In association with heise online

heise Security UK: You're running a pipeline, but how do you work to eliminate false positives on the pipeline?

Alex Eckelberry: It's as you get more into this advanced area that you run into higher chances of false positives, because you increasingly rely more on heuristics and behaviour, as opposed to pure signature match, and it scares the crap out of us. We spent a lot of time focussed on what we can do to make sure people don't get false positives and on response times, how fast we can deal with those false positives. The first thing we do, for every definition update, is that every single thing that goes through the pipeline gets scanned through our corpus of white-listed products to make sure we never hit an Excel, Word, PowerPoint, Java, whatever, any of those basics.

hS: Of course, we can't let you go without sounding out what you think about what Windows 7 means for security?

AE: I don't see anything all that special about it. I think the lower UAC settings will arguably hurt some people, but on the other hand, a lot of people were being driven batty with the constant pop-ups, so they were turning it off anyway. I do feel positive about the 64-bit kernel protection, in both Vista 64 and Windows 7. It's a real help to protect users. Another good thing they have done is to expose the 2-way firewall; it was a bit buried in Vista.

hS: How about Morro, Microsoft's free anti-virus. What impact do you see that having on security in general and for AV vendors?

AE: It's arguably a capitulation on the part of Microsoft, that OneCare didn't work out well for them. Let's face it, OneCare put Microsoft in the position of selling security software for an OS that was insecure as a result of their actions, and OneCare was always going to be something that would be a problem for them, because security is very high profile. When you miss something, everyone knows about it.

I don't know that it will mean a lot for security vendors. As far as I know, it's a basic anti-virus product. I take Microsoft's statement that this is designed for the third world, etc. at face value. Yes, there will be those who may just stick with the free product, but there are free products available right now from companies like AVG. Those who want to pay for more functionality will go with the incumbent vendors. The biggest question is whether or not Morro will be controllable by Group Policy. If so, that's not a good thing for the enterprise AV security vendors.

As for security in general, I think Morro is ultimately a positive step for the general universe of Windows computing, in the same way as the Malicious Software Removal Tool, which has cleaned various bad things from an enormous number of computers.

hS: Thanks for chatting, Alex, and we look forward to seeing the MX-V technology in VIPRE joining the battle against malware.

Permalink: http://h-online.com/-746223