MCHE Version 2 Update

  • Comments: 4
  • Written on: May 1st, 2007

First, I will apologize in advance that it has been so long since my last MCHE. This are going very well on the MCHE development, albeit a bit past due. The program was set for a February release, but on the eve of that release some advanced testing revealed that in certain conditions, the MCHE was deleting valid files and data from our test computers.

What Was The Problem
We could not let the MCHE out the door in that condition. With some work we found that the program was doing what it was supposed to do, it’s just that so many spyware infections have files that are named the same as Windows files, that it can be hard to tell them apart. Obviously we want to delete an explorer.exe that is a spyware file, but not explorer.exe the Windows file.

What Caused the Problem
Initially we hoped to maintain a “whitelist” of hashes for files we knew were legitimate, therefore ensuring that they would never be deleted by the MCHE. We are still using this approach as a component of our false detection prevention, however alone it was simply not enough.

In a mere 24 hours, one of our cron computers (set up to download every conceivable update automatically and add them to the hash database) received more than 50 new program hashes.

Because there are so many whitelisted programs out there that happen to bear the same file names as spyware infections, the algorithm we were using (name on spyware list + name not on whitelist + name not on local exclusions list = remove infection) was not cutting it.

What Did You Do to Fix The Problem
We had to retool the scanning algorithm to be more picky about the pattern matching for spyware detections. We modified the formula to – file name on blacklist + file hash on blacklist + hash NOT on whitelist + hash not on local exclusions list = remove spyware.

Obviously building a list of hashes for known malware infections is a LOT more time consuming than building a list of safe hashes. and we are now testing that new matching algorithm. If it passes testing OK, we are ready to go. If not, then that is exactly why I have stopped posting firm release dates.

Stay tuned for additional updates this week as the program progresses through testing.

What do you think? Join the discussion...

How do I change my avatar?

Go to gravatar.com and upload your preferred avatar.

Subscribe to My RSS Feed

Subscribe Form Click to Subscribe or

      TwitterCounter for @thorschrock

Ed Wunder Loves Schrock's Service

Popular Posts

Top Commentators

Schrock Innovations' New Ride

Revolution Wraps Rocks!

Geek Squad Hires Anyone!

Other Recent Videos


We're on the Morning Blend answering your Lincoln Nebraska computer repair questions regarding warranties


Need your computer repaired in Omaha? If you're never visited Schrock Innovations before (1st time client), stop by for a FREE hour of repair

Our Open Adoption

    Kim and I are seeking to adopt another child through Open Adoption. If you know of a birth mother seeking a stable, loving family in Nebraska, please direct her to our website at nebraskaopenadoption.com.

Thor's Sponsors

© Thor Schrock 2024