Anti-drive-by software suggestion
Boost
January 22nd, 2009, 05:57 PM
Need some suggestions for my brother, who just got nailed with the rogue software Antivirus 2008 ;D
He's also pretty much a noob when it comes to this kind of stuff happening.
Miyagi
January 22nd, 2009, 06:12 PM
Nice n Easy: http://www.youtube.com/watch?v=AAx6Y2MW_uA&feature=channel_page
Boost
January 22nd, 2009, 06:18 PM
-{ Quote: "Nice n Easy: http://www.youtube.com/watch?v=AAx6Y2MW_uA&feature=channel_page" }-
I should also point out: if possible, offer a free software alternative ;)
aigle
January 22nd, 2009, 06:21 PM
Any sandbox will be OK. GesWall Free will do the job.
AKAJohnDoe
January 22nd, 2009, 08:05 PM
Use Firefox with the NoScript add-on extension
Boost
January 22nd, 2009, 08:20 PM
-{ Quote: "Any sandbox will be OK. GesWall free wil do the job." }-
Prolly end up installing GesWall for him along with Returnil Free.
He's using Explorer for the browser; wish he would switch, but you know how that goes... :wacko:
CubonesCastle
January 22nd, 2009, 08:23 PM
-{ Quote: "Use Firefox with the NoScript add-on extension" }-
You are forgetting "look down"; NoScript is not for newbies.
-{ Quote: "He's pretty much a noob when it comes to this kind of stuff happening also." }-
Avast Free + BoClean, and maybe WOT (Web of Trust).
That's your best and easiest option.
vijayind
January 23rd, 2009, 10:24 AM
If sandboxing is not your taste, IMO you should try PC Tools' BrowserDefender. It's kind of like SiteAdvisor, as it checks if the site you are about to visit is known to be malicious. Also it has a real-time engine, which checks every site as you browse and effectively detects many browser exploit pages as they load, hence preventing drive-by downloads.
See here for details:
http://www.browserdefender.com/help/#how
firzen771
January 23rd, 2009, 10:26 AM
-{ Quote: "If sandboxing is not your taste, IMO you should try PC Tools' BrowserDefender. It's kind of like SiteAdvisor, as it checks if the site you are about to visit is known to be malicious. Also it has a real-time engine, which checks every site as you browse and effectively detects many browser exploit pages as they load, hence preventing drive-by downloads.
See here for details:
http://www.browserdefender.com/help/#how" }-
Agreed, BrowserDefender is great; been using it for months now.
IceCube1010
January 23rd, 2009, 10:49 AM
-{ Quote: "Agreed, BrowserDefender is great; been using it for months now." }-
I like it also, but it doesn't work with Firefox 3.1 beta, which I really like.
Ice
firzen771
January 23rd, 2009, 10:53 AM
-{ Quote: "I like it also, but it doesn't work with Firefox 3.1 beta, which I really like.
Ice" }-
Hmm, guess it's a good thing I'm using the stable release of Firefox and not the beta :ouch:
demonon
January 23rd, 2009, 10:57 AM
The best thing you can do is keep your system up to date. It will prevent most drive-by downloads.
My advice is to use something like Sandboxie, DefenseWall or GesWall. Then consider blocking out bad sites. WOT and SiteHound are all right, but blocking sites with your hosts file also helps. If you really want an easy application, go with DefenseWall. Firefox or Opera are preferable, but IE is all right too. Remember you can use WOT and SiteHound with it.
Just tell him to use a LUA if he can, or use UAC with Vista, and not to accept anything he didn't choose to. The best thing to do is not to download anything and try everything.
IceCube1010
January 23rd, 2009, 11:26 AM
-{ Quote: "Hmm, guess it's a good thing I'm using the stable release of Firefox and not the beta :ouch:" }-
It's actually very stable and quick, I might add. I use WOT alongside it and CIS takes care of the rest.
