Custom built more vulnerable to malware

Discussion in 'hardware' started by ohblu, Dec 11, 2009.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Guest

    Out of curiosity ohblu, which SP is installed on the machines, 2 or 3? (hopefully not 1 ;))

    If the machines are fully patched and the users are running in limited accounts, that will already provide a solid measure of security, let alone anything security software and, more importantly, common sense might add.

    You might want to check out some backup/restore solutions; it can make life sooo much easier.
     
  2. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    Technically, all a router does is connect two networks. NAT is the feature that allows multiple computers to use the one IP address assigned by the ISP by assigning new "local" addresses to each computer connected to the router. This, in effect, hides your computer's IP address from the world. That is the main security point of having a router. NAT does not block ports, but some routers allow you to block and open ports.
     
  3. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    When I test a router at www.grc.com all ports are either closed or stealth.
    Granted, I haven't tested EVERY router that exists, but isn't that test reliable?

    Don't virtually all simple consumer type routers block and/or stealth ports by default?
     
  4. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    ShieldsUP is an excellent test and I use it all the time. But what that is really showing is the ports on your computer cannot be seen - and that is because the router is hiding (the stealth part) your computer's IP address from the world.

    And yes, since most home routers have NAT - they do that by default. But many folks who do on-line gaming, or setup VPNs may open access to allow others to get in.
     
  5. wat0114

    wat0114 Guest

    AFAIK, a typical home NAT router will block unsolicited inbound traffic, although this is not to suggest the packet filtering is anywhere near that of an enterprise device, but at minimum no Internet "noise" is going to reach the PC's network interface.
     
  6. ohblu

    ohblu Registered Member

    Joined:
    Jul 26, 2008
    Posts:
    79
    Location:
    Colorado
    Both computers are Win XP SP2 with the windows firewall enabled. Even when I disable that firewall and connect directly to the modem (without the router), the ports are all stealthed according to the ShieldsUp test at GRC.com. Although it fails the ping test. The modem firewall (whatever that is) is turned off. So I don't know why the ports are showing as stealthed. I installed the Comodo free firewall and created a rule for blocking ping attempts, but it's not working.

    Normally, the computers are networked like this: the router is connected to the modem via ethernet. The custom built pc is connected to the router via ethernet. The other computer is connected through an unsecured wireless connection (antenna on back of computer). I just changed things so that the other computer will now be connected via ethernet so that no computers will be on a wireless connection.

    The games grandma plays come from (are downloaded from) game sites like Yahoo and BigFishGames.com. She must have 100-200 games on there. Sometimes, a few relatives use it to check Facebook and sites like that. But they mainly use the other computer for stuff like that. The other computer has been used for P2P which I know is riskier than just about anything.

    Is it possible that the custom built computer got infected through the other computer and the other computer didn't get infected? If they're networked, aren't things like that possible?
     
  7. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    As I noted a couple replies up,
    Have you run the additional scans mentioned above on both computers?
     
  8. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England

    Correct, home grade routers are setup to run in "gateway mode"...they take the single public IP address handed out by the ISP...and using NAT, allow a computer (or computers..up to 253 with class C home grade routers) to connect to the internet and share that single IP address.

    NAT brings a feature of a basic hardware firewall that blocks all 65,000 plus ports from the "wild side". So your computer(s) is/are hidden from the internet. It's a 1 way firewall, unsolicited incoming traffic is blocked. For those of you that know a bit about boating...think of it like a scupper on a boat..those 1 way flapper valve/drains in the transom of some boats. Water can flow out, but water doesn't flow back in.

    Those of you that worked on computers a few years ago may remember the MS Blaster worm. Computers that were connected directly to simple broadband modems...those computers were directly on a public IP address, and pretty much all of the hundreds and hundreds of computers that I cleaned the MS Blaster worm off of were setup in that manner. Computers that were behind routers pretty much never got it. MS Blaster was a worm that was capable of self spreading across networks. Computers directly on a cable modem for example...they were exposed to it. Computers behind NAT routers...they were not exposed to it.

    Going through the above experience years ago is what made me form my rule of thumb..any computers that I will be supporting are put behind NAT, I will not support a computer not behind NAT (except in a few very rare cases).

    Some people will say "Well, I don't need a NAT router firewall, I run my own software firewall". Well, I've come across plenty of instances where I've seen software firewalls disabled by malware, or become corrupted and not start, or <whatever>..thus in a matter of minutes the computer is exposed and pillaged and plundered by the bad stuff out there.
     
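    Added here as an illustration of the NAT behaviour YeOldeStonecat describes (outbound traffic creates a mapping, replies are let back in, unsolicited inbound is dropped) together with the port-forward exception Bill_Bright mentions for gaming and VPN setups. This is example code written for this page, not anything posted in the thread; all addresses and ports are constructed sample values, and it assumes a symmetric-style reply check and no mapping timeouts.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """Toy model of a home router in 'gateway mode' (constructed example)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # translation table: (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table = {}
        # explicit port forwards, the "open access for gaming/VPN" case:
        # (proto, public_port) -> (lan_ip, lan_port)
        self.forwards = {}
        self.dropped = []

    def add_port_forward(self, proto: str, public_port: int, lan_ip: str, lan_port: int):
        self.forwards[(proto, public_port)] = (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the public IP and record the flow."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for (proto, pub_port), entry in self.table.items():
            if proto == pkt.proto and entry == flow:
                break                      # existing mapping: reuse its public port
        else:
            pub_port = self.next_port      # allocate a fresh public port
            self.next_port += 1
            self.table[(pkt.proto, pub_port)] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: only a reply to a recorded flow, or a port forward, gets through."""
        key = (pkt.proto, pkt.dst_port)
        entry = self.table.get(key)
        if entry is not None:
            lan_ip, lan_port, remote_ip, remote_port = entry
            # the reply must come from the host the LAN machine actually talked to
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
        if key in self.forwards:
            lan_ip, lan_port = self.forwards[key]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
        self.dropped.append(pkt)           # unsolicited: nothing on the LAN asked for it
        return None


def run_demo() -> dict:
    """Walk through the cases the thread discusses; constructed addresses throughout."""
    nat = NatRouter(public_ip="203.0.113.7")
    pc = "192.168.1.10"
    # 1. the PC opens a web connection; the router rewrites the source and remembers it
    out = nat.outbound(Packet(pc, 51000, "198.51.100.20", 80))
    # 2. the web server's reply matches the mapping and is translated back to the PC
    reply = nat.inbound(Packet("198.51.100.20", 80, nat.public_ip, out.src_port))
    # 3. an unsolicited probe to TCP 135 (the RPC port Blaster spread over) finds no mapping
    probe = nat.inbound(Packet("192.0.2.99", 4444, nat.public_ip, 135))
    # 4. a port forward for a game server re-exposes one LAN host on that port
    nat.add_port_forward("tcp", 27015, "192.168.1.11", 27015)
    game = nat.inbound(Packet("192.0.2.50", 60000, nat.public_ip, 27015))
    return {"out": out, "reply": reply, "probe": probe, "game": game,
            "dropped": len(nat.dropped)}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

    The probe is the only packet that lands in `dropped`; the forwarded game port shows why opening ports for games or VPNs gives back some of the exposure the router removed.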
  9. wat0114

    wat0114 Guest

    Oh yes, I remember getting nailed by blaster back in ’02, I think it was, within mere minutes upon installing XP SP1 and not yet behind a router.

    I have recently concluded 3rd party firewalls are, as you’ve suggested, too unreliable. I’ve also frequently seen unpredictable behaviour in them as well. The Windows built-in fw, imo, although maybe doesn’t have the bells and whistles of 3rd party offerings, at least works exactly as it should. I’m using Win 7 with customized rules for two-way control and it’s awesome, and no matter what others have claimed, Internet browsing speed is faster than with 3rd party fw’s. Also behind a NAT home router as well.
     
  10. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    Why are the third party firewalls too unreliable?
    I have never had a problem with those. Basic outbound filtering has its benefits. (Windows XP)

    Currently I use the Avira security suite, I've also used the McAfee firewall, the KIS 2010 firewall, without any problems.
     
    Last edited by a moderator: Dec 18, 2009
  11. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    By themselves I don't trust them. I've seen/fixed waaaaaaaaay too many computers that had their security suite tanked, thus the OS got tanked. You can spend days...weeks....reading about the many examples of malware out there that will specifically target some software firewalls (as well as AV) and "knock them out"...disabled the services, corrupted the services, etc. We're talking about an operating system here...software can corrupt, services can fail to start, etc.

    If you want a 3rd party software firewall..fine...great, have at it, but I'd still want to be behind a NAT router as the primary line of defense.
     
    Last edited by a moderator: Dec 18, 2009
  12. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,237
    I do not buy the argument that 3rd party (software) protection is unreliable, and I say that from personal experience (in 20 years I have not had an instance in which they failed me) but still the argument stands that having NAT is a very good idea.

    The more secure the better.
     
  13. wat0114

    wat0114 Guest

    Just as YeOldeStonecat correctly claims, they can buckle under the pressure of malware or system conflicts.

    I will contend this is an impossible claim (truthfully) if you've used software firewalls over many months or especially years of use. There is always a bug that affects more than just one or two individuals' setups, no matter how hard the developer tries to produce a product that works perfectly on all supported O/S', given the innumerable possible software platforms that may be running alongside on a given setup. All you have to do is check out the various firewall support forums for evidence of this. There is always somebody complaining about something that isn't working right with their firewall or some other buggy behaviour with other software after they've installed the firewall. Granted, sometimes it is the end-user's fault, but you can be sure many of the bug reports are based on a legitimate bug in the firewall.

    Absolutely! It is just that I have found Win 7's and previously Vista's two-way control, although cumbersome to setup all the various program rules, is the best I've used yet. It works exactly as expected. If something didn't work right, it was my own fault setting up the rule incorrectly.
     
  14. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,237
    Are you really saying you do not believe that there are people out there who have never had a failure of their defensive (software based) strategy? No doubt there are folks whose set-ups have failed them but just because you can find issues on forums, that does not mean the majority of users are having problems. If you go to the Acronis forum you see all kinds of issues but still the majority of users do not have issues. In fact there is probably no technology that does not have a certain percentage of its users experience problems. Going from some users having problems to calling the technology unreliable is a tad extreme IMO.

    To put it in concrete (as opposed to digital) terms, some locked doors are easier to get through than others. And no lock is impossible to pick or door impossible to get open if you have the smarts and resources to go for it. But this in no way implies or indicates that locking your door as you leave the house or car is a waste of time or that locks are unreliable. In short you can always do more and adding NAT is a good idea but just because you do not have NAT does not mean you WILL have a problem.
     
  15. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    No system is 100% safe but in all cases, the user is the weakest link. If malware gets on your computer, it is not likely you could narrow it down to the fault of the firewall, for it would also have to get past your other defenses as well. And even then, malware exploits vulnerabilities, the vast majority of which would be plugged if the computer is kept updated and patched. So once again, it boils down to the user failing to keep the system patched, updated, scanned and blocked. The best system in the world is useless if the user lets the bad guy in.

    The fact of the matter is there are nearly 1 Billion Windows machines in the world today and a huge chunk of them are running just fine with default settings (to include Windows Update on full automatic), Windows Defender, Windows Firewall, Internet Explorer, and some AV. The fact a firewall, or AV or Windows itself stumbles does not mean the computer will automatically be infected. If the user avoids illegal porn, gambling, and P2P sites; does not "click here" to stop getting these popups and spam messages, and never opens unsolicited attachments or downloads without scanning first, it is not likely it will ever be infected.

    No, you don't have to have NAT to be secure, but sitting behind a router with NAT provides a huge layer of defense. I think the key thing here is to remove "crimes of opportunity". Badguys, (unless they are specifically targeting you on a personal level) are basically lazy people. They go for the "easy pickings" and any time you can make it harder for them, they will simply move on. Adding a router with NAT is an easy, inexpensive, and very effective layer of security that is well worth it, even on networks of just one computer.
     
  16. wat0114

    wat0114 Guest

    I just responded to your quote:

    ...and I don't see where I suggested they will fail but I do agree with YeOldeStonecat that they can (maybe I should have stated could) fail under malware influences ;) What I did imply is that over time, perhaps some months or more, you will no doubt encounter at least a bug or two in almost any release you use. It's inevitable. It always happens. If you check release notes, some of them at least always list bug fixes.

    Right, it is not necessarily - nor likely - the fault of the firewall. It is just that 3rd party fw's tend to introduce stability issues in the O/S that a NAT device or Windows built-in fw will not. The more 3rd party security software - not just firewalls - piled onto a pc, the more likely stability issues occur. I guess what I'm trying to get at is that all this software can act as a kind of virus itself, slowing the machine and causing stability issues for the end-user. I have concluded unequivocally that it's better to use as much as is built into Windows as possible (LUA, SRP, Win fw, AppLocker), along with a NAT device on the perimeter. Maybe one light product such as Sandboxie, ShadowDefender, Defensewall, is perfectly fine, and I'll even wholly endorse this idea. As for antivirus, I like the idea of an on-demand program such as Malwarebytes, but absolutely abhor the real-time products.
     
    Last edited by a moderator: Dec 19, 2009
  17. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    So you're disputing the fact that there has been malware out there which actively seeks to disable some specific brands of software firewalls? How many computers were you in charge of or serviced, over those 20 years? I have..probably easily 2 digits before the comma in my count.
     
    Last edited: Dec 19, 2009
  18. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    I am not sure I understand this argument.
    First, let's get rid of the 3rd party limiter. All 3rd party means is that it is not made by Microsoft. There's no reason to exclude Windows Firewall or Microsoft Security Essentials (anti-malware and anti-spyware).

    Second, we need to be fully aware of, but for the sake of this discussion, exclude rogue or fake security software. Sadly, fake security software is a major threat today - but, if you installed fake security software on your computer, that means you, the user (once again, the weakest link), failed to do your homework.

    Third, let's be careful about our claims of years of use with security software. Software based firewalls for home PCs did not come about until 1994 with CheckPoint's ZoneAlarm. Prior to the Internet, viruses were primarily transmitted via "sneakernet" - that is, by, once again, "a user" walking an infected floppy from one PC to another. The first virus for "Windows" did not come about until 1992 - although there were DOS viruses before that, most computers were either on a corporate network, or stand-alone.

    Fourth, until Man can create perfection, no product will ever be perfect.
    What does reliable mean? Since I brought home my first Intel based PC in early 1993 (I drove up to the original Gateway factory in North Sioux City, SD), no computer in my home has been infected. And that includes PCs used by kids and grandkids and their friends, and house guests, and while being on a high-speed broadband connection since early 1998. So in that sense, I can say my security "strategy" has been very reliable at keeping my systems secure and malware free.

    But have I had security software "problems"? Tons! I abandoned McAfee AV in the early 90's due to bloat, crashes, and other "reliability" problems. I abandoned Norton AV a few years later due to bloat, crashes, and other "reliability" problems. I abandoned AVG due to bloat, crashes, and other "reliability" problems. I abandoned ZoneAlarm due to bloat, crashes, and other "reliability" problems. The list goes on.

    I suspect most of us have similar stories. So in that sense, there have been tons of reliability issues with virtually all security programs. But all in all, they have been very reliable at their basic primary function, keeping malware out.
    ***

    Oh, and for the record (speaking of non 3rd party) I built this computer for Windows 7 and it is using Windows Firewall, Microsoft Security Essentials (both "free"), and IE8 behind a basic Linksys router with NAT. In terms of protecting my system, as well as other reliability issues, there have been absolutely no problems with bloat, crashes, infections, or any reliability problems. I am very happy with, and have no reservations recommending Microsoft's offerings and I hope the 3rd party security program makers take notice.
     
  19. bgoodman4

    bgoodman4 Registered Member

    Joined:
    Jan 13, 2009
    Posts:
    3,237
    Well said.
     
  20. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Why not?

    The history of software firewalls is irrelevant, although I'd lean towards BlackIce being out at the same time...if not a year or two before ZoneAlarmingly. (A quick Google shows BlackIce's predecessor was released to public in 1992)...but I have no interest to dig deeper...when the first software firewall for home users came out isn't relevant. IMO the fact that they can be disabled via several means is relevant.

    And why exclude rogue/fake alerts? The fact that they have turned into, by far, the biggest numbers for PC repair jobs show that they are completely relevant. Granted not relevant to NAT routers or home grade 3rd party software firewalls.

    The claim that the user "failed to do your homework"...that shows a lack of understanding in how these rogue/fake alerts spread. It has nothing to do with PC smarts or good computer use habits. I'll wind back the clock to mid-winter of last year, I..myself, an SMB network consultant, was using one of my home PCs doing some research on the Big 3 Auto problems last year with OBummers government bailout. Running NOD32, naturally Windows updates, and Firefox as my browser, behind a NAT firewall built on PFSense with Snort IDS add-on, I was on the United Auto Workers website, as soon as I clicked on one of its pages for Union Dues...BAM, XP Antivirus 2008 or 2009 or whatever variant jumped up on me. Luckily my cat-like reflexes managed to shut down the processes within a few milliseconds because I immediately recognized what it was. Here I was, an exceptionally well informed end user with a fairly decently protected computer, all legit software, never run warez or do that p2p/torrent crap, nice clean image, no bad surfing habits, certainly wasn't browsing midget porn sites...I was on a fully legit and well known website and a rogue jumped out and tried to lock its jaws on my PC. NOD didn't even see it, my eyes and fast hands protected my PC faster and better than it did.
     
  21. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    I had forgotten about BlackIce - which I used before ZoneAlarm too. It was revolutionary when new, but, initially, it was not really a firewall in the true sense either - but you are right, that's for a different discussion.

    Because this discussion is about security strategies that failed - (actually, it's about custom vs off-the-shelf PCs). I said for the sake of this discussion we can exclude rogue and fake software because by their very nature, it is a given they will not protect a system. If you want to discuss fake and rogue software, I suggest a new thread for that topic so we don't hijack this thread further.

    But I will say this in answer to your example - you getting the popup does not indicate a failure in your security strategy. I assume you did the right thing and did not click to install the software. That's simply a part of good user discipline: Never click on unsolicited links or install unsolicited programs.

    Taking it one step further, had you considered installing it, the right thing to do first is to do your homework before downloading and installing. Research the product. By simply plugging XP Antivirus 2008 into Google, anyone can quickly see it is a rogue/fake program.
     
  22. DarthFart

    DarthFart Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    2
    Location:
    Philly burbs

    Consider the following:

    If you installed an OEM version of Windows, be sure you used the MS OEM build software installer package for Windows of any flavor. Otherwise, the binary blobs that generally replace the original motherboard BIOS will haunt you (they don't play well with other OSs, I've read that the MS EULA now tells you, using some questionable legal doctrine, that they now own your machine, and only they can tell you what you can do with it.) If you think you can just reflash the BIOS these days, you're in for a rude awakening (sometimes spelled EFI and SMBIOS and countless other fun acronyms).

    I made that mistake being a DIYer, which apparently violates some industry law. Try convincing someone who thinks a kernel comes from corncobs (about 99.9 % of the population by my guess), that you have a kernel/userland bios32 type rootkit on your machine. Then try and guess who you turn to for help. If you find out, let me know! While I'll probably never find an attorney capable of understanding, let alone a justice system capable of dealing with it (despite violating at least four separate Federal statutes), you might want to consider the following.

    Build or purchase prebuilt, a system that never parses an MS Eula. Base it on one or several *nix OSs, say Fedora, Ubuntu, openSUSE, and perhaps OpenBSD or DragonflyBSD as a backup, and you might never look back, unless you're feeding your kids and paying the rent or mortgage working an IT job in the US. Here ends the advice based on the past three years of my life. The rest is sob story or flamebait.

    The worst part of this is if some shmuck who thinks his MS cert gives him the wisdom of the ages and the gullibility of a typical twenty-something tech confronted with idea that real wealth (seven 0s) along with a CPA and a JD make a person truly honest. If he decides to believe the wealthier former partner's story and enters your name instead into ms's webpage (aka Kangaroo Court or Star Chamber depending on your humor or lack thereof) for reporting unlicensed software use (with no true legal accountability, just contract one of the offshore divisions.)

    Welcome to my world! Coming to you Live! (thanks to Mepis antiX and *nix in general) from a DFI socket 939 motherboard with an AMD Opteron 170 processor, 1 GB DDR3200, nv 256 BM graphics card, and an embedded Busybox composed kernel that uses both unix and ms calls, prevents my properly configuring of any hardware such as a hard drive, my 1680 x1050 Viewsonic LCD monitor that prefers to display in non-native 1600x1200 when I'm lucky or 640x480 when I'm not, or even a USB stick without coding sleight of hand.

    Unfortunately, my small knowledge of coding was learned while unable to connect to my prior ISP (high speed cable, yeah!) for over two years until the Linux 2.6 kernel and a certain flavor of Linux (with cross platform agreements with the os world gorilla) finally rescued me from Internet hell into mere purgatory. Here in purgatory we still can't get root, and have a device and process tree the envy of any psychotic kernel-filesystem-hardware developer (when your device and process naming/numbering requires thousands of possibilities, you kinda guess there's something not quite Kosher.)

    I'm sure that every expert on every IT acronym will have fun with the old wacko posting to this forum for the first time, but before you all come up with every conceivable explanation, first tell me why a piece of malware would only exist to prevent or hinder my internet access, script my system to use DNS servers in Australia, need hidden .exe and .dll files when I've either uninstalled or never installed any legally licensed versions/flavors of ms winders, have never used an illegal copy of any software on any of the eight new motherboards this rootkit has trojaned onto, can't be of much use to a botnet when there's no harddrive present, gives me a unique id number no matter the motherboard/cpu combo, always installs IPv6 despite the fact my current ISP, Verizon, only uses IPv4, logs and transmits everything, and if I install or use a distro supplied copy of Wireshark as root eventually renices (or whatever the proper term is) my processes +/ up until they can't get processor time, and time me out so fast, I'm unable to log any traffic.

    Plus, the kit updates itself and uses some kind of framework partially based on the work of an IEEE sub-committee working on internet standards. I found an address in the Firefox java console that included an error retrieving an html framework/template file from the committee's website. (I have the specifics filed, it's just a for instance..) I can't even write and print a resume locally. And, no I'm neither a terrorist nor involved in criminal activity, and I haven't earned enough the past three years for even the IRS to be tapping me.

    An Old Dog that's finally learning some new tricks!
    ps not that it really matters, but I am sane and capable enough to at least claim a BS Temple Univ School of Eng, '81, it ain't Ivy League, but it was a 4 yr scholarship.o_O
     
  23. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    Why? To mess with you, of course. Not all malware is used to spread viruses, spam, spyware, or to conduct DDoS attacks. Some is written just to be a nuisance.

    Obviously there is something in common with all your troubled systems. The same optical drive? Mouse? Wireless adapter? My guess would be some driver is infected, or another computer on your network is infected, and infecting your system when you connect.
     
  24. DarthFart

    DarthFart Registered Member

    Joined:
    Oct 9, 2009
    Posts:
    2
    Location:
    Philly burbs
    My drivers are all embedded in the rootkit kernel, it hooks the memory from boot. As I said, I'm running a live Linux distribution, the embedded BIOS/rootkit, forces a fused, read only file system, where depending on the particular distro I may or may not have root privileges. My point is that it is not a simple infected driver, it's a sophisticated, adaptive piece of malware that was able to write itself into eight new, different motherboards and prevent their BIOS EEPROM from being flashed by a normal floppy boot. No matter what os is booted, it is crippled from the start, with a preset ethernet proxy configuration, users and groups that shouldn't exist, firmware drivers that consistently bypass the normal os boot configuration process, and on and on.

    No matter which motherboard or cpu I build the system with, it always is a basically static configuration and firmware dictated by the embedded kernel bios rootkit. The rootkit contains both unix from the Busybox and a lot of processes for cross-platform translation, particularly support for ms filesystems. It also tries to configure any harddrive install with ntfs (hidden, but detectable by some utilities), and then mount a virtual filesystem while trying to force the system to accept the volume as a real physical partition when it is in fact, a logical partition.

    The only reason I know is because some distros are able to control and redirect the boot process better than others. Also, I sometimes boot into level 1, and work from the console, other times I boot into level 3 or 5. I haven't sufficient skills yet to attempt my own compile or if the system will allow it, but whatever, it's no simple script-kiddie annoyance. I'm not a programmer by trade, but I'll teach myself whatever it takes to complete forensic analysis of the malware and defeat it or learn enough to build a system that can.

    happy trails
     
  25. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    I'm not a programmer by choice! But I do know that there must be something in common to these setups that is infected, causing a reinfection of your systems. Some rootkits can survive a format. There are differing opinions as to whether firmware in peripherals (optical drives or hard drives) can become infected - I don't see why not. And most malware does try to propagate, starting within "trusted zones".
     