Immunizations - worth it?

Discussion in 'other anti-malware software' started by SirDracula, Nov 12, 2007.

Thread Status:
Not open for further replies.
  1. SirDracula

    SirDracula Registered Member

    Joined:
    Oct 10, 2004
    Posts:
    70
    I've been using Spywareblaster and Spybot's immunizations. Are they really worth it? I would think that most of the thousands of entries are dated. Wouldn't a site that is all known to host spyware be taken down eventually as it is no longer effective and it's being blocked by everyone?

    The problem I have with Spybot is that the latest version bloats Firefox, it makes it very slow to open its allow/block lists because of the 7000+ entries it adds.

    If immunization is still a good idea, what would you recommend? I guess I'm interested in something that is lightweight, that blocks tracking cookies from the major ad houses and that has a list that's maintained and obsolete entries are actually removed once in a while. Oh, and it has to be FREE, automatic scheduled updates would be nice too ...
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    I prefer HOSTS lists over immunization because it blocks the sites. Plus I don't use IE.

    As for cookies, I would use an extension like CS Lite or Permit Cookies to control cookies in Firefox. Block all cookies and just allow the sites you need.
     
  3. SirDracula

    SirDracula Registered Member

    Joined:
    Oct 10, 2004
    Posts:
    70
    Is there a good hosts list out there that's being maintained and non-existent domains are removed?
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    For users of Internet Explorer they both are still worth the time spent keeping up with the programs in regards to sig updates. They both write their respective entries to the registry and passively protect creating no noticeable overhead with that layer of protection. I would suggest that you might consider using only one of them since their respective databases do overlap and you would only have to keep up with one program and its progress.
    Some of the entries are indeed dated meaning they have been there awhile and even tho I would have to get back in the re-checking business, they all resolved at one point in time in the past. I would also comment that AV's have dated malware in their respective databases but it's an overhead one has to expect given once bad always bad.

    The slowdown is being actively worked on by PepiMK and all the gang @ Team Spybot.

    Bubba
     
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Forget it! It is the same nonsense like directory immunizations, if you use several antispys they will show mass of false positives!
    Keep your system slim and don't put sh*t into it.
     
  7. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Spywareblaster and Spybot's immunization features have nada to do with "false positives" or perhaps you are strictly speaking of Spybot's scanning feature in regards to "false positives"....a feature Spywareblaster does not possess ?

    Bubba
     
  8. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    There are some antispy companies (probably you don't know them) out there that flag Spybot's immunizations of IE or @hosts as possible malware.

    It may be logical to immunize your system if you are beginner and surf to dangerous websites, but as a pro and reasonable surfer you really don't need stuff like this.
     
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    At the moment I am aware that Symantec has an issue with Spybot but fortunately they have rectified that issue....so yes I do "know them" in fact more than I care to know sometimes :blink:

    It's "logical" and an unfortunate necessity for everyone regardless of knowledge to stay protected on the net given the exploits\social engineering that crops up each and every day. For those that wish to think they know it all, their cockiness will bite them sooner or later.

    As for the topic of this thread....immunizations by Spybot\Spywareblaster (ActiveX kill bits, Restricted Site additions) are such an easy addition for those users that wish to use or are required to use Internet Explorer that one would be irresponsible to not recommend this feature especially for those less knowledgeable or for those who do wish to visit less than desirable websites. Each and every browser has its own security settings and\or addons and these 2 programs can offer the extra layer of protection for IE users that wish to take advantage of this added layer of security.

    Bubba
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    7000+ entries, isn't that a drop in the Malware Ocean ?
     
  11. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    4,098
    The very interesting thing about spyware, adware and the like is that a good percentage of the files are served from a much smaller set of sites than you might imagine.

    Some of these sites have served thousands of variants of potentially unwanted programs over their lifetimes. Others may not serve the files, but act as popular "gateways" through which users may be tricked into downloading them.

    And, sometimes, you'll see a single domain being used in mass attacks on tens of thousands of sites to distribute various unwanted wares:
    http://isc.sans.org/diary.html?storyid=3621
    http://isc.sans.org/diary.html?storyid=3625

    So whereas a spyware detection/removal program might count every file and registry entry that every variant of a potentially unwanted program makes (multiplied by potentially hundreds of variants or more), a prevention program may merely count the number of sources (websites) and/or installers. The numbers are not directly comparable. (And this is excluding the fact that different removal programs may count "variants" of a particular piece of malware in different ways to come up with their totals. It also doesn't include the fact that a single "dropper" or "installer" may end up cluttering a system with multiple different unwanted programs, each of which writes many files and registry entries, and so on - all of which may be counted as "1" item by the prevention program, but many items by the removal utility.)

