Why are some not concerned with outbound, especially w/risk driveby downloads?

Main two questions is

1) How are you preventing drive by downloads? Just turn scripting off and suffer the hassles? or? And does turning scripts off give full protection?

2) For those not concerned with outbound, why? (Are you that sure you are immune from drivebys, primarily zero day that AV misses).

My reasoning/situation.

I have gotten malware/virus on my computer once in past 8 years, my wife ~5 times. All were via internet infested pages. (My wifes AV has probably blocked a hundred over 8 years)

Not concerned with inbound since using router, and my software firewall past 8 years always says "0 access attempts".

My wife is european, works on websights, and has to use internet explorer most of the time. Some of European forums/sites occasionally have issues with malware. Turning off scripts makes her work difficult (she refuses to). She has gotten her bios and registry hosed a couple times from zero day exploits which AV missed. That is a minor irritation. The real concern is she got malware one time which an outbound picked up trying to phone home. While outbound is necessary on her computer, prevention is obviously better.

Greenborder was a godsend sandbox for a few days, until we realized it continously corrupted IE links, which made it unusable. Sandboxie is not bad, but there are some issues with her work, and it slows down browser by a second or two, and she thus wont use it.

From our point of view, 100% of risk is via browsing. Our only real security threat is driveby downloads, more for wife than me. Especially to those who dont think outbound is important, (ie those that are confident they can keep malware off their computer), how do you stop driveby downloads? Is there something I am missing?

Do you just turn off scripting and suffer with the irritation or?

My wife did try using firefox with noscript (even though not convient for her work), but she got malware using that, ? it was a site she whitelisted, which later had malware vs other). So back to IE as more convenient for her.

Any other ideas on safe web browsing that I am missing? Greenborder has right idea, it was just poor implentation, not to mention they are no longer in business.

 

I just use NoScript.

So far my AV has caught any malware before it installs. The chance of getting a rootkit or other malware installed and connecting out seems so negligible that I just dont worry about it.

Im not concerned with legitimate software connecting out either.

 

Prevention is always better than cure , that is for sure . About drive-by downloads -> Unlikely most of my relatives/friends I know what cyber threat is and how it acts , I don't click on each and every link I manage to see , I keep my computer and everything inside "mean and lean" (a.k.a don't install each and every program) . Once malware has infested a machine , it is not difficult to find it and it is not impossible to remove it .


Since I know what is already on the machine , I am supposed to know how and where it connects to , so I trust their connection(s) - this is why I don't need outbound firewall protection

Think 3 times before you click a link . Choose a antivirus that works (mine has never left me in critical moments) . In addition , make your wife's computer has the Microsoft-MVP's host file (updated monthly) so that your computer "rejects" known bad sites

 

Yeah, that is quite all, what I used in XP with a firewall and what I use now along with Vista's engine covered by UAC and IE7 with protected mode.
Disabling scripts provide almost full protection, if you keep your OS and all other apps regulary updated, properly set up and avoiding unknown things.

I am not consered about privacy, like some software trying to find out, what PC I have or what webpages I visit, as long as it does not slow down PC.
As HiTech_boy pointed out, the prevention is the key and once the malware is in, it is too late anyway and the best way to get rid of it, is a clean instal.
I hope, that I am quite well protected, because even if I would use a dozen of security apps, I could still only hope, that they would catch all those nasties.
So far I have not noticed any malware in my PC, so I guess, that it works (for years), but who knows, maybe I have a bot PC and I even do not know about it.

Well, it has some disadvantages like a few disabled webpages and some with limited functionality, but its advantages, like speeding up loading webpages, no google ADs or popups and 99% malware free PC, overtake it. Anyway, if I want to allow something, I add a webpage to trusted pages and it mostly works, not sure about Firefox, but in IE it is possible to setup, which scripts to run along with other settings. I tested it 4 times with zero day exploits and even when I had POC webpages in trusted zone, I was protected against 2 of them, until I tried default Internet zone settings, the other 2 could be prevented by hardware DEP.

 

Try GeSWall. Very light, policy-based sandbox. The free version protects browsers.

Use temporal whitelist and set NoScript to control plug-ins (Quicktime, Flash). Also keep Firefox up-to-date.

Good old common sense, Link Scanner Lite, etc.

Security is unfortunately almost always a trade-off between convenience and strength.

 

As you say, if a white listed page gets infected I am not sure noscript can help. But then I have a second layer of protection: Limited User account. On op of that I have a decent antivirus and application filtering firewall. If that would ever fail me I would use sandboxing software and unintrusive AT like Boclean or even likewise unintrusive HIPS like Prevx2, Norton Antibot. But so far HIPS in a LUA seems a bit overkill.

Why not run under a restricted account? It is not that much hassle one would think. I have until recently avoided LUA coz I thought it would hamper my computing, but then I thought if a Linux junkie can live with it, so can I

Or you could try surf inside Bufferzone (downside - doesnt work with BHO´s like Roboform), Defensewall, Sandboxie, Safespace, all software that isolates the browser from the rest of the system. Runsafe is another, it lowers the privileges of the browser. So it is not that hard to protect yourself. Personally I haven't seen any malware in years, even when visiting the darker side of the net.

 

On our home PC's we use the combo of a policy sandbox and behavior blocker.

The policy Sandbox HIPS should protect from most threats, without sacrifying functionality. For downlaoded programs our AV misses, I trust the IDS/Behavioral blocker to protect me until the AV knows that malware (when it does something strange the behavior blocker will get it, when it lays low the Av will ultimately know its signs/fingerprint).

DefenseWall or GeSWall (32 bits), HauteSecure (vista64), A2 Malware with IDS or ThreatFire free (32 bits) and Primary Response Safe Connect (Vista64).

You could also run your browser as a limited user account (Amust Defender in XP, Vista has it's UAC).



Regards

 

Thanks for the suggestions.

I realize surfing on US/English sites the risk of having financial info stolen via a trojan is neglible, and if it was not for my wife, I would smirk at that possibility as well. But on Russian/Ukranian sites the new trend is malware that looks for credit card numbers, account numbers etc.

In the US it would be highly unlikely that say a moderator at Wilders would post a legitimate link that also silently installs malware, on some Russian sites, not so unlikely. My wife can not simply avoid any of the sites, and no way to tell which rare ones are going to have malware.

Have not tried GesWall or the Microsoft-MVP's host file, will look into those, thanks. Though I dont know if MVP will have all the russian sites.

We both surf with dropmyrights limited user account, but just started that in past couple months, so will see how that helps.

For her a sandbox would be ideal, as she is basically surfing in a minefield. I will try Geswall and some of the others listed that I have not tried yet, if I can find something that wont slow her down, and allows her to do her work that would be great.

Thanks again for the suggestions!

 

If you run Vista with UAC enabled, you are going to get a UAC prompt if a site does anything funny. Don't put too much trust in the IE7 sandbox in Vista. You could give permission to and active-x control that was a keyloger. It might only work in IE7, but that is enough to steal your banking logon.

I used noscript for a while, but found it to be too much work. Even if I am capable of making decisions to train security software, my standard of performance is could an IT department roll this out to 1000 workstations where 975 of them are run by folks who don't know anything about computers and it all would work without a jillion calls to the help desk. I really do not need to be bothered by the security software unless something is really amiss. Unfortunately the stuff is so dumb it never gets trained.

There are some highly regarded firewalls and HIPS out there that are actually useless to anyone but an expert user because they never are done asking questions.

 

With good AVs with proper protection, one only needs to apply some common sense and outbound protection is no longer needed, a router takes care of inbound quite well.

 

When you are willing to pay, DefenseWall is the easiest to use. GesWall free might require some configuration to allow printing from the web.

DefenseWall versus GeSWall = very easy versus easy
GeSWall Pro versus DefenseWall = in GeSWall you can set certain untrusted aps (like mail = Yess, others like P2P and Webbrowser not) to access confidential files (for mail obbiously your mailbox directory, but you can deny access to other confidential directories). Defensewall does not allow untrusted aps to access confidential directories. It is yes or no. Same applies for trusted level DefenseWall only has trusted and untrusted, GesWall has 4 options. Besides the configurability of untrusted aps per confidential folder, I have not encountered any other advantage GeSWall has over DefenseWall. The advantage DefenseWall has over GeSWall is it out of the box no easy setup. They both do well in protection (both are from russian origin, so it takes a hacker to protect you from hackers).

DefenseWall is absolutely the only Sandbox HIPS which works right out of the box and is a very quiet HIPS I know. GeSWall is also quiet, but has more options and some times (dependinbg your set up) requires some configuration. That is why my son preferres GeSWall and my wife DefenseWall.

Regards

 

Very true Arup, and also, relying on outbound implies that the threat has already installed itself and run on your machine, which is not a good situation either, better to keep the nasty off the PC to begin with.

 

I agree with the above. I´ve never been concerned about the outbound protection since prevention is the most important thing. However, I would like to see some tests/reviews about how good different firewalls are concerning the inbound protection. Does anyone know were to find these tests?

/C.

 

Any site can be compromised. If you find out about it you may be able to use a software firewall to block movement to the (potentially redirected) site that installs the malware:

https://www.wilderssecurity.com/showthread.php?t=136452&highlight=gromozon

Naturally you can also block the usual Microsoft stuff, like when you use the Search, Help, Files and Settings Transfer Wizard, etc. or even block certain sites altogether.

As far as trusting apps go, you never know when a corporation changes its philosopy or lets bugs creep into their software. Examples like Zonealarm connecting to Zonelabs servers without permission (due to a so-called "bug") and some versions of Flashget being silent while the next version they come out with wants to talk to the whole world. What you trust one day may be the enemy tomorrow, especially if you allow automatic updates or try out new software versions a lot or don't keep abreast of unpatched vulnerabilities.

Outbound software firewalls provide some protection for the above.

 

Kerodo and Arup, the reason I phrased the question like that, I was hoping those that were not concerned with outbound protection would share what security steps they take that allow them to not be concerned with outbound. Common sense and antiviral programs, be it NOD32, KAV, NAV are excellent suggestions, unfortunately they are insufficent for surfing Russian web sites, though granted that method works in English/US sites. You could argue that common sense dictates not surfing on said Russian web sites, but my wifes job entails doing so. She may be on the same page a hundred times over several months without problem, and then 101st time it has malware. I used to get irritated at her each time, then I learned what she was up against.

However, I agree 100% that keeping it off is the way to go, and trying to get some additional tips for doing so. So far I think a sandbox that does not slow performance would be best bet.

Kees1958, thanks for suggestion, I will look at Defensewall, hopefully they have a trial version so I can see how it performs. Cost is not an issue, I happily paid for greenborder and used it until realizing it was continuously corrupting IE links/shortcuts, ie kept wiping out the web document tab and thus URL of the shortcuts. The only issue is will it slow surfing down or computer. My wife has 50-100 pages open at a time, and goes pretty quickly, some sites she visits, some helps to maintain, some she is a client on etc. She will use sandboxie some, but even the slight 1-2 second slowing of surfing over long run will irritate her to point she quits using it.

 

I must admint that I dont surf to russian websites that often. It happens, but I guess it is not the malware sites you wife uses. I would love to test my defenses on malware sites (but they are hard to find imo)
Could you pm me a couple of the sites your wife gets the malware from and I will test the stuff I have to see if I am vulnerable. If I am, I can set up something quickly that will protect me and give you suggestions..

You dont have to worry about spreading malware, I do have layered defense and always have a 1 to 6 hour old images of my system to restore to if something should get out of hand so I think I can handle any risks. I always image back to a good image after I try malware even if my defenses seem to take care of the attack.

 

I use Firefox or Opera as my primary browser. I only visit a small handful of websites each day...pretty much just the same dozen forums..tech forums, well known tech forums, sum to up 99% of my browsing. Pretty much the only time I use Internet Exploader is when I hitup my Exchange Server at my office via Outlook Web Access, or use Remote Web Workplace to connect to my Small Business Server clients. No e-mail clients..use Firefox when I check my GMail.

Am I sure that I'm immune? No, there's never a guarantee. But I'm careful of what I do, this isn't my first day using a computer. And I'm probably likely to notice odd behavior that my be a symptom of something hitting me.

Software firewall are no guarantee either...they can have vulnerabilities which can knock them out (stop the service from running).

And..lets face it...I'd wager that at least 95% of software firewall users don't know what the heck most of any warnings are about. svchost or explorer is connecting to the internet..."Oh...OK..go ahead".../clicks OK.

 

Reading my first post, my wife got malware 5 times in 8 years. Surfing ~1000 pages a day, ~300,000 per year, or maybe 1 infection per half million pages. And you want me to send you links so you can surf in the same manner for 3 months til you run into malware?

If there was one site that consistently had malware, no one would go there, it would be out of business. My wife is not surfing pron, where you can find the same malware on the same page infinitum.

The whole point, in Russia, rarely legitimate sites get problem with malware, and recently malware targeted towards stealing. It is quickly cleaned off when discovered, but not until some damage is done. Does not really happen much in US, but monster.com did have some fake adds recently that downloaded trojans that captured personal information and sent it to servers, was in news month or two ago.

If you are really looking for malware, I am sure plenty of people could tell you where to find it even in the US.

 

Most of the sites that spreads malware are not in the .ru zone- most of it are .biz, .info and .com.

 

Hello,

Without quoting you too much ...

1. Drivebys only work in IE, never in Firefox or Opera, so use those.

2. As to getting infected using Firefox with Noscript - it's not difficult. You reach a site, you download a file, you execute it - you are infected. As to getting infected by simply visiting a page - with the above setup - no chance.

3. Outbound - don't get infected and your outbound is a perk ... simple as that.

Mrk

 

Drive-by-download malware spreads with all the browsers you just mentioned. Just look for a interview with MPack developer- he recommended Opera with JavaScript disabled.

 

Hello,
Recommendations are one thing. Theory is another.
Reality is something else.
Mrk

 

and mis-information spread is the worst of all evils.

 

Hello,

I have posted in good faith, fully believing what I wrote and without any intention to deceive or mislead anyone.

The way I see things - and here's an analogy - a person could get killed by a meteor or he might tunnel through a wall - nothing in the physical laws prevents this from happening. It's just the chances are so small, we can round them to zero.

The same applies here. Of course, the utterly careless combination of downloading and executing files without regarding in search after cracks and such, plus the use of outdated software (not a week or two but months), might possibly result in some sort of remote execution exploit. But I think this is a remote chance by far.

Cheers,
Mrk

 

Well, my wife has gotten hit 5 times in 8 years, not common, but too common for me.

Once was using firefox with noscript. She whitelisted quite a few sites, it is simply impractical otherwise, unless you want to hit ok 10 times each time you land on a site. And she has to allow script on some sites. And likely, and unfortunately one site she whitelisted later had a malicious script.

Bottom line she has entirely different use than you, entirely different set of needs, entirely different sites, entirely different risk than you. So unfortunately your way does not work for everyone's needs. Works for me and you, but not for her.

But I guess if you dont see it in your habits, it does not exist.