Ice
Fuzzfas
January 23rd, 2009, 12:10 PM
Simple. Sandboxie. Non-registered is free, but will show a nag screen now and then. It will cover browsing.
aigle
January 23rd, 2009, 04:09 PM
Whitelisting, blacklisting etc. will not work against it, IMO. The best option is a sandbox or virtual system (Returnil, for example) for him.
jmonge
January 23rd, 2009, 04:13 PM
There is a new program called AppGuard; this one will protect you in real time against drive-by attacks ;)
aigle
January 23rd, 2009, 05:38 PM
It's very new, so it can't be suggested for a new user.
jrmhng
January 23rd, 2009, 05:47 PM
-{ Quote: "You are forgetting "look down"; NoScript is not for newbies." }-
It really isn't that hard.
andyman35
January 23rd, 2009, 09:42 PM
-{ Quote: "It really isnt that hard." }-
Not to an experienced user, but to be fair some sites generate 6 or 7 blocked items, so a degree of knowledge is required to know what to unblock if you require specific content to run, on a streaming video site for example.
SpikeyB
January 24th, 2009, 04:21 AM
-{ Quote: "Whitelisting, blacklisting etc. will not work against it, IMO." }-
Hi Aigle,
Why do you believe whitelisting will not work?
aigle
January 24th, 2009, 07:00 AM
White list will fail when a trusted site is compromised. We see it often.
demonon
January 24th, 2009, 08:16 AM
-{ Quote: "White list will fail when a trusted site is compromised. We see it often." }-
And you tell me what the probability is that a commonly used trusted site is compromised.
aigle
January 24th, 2009, 06:14 PM
Not uncommon, my dear.
chris2busy
January 24th, 2009, 07:06 PM
Wasn't it half a year ago that the F-Secure forum got a big fat exploit embedded, actually... and more since then.
jmonge
January 24th, 2009, 07:08 PM
-{ Quote: "Wasn't it half a year ago that the F-Secure forum got a big fat exploit embedded, actually... and more since then." }-
That's where a HIPS and sandbox program come to the rescue ;)
Boost
January 24th, 2009, 07:16 PM
Does Process Guard help with drive-by downloads?
Rmus
January 24th, 2009, 08:13 PM
-{ Quote: "And you tell me what the probability is that a commonly used trusted site is compromised." }-
Super Bowl stadium site hacked, seeded with exploits
http://blogs.zdnet.com/security/?p=15
-{ Quote: "In the attack, which was discovered by malware hunters at Websense Security Labs, the server hosting the site was breached and a link to a malicious JavaScript file was inserted into the header of the front page of the site. Visitors to the site execute the script, which attempts to exploit the vulnerabilities." }-
Popular tennis websites struck in latest malware attack
http://www.sophos.com/pressoffice/news/articles/2008/06/infected-tennis-sites.html
-{ Quote: "Pages on the ATP website are just some of the thousands on the internet to have been injected with a malicious script called Mal/Badsrc, according to Sophos experts. The script downloads another malicious script triggering an infection process which ultimately infects the victim with spyware.
Web security experts at Sophos note that by infecting pages on the website the hackers may capitalize on excitement surrounding Wimbledon 2008, one of the four grand slams in the tennis calendar making up part of the ATP tour, as tennis fans will be likely to visit the website keen to find out the latest news." }-
Visitors to Sony PlayStation website at risk of malware infection
http://www.sophos.com/pressoffice/news/articles/2008/07/playstation.html
-{ Quote: "Experts at SophosLabs™ have discovered that cybercriminals have successfully used an SQL injection attack to plant unauthorized code on pages promoting the PlayStation games "SingStar Pop" and "God of War"." }-
_____________________________________________________________________________
-{ Quote: "Does Process Guard help with drive-by downloads?" }-
"Drive-by downloads" hasn't been explicitly defined in this thread. The classic definition is the downloading of malware executables by remote code execution. If this is the case, then the answer is yes.
fcukdat who has tested such exploits for me says that nothing gets by Process Guard.
aigle (supreme malware tester par excellence) also tested a number of different products in a test I set up last year using an IE exploit:
http://www.urs2.net/rsj/computing/tests/remote
Remember that most drive-by downloads are targeted at IE {hint, hint}. Some exceptions are Flash and PDF exploits, which can download malware no matter the browser. A recent PDF exploit had this type of code:
....<< /Type /OpenAction
/S /URI
/URI (http://www.some_site.com/some_trojan.exe)
But this is no match for any of the products in the test. Easily blocked.
As mentioned by others, there are ways of preventing the exploit from getting to the point of downloading the malware - disabling scripting, for example.
But a solution such as those in the test are the barrier of last resort.