    I hope this helps. :)

    Best regards,

    -Javacool
     
  12. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Probably. I won't use immunizations because I like to test many antispys even rogue ones and this will lead to billions of fp's with those bot immunizations and there will be only confusion by comparing all tools because some rogues display all immu's as malware.
     
  13. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Your comments are unfair. Saying that spywareblaster is not needed does not mean that one is cocky. In the extreme case, the user could be running with HIPS, virtualization, sandboxes etc and surely in this case you would concede that adding spywareblaster is almost certainly going to make no difference and hence is not needed.

    Based on my understanding of how spywareblaster works, I am doubtful on how effective spywareblaster really is in this day and age. My doubts are mostly theoretical of course, but similarly the pro-arguments for spywareblaster are equally theoretical.

    Too bad, no one has actually tried an empirical test of how effective spywareblaster is in preventing infection. For this to be fair, you need to have 2 equal systems, with one as a control and start surfing malicious sites. My guess is if both are running IE7, Windows XP/SP2, fully patched the difference will be minimal I suspect.

    My guess is if spywareblaster is of any value, it is the restricted IE sites that play a greater role , rather than setting the activex killbits...

    It all depends on how fast the updates are of course... A zero day exploit that spreads like wildfire to hundreds of sites would be very hard to handle by using restricted zones. And these generally are not activex based...
     
  14. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks;

    Needing immunizations or not? This reminds me of our provincial (Ontario, Canada) government's annual flu shot program; it is free for all residents of Ontario. Many view it as a passive measure, because the vaccine contains past known variants only and hoping to stop them from infecting people again. IMO and perhaps in some's, it is powerless against unknown new virus. Elderly persons and health field workers are urged to take a shot. Many others who fear the known side effects have skeptical opinions of programs. Just for folks to relate and imagine. Take good care.
     
  15. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I was not implying that if one did not use Spywareblaster or any layer of protection for that matter "that one is cocky". I simply stated "For those that wish to think they know it all, their cockiness will bite them sooner or later."

    I have no true numbers to back this up but simply based on the user base I am personally aware of....family members, friends, work machines....almost all use Internet Explorer and their level of expertise in securing their browser is pretty low in fact in most cases it's non existent. Your acquaintances may be different but mine are what they are....very lacking in what lies ahead when they access the net. It has always been and will always be a slow process when attempting to teach those less knowledgeable how best to protect their browsing experience. We in security forums are understanding of what it takes to practice safe hex and We IMHO are very small in numbers. With the holidays approaching there will be even more in numbers that access the net for the very first time....hips to them is what they will be worried about when they have too many turkey legs.

    Bubba
     
  16. Beavenburt

    Beavenburt Registered Member

    Joined:
    Dec 17, 2006
    Posts:
    566
    And there lies the irony Bubba. Those that need HIPS and Anti-malware have no clue how to use them. Those that do know, don't need them!
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I stick to my boot-to-restore, which makes my hard disk immune to any change, that's better than depending on security software that is based on incomplete blacklists.
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I have some data of little statistical value, but it may have some value: some clients of mine which agree on installing more than "that AV thing called AVG" and learn how to update SWB stay cleaner for longer periods of time. Safe surfers or SWB saving their bacons?
     
  19. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I am dazzled by so much philosophy, true true...
     
  20. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    But you said that directly while quoting "It may be logical to immunize your system if you are beginner and surf to dangerous websites, but as a pro and reasonable surfer you really don't need stuff like this."

    The implication is that the person who says this is wrong/cocky... But I notice that in your comment below you agree with his statement?

    I do not secure my browser at all beyond the default. Or those of the browsers of family members, friends and work machines. They are all at default setting which is pretty solid these days.

    What I do notice is that the ones who stay safe, have updates (whether automatically or not) more often than not.

    Believing in safe hex? No No, that is too cocky, you are going to get your ass bitten eventually. :)
     
  21. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    "Safe hex" may be over-rated by some, but it is still part of a defense-strategy...
     