Reg WinXP beta system virus defences breached

The good news - they can't get out. The bad news - we can't kill them either...


WinXP diaries How safe is Microsoft's new approach to viruses? Sort of safe, but not entirely helpful, it would appear. Not one virus but two seem to have slid through the deflector shields of my Office XP installation, and while they're under control, catching them and killing them is a bit of a puzzle right now.

For experimental reasons I've been running Outlook 2002 with the default security settings for a month or so now, because I ought to find out what happens to real live customers. With hindsight, I accept it was a tad reckless to do this with a production system, but then again how else could I find out?

Up until the arrival of the two unwanted guests it did seem to be working, and some aspects of Outlook were actually very helpful when it came to dealing with the biggest mail headache, and my prime virus source - The Register Daily Update mailing list. The account used for this only ever sends the daily update, and on a daily basis gets back about 200 holiday autoresponders in numerous formats and languages (I don't actually know the Norwegian for 'I'm away right now', but I can easily find out).

It also gets about half a dozen viruses, tons of spam, and about once a week a sad message from somebody who can't figure out the automatic unsubscribe - frequently because they've forgotten their own email address.

So the task is to automatically throw away all of the holiday responses, viruses and bits of spam, leaving a couple of weird bouncers and these lost souls to deal with. The ease with which Outlook 2002 allows you to set up rules means it's been doing splendidly, and I've even had time to sneer at the company that sent a message begging to unsubscribe the one person there who isn't on the list, whereas what they meant was take off all four of the people who were. Apparently I'm supposed to be able to guess this sort of stuff.

Compare and contrast this with the previous client I'd been using, Eudora 4.3. This does allow you to set up rules, but I'd never been able to figure my way around setting up particularly sophisticated ones, so the big pile of crud would back up, and the lost souls got patchy service. Which many of them deserve, but it's better to be nice.

The joys of automation

Aside from being good at automated rule creation, Outlook seemed to be doing pretty well on viruses as well. Homepage bounced off, as did the various puzzling attachments in weird languages I don't speak. Surely it couldn't last? No, apparently not.

I've just for the first time looked at the macro security settings, and they're at high, which is "only signed macros from trusted sources will be allowed to run. Unsigned macros are disabled." Furthermore, I note I have no trusted sources, which is as it should be in this business. So, how come something got inside the tent?

And then there's the matter of how come the viruses have taken a week or more to kick into action? I've found the originating messages, two apparent domain registration spams whose message IDs suggest they're from the same source. In neither case has a .scr attachment been detected, which I take it is how you tell they got through (I'm new to this end of the business - never, apart from the odd Word macro, suffered a successful hit until now).

They were sent on Sunday 13th, and I think I can explain some of the long delay. It might have actually hit on that day, because I noted that some tasks in my Outlook queue were failing. Figuring out what was going wrong proved difficult, but I concluded it was to do with me having to switch around my outgoing email ID depending on whether I'm at home, in the office or on a dialup connection.

The confusion over outgoing IDs may actually have saved me there by stopping the virus going out. It was late, so I gave up trying to fix it, then the next morning when I found it had spent the night logging on and failing to send over 900 times I thought virus, then phone bill (MSN Messenger does this to ISDN as well, if you forget to catch it and kill it), pulled the plugs, disabled all the auto send and receive, and cancelled all tasks for good measure.

That seemed to fix it, and as there was nothing suspicious in either the outbox or the sent messages, I concluded it had just spent all night trying to send the two messages from me that were in the outbox, but that I'd set to send on the wrong ID.

So maybe I had a virus, but I didn't notice. One useability deficit of Outlook springs to mind here, because although you can see tasks failing in the send/receive details, you can't readily see what it is specifically that's failing. Outlook help seems silent on the subject of task queues, as indeed it is on many of the other nasty techie things it's intent on shielding you from.

Making it harder by way of easier

You could say this was a standard feature of the Microsoft approach to software, however. The products have many helpful bolt-ons which when they're good, are very very good. But when something goes wrong you find the answer, if it exists, is buried deep under many layers of shielding, and that Clippy is just as useless as he ever was. Lob in the thought that it is quite possible that a combination of the automation and the shielding is actually generating problems users can't solve on their own; mightn't that suggest that by trying to make it easier, Microsoft is simply building everybody bigger and bigger headaches? Particularly its own support, useability and development teams.

But getting back to today, the 23rd for a little while yet, the virus is either back, or it just kicked into action after a ten day slumber, and this time the system has handled it differently, slightly more expertly, but not very helpfully. Here's what happens. A dialogue box kicks in, warning that something is trying to access my address book. It doesn't volunteer information about what that something is. Click no, don't allow it, up it pops again... and again... and again. I'm not about to click yes, am I?

But there's a clear useability issue here. If a naive user, more naive even than me, can't figure out how to get out of this apart from clicking yes, then they're going to do that, at least maybe. OK, shall we find out what it is then? Pull the cable out of the wall, click yes. Now it wants to know if it can send something. Click yes again. Here it is again, click yes again. Get bored, look in the outbox. Here we are, two outgoings, and no doubt many more if you carried on clicking yes.

Outlook has blocked both outgoing attachments, which are new_doc.scr, and the tempting New_Napster_Site.DOC.scr. But it's trying to send the mail, so presumably it'd spam all my contacts with the dumb message anyway, but minus the attachment.
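The mail triage described above (drop autoresponders, quarantine anything carrying an executable attachment, keep the rest for a human) can be written down as a few explicit rules. This is an added example, not the author's Outlook configuration: it uses Python's standard `email` module, the extension list beyond `.scr` is my assumption, and the three sample messages are constructed inline.

```python
"""Triage mail the way the Outlook rules on this page do (added example).
A message is 'autoresponder', 'blocked' (executable attachment, even behind a
double extension such as .DOC.scr) or 'keep'. Samples are constructed here."""
from email import message_from_string
from email.message import Message

# .scr is the extension seen on this page; the rest are assumed to be unsafe too.
BLOCKED_EXTENSIONS = {"scr", "exe", "pif", "bat", "vbs", "com"}

def attachment_is_blocked(filename: str) -> bool:
    """The *last* extension decides, so 'New_Napster_Site.DOC.scr' is blocked."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[-1].lower() in BLOCKED_EXTENSIONS

def is_autoresponder(msg: Message) -> bool:
    """Holiday replies: RFC 3834 Auto-Submitted header or the usual subject words."""
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return True
    subject = msg.get("Subject", "").lower()
    return any(w in subject for w in ("out of office", "autoreply", "auto-reply", "vacation"))

def classify(raw: str) -> str:
    """Return the rule that fires first; attachments are checked on every MIME part."""
    msg = message_from_string(raw)
    if is_autoresponder(msg):
        return "autoresponder"
    for part in msg.walk():
        name = part.get_filename()
        if name and attachment_is_blocked(name):
            return "blocked"
    return "keep"

# Constructed samples: a holiday bounce, a dropper like the one on this page, a lost soul.
SAMPLES = {
    "holiday": "Subject: Out of Office AutoReply\nAuto-Submitted: auto-replied\n\n"
               "I'm away right now.\n",
    "dropper": "Subject: New Napster Site\nMIME-Version: 1.0\n"
               "Content-Type: multipart/mixed; boundary=\"b\"\n\n--b\n"
               "Content-Type: text/plain\n\nhave a look\n--b\n"
               "Content-Type: application/octet-stream; name=\"New_Napster_Site.DOC.scr\"\n"
               "Content-Disposition: attachment; filename=\"New_Napster_Site.DOC.scr\"\n\n"
               "AAAA\n--b--\n",
    "lost_soul": "Subject: please unsubscribe me\n\nI forgot my address.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {classify(raw)}")
```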

So we've now got several puzzles here. If it's the same as last time, why is Outlook warning now, but didn't warn then? It's the same machine, I haven't changed the setting, so why? Why the gap of ten days? This I might be able to answer - I imported the mail into a boot managed Win98 OXP system, collected some more mail, and then when I rebooted in WinXP, just opened the outlook.pst on the C drive. So opening it may have weirdly brought it back to life.

Danger, WinXP

Next, how do you stop the warning popups? Tell it to go away and it just keeps coming back; I've only got 30 people in the book and have just tried 90 clicks, so that does seem to be the case. Clearly the simplest way to do this is to run an antivirus program and hose the things, then kill off anything lying around in the outbox. But friends, may I quote from the WinXP beta 2 readme.doc? "On computers running Whistler Personal, Whistler Professional, or Whistler Advanced Server, only antivirus programs written for the specific Whistler operating system run correctly. Antivirus drivers not written to run on the specific Whistler operating system might cause problems. Other issues might include a lack of real-time scanning for viruses or system vulnerability to virus attack. These problems range in severity from recoverable errors to loss of some or all of the data, to the computer becoming unusable. There is no workaround for this. This issue will not be addressed in future release."

Get out of that without moving, and surely that last sentence has to be a misprint? I knew there was an antivirus issue with the WinXP beta, so hadn't bothered reading the relevant paragraph, but it's so bizarre that it really requires further explanation from Microsoft - if they're saying what they mean, then what the blazes are they smoking?

I quite frequently hear from the Microsoft techies when I do these pieces. They're good people who genuinely want to build good products, they're generally eager to help nail the problem, and I'm willing to help them if I can. Trust me on this, they're nice, it's the marketing people who're not. So I wouldn't be at all surprised if I hear from the OXP team over this one, and with that in mind I've kept the system 'as is' for the moment. Gentlemen, I have your viruses in isolation.

Two possible workarounds that occur to me would be to drop back to the Win98 system, hose it with Norton, then vape Outlook, reinstall and import (bit of a sledgehammer, but wouldn't take long and beats digging around in the entrails). The other one - which is now going to happen anyway, is just vaping the address book - Outlook clearly can't be trusted with it, right now. ®
