In a post yesterday from the Microsoft Malware Protection Center (MMPC), Microsoft cloud protection, the MMPC team provides some details on how they use cloud resources in conjunction with their malware products to provide the highest level of protection for users of the companies security related software.
Microsoft is using cloud protection to help keep our customers safe. In fact, nearly any detection made by Microsoft security products could be the result of cloud protection. Software developers often ask us how this cloud protection works and how they can improve our cloud’s impression of their software.
There are three specific times the cloud comes into play in protecting a customer from malware:
- If a file is known to be malware by our servers but not by the local antimalware product, the cloud protection module can tell the local product to block or remove it.
- If a file is known to be clean by our servers, but the local antimalware product detects the file as malware (an incorrect detection situation), the cloud protection module can tell the local antimalware to not detect it, and the incorrect detection does not affect the user.
- If a local antimalware product encounters a file that we don’t know about, our server can make a determination based on probabilities, and tell the local antimalware software to block it, even without having seen a copy of the file.
If a company wants to make sure their software is not blocked by Microsoft’s malware protection methods they make the following recommendations:
- Digitally sign all of your software.
- Protect they key which you use for digitally signing your software. If it ever gets associated with malware then that will impact your reputation in the whitelisting process.
- Avoid security vulnerabilities in your software because it could be detected as an attempt to install malware.
- Proactively check any affiliates and those who bundle your software to make sure they are not including malware in the bundled file.
Some behaviors that alone might be OK but together they create suspicion and therefore could lead to a detection as malware:
- Installed in non-common folder
- Changes a critical registry key
- Process or thread injection
- Strange internet activity
If a developer suspects there may be some misidentification with a piece of their software there is a developer contact form that can be used to dialog with the Malware Protection Center.