Are Security Vendors Tricking XP SP2?

Microsoft says its Service Pack 2 update adds an additional layer of security to Windows XP-based PCs. However, recent PCW tests seem to show that at least two major security suites are crippling SP2's ability to offer users accurate security information.

SP2, which Microsoft rolled out in August, includes the new Windows Security Center. This feature alerts users when their PC's antivirus or firewall software is missing or out of date. It also signals when the real-time virus scanner is disabled, and when the firewall is not enabled. At least, that's how it's supposed to work.

However, when we installed Symantec's Norton Internet Security 2005 and McAfee's Internet Security Suite 2005 on a system running SP2, both apps caused the Windows Security Center to erroneously report that the products were up-to-date. Any antivirus software, whether downloaded via the Internet or purchased at retail, will need its signatures updated when it is first installed. This is because they need to reflect any new viruses that were discovered between the time the product was created and when it was installed.

In the case of McAfee, even the vendor's own product incorrectly reported that it was up-to-date out of the box. (Symantec's product correctly noted that it required an update).

We also installed Trend Micro's PC-cillin Internet Security 2005 to a system running SP2. In this case, the Windows Security Center properly reflected that the product needed updating. Once the Trend Micro PC-cillin Internet Security 2005 product had been updated, the Windows Security Center status changed accordingly. We had similarly successful results when installing F-Secure Internet Security 2005, ZoneAlarm Internet Security, and Panda Software's Platinum Internet Security 2005. Each of these suites worked seamlessly with the Windows Security Center, and the update status was properly reflected after their installation.

Tricking Windows Security

Representatives from Symantec and McAfee acknowledge that their latest programs manipulate the Windows Security Center.

During installation, Symantec's Norton suite deliberately disables the Windows Security Center feature that alerts users to missing or incomplete protection, says Kraig Lane, product manager for Norton Internet Security. Norton keeps the feature disabled until it has completed its initial update, and then it turns it on, he says. This is done because Symantec's usability studies showed that the Windows Security Center alerts that users received during the installation of a new product weren't conducive to a good user experience, Kraig says.

McAfee offers a similar explanation. The antivirus signature files are deliberately dated to the time of install, specifically to "avoid Windows Security Center out-of-date messaging," on Windows XP SP2 systems, says Brent Lymer, senior director of product and partner management at McAfee Consumer.

Neither Symantec nor McAfee indicated to us that they are planning to change these policies.

Microsoft Weighs In

Microsoft says the onus for accurately updating the status of antivirus definitions falls on the antivirus vendors themselves. The Windows Security Center merely attempts to mitigate threats by providing a single location for reporting the status of security problems and alerting users when programs are in need of attention.

The Windows Security Center also can alert users when worms or viruses disable their antivirus software. Viruses and worms often exploit the window of vulnerability that exists after a new virus is first discovered and before specific detection signatures are available. Upon infecting the vulnerable system, the worm disables the antivirus software protection, preventing the updates that would have guarded against it and leaving the system exposed to further compromise.

In order to offer these alerts, the Windows Security Center uses the Windows Management Interface (WMI), reading the data placed there by the security vendors and reporting accordingly.

The Windows Security Center was deliberately designed to be flexible, says Ryan Burkhardt, lead program manager for the Microsoft security business and technology unit. "Our hope was to get as many antivirus and firewall companies as possible to utilize this infrastructure, but it is really up to the vendor how they do the implementation," he says.

Unfortunately, the same flexibility that allows the antivirus vendors to manipulate the Windows Security Center leaves open the possibility that a malware writer could do the same. We spoke with several security experts about this possibility, but none who were well-versed in SP2 technology were willing to speak on the record regarding the possibility of exploit. When we posed the question to Microsoft, the company stated that the WMI has no known security vulnerability related to it.

Antivirus update schedules vary widely among vendors, and Microsoft wanted "to avoid judging who was in a good state or a bad state," says Yoav Schwartz, program manager for the Windows Security Center. Microsoft has "provided the necessary support, documentation, and infrastructure [and] it is really up to [the vendors] to provide the best experience they can for the user."

So how can you protect yourself? Your best bet is to check for antivirus updates immediately after installing the product, regardless of the status reported by either the Windows Security Center or the product itself, and to configure the product to search for updates automatically, at least weekly. If you suspect your protection may not be working properly, you can test it using the EICAR test file found at Eicar.org, or contact your antivirus vendor support for assistance.

Subscribe to the Best of TechHive Newsletter

Comments