Vista Defrag security flaw?

Faustus · 8 Apr 2007 at 16:29

I continue to be puzzled by the Vista Defrag utility. It has been designed to run in the background so that the "user" can continue to work normally. However, my experience has been that the only way to successfully use Vista Defrag is to disable the antivirus software, which in my case is AVG Free. If I don't disable AVG then the defrag is still running 14 hours later with no sign of it finishing. This means that to use Defrag I would have to use the Internet without any Antivirus. Surely this is a real security gaff if ever I saw one

modo77 · 8 Apr 2007 at 17:27

Security flaw? I dont even know where to start

Anyway I've not had a problem with antivirus apps running. I've used nod and kaspersky with vista and they didn't slow the defrag down.

Faustus · 8 Apr 2007 at 19:30

modo77 said:
Security flaw? I dont even know where to start Anyway I've not had a problem with antivirus apps running. I've used nod and kaspersky with vista and they didn't slow the defrag down.

Well certainly if you looked at my previous thread on Vista Defrag you will see the mammoth hours taken by my PC with its 250 gig and 160 gig slave drive - in fact until I stopped AVG running it never actually completed the task. Once I stopped AVG it did it in a couple of hours, and the interesting thing was that it seemed to perform the function very much like XP with the CPU ramping up to 50 and 60% usage throughout the task.

bledd · 9 Apr 2007 at 10:58

a decent AV program will ignore the file access of a defrag program

ie Nod32 ignores o&o defrag when it's moving files around

AVG is probably too simple

Faustus · 9 Apr 2007 at 11:56

bledd. said:
AVG is probably too simple

Bit like me really

I'll tell you another thing I have discovered over the last few days which is related to the Vista Defrag utility and that is with using automated Defrag scheduling. I have set my PC to go into sleep mode after 20 minutes if the computer remains idle. However, I have had an issue where the monitor switches off but the HD doesn't and I observed that the HD was showing activity even though no one was using it. It appears that if a Defrag schedule is setup and then missed, maybe not using computer that day etc. then when the PC is next started even though the schedule is not due again for another 7 days the PC starts to Defrag. Obviously because AVG is blocking the Defrag it never completes and so the PC cannot go to sleep. I have disabled any further automatic schedules and will just set them manually myself in the future - doing this cured the problem straight away.

Ah the beauty of Vista - I am now using Acronis TrueImage 10 for all my backups as Vista won't backup anymore (says the image is corrupt or has been tampered with) and now automatic Defrag is switched off. Never had any issues with XP in the three years I was using it.

TC1 · 9 Apr 2007 at 13:01

Antivirus? Whats that?

I don't use one!!

NathanE · 9 Apr 2007 at 13:11

Provided you leave UAC on (and don't blindly click Allow to all its prompts) you really don't need anti-virus on Vista. Secure by default... a fairly new concept on the Windows desktop

Faustus · 9 Apr 2007 at 21:34

NathanE said:
Provided you leave UAC on (and don't blindly click Allow to all its prompts) you really don't need anti-virus on Vista. Secure by default... a fairly new concept on the Windows desktop

Not according to Kaspersky its not.

gurusan · 9 Apr 2007 at 21:36

Use Ashampoo Magical Defrag

constantly defrags without you even being aware of it

NathanE · 9 Apr 2007 at 21:48

Faustus said:
Not according to Kaspersky its not.

They have an agenda, I don't. Up to you to decide who to believe...

Una · 9 Apr 2007 at 21:50

NathanE said:
Provided you leave UAC on (and don't blindly click Allow to all its prompts) you really don't need anti-virus on Vista. Secure by default... a fairly new concept on the Windows desktop

I take it you havn't read about the ANI cursor vulnerability then. Vista is certainly vulnerable to it... Really secure considering they patched previously but didnt check the rest of the code. Fyi quite a few AV vendors detected it and blocked the code execution before m$ issued a patch.

http://determina.blogspot.com/2007/04/exploiting-vista-with-ani.html

NathanE · 9 Apr 2007 at 22:26

Yup but Protected Mode IE7 severely reduces the threat... Once exploited they can basically do nothing to your system... the privilege level is too low.

Vista has multiple layers of security and it's unlikely that all of them can be penetrated by a single exploit. Of course it's easy and fun for media to publish headlines like "Vista exploited already" but in reality if you just read into it a bit more you'll see that it's not anywhere as serious as they make out.

If you're not using IE7 on Vista then it is a serious flaw.

Una · 9 Apr 2007 at 22:33

Nah you really don't understand it. Sure IE7 runs in protected mode but Firefox/Outlook express etc are valid launch platforms as well and what priviledges do you think they run under (Yes thats right most people still use the first account created on their vista box). Not to mention the NtRaiseHardError priviledge escalation once your in. What do you think is easier to exploit when you got local access or remote access? Local access by far. Could this have been prevented by using an AV to detect the ANI exploit, sure.

About the outlook method as well, multipart mimi e-mail that contains multiple icon files references by the html message means you can brute force the correct target via the mail reader without any form of client-side scripting..

NathanE · 10 Apr 2007 at 13:44

I do "understand" it

I'm just being realistic about the actual impact and aren't going on what I've read in the technology media...

Outlook 2007 isn't vulnerable.

IE7 is vulnerable but when running in Protected Mode (default on Vista) the threat is severely reduced.

Firefox... wide open to attack.

Opera... wide open to attack.

Other launch platforms that aren't using some low privilege "Protected Mode"... wide open to attack.

Una · 10 Apr 2007 at 14:07

Once you got a shell in protected mode its trivial to use this http://www.securityfocus.com/bid/23278 To get up to SYSTEM level access.. You really that the impact is not big?

NathanE · 10 Apr 2007 at 14:28

A flaw that's been fixed and sent out via Automatic Updates?

Also:

NathanE said:
Vista has multiple layers of security and it's unlikely that all of them can be penetrated by a single exploit

Una · 10 Apr 2007 at 14:41

NathanE said:
A flaw that's been fixed and sent out via Automatic Updates?

Also:

I was just using that as an example I know its been patched already. The point I was trying to make was that initially a decent AV would have picked up the ANI exploit before it had the chance to execute its payload (ZERT/eeye published a patch before microsoft even had a chance - not to mention when the first ani vulnerability was found in april 2005, microsoft were actually notified in dec 2006 on the 2nd... It has been non public for a while). There is no silver bullet in security - Openbsd/SELinux have a much better security model than vista and still vulnerabilities are found.

Will be interesting to see what happens when malware writers start signing their processes as protected also...