----
rich
SpikeyB
January 25th, 2009, 09:45 AM
-{ Quote: "White list will fail when a trusted site is compromised. We see it often." }-
Maybe I'm missing something. I don't understand how Antivirus 2008 could install and run at next boot on a machine that had a whitelist of allowed processes (when presumably Antivirus 2008 would not be on that whitelist). Perhaps you are talking about whitelisted websites, I'm not sure.
aigle
January 25th, 2009, 04:46 PM
Yes, I mean web sites. I was talking in context of WOT, browser defender and other such applications that were suggested by some users.
AKAJohnDoe
January 26th, 2009, 10:48 PM
Also, even without the NoScript add-on extension, Firefox has security settings to prevent drive-by add-on installs.
See how here (http://www.wilderssecurity.com/showthread.php?t=226375)
andyman35
January 27th, 2009, 08:02 AM
-{ Quote: "Yes, I mean web sites. I was talking in context of WOT, browser defender and other such applications that were suggested by some users." }-
Browser Defender performs real-time analysis of site content AFAIK, unlike WOT and similar static site rating tools.
idbit
January 27th, 2009, 03:15 PM
Don't forget, Online Armor Free includes Run Safer as part of Process Guard: http://tallemu.com/vbforum/comparisons.html. Practically seamless for a noob. I think just one check mark to turn it on...
aigle
January 27th, 2009, 04:41 PM
-{ Quote: "Browser Defender performs real-time analysis of site content AFAIK, unlike WOT and similar static site rating tools." }-
http://www.browserdefender.com/
raven211
January 28th, 2009, 11:56 AM
-{ Quote: "Don't forget, Online Armor Free includes Run Safer as part of Process Guard: http://tallemu.com/vbforum/comparisons.html. Practically seamless for a noob. I think just one check mark to turn it on..." }-
Well is the whole OA seamless for a noob? I wouldn't think so, or it depends on which kind of "noob" we're talking about...
GES/POR
January 28th, 2009, 02:13 PM
-{ Quote: "Browser Defender performs real-time analysis of site content AFAIK, unlike WOT and similar static site rating tools." }-
Sounds interesting, so I tried it for a few hours; it slowed browsing down quite a bit and didn't let me access my webmail, so off it went. I can't stand apps messing with my browsing. On the other hand, WOT hasn't caused these issues, but I passed on it for the reason you mentioned.
firzen771
January 28th, 2009, 02:23 PM
-{ Quote: "Sounds interesting, so I tried it for a few hours; it slowed browsing down quite a bit and didn't let me access my webmail, so off it went. I can't stand apps messing with my browsing. On the other hand, WOT hasn't caused these issues, but I passed on it for the reason you mentioned." }-
Really? Hmm, my browsing speeds are still fast with BrowserDefender :-\
GES/POR
January 28th, 2009, 02:57 PM
-{ Quote: "Really? Hmm, my browsing speeds are still fast with BrowserDefender :-\" }-
No joke, could easily be a conflict from my end, maybe with Edge
progress
February 20th, 2009, 04:42 PM
-{ Quote: "Use Firefox with the NoScript add-on extension" }-
So this is the easiest exploit protection? ::)
Kees1958
February 20th, 2009, 05:05 PM
-{ Quote: "So this is the easiest exploit protection? ::)" }-
Or Chrome with its built-in sandbox.
NormanF
February 20th, 2009, 10:47 PM
Geswall. If you run a browser in isolation, no drive-by malware can install. The reason is no process can run outside the virtual environment unless you allow it to. And if it does get on the browser somehow, closing it kills the malware. Defensewall performs a similar function.
the Tester
February 21st, 2009, 06:39 PM
Does Browser Defender work with Opera?
If not, any similar freeware that works with Opera?
EASTER
February 21st, 2009, 06:52 PM
Just to add to Rmus's list of so-called common sites that were hacked: CNN News was exploited shortly after the College Playoffs, when Atlanta was hit by a tornado that night. I went to the CNN site to try to see what they had to report on, and an exploit went berserk on my IE and forced a manual shutdown. Repeated attempts that evening yielded the same results, so any widely popular server, covered or not, can be poked into and present a problem at any given time.
I had Process Guard & EQS out of service at the time, and that's all it took.
It happens.
Copyright ©2002 - 2012, Wilders Security Forums