 and MS02-015) to include patches for Windows 98 and Windows Me. The company also released an updated version of its Malicious Software Removal Tool.

http://www.windowsitpro.com/Article/ArticleID/45643

Microsoft Takes Action Against Malware

Paul Thurrott examines what Microsoft is doing both this year and next to deal with spyware, adware, and similar types of electronic attacks.

http://www.windowsitpro.com/Article/ArticleID/45688

==== Resources and Events ====

Plan For or Prevent Exchange Messaging Disasters

In this free Web seminar, join Exchange MVP Paul Robichaux as he describes some operational scenarios in which "disaster recovery" takes a back seat to "business continuance." Learn how to be prepared for events that might otherwise wipe out your messaging capability and how you can survive them with your messaging and job intact.

http://www.windowsitpro.com/seminars/exchangedisasterrecovery/index.cfm?code=0316emailanns

Get Ready for SQL Server 2005 Roadshow in a City Near You

Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!

http://www.windowsitpro.com/roadshows/sqlserverusa/index.cfm?code=0314emailanncs

Infosecurity Europe 2005

Infosecurity Europe is Europe's number one, dedicated Information Security event held April 26-28, 2005, Grand Hall, Olympia, London. Now in its 10th year, the event continues to provide an unrivalled education program, new products & services, exhibitors and visitors from every segment of the industry. To register for FREE, please visit:

http://www.infosec.co.uk/windowsitpro

Empower Users and Produce Substantial ROI

Join industry expert David Chernicoff in this free Web seminar to learn how to integrate and automate fax from messaging systems such as Microsoft Exchange Server and Outlook and other various applications. And learn how to improve document handling and delivery by streamlining the integration of fax services into everyday business processes.

http://www.windowsitpro.com/seminars/faxservers/index.cfm?code=0316emailannc

Achieve High Availability and Disaster Recovery for Microsoft Servers

Attend this free Web seminar for your chance to win a $1000 American Express Gift Check! In this Web seminar, discover what it takes to minimize the likelihood of downtime through reliability and resilience in your Microsoft server environment, including Exchange, SQL Server, File Server, IIS, and SharePoint. Sign up today!

http://www.windowsitpro.com/seminars/microsofthighavailability/index.cfm?code=0316emailannc

==== 3. Instant Poll ====

Results of Previous Poll: Do you think Microsoft should offer Internet Explorer (IE) 7.0 for Windows 2000 platforms?

The voting has closed in this Windows IT Pro Security Hot Topic nonscientific Instant Poll. Here are the results from the 44 votes.

- 77% Yes

- 23% No

New Instant Poll: Do you consider IIS 6.0 to be a secure platform?

Go to the Security Hot Topic and submit your vote for

- Yes

- No

http://www.windowsitpro.com/windowssecurity#poll

==== 4. Security Toolkit ====

Security Matters Blog

by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Got NT? Better Have Extended Support or a Good Firewall!

Windows NT systems contain a critical vulnerability for which a patch is available--if you have an extended support contract. You can also defend your NT systems with a good firewall.

http://www.windowsitpro.com/Article/ArticleID/45694

Security Event Log Chat

Randy Franklin Smith is one of the foremost authorities on the Windows Security event log and a respected trainer who teaches Monterey Technology Group's "Security Log Secrets" course. Here's your chance to ask Randy your questions about the Security log and get answers Microsoft doesn't provide. Join the chat today at 4:00 P.M. Eastern / 1:00 P.M. Pacific time. For details, visit

http://list.windowsitpro.com/t?ctl=4412:10355

FAQ

by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q. Should I define a "catch-all" subnet for my Active Directory (AD) sites?

Find the answer at

http://www.windowsitpro.com/Article/ArticleID/45472/

Security Forum Featured Thread: Best Network Security Scanner

A forum participant writes that he's decided to purchase software to check his network for open ports, vulnerabilities, permissive user rights, open shares, accounts with administrative rights, unapproved Instant Messaging (IM) software, and so on. He wonders what the best tool to use might be. Join the discussion at

http://www.windowsitpro.com/Forums/messageview.cfm?catid=42&threadid=130535

==== Announcements ====

(from Windows IT Pro and its partners)

Get Windows IT Pro at 44% Off!

Windows & .NET Magazine is now Windows IT Pro! Act now to get an entire year for just $39.95--that's 44% off the cover price! Our March issue shows you what you need to know about Windows Server 2003 SP1, how to get the best out of your IT staff, and how to fight spyware. Plus, we review the top 10 features of Mozilla Firefox 1.0. This is a limited-time, risk-free offer, so click here now:

http://www.windowsitpro.com/rd.cfm?code=theu2052up

Get SQL Server Magazine and Get Answers

Subscribe to SQL Server Magazine today and get the latest "Top SQL Server Tips" handbook (includes over 60 helpful SQL Server tips) and free online access to every article ever published in the magazine--that's thousands of problem-solving solutions, expert tips, tricks, and the latest insider notes to help you get the most out of SQL Server. Sign up today:

http://www.sqlmag.com/rd.cfm?code=tgeu2153ts

==== 5. New and Improved ====

by Renee Munshi, [email protected]

Fight Phishing

Cyberworlds offers Swidgets Email Xray, which lets you look inside Microsoft Outlook email messages to detect phishing attempts. The program lets you view your email messages as plain text so there's no possibility of being harmed by a malicious script or link. Email Xray also reveals the email headers and source code and lets you easily email this information to your Help desk or service provider. Email Xray works with Internet email and Microsoft Exchange Server messages, can be installed across a LAN, and lets administrators modify or disable specific features. Email Xray runs under Windows XP/2000/Me/98SE and works with Outlook 2003/2002/2000. Email Xray costs $14.95 (quantity and academic discounts and 15-day free trial copy are available). For more information, go to

http://www.swidgets.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

==== Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]