Reg WinXP beta system virus defences breached
The good news - they can't get out. The bad news - we can't kill them either...
WinXP diaries How safe is Microsoft's new approach to viruses? Sort of safe, but not entirely helpful, it would appear. Not one virus but two seem to have slid through the deflector shields of my Office XP installation, and while they're under control, catching them and killing them is a bit of a puzzle right now.
For experimental reasons I've been running Outlook 2002 with the default security settings for a month or so now, because I ought to find out what happens to real live customers. With hindsight, I accept it was a tad reckless to do this with a production system, but then again how else could I find out?
Up until the arrival of the two unwanted guests it did seem to be working, and some aspects of Outlook were actually very helpful when it came to dealing with the biggest mail headache, and my prime virus source - The Register Daily Update mailing list. The account used for this only ever sends the daily update, and on a daily basis gets back about 200 holiday autoresponders in numerous formats and languages (I don't actually know the Norwegian for 'I'm away right now', but I can easily find out).
It also gets about half a dozen viruses, tons of spam, and about once a week a sad message from somebody who can't figure out the automatic unsubscribe - frequently because they've forgotten their own email address.
So the task is to automatically throw away all of the holiday responses, viruses and bits of spam, leaving a couple of weird bouncers and these lost souls to deal with. The ease with which Outlook 2002 allows you to set up rules means it's been doing splendidly, and I've even had time to sneer at the company that sent a message begging to unsubscribe the one person there who isn't on the list, whereas what they meant was take off all four of the people who were. Apparently I'm supposed to be able to guess this sort of stuff.
Compare and contrast this with the previous client I'd been using, Eudora 4.3. This does allow you to set up rules, but I'd never been able to figure my way around setting up particularly sophisticated ones, so the big pile of crud would back up, and the lost souls got patchy service. Which many of them deserve, but it's better to be nice.
The joys of automation
Aside from being good at automated rule creation, Outlook seemed to be doing pretty well on viruses as well. Homepage bounced off, as did the various puzzling attachments in weird languages I don't speak. Surely it couldn't last? No, apparently not.
I've just for the first time looked at the macro security settings, and they're at high, which is "only signed macros from trusted sources will be allowed to run. Unsigned macros are disabled." Furthermore, I note I have no trusted sources, which is as it should be in this business. So, how come something got inside the tent?
And then there's the matter of how come the viruses have taken a week or more to kick into action? I've found the originating messages, two apparent domain registration spams whose message IDs suggest they're from the same source. In neither case has a .scr attachment been detected, which I take it is how you tell they got through (I'm new to this end of the business - never, apart from the odd Word macro, suffered a successful hit until now).
They were sent on Sunday 13th, and I think I can explain some of the long delay. It might have actually hit on that day, because I noted that some tasks in my Outlook queue were failing. Figuring out what was going wrong proved difficult, but I concluded it was to do with me having to switch around my outgoing email ID depending on whether I'm at home, or on the office or a dialup connection.
The confusion over outgoing IDs may actually have saved me there by stopping the virus going out. It was late, so I gave up trying to fix it, then the next morning when I found it had spent the night logging on and failing to send over 900 times I thought virus, then phone bill (MSN Messenger does this to ISDN as well, if you forget to catch it and kill it), pulled the plugs, disabled all the auto send and receive, and cancelled all tasks for good measure.
That seemed to fix it, and as there was nothing suspicious in either the outbox or the sent messages, I concluded it had just spent all night trying to send the two messages from me that were in the outbox, but that I'd set to send on the wrong ID.
So maybe I had a virus, but I didn't notice. One usability deficit of Outlook springs to mind here, because although you can see tasks failing in the send/receive details, you can't readily see what it is specifically that's failing. Outlook help seems silent on the subject of task queues, as indeed it is on many of the other nasty techie things it's intent on shielding you from.
Making it harder by way of easier
You could say this was a standard feature of the Microsoft approach to software, however. The products have many helpful bolt-ons which, when they're good, are very very good. But when something goes wrong you find the answer, if it exists, is buried deep under many layers of shielding, and that Clippy is just as useless as he ever was. Lob in the thought that it is quite possible that a combination of the automation and the shielding is actually generating problems users can't solve on their own; mightn't that suggest that by trying to make it easier, Microsoft is simply building everybody bigger and bigger headaches? Particularly its own support, usability and development teams.
But getting back to today, the 23rd for a little while yet, the virus is either back, or it just kicked into action after a ten day slumber, and this time the system has handled it differently, slightly more expertly, but not very helpfully. Here's what happens. A dialogue box kicks in, warning that something is trying to access my address book. It doesn't volunteer information about what that something is. Click no, don't allow it, up it pops again... and again... and again. I'm not about to click yes, am I?
But there's a clear usability issue here. If a naive user, more naive even than me, can't figure out how to get out of this apart from clicking yes, then they're going to do that, at least maybe. OK, shall we find out what it is then? Pull the cable out of the wall, click yes. Now it wants to know if it can send something. Click yes again. Here it is again, click yes again. Get bored, look in the outbox. Here we are, two outgoings, and no doubt many more if you carried on clicking yes.
Outlook has blocked both outgoing attachments, which are new_doc.scr, and the tempting New_Napster_Site.DOC.scr. But it's trying to send the mail, so presumably it'd spam all my contacts with the dumb message anyway, but minus the attachment.
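As an added illustration (not the article's or Microsoft's code) of the kind of attachment screen that stopped the two .scr files above, here is a small checker that parses a constructed message and flags blocked extensions and double extensions such as New_Napster_Site.DOC.scr. The extension list is an assumed subset, not Outlook's full blocked-file-type list.

```python
# Added example: screen MIME attachments the way Outlook 2002 blocked the
# two .scr files from the article. The sample message is constructed here.
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Assumed subset of executable extensions; Outlook's real list is longer.
BLOCKED_EXTENSIONS = {"scr", "exe", "pif", "vbs", "bat", "com", "js"}


def attachment_verdicts(raw_message: bytes) -> List[Tuple[str, str]]:
    """Return (filename, verdict) for each attachment of a raw RFC 822 message.

    verdict is "blocked" for a blocked extension, "double-extension" when a
    blocked extension hides behind a document-looking one (name.DOC.scr),
    and "allowed" otherwise.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in BLOCKED_EXTENSIONS:
            verdict = "double-extension" if len(pieces) > 2 else "blocked"
        else:
            verdict = "allowed"
        verdicts.append((name, verdict))
    return verdicts


def has_blocked_attachment(raw_message: bytes) -> bool:
    """True if any attachment would be stripped before the mail goes out."""
    return any(v != "allowed" for _, v in attachment_verdicts(raw_message))


def build_sample() -> bytes:
    """Constructed message carrying the two attachment names named in the text."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "reader@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    payload = b"\x00\x01"  # constructed stand-in, not a real screensaver
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename="new_doc.scr")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename="New_Napster_Site.DOC.scr")
    msg.add_attachment("hello", filename="notes.txt")
    return msg.as_bytes()
```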
So we've now got several puzzles here. If it's the same as last time, why is Outlook warning now, but didn't warn then? It's the same machine, I haven't changed the setting, so why? Why the gap of ten days? This I might be able to answer - I imported the mail into a boot managed Win98 OXP system, collected some more mail, and then when I rebooted in WinXP, just opened the outlook.pst on the C drive. So opening it may have weirdly brought it back to life.
Danger, WinXP
Next, how do you stop the warning popups? Tell it to go away and it just keeps coming back; I've only got 30 people in the book and have just tried 90 clicks, so that does seem to be the case. Clearly the simplest way to do this is to run an antivirus program and hose the things, then kill off anything lying around in the outbox. But friends, may I quote from the WinXP beta 2 readme.doc? "On computers running Whistler Personal, Whistler Professional, or Whistler Advanced Server, only antivirus programs written for the specific Whistler operating system run correctly. Antivirus drivers not written to run on the specific Whistler operating system might cause problems. Other issues might include a lack of real-time scanning for viruses or system vulnerability to virus attack. These problems range in severity from recoverable errors to loss of some or all of the data, to the computer becoming unusable. There is no workaround for this. This issue will not be addressed in future release."
Get out of that without moving, and surely that last sentence has to be a misprint? I knew there was an antivirus issue with the WinXP beta, so hadn't bothered reading the relevant paragraph, but it's so bizarre that it really requires further explanation from Microsoft - if they're saying what they mean, then what the blazes are they smoking?
I quite frequently hear from the Microsoft techies when I do these pieces. They're good people who genuinely want to build good products, they're generally eager to help nail the problem, and I'm willing to help them if I can. Trust me on this, they're nice, it's the marketing people who're not. So I wouldn't be at all surprised if I hear from the OXP team over this one, and with that in mind I've kept the system 'as is' for the moment. Gentlemen, I have your viruses in isolation.
Two possible workarounds that occur to me would be to drop back to the Win98 system, hose it with Norton, then vape Outlook, reinstall and import (bit of a sledgehammer, but wouldn't take long and beats digging around in the entrails). The other one - which is now going to happen anyway, is just vaping the address book - Outlook clearly can't be trusted with it, right now. ®