Scope of security - trick or treat?
Mrkvonic
December 1st, 2006, 05:32 PM
Hello,
This may sound like a big pompous rant, so feel free to ignore or even ask for deletion of the contents herein.
Recently, I have seen a serious surge in certain posts concerning protection, real-time and on-demand, as well as various aspects of protection and coverage provided by certain tools, like firewalls.
Good discussions are always nice, but a worrying streak nags at me. Many people use terms like hackers and malware in a very, very active way. That is, the only thing that keeps total havoc at bay is a huge range of security applications, as if each one of us has a dedicated hacker waiting to burst in and violate our PCs.
I find the trend a bit ... disturbing. While awareness is good, unreasonable fear is as much counterproductive as the acknowledgement of possible dangers.
Which brings me to my actual topic:
People use security arsenals - this or that - a mix of various programs that they have found to be best suited to their needs. Fine.
BUT ... apart from the following criteria:
Compatibility, GUI, usage footprint (CPU, memory etc) and other peripheral issues, what has decided that you should use what you use?
How many times have you had your computer port-scanned?
How many times have you had your anti-virus trigger an alarm?
How many times have you had your HIPS warn you about some strange process going on while browsing / chatting / gaming etc?
How many times have you had an anti-whatever pop an alarm?
Why do you think it's important that anti-virus programs update within an hour or three times daily and not once a day or every 48 hours? Why is that so crucial?
Why do people think they need special software just to conduct online banking or shopping activities?
Why do you think a firewall must be able to defeat the system processes of the very system it is installed in?
Why do you want to use HIPS programs when your knowledge of how the system works is limited to high-level processes?
Where does education kick in - as in learn new things every day - rather than use stopgap measures to prevent vulnerabilities in one's own education?
I think that sentences like >
... xxx ... keeps you safe from hackers and malware
... malware tries to get in
... rootkits are becoming more and more prevalent
... is safe but security experts claim there will be a 300% increase next month
... there is a proof-of-concept code that can turn any song into Shock The Monkey by Peter Gabriel in mp4 format
> are counterproductive and miss the real purpose of the security programs that people use, heighten the feeling of fear and helplessness of the unknowing, and prompt me to rethink the entire domain of security practice going on.
Seems to me like a huge conspiracy to keep the masses under control and milk the honey from the pockets. I mean who has the greatest interest in wanting malware to continue existing - and keep the public awareness vectored onto how needy it is of security solutions.
What are your thoughts?
Mrk
Pedro
December 1st, 2006, 06:19 PM
Hum... I see you are a big critic of firewalls' HIPS/leak-pass feature:) . Nothing to add there, I've seen your posts and understand what you mean.
But having HIPS in the firewall is the same as having a separate HIPS and a basic firewall. Except that HIPS in today's firewalls are not comparable to SSMs, I get it. For me, it allows more control. Alright, there are numerous ways to bypass it, but it doesn't mean the firewall isn't trying. But yes, it definitely isn't the best criterion for a firewall.
About using HIPS themselves, I understand you, but maybe you miss the point of many of us. I used SSM free for kicks;D . I learned something with it too. Eventually I uninstalled it because of stability issues. Because I know I'm not experienced, I use Prevx1, and I think it's a damn fine product. FPs or not (rare, only saw one once I think, and it was today), I feel safe with it.
As for having lots of things installed, I'm with you, some users tend to have lots of apps for defending their computer. I have 3 real-time, plus another that really doesn't do that much, but it is of sentimental value:) . None is AS. AS for me is useful to scan once every month or so to check if everything is ok. For that, yes, I have an arsenal, but I accumulated it over time, and it only occupies a small space on the HD.
Fear, gotcha. No paranoia is good. Seeking the best defense possible is ok and more than reasonable though.
And as for seeing the apps in action, yep, I've seen them. Avast! found trojans, so did AVGAS, A-squared and Spybot. GeSWall blocks Adobe Reader from accessing some protected folders, not being dangerous or anything, but I did see it working as it should. AReader was prob. just doing an inventory of PDFs, I know, but I saw how GeSWall works.
Now, the most important:
"Seems to me like a huge conspiracy to keep the masses under control and milk the honey from the pockets. I mean who has the greatest interest in wanting malware to continue existing - and keep the public awareness vectored onto how needy it is of security solutions."
Not conspiracy, but capitalism at its best (worst). Paying attention to the news, one concludes that this is the latest technique, inducing fear to sell more (goods or stocks;) ). That's one of the reasons that I almost refuse to pay for a security app. I consider paying for one, but they give me a lot of confidence. Haven't paid yet.:D
Did I forget anything? By the way, good topic:thumb:
Mrkvonic
December 1st, 2006, 06:30 PM
Hello,
Someone, you hit the right spot.
I can understand that you want to control applications. But the emphasis should be on "applications you trust". Your working environment. That's the whole idea.
Many people refer to HIPS as the beast that will fight other beasts. IMHO, this is the wrongest approach to security. First, why the hell do you let undesired applications reside on your machine. Second, why do you try fighting it on its own terms? Shouldn't you (not YOU specifically) decide what goes on? While most people refer to HIPS as PROACTIVE it's in fact RETROACTIVE. You respond to the perps by acknowledging their methods on YOUR own computer. If you were using HIPS to clear remote machines or server ... well, I could understand that. But on your own PC?
BTW, your Acrobat example is a good one. A nice example of useful HIPSing.
Firewalls are a sore spot for me. Again, it's having diarrhea on your machine and trying to keep it from leaking. And all these leaktests are useless if the culprit decides to open its own socket.
Which brings me to another set of questions:
How many times have you had an application hijacking / dll injection by a process that turned out to be malicious?
How many times did you pass real leaks and not just fun demos?
As to anti- catching stuff in real time? Please tell me how you managed that?
As to the fun of playing with apps - of course, that's why we're all here. That's not what I meant. This is not about the favorite movie for Star Trek fans (Empire Strikes Back, of course, like duh).
Mrk
Pedro
December 1st, 2006, 06:49 PM
I guess when people refer to HIPS, it's more when they download something (OK I know), and then it acts as malware rather than a Windows Vista theme, for e.g. You download this theme, but suddenly it tries to delete stuff, read important resources, hook the system, whatever. You then realize it's bad, and block it. Then you remove it (lol, Prevx does it all; sorry for the commercial ref;D )
Proactive, to me, there are only these two concepts: firewall and sandbox-type HIPS (in the general sense). That's the defense structure, besides Opera/Firefox-NoScript-Cookiesshmookie::) .
Something gets by, the AV/M has to catch it. AV is for historical threats:D , Prevx1 analyses the unknown. (I forgot, 1 2 3, 4 apps in my PC sorry)
I hang on to these because the computer does not drag due to them. If it did, time to cut something. The computer is made to enjoy it, or work with it. Not going to war with the internet.
To finish, no, I haven't seen the FW passing a leak test, because I don't try them. It's enough to see others trying and their feedback. Neither real malware, but I did block things. LOL control freak:-[
The ASs didn't catch in real time, only on scan (I only have free versions). Only once, SpyGuard, which I don't use anymore, and AVGAS, on the same threat, when it was on trial; both when I didn't use NoScript+GeSWall...
the Tester
December 1st, 2006, 07:46 PM
Interesting thread.....
Some thoughts on the issues;
Update frequency for any security program: daily is ok for me. Unless there is a new outbreak.
My criteria for a firewall are stealth rating, no major slowdown at boot, and stability.
People think they need special software for online banking because someone is cashing in on paranoia.;)
Education is still a big factor. Safe surfing habits can go a long way toward security or lack of it.
Devil's Advocate
December 1st, 2006, 08:18 PM
-{ Quote: "Hello,
That is the only thing that keeps total havoc at bay is a huge range of security applications, as if each one of us has a dedicated hacker waiting to burst in and violate our PCs.
" }-
Well that's quite possible. I read that some highly qualified members here who go around giving advice on security software and computers have themselves been hacked more than once. And they are running what we consider (here) as state of the art security.
-{ Quote: "
Compatibility, GUI, usage footprint (CPU, memory etc) and other peripheral issues, what has decided that you should use what you use?
" }-
I follow the crowd, I see what other people are doing. That is how I get interested in new products. If someone smart says it's a great product and gives *technical* reasons (which I must be able to understand) why it is better I will definitely try it. Next I run tests like leak tests, test demos and check to see if it doesn't conflict with my 2 other HIPS, firewall and antivirus.
If it all checks out it becomes part of my new security setup.
I repeat the cycle about once every 1-3 months.
-{ Quote: "
How many times have you had your computer port-scanned?
" }-
Don't know, I don't look at logs.
-{ Quote: "
How many times have you had your anti-virus trigger an alarm?
" }-
Well, every time I open my folder that contains the leak tests, for one.
Once I was surfing to this website, and my AV complained about some malware in my cache.
-{ Quote: "
How many times have you had your HIPS warn you about some strange process going on while browsing / chatting / gaming etc?
" }-
Never. Though it happens a lot after I install a new program or sometimes even a new version.
-{ Quote: "
How many times have you had an anti-whatever pop an alarm?
" }-
See above.
-{ Quote: "
Why do you think it's important that anti-virus programs update within an hour or three times daily and not one a day or every 48 hours? Why is that so crucial?
" }-
It's crucial because it is needed to protect us against fast spreading malware. Why else? Imagine if the AV updates only once a day, and you get nailed by some malware that would have been detected if they had pushed updates at a more frequent rate.
-{ Quote: "
Why do people think they need special software just to conduct online banking or shopping activities?
" }-
Not sure what you mean.
-{ Quote: "
Why do you think firewall must be able to defeat the system processes of the very system they are installed in?
" }-
because the system can't be trusted to defend itself.
-{ Quote: "
Why do you want to use HIPS programs when your knowledge of how system works is limited to high-level processes?
" }-
Because it feels like I am doing something proactive defending my computer when I press those buttons to okay the prompts. :)
Also so I can feel good and look down at all the poor noobs who still don't get it and rely on outdated Antivirus and antispyware. Everyone knows those just plain don't work.
-{ Quote: "
Where does education kick in - as in learn new things every day - rather than use stopgap measures to prevent vulnerabilities in one's own education?
" }-
Learning to use HIPS is quite an education. Fastest way to go from a Noob who knows nothing about computers to a not-so noob.
True Orient
December 1st, 2006, 09:32 PM
I understand exactly what you mean Mrk, and heck... most of my computer related problems this past year or so have in fact, been self-inflicted from trying out this utility... or that application... LOL! But then again, trying out new stuff is half the fun...
I have to go coz I must try this new app: System Virgin Verifier... LOL! (Of course I don't need it and it could trash my system... but as I said, it's half the fun...) ;)
Iangh
December 2nd, 2006, 03:12 AM
Excellent thread.
It's easy to follow the hype.
I admit to being one that causes my own problems by installing this and that.
Trying hard to stop my paranoia by telling myself the scan is always clean.
I have learnt a lot but am now asking myself if common sense is my powerful weapon.
Looks like Mrkvonic has at last got me trusting in the force.
Ian
nadirah
December 2nd, 2006, 03:48 AM
-{ Quote: "Excellent thread.
It's easy to follow the hype.
I admit to being one that causes my own problems by installing this and that.
Trying hard to stop my paranoia by telling myself the scan is always clean.
I have learnt a lot but am now asking myself if common sense is my powerful weapon.
Looks like Mrkvonic has at last got me trusting in the force.
Ian" }-
Nice thread mrk. You may or may not find this hard to believe, but I supervise my mom with what she can/cannot do with the computer ;D.
I learnt most of my computer knowledge through testing out different applications, setups and methods over long periods of time and doing risky beta testing, I still remember how the beta version of XP SP2 crashed my computer badly, of course I tested the beta version out of curiosity. :o Of course at the end of the day I realise that I cause my own problems.
The purpose: To pick out the best solution which fits my computer best.
The goal: Independent self-support. NO technical support calls.
The biggest headache is the sense of paranoia which haunts me every now and then. Blame it all on my reading too much of others' malware encounters and computer problems. At times it makes me so frustrated that I feel like telling the person to piss off and go solve the problems on their own. :-[
After all, I've come to believe that it's what the user does on the computer which determines the outcome.
To me,
Programs= tools
Knowledge= power. solutions.
You can have all the tools in your arsenal, but it's what you do with those tools which matters the most.
Common sense is just part of the solution. And I believe it is just one of the many skills applied when using the computer.
sukarof
December 2nd, 2006, 03:56 AM
-{ Quote: "How many times have you had your computer port-scanned?" }-
Real port scans, where many ports are scanned in a short period of time, happen maybe once a week or so. Individual port scans, I guess they fall under "internet noise", are countless.
-{ Quote: "How many times have you had your anti-virus trigger an alarm?" }-
Not more than a handful this latest year, and most of them were when testing malware I knew would trigger my AV.
But before I knew about the NoScript extension for FF, I actually had some warnings from my AV about malicious javascripts. But of course those warnings came when visiting the darker side of the internet. I rarely get any attachments (that I didn't ask for) in my mail, and if I do I delete them.
-{ Quote: "How many times have you had your HIPS warn you about some strange process going on while browsing / chatting / gaming etc?" }-
Never.
-{ Quote: "How many times have you had an anti-whatever pop an alarm?" }-
I have had some popups from Prevx1 when it didn't recognize some software I was installing.
-{ Quote: "How many times have you had an application hijacking / dll injection by a process that turned out to be malicious?" }-
Never.
I still don't know enough about computing (and I do always run as admin for convenience reasons) so I don't dare to let go of some of the protection. I have however ditched the intrusive software that gives endless alerts on everything that happens on my computer. Such HIPS were nice while learning stuff, but got annoying and therefore insecure in the end. Based on my experience with different HIPS and FW with HIPS functionality the last 2.5 years.
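sukarof's distinction above, a "real" port scan (many ports from one source in a short window) versus single-port "internet noise", is easy to make mechanical. The following is an added example for this thread, not code from the thread or from any firewall or HIPS product named in it. It parses constructed iptables-style DROP log lines (an assumption about the log format), and the thresholds (10 distinct ports within 60 seconds) are assumptions to be tuned for your own link:

```python
"""Tell a real port scan apart from background internet noise in firewall
drop logs.  Added example for this thread; the log lines below are
constructed, iptables-style syslog entries, not captures from a real host."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (assumption: syslog timestamp followed by iptables
# key=value fields).  203.0.113.7 walks 12 ports in 30 seconds (a scan);
# 198.18.0.5 pokes port 445 three times over an hour (noise); 192.0.2.9
# touches two ports once each (noise).
SAMPLE_LOG = """\
Dec  2 03:12:10 host kernel: DROP IN=ppp0 SRC=198.18.0.5 DST=198.51.100.20 PROTO=TCP SPT=1033 DPT=445
Dec  2 03:41:55 host kernel: DROP IN=ppp0 SRC=198.18.0.5 DST=198.51.100.20 PROTO=TCP SPT=1040 DPT=445
Dec  2 03:50:01 host kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=40123 DPT=21
Dec  2 03:50:03 host kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=40124 DPT=22
Dec  2 03:50:06 host kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=40125 DPT=23
Dec  2 03:50:08 host kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=40126 DPT=25
Dec  2 03:50:11 host kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=40127 DPT=80
Dec  2 03:50:13 host kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=40128 DPT=110
Dec  2 03:50:16 host kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=40129 DPT=135
Dec  2 03:50:19 host kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=40130 DPT=139
Dec  2 03:50:22 host kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=40131 DPT=143
Dec  2 03:50:25 host kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=40132 DPT=443
Dec  2 03:50:28 host kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=40133 DPT=445
Dec  2 03:50:30 host kernel: DROP IN=ppp0 SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=40134 DPT=3389
Dec  2 04:05:30 host kernel: DROP IN=ppp0 SRC=198.18.0.5 DST=198.51.100.20 PROTO=TCP SPT=1051 DPT=445
Dec  2 04:06:00 host kernel: DROP IN=ppp0 SRC=192.0.2.9 DST=198.51.100.20 PROTO=TCP SPT=5555 DPT=135
Dec  2 04:06:01 host kernel: DROP IN=ppp0 SRC=192.0.2.9 DST=198.51.100.20 PROTO=TCP SPT=5556 DPT=139
"""

# Timestamp, then the two fields we care about; everything else is skipped lazily.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s.*?\bSRC=(?P<src>\S+)\s.*?\bDPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, source IP, destination port), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog carries no year; strptime defaults to 1900, which is fine for differences
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])


def classify_sources(lines, min_ports=10, window_seconds=60):
    """Per source IP: (max distinct ports hit inside any window, total hits, verdict).

    A source is a 'scan' if, starting from any one of its hits, at least
    min_ports distinct destination ports are hit within window_seconds."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt = parsed
            events[src].append((ts, dpt))
    report = {}
    for src, evs in events.items():
        evs.sort()
        widest = 0
        for i, (start, _) in enumerate(evs):  # sliding window anchored at each hit
            ports = set()
            for ts, dpt in evs[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                ports.add(dpt)
            widest = max(widest, len(ports))
        verdict = "scan" if widest >= min_ports else "noise"
        report[src] = (widest, len(evs), verdict)
    return report


def scanners(lines, **thresholds):
    """Sorted list of source IPs whose verdict is 'scan'."""
    return sorted(src for src, (_, _, v) in classify_sources(lines, **thresholds).items() if v == "scan")


if __name__ == "__main__":
    for src, (ports, hits, verdict) in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src:15} {ports:3} distinct ports in window, {hits:3} hits -> {verdict}")
```

Only 203.0.113.7 is reported as a scan; the repeated single-port hits on 445 and the two-port touch are left as noise. Counting distinct ports per source within a window, rather than raw hit counts, is what separates the two; the window and port thresholds are the knobs, and a log without a year in its timestamps needs care across year boundaries.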
Mrkvonic
December 2nd, 2006, 04:14 AM
Hello,
Nice discussion everyone - except DA, the neverending tosser :)
Seriously, to give my own input:
Except for a single port scan every 3-4 days, I've never seen any malicious activity taking place, in any form.
Combined, several years of online usage vs. what happens online prolly means you have to take special effort to hurt yourself as opposed to you have to take special effort just to stay barely ahead of the "bad guys".
I would like people who disagree with the "liberal" approach to step in. Their view of things might also be nice to hear.
Mrk
Mrkvonic
December 2nd, 2006, 04:37 AM
Hello,
Just a quick addition:
My father is not exactly the most computer-savvy person in the world. But my brother and I have taught him a few basic concepts:
Don't download **** - consult with us before you do.
Any email attachment that you don't expect - delete instantly.
He browses with Firefox (without any extension).
He was abroad for a few months. Even during that period, he simply updated Windows, and used the basic firewall / av that we installed for him, and had not the slightest of problems. And he also plays games, including online, visits sites of all kinds. Has his own laptop and takes care of it all alone - just Windows updates here and there, a bit of anti-virus definitions, occasional Firefox update, and that's it.
So all the hype about malware raping seems a bit bloated, I might say.
Cheers,
Mrk
Meltdown
December 2nd, 2006, 05:21 AM
-{ Quote: "Many people use terms like hackers and malware in a very very active way. That is the only thing that keeps total havoc at bay is a huge range of security applications, as if each one of us has a dedicated hacker waiting to burst in and violate our PCs." }-It would be good to see a sticky on how malware typically gets onto people's computers (because they download it and run it), what a hacker or bot would need to gain access (no firewall, vulnerable service listening), and the potential dangers of emails and websites and how to avoid them. Something that would explain the mechanisms involved, but pitched at a level that the relatively noob reader can understand.
Reading posts on Wilders, I get the impression that many posters, especially recent arrivals, have little understanding of the above, and set about building up impregnable fortresses and elaborating Byzantine strategies that go far beyond what's actually needed to stay safe. That was certainly the path I went down when I first came here.
Mrkvonic
December 2nd, 2006, 05:41 AM
Hello,
I've already written about it in one of my earliest articles.
Will gladly make another one, more detailed or more graphical, if needed.
Mrk
Crashtest Dummy
December 2nd, 2006, 07:22 AM
Hello
I'm all for the enthusiastic amateur who enjoys experimenting :thumb: If we leave it all to the 'experts' we must be totally at their mercy.
Good then that we have the experts to produce the software. Better still we have the experienced enthusiasts who like to learn and help keep the experts honest :P
One way or another, the enthusiast is driven by self-interest. If sometimes it takes a little fear to encourage the initial development of that self-interest, then OK. The more people take an interest the better for all of us. Once the fearful get somewhere like Wilders, there is the opportunity to replace the fear with a little understanding and score another run for the hometeam.
I think most people can see the majority are here because they enjoy raising the level of their own game. It's not about trying to scare the new guy.
A protected router/firewall, decent AV, fully patched OS with some unnecessary services disabled, together with script control on various (regularly updated) applications. This together with good practice helps keep my friends & family secure today.
A benefit of my interest is to help ensure they are secure tomorrow. Like for instance when a vulnerability is announced but a patch not yet produced. It's nice to be able to gauge how much of a threat this is for them and how to advise them if necessary. This is easier because I enjoy and make use of all the threads. They aren't dry and technical. It is real people talking about their experience and concerns. All this keeps my interest piqued and encourages me to learn more.
Escalader
December 2nd, 2006, 07:58 AM
Mrkvonic, Crashtest Dummy et al:
Just to stir the pot a bit I will issue 2 challenges for Mrk to put his honey on the table!
Raise your how many alerts, triggers, viruses, malware ?'s as a POLL!
Run one of your own PC's without ANY security at all, nothing, just the default setting on your browsers and OS, no routers, nothing then report back January 2, 2007.
However, I'm so paranoid I don't think either of these things will happen since he could be part of the vast right wing malware conspiracy. That poll would be a very bad idea since more than 2 or 3 people might respond and the truth could emerge. Do you guys think that McAfee and Norton's secret malware hacker development groups will ever be exposed? They generate evil so as to prove the need for their products.
The end is near! ::) Got to go now forgot to leave my front door and windows open
BlueZannetti
December 2nd, 2006, 09:03 AM
-{ Quote: "Nice discussion everyone - except DA, the neverending tosser :)" }-Actually, it's an interesting read from all, you just need to know how to read it... :)
For the computer literate and security aware - it is important to occasionally recall back to the days when you were completely illiterate in the area. What looks to be common sense now was completely obscure then. What is painfully obvious now was impenetrable back then. This site currently has and will always have a range of experience among members. That brush of experience paints much of what you see here. You also have a significant range of needs and levels of risk aversion among the various users here. That explains part of what you see, unfortunately I realize it may be a small part at that.
One sentence captured it in a nutshell for me:-{ Quote: "Many people use terms like hackers and malware in a very very active way. That is the only thing that keeps total havoc at bay is a huge range of security applications, as if each one of us has a dedicated hacker waiting to burst in and violate our PCs." }-I see tendencies towards this as well, and it is unfortunate since this is not real life for most of us. It does happen - example: a coworker's daughter is currently dealing with a stalking ex-boyfriend. There was an apartment break-in and one worry was installation of tracking/logging software on a PC. The police are handling this one and doing a good job on it, but this is the overwhelming exceptional case. These types of circumstances can't apply to most of what we see here.
While it is always prudent to be self-aware of your situation, endlessly scanning logs and responding to false alerts should not be the norm for a typical home user.
With respect to some of the questions:
-{ Quote: "Compatibility, GUI, usage footprint (CPU, memory etc) and other peripheral issues, what has decided that you should use what you use?
How many times have you had your computer port-scanned?" }-PC? None, I use a router. I also believe that achieving stealth is basically a misguided adventure.
-{ Quote: "How many times have you had your anti-virus trigger an alarm?" }-Rather infrequently - but this metric should be approached with caution. It is the exceptional event that users should be guarding themselves against, not a norm of continuous attacks from the ravaging hordes. I see this as a part of the education dilemma that can be addressed and a part of the reason you don't need an absolute fortress. Most users are assisted by very simple measures that are turnkey solutions in the form of well designed security applications, custom configuration, and so on.
-{ Quote: "How many times have you had your HIPS warn you about some strange process going on while browsing / chatting / gaming etc?" }-In the entire time I've tested/used various HIPS products - once, on my son's machine. BOClean alerted as well, KAV WKS missed it, and it was real malware. So, out of what was likely many hundreds (thousands?) of pop ups overall, one was real. I view this as a very real problem with this class of application if they are targeting mass market use.
-{ Quote: "Why do you think it's important that anti-virus programs update within an hour or three times daily and not one a day or every 48 hours? Why is that so crucial?" }-It's not. Users obsessing over this are focused on the wrong issues.
-{ Quote: "Why do people think they need special software just to conduct online banking or shopping activities?" }-This is a new one to me - I guess one persons paranoia is another persons market opportunity.
-{ Quote: "Why do you think firewall must be able to defeat the system processes of the very system they are installed in?" }-It shouldn't.
-{ Quote: "Why do you want to use HIPS programs when your knowledge of how system works is limited to high-level processes?" }-Never use a tool if you don't know what it does. You really don't need to understand in depth how it works, but you really do need to know what it does. Once HIPS get much more complicated than simple allow/block execution, most potential users are treading on very soft ground.
-{ Quote: "Where does education kick in - as in learn new things every day - rather than use stopgap measures to prevent vulnerabilities in one's own education?
I think that sentences like >
... xxx ... keeps you safe from hackers and malware
... malware tries to get in
... rootkits are becoming more and more prevalent
... is safe but security experts claim there will be a 300% increase next month
... there is a proof-of-concept code that can turn any song into Shock The Monkey by Peter Gabriel in mp4 format
> are counterproductive and miss the real purpose of security programs that people use, heighten the feeling of fear, helplessness of the unknowing and prompt me to rethink the entire domain security practice going on." }-Agreed
-{ Quote: "Seems to me like a huge conspiracy to keep the masses under control and milk the honey from the pockets. I mean who has the greatest interest in wanting malware to continue existing - and keep the public awareness vectored onto how needy it is of security solutions." }-Don't lose track of the fact that while malware started as simple cyber-vandalism with no monetary goals, it is now a money making enterprise. Many purveyors of malware have clear commercial goals. Security providers certainly play on that reality to push sales, but the implied statement that security providers are necessarily the primary drivers here is simply a misguided conjecture.
-{ Quote: "My father is not exactly the most computer-savvy person in the world. But my brother and I have taught him a few basic concepts:
Don't download **** - consult with us before you do.
Any email attachment that you don't expect - delete instantly.
" }-While both suggestions have generally positive outcomes, they are unrealistic approaches in general and as indiscriminate as the HIPS solutions noted above. I simply don't see an operational difference between a false alert raised by, for example, a HIPS program and that mental false alert associated with an admonishment to automatically delete each and every email with an unexpected attachment. Both approaches scream of overkill.
From an industry perspective, some of the newer approaches are offered as an alternative to signature based approaches which may run into a performance brick wall as the database of known malware continues to expand over time. A key question is where that brick wall sits - and that's really unknown. At present, it is clear that signature based offerings still have plenty of staying power, while some of the alternate approaches have clear compatibility issues with Vista in its current form.
You're right that many users need to step back and reassert their grip on reality. While oodles of options and distinct approaches are available to users, they really shouldn't adopt them all at once. IMHO they all represent distinct approaches to the same goal. My generic base recommendation? Router + AV or suite. Want to control communication out? Add a software firewall as well. Too much impact on performance? Go with a "lighter" AV. Still too much impact? Take advantage of security policies, virtualization/sandboxing, or start down the road of execution control/application firewalling. Still too noisy or slow? Go with a straight lockdown approach or put yourself in a position of running bare and being able to manually deal with any eventuality. The different approaches, and there are many, should not be merged into a monolithic package, but really should be treated as separate implementations with their own benefits and risks.
Any of them can work, any of them can fail. The key is understanding which are more likely to work, work well for you, and not saddle you with that vague air of paranoia every time you fire up your favorite browser.
Blue
Meltdown
December 2nd, 2006, 10:22 AM
Mrk,
Internet won't hack you unless you provoke it (http://www.dedoimedo.com/computers/internet.html)
I like it, it's a list of dos and don'ts that anyone new to security will find useful, and an entertaining rant too. What I had in mind, though, was the next step, an introduction to the underlying mechanisms. For instance, -{ Quote: "His PC has lots of doors (65,000 and some). If he does not close these doors, someone might try coming in" }-is a useful metaphor, but it doesn't explain what's really going on. If I accidentally shut down my firewall, should I panic? (It's a rhetorical question).
To take another example, the section on P2P is how I run P2P, it's a good guide to staying safe. Also, I don't feel I'm taking any (security) risks with P2P, because I've read elsewhere that vulnerabilities in P2P apps are very rare. What I don't know is WHY they're rare. I'd like to find out.
So anything that would add knowledge to the basic guidelines would help people make more informed choices about security software and procedures. It seems there's a gap to be filled, as I've only picked up that kind of information in a piecemeal way, if at all. sukarof puts it succinctly: -{ Quote: "I still don't know enough about computing so I don't dare to let go of some of the protection." }-
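Meltdown's request for the mechanism behind the "65,000 doors" metaphor, and the earlier note that a remote attacker or bot needs a vulnerable service listening with nothing filtering it, comes down to a question you can answer on your own machine: which sockets are listening, and on which addresses? The following is an added example for this thread, not code from the thread or from any product in it. It parses a constructed sample in the column layout of Linux `ss -ltnp` (an assumption about the format) and reports each listener's exposure; a door bound only to loopback cannot be reached from the network at all, whatever the firewall is doing:

```python
"""Which of the '65,000 doors' are actually open, and to whom?  Added example
for this thread.  Parses `ss -ltnp`-style output from a constructed sample
(assumption: the column layout below) and classifies each listening socket
as loopback-only, bound to one interface, or bound to every interface."""
import re

# Constructed sample of `ss -ltnp` output (not a capture from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   127.0.0.1:631       0.0.0.0:*     users:(("cupsd",pid=601,fd=7))
LISTEN 0      511    *:80                *:*           users:(("nginx",pid=900,fd=6))
LISTEN 0      128    [::1]:5432          [::]:*        users:(("postgres",pid=1100,fd=5))
LISTEN 0      128    [::]:22             [::]:*        users:(("sshd",pid=812,fd=4))
LISTEN 0      50     192.168.1.10:445    0.0.0.0:*     users:(("smbd",pid=1200,fd=30))
"""

# First process name inside the users:(("name",pid=...)) column.
PROC_RE = re.compile(r'\(\("([^"]+)"')


def split_addr_port(local):
    """'[::1]:5432' -> ('[::1]', 5432); '*:80' -> ('*', 80).  Splits on the last colon."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def exposure(addr):
    """Who can reach a socket bound to this address, ignoring any firewall."""
    if addr in ("0.0.0.0", "[::]", "*"):
        return "all-interfaces"
    if addr.startswith("127.") or addr == "[::1]":
        return "loopback"
    return "one-interface"


def parse_ss(text):
    """Parse LISTEN rows into dicts; the header and non-LISTEN rows are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = split_addr_port(fields[3])  # Local Address:Port column
        m = PROC_RE.search(line)
        rows.append({
            "addr": addr,
            "port": port,
            "exposure": exposure(addr),
            "process": m.group(1) if m else "?",
        })
    return rows


def reachable_doors(text):
    """Distinct (port, process) pairs a remote host could reach if nothing filters them."""
    return sorted({(r["port"], r["process"]) for r in parse_ss(text) if r["exposure"] != "loopback"})


if __name__ == "__main__":
    for r in parse_ss(SAMPLE_SS):
        print(f"{r['port']:5}  {r['exposure']:14}  {r['process']}  ({r['addr']})")
    print("reachable from the network:", reachable_doors(SAMPLE_SS))
```

In the sample, six sockets are listening, but only three doors (22, 80, 445) are reachable from outside; the print server and the database are loopback-only and need no firewall rule to stay private. The same idea answers the rhetorical "should I panic if the firewall is off": what matters is this list, and whether each service on it is patched, not the 65,000-port count.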
Mrkvonic
December 2nd, 2006, 10:32 AM
Hello,
Thanks all, once again for a very nice discussion.
Escalader, I'm willing to participate, just a few clarifications:
OS - you mean Windows, of course?
Default browsers - am I allowed Firefox?
Default settings on OS - does that include Windows firewall?
System updates, am I allowed?
Can I use non-MS software, like OpenOffice?
The machine needs to be stand-alone, I presume, no NAT/ICS?
What should I do? Browse? Chat? Porn?
Mrk
Devil's Advocate
December 2nd, 2006, 11:29 AM
-{ Quote: "Hello,
I would like people who disagree with the "liberal" approach to step in. Their view of things might also be nice to hear.
" }-
From past experience in starting similar threads, you are never going to get that. Pretty much everybody is going to agree with you (or stay silent), for fear of being seen as paranoid.
If a visitor only read such threads he would have thought that everyone here feels HIPS are a joke and totally unnecessary.
The reality is totally different as you know.
There are "gurus" walking around lecturing on how insecure the OS is and how HIPS is totally necessary,
and "experienced members" saying that HIPS X sucks because it fails to block test Y (despite the fact that various threads have established that no one cares much about such tests lol).
You see people jumping ship to a newer HIPS product A for various reasons.
In one case the older product B, is criticized for lack of development and support, okay fair enough.
But in another case the older product C is being developed at an impossibly rapid rate, answers to support questions are rapid, and yet I still see self-described "refugees" cursing that they bought Product C instead of A.
Why? Because Product A is getting way more hype and attention than Product C.
-{ Quote: "
Nice discussion everyone - except DA, the neverending tosser :)
" }-
LOL. I thought you wanted answers that weren't 'liberal', mine are the only ones you are likely to get.
zapjb
December 2nd, 2006, 11:42 AM
I go through phases with security apps. For a while it's the max amount of apps. Now on-demand, just Sygate & KAV. I'm good.
Mrkvonic
December 2nd, 2006, 11:44 AM
Hello,
Another thing I wanted to say: We all pay lots of money to be online. We might as well enjoy it. The world is so full of grief and war. Should Internet also be turned into another evil battlezone? Lean back, relax, enjoy.
Of course, none of this applies to people who LOVE to tweak and for whom the issue of security is fun. I meant the average people for whom the PC is the means and not the end.
Devil, I have no problem with people jumping board from product A to C. Or loving it. Or enjoying the thrill of tweaking / hacking / ruining their own systems. I love to do it myself. But when asked by someone "outside the circle of trust", I tend to approach it from a different angle. You cannot heap the burden of your security fun on an unsuspecting casual user. It's unfair. Like a doctor telling a patient all about his troubles with medicines. Sort of like Doc Daneeka in Catch-22.
Throw a list of 80 applications at a newbie and tell him to pray every night because nothing will save him ... instead, we could give him a few tips here and there, explain a few concepts. Give him a nice, easy comfy intro into the world of security. After all, learning through fun is the most effective way.
That's my rant for now, cheers.
Mrk
BlueZannetti
December 2nd, 2006, 11:47 AM
-{ Quote: "...You cannot heap the burden of your security fun on an unsuspecting casual user. It's unfair. Like a doctor telling a patient all about his troubles with medicines. Sort of like Doc Daneeka in Catch-22.
Throw a list of 80 applications at a newbie and tell him to pray every night because nothing will save him ... instead, we could give him a few tips here and there, explain a few concepts. Give him a nice, easy comfy intro into the world of security. After all, learning through fun is the most effective way. " }- That's good advice, to anyone.
Blue
Devil's Advocate
December 2nd, 2006, 11:56 AM
-{ Quote: "
Once HIPS get much more complicated than simple allow/block execution, most potential users are treading on very soft ground.
" }-
We are already way past this. Prosecurity and SSM are an example of the "put every feature and option you can think of into the interface, prompt on everything" approach brought to its limits. Pretty much ProcessGuard/Appdefend x100.
And yet I see some self-proclaimed experts using such products running around saying that their 3-year-old offspring has no problems understanding what each prompt means (never mind that some of the prompts are so cryptic that even the average computer science degree holder would be baffled (if he was honest)). Or another guy saying that PS is great for people who don't know the correct answers to questions!!
I think Prosecurity does this total control approach slightly better than SSM currently (all that load-libraries stuff), which explains all the 'refugees' from SSM to the other. More control = good, right? Never mind if we never use it at all, and just click yes to it without thinking much.
I think in time to come the successors to Prosecurity will be prompting you on every single CPU instruction cycle. Now that's control!
-{ Quote: "
My generic base recommendation? Router + AV or suite. Want to control communication out? Add a software firewall as well. Too much impact on performance? Go with a "lighter" AV. Still too much impact? Take advantage of security policies, virtualization/sandboxing, or start down the road of execution control/application firewalling. Still too noisy or slow? Go with a straight lockdown approach or put yourself in a position of running bare and being able to manually deal with any eventuality.
" }-
Or more likely invoke the idea of layers and use them all!
-{ Quote: "
Any of them can work, any of them can fail. The key is understanding which are more likely to work, work well for you, and not saddle you with that vague air of paranoia every time you fire up your favorite browser.
" }-
Firing up my favorite browser doesn't saddle me with paranoia.
Nothing saddles me with paranoia like reading this forum does!
Devil's Advocate
December 2nd, 2006, 12:16 PM
-{ Quote: "Hello,
Devil, I have no problem with people jumping board from product A to C. Or loving it. Or enjoying the thrill of tweaking / hacking / ruining their own systems. I love to do it myself.
Mrk" }-
An excuse. People switching believe that they are more secure after switching and not just because they enjoy tweaking (though that might be a reason for the beta testers).
I seriously doubt anyone would switch if they thought it was weaker or even provided exactly the same amount of protection. I'm talking about people who really believe that if they don't keep up with what Wilders considers 'state of the art', they are in trouble and should switch.
I mean take PG, people say it sucks cos it hasn't had an update for a while compared to say newer products that release once a week or something. They say it is a problem also because of the lack of support and answers at the forum.
What is the lack of support they are concerned about? Well, it seems to me they are worried about PG failing some tests (like the Comodo leak test) or the keylogger/terminate tests of SSM, and these are the questions they want answers to. Ergo, they are worried about their security...
Escalader
December 2nd, 2006, 01:01 PM
Hi Mrk, glad you accepted the challenge, we will all learn from your 1 month experience! Here are the clarifications you asked for:
OS - you mean Windows, of course? YES, WHAT EVER YOU USE NOW
Default browsers - am I allowed Firefox? IF YOU USE FF NOW, OTHERWISE NO.
Default settings on OS - does that include Windows firewall? NO, m$ ADDED THAT AS PART OF A RIGHT WING CONSPIRACY, YOU HATE FIREWALL REMEMBER!
System updates, am I allowed? NO, THEY ARE ALWAYS SECURITY FIXES WHICH ARE NOT NEEDED
Can I use non-MS software, like OpenOffice? DO YOU USE IT NOW? IF NOT NO TRICKS
The machine needs to be stand-alone, I presume, no NAT/ICS? YES, STAND ALONE NAKED FACING THE FULL FORCE OF THE LIBERAL INTERNET, NO routers, no HIPS, nothing, remember you are a liberal in a liberal environment.
What should I do? Browse? Chat? Porn? DON'T CARE AS LONG AS YOU DO THESE THINGS NOW, JUST USE THE PC AS YOU NORMALLY WOULD.
lucas1985
December 2nd, 2006, 01:33 PM
-{ Quote: "Hi Mrk, glad you accepted the challenge, we will all learn from your 1 month experience! Here are the clarifications you asked for:
OS - you mean Windows, of course? YES, WHAT EVER YOU USE NOW
Default browsers - am I allowed Firefox? IF YOU USE FF NOW, OTHERWISE NO.
Default settings on OS - does that include Windows firewall? NO, m$ ADDED THAT AS PART OF A RIGHT WING CONSPIRACY, YOU HATE FIREWALL REMEMBER!
System updates, am I allowed? NO, THEY ARE ALWAYS SECURITY FIXES WHICH ARE NOT NEEDED
Can I use non-MS software, like OpenOffice? DO YOU USE IT NOW? IF NOT NO TRICKS
The machine needs to be stand-alone, I presume, no NAT/ICS? YES, STAND ALONE NAKED FACING THE FULL FORCE OF THE LIBERAL INTERNET, NO routers, no HIPS, nothing, remember you are a liberal in a liberal environment.
What should I do? Browse? Chat? Porn? DON'T CARE AS LONG AS YOU DO THESE THINGS NOW, JUST USE THE PC AS YOU NORMALLY WOULD." }-
Right now I'm posting from a Win 98SE patched machine and:
-No router
-No firewall
-No AV on access, F-Prot DOS on-demand
-NetBIOS open
-Basic hardening
-Maxthon browser
-Thunderbird
-SpywareBlaster
-Superantispyware
Clean for two years and counting ;)
Mrkvonic: do you buy online? Do you check your banking accounts online?
Mrkvonic
December 2nd, 2006, 02:16 PM
Hello,
Escalader, I like firewalls - it's one of the few things I actually like. Wherever did you get the idea that I do not like firewalls? I disagree with the whole leaktest fever, though. Firewalling should be just simple control of packets.
So, again, a clarification:
Windows XP - how far back (no SP, SP1, SP2). If SP2, then firewall is a default. Which patches am I allowed to use, then?
I was thinking along this line:
Windows XP SP2 fully patched with / without Windows firewall. This is the default and most common setting for the majority of systems out there. I will need a few days to set it up and of course inform my ISP that, should they get a bot machine, they should realize it's part of a controlled test.
And yes, I do use mostly non-MS software in Windows environment.
BTW, if you read through my posts, you will realize that I claim that you need just a firewall and Firefox / Noscript to cover your security needs. I have written against mindlessly heaping tons of programs onto the system, without really knowing what they do.
My creed, if it can be called that - and in regard to my questions earlier - how many times this / that ... - makes the use of real-time protection redundant when following simple common-sense rules.
So I'm willing to test the asked-for setups. BTW, I can already tell you that I have Windows XP machines, fully patched, running only firewall for years. So, that might satisfy you.
But I'll try to indulge you and try no firewall here, although this goes against my own dogma. Which brings a fairly simple issue: if there are any open ports, applications / services listening on them can be accessed remotely. If those applications / services have a flaw that can be remotely exploited, the machine can be compromised. Which brings the issue of how patched the system should be.
BTW, my ISP stealths the most common service ports like 135-139 etc, so the test might not be the most fair, by your terms.
Lucas, yes I do a bit of online shopping and check my bank once in a while.
Mrk
tobacco
December 2nd, 2006, 02:20 PM
-{ Quote: "Why do you think it's important that anti-virus programs update within an hour or three times daily and not one a day or every 48 hours? Why is that so crucial?" }-
-{ Quote: "It's not. Users obsessing over this are focused on the wrong issues." }-
BlueZannetti
I would firstly like to mention that while I use an AV like most, I'm not thrilled by their methods. If an antivirus company were to somehow develop an antivirus product that contained heuristics detection closely matching its signature detection, then obviously updating frequency would have much less importance. But with top heuristics detection still missing almost 50% of the time, it's not even close to signature detection, and even heuristics need updating. I am going to assume that you are referring to me as one of the 'obsessing' posters. But I will have to completely disagree with that statement because I am simply stating how an AV provides the most protection. It ain't 'heuristics', that's for sure. I always try to look at things from the worst-case scenario or from the high-risk/high-usage person. Obviously, for someone who spends minimal time surfing, only goes to a few trusted sites, checks a few emails from their mother, etc., it probably wouldn't matter if they used a slow-updating antivirus, because their usage dictates low risk of infection. Others such as myself are high-risk/high-usage users who, because of this usage, are more likely to encounter a situation of infection, and if a signature has not been added to the database, well, I for one don't like the odds of remaining 'clean'.
I don't think you or anyone else would use an AV that has a signature detection rate of 53%, would you? I doubt it. If one was to read through the many 'HJT' security forums, and I do every day, there are 2 common themes here. First of all, many of the infected posters are using 'Norton' but obviously, market share has to be considered here. The other is that it's not like Norton is not detecting the 'Trojan', it is, but it's detecting it after the trojan has rooted itself in the system and is causing major issues. Some have to accept blame for improper configuration settings but most have it set right with auto-updating on. So the question remains - 'How the hell did it not get detected and prevented in the first place?' There is only one answer, that is 'At point of contact, there was no signature for this malware in the database'. There is now however, and that's why it's being detected now instead of before.
So low-risk users aside, I just don't see how you or anyone else can say that update frequency should not be considered important. Do you not feel fewer infections would occur if slow-updating antiviruses made a concentrated effort to update their databases quicker?
I'm certainly no expert, but based on how antiviruses offer their best protection, I just don't see how it can be seen as not important. With 3 different HIPS programs running and the knowledge to understand it all, then yes, I could see it.
lucas1985
December 2nd, 2006, 03:21 PM
I agree that common sense prevents most infections. But what's common sense?
-Backup strategy
-Keep up to date OS and apps.
-Hardening
-Strong passwords
-Use of non-default settings
-Prefer third-party apps
-Reject unsolicited and unknown attachments
-Trust no executable/script
What happens if you, for whatever reason, fail? Nobody is perfect; one wrong choice and your system is infected or your backup is lost. So, a proper security setup will make most decisions and keep most malware out of your sight. You only have to make minimal, yet critical, decisions. This is different from making ALL decisions. Enter layered security. An example:
-NAT/SPI router blocks all unsolicited connections and most problematic ports
-Personal firewall (with Bluetack lists) only allows limited application access to the network and denies communication with known crap/ad sites. Changed, hijacked or unknown apps trying to access the network result in a prompt
-SiteAdvisor/Scandoo/Link Scanner Lite (I recommend this last one) advises me of bad sites before I reach them
-AV knocks out most malware before it arrives at the browser and mail client
-Firefox with NoScript only permits scripts/cookies from trusted sites.
-Thunderbird only displays plaintext mails. Links are checked with LinkScanner. Attachments are carefully checked
-Scripts and DOS executables require my approval to execute (Script Defender)
-Files sent by friends/parents/etc are scanned with local AV and Jotti/VT
-HIPS (GeSWall) keeps track of all objects and files created by isolated apps. It also denies access to confidential folders and prevents changes to registry and system files
As you can see, I don't have to make all the decisions
On the other hand, what can you say about:
-custom/targeted attacks
-BIOS rootkits
-privacy concerns
These three points scare people
BlueZannetti
December 2nd, 2006, 03:52 PM
-{ Quote: "BlueZannetti
I would firstly like to mention that while I use an AV like most, I'm not thrilled by their methods. If an antivirus company were to somehow develop an antivirus product that contained heuristics detection closely matching its signature detection, then obviously updating frequency would have much less importance. But with top heuristics detection still missing almost 50% of the time, it's not even close to signature detection, and even heuristics need updating." }- When you stop to think of the potential impact of generic signatures, the numbers on these tests may be biased somewhat towards the low side, even as a retrospective measure.
-{ Quote: "I am going to assume that you are referring to me as one of the 'obsessing' posters. But I will have to completely disagree with that statement because I am simply stating how an AV provides the most protection. It ain't 'heuristics', that's for sure. I always try to look at things from the worst-case scenario or from the high-risk/high-usage person. Obviously, for someone who spends minimal time surfing, only goes to a few trusted sites, checks a few emails from their mother, etc., it probably wouldn't matter if they used a slow-updating antivirus, because their usage dictates low risk of infection. Others such as myself are high-risk/high-usage users who, because of this usage, are more likely to encounter a situation of infection, and if a signature has not been added to the database, well, I for one don't like the odds of remaining 'clean'." }- I'm not talking specifically of you or anyone else. I'm speaking of a climate in which truly inconsequential differences in products are hyped as critical performance differentiators.
The problem with taking a pure worst case scenario of things is that one substantially overstates the real risk by ignoring the frequency of the event. Also keep in mind the specific scenario I was commenting on - one update every day or two vs. "many" (let's say hourly) updates per day.
That's not a problem if there are no negative unintended consequences (here I'm thinking mainly of layered collections of software that conflict with one another, but it could be product cost). If you make your application choice based on update frequency, set things to maximize that frequency, and go about your business, it's fairly transparent whether your setup updates 20 times a day or once a week. It happens in the background and is irrelevant to you.
If, on the other hand, you tend to spend hours looking at sites such as Jotti's, reanalyzing the same file dredged up from who knows where, waiting either for your favorite AV to cover it, or noting with glee that the competition has not and is therefore a fundamentally flawed product, extensively commenting on either side of this fence on the online forums, then I'd say that's an unproductive obsession and fairly ridiculous behavior. I've also seen it play out in many locales.
-{ Quote: "I don't think you or anyone else would use an AV that has a signature detection rate of 53%, would you? I doubt it." }- Of course, that's not what a retrospective test really says, does it?
-{ Quote: "If one was to read through the many 'HJT' security forums, and I do every day, there are 2 common themes here. First of all, many of the infected posters are using 'Norton' but obviously, market share has to be considered here. The other is that it's not like Norton is not detecting the 'Trojan', it is, but it's detecting it after the trojan has rooted itself in the system and is causing major issues. Some have to accept blame for improper configuration settings but most have it set right with auto-updating on. So the question remains - 'How the hell did it not get detected and prevented in the first place?' There is only one answer, that is 'At point of contact, there was no signature for this malware in the database'. There is now however, and that's why it's being detected now instead of before." }- I find that making inferences on how a machine was infected without having physical access to it is fairly unreliable.
-{ Quote: "So low-risk users aside, I just don't see how you or anyone else can say that update frequency should not be considered important. Do you not feel fewer infections would occur if slow-updating antiviruses made a concentrated effort to update their databases quicker?" }- I'm not saying it is completely unimportant. Revisit the specific case I commented on - once every day or two vs. multiple intraday updates.
I am saying that there is a clear point of diminishing returns. Let's consider a specific case: 4 updates per day/0% zero-day coverage vs. 1 update per day/50% zero-day coverage in which each update covers all released infections - which is the preferred solution?
Assume exposure from each piece of malware is possible within 1 hour of release, as well as coverage by a signature after 3 hours, and that malware released within 3 hours of an update is not covered by that update. You have to look at this in terms of infection-hours (i.e. the sum of the live exposure time per piece of malware, summed over all samples). I'm not about to go through the entire analysis (I used a very simple level), or the rough approximations that I made, but at 4 updates a day, you're slightly better off with the "50% heuristic" solution. Increase the update frequency to 6 times/day, and the "50% heuristic" solution is slightly worse. The 50% heuristic approach with 1 update is basically in between the 4 and 6 hr update frequency within the model I described. That's not bad, especially in view of the assumption that the pure signature approach gets a sample of the malware almost immediately and has reasonably fast turnaround. 50% coverage may look poor, but it's not.
-{ Quote: "I'm certainly no expert, but based on how antiviruses offer their best protection, I just don't see how it can be seen as not important. With 3 different HIPS programs running and the knowledge to understand it all, then yes, I could see it." }- It's in the roll of the dice. No more, no less. As for running 3 HIPS, no thanks.
Blue
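The infection-hours comparison in the post above can be made concrete. What follows is an added illustration, not code from the thread or from any vendor: it takes the post's parameters (exposure possible 1 hour after release, a signature 3 hours after release that reaches users with the next update, 50% zero-day coverage for the heuristic product updating once a day) together with one labelled reading of how they combine, so its crossover point follows only from the assumptions stated in the code, not from the post's own rough approximations.

```python
"""Infection-hours model: signature update frequency vs. zero-day (heuristic) coverage.

Added illustration for the forum discussion; every modelling choice below is an
assumption (one reading of the post), not a vendor's or the poster's own model.
"""
from __future__ import annotations

import math


def expected_exposure_hours(
    update_interval_h: float,
    sig_latency_h: float = 3.0,
    exposure_start_h: float = 1.0,
    zero_day_coverage: float = 0.0,
) -> float:
    """Expected exposed hours per malware sample (closed form).

    Assumed model:
      * release time is uniform relative to the vendor's update cycle;
      * the sample can infect from `exposure_start_h` after release;
      * a signature exists `sig_latency_h` after release and reaches users at
        the first update at or after that moment (so a sample released within
        `sig_latency_h` of an update is not covered by that update);
      * a fraction `zero_day_coverage` of samples is caught by heuristics from
        release and contributes zero exposure.
    With a uniform release phase, the wait from signature-ready to the next
    update averages half an interval, so exposure = (latency - start) + T/2.
    """
    if update_interval_h <= 0:
        raise ValueError("update interval must be positive")
    if not 0.0 <= zero_day_coverage <= 1.0:
        raise ValueError("coverage must be a fraction in [0, 1]")
    if exposure_start_h > sig_latency_h:
        raise ValueError("closed form assumes exposure starts before the signature exists")
    per_uncovered = (sig_latency_h - exposure_start_h) + update_interval_h / 2.0
    return (1.0 - zero_day_coverage) * per_uncovered


def sweep_exposure_hours(
    update_interval_h: float,
    sig_latency_h: float = 3.0,
    exposure_start_h: float = 1.0,
    zero_day_coverage: float = 0.0,
    steps: int = 20_000,
) -> float:
    """Same quantity by an explicit sweep over the release phase.

    Cross-checks the closed form and, via the max(0, ...) clamp, also handles
    the edge case where exposure starts only after the signature is out.
    """
    total = 0.0
    for i in range(steps):
        release = (i + 0.5) / steps * update_interval_h  # midpoint of each phase bin
        sig_ready = release + sig_latency_h
        covered_at = math.ceil(sig_ready / update_interval_h) * update_interval_h
        total += max(0.0, covered_at - (release + exposure_start_h))
    return (1.0 - zero_day_coverage) * total / steps


def break_even_updates_per_day(
    zero_day_coverage: float,
    heuristic_updates_per_day: float = 1.0,
    sig_latency_h: float = 3.0,
    exposure_start_h: float = 1.0,
) -> float:
    """Daily updates a pure-signature product needs to match a product with
    `zero_day_coverage` heuristics that updates `heuristic_updates_per_day` times.

    Solves (L - S) + 12/n = (1 - c) * ((L - S) + 12/m) for n, since T/2 = 12/n.
    """
    base = sig_latency_h - exposure_start_h
    target = (1.0 - zero_day_coverage) * (base + 12.0 / heuristic_updates_per_day)
    if target <= base:
        return math.inf  # no finite update rate closes the gap
    return 12.0 / (target - base)


def compare_policies() -> dict[str, float]:
    """The post's scenarios: pure signatures at 4 and 6 updates/day vs.
    one daily update with 50% zero-day coverage (exposure-hours per sample)."""
    return {
        "sig_4_per_day": expected_exposure_hours(24 / 4),
        "sig_6_per_day": expected_exposure_hours(24 / 6),
        "heur50_1_per_day": expected_exposure_hours(24 / 1, zero_day_coverage=0.5),
    }


if __name__ == "__main__":
    for name, hours in compare_policies().items():
        print(f"{name:>18}: {hours:5.2f} exposure-hours per sample")
    print("break-even updates/day for pure signatures vs 50% heuristics:",
          round(break_even_updates_per_day(0.5), 2))
```

Changing `sig_latency_h` or `exposure_start_h` shows how strongly the comparison depends on the vendor's turnaround rather than on the update count alone.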
Devil's Advocate
December 2nd, 2006, 04:27 PM
-{ Quote: "
What happens if you, for whatever reason, fail? Nobody is perfect, one wrong choice and your system is infected or your backup is lost.
" }-
Obviously there is a middle ground. You guys seem to be assuming that we 'liberals' are saying you don't need to do anything, but just use common sense.
-{ Quote: "
So, a proper security setup will make most decisions and keep most malware out of your eyes.
" }-
Yes. Except it seems to me these days security software like HIPS don't 'make most decisions', in fact they make you make *more* decisions that few are equipped to decide! One wonders if the decisions you are forced to make are that important.
-{ Quote: "You only have to make minimal, yet critical, decisions. This is different than making ALL decisions.
" }-
Very good theory no one will disagree. But as we know, short of some magic AI system, if you want to protect against all things, the best way is to inform the human and make him make more decisions. That is why HIPS are getting more bloated.
Even your setup isn't that "minimal" and forces the user to make a lot of decisions. But I guess compared to the standards here yours is considered minimal.
Whether the decisions you are forced to make are the right balance of security and usability, I have no idea.
Let me show you.
-{ Quote: "
Enter layered security. An example:
-NAT/SPI router blocks all unsolicited connections and most problematic ports
" }-
Fair enough, this one is accepted to be necessary usually by even the most 'liberal' guy.
-{ Quote: "
-Personal firewall(with Bluetack lists) only allows limited application access to network and denies communication with known crap/ad sites. Changed, hijacked or unknown apps trying to access the network result in a prompt
" }-
Decisions to be made
1) What firewall to use and how to set it up.
2) If using blacklists, which lists to use (some are overly restrictive).
3) How to respond to the prompt
-SiteAdvisor/Scandoo/Link Scanner Lite (I recommend this last one) advises me of bad sites before I reach them
Decisions to be made
1) To trust the rating on the site or not. I have seen SiteAdvisor rate perfectly innocent sites as malicious quite a few times.
-AV knocks out most malware before it arrives at the browser and mail client
Decisions to be made
1) What AV to use, what configuration
-Firefox with NoScript only permits scripts/cookies from trusted sites.
Decisions to be made
1) When to allow scripts if a site breaks.
-Scripts and DOS executables require my approval to execute (Script Defender)
Decision to be made
1) What scripts to run.
-HIPS (GeSWall) keeps track of all objects, files created by isolated apps.
Decisions to be made
1) Tons.
-{ Quote: "
On the other hand, what can you say about:
-custom/targeted attacks
" }-
No defense exists.
-{ Quote: "
-BIOS rootkits
" }-
No defense exists.
-{ Quote: "
-privacy concerns
" }-
No defense exists.
Escalader
December 2nd, 2006, 05:02 PM
-{ Quote: "Hello,
Escalader, I like firewalls - it's one of the few things I actually like. Wherever did you get the idea that I do not like firewalls? I disagree with the whole leaktest fever, though. Firewalling should be just simple control of packets.
So, again, a clarification:
Windows XP - how far back (no SP, SP1, SP2). If SP2, then firewall is a default. Which patches am I allowed to use, then? OKAY, I STAND CORRECTED YOU LIKE FIREWALLS AND USE THEM, SO BE IT KEEP WHAT YOU HAVE!
I was thinking along this line:
Windows XP SP2 fully patched with / without Windows firewall. This is the default and most common setting for the majority of systems out there. I will need a few days to set it up and of course inform my ISP that should they get a bot machine, realize it's part of a controlled test.
And yes, I do use mostly non-MS software in Windows environment.
BTW, if you read through my posts, you will realize that I claim that you need just a firewall and Firefox / Noscript to cover your security needs. I have written against mindlessly heaping tons of programs onto the system, without really knowing what they do.
My creed, if it can be called that - and in regard to my questions earlier - how many times this / that ... - makes the use of real-time protection redundant when following simple common-sense rules.
So I'm willing to test the asked-for setups. BTW, I can already tell you that I have Windows XP machines, fully patched, running only firewall for years. So, that might satisfy you. OKAY, I STAND CORRECTED YOU LIKE FIREWALLS AND USE THEM, SO BE IT KEEP WHAT YOU HAVE!
But I'll try to indulge you and try no firewall here, although this goes against my own dogma. Which brings a fairly simple issue: if there are any open ports, applications / services listening on them can be accessed remotely. If those applications / services have a flaw that can be remotely exploited, the machine can be compromised. Which brings the issue of how patched the system should be. OKAY, I STAND CORRECTED YOU LIKE FIREWALLS AND USE THEM, SO BE IT KEEP WHAT YOU HAVE! But no new tricks!
BTW, my ISP stealths the most common service ports like 135-139 etc, so the test might not be the most fair, by your terms. I don't care what your ISP does.
Lucas, yes I do a bit of online shopping and check my bank once in a while.
Mrk" }-
Oh, by the way, leave your machine on 24x7 for 31 days. So other than the Windows SP2 firewall, you have NOTHING else, right? NO AV, AMW, no other fat software screeners, everything left as is. You will visit your bank site, buy something online, play some online games, download some music, visit a travel planning site like an airline and a rental car firm. Register on a social forum, see how that all goes. I stop short of saying visit the dark side, cos that is over the top.
Devil's Advocate
December 2nd, 2006, 05:14 PM
-{ Quote: "Oh, by the way, leave your machine on 24x7 for 31 days. So other than the Windows SP2 firewall, you have NOTHING else, right? NO AV, AMW, no other fat software screeners, everything left as is. You will visit your bank site, buy something online, play some online games, download some music, visit a travel planning site like an airline and a rental car firm. Register on a social forum, see how that all goes. I stop short of saying visit the dark side, cos that is over the top." }-
What's the wager?
Mrkvonic
December 2nd, 2006, 05:15 PM
Hello,
Sorry to disappoint you, but I'm already doing that. I have several broadband accounts - including one that has an XP SP2 machine with default firewall on and FF / Noscript plugged into it. It's been on 24/7 for close to a year.
Is anything supposed to happen?
But just for fun, I'll pay more attention to that one machine, if you like. I got other machines, but they fall under cheating, as they have either anti-virus, NAT/ICS, Linux, or similar.
So, see ya in 31 days. Although it's been 331 since ... but whatever.
Mrk
lucas1985
December 2nd, 2006, 05:17 PM
-{ Quote: "
Yes. Except it seems to me these days security software like HIPS don't 'make most decisions', in fact they make you make *more* decisions that few are equipped to decide! One wonders if the decisions you are forced to make are that important.
" }-
Try sandbox/virtualization HIPS. They are the most user-friendly and provide strong protection
-{ Quote: "Even Your setup isn't that "minimal" and forces the user to make a lot of decisions. But I guess compared to the standards here yours is considered minimal.
" }-
I'm a fan of minimal setups too :thumb: But I don't think that I have to make tons of decisions
-{ Quote: "Let me show you.
Decisions to be made
1) What firewall to use and how to set it up.
2) If using blacklists, which lists to use (some are overly restrictive).
3) How to respond to the prompt
Decision to be made
1) To trust the rating on the site or not. I have seen Siteadvisor rate perfectly innocent sites as malicious quite a few times.
Decision to be made
1) What AV to use, what configuration
Decision to be made
1) When to allow scripts if a site breaks.
Decision to be made
1) What scripts to run.
Decisions to be made
1) Tons.
" }-
Firewall:
-Jetico for me. Really, it isn't user-friendly but I can deal with it. Comodo, Zone Alarm, LnS are the user-friendly ones. But in the end you have a point here: firewalls aren't ready for Joe Sixpack
-PeerGuardian default lists aren't obstructive
-Prompts: you have a point. I can deal with them but ....... ;D
LinkScanner/SiteAdvisor:
-Yes, they are prone to FPs. Unless you really need to visit a certain website you can avoid it until you can establish that it's a FP
AV:
-Common sense = informed user, so you must inform yourself about what AV to choose and how to set it up. Most of them are very user-friendly
NoScript:
-A solution to trusted sites that could get hijacked is the use of temporal permissions
Local scripts:
-Only execute scripts made by me or requested by me. Also, check them in Notepad
HIPS:
-Have you really tried GeSWall or DefenseWall?
Pedro
December 2nd, 2006, 06:20 PM
One note: Peerguardian2 sometimes is restrictive. Like blocking Opera's homepage. But of course it depends on the lists that you use.
MrK: Only one request for your test: download stuff ;). I know you say that would be the user's shot in the foot, but let's face it, people download things, right? It's part of the online experience. A Windows theme for a cleaner environment, software that reads RSS, or a new media player that plays everything without extra codecs, etc. People will download stuff, I do, and the argument of the safe surfer doesn't cut it most of the time; it WILL depend on the user's preferences.
And a question: I hear some sites, bad ones, do things without user intervention (not worried, note, but just a doubt). The best way would be NoScript? Or do I need a sandbox still to be on the safe side? (try to make a different approach lol) ;D
Cheers
Escalader
December 2nd, 2006, 07:34 PM
-{ Quote: "What's the wager?" }-
Good point. Mrk should download things as usual; I should not have assumed he wouldn't do that. But this is Mrk's test, not yours or mine, and he needs a wager? He didn't mention it! So there isn't one.
But here are the commitments:
He has promised to run his counting questions through the forum as a poll
He runs the "unprotected" machine as he normally does, not just set it up and walk away for 31 days... we have trust in his honesty, at least I do.
His philosophy is we don't need all these fat screeners and hips etc, just
FF and windows xp sp 2 with firewall. Default settings across the board.
So in 31 days he reports back with the evidence that we need to support his thesis that these tools are part of a vast right wing conspiracy to wring money and create FUD. (Fear, Uncertainty and doubt)
If he proves his point we can all save if not money then at least cpu footprints. I for one hope he is right.
phasechange
December 2nd, 2006, 10:57 PM
frankly if you have a firewall (and ideally use Opera/FF) then you are pretty safe if you stay away from porn/warez sites. I wouldn't wager anyone anything other than chances are a month protected by a firewall and good behaviour will not result in any infections.
Hell my antivirus rarely has anything to squeal about!
Devil's Advocate
December 3rd, 2006, 01:06 PM
-{ Quote: "Try sandox/virtualization HIPS. They are the most user-friendly and provide strong protection " }-
2 years ago, everyone on this forum knew that PG and its cousins were the cure to malware and that the days of AV were doomed. Right now, it seems everyone thinks sandboxing is. I wonder what we will think 2 years from now.
:)
-{ Quote: "
-Jetico for me.
" }-
Jetico? Is that version 1 or 2? Never mind, either way, when I think of Jetico (or Comodo) firewall, the first thing that comes to my mind isn't minimalist. You almost pack a HIPS in there.
-{ Quote: "
-Prompts: you have a point. I can deal with them but ....... ;D
" }-
So much for claim about making few and critical decisions. lol.
-{ Quote: "
HIPS:
-Have you really tried GeSWall or DefenseWall?" }-
Yes. Geswall forces more decisions than defensewall or Sandboxie in my book.
Devil's Advocate
December 3rd, 2006, 01:12 PM
-{ Quote: "Good point. Mrk should download things as usual I should not have assumed he wouldn't do that. But this is Mrks test, not yours or mine and he needs a wager ? He didn't mention it! So there isn't one.
" }-
Chicken. ;)
-{ Quote: "
He runs the "unprotected" machine as he normally does, not just set it up and walk away for 31 days... we have trust in his honesty, at least I do.
" }-
But mrk is an advanced user, he uses linux for pete's sake, of course he will be able to protect his computer!
I don't think it settles anything unless you think you are as expert as he is at computers.
Mrkvonic
December 3rd, 2006, 02:18 PM
Hello,
I'm not an expert. I have no diploma to qualify me as expert. But I love computers and I love to learn new things all the time. That's all. Linux use does not make me an expert. It makes me a geek. But that's who I am...
Mrk
Devil's Advocate
December 3rd, 2006, 02:53 PM
-{ Quote: "Hello,
I'm not an expert. I have no diploma to qualify me as expert. But I love computers and I love to learn new things all the time. That's all. Linux use does not make me an expert. It makes me a geek. But that's who I am...
Mrk" }-
Expert, advanced user whatever. The point is lots of people don't know as much about computers as you.
Crashtest Dummy
December 3rd, 2006, 03:29 PM
Just so I understand the fine print, what is a win and what is a loss in this challenge?
If the worst happens, and Mrkvonic suffers an intrusion, then will this mean he loses the challenge because his thinking is wrong? Will this mean that his thinking was right, his practice was wrong?
What will be the practical outcome if he wins the challenge? Let's say on the basis of having no intrusion we can fairly define as a threat to the OS or data.
How will you package that, in such a way, that new users can be certain that their knowledge of this methodology will always be up to date? That the services and ports they have covered today will be the services and ports they must cover tomorrow?
CTD
Devil's Advocate
December 3rd, 2006, 05:50 PM
You are right crash dummy.
If nothing happens it just means Mrk is lucky and it doesn't apply to future threats anyway,
If something happens, he is definitely wrong.
BlueZannetti
December 3rd, 2006, 06:21 PM
-{ Quote: "2 years ago, everyone on this forum knew that PG and it's cousins was the cure to malware and that the days of AV was doomed." }-Well, it just goes to show how wrong we can be, either in an overall sense or with respect to timing.
I didn't think that the days of AV's were doomed, but I did believe that classical AV's would be more stressed than they seem to be and that these types of programs would have offered a viable remedy to that stress. I expected them to have a much larger presence in the general market, either directly or through functional incorporation into suites, than they currently appear to have. I also thought that they would have evolved to be much more friendly to casual users over time. In some respects, some offerings are going the other way. My forecasts are about as good as those by a weatherman on the weather.
At some point the generalized enumerate-bad approach of classical AVs may run into performance problems due to the sheer size of the databases that they have to employ. There certainly are ways around this part of the problem. However, the geometric rise in the appearance of new infectious malware remains, as does the question of whether this will overwhelm the malware analysts. There are approaches to assist here (i.e. F-Prot's Maximus), but the simple mathematics of the situation clearly puts a bit of burden on the vendors. Some fallout has occurred with the smaller houses, but that hasn't openly translated as yet to the larger vendors.
The critical question, then and now, is whether a broader impact occurs and when does that happen. I borrowed the plot below from a school report my son did looking at malware growth rates and updated entries to include the last year or so to make it current as of today. He used the KL database since it is probably the most comprehensive around and there was also a long line of readily available data. There are a couple of points contained therein: Right now malware still seems to be growing at a stable rate with the current branch now almost 2 years old. Bear in mind that the plot is logarithmic, so that growth in actual numbers is geometric.
In the three branches shown (the breakdown is statistically valid), the doubling time has dropped from 36.0 to 29.0 to a current value of about 20.8 months. This is a fair amount of time to make plans and implement adjustments, but it also represents a fairly sizeable acceleration over the past 6 years.
Down the road, one item ultimately looming out there for HIPS developers is the Vista PatchGuard. If one develops software, is it a good idea to subvert active measures taken by the OS for protection?
-{ Quote: "Right now, it seems everyone thinks sandboxing is. I once what we will think 2 years from now." }-My own belief - anything that automatically wipes the slate or even part of the slate clean won't fly for the average user. If it doesn't fly for the average user, or a large specific population (e.g. schools, public access PC's, businesses), it won't fly. It can get launched and garner buzz, but that's it. Sandboxes work well in machines where the usage context is aligned with what a sandbox (or virtualization) does - eliminating the footprints of the prior user. This doesn't appear to be the usage context of typical home machines, but is the context of public use machines, so there is a clear current market. Can the approach be adapted to be more in line with home PC usage? Probably. Would this adjustment gain traction in this market? I have no idea.
As for classical AV's, the dilemma is that casual users simply cannot discern good from bad, they don't have the expertise, nor will they acquire that expertise. They have to rely on someone who does - namely an AV analyst - and that need will always be present as long as unvalidated content and executables can be downloaded and run on a machine. The need will always be present, it's really just a matter of what form it will take. Given that one can make the case for AV's remaining viable, is there room for additional discrete applications to thrive? We may speak of layering, but the market seems to prefer single provider solutions. In that case, viable alternate approaches (e.g. HIPS) simply get merged with the existing AV platform - KIS is a potential example of this, as are most other suites and Norton 360.
As for HIPS, I actually think Mrkvonic's suggestion (http://www.wilderssecurity.com/showpost.php?p=895372&postcount=14) is one of the better ones I've seen. It is similar in philosophy to AntiExecutable, though somewhat less draconian and focused differently. It is also similar to an explicit suggestion I made to one HIPS vendor a while ago - minimize the pop-up issue by allowing a user to declare or certify, e.g. by a comprehensive scan for malware, their system healthy and whitelist the entire set of executables present on the machine. Does this have potential issues - sure, but they can be dealt with.
Where does it all go? I have no idea, but I do believe that users do need to keep any solution(s) they implement effective, understandable, and parsimonious.
Anyway, those are just my own thoughts at the moment.
Blue
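The "certify the machine healthy, then whitelist every executable on it" idea from Blue's post can be shown concretely. This is an added example, not the page's code and not any HIPS vendor's implementation: take a SHA-256 inventory of the executables under a directory tree once, then diff the tree against that inventory later to find what appeared, changed or vanished. The function names, the extension set and the sample files created in demo() are my own constructions, not anything from the thread.

```python
"""Baseline-and-diff whitelist for executables.
Added example for this thread; names and the constructed sample tree are the
author's of this example, not the page's or any vendor's."""
import hashlib
import tempfile
from pathlib import Path

# Assumed set of file types treated as executable. A PE file is also recognised
# by its "MZ" magic so a renamed binary is not missed by extension alone.
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com"}


def is_executable(path: Path) -> bool:
    if path.suffix.lower() in EXEC_SUFFIXES:
        return True
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map relative path -> SHA-256 for every executable under root."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and is_executable(p):
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def check_baseline(root, baseline: dict) -> dict:
    """Executables that appeared, changed or vanished since the baseline was taken."""
    current = build_baseline(root)
    known = set(baseline)
    seen = set(current)
    return {
        "new": sorted(seen - known),
        "modified": sorted(k for k in seen & known if current[k] != baseline[k]),
        "removed": sorted(known - seen),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then drop and alter files in it."""
    with tempfile.TemporaryDirectory() as root:
        app = Path(root, "app")
        app.mkdir()
        (app / "tool.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (app / "readme.txt").write_bytes(b"not executable")
        Path(root, "helper.dll").write_bytes(b"MZ" + b"\x01" * 64)
        baseline = build_baseline(root)
        # What a whitelist-based HIPS would be expected to flag afterwards:
        (app / "tool.exe").write_bytes(b"MZ" + b"\x00" * 63 + b"\xff")  # patched in place
        Path(root, "updater.exe").write_bytes(b"MZ" + b"\x02" * 64)        # unknown binary
        Path(root, "dropped").write_bytes(b"MZ" + b"\x03" * 8)             # PE without extension
        return check_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline is only worth as much as the scan that preceded it: if the machine was already compromised when the inventory was taken, the malware is whitelisted along with everything else, which is the kind of potential issue Blue alludes to. A HIPS built on this would also have to keep the baseline file out of reach of the processes it polices, and because this version keys on path as well as hash, a known-good binary copied to a new location shows up as "new"; a stricter policy keys on the hash alone and treats any unlisted hash as blocked.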
Escalader
December 3rd, 2006, 07:06 PM
-{ Quote: "Chicken. ;)
But mrk is an advanced user, he uses linux for pete's sake, of course he will be able to protect his computer!
I don't think it settles anything unless you think you are expert as he is at computers." }-
HI Devil's Advocate:
This is not a pis...ing contest about who knows more or less on computers, although sometimes we sound a bit like we are lecturing each other, don't we?
I come here to learn and contribute ideas help where I can and YES issue silly challenges sometimes to make life more interesting.
Mrk says he is running his test PC under windows xp sp2, not linux. The point is not who gets what at the end bet wise. Mrk has promised to accept the conditions of the test to "prove" we don't need all these fat packages to filter, reject, scan, whatever. His task after 31 days is to report back after the test with the proof of his theories. Why not wait till it's over and you read his results. Then as per usual we can all fire at will. I for one do not fear the test nor that he will in some way "cheat". He is an honest expert, let him alone till done
BlueZannetti
December 3rd, 2006, 10:03 PM
-{ Quote: "Mrk has promised to accept the conditions of the test to "prove" we don't need all these fat packages to filter reject scan what ever. His task after 31 days is to report back after the test with the proof of his theories. Why not wait til it's over and you read his results. Then as per usual we can all fire at will. I for one do not fear the test nor that he will in some way "cheat". he is an honest expert let him alone till done" }-Escalader,
The problem with this test scenario is that it really isn't what people are, or should be, guarding against - at least with respect to the proposed timescale.
Mentally this test presupposes a continual flood of challenges. That's consistent with a fair number of posts here and elsewhere which parse out vendor response times to the nanosecond and differences in scan statistics to 0.01% relative - frankly I view worrying to this level of fine structure as surreal.
If you want a real test, be prepared to carry it out for a year or two. That's the timescale that seems most appropriate based on my personal experience. The problem is not a constant flood of exposure reaching your PC, it is that single infection on a rather infrequent basis.
I know. Read through the security sites and you'll note that firmware rootkits are probably crawling through the flash memory on your video card, boring a hole directly to the MBR on your HDD. That's a little too close to the science fiction aisle for me. Let's head back to nonfiction, get a grip, and deal with reality for a moment.
Some of these more, shall we say, elaborate constructs do have a valid purpose. An infrequent event should not be dismissed as a minor issue. I'm sure you'd take some measures if your hard drive could be expected to get blown away every couple of years..., OK - most of us have to actually go through that once to develop a plan. Based on what you use a PC for, that plan could be anything from simply having the install CD's/sources/serial keys/etc. at the ready in a designated location if they are needed, to a formally scheduled periodic system backup to an external HDD or other archival medium. Both approaches work quite fine but reflect somewhat different needs and desires. They're solutions to the same failure in different contexts. So it is with security. Needs can run the gamut from 1 AV and maybe a router (or perhaps the other way around) to less than a handful of dedicated applications. Same goal, different needs.
Do we need all of these fat packages as you put it? Absolutely not, but most of us are better off with one or some of them, appropriately chosen. If you don't feel comfortable choosing, you'll probably err on the side of caution. The extremely risk averse may feel better with a tad heavier coverage. A few may actually need an industrial strength solution, but let's focus on the mainstream, it's where most of us reside.
Blue
Mrkvonic
December 3rd, 2006, 11:33 PM
Hello,
Just a quick example why fat packages won't work. Recently, I used CCleaner for regular temp-files cleaning maintenance. A fine program, which I trusted and used for years. But the particular build had an issue and semi-broke my winsock. Now, regardless of what security package you use - you'd allow it - and get nailed. That's the problem.
If at all, we need packages to defend us from seemingly trusted and good. The bad ones get filtered instantly. Beware the wolf in sheep's fold.
My greatest "fear" is that something good might go wrong. Not that I'll download a keygen.exe and run it.
Mrk
BlueZannetti
December 3rd, 2006, 11:50 PM
-{ Quote: "Hello,
Just a quick example why fat packages won't work. Recently, I used CCleaner for regular temp-files cleanng maintenance. A fine program, which I trusted and used for years. But the particular build had an issue and semi-broke my winsock. Now, regardless of what security package you use - you'd allow it - and get nailed. That's the problem." }-Mrk,
That's not a "and get nailed" scenario any more than getting hosed using an unfortunate beta build is. There's a real difference between malware and unfortunateware. Although I would agree with the likely rejoinder that a casual user will be hard pressed to notice that difference. In any event, it's a 30 second fix.
Blue
Mrkvonic
December 4th, 2006, 12:46 AM
Hello,
I should have used better terminology. What I meant is that many times when a user is convinced in his actions, he will deliberately disregard logic in order to achieve his goal. Unless that user lives in a constant state of doubt or trust no one - in which case the online experience is somewhat less pleasant.
Mrk
tobacco
December 4th, 2006, 01:03 AM
OH!OH!
Infected Already?.
Mrkvonic
December 4th, 2006, 01:36 AM
Hello,
I doubt it, as this is not the test machine.
Mrk
Ilya Rabinovich
December 4th, 2006, 07:47 AM
From my point of view, the malware danger is a little bit overrated, but not very. The main reason for it is that journalists are, mostly, novice users who don't install security fixes and use Outlook and IE. Naturally, when they have problems with malware, a new article comes out with "AHHHH! VIRUSES!!!!! BEWARE!!!!! HACKERS WILL BLOW YOUR HARD DRIVE AND SCREW YOUR MIND!!!". Also, AV companies spend huge marketing budgets on new "right" articles, TV shows and "right" comparative reviews in magazines and online.
BUT! Malware is a business. With offices, staff, investors and so on. That is why it will keep growing, it will keep finding new exploits, producing new malware undetectable by AVs, and the number of undetectables will grow from day to day. The effectiveness of traditional AVs will fall, regardless of the quality of heuristics and the average time between virus base updates. Retrospective tests already don't show the real situation, because I see a lot of people asking for help with HJT logs even with KAV/NOD32 AVs running.
Only preventive behaviour-based defense may solve the problem. That is why it is very important to create a behaviour-based HIPS for novice/average users that is extremely easy to use and to learn, but strong.
Mrkvonic
December 4th, 2006, 08:14 AM
Hello,
Well, Ilya, you sure are on the right path. Simplicity is the key.
Mrk
Escalader
December 4th, 2006, 09:46 AM
Mrk, BlueZannetti, Ilya Rabinovich, tobacco, Devil's Advocate, Crashtest Dummy and all other interested parties,
I'm the silly guy who issued Mrk the challenge to run "naked" under windows xp sp2 for one month to get him to ante up his own PC to test his theories.
Blue: You want a longer test, sure why not but why not wait 31 days and say that then, have you rejected the results and learning Mrk may very well provide us? I'm sure you have not.
I have my own "fat" packages in place in the interim and until it is proven that I don't need then they will remain fully updated active and set to aggressive mode. No one can force us to change anything. But all I can say is wait for the results. Be patient.
Ilya: I'm not a journalist, and over the last year got 1 Trojan and BD filtered out a couple of viruses. But you are right I think the hype is real.
tobacco, ha, you seem ready to cheer a Mrk failure, wait for his report!;D
Mrk: Just a piece of advice during the test, wait 31 days yourself before reporting, let all the evidence accumulate. You have many PC's so to avoid confusion don't report on things going wrong with them, people will draw wrong conclusions.
I am not trying to censure you, just say the test is underway, will report later. By the way, have you actually started yet? We need to know when the clock starts. You should post when you start, with a timestamped list of all running programs on test machine. With all these guys waiting to pounce, transparency on your part is best plan.
Log your activity on test machine, so you can't be charged with letting it remain idle for 31 days. Remember use it email, surf as you do normally , download stuff, music, games, register on a forum, do some banking. Use test machine as your default PC. Would you be able to NOT use your other machines? If you felt you had to do something off the test machine, your reasons for that should be part of the test.
Good luck, let us know when you start via your transparency posting. Include anything else I should be geeky enough to ask for!
Your Celtic Friend
BlueZannetti
December 4th, 2006, 10:21 AM
-{ Quote: "I'm the silly guy who issued Mrk the challenge to run "naked" under windows xp sp2 for one month to get him to anti up his own PC to test his theories." }-Not silly at all. Facts, even isolated ones, can trump pure speculation as long as the limits are well appreciated.
-{ Quote: "Blue: You want a longer test, sure why not but why not wait 31 days and say that then, have you rejected the results and learning Mrk may very well provide us? I'm sure you have not." }-Again, based on my personal experience, which, with large and small computers, runs for almost 35 years, I believe Mrk's thoughts are correct in general. This has included very extensive periods of running machines completely unprotected myself. Most users frequenting security sites are secured to the hilt. That's absolutely fine in my book as long as:
- The user understands this and is therefore not surfing in a constant state of anxiety waiting for the next malware shoe to drop or the next perfect solution to come around the corner.
- They have a solution that addresses more problems than it creates.
- They have a rough idea of the role of all the components used and therefore do not address one issue 10 times, leaving 9 other issues open.
- They understand no solution is absolutely perfect. There is a time dependency to coverage and a user can always end up overruling the protections to their detriment.
- One size does not fit all.
-{ Quote: "I have my own "fat" packages in place in the interim and until it is proven that I don't need then they will remain fully updated active and set to aggressive mode. No one can force us to change anything. But all I can say is wait for the results. Be patient." }-You shouldn't look at this as proof one way or the other. It's one data point, from one client, providing a snapshot in time. As with any situation involving a statistical element, one can only speak of probabilities. In this case, there are two possible outcomes, "infected" or "not infected" where I'm using the terminology somewhat loosely. If Mrk becomes "infected", all you can say is that the likelihood of infection is not zero under the conditions employed.
If Mrk does not become "infected" all you can say is that the likelihood of infection is not 100% under the conditions employed.
In other words, only one of the constraint boundaries (100% infection rate or 0% infection rate) is ruled out, the other constraint boundary is not ruled in, and the large field in the middle is not addressed.
By the way, I hope both you and Mrk do not feel I am taking either of you to task on this. It's a very useful discussion to have and I hope any lurkers are learning from it.
Regards,
Blue
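Blue's point that a single 31-day run rules out one boundary (0% or 100%) and says nothing about the middle can be put in numbers. This is an added example, not from the thread: an exact binomial (Clopper-Pearson) interval for the per-run infection probability after k infections in n runs, plus the number of clean runs needed before the upper bound drops below a chosen target. It treats every run as an independent trial with the same infection probability, which is an assumption of mine and a simplification of the "rare single event" picture Blue describes; the function names are mine as well.

```python
"""What k infections in n test runs do and do not tell you about the infection rate.
Added example for this thread; independence of runs is an assumption, names are mine."""
from math import comb


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def clopper_pearson(k: int, n: int, alpha: float = 0.05, tol: float = 1e-9):
    """Exact two-sided (1 - alpha) interval for a proportion after k hits in n trials.
    Bisection on the binomial CDF, which is monotone decreasing in p."""
    lo, hi = 0.0, 1.0
    if k > 0:
        # Lower bound: the p at which P(X >= k) = alpha/2, i.e. P(X <= k-1) = 1 - alpha/2.
        a, b = 0.0, 1.0
        while b - a > tol:
            m = (a + b) / 2
            if binom_cdf(k - 1, n, m) > 1 - alpha / 2:
                a = m  # p still too small
            else:
                b = m
        lo = (a + b) / 2
    if k < n:
        # Upper bound: the p at which P(X <= k) = alpha/2.
        a, b = 0.0, 1.0
        while b - a > tol:
            m = (a + b) / 2
            if binom_cdf(k, n, m) > alpha / 2:
                a = m  # p still too small
            else:
                b = m
        hi = (a + b) / 2
    return lo, hi


def clean_runs_needed(target: float, alpha: float = 0.05) -> int:
    """Smallest n such that n infection-free runs push the upper bound on the
    per-run infection probability below `target`. With k = 0 the Clopper-Pearson
    upper bound has the closed form 1 - (alpha/2) ** (1/n)."""
    n = 1
    while 1 - (alpha / 2) ** (1 / n) > target:
        n += 1
    return n


if __name__ == "__main__":
    print("one clean month:", clopper_pearson(0, 1))
    print("one infected month:", clopper_pearson(1, 1))
    print("clean months for upper bound < 10%:", clean_runs_needed(0.10))
```

With k = 0 and n = 1 the 95% interval is [0, 0.975]: a clean month leaves every per-month infection rate up to 97.5% on the table, which is the "large field in the middle" Blue mentions. Pushing the upper bound below 10% takes 36 clean runs, in the same ballpark as the year or two he asks for, and a single infected month gives [0.025, 1], which likewise only excludes the "never" corner.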
Mrkvonic
December 4th, 2006, 11:23 AM
Hello,
Escalader, I have quit my job to run the test.
Joking. I have already begun it.
In the following month, I'll do the following on the test machine:
Install eMule and download music / movies (70% porn). Any legal issues pertaining to this issue should be addressed to Escalader - as in the Devil made me do it.
Do a few IM sessions with friends abroad using Skype and Gaim.
Register to a porn site using a dedicated address that I will create for this purpose, naively thinking I'll be granted access to "high-quality" stuff.
Download images of porn actresses (and actors ... joking) and celebs from various sites.
Download a few short porn movies from various porn sites.
Download a few programs that I might need and install them, e.g. IrfanView or 7-Zip.
Install a game and play online.
Buy a book on Amazon.
That's it, I think.
Now, the point of my test is NOT to make you stuff using your favorite programs. No.
The point is to show you that you can ENJOY the Internet without constantly fearing violation. Life is too good to waste on worrying about alien attacks.
After I finish the test, I'll install Spybot, Ad-Aware, Ewido, A2, SuperAntiSpyware and run full tests. Install AVG, Avast and Antivir, one at a time and run full tests. Run online tests like Panda, Trend-Micro and Kaspersky. Download BitDefender free and ClamWin and run full tests. Use UnhackMe, Icesword and Rootkit Revealer. Boot from Knoppix, Helix and Bart live CDs and inspect the machine.
Satisfied?
BTW, a quick teaser, do you think that I normally do things much different than what I described above? Yes, I do have machines with anti-virus and yes I do have machines with other firewalls, including Comodo, Kerio 4.2.3 and some others, but mainly for testing purposes. And pure fun of a geek who loves to play with software.
That's the point. Use any setup you like. But because it gives you joy and fun. Not as the ultimate protection against total doom.
If we were to live our lives with the same amount of caution we invest in computers, our lives would be:
Backup and imaging - full life insurance + a clone somewhere.
Anti-virus - full NBC inoculation.
Firewall - full kevlar vest.
Anti-phishing and anti-pharming - a lawyer and an accountant always tagging you.
HIPS programs - a whole bunch of advisors following you around.
Anti-spyware and anti-trojan - James Bond for bodyguard.
Anti-rootkits - portable enema dischargers.
Just think about it. Only the President of USA may qualify with the above. Yet, with computers, which are nothing but dumb machines that die every 4-5 years without any intervention, we pile up security like mad.
Once you start enjoying the computers, you'll branch into more adventurous parts. You'll start tweaking the little things that make all the difference. Then you'll try Linux. And then you'll fall in love.
All the HIPS in the world cannot compare to 5 minutes of command line in Linux.
Mrk
P.S. Escalader, I cannot ONLY use the test machine, as I have to work, update my website with new articles, have a daily fix of Linux and VMware, and a few more things. Not to forget the wife, who has her own games to play.
Old Monk
December 4th, 2006, 12:06 PM
Just have to say Mrk - great post in a great thread.
Love the analogies :thumb: very funny.
Can't wait for the test period to be over and you give us the results.
As Blue suggested, I'm lurking and learning :lurking:
Crashtest Dummy
December 4th, 2006, 12:17 PM
-{ Quote: "Just have to say Mrk - great post in a great thread.
Love the analogies :thumb: very funny.
Can't wait for the test period to be over and you give us the results.
As Blue suggested, I'm lurking and learning :lurking:" }-
Agreed - except:-
-{ Quote: "computers, which are nothing but dumb machines that die every 4-5 years without any intervention, we pile up security like mad." }-
I don't protect circuits with built in redundancy. I protect the integrity of my data.
AJohn
December 4th, 2006, 04:17 PM
They do want in my PC, but I cannot let them do so. Even if They get in, they must not get back out.
Escalader
December 4th, 2006, 05:57 PM
Mrk:
I'm more than satisfied, you plan to do more than I ever would if carrying it out!
Sorry you had to quit your job, (joking) but I'm even sorrier I had to install a lawyer on my hard drive spindle...
Far be it from me to stop you from your Linux fix. IBM is going that way, so you must be right!
Enjoy the test.... seems I wasn't as silly as feared!
Your Celtic friend
PS to all lurkers, Blue didn't take us to task, he just has the nerve to comment, I like his comments. Maybe he should visit the same sites Mrk is with screens up! As a control we should really have another tester or 2 any takers? Or are you all just talkers? ;D
Rmus
December 4th, 2006, 07:45 PM
-{ Quote: "But I'll try to indulge you and try no firewall here, although this goes against my own dogma." }-Hello Mrk,
I can predict that if your ports are closed, you won't have a problem. You might remember a discussion on this last year, and I ran for four days simulating no firewall ( I'm sure it could be 40 or 400 days with the same result):
Firewall Test (http://www.urs2.net/rsj/computing/tests/fw_test)
This, of course, relates to a firewall's inbound protection as a packet filter (outmoded definition of a firewall, I know...)
To monitor outbound protection, a software firewall or some type of application monitoring is necessary if you are concerned that you might get infected, which you are not, and you won't, I'm sure!
Good success with your test!
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
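Rmus's claim that closed ports mean no inbound problem is something you can verify rather than take on faith. This is an added example, not his firewall test and not the page's code: a plain TCP connect check that reports, per port, whether a handshake completed (open), the stack answered with a reset (closed), or nothing came back within the timeout (filtered, which is what a packet filter in front of the port produces). It is run here against loopback with one socket deliberately listening and one port deliberately closed, so the expected answer is known. Function names are mine.

```python
"""Is anything answering on a port? Connect check with open/closed/filtered verdicts.
Added example for this thread; not Rmus's test. Names are the example author's."""
import socket
from typing import Dict, Iterable


def probe_port(host: str, port: int, timeout: float = 0.25) -> str:
    """One TCP connect attempt. 'open' means a listener completed the handshake,
    'closed' means the stack sent RST (nothing listening), 'filtered' means no
    answer at all within the timeout, which is what a packet filter produces."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError:
            return "unreachable"


def scan(host: str, ports: Iterable[int], timeout: float = 0.25) -> Dict[int, str]:
    """Verdict for each port in `ports` on `host`."""
    return {port: probe_port(host, port, timeout) for port in ports}


def demo() -> dict:
    """Constructed check on 127.0.0.1: one socket listening, one port known to be closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # kernel picks a free ephemeral port
    listener.listen(1)
    listening_port = listener.getsockname()[1]
    # Borrow and immediately release another ephemeral port so we know it is closed.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        result = scan("127.0.0.1", [listening_port, closed_port])
    finally:
        listener.close()
    return {"listening": result[listening_port], "closed": result[closed_port]}


if __name__ == "__main__":
    print(demo())
```

Run from the machine itself this only shows what the loopback stack sees; to reproduce the inbound test Rmus describes, call scan() from a second box against the external address. The closed/filtered distinction is the useful part: both are safe from the "unsolicited inbound" angle, but only "filtered" tells you a packet filter is actually in the path, while "closed" tells you the port reached the OS and the OS simply had nothing listening. Outbound monitoring, the other half of what Rmus mentions, is a different measurement and is not what this shows.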
herbalist
December 4th, 2006, 09:09 PM
Mrkvonic,
I can agree with most of what you've said. I consider myself to be paranoid when it comes to computer security and privacy, which is why I stay with rule based software and avoid XP. I guess it depends on how you define paranoid. Where does paranoid begin and security conscious end?
Regarding your questions:
-{ Quote: "How many times have you had your computer port-scanned?
How many times have you had your anti-virus trigger an alarm?
How many times have you had your HIPS warn you about some strange process going on while browsing / chatting / gaming etc?
How many times have you had an anti-whatever pop an alarm?" }-
1, I don't know. Shut off the alerts for those long ago. Used to get 25 or more alerts for port scan daily, and that was while using dialup.
2, Not very often, and 75% of those were false alarms.
3, A couple times when I was installing software, SSM alerted me to its trying to add "run" or "runservice" entries I didn't expect to see with the particular type of software I was installing. Other than that, no alerts.
4, I have seen occasional outbound connection attempts when installing or testing software. Once in a great while, Script Sentry alerts on an .hta. I don't run any other anti-whatever. Gave up on them long ago.
-{ Quote: "Why do you think it's important that anti-virus programs update within an hour or three times daily and not one a day or every 48 hours? Why is that so crucial?" }-
That's more paranoid than I am. I update my AV scanners every couple of weeks or so.
-{ Quote: "Why do people think they need special software just to conduct online banking or shopping activities?" }-
Only "special" software I use for this is encryption. I keep financial records in an encrypted container. Other than that, nothing changes.
-{ Quote: "Why do you think firewall must be able to defeat the system processes of the very system they are installed in?" }-The question needs to be more specific. I use the firewall to prevent software and system components from accessing the web. My core system processes don't need internet access, and the net sure doesn't need access to them. Are you referring more to the HIPS and hook control components of firewall suites with this question or is this about the internet firewall component?
-{ Quote: "Why do you want to use HIPS programs when your knowledge of how system works is limited to high-level processes?" }-
What do you consider to be "high-level processes"? How is one supposed to answer this question? While I'm no expert, I do have a fair understanding of the processes on my system and the functions they perform, and I am still learning.
-{ Quote: "there is a proof-of-concept code that can turn any song into Shock The Monkey by Peter Gabriel in mp4 format" }-
That's terrible!! Where's the patch for this? I've got a work-around that will convert it into Pink Floyd-Echoes. :P
Seriously, I see your point regarding "proof of concept" code. Can I assume that this primarily refers to potential new exploits or new ways of using older ones? Someone proves that a specific attack may be possible and people get worried. The problem here is that sometimes that "proof of concept" is demonstrated as an actual attack. Remember Slammer? I try (unsuccessfully) to keep up with the new exploits and proof of concept code, and see which ones can affect my system. I almost have to. Microsoft isn't patching my OS anymore so I have to do what I can. Fortunately, (or not, depending on your point of view) much of this boils down to separating real threats from exaggeration or fiction. Example, the wmf exploit and 98. It was used as a scare tactic on 98 users when 98 wasn't vulnerable to the exploit, at least not in the form it was released. That aside, with no patches being issued, SSM is pretty much the only way I can try to offset new exploits. Time will tell how well it does at this. BTW, I liked your description of HIPS with Windows.
-{ Quote: "Call it WinLinux if you like, this is how I see HIPS." }-
That's a pretty good description of how HIPS should be used. IMO, that's pretty much the only way users have a chance of actually securing windows, or as close to securing it as is reasonably possible.
-{ Quote: "I find the trend a bit ... disturbing. While awareness is good, unreasonable fear is as much counterproductive as the acknowledgement of possible dangers." }-
Are you referring to the forum threads or the way security-ware is marketed in general? The marketing is definitely playing on users' insecurities and lack of knowledge. Calling some of it scare tactics would be an understatement. Then again, the majority of PCs are infected with something. Depending on whose figures you use, somewhere between 66% and 91% of all PCs are infected with some kind of undesirable code. It's clear that most users haven't taken PC security seriously enough, although I don't agree with vendors using scare tactics. The best answer would be a better operating system, but Windows dominates so the problem continues.
As for paranoia and the forum threads, a definite trend is there. One user gets told they're using too many anti-spyware apps while another wants to see how many HIPS can run on one system at the same time. Then the vendors get blamed because their HIPS is conflicting with something else on these nightmare security setups. I hate seeing posts where new or inexperienced users are told to install more than one HIPS, especially when they don't know how to configure one properly. Paranoia is installing security apps on top of security apps and not taking the time to learn and configure them properly, which leads to this point raised in the original post.
-{ Quote: "I think that sentences like >
... xxx ... keeps you safe from hackers and malware
... malware tries to get in
... rootkits are becoming more and more prevalent" }-
First sentence, very generalized, says nothing of consequence.
Second sentence, not the normal way it works, but does happen. Exploits turn up where the user doesn't expect them.
Third sentence, basically true but does nothing to educate the user.
I'd like to see security-ware vendors make their sites more educational for users, especially in regards to user behavior and how certain behaviors increase their risks, instead of spreading FUD. Better yet, I'd like to see every new PC direct the user to a good security site with solid advice when they first go online with it. Since that doesn't pad anyone's wallet, it won't happen.
Forum posts are another problem when choosing terms. A term that's over-simplified to one reader isn't understood by another. While an advanced user knows that malware doesn't just slip into your system, it's about impossible to explain to a new user in a forum post or 2, even with long-winded posts like mine, all the ways it does get in. How do you deal with a subject like exploits and vulnerabilities without naming specific ones? If you don't name something specific, the post is of no interest to a more experienced user and doesn't contain anything that helps with configuring a piece of security-ware to deal with them. As soon as you name a specific exploit or vulnerability, you start going beyond the average user's level of knowledge. The typical user has no idea what a privilege escalation or a remote code execution vulnerability is. What's the best way to say that HIPS can be used to defend against such exploits? How do you explain to an average user why something works without writing a book that bores the advanced user?
Rick
Devil's Advocate
December 5th, 2006, 07:47 AM
-{ Quote: "Hello Mrk,
I can predict that if your ports are closed, you won't have a problem. You might remember a discussion on this last year, and I ran for four days simulating no firewall ( I'm sure it could be 40 or 400 days with the same result):
Firewall Test (http://www.urs2.net/rsj/computing/tests/fw_test)
-rich " }-
Forget closed ports (he's doing p2p right?). In fact, unless we know there is some lurker really determined to teach Mrk the error of his ways, the firewall probably won't come into play. Those simple-minded worms aren't going to hurt him, fully patched as he is.
I predict he will get hacked, by some zero day exploit through his browser, that does not utilize javascript.
Even if he surfs only safe sites, the site will be hacked, or the adserver will be hacked, and serve him the exploit.
BlueZannetti
December 5th, 2006, 07:53 AM
-{ Quote: "I predict he will get hacked, by some zero day exploit through his browser, that does not utilize javascript.
Even if he surfs only safe sites, the site will be hacked, or the adserver will be hacked, and serve him the exploit." }-DA,
You do need to place that tongue firmly and publicly in cheek for the casual readers.
I admit, parsing through many threads here would seemingly result in that being the inexorable conclusion, but let's try to maintain residence in the real world for the next 30 days or so.
Blue
Devil's Advocate
December 5th, 2006, 08:18 AM
-{ Quote: "
It's clear that most users haven't taken PC security seriously enough,
" }-
While that is stated over and over again, the point everyone seems to be missing is that we are not addressing such people. Anyone who comes here and posts automatically, almost by definition takes security seriously enough.
-{ Quote: "
I hate seeing posts where new or inexperienced users are told to install more than one HIPS, especially when they don't know how to configure one properly.
" }-
Well, if it's merely inexperienced users you are worried about, why make a big fuss. Eventually they will all become as experienced as you.
-{ Quote: "
Forum posts are another problem when choosing terms. A term that's over-simplified to one reader isn't understood by another.
" }-
Personally I love these posts and threads that try to define once and for all what the terms mean.
Once we know exactly what the difference is between a sandbox and virtualization or behavior blocker or whatever, their strengths and weaknesses, we can go out and get one of each to provide a layered protection.
Recently there was an even more complete scheme posted, that made me realise as good as my security was, it still was wide open on several levels.
-{ Quote: "
How do you deal with a subject like exploits and vulnerabilities without naming specific ones?
" }-
You should say nothing about those. Those are rare, and not much one can specifically do about them (aside 'common sense'), details or no details. Most of the HIPS we use here will do nothing to stop them from starting, though your ssm might notice something weird happening afterwards if you were lucky (assuming it does something that tips ssm off) or a sandbox might stop some of the damage (but will you sandbox everything?).
There's a reason why paranoids like to talk about the threat of going to a site that has been hacked with some zero day exploit... It's the ultimate threat that you are defenseless against whether expert or beginner.
The only possible safeguards are technological even though they work worse than AVs against malware. :)
Crashtest Dummy
December 5th, 2006, 08:52 AM
-{ Quote: "
There's a reason why paranoids like to talk about the threat of going to a site that has been hacked with some zero day exploit... It's the ultimate threat that you are defenseless against whether expert or beginner.
The only possible safeguards are technological even though they work worse than AVs against malware. :)" }-
The practical step I choose is to start each day's surfing on a trusted site. One that, like this, alerts to new exploits and any interim solutions as they appear. It's kind of nice to see the speed at which contributors come up with solutions to exploits. I don't expect to see them regularly. When they do show up I tend to enjoy the whole process of mapping the exploit from discovery to resolution.
Mrkvonic
December 5th, 2006, 10:53 AM
Hello,
DA, I know you wish to heat up the debate, but that's not the point of this thread.
1. I'm not trying to prove I'm smarter than some hacker.
2. I'm not trying to challenge anyone into proving me wrong.
I have simply decided to indulge Escalader, but others may benefit, as well.
The whole idea is show that a "normal" person can enjoy the Internet with a solid mix of pleasure, fun and wise thought, without stitching his ethereal orifices with ten layers of thread against intrusions.
P.S. Just for those who feel elated about hacking, I will not publicly reveal the IP of the tested machine - HINT it is not one of the machines I used to post ... The goal is to test a nameless computer in a world of computers and not isolate it and turn it into "rape-me-dear" target.
P.S.S. DA, you should thank the hackers, though. Although a small fragment of the computer population, they are usually in charge of the most important revolutions that happen, for good or worse.
After all, Linus Torvalds started the Linux project as "hacking".
Mrk
Pedro
December 5th, 2006, 12:13 PM
-{ Quote: "
You should say nothing about those. Those are rare, and not much one can specifically do about them (aside 'common sense'), details or no details. Most of the HIPS we use here will do nothing to stop them from starting, though your ssm might notice something weird happening afterwards if you were lucky (assuming it does something that tips ssm off) or a sandbox might stop some of the damage (but will you sandbox everything?).
There's a reason why paranoids like to talk about the threat of going to a site that has been hacked with some zero day exploit... It's the ultimate threat that you are defenseless against whether expert or beginner.
The only possible safeguards are technological even though they work worse than AVs against malware. :)" }-
How would SandboxIE work with this? How can you bypass SandboxIE? Not that I expect it to be perfect, but still...
MrK: I understood your preference for "The goal is to test a nameless computer in a world of computers and not isolate it and turn it into ~Snip~ target."
For this test this is appropriate :thumb:, although I would like to see someone testing his set-up by provoking. That would be interesting too, to see how the different approaches would defend us. :)
spamislame
December 5th, 2006, 12:58 PM
-{ Quote: "I have my own "fat" packages in place in the interim and until it is proven that I don't need then they will remain fully updated active and set to aggressive mode. No one can force us to change anything. But all I can say is wait for the results. Be patient." }-
Hey: do you, or anyone else here, monitor bot traffic? Or IRC communications?
Mostly out of curiosity.
SiL
Mrkvonic
December 5th, 2006, 01:12 PM
Hello,
Someone, what's the point of provoking - ~Snip~
That's not what the Internet was made for. If you want to provoke someone, do it in a positive, constructive way - let's say, develop an application that is better than someone else's. Destruction is hardly the way of improving anything.
Please don't turn this into "I'm smarter than thou - I pwn you n00b" thread. If anyone wishes to see one of the participants humiliated at the end of this discussion, then we might as well quit now.
Mrk
Pedro
December 5th, 2006, 01:24 PM
NO no no, you misunderstood me, or I wasn't clear. I'm not suggesting that kind of provocation (wrong word), more like a simple test against whatever you throw at it. To see what problems arise from a setup or another. Take it as a friendly attack, friendly hack. Like one that I read about of a guy who wanted to test his router config, n got hacked twice (his request), lol. But he asked it, to see if he configured it right.
Not for the test you're doing, or the point you're trying to make, just another approach/test.
Mrkvonic
December 5th, 2006, 01:35 PM
Hello,
Rmus already did the hack test last year. It was, to sum it up, uneventful.
He even posted a link to his test in the thread a few posts above.
Mrk
lucas1985
December 5th, 2006, 01:48 PM
-{ Quote: "NO no no, you misunderstood me, or I wasn't clear. I'm not suggesting that kind of provocation (wrong word), more like a simple test against whatever you throw at it. To see what problems arise from a setup or another. Take it as a friendly attack, friendly hack. Like one that I read about of a guy who wanted to test his router config, n got hacked twice (his request), lol. But he asked it, to see if he configured it right.
Not for the test you're doing, or the point you're trying to make, just another approach/test." }-
Something like this? (http://www.dslreports.com/forum/remark,14671194~days=9999)
Pedro
December 5th, 2006, 02:02 PM
Yes lol. It could be exactly this one, because I didn't read the original. And the thread is so long :P. I will read it one bit at a time ;D
herbalist
December 5th, 2006, 07:23 PM
-{ Quote: "-{ Quote: "How do you deal with a subject like exploits and vulnerabilities without naming specific ones? " }-You should say nothing about those. Those are rare, and not much one can specificly do about them (aside 'common sense'), details or no details. Most of the HIPS we use here, will do nothing to stop them from starting, though your ssm might notice something weird happening afterwards if you were lucky.....
There's a reason why paranoids like to talk about the threat of going to a site that has being hacked with some zero day exploit... It's the ultimate threat that you are defenseless against whether expert or beginner." }-
Exploits and vulnerabilities are rare?? They're common enough that M$ made a patch day for fixing them. You've got this completely backwards. HIPS, conventional or sandbox types, are the best tools we have for addressing exploitable vulnerabilities and unknown threats. Defenseless? Not even close!
herbalist
December 8th, 2006, 06:41 AM
More on zero day vulnerabilities and defending your system.
http://www.sans.org/top20/?ref=1487#z1
Devil's Advocate
December 8th, 2006, 09:40 PM
-{ Quote: "How would SandboxIE work with this? How can you bypass SandboxIE? Not that i expect it to be perfect, but still...
" }-
Simply by doing something dangerous that Sandboxie or any sandbox doesn't filter. Java uses a sandbox, and the last time I checked Java has had tons of vulnerabilities throughout its career.
Granted we are not talking about exactly the same thing, but you get the idea.
Just saying you use a sandbox doesn't grant you 100% immunity.
Devil's Advocate
December 8th, 2006, 09:56 PM
-{ Quote: "Exploits and vulnerabilities are rare?? They're common enough that M$ made a patch day for fixing them.
" }-
Compared to the people who get infected by other means it is a drop in the bucket. Anyone here got nailed by a zero day that no-one knew of? How about someone nailed by a public one (doing so on purpose doesn't count)?
My point is that there isn't much you can do about unknown exploits and vulnerabilities by definition; if you already knew where the vulnerability was you could stop it, if not you would just be pissing in the dark, praying that your toys would.
Sure, you can reduce exposure by making smart bets on which software is likely to be vulnerable and try to mitigate some of the damage; based on history you can guess that many exploits require javascript to get off the ground so you turn it off etc etc.
But nothing is foolproof if you want to worry about exploits. You say HIPS. Who's to say there isn't some vulnerability in there that actually gets you hacked? So what's your plan against that?
Besides, anything you say, I can counter with "but what if a superhacker knows of an exploit in X"? You see?
Worrying about zero day exploits is a waste of time beyond a certain point.
-{ Quote: "
You've got this completely backwards. HIPS, conventional or sandbox types, are the best tools we have for addressing exploitable vulnerabilities and unknown threats. " }-
And what if there is a vulnerability in HIPS, sandboxes or whatever? If you want to worry about vulnerabilities, why aren't you worrying about them? You can betcha these HIPS, created using undocumented and highly unstable matters, have tons of bugs.
-{ Quote: " Defenseless? Not even close!" }-
Well, I guess the fact that you haven't been hacked more than twice gives you the authority to say that.
Pedro
December 8th, 2006, 11:01 PM
Correct me if I'm wrong, but the whole purpose of SandboxIE and GeSWall, etc. is to defend you in a broad way. Not a filter, but isolating anything that comes through the browser for instance. Whatever type of files.
Sure, there are vulnerabilities, possibly, that a SuperHiperHacker can pass. But MrK's point is that the SHHacker doesn't care about you, or that it's science fiction lol.:D
Give an example of how it would be passable without the user removing the said files from isolation. Of course how could we give one. We have to wait for another review to see if vulnerabilities are found.:-\
Maybe a theoretical example?
Mrkvonic
December 9th, 2006, 04:30 AM
Hello,
Two types of hacking - massive and pinpointed.
Massive hacking is the Internet noise - bots doing automated searches all the time. Something aimed at gaining quick access to a massive number of machines and usually works by standard protocols / exploits.
Pinpoint hacking - something that takes effort and time, and usually of a personal kind. Here you can see all kinds of software tricks. To exploit certain programs, the hacker needs to know what the victim is running, so the relation will probably be intimate. Then, there's the social side, where the victim is lured into running a supposedly trusted program / document that contains a personally crafted trojan or such.
People who hack for profit surely will not bother with the home user, because the prospects of gain versus effort involved are small. Simple financial calculation.
It's much simpler sending millions of infected emails, chat messages or whatever and waiting for the dumb to click.
People who hack for glory will surely try to own the system. I mean, in the community, if you tell your pals you owned a 70-year old grandma running Windows 98 versus you owned some government site or such ...
Finally comes the vengeance. But that's no different than finding a bunny nailed to your front door after you dump the girl because she is psychotic and wanted you to move in with her after just three weeks ...
Mrk
herbalist
December 9th, 2006, 01:37 PM
DA,
It's obvious that you just want to argue and try to see how sarcastic you can get as opposed to any useful exchange of information.
Yes, I was hacked twice, both times by someone who knew what they were doing. No, I wasn't using HIPS then. Back then, I was naive enough to believe the claims the big vendors made, the "our suite protects against all this and..." Norton in this case. The incidents were prime examples of just how ineffective conventional security suites are. This was all explained long ago. Leave it to you to pull that out of context and try to apply it to a discussion about HIPS and exploits.
-{ Quote: "But nothing is foolproof if you want to worry about exploits . you say HIPS. Who's to say there isn't some vulnerability in there that actually gets you hacked? So what's your plan against that?
Besides Anything you say, I can counter with " but what if a superhacker knows of an exploit in X"? You see?" }-
Obviously. All software has weaknesses. It's unlikely that anything can stop an expert hacker. But just because one may be able to get thru your defenses doesn't mean you don't try to defend yourself. No, you obviously can't prepare against every possible exploit or attack, but you can pre-empt a lot of the damage that could be done via an exploit by limiting what each application is allowed to do or access.
"What's your plan against that?"
A system restore from external media. That is foolproof. CDs can't be altered once burnt.
-{ Quote: "And what if there is a vulnerability in HIPS , sandboxes or whatever? if you want to worry about vulnerabilities, why aren't you worrying about them? You can betcha, these HIPS created using undocumented and highly unstable matters have tons of bugs ." }-
The HIPS programs aren't creating undocumented bugs. That's what beta testing is for. Just like bugs in operating systems and other software, they get fixed. As for their being "highly unstable", when properly configured, most are quite stable. It's when users like you stack them up 3 deep and try to see how many will run at the same time that systems get unpredictable. When you run separate HIPS apps with suites that contain HIPS or kernel hooking components of their own, instability is the result. You can't give total control of the same processes to 2 or more separate apps. Vendors aren't responsible for problems caused by this. All the better ones work as claimed. If you don't trust a particular HIPS to do the job, use a different one. If you can't figure out how to configure one to run smoothly, get a simpler one. Classic HIPS aren't for everybody.
Let me know when you want to actually discuss something of consequence as opposed to this pointless arguing you seem to enjoy. This helps no one.
Rick
Escalader
December 10th, 2006, 09:09 AM
Herb:
You are right, some just want to argue & sling opinions around and not share real know-how that can actually help others. I wonder if a moderator could "freeze" the thread til Mrk is finished with "my" challenge?
Mrk, I would like to move "your" test to "my" challenge to its own thread limited to the challenge and your report on findings, then immediately freeze it til you are ready to report. At which time we would all enjoy positive discussion about what it means.
As far as arguing people go, you can always block them but I always hesitate to do that.
Your Celtic friend
Mrkvonic
December 10th, 2006, 02:38 PM
Hello,
I will make a new thread with results only if needs be with reference to this one.
But whatever rocks your canoe.
Mrk
Escalader
December 10th, 2006, 05:52 PM
Great:
Nobody is canoeing in December in Canada, skates yes, but zero liquid water...
See yah eh
Devil's Advocate
December 11th, 2006, 04:06 AM
-{ Quote: "DA,
It's obvious that you just want to argue and try to see how sarcastic you can get as opposed to any useful exchange of information.
" }-
Looking through your history, I don't think you are the right person to accuse others of being argumentative.
It's obvious to me you just want to set yourself up as a guru and preach without getting contradicted. Any contradiction in your book is not "useful exchange of information".
-{ Quote: "
Yes, I was hacked twice, both times by someone who knew what they were doing. No, I wasn't using HIPS then. Back then, I was naive enough to believe the claims the big vendors made, the "our suite protects against all this and..." Norton in this case. The incidents were prime examples of just how ineffective conventional security suites are. This was all explained long ago.
" }-
Or perhaps they are prime examples of how incompetent and noob users can get hacked. How do we know the difference?
How do we know your use of SSM is the difference now?
But then again your story isn't unique, lots of members here are noobs who got hacked or infected once (though twice seems to be a bit strange), started learning to protect themselves, and became overly paranoid.
They then start preaching to the masses you got to use X, or you will be hacked like me....
-{ Quote: "
Obviously. All software has weaknesses. It's unlikely that anything can stop an expert hacker. But just because one may be able to get thru your defenses doesn't mean you don't try to defend yourself. No, you obviously can't prepare against every possible exploit or attack, but you can pre-empt a lot of the damage that could be done via an exploit by limiting what each application is allowed to do or access.
" }-
Exactly. Now tell me how worrying about zero day exploits IN GENERAL can help?
-{ Quote: "
"What's your plan against that?"
A system restore from external media. That is foolproof. CDs can't be altered once burnt.
" }-
If that's your plan, why worry about other security measures? And of course there are certain forms of damage that can be done that cannot be remedied by just a backup.
-{ Quote: "
The HIPS programs aren't creating undocumented bugs. That's what beta testing is for.
" }-
Beta-testing, at least the way we do it here, isn't typically an audit of security bugs. Very few are qualified.
-{ Quote: "
Let me know when you want to actually discuss something of consequence as opposed to this pointless arguing you seem to enjoy. This helps no one.
Rick" }-
Let me know if you want to be constructive when dealing with someone who disagrees with your dogma.
For someone who has been hacked twice, you sure are arrogant in thinking you always have the right answers.
Escalader
December 11th, 2006, 09:57 AM
DA:
For now I'm going to block you off, it's getting too personal which clouds objectivity and makes good points you may otherwise make questionable.
If you are so upset with Herb why not take it offline?
Bubba
December 11th, 2006, 11:14 AM
To all,
Technical discussion and opinions are welcome. Running commentary on posters is not....nor will it continue. That's about as plain as it gets. We will let the "Scope of security" discussion continue along with this side discussion challenge or we will indeed freeze the thread.
Bubba
ccsito
December 11th, 2006, 07:34 PM
~snip....un-necessary comments....Bubba~
Going back to the original topic, personally, my AV has alerted me several times about a virus being downloaded and my firewall has logged a lot of intrusion or ping attempts on my connection. Do I think the issue is overblown about malware and imminent attacks by hackers? Perhaps to some degree, but since areas of the internet can be made to contain nefarious and sometimes system disrupting elements, a user needs to have some minimal form of protection when going online. I started to work with computers before there were PCs and viruses were used to propagate a piece of code or process to other parts of a network. Now things are more complicated and the global scope of the internet makes one "exposed" to more possible computer problems. I see a lot of new software suites that tout "complete" protection against spam, phish, viruses, spyware, network intrusions, etc. As I noted in another post, I wonder if the protection that you need to install will take more space than anything else on your computer. I haven't come across any serious system malware issue and hopefully won't in future years. But I always follow my one last rule in that I will not depend on a PC to run my life. If PCs disappear like the old manual typewriters, so be it. 8)
Escalader
December 11th, 2006, 08:20 PM
That's good. I remember when slide rules dominated! Then came calculators and mainframe computers. Then came word processing machines, so out went the typewriter. Then WordPerfect on PCs; the rest is history.
I fear that if PCs and LANs left the work place today, many offices and businesses would collapse. At home I would have to use stamps again and do my income tax by hand!
What would my grandsons do if they couldn't play games?
Please don't take my PC away, I must be too sensitive to be here.... I'm going away now into the yard to eat "worms".;)
Hermescomputers
December 12th, 2006, 09:57 AM
Nah... Hackers and security crackers are no problem at all...
I love them!
Without them, I would not be able to make a living!!!
Viruses are great!
I love hearing people's frustration about having to secure their computers and begrudgingly having to pay up for security tools.
I gave a lecture once at a chamber of commerce in Toronto on security and some guy was really grumpy. He said, Why should I have to pay up $$$ each year just for security when all I'm doing is browsing the web and downloading e-mails???
My answer was simple. People who perhaps refuse to harden the systems they use online should be held accountable for the damage caused by hackers who used that system to do bad things to others. Like spew 100,000 e-mail spam messages or infect others with remote viewers or RAT's...
The large majority of nonsense problems we experience are caused by computers not secured. When that is caused by willful neglect I get cranky! Believe it or not, some people "Pride" themselves in not having security! (or they're just plain stupid!)
My opinion: Stop crying about it and lock your doors!!!;D
Mrkvonic
December 12th, 2006, 12:15 PM
Hello,
Maybe stupidity or money motives have nothing to do with security?
Maybe it comes down not to "pride" but different approaches to computer usage than ones you know or prefer? But if you're earning money from viruses, then perhaps your opinion is not entirely impartial.
Mrk
Hermescomputers
December 12th, 2006, 05:22 PM
-{ Quote: "Hello,
Maybe stupidity or money motives have nothing to do with security?
Maybe it comes down not to "pride" but different approaches to computer usage than ones you know or prefer? But if you're earning money from viruses, then perhaps your opinion is not entirely impartial.
Mrk" }-
Hi Mrkvonic,
I wonder what impartial really means in the context of what I have said...
I simply state an obvious element when I point to the fact that we now have a responsibility to secure our environment regardless of what we do with the technology as long as we are "connected" and that this reality will or could negatively impact others... I am stating that "Some" users still refuse to take those responsibilities seriously and that they are all costing the rest of us millions, not counting time, stress and frustration. I was perhaps too sarcastic about the issue but it is a frustratingly obvious issue that is not openly addressed for fear of "offending the offenders".
Making $$$ money cleaning viruses and spyware and plugging security holes doesn't make me impartial since I am just as victimized by those as anyone else. Not counting the many times I had to provide "Technical Welfare" to those (Oh so many!) who can't deal with it and can't afford to pay for the help!!!
To be fair, I believe very strongly in making Microsoft more "Inclined" to include such technologies or at least provide an "Opt-In" function for those who may object to having to use a one-sided security offering from the Redmond Giant. It would go a long way, like the rather sizable impact including a built-in firewall has had on the deployment of certain types of viruses... Imagine now having real security built into the O.S. where users have real control over content instead of obscure corporations wasting more energy obfuscating issues instead of creating real solutions...
Mrkvonic
December 12th, 2006, 11:22 PM
Hello,
No need to imagine - it already exists.
BTW, you're looking at the problem the other way around - securing the OS instead of making OS secure.
Mrk
Mrkvonic
January 1st, 2007, 10:32 AM
Hello,
31 days ago or so, Escalader and I made a friendly bet. In this bet, we agreed that I would use a Windows XP SP2 machine with the basic Windows Firewall and a normal browser to test the viability of getting infected.
This is what we agreed upon:
http://www.wilderssecurity.com/showthread.php?t=156441
------
Escalader, I have quit my job to run the test.
Joking. I have already begun it.
In the following month, I'll do the following on the test machine:
Install eMule and download music / movies (70% porn). Any legal issues pertaining to this issue should be addressed to Escalader - as in the Devil made me do it.
Do a few IM sessions with friends abroad using Skype and Gaim.
Register to a porn site using a dedicated address that I will create for this purpose, naively thinking I'll be granted access to "high-quality" stuff.
Download images of porn actresses (and actors ... joking) and celebs from various sites.
Download a few short porn movies from various porn sites.
Download a few programs that I might need and install them, e.g. IrfanView or 7-Zip.
Install a game and play online.
Buy a book on Amazon.
That's it, I think.
-----
After I finish the test, I'll install Spybot, Ad-Aware, Ewido, A2, SuperAntiSpyware and run full tests. Install AVG, Avast and Antivir, one at a time and run full tests. Run online tests like Panda, Trend-Micro and Kaspersky. Download BitDefender free and ClamWin and run full tests. Use UnhackMe, Icesword and Rootkit Revealer. Boot from Knoppix, Helix and Bart live CDs and inspect the machine.
------
That time is up.
I have the results.
A dilemma that I face is the presentation of results.
I assume that people will BELIEVE me when I present my report, because if they do not - showing empty scan logs or screenshots has no meaning. I could easily do that on a completely non-related machine.
If you do not believe me, you can stop reading and disregard all and any of my posts like cheap propaganda.
Therefore I will present my results in a simple text compilation. If someone is really craving for pictures, I will try to free some time and compile a full article-like report, but this will take me some time, because I have other, more important things to do.
Here's what I did:
Installed eMule and downloaded about 15GB of stuff. I needed codecs to watch some of the movies, so I downloaded some.
I talked with a friend using Skype and GAIM (using ICQ account) on a few occasions.
I downloaded some 50 small clips from adult sites and about 250 pictures of various personae from different sites. I also registered myself with a fresh spam mail address to one of these sites. I used Google to randomly look for the sites.
I installed Scorched3D and played and even hosted a server. I also played a few flash games.
I bought meself an Asterix comics from Amazon.
The system was on 24 hours a day with a reboot once a week or so. Browser of choice was Firefox, of course.
Two days ago and yesterday I started investigating the system. This includes multiple scans in normal and safe mode with a variety of AS / AT / AV tools mentioned above, dedicated anti-rootkit tools, including some more that are not on the list, and using Live CD tools.
The result is:
No infections.
The only downside is that my spam mail address receives about 10 emails daily offering me niagras and viagras.
I will NOT post links to the sites I frequented because they might be a TOS.
Escalader, you might think this is a right-wing conspiracy to bring you down, but this is not the case.
The conclusion? Internet is enjoyable.
Happy New Year.
Mrk
eyes-open
January 1st, 2007, 02:01 PM
Hi Mrk & a Happy New Year :)
I don't question your integrity Mrk. I'm not sure how the individual who has just started his/her surfing career is going to benefit from this as it stands.
While you have a track record of placing the accent on the user and not 3rd party software, simply stating for the record that you have done it, doesn't offer the beginner more than they had last month - other than inspiration of course.
If you can present a simple guide to the principles you followed in securing your OS. Features such as control of Ports/Services/Scripts etc that is not only repeatable, but has the promise of being maintainable by the beginner, then you move your argument on.
If your efforts, while proven to your satisfaction, remain inaccessible/not reliably repeatable to the beginner - then the differences between your efforts, which then remain an esoteric exercise, and the probably unfathomable work of the 3rd party software engineer become less clear.
If both approaches are similarly dumbfounding to the beginner - then the automated approach is going to win isn't it ?
The software engineer will make a sale and your message of self-reliance passed by.
Mrkvonic
January 1st, 2007, 02:27 PM
Hello,
First, I have written quite a few articles about software & security, one of which is called "Internet won't hack you if you don't provoke it" which could sum it up nicely. Link in the siggy.
Second, this was not done in order to subvert masses of beginners into running without any protection and getting infected. This was aimed at the more advanced population (re. majority of Wilders members), and as a result of healthy debate with one of the members.
This is not meant to discredit efforts of people who develop software or users who love to have tons of programs on their comps. This was meant to give an angle that not many people have.
I'm not a typical Wilders member, I think. I believe in free Internet, which means porn, p2p, gaming, sharing etc are something you should not abstain from just because somewhere someone somehow might hack you.
You can find many hardening guides on the net, but they all come down to:
No gaming, no printer, no sharing, no this, no that. In the end, it comes down to a paradox. You run Windows admin account that has no privileges. Then why don't you run a Limited Account? And if you run Limited Account, then do it properly, with an OS that actually WORKS with Limited Account.
Answer: Linux.
But for Windowsers among us, there is no need to kill and rape your system with every hack / patch / program available. This is something I've been trying to convey for a long time. And this so-called test is yet another step.
In itself, it has no great meaning. But if you read my last 500-1000 posts, you might see a trend.
Cheers,
Mrk
tobacco
January 1st, 2007, 03:49 PM
First of all Mrkvonic, thanks for your efforts.
Am I surprised by the results? Not at all, as you have the knowledge, knowing that even making adjustments to a browser can prevent infections, though with that minimal setup and the places you ventured to download things, sooner or later you would become infected by some of those downloads. Anyone that's ever used 'Limewire' knows that it's pretty safe to download music but a lot of malware in other areas.
Not to take away from this test but at the beginning, I offered a spam post that I found on a legit product forum for Mrkvonic's test as it contained a link to a video clip which of course needed a codec to be installed to view (Zlob Trojan). I run in Bufferzone and therefore do not lock down my browser, and even after closing the download window, this trojan tried getting in, as my AV kept alerting me to. With Mrkvonic's locked down browser, this did not happen. But obviously, he did not go ahead and download and install the codec anyway as I did. If he had, as downloading was part of his test, infection would have taken place. It did on my system, but once I clicked the 'Empty The Bufferzone' tab, all was back to normal. I think I'll stick with my setup, which I've drastically cut down, but have something in place to help protect against infected downloads.
So my summation of this test is this. Just locking down one's browser can provide excellent protection even if you aren't a safe surfer, and a minimal setup will/can take you a long way. But when downloading is involved pertaining to riskier sites, and even my example which was found on a very legit site, some type of other security needs to be in place in addition to this minimal setup.
Ice_Czar
January 1st, 2007, 08:14 PM
-{ Quote: "I believe in free Internet, which means porn, p2p, gaming, sharing etc are something you should not abstain from just because somewhere someone somehow might hack you.
You can find many hardening guides on the net, but they all come down to:
No gaming, no printer, no sharing, no this, no that. In the end, it comes down to a paradox. You run Windows admin account that has no privileges. Then why don't you run a Limited Account? " }-
sidestepping the Linux adoption (which I'm at least working on)
I too believe in a free internet in the strongest possible terms
and I've always engaged in "risky" behavior (with the exception of IM)
slumming blackhat sites, cracks, warez, XFTP, P2P, etc.
Far worse back when I was figuring it all out than now, which is comparatively mild mannered.
But I don't necessarily agree hardening per se is abstention; sure it's a component, but even before virtualization there was simply employing another box, isolating it and observing it. I think of hardening as locking down a box to acceptable behaviors, avoiding as many threat vectors as fits your current needs and changing the OS in ways that will break most malware.
Or at least it used to break vintage malware. The advances in the last year and a half with the great rise in rootkits, kernel mode malware, dll injection etc. have me rethinking a lot of what I used to do and quickly adopting virtualization. In order to continue my wicked ways ;D
But I still "harden": proscribed scripts, no html in email, no IM, protect or remove a host of OS exe's that aren't commonly employed. HIPS, security auditing, filechecking, as much rule based whitelists as possible with a little signature\behavior IDing thrown in.
It will be interesting to abandon all this Windows knowledge as I fully migrate over to Linux. I'm just not comfortable in my ability to know what's going on over there yet.
-{ Quote: "
If you can present a simple guide to the principles you followed in securing your OS. " }-
W2K\XP (http://www.wilderssecurity.com/showpost.php?p=905157&postcount=8)
how I've done it in the past, but I too would be very interested in Mrkvonic's Windows procedure
eyes-open
January 4th, 2007, 06:06 AM
Recap Part 1
I just thought it might be worth recapping on some of the features of this thread for any really new user who may not be sure if something amazingly advanced and for them, unachievable has happened in this thread ...... or worse, believes that they have been given permission to ignore the principles of safe-surfing. I know Mrk says this thread wasn't really aimed at the new user - but I don't see the point of aiming it entirely at the experienced one, who presumably is already amassing sufficient experience and information to have passed the stage of blind paranoia.
Having initiated the thread with what I see as a basic plea for the balanced use of security software, achieved through education and self-control, Mrk was then presented with a challenge. To run a Windows box with minimum security for 31days, while continuing act and surf as he normally does.
He has responded to the challenge by ensuring his system is fully patched , is running a basic Windows firewall and then presumably further secured his ports by the disabling of unwanted services etc. So if the service isn't running, it isn't listening at a port and vulnerable to exploitation, principally through automated attacks. I don't think he stated on which basis he was attributing permissions either globally or on a per-application basis (eg administrative or user account token).
This is where I think Mrk could have offered more for the learner that has come to this thread. Which OS are you using, how did you choose to disable services and control port activity? Was it manually, such as through services.msc, or do you prefer some automated freeware such as wwdc.exe? How did you test that your ports had been secured, e.g. using ShieldsUP at grc.com? Noting that from time to time, such as when a new exploit is announced or a new Service Pack introduced, some minor changes to the application of these techniques may be needed.
When it comes to monitoring outbound traffic, I think Mrk believes in the focus of preventing untrusted activity gaining a foothold in the first place, rather than worrying too much about monitoring outbound activity, which should by default be by trusted applications that have already been granted some level of token/permission.
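The recap above rests on the check "if the service isn't running, it isn't listening at a port". An added example, not from the thread or any poster, of auditing that locally on a modern Windows box before reaching for an external scanner: it lists every listening TCP port, the owning process, any Windows service hosted in that process, and whether the firewall profile blocks inbound by default. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt.

```powershell
# Added example (not from the thread): enumerate exposed TCP listeners and
# the services behind them, plus the Windows Firewall default inbound action.
# Assumes Windows 8+ / PowerShell 3+ and an elevated prompt so that every
# process is visible.

function Get-ListeningPortReport {
    [CmdletBinding()]
    param(
        # Loopback-only listeners are not reachable from the network; hide them by default.
        [switch]$IncludeLoopback
    )

    # Build PID -> service name(s). Several services can share one svchost PID,
    # so each key holds an array of names. Cast to [int] so the two cmdlets'
    # differing integer types still compare equal as hashtable keys.
    $servicesByPid = @{}
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -gt 0 } |
        ForEach-Object {
            $procId = [int]$_.ProcessId
            if (-not $servicesByPid.ContainsKey($procId)) { $servicesByPid[$procId] = @() }
            $servicesByPid[$procId] += $_.Name
        }

    Get-NetTCPConnection -State Listen | ForEach-Object {
        $conn   = $_
        $procId = [int]$conn.OwningProcess
        $isLoop = $conn.LocalAddress -eq '127.0.0.1' -or $conn.LocalAddress -eq '::1'
        if ($isLoop -and -not $IncludeLoopback) { return }

        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $conn.LocalAddress
            LocalPort    = $conn.LocalPort
            PID          = $procId
            Process      = if ($proc) { $proc.ProcessName } else { '(unknown)' }
            # Empty when the listener is a plain application rather than a service.
            Services     = if ($servicesByPid.ContainsKey($procId)) { $servicesByPid[$procId] -join ',' } else { '' }
            # A wildcard bind means every interface, i.e. reachable from the LAN/Internet
            # unless the firewall drops it.
            Exposure     = if ($conn.LocalAddress -in @('0.0.0.0', '::')) { 'all interfaces' } else { 'specific address' }
        }
    } | Sort-Object LocalPort, LocalAddress
}

function Get-FirewallInboundPosture {
    # The "basic Windows firewall" argument only holds if each active profile
    # is enabled and blocks unsolicited inbound traffic by default.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

Write-Host "Listening TCP ports (non-loopback):"
Get-ListeningPortReport | Format-Table -AutoSize

Write-Host "Firewall profile defaults:"
Get-FirewallInboundPosture | Format-Table -AutoSize
```

Any row whose Exposure is "all interfaces" and whose Services column names something you do not need is the candidate for disabling; re-run after the change to confirm the port is gone rather than trusting the service list alone.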
eyes-open
January 4th, 2007, 06:07 AM
Recap Part 2
The next concern in this test and really the biggest threat, assuming we are not worried about physical access by someone else, is what we do to ourselves through curiosity, impatience etc - through inviting a download.
If we take a look at Mrks article http://www.dedoimedo.com/computers/internet.html.
The article is fair enough, includes usual stuff about running Firefox/NoScript etc to create a secure and more flexible browsing experience than is possible than with a secured IE. Then we have the standard list of proscribed activities:-
Email: Do not open email attachments (even from friends and known contacts) unless you are sure that the content is safe.
Instant Messaging: Do not click links or download photos from strangers. Keep the programs up to date.
P2P: Use clean, unbundled software, keep it up to date. Do not download programs (executables) and cracks to programs, because you cannot be sure they are not well-crafted malware. There is a general misconception that P2P is extremely dangerous. It's partially true. Some programs are bundled with malware. Just don't use them. Second, downloading malware through P2P does not make it any different than downloading malware through a web browser. Often, the availability of programs (and dangers) is much greater through P2P than web sites.
I bring the article in, because to the casual reader of this thread it may look at first glance as if Mrk has, through the link in his signature, begun by advising the above method of running the Windows OS on the principle of this prohibitive approach......... and then gone on to achieve for himself some shangri-la .net lifestyle in which you can all but abandon security woes and download freely without fear. To be clear, I don't say that Mrk makes any grandiose claims, just that at first glance it appears there are 2 different levels of user at work here - when actually there is a consistency about his approach.
-{ Quote: ""I'm not a typical Wilders member, I think. I believe in free Internet, which means porn, p2p, gaming, sharing etc are something you should not abstain from just because somewhere someone somehow might hack you."" }-
It might be useful to re-check on what's actually different and note the reality may not be such a free wheeling, Devil may care approach as a casual read may suggest. Mrks principle of a free internet is not a philosophy based on the freedom to make mistakes without consequences - it is free as in free speech, it is based on the presumption of a sense of responsibility by the user.
* Installed eMule and downloaded about 15GB of stuff. I needed codecs to watch some of the movies, so I downloaded some.
Bear in mind here that Mrk doesn't suggest that he downloaded the codecs from an on-the-fly source that may have contained the zlob virus. Codecs are freely available from reputable sources - it would have been useful to hear that this is what he had done. Mrk will presumably have then satisfied himself that the downloads he instigated were of an expected movie/music format and not overtly, or through false advertising, subvertly, a packaged executable. He may then have possibly gone on to add further security by playing the download with either a 3rd party player or used something like WMP Scripting Fix to neuter WMP and further ensure that no embedded scripts could be run. It might have been interesting to know if Mrk declined any of the downloads available to him on the basis of having some doubt about the content.
* I talked with a friend using Skype and GAIM (using ICQ account) on a few occasions.
So his IM & voice messaging was with a friend, no suggestion that he instigated or allowed any anonymous contacts either actual or the bot variety. As a result, neither is there a suggestion that there were any dodgy links to lure him astray.
* I installed Scorched3D and played and even hosted a server. I also played a few flash games.
Yet again the Scorched3D game appears to have been carefully chosen, not just some cracked rubbish he happened to come across. His browser was configured not to accept unsolicited scripts from sites, so even if he hadn't previously known of the game, he had reasonable freedom to surf until he had come across it and found a reputable source.
* I bought meself an Asterix comics from Amazon.
Well why wouldn't he - he was confident that nothing automatic could have come through his closed ports and also that he hadn't invited and run an executable that would have placed a keylogger on his machine. The rest is down to the secured nature of the online transaction and possibly using additional checks and balances, such as ensuring encrypted material isn't saved on his machine.
So to partly answer why are there all these security apps available on the market and why do so many users spend their money and cover themselves with them ?
Well, apart from anything else, the downside here is that if the system is your only system and you have no independent back-up regime, then using the above testing environment and philosophy of self-control, you really can't afford to stray too far or have an average teenager within 30ft of your machine - especially if you stand to disclose data of a personal/financial nature that could be damaging to your well being if intercepted.
As a result, for the home user it becomes more difficult to learn by trial & error. Ultimately, without the extra safety-nets, the very process of learning that Mrk advocates becomes to some extent more threatening, and the hands-on experience of experimenting more difficult to achieve.
Source page for wwdc.exe http://www.firewallleaktester.com/wwdc.htm
Source page for wmpscriptingfix http://www.javacoolsoftware.com/wmpscriptingfix.html
BlueZannetti
January 4th, 2007, 07:48 AM
-{ Quote: "He has responded to the challenge by ensuring his system is fully patched , is running a basic Windows firewall and then presumably further secured his ports by the disabling of unwanted services etc. So if the service isn't running, it isn't listening at a port and vulnerable to exploitation, principally through automated attacks." }-Well, at least at Mrk's site, he does advise to skip the OS tweaking within Windows (go to Linux if you're of that mindset). I tend to strongly agree since you cannot always anticipate whether an "unneeded" service is "needed" by some application, occasionally with unpredictable results.
-{ Quote: "This is where I think Mrk could have offered more for the learner that has come to this thread. Which OS are you using, how did you choose to disable services and control port activity ? was it manually, such as through services.msc or do you prefer some automated freeware such as wwdc.exe. How did you test that your ports had been secured e.g. using ShieldsUP at grc.com. Noting from time to time, such as when a new exploit is announced, or a new Service Pack introduced - some minor changes to the application of these techniques may be needed." }-I guess my read is rather different.
With respect to XP - up to date fully patched with a default install and leave as is.
To me, the take home message for a learner might be in the form of some inferences from the reported results (which admittedly are like any single test - of limited scope): Let me start with a personal prejudice - perform a default install of a simple AV, especially if you feel you need to ask the question "Do I need an AV". If you're not in a position to personally disassemble and examine downloaded content to assess whether or not it is malware, this is your best route to garnering a reasonably educated opinion.
If a user can successfully navigate the Internet for 30 days in a nominally unprotected state, should a user really feel compelled to obsess over whether their chosen AV/etc. does not immediately cover suspected malware within minutes of discovery? Short answer - no.
As a corollary to the above, are signature updates really required every 15 minutes? I realize that there is an inexorable tradeoff involved between update frequency and risk, but I do believe that there are clear tendencies to go overboard.
If my AV of choice now lags another in some test of detection statistics by a few percent, is that any reason to suddenly feel fundamentally exposed? Short answer - no.
Is the perception that a user faces a constant onslaught of challenges from the Internet consistent with the results of this test? The simple answer is no, although that could probably be inferred from the general silence of most any installed AV product. As remarked by myself and others here, anecdotal infection rates probably hover in the 1 incident/(every few years) rate for most. It's not terribly frequent, but that doesn't mean it is inconsequential, nor does it mean one should ignore the issue. It does mean that an ongoing state of agitation and fear is rather inappropriate.
-{ Quote: "So to partly answer why are there all these security apps available on the market and why do so many users spend their money and cover themselves with them ?" }-Simple answer? It's the free market at work. Also, the landscape of challenges is fluid. Think back a couple of years - the niche market of AS applications was created by neglect/slow coverage of this segment by the main existing vendor base in Windows PC security (the AV vendors). This niche still exists because it remains a dynamic arena, but the main AV vendors have substantially generalized their products and now cover it fairly well. As each niche domain emerges, components that are valued in the market (for whatever reason - it can be real or imagined performance) do get incorporated across product lines. Lots of options are simply a result of the fluidity of malware challenges and slow implementation and consolidation of feature sets in rather complex products.
-{ Quote: "Well, apart from anything else, the downside here is that if the system is your only system and you have no independent back-up regime, then using the above testing environment and philosophy of self-control, you really can't afford to stray too far or have an average teenager within 30ft of your machine - especially if you stand to disclose data of a personal/financial nature that could be damaging to your well being if intercepted.
As a result, for the home user it becomes more difficult to learn by trial & error. Ultimately, without the extra safety-nets, the very process of learning that Mrk advocates becomes to some extent more threatening, and the hands-on experience of experimenting more difficult to achieve." }-It is worthwhile to recall in providing advice here that many users remain single PC installations. Actions that could take the user offline may be only undone by external intervention - hence a caution that advice offered should be conservative and appreciate potential downside consequences - and everyone should probably have a Linux Live CD distro/Bart PE Win boot CD at the ready in the event the Windows side of the world folds up shop.
Blue
Mrkvonic
January 4th, 2007, 08:28 AM
Hello,
eyes-open, BlueZannetti, very nice discussion! Thank you!
Mrk
Escalader
January 4th, 2007, 02:48 PM
All in all, IMHO, Mrk has met the challenge that I put to him a month ago.
I congratulate him.
The point I missed that has now been discussed well here is can "others" do it as well or do they have to be as skilled as Mrk to safely work the internet his way?
Mrk, although you did not yet publish your "proof" on this forum, I believe you when you say, all scans showed nada.
Regards
Mrkvonic
January 4th, 2007, 03:43 PM
Hello,
I'm writing the report as we speak.
I hope to post it tomorrow.
You have cost me about 4 hours of my life.
Mrk
Ice_Czar
January 4th, 2007, 03:45 PM
-{ Quote: "
Is the perception that a user faces a constant onslaught of challenges from the Internet consistent with the results of this test? The simple answer is no, although that could probably be inferred from the general silence of most any installed AV product. As remarked by myself and others here, anecdotal infection rates probably hover in the 1 incident/(every few years) rate for most. It's not terribly frequent, but that doesn't mean it is inconsequential, nor does it mean one should ignore the issue. It does mean that an ongoing state of agitation and fear is rather inappropriate." }-
balanced against that would of course be the massive infection levels seen in client after client's computers. I've not been infected as far as I can tell for over 4 years. But I've cleaned infections out of boxes so massive I found it difficult to comprehend. Concurrently there has been a shift in subversion that isn't typically targeted at end users, wherein zero day trojans get dropped on institutional (http://www.theage.com.au/news/Breaking/Hacking-case-touches-Israeli-Nsecrets/2005/06/10/1118347582878.html) and corporate (http://www.securitypronews.com/2006/0316.html) networks.
Granted they currently have bigger fish to fry, these are weapons that are out there, if the return on investment of easily exploited boxes falls, there is too much money riding on the bot net extortion and spam markets to not upgrade. More to the point is that criminal activities are market driven themselves and a new market has just been created (http://www.washingtonpost.com/wp-dyn/content/article/2006/12/12/AR2006121200525.html)
if you actually enforce the immigration and hiring laws on the books the market for identities is going to expand exponentially. And into personal computers if they can.
Fear in a modern society and civilized setting is a misplaced biological response, one that all too often is played upon to manipulate. Its taken to extremes and polarizes issues. But a rational assessment of real risks and logical extension of observed phenomena within context is highly valuable in threat assessment. Nothing here places one in mortal danger and fear is inappropriate, but serious concern and real acknowledgment of current and likely future threats is a responsibility, especially given the context within which these messages appear.
;)
Pedro
January 4th, 2007, 03:48 PM
Eyes-open made a few good points. One is that Mrk's judgement on what could be a bad download, bad game, etc. And where to look for codecs, and so on.
It can be explained to an average user though. But that user just won't get everything, or he will have different tastes/needs.
A very informative test! One can be safe if careful with downloads.:thumb:
Escalader
January 4th, 2007, 04:23 PM
-{ Quote: "Hello,
I'm writing the report as we speak.
I hope to post it tomorrow.
You have cost me about 4 hours of my life.
Mrk" }-
Mrk: I am sorry you feel that reporting is a "cost" to you.:'(
When the test began you agreed to report, so now you will report. It was of course up to you to accept the test or not wasn't it?
Regards
Mrkvonic
January 5th, 2007, 07:43 AM
Hello,
Escalader, I'm teasing you.
The report is ready:
http://www.dedoimedo.com/computers/report.html
Please use discretion and common sense when reading the report.
Please do not use this test as a reason for lowering your security setup; try to UNDERSTAND what things were done rather than which software TOOLS were used to achieve them. The computer setup was merely a means and NOT the goal in achieving the desired results. It would have worked equally well with KIS, Outpost, RegRun, Sandboxie, or any other software.
Several posts above mine, the methodology was disserted in a very interesting and proud way by eyes-open and BlueZannetti.
Of course, further discussion is warmly welcomed.
Mrk
eyes-open
January 5th, 2007, 08:22 AM
-{ Quote: "Well, at least at Mrk's site, he does advise to skip the OS tweaking within Windows (go to Linux if you're of that mindset). I tend to strongly agree since you cannot always anticipate whether an "unneeded" service is "needed" by some application, occasionally with unpredictable results.
I guess my read is rather different.
" }-
Yes, absolutely correct Blue - I've found where Mrk refers to this on a different page within his site under the heading tweaking:-
http://www.dedoimedo.com/computers/collection.html#mozTocId684596
so well spotted, assume no such tweaks. :thumb:
@ Mrk - thanks :)
Long View
January 5th, 2007, 12:55 PM
-{ Quote: "
http://www.dedoimedo.com/computers/report.html
Of course, further discussion is warmly welcomed.
" }-
Very interesting
For what it's worth, I haven't seen a real live in-the-wild virus for years, nor has any malware given me any trouble. My Netgear DG834 probably helps and I do like Firefox (no scripts). I keep loading anti virus programs to see if I can find a really light one - currently running Antivir - but none of them have ever found anything other than false positives. About a month ago I loaded ProSecurity and playing with it has certainly helped me to understand a little more, but so far no joy -- nothing nasty to block.
Escalader
January 5th, 2007, 08:08 PM
Read your report. Very well written. I like it. You fooled me with the tease on cost, boo to me.
It's funny, during your 31 day test I hit 2 viruses that tried to load in my system; they were stopped by Bitdefender. I had walked away from my PC while logged on to my ISP Yahoo email page. Not sure what that means or even why I'm telling this trivial event. If I had been following the minimal methods, would not these viruses have penetrated the PC?
Here is what is probably a stupid question, if you had not had windows firewall on do you think you would have been so "clean" ?
Why are you so cavalier re tracking cookies? Do they not spy on where we go on the net and report back? If you don't scan and remove won't they accumulate and amass more and more information re you?
lucas1985
January 6th, 2007, 12:12 AM
-{ Quote: "
Here is what is probably a stupid question, if you had not had windows firewall on do you think you would have been so "clean" ?
" }-
Just analyze some probable vehicles of infections:
-Worms scanning for exploits, vulnerabilities. Countermeasures:
*Patching (Windows Update) or unplugging (Harden-It, WWWDC) the holes.
*Personal firewall correctly configured.
*Keeping trusted hosts (machines inside the LAN/behind the router) clean.
*NAT/SPI router.
-Drive-by downloads. Countermeasures:
*Patching or unplugging holes.
*Immunizing = SpywareBlaster/SpyBot.
*Blacklisting IPs, domains, site restrictions = Hosts, IE SpyAD/SpywareBlaster/SpyBot.
*Third-party browser with script whitelisting = Firefox w/NoScript.
*Safe browsing.
-Mail-based malware. Countermeasures:
*Use of third-party mail client.
*Disabling preview, HTML mail and scripts.
*Distrust all attachments except those you have requested. Also, open those attachments with third-party viewers that have scripts/macros disabled and/or in virtual environments.
*Drop unsolicited links and don´t follow requested links. Instead, check them in a secure browser and/or virtual environments before opening.
-Dodgy apps. Countermeasures:
*Learning about their behaviours using Google search, asking in forums, etc.
*Testing them yourself in a secure environment. Drop apps. that install toolbars, have a problematic EULA, phone home quite often, etc.
*Downloading them from the creator´s site or reputable download sites. If provided, verify the checksums.
-P2P. Countermeasures:
*Using clean/malware-free apps.
*Don´t use P2P to download software (except certified software like Linux distros, OpenOffice, etc) and, worse yet, cracks.
*Blacklisting bad IPs = PeerGuardian.
As you can see, you can drop malware scanners and HIPS without losing security. AVs/ATs/ASs and HIPS/sandboxes add convenience and peace of mind but also create false sense of security.
Mr. Mrkvonic did:
-Use router.
-Have clean hosts inside his network.
-Use personal firewall.
-Use up to date OS and apps.
-Use third-party apps with secure settings (whitelisted scripting, disabled attachments, etc)
-Do safe browsing.
-Use trustworthy apps.
-Manage unknown/potentially dangerous files/links with caution.
-Go to known sites for codecs, extensions, add-ons, apps.
Mr. Mrkvonic didn´t:
-Leave his system without updates.
-Use default apps. and settings.
-Use P2P to download apps. and cracks.
-Follow links without minimum care.
-Download all the fancy apps. he has seen without care.
-Accept unsolicited mail.
Mrkvonic
January 6th, 2007, 03:32 AM
Hello,
Noooooo!
In this test I:
DID NOT use router.
The computer was single test machine.
DID use Windows firewall.
DID use up to date OS and apps.
DID NOT use third-party apps with secure settings (whitelisted scripting, disabled attachments, etc) EXCEPT Firefox / Noscript.
DID NOT do safe browsing.
DID use trustworthy apps.
DID manage unknown/potentially dangerous files/links with caution.
DID go to known sites for codecs, extensions, add-ons, apps.
Likewise:
DID leave his system without updates - no updates during the test.
DID use default apps. and settings.
DID NOT use P2P to download apps. and cracks.
DID follow links without minimum care - no special attention.
DID NOT download all the fancy apps. he has seen without care - no reason to do this.
DID accept unsolicited mail - just did not read it.
Mrk
Mrkvonic
January 6th, 2007, 03:34 AM
Hello,
Escalder, please explain this sentence: did hit 2 viruses that tried to load.
I have a hard time understanding such sentences. Viruses do not try to load by themselves. Software requires active execution - either through a script when you load a page - the action here is the loading of the page - or by direct access to a file - the action here is you trying to manipulate files.
There's no black magic here. What did you do?
What browser?
What were you doing at that time?
As to firewall, if I were not using it, I might have to do some tweaking on some of the common service ports.
As to the cookies, who cares. Some company in South Dakota has tracked my surfing habits between 4th of March and 11th of August, in between the maintenance cycles. So? What are they going to do with that info?
BTW, the ID identifier is some string that relates to an IP or a computer, not me. No one really knows who the person behind the keyboard is - or how many they are. Your cable company knows every movie and channel you see. So? Do you see salesmen knocking on your door trying to sell you crapunkers for 9.99?
Mrk
Long View
January 6th, 2007, 08:38 AM
-{ Quote: "R
Why are you so cavalier re tracking cookies? Do they not spy on where we go on the net and report back? If you don't scan and remove won't they accumulate and amass more and more information re you?" }-
Perhaps I'm wrong but I used to try to stop tracking cookies. Now I have crap cleaner in the recycle bin and just find myself automatically cleaning every so often. I can't see them doing any damage and they soon get deleted.
Ice_Czar
January 6th, 2007, 10:09 AM
mine would just throw anyone's database into a state of confusion
Japanese architecture > porn > security forum > slating a countertop > micro cogeneration > porn > cruck framing > wikipedia > obscure political philosophy > nomadic tribes of outer Mongolia > Stirling engines > porn > security forum > commandline reference > repousse > weaving practices of the Turkish highlands > overclocking forum > porn > Karelian Bear Dogs > SIG PCI standards > Ceramic Kilns > etc
I'd give 'em a nervous breakdown ;D
I don't see the obsession about cookies either
lucas1985
January 6th, 2007, 10:10 AM
-{ Quote: "Hello,
Noooooo!
In this test I:
DID NOT use router.
The computer was single test machine.
DID use Windows firewall.
DID use up to date OS and apps.
DID NOT use third-party apps with secure settings (whitelisted scripting, disabled attachments, etc) EXCEPT Firefox / NoScript.
DID NOT do safe browsing.
DID use trustworthy apps.
DID manage unknown/potentially dangerous files/links with caution.
DID go to known sites for codecs, extensions, add-ons, apps.
Likewise:
DID leave his system without updates - no updates during the test.
DID use default apps. and settings.
DID NOT use P2P to download apps. and cracks.
DID follow links without minimum care - no special attention.
DID NOT download all the fancy apps. he has seen without care - no reason to do this.
DID accept unsolicited mail - just did not read it.
Mrk" }-
Thanks for the corrections, I was trying to summarize the five pages of the thread ;D
Your behaviours (the agreed test) have been more risky than the recommended ones, which doesn't imply that you would be more insecure. Also, you have "proved" that, regarding inbound, a firewall is virtually immune to all attacks except the sophisticated ones.
Escalader
January 6th, 2007, 11:01 AM
Hello,
Escalder, please explain this sentence: did hit 2 viruses that tried to load.
I have a hard time understanding such sentences. Viruses do not try to load by themselves. Software requires active execution - either through a script when you load a page - the action here is the loading of the page - or by direct access to a file - the action here is you trying to manipulate files.
There's no black magic here. What did you do?
YES, AS I TRIED TO SAY, I DID ZIP OTHER THAN LEAVE MY PC CONNECTED TO MY ISP WHICH IN MY CASE IS THE LOCAL CABLE COMPANY. BITDEFENDER 9.0 ACTIVELY SCANS FILES AND GAVE ME 2 MESSAGES IN A ROW SAYING IT BLOCKED 2 VIRUSES AND NOT TO PANIC AS MY MACHINE WAS NOT INFECTED. I THOUGHT GOOD, THAT IS WHAT IT IS SUPPOSED TO DO.
What browser? FF 2.0
What were you doing at that time? NOT MUCH JUST WHEN I RETURNED FROM DINNER CHECKED MY WEB BASED EMAIL
Escalader
January 6th, 2007, 11:08 AM
Hi all:
I clear cookies routinely. This is not an obsession.
If a user like me, who is careful (to put it mildly), cares about browser tracking, I don't really think that is an obsession.
If others don't care, so what? I certainly wouldn't call them non-obsessive on trackers? ;D
Hey Mrk, someone is at the door could be that salesman from SD!:D
Mrkvonic
January 6th, 2007, 11:12 AM
Hello,
Sorry for being a bother, but ...
You were checking your mail and ...?
Did BitDefender warn you about ATTACHMENTS?
Or while you were reading email, yahoo tried to surreptitiously download something onto your machine?
Mrk
lucas1985
January 6th, 2007, 11:23 AM
or malware blocked by the web scanner?
Escalader
January 6th, 2007, 11:26 AM
-{ Quote: "Hello,
Sorry for being a bother, but ...
You were checking your mail and ...?
Did BitDefender warn you about ATTACHMENTS?
Or while you were reading email, yahoo tried to surreptitiously download something onto your machine?
Mrk" }-
Never a bother, Mrk, I'm used to you now.
I can't be 100% sure of the answers for you here since I didn't record the BD messages! But all this occurred on the web based email site.
But if I was a betting man I'd say the latter, "yahoo tried to surreptitiously download something onto your machine?" There was no reference to attachments. That I'm sure of. My ISP uses yahoo's web based mail for public domain email and I only use my PC Outlook for personal mail where BD scans ALL incoming mail and ZA scans all outgoing mail. How about that? I certainly wouldn't want to propagate parasites (I like that word better). I put this in to stir you up!:dry:
lucas1985
January 6th, 2007, 11:41 AM
-{ Quote: "My ISP uses yahoo's web based mail for public domain email" }-
-{ Quote: "and I only use my PC Outlook for personal mail" }-
:blink:
Do you access Yahoo via POP3 or webmail? Do you have another POP3 account?
It seems that BD has blocked/deleted suspicious attachments.
Mrkvonic
January 6th, 2007, 11:47 AM
Hello,
I got my answer. Outlook. This means your anti-virus scanned attachments for incoming email. Nothing special. That's NOT what I call a threat. That's not even a nuisance. That's background noise.
When you said web-based, I assumed you accessed your email through the browser - at yahoo mail or other - and BitDefender warned of a drive-by-download - which is not something possible in FF, and I have yet to see one.
You did not stir me up. I am merely asking for accuracy when reporting about problems / threats.
There's a huge difference between receiving a mail that contains some stupid attachment and a visit to a website that tries to unpack a load onto your machine. Furthermore, your AV scans locally - this means that the files must be on their way to the hard drive or already there for the AV / email component to warn about.
The second part to happen in FF means a malicious file dropping into the cache and trying to execute, without user intervention - and this is quite impossible in FF. I have never seen a drive-by-download in FF, only in IE.
BTW, if my explanation is INCORRECT, please pm the website and I'll test and tell you what happens.
Mrk
lucas1985
January 6th, 2007, 12:03 PM
The moral of the story: don't put too much confidence in a clean report generated by malware scanners and don't worry when infected files are deleted. View it this way:
-Infected files are deleted. Good, less work to do (lazy mind ;D). Also, don't become paranoid, you are not under attack in almost all cases.
-Clean files. DANGER, they could be infected with unknown malware. Use common sense/best practices and manipulate those files with care and, better yet, in a virtual environment.
Mrkvonic
January 6th, 2007, 12:27 PM
Hello,
Very good, lucas. After all, Troy was breached from within.
Mrk
Ice_Czar
January 6th, 2007, 12:59 PM
but these days it's more like Invasion of the Body Snatchers :dry:
Escalader
January 6th, 2007, 03:25 PM
-{ Quote: ":blink:
Do you access Yahoo via POP3 or webmail? Do you have another POP3 account?
It seems that BD has blocked/deleted suspicious attachments." }-
When I log on to the ISP it is via user id and psw. From there they provide Yahoo internet search, news, etc etc. You click on their mail tab to access my web mail. They scan at their end for spam on web mail and if any slips through I tag it spam to prevent that one from reoccurring.
Yes, I have a pop3 personal account as well, which I access via Outlook. This is the one Bitdefender scans. So I guess you are suggesting that is the source of the warning re virus not the ISP web site?
That's all I can tell you on that.
Mrkvonic
January 6th, 2007, 03:37 PM
Hello,
Yes, indeed. That was local scan. Local AV with resident email scanner can be configured to check incoming email - and if there are bad attachments or such - it will flag, warn and possibly disinfect.
Nothing special or something to worry about.
I would trade Outlook for Thunderbird, though.
Mrk
Escalader
January 6th, 2007, 04:00 PM
Yes, I'm interested in Thunderbird.
It would need a way to move all my addresses contacts and stored email to it with little aggravation. Perhaps I could keep both?
eyes-open
January 7th, 2007, 03:38 AM
-{ Quote: "Yes, I'm interested in Thunderbird.
It would need a way to move all my addresses contacts and stored email to it with little aggravation." }-
Thunderbird has import wizards to help the move from Outlook Express. It's been a while and I don't remember, but I read that as a new user you are presented with the wizards by default.
-{ Quote: "Perhaps I could keep both?" }-
Yes - same as with browsers, you choose the one that you want to be your default program.
FWIW and to keep the focus on security, as it stands at the moment Secunia gives these vulnerability reports:-
re: Outlook Express Outlook Express 6 (http://secunia.com/product/102/)
re: Thunderbird Thunderbird 1.5.* (http://secunia.com/product/4652/)
Ice_Czar
January 7th, 2007, 07:40 AM
Thunderbird also has an Allow HTML Temporary (https://addons.mozilla.org/thunderbird/1556/) add-on so you can maintain a more secure text-only setting as a default but still easily view a selected (trusted) message in HTML
Long View
January 7th, 2007, 09:46 AM
I'm not sure what is supposed to be so bad about Outlook ?
My e-mail provider https://www.netaddress.com/ picks up e-mail from all over the place for me, checks and removes most spam, removes nasty attachments etc and then passes it all on to Outlook for storage and filing.
http://www.attensa.com/ feeds news to Outlook and I can then spend most of my day thinking about what to do with those undone items on my to do list.
Outlook works for me.
Escalader
January 7th, 2007, 09:50 AM
Thanks Guys:
Just for the record, I use a licensed MS Outlook NOT Outlook Express.
It is part of MS Office Basic edition 2003 11.8010.8107 SP2. Fully updated.
I have no reasons as yet to go to Thunderbird. I'm interested but why should I do this? What are the advantages? Faster? More secure? More features?
This is not a "challenge" just some questions for you!:)
lucas1985
January 7th, 2007, 10:01 AM
Faster?
Not sure.
More secure?
I would say yes, fewer bugs and more quickly fixed. More secure default settings.
More features?
Definitely.
The only good paid mail client is The Bat! It is the best on the market
eyes-open
January 7th, 2007, 10:10 AM
Sorry Escalader - then your ratings just improved:-
Microsoft Outlook 2003 has just the 1 unpatched item, rated moderately critical.
Secunia Microsoft Outlook 2003 (http://secunia.com/product/3292/?task=advisories)
Long View
January 7th, 2007, 11:26 AM
-{ Quote: "
Microsoft Outlook 2003 has just the 1 unpatched item, rated moderately critical.
Secunia Microsoft Outlook 2003 (http://secunia.com/product/3292/?task=advisories)" }-
Interesting. Looks like nothing is really secure:
Opera 2 vulnerabilities
Firefox Multiple
Thunderbird Multiple - including highly critical 2006 12 19
Almost makes me too afraid to open my front door ;)
Pedro
January 7th, 2007, 01:24 PM
The last i heard about Opera's vulnerabilities, the solution was to upgrade to the recent version. So no issues?;D
Ice_Czar
January 7th, 2007, 01:24 PM
-{ Quote: "My e-mail Provider https://www.netaddress.com/ picks up e-mail for all over the place for me, checks and removes most spam, removes nasty attachments etc " }-
This makes a huge difference in the overall exposure level
having had my "real" addy with earthlink\sprint (microwave broadband) for some 6 years left me a little shocked when I got a "raw" public email addy as the news poster of a popular website. I wouldn't touch that box without using a liveCD (Knoppix)
eyes-open
January 7th, 2007, 01:35 PM
Hi Long View :)
Sure you can mess with statistics. I'm trying hard to keep this all a valid part of Mrk's original thread and not turn it into a poll around e-mail clients. Therefore rather than answer Escalader with personal opinion, I chose to stick to the known state of security. Unfortunately, working within the context of the thread, I hadn't thought to allow for Outlook 2003 in my original answer to him - hence the comparative figures between Outlook Express & Thunderbird 1.5.* in my original answer to him. When it comes to relating the figures to the real world then:-
Mozilla Thunderbird versions 0.* = 21 advisories, unpatched = 0
Mozilla Thunderbird versions 1.* = 13 advisories, unpatched = 0
Mozilla Thunderbird versions 1.5.* = 6 advisories, unpatched = 0
Microsoft Outlook 2003 = 10 advisories, unpatched = 1
Microsoft Outlook Express = 30 advisories, unpatched = 7
Reading around, rather than based on personal preference, I think the figures above reflect what, on balance, is a popular view of the developing relationship between the different software. It isn't difficult now to find the view that Thunderbird has surpassed Outlook Express.
If you were about to start Mrk's test and have to pick one of the above as your client, to be used in its present state, within a tight system - I think based on features, security and general support, it would be harder to argue for Outlook Express than any of the others.
Similarly, in line with the figures, there is support for the view that Microsoft Outlook 2003 is a reasonably secure client. It's more difficult to find the argument that, if you already own this, you should feel that there is an impetus to abandon Outlook 2003. As spending unnecessary additional money on Microsoft products probably isn't one of Mrk's aims in this thread - it doesn't sit easily to maintain an active context for discussing Outlook 2003 here, other than to support Escalader's question.
Cheers e-o
Long View
January 7th, 2007, 02:15 PM
-{ Quote: "This makes a huge difference in the overall exposure level
having had my "real" addy with earthlink\sprint(microwave broadband) for some 6 years left me a little shocked when I got a "raw" public email addy as the news poster of a popular website. I wouldnt touch that box without using a liveCD (Knoppix)" }-
Sorry Ice_Czar, I'm not sure that I have really understood what you have written. I'm guessing that "this makes a huge difference" is sarcasm and "I wouldn't touch that box" means you are not impressed with Netaddress?
Unfortunately I don't keep records of how many e-mails I receive each day but after spam has been removed it's approximately 100 per day. I have been using Netaddress exclusively for just under 6 years - and have not seen even one virus. So to my way of thinking either no one is sending me anything bad or I'm very lucky or the messages that I receive periodically saying that something bad has been removed are true.
Anyway getting back to post #1 I guess all I'm saying is that there is more tricking going on than treating and that the difference, in practical security terms as opposed to theoretical, between say Outlook and Thunderbird or Firefox and Explorer is not all that important. I prefer Firefox but don't imagine that I will get pregnant just by visiting MSN using Explorer.
Ice_Czar
January 7th, 2007, 02:20 PM
nope, just the opposite ;D
I too have led a sheltered life with a good ISP that filters emails
up till I had that raw "homegrown" server forwarding everything it got.
and that as you implied,
what level of ISP filtering is occurring is really a variable left outside of this test ;)
Mrkvonic
January 7th, 2007, 02:35 PM
Hello,
Just a side thought, you won't believe me but I receive around 200 legit daily emails and only about 10-15 spams.
Mrk
Ice_Czar
January 7th, 2007, 02:59 PM
that's about the proportion I get with earthlink, they are damn good at filtering
when I had the raw server however that was reversed
about a hundred spam (or direct malware infected emails) per half dozen legit messages
lucas1985
January 7th, 2007, 03:09 PM
I receive 15-20 spams a day, almost all are mails with embedded images (CAPTCHA) that Thunderbird correctly flags as spam.
I expect to reduce that number to 0 with the help of my UTM router.
Escalader
January 7th, 2007, 05:41 PM
Thanks, guys. I must really be sheltered since in the last month I got zero spam.
Mind you in fairness to Mrk etc I set my PC Tools Spam Monitor plus Outlook to aggressive and have any the filter finds automatically deleted. So I will never know on those.
On the web mail I was getting a fair bit, say 2-3 per day. Yahoo.
Got ticked off and changed the option to if you think it is spam delete it.
Gosh maybe I'm missing some salesmen messages!:'(
Maybe we need an email tool thread?
vBulletin® Copyright ©2000-2012, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2012, Wilders Security Forums