Mr insecurity

Discussion in 'other security issues & news' started by larryb52, Mar 24, 2006.

Thread Status:
Not open for further replies.
  1. larryb52

    larryb52 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    1,126
    Since I got zapped last Oct with a trojan I have been on what seems like an endless mission of getting my machine fully secure. The downside is I haven't seen a security suite, app, AV, firewall or what have you that I haven't tried or bought... Unfortunately I can't get it nailed down as to what makes me feel safe, I suppose just too many choices & too many invaders. I suppose you could call me paranoid. I have a few favs but it seems like I'm constantly changing setups, anyway thanks to everyone here who's a bit more informed and in the know as it helps to see others with some great tips & insight...
     
  2. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Hehe, I think most people here started out that way, and I think it's because you think you're just fine when you got hit, so everything that you do to make yourself feel 'just fine' again just doesn't cut it. The fact is that just being that much more aware makes you much better off. One thing you might try doing is getting Process Explorer from www.sysinternals.com, set it to replace your task manager, and enter a description of all the programs running on your computer in the comments field. This will make you a lot more aware of what's running on your machine, making it easier to see for yourself when something is going on, and you will learn how to find relevant information if something does happen. Also get autoruns while you're at sysinternals.

    There's plenty of good databases out there filled with what processes and startups are what:
    http://castlecops.com/StartupList.html - also look through the navigation panel on the left for other lists
    http://www.bleepingcomputer.com/filedb/
    http://www.processlibrary.com/
    http://www.sysinfo.org/startuplist.php
    http://www.tasklist.org/
    http://www.bleepingcomputer.com/filedb/ (to do a search, go into one of the descriptions and there will be a search box)

    If you run into something, you can also find info on new malware here: http://fileinfo.prevx.com/ - lists new malware from early on, can potentially give you info before any other site has anything.
     
    Last edited: Mar 24, 2006
  3. larryb52

    larryb52 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    1,126
    great tip thanks!....what's your AV of choice?
     
  4. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I like NOD32. I have been using for about 3 years now and am very happy with it, especially the heuristics :)
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    Larry, I would suggest the following:
    Get "in touch" with how pcs work, how windows works, how software works and interacts, and your sense of security will go up, knowing you are capable of controlling your environment and recovering - easily - from potential disasters.
    It helps if you disassemble the problem into parts.

    1) Personal data
    Keep offline copies of your important stuff on cd / dvds, and / or an external flash drive or hdd. Update these copies incrementally every month or so. Keep several copies always readily available.
    This way, if you ever get zapped or even as a simple thing as a hdd failure occurs, you will not have lost everything.

    2) Programs
    Make a nice folder on your hdd and keep all your important software installers there. Burn this folder to a backup cd / dvd every once in a while, updated with fresh copies of your installers. I also suggest you have Windows updates downloaded manually and saved offline.

    Keep the programs cd / dvd alongside your other installation disks, like Windows, mobo drivers, video card and so forth, so you are always ready to make a fresh install without fussing up.

    3) Security
    Some programs can and may help. But you need to understand that the key to security is knowledge - and your decisions. You will very rarely contract something "by itself". Most of the time, things happen because of the user decision (a click here and there).

    You can minimize your exposure by using an alternative browser and mail client rather than the windows defaults (ie and outlook express). You can also help control the environment by using a firewall and anti-virus.
    Most importantly, you need to know what happens. You need to know what the registry is, startup, services, command line, port, and more. Once you master the concepts and basics, you will see that things are much simpler than they seem.

    4) Other things
    If you really want to learn more about controlling computers and recovering from disaster, I suggest you look into BartPE or Ultimate Boot CD for Windows live bootable cds, and how to make custom copies of them. Then, learn how to make small useful scripts for your own benefit. Training on formatting and installing Windows could also help.

    I hope this helped you; if not, ask on.
    Mrk
     
  6. larryb52

    larryb52 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    1,126
    some of that I already do the other tips are excellent...
     
    Last edited: Mar 24, 2006
  7. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    To add to Mrkvonic's excellent post:

    Separate the OS from the data by creating an OS only partition and one for user data.

    The OS partition then can be easily and quickly drive imaged or repaired or reinstalled w/o worrying about your data.

    The user data then can be easily backed up in any number of ways - cd/dvd or an external HD.

    To reiterate Mrkvonic's point, the issue really is that if malware does get thru, then learn how to recover reasonably fast w/o losing your data.

    This thread http://www.windowsbbs.com/showthread.php?t=49222 guides you thru moving the Documents and Settings folder(s) which contain My Documents - My Pictures - Favorites and so on (part of user data) to a data partition so you don't even have to worry about XP's default folders.

    Regards - Charles
     
    Last edited: Mar 24, 2006
  8. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Charles you are new here, so let me help you out.

    1) The best antivirus is probably KAV and NOD, but it's well known that Antiviruses are on their way out, because they just can't keep up with the amount of malware. Blacklisting based on signatures is a dead end. Any decent hacker can write his own virus that cannot be detected.

    It's still okay to use one, but just don't rely on them 100%.

    2) You also need an Antitrojan. Most of the time you get ATs not for the file scanner, the best ones like Ewido, Boclean, have something called memory scanners. Yeah Antiviruses also claim to have them, but these are not 'real memory scanners' what ever that means. Confusing ? Just trust me, you need an Antitrojan to pick up packed samples.

    3) As good as AT and AVs are, they are totally based on blacklists. If the security company doesn't have a sample he cannot create a signature to detect it. So what do we do?

    If you worry about stupid run of the mill worms, all you need is antiviruses, really. But it's well known among security experts here that HIPS/behavior blockers offer the only chance of protection against advanced malware (zero day exploits, rootkits, bios related rootkits) etc.

    And as everyone knows these advanced malware are getting very very common, every expert says that!

    As such it is CRITICAL you run a couple of HIPS to INCREASE YOUR CHANCES OF BLOCKING THOSE. I recommend a minimum of 2, though to be on the safe side you should go to 4.

    Won't that slow down your computer? Don't despair, nowadays many firewalls and antiviruses incorporate such features, so you really need only 2 more specialised HIPS + your firewall and antivirus to reach 4 HIPS.

    I recommend something like this

    KAV 6 beta (Antivirus has HIPS features)
    Zone Alarm Pro ( Firewall Has system firewalling features)
    Processguard (HIPS)
    Neovguard. (HIPS)
    BOClean (antitrojan).

    The reason why you need so many HIPS, is that each HIPS covers a different entry point into your system (also there are overlaps but you turn them off), and only by running a combination can you be sure you cover as many of them as possible.

    Remember the more stuff the HIPS monitors the better!

    HIPS is very important, and most laypersons still haven't caught on to this yet, but here at Wilders we are ahead of the pack. If you go away from Wilders learning only one thing, it should be this

    Forget debates about brands of Antivirus, firewalls. HIPS/Behavior blocks are the key! They are the most critical components of keeping your computer safe, you need them to stay safe!


    if you have the time also learn this

    2) Security is about using computer security software, the more you run the more secure you are.

    Ignore the naysayers who tell you this is false! This is a security forum that's what we do. It's totally insane to believe that HIPS are not necessary. What do you think we are? A bunch of idiots who started reading wilders for a couple of months? :)

    If you don't run HIPS, you will end up like one of those poor cases of people seeking help for HJT log readings. Not good. It's well known as people here will tell you anyone running HIPS has never been infected before!!

    Also remember to stay up to date with the HIPS scene. Malware makers are always coming up with new ways of hacking you, you need to ensure that your security software can keep up, by changing to a newer one whenever possible.

    For example look at this rootkit in bios thingie, if your HIPS can't handle this, I think you should throw it out!
     
  9. dog

    dog Guest

    Post removed - trolling/baiting

    Please do focus on the topic at hand and refrain from trying to stir the pot. I find it funny that someone who has been challenged repeatedly and has not fared well, would now try to be someone's friend, encouraging such behaviour. I guess it's an attempt to negate future challenges - which is truly sad. