August 1st, 2007
Tech Shakedown #3: McAfee's 'Block/Allow this change' dialog is a useless warning
As far as security solutions go, personal firewalls are probably the most problematic category for vendors to get right, let alone for users to get working. Not only are there differing philosophies about what belongs in a personal firewall and what doesn’t (e.g., whereas many personal firewalls can and will block suspicious outbound traffic, Microsoft’s doesn’t, by design), the solutions also vary widely in their implementations and user friendliness. Depending on which solution you pick, personal firewalls tend to be more or less “chatty” with their users as a matter of their ongoing “training.” This is where the firewall checks with the user before allowing some sort of first-time network-related activity between a specific software component and some destination on the local area network or the public Internet.
On one end of the spectrum of “chattiness” are firewalls that are preprogrammed to allow certain activities. Users are infrequently bothered with questions of whether some behavior should be allowed or not. On the other end (in other words, very chatty) are solutions that assume nothing and ask the user every time they see a behavior not witnessed before. Still others (the ‘tweeners) have configurable thresholds at which point they start to become more or less chatty.
These varying degrees of chattiness appeal to different types of users. Power users like me (a.k.a. control freaks) who like to know everything that their systems are up to often prefer the chattier firewalls. Every time these firewalls see an attempt at some new inbound or outbound network behavior that they haven’t seen before, they usually give the user an opportunity to block or allow that behavior and, in so doing, allow the user to control just that one attempt (in other words, allow/block this time only) or all future attempts (allow/block forever).
Two potentially suspicious activities that most firewalls look out for (an area that crosses over into what anti-virus solutions often do) are changes to the software components themselves as well as the registry (in the case of Windows). For example, if, in the course of responding to a chatty firewall’s dialogs, you gave software component XYZ permanent access to the Internet, subsequent changes to that component could result in a vulnerability since such changes are sometimes introduced by malware.
The worst case scenario might be where malware that phones home with sensitive data infects a component that already has carte blanche access to send and receive anything through your personal firewall. It’s usually the responsibility of your anti-virus (A/V) program to intercept such malware. But personal firewalls often offer an additional layer of security by notifying the end-user that some component or the registry has been altered (most such alterations happen through updates and patches, but malware could also be to blame). If a firewall alerts you to such a change and you suspect it was malware, you’re usually given the option to shut off its access to the network. Some firewalls give you the option to prevent the change in the first place, which brings me to the point of this blog post.
As can be seen from the attached partial screenshot (above right), McAfee’s personal firewall has detected an attempt to change a key in Vista’s registry. The complete text of the dialog says:
! File Change Detected
McAfee has detected a potentially unauthorized change to your computer
Details
SystemGuard Name: Shared Task Scheduler
Change: File Modified
More Info
SystemGuard Description: The SharedTaskScheduler registry key contains a list of programs that run when Windows starts. Some spyware or other potentially unwanted programs modify this key and add themselves to the list without your permission.
Process: C:\Windows\System32\svchost.exe
Process Name: Host Process for Windows Services
Process Publisher: Microsoft Corporation
Affected Items: C:\Windows\Tasks\User_Feed\Synchronization-{7FB51E8E-F57E-4D8A-916A-1207E2509139}.job
If you did not expect this change, McAfee recommends you block it. If you expected this change, allow it
And then it gives you the option to Block or Allow the change.
So, what’s the problem? First, as I have written many times before, even power users are ill-equipped to make heads or tails of a dialog like this (I also make this point in the attached video). There’s no link or anything that says “Research this issue online.” My expectation has always been that McAfee and other security solution providers should be offering end-users additional linkage in an effort to determine whether the behavior is expected of the software component in question, or not. For example, just a link that populates a Google or Yahoo search with some keywords would be better than nothing (because that’s what I always end up doing next, by hand).
Since the firewall provider is often the anti-virus provider as well, another neat improvement here would be to offer an A/V sweep of just the affected component. That could be redundant with the monitoring that the A/V system is doing already. But it might offer the user some additional peace of mind to know that the mentioned software component has checked clean for malware as far as the A/V system (with its most recent updates) is concerned.
But, assuming that it’s Microsoft’s svchost.exe program that’s making the changes to the registry (hard to tell from this cryptic message), and assuming that that’s expected behavior for svchost.exe (it’d be nice to know this too — I’m checking with Microsoft), then, not only should this change be allowed this once, but also each time in the future.
My hunch is that this is expected behavior for svchost.exe and that it’s related to the way the RSS feed-reading gadget in Vista’s sidebar synchronizes with the RSS subscriptions in Internet Explorer 7 (I could be completely wrong on this, but I’ll bet I’m warm). Regardless of whether this is expected behavior or not, the problem with McAfee’s dialog is that it doesn’t give me the opportunity to “remember” my election to allow the behavior. This, in turn, would suppress McAfee’s instincts to alert me every time something that’s supposed to happen, happens. Unfortunately, right now, I (as well as other McAfee users) don’t seem to have this choice and as a result, we must put up with these incessant warnings which I’m relatively certain are much ado about nothing.
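As an added example (not McAfee's code, nor anything from the original post), here is a PowerShell triage script that does by hand the checks the post wishes the dialog offered: it parses the quoted alert fields, verifies the Authenticode signature behind the "Process Publisher" claim, inspects the affected item, lists what is actually registered under the SharedTaskScheduler autostart key, and builds the "research this online" search link. It assumes a current Windows PowerShell, that the quoted paths exist on the machine, and that the key lives at its standard location under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer.

```powershell
# Alert fields copied from the dialog quoted in the post (constructed sample input).
$alertText = @"
Process: C:\Windows\System32\svchost.exe
Process Publisher: Microsoft Corporation
Affected Items: C:\Windows\Tasks\User_Feed\Synchronization-{7FB51E8E-F57E-4D8A-916A-1207E2509139}.job
"@

# Pull the "Field: value" pairs out of the dialog text.
$fields = @{}
foreach ($line in $alertText -split "`r?`n") {
    if ($line -match '^(?<k>[^:]+):\s*(?<v>.+)$') { $fields[$Matches.k.Trim()] = $Matches.v.Trim() }
}

# 1. Does the process's Authenticode signature back up the claimed publisher?
$proc = $fields['Process']
$sig  = Get-AuthenticodeSignature -FilePath $proc
[pscustomobject]@{
    Process          = $proc
    SigStatus        = $sig.Status                    # 'Valid' for a genuine svchost.exe
    Signer           = $sig.SignerCertificate.Subject
    ClaimedPublisher = $fields['Process Publisher']
}

# 2. What is the affected item, and when was it last written?
$item = $fields['Affected Items']
if (Test-Path $item) {
    Get-Item $item | Select-Object FullName, Length, LastWriteTime
} else {
    "Affected item not present (already removed, or the change was blocked): $item"
}

# 3. Enumerate the SharedTaskScheduler entries (CLSIDs of COM objects Explorer loads at
#    start-up) and resolve each CLSID to the DLL it points at, so the list can be reviewed.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
if (Test-Path $key) {
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $srv = "HKLM:\SOFTWARE\Classes\CLSID\$($_.Name)\InprocServer32"
            $dll = (Get-ItemProperty $srv -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{ CLSID = $_.Name; Description = $_.Value; Dll = $dll }
        }
}

# 4. The "research this online" link the post asks for, built from the alert's own keywords.
$query = [uri]::EscapeDataString("$($fields['Process Publisher']) svchost.exe SharedTaskScheduler User_Feed Synchronization .job")
"https://www.google.com/search?q=$query"
```

Run it in an elevated session if the affected item under C:\Windows\Tasks is not readable to a standard user; a signature status other than Valid, or a CLSID resolving to a DLL outside System32, is the kind of finding that would justify choosing Block.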