Microsoft script recreates shortcuts deleted by bad Defender ASR rule
-
@Dashrender said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
Microsoft script recreates shortcuts deleted by bad Defender ASR rule
Microsoft released advanced hunting queries (AHQs) and a PowerShell script to find and recover some of the Windows application shortcuts deleted Friday morning by a buggy Microsoft Defender ASR rule.
Does it work?
What a clusterf*ck of a mess. The number of folks we've seen hit by this is astounding.
So glad we're holding back on deploying Windows 11 and staying out of Microsoft's cloud where we can.
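As an added example for readers triaging this on their own estate (this is my own PowerShell, not the Microsoft recovery script or advanced hunting queries the article refers to): the block below first reports which ASR rules are configured and whether each is in block or audit mode, then recreates any Start Menu shortcuts missing from a known-good inventory, refusing to create a shortcut whose target binary is not actually installed. The `$expected` table, the shortcut names and the target paths in it are constructed sample data; in practice you would feed it from an inventory taken on a reference machine.

```powershell
# Added example, not Microsoft's script. Needs the Defender module
# (Get-MpPreference) and write access to the Start Menu folder used.

# 1. Report every configured ASR rule and its enforcement mode. The
#    Ids and Actions arrays returned by Get-MpPreference are index-aligned.
function Get-AsrRuleState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $names   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        $mode = if ($names.ContainsKey($code)) { $names[$code] } else { "$code" }
        [pscustomobject]@{ RuleId = $ids[$i]; Mode = $mode }
    }
}

# 2. Recreate shortcuts that are missing. $Expected maps shortcut name
#    to target executable; entries whose target does not exist on disk
#    are skipped so we never create dangling shortcuts.
function Restore-MissingShortcut {
    param(
        [Parameter(Mandatory)][hashtable]$Expected,
        [string]$StartMenu = (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'),
        [switch]$WhatIf
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($name in $Expected.Keys) {
        $lnk    = Join-Path $StartMenu "$name.lnk"
        $target = [Environment]::ExpandEnvironmentVariables($Expected[$name])
        if (Test-Path $lnk) { continue }            # still present, nothing to do
        if (-not (Test-Path $target)) {             # app not installed here
            Write-Warning "skip $name : target not found ($target)"
            continue
        }
        if ($WhatIf) { Write-Host "would recreate $lnk -> $target"; continue }
        $sc = $shell.CreateShortcut($lnk)           # WScript.Shell COM shortcut object
        $sc.TargetPath       = $target
        $sc.WorkingDirectory = Split-Path $target
        $sc.Save()
        Write-Host "recreated $lnk"
    }
}

# Constructed sample inventory (assumed names and paths; adjust to the estate).
$expected = @{
    'Word'    = '%ProgramFiles%\Microsoft Office\root\Office16\WINWORD.EXE'
    'Notepad' = '%SystemRoot%\system32\notepad.exe'
}

Get-AsrRuleState | Format-Table -AutoSize
Restore-MissingShortcut -Expected $expected -WhatIf   # drop -WhatIf to actually write
```

Run it first with `-WhatIf` to see what would be recreated; the rule report is worth keeping from before and after any change, since a rule that was flipped to Audit during the incident is easy to forget to set back to Block.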
-
@PhlipElder said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
@Dashrender said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
Microsoft script recreates shortcuts deleted by bad Defender ASR rule
Microsoft released advanced hunting queries (AHQs) and a PowerShell script to find and recover some of the Windows application shortcuts deleted Friday morning by a buggy Microsoft Defender ASR rule.
Does it work?
What a clusterf*ck of a mess. The number of folks we've seen hit by this is astounding.
So glad we're holding back on deploying Windows 11 and staying out of Microsoft's cloud where we can.
I don't know - Ask @Scott - his people have had to deal with it some.
-
@PhlipElder said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
So glad we're holding back on deploying Windows 11 and staying out of Microsoft's cloud where we can.
I'm trying to decide if running Windows is more like having a live virus on your computer or if it's like having a government controlled device that you bought and paid for but have no say over (it's for you own good of course).
-
@Pete-S said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
@PhlipElder said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
So glad we're holding back on deploying Windows 11 and staying out of Microsoft's cloud where we can.
I'm trying to decide if running Windows is more like having a live virus on your computer or if it's like having a government controlled device that you bought and paid for but have no say over (it's for you own good of course).
Isn't that the same for your phone?
-
@Dashrender said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
@Pete-S said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
@PhlipElder said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
So glad we're holding back on deploying Windows 11 and staying out of Microsoft's cloud where we can.
I'm trying to decide if running Windows is more like having a live virus on your computer or if it's like having a government controlled device that you bought and paid for but have no say over (it's for you own good of course).
Isn't that the same for your phone?
More or less yes. But perhaps more spyware than virus I think.
-
@Pete-S said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
@PhlipElder said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
So glad we're holding back on deploying Windows 11 and staying out of Microsoft's cloud where we can.
I'm trying to decide if running Windows is more like having a live virus on your computer or if it's like having a government controlled device that you bought and paid for but have no say over (it's for you own good of course).
Is OSS any better? Nope.
https://www.theverge.com/2021/4/30/22410164/linux-kernel-university-of-minnesota-banned-open-source
In fact, a very big NOPE.
At least with closed source one can "trust" to some degree that the vendor is not going to outright shoot themselves in the foot.
That story above shows that anyone and their dog can hypocrite commit and no one would be any the wiser. None. Nada. Zippo. Zilch.
The Kernel team showed a really bad side of themselves there. Very immature.
-
@PhlipElder said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
Is OSS any better? Nope.
https://www.theverge.com/2021/4/30/22410164/linux-kernel-university-of-minnesota-banned-open-source
In fact, a very big NOPE.
What? It's SO much better. And you provide a famous reference as to why it is better.
-
@PhlipElder said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
That story above shows that anyone and their dog can hypocrite commit and no one would be none the wiser. None. Nada. Zippo. Zilch.
That means nothing. First, open source does NOT imply what you say, that's false. You are talking about an open project repo, not open source. You aren't even talking about open source. A closed source application can still have an open commit repo. Those are two totally different concepts. Nothing in something being open source implies this whatsoever.
Second, you say commit as if that's a bad thing. It's not. You are attempting to use marketing FUD to make something good sound bad. That anyone can SUBMIT changes is good. Why is that bad? You can SUBMIT changes to Windows or any other closed source system. It's not like those changes are automatically accepted. That's a different thing.
So your statement is untrue. In every sense.
-
@PhlipElder said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
The Kernel team showed a really bad side of themselves there. Very immature.
What now? So you think that Windows would just let malicious entities add changes with no ramifications? I think not. And I'm unclear why you'd want that.
I feel like you are racing to defend closed source at any cost and are getting really emotional here. And you are mixing concepts of repos, specific managers, security and other things and using all those things as proxies but then claiming it is the licensing that creates or determines those. What?
-
Maybe social engineering and attacking the software team is considered "good behaviour" at Microsoft, but here in the software engineer and IT worlds, that's a crime.
-
@Dashrender said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
@PhlipElder said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
@Dashrender said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
Microsoft script recreates shortcuts deleted by bad Defender ASR rule
Microsoft released advanced hunting queries (AHQs) and a PowerShell script to find and recover some of the Windows application shortcuts deleted Friday morning by a buggy Microsoft Defender ASR rule.
Does it work?
What a clusterf*ck of a mess. The number of folks we've seen hit by this is astounding.
So glad we're holding back on deploying Windows 11 and staying out of Microsoft's cloud where we can.
I don't know - Ask @Scott - his people have had to deal with it some.
Not seen this hit us yet, but we use a lot of Windows 11, but not ASR.
-
@PhlipElder said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
So glad we're holding back on deploying Windows 11 and staying out of Microsoft's cloud where we can.
I've missed something. Don't get me wrong, I totally don't trust Microsoft and can't believe companies are willing to pay us against our advice to maintain it in production and I'm very thankful for all of the revenue it generates, but what does keeping Windows up to date have to do with this? That ASR has a bug is one thing, and relatively easy to have happen with something like ASR because it has to be a little aggressive to do what it does. But how does up to date Windows put you at risk?
-
@Dashrender said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
Microsoft script recreates shortcuts deleted by bad Defender ASR rule
Microsoft released advanced hunting queries (AHQs) and a PowerShell script to find and recover some of the Windows application shortcuts deleted Friday morning by a buggy Microsoft Defender ASR rule.
This affects all Windows including the full Windows 10 & 11 series. So even staying back an epic number of releases would not have protected. And it's not a Windows issue at all, it's an ASR issue. Had ASR been installed and available on Mac, Linux or anything else, it would have the same potential. It's just a bug in software designed to delete unwanted things. Not a lot of ways to protect against that other than regular diligence.
-
@scottalanmiller said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
@PhlipElder said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
Is OSS any better? Nope.
https://www.theverge.com/2021/4/30/22410164/linux-kernel-university-of-minnesota-banned-open-source
In fact, a very big NOPE.
What? It's SO much better. And you provide a famous reference as to why it is better.
Huh?
The U published code under the noses of the Kernel Team with not a peep out of the KT until the U pointed out that they did it?
Seriously?
-
@scottalanmiller said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
@PhlipElder said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
The Kernel team showed a really bad side of themselves there. Very immature.
What now? So you think that Windows would just let malicious entities add changes with no ramifications? I think not. And I'm unclear why you'd want that.
I feel like you are racing to defend closed source at any cost and are getting really emotional here. And you are mixing concepts of repos, specific managers, security and other things and using all those things as proxies but then claiming it is the licensing that creates or determines those. What?
No Feelings here Scott just thoughts.
SolarWinds is a good example of the clusterf*ck that can happen with closed source.
Neither are perfect but when it comes to the balance of "trust" I think closed source has the edge.
The U publishing code their parrot could have written under the noses of the Kernel Team makes it clear that anyone with COMMIT status could do so. Anyone.
There's a big difference there as that ANYONE could be a lot more than what should be a closed loop supply chain.
In both cases, there has been a demonstrated failure to test their code prior to publishing and to operate under a zero trust paradigm.
-
@PhlipElder said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
Neither are perfect but when it comes to the balance of "trust" I think closed source has the edge.
But... why? Everything about closed source is insecure. Trust goes 100% to open source. In every way. There are no downsides, only upsides. Closed source has no upsides, only downsides.
When it comes to security, trust, end user value.
-
@PhlipElder said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
SolarWinds is a good example of the clusterf*ck that can happen with closed source.
Not really. This is an example of a bad vendor. That's not related to its source licensing. Solarwinds is a bad vendor, if their products were open source they'd still be a bad vendor making bad products, just with friendlier, better, more secure licensing for their customers. It's "better" but marginally so.
The bottom line is open source is always, no ifs, ands or buts, for customers. Literally in every sense. Every negative people use as examples of open source always turns out to be about something that isn't the licensing, but as software is complex people look for easy scapegoats so point to something that they've heard of and associate unrelated things with it.
Once source licensing concepts are understood, I believe that there can be no discussion. The value of open over closed is so universal that it actually feels crazy to me that someone would even suggest that closed source could have any form of positive value.
Closed source exists only for two reasons....
- It has benefits to the vendor (as a software vendor we OFTEN choose closed licensing... because it's in OUR benefit, we could never do so for our customer's benefit.)
- To hide security holes that the vendor doesn't know about or want to deal with.
-
@PhlipElder said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
The U publishing code their parrot could have written under the noses of the Kernel Team makes it clear that anyone with COMMIT status could do so. Anyone.
You can say that about anything. But the reality is that that's not true. That ANYONE can PROPOSE something bad has nothing to do with source licensing. That's the first piece. And that anyone could sneak something under their noses is a theory that they proved wrong. Yet Defender ASR proved correct.
But in neither case is the availability of the source a factor. But in the open source example there are vastly more chances to catch someone having done that. Vastly more.
In closed source, there can be no trust.
-
@PhlipElder said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
There's a big difference there as that ANYONE could be a lot more than what should be a closed loop supply chain.
So again...
- That the supply chain is open or closed is misleading. Open source doesn't imply that the supply chain is open or even visible. Nor does closed source suggest that the supply chain isn't open.
- In this case, the supply chain IS closed, just like Windows Defender ASR.
-
@PhlipElder said in Microsoft script recreates shortcuts deleted by bad Defender ASR rule:
In both cases, there has been a demonstrated failure to test their code prior to publishing and to operate under a zero trust paradigm.
No, neither case demonstrates that. That's not even what the researchers were attempting to test. They were attempting to test human error, not an existence of trust.
And they got caught, while it wasn't as soon as we'd hope, it happened. No different than a bad employee getting fired at Microsoft. The difference is that one is public and open to inspection and discussion. The other is closed and secret. Which process should you trust? You can't say the secret one, we know that that isn't the answer.
I'm literally dealing with this with a closed source financial systems vendor. We can't see their code, but we can see how it is interacting with the database and were able to tell the financial operator that they'd been intentionally putting a lot of holes (hypocrite commits) into the system. And since it is closed source, we don't know how many, when, who, etc. It's all hidden from us. They conveniently "lost" the code commits so that they can't tell us any details. but what we know is that really bad things, not just research, was happening.
With open source we'd at least have a guarantee that we could look into it. With closed source, we have to start over with another vendor. This is all internal, so we aren't talking public open source, but source open to the customer, but the effect is the same. Malicious updates going in and using the closed source aspect to hide it.
We think at least SOME of the employees that did it were fired. Because of that? We'll never know. It's all secret. But one thing we know.... we can't trust anyone there.
The issue here is that we are just looking at human error. No one accepted the Linux commits on purpose, they didn't see the mistakes. No one put the bad update on ASR on purpose, they didn't see the mistake.
We can feel really, really sure that Microsoft tested the f out of that code and just didn't catch the cases or way that it did this weird shortcut delete. And we know for a fact that the Linux kernel gets insane testing before release AND after release by primary AND third parties.
So it's not showing a lack of testing, or an abundance of trust. It's showing the risk of human error when something bad happens that can be hard to catch or test for. You can only test for things you can predict.