How many scanners do I need?

Discussion in 'other anti-virus software' started by KF4BUS, Sep 25, 2002.

Thread Status:
Not open for further replies.
  1. KF4BUS

    KF4BUS Registered Member

    Joined:
    Sep 25, 2002
    Posts:
    1
    Location:
    Atlanta, GA USA
    This question could have been posted under several topics, but I'll start here.

    I'm trying to figure out how best to tell an average PC user how many scanners they need (but first I need to better understand this myself).

    Everyone knows about anti-virus scanners and is hopefully running and keeping current a good application. However, I wrote to Symantec and they don't detect all trojans and don't even start to look for adware and spyware. So I'm thinking I need to run five different scanners.

    1. Virus (& worm) scanner
    2. Trojan (& zombie) scanner
    3. Adware scanner (i.e. lavasoft)
    4. Spyware scanner (perhaps the same as adware scanner?)
    5. Keylogger scanner (i.e. spycop)

    First, I ask this forum will I miss scanning for any other malware if I run the five scanners listed above.

    Are any of the five scanners combined in a single product? Can five scanners be combined in a single product? What is the best way to explain the need for five scanners to an average PC user?

    Since I've learned of most forms of malware, virus doesn't top my list anymore as most serious (or should it still?). I understand a virus with a new signature is usually not detected until the signature is determined. A new virus also hits many users at once so empathy is shared. But this other malware is scary. Especially spyware/keyloggers. I read back in June that the Russian Mafia had installed Keylogger software on several public terminals at the University of Arizona (this was reported in Tech TV and I found several other articles on it so I don't believe it was a hoax).

    Summary: Does the average PC user need five scanners and what process (order and frequency of scanners) should be recommended by security practitioners?
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    1 and 2: yes.
    3 and 4 and maybe 5: take a look at http://beam.to/spybotsd
    Although I have never heard of anyone having trouble using Ad-aware and Spybot S&D side by side.
    IMO 5 is covered by using a decent trojan scanner and Spybot, but there may be other opinions since I don't know that much about keyloggers.

    Regards,

    Pieter
     
  3. DrSeltsam

    DrSeltsam Guest

    >1. Virus (& worm) scanner

    KAV.

    >2. Trojan (& zombie) scanner

    I think you don't need one if you use KAV ;o).

    >3. Adware scanner (i.e. lavasoft)
    >4. Spyware scanner (perhaps the same as adware scanner?)

    Yep - Lavasoft.

    >5. Keylogger scanner (i.e. spycop)

    Illegal keyloggers are in fact trojans and are found by KAV. Legal keyloggers have to be installed by you. If it was installed by your boss, it's in fact a reason to be fired if you uninstall it.

    I would use KAV and Ad-aware. Perhaps TDS, but I think this wouldn't be necessary.
     
  4. minacross

    minacross Registered Member

    Joined:
    May 12, 2002
    Posts:
    657
    What is a keylogger? o_O
     
  5. DrSeltsam

    DrSeltsam Guest

    Keyloggers are a special kind of trojan that records all your keystrokes.
     
  6. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    I have noticed lately there seems to be a lot of concern for keyloggers. It seems to me this is pretty much a minimal risk for the average user.
    Someone please enlighten me if I am delusional. :D
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Maybe shed a little light, although I think you're right about the risks for the average user: http://security.tao.ca/keylog.shtml

    Regards,

    Pieter
     
  8. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Personally,
    I use some form of protection as mentioned in the first post.
    Spybot S&D, ZoneAlarm Pro, Dr.Web and WebWasher.
    I don't use a "trojan scanner" on a regular basis; only if I suspect something, I'll run a copy of TDS or another.
    I depend on my firewall to inform me of any suspect connection attempts. Good idea or bad idea? Can't really decide, but it has worked for me so far!!
    Now I'll wait for the "trojan scanner" users to pounce on me over this comment!! ;)

    regards,
    bill ;)
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Bill,

    Having a look at your last post leads to at least one conclusion:

    You might get caught by some trojan server. Provided you've configured ZAPro to ask for permission for any installed software (your browser included!), you might be alerted that a server is trying to contact the client(s) outside. Since your system will be infected already, that's not a pro-active way to deal with these issues.

    regards.

    paul
     
  10. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Thanks for that link, Pieter. I like a short, concise look at something like that, which explains with adequate detail most of what should be considered about a subject. It pretty much confirmed what I was thinking.
    I don't think the FBI has planted Magic Lantern on me yet, but some of the places I end up, may one day attract their attention. :D
    Eyespy, I agree with Paul totally here. It is much better to be proactive and use TDS3, than to have it lie dormant on your computer most of the time. Having paid for such a great tool, it seems a waste not to use it as intended.
    Whenever I go to DSL Reports security forum, I am reminded every day that people do get infected with trojans and viruses on a regular basis.
    Given the current political atmosphere, I do expect to see an increase in the use of keyloggers and other spying programs. I would almost bet if you sent an email to a friend and used a bunch of "hot" words, such as b*mb, you would attract the attention of the FBI. Such is the world we live in. :(
     
  11. DrSeltsam

    DrSeltsam Guest

    > I depend on my firewall to inform me of any suspect connection attempts. Good idea or Bad
    >idea ? Can't really decide, but has worked for me so far !!

    Bad idea. At the moment I know at least 3 ways to circumvent ZA :o).

    First of all you can use the "unsecure standard ruleset". If you send to port 53, ZA thinks this is "normal" DNS traffic and won't block it :o).

    Second, ZA uses a socket layer. If you kick out this layer there is no problem to circumvent ZA.

    Third, ZA can be circumvented using its own protocol stack.

    Fourth, ZA can't prevent process injection.

    Fifth, ZA hasn't got stateful inspection, so it can be tunneled using other communication than TCP/IP and UDP (for example ACK packets or echo replies ...).

    Sixth, ZA doesn't check if the user really clicks on the "permit" button ;o).

    and so on and so on and so on ...

    oops - a little bit more than 3 ;o). All these methods can be used to tunnel Zone Alarm.
     
  12. controler

    controler Guest

    The first two screen shots are Outpost's default settings.

    Sorry about the bandwidth. Delete as necessary.
     

    Attached Files: 1.gif
  13. controler

    controler Guest

    Second Outpost screen shot
     

    Attached Files: 2.gif
  14. controler

    controler Guest

    Windows XP's default firewall settings
    two screen shots again
     


  15. controler

    controler Guest

    Still with me here Andreas H. ?
     

    Attached Files: XP2.gif
  16. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    I knew that was coming!! LOL!
    So Paul,
    you are saying that if I allow, say, IE6 to connect, ZA can't distinguish whether I am actually connected to a trojan server?
    I don't allow servers to operate within ZA. So with that being said, I am still susceptible to being hacked by a trojan server, IF I am infected with a trojan? Without ZA sending out the red flags?

    Regards,
    bill
     
  17. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Andreas,
    you should be working for ZA. They would probably pay you big bucks for your knowledge. LOL! ;)
    Now I get the feeling that a good firewall is NOT the "end all, be all" in regards to trojan activity.
    Occasionally, I would do a scan of my system with a trojan scanner, but never had one running in the background per se!
    I really appreciate your comments and will make another visit to your domain for the latest on ANTS!
    And keep away from my ports!! :D

    JK of course,
    best regards,
    bill ;)
     
  18. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Bill,

    In essence my statement stands: it's counter-active instead of pro-active. You might prevent a possible trojan server connecting to client(s); the fact remains, your system could be infected.

    Apart from that, it's turning into an interesting discussion ;):

    Sockets and running parallel to/below the Windows stack could be an issue. I'll leave the fun to Andreas and Checkout.

    regards.

    paul
     
  19. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Paul,
    <<<it's counter-active instead of pro-active>>>

    I like that!! Pro-active... can I use it??

    And thank you. :D

    kindest,
    Bill
     
  20. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    A few questions so I understand what you're saying here...
    Since we're talking trojans here, I'm assuming you mean outbound access to DNS. From what I've seen, any program trying to access out to get DNS is alerted by ZA, unless it's a program you've already permanently permitted access for. Could you add to your thought?
    I agree.
    I'm thinking you are talking DLL injection here? Have you looked at the ZAP component control? New or changed components, even attached to an existing and permitted program, will be alerted by ZAP. Or are you talking about lower-level access than this?
    I'm not sure about this one, but I don't necessarily doubt it. ZA handles TCP and UDP okay, but probably not too much more.
    I don't think this is right, unless you're just joking. Permits and denies work in all the ZA versions I've used.

    I'd like to talk more about this. I think people need to know just what a product's limits and abilities are. ZA does some things well, and others it's weaker at. But I think many products have both strengths and weaknesses; it's good to know what they are. :)

    Regards,
    LowWaterMark
     
  21. DrSeltsam

    DrSeltsam Guest

    >Since we're talking trojans here, I'm assuming you mean outbound access to DNS. From what
    >I've seen, any programming trying to access out to get DNS is alerted by ZA, unless it's a program
    >you've already permanently permitted access for. Could you add to your thought?

    There are a few trojans, Optix Lite for example, whose server doesn't act like a real server: they contact a predefined IP and a predefined port. If you use such a trojan and say "ok, contact myhome.dyndns.com at port 53", the trojan will work perfectly and ZA won't show anything, because it thinks you would like to connect to a DNS server.

    >I'm thinking you are talking DLL injection here?

    Nope. You can inject code directly :o). Just start an Internet Explorer suspended, get the EIP, save the data at EIP, put your own code inside unused parts of the program and overwrite the original EIP with a jump to your code. You won't find any DLL :o). You only have to restore the code at EIP and jump back after you did the stuff you wanted to do :o).

    >I'm not sure about this one, but I don't necessarily doubt it. ZA handles tcp and udp okay, but I
    >probably not too much more.

    There is one problem. Some packets are allowed every time. For example ICMP Echo Reply (the packet you receive as an answer to a ping). No firewall will block this. But you can use these packets to communicate. Just use raw sockets (and ICMP raw sockets are available since Winsock 2.0 under all Windows versions).

    There is only one way - stateful inspection. The firewall has to look if the packet is a real echo reply. If it is not (because it contains data) it has to drop or block these packets. Outpost has stateful inspection for example :o).

    >I don't think this is right, unless you're just joking. Permits and denys work in all the ZA versions
    >I've used.

    It is. Zone Alarm can be simply fooled. Install a hook to be informed if a window is created. Just check if this is a ZA window. Then get the handle of the permit button and send a mouse key down and then a mouse key up. ZA doesn't check if a program simulates this click or if the user did a "real" click.
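Two of the evasions Andreas lists here and in post 11 (a server that dials out to port 53 so the firewall assumes DNS, and data carried in ICMP echo replies) are exactly what the stateful inspection he mentions is meant to catch. The following is an added example, not code from this thread or from any of the firewalls named in it, that sketches such an inspector in Python: UDP/53 is allowed only if the payload parses as a DNS query, and an echo reply is allowed only if it answers an echo request seen going the other way with the same identifier, sequence number and data. The packet records, addresses and tunnel payloads are constructed for the demonstration; `Packet`, `StatefulInspector`, `looks_like_dns_query` and `run` are this example's own names, not APIs of any product discussed above.

```python
import struct
from dataclasses import dataclass

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"  # the 32-byte payload Windows ping sends


@dataclass(frozen=True)
class Packet:
    direction: str        # "out" (this host -> internet) or "in"
    proto: str            # "udp" or "icmp"
    remote: str           # the non-local address
    dport: int = 0        # UDP destination port (unused for ICMP)
    payload: bytes = b""  # UDP data, or the complete ICMP message


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; verifies to 0 over an intact message."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def icmp_echo(msg_type: int, ident: int, seq: int, data: bytes) -> bytes:
    """Build an echo request (8) or reply (0) with a valid checksum."""
    hdr = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", msg_type, 0, icmp_checksum(hdr + data), ident, seq) + data


def looks_like_dns_query(payload: bytes) -> bool:
    """Shape check only: a standard query whose question section parses cleanly.
    Data hidden inside QNAME labels (classic DNS tunnelling) still passes this."""
    if len(payload) < 12:
        return False
    _id, flags, qdcount, _an, _ns, arcount = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or ((flags >> 11) & 0xF) != 0 or qdcount == 0:
        return False  # QR must be 0 (a query) with opcode 0 (standard)
    pos = 12
    for _ in range(qdcount):
        while True:  # walk the labels of one QNAME
            if pos >= len(payload):
                return False
            length, pos = payload[pos], pos + 1
            if length == 0:
                break
            if length > 63 or pos + length > len(payload):
                return False
            pos += length
        pos += 4  # QTYPE + QCLASS
        if pos > len(payload):
            return False
    return pos == len(payload) or arcount > 0  # trailing bytes only with an OPT record


class StatefulInspector:
    """Remembers echo requests so that only replies answering one may pass."""

    def __init__(self) -> None:
        self._pending = {}  # (direction, remote, ident, seq) -> request data

    def inspect(self, pkt: Packet) -> str:
        if pkt.proto == "udp" and pkt.dport == 53:
            return "allow" if looks_like_dns_query(pkt.payload) else "block: not a DNS query"
        if pkt.proto == "icmp":
            return self._inspect_icmp(pkt)
        return "allow"

    def _inspect_icmp(self, pkt: Packet) -> str:
        if len(pkt.payload) < 8 or icmp_checksum(pkt.payload) != 0:
            return "block: malformed ICMP"
        msg_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt.payload[:8])
        data = pkt.payload[8:]
        if msg_type == ICMP_ECHO_REQUEST:
            self._pending[(pkt.direction, pkt.remote, ident, seq)] = data
        elif msg_type == ICMP_ECHO_REPLY:
            # Legitimate only if a request with this id/seq went the other way first.
            other = "in" if pkt.direction == "out" else "out"
            expected = self._pending.pop((other, pkt.remote, ident, seq), None)
            if expected is None:
                return "block: unsolicited echo reply"
            if data != expected:  # RFC 792: a reply echoes the request data unchanged
                return "block: echo reply payload differs from request"
        return "allow"


def dns_query(name: str) -> bytes:
    """Minimal A-record query for `name` (constructed sample traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


SAMPLE_TRAFFIC = [  # constructed; 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges
    Packet("out", "udp", "192.0.2.53", 53, dns_query("example.com")),
    Packet("out", "udp", "203.0.113.7", 53, b"OPTIX\x00screenshot.bmp"),  # backdoor dialing port 53
    Packet("out", "icmp", "192.0.2.1", payload=icmp_echo(ICMP_ECHO_REQUEST, 0x0200, 1, PING_DATA)),
    Packet("in", "icmp", "192.0.2.1", payload=icmp_echo(ICMP_ECHO_REPLY, 0x0200, 1, PING_DATA)),
    Packet("out", "icmp", "192.0.2.1", payload=icmp_echo(ICMP_ECHO_REQUEST, 0x0200, 2, PING_DATA)),
    Packet("in", "icmp", "192.0.2.1", payload=icmp_echo(ICMP_ECHO_REPLY, 0x0200, 2, b"cmd:dir c:\\")),
    Packet("out", "icmp", "203.0.113.7", payload=icmp_echo(ICMP_ECHO_REPLY, 0x4141, 7, b"keys:p4ssw0rd")),
]


def run(traffic=SAMPLE_TRAFFIC) -> list:
    """Verdict per packet, in order."""
    fw = StatefulInspector()
    return [fw.inspect(p) for p in traffic]
```

Running `run()` yields allow, block, allow, allow, allow, block, block: the real query and the real ping round trip pass, the backdoor's non-DNS datagram to port 53 is dropped, a reply whose data does not match the outstanding request is dropped, and an echo reply sent outbound with no matching inbound request (the raw-socket tunnel Andreas describes) is dropped. The caveat a practitioner should keep in mind is that this checks shape and state, not intent: a tunnel that encodes its data inside well-formed DNS question names, or inside an echo request rather than a reply, passes both checks and needs rate or entropy analysis on top.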
     
  22. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    Thanks Andreas - very interesting circumvention methods :)

    In my opinion, these support very well one of the original questions asked in this thread. A good Trojan scanner would clearly be of value in helping to protect against these types of attacks. (For myself, I prefer a sandbox, Tiny Trojan Trap, to watch what's happening on my system, and to back up my AV, firewall, etc.)

    Regards,
    LowWaterMark
     
  23. controler

    controler Guest

    I posted a screen shot on the firewall thread of the new beta firewall
    I am trying out by KA.

    As you will see there is an option to change the port, just like a couple of other firewalls I have tried. The default is of course 53.

    have fun guys :D
     
  24. I know that at least with past versions of ZA port 53 is under certain circumstances/certain operating systems not blocked, because DNS doesn't work on some computers if it is blocked. I don't remember, but I think it was only for UDP port 53, and I think it was only for inbound (as I say, I don't remember for sure, but it was a fairly limited set of circumstances). However, given that what the vast majority of users have listening on port 53 is their operating system's DNS client, I fail to see how this translates into a way to circumvent ZA. Are you saying there is an exploitable bug in the Windows DNS client?

    Also, as you imply, with ZA Pro and ZA Plus, you can configure the firewall to block port 53 as well.

    The socket layer is but *one piece* of ZA's security. If you "kick out" this layer to try to initiate a new connection, ZA will block you.

    o_O

    Here I confess my own ignorance. I have heard this phrase before, and I'm not sure if it refers to loading of a bad dll (which ZAP can protect against by notifying the user when a new or changed dll loads), or something else. I know I've heard the developers here (Zone Labs) talk about this, so I suspect you are talking about something else.

    Where did you get the idea that ZA doesn't do stateful packet inspection or monitor other protocols besides TCP or UDP? What you can configure in the free program is considerably less than what is monitored and protected. Even the Pro version doesn't allow user configuration of everything that it protects against. Just to be clear: ZA *does* do stateful packet inspection, although Zone Labs doesn't bandy about that phrase the way some of its competitors do.

    ZA/ZAP supports both TCP/IP and VPN protocols. ZA Pro can be configured to block or allow VPN or other protocols. None of this has anything to do with ACK or Echo Reply packets, both of which are part of the TCP/IP protocol suite (as is UDP).

    Is this the same thing as the "process injection" you were mentioning before?

    I will not say that there are not ways to get past ZA or ZAP, just as there are ways to get past any security software. The important question is how likely is the user in question to encounter the precise set of circumstances required for a bad guy or bad software to do so.

    Up to a point, the more different types of security the user has engaged, the more secure he/she will be. Personally, I think if the user practices basically safe surfing practices, the warnings from the firewall and an antivirus program should be enough. But that is my opinion. If the user is in the habit of downloading and trying every piece of software that looks interesting, visiting porn and warez sites with lax browser security settings, or pissing off people who get a kick out of breaking into and trashing each others' computers, then these may not be enough.

    Rebeccah
     
  25. FanJ

    FanJ Guest

    Hi Rebeccah,

    First of all: warm welcome and thanks for visiting us !

    Best regards, Jan.
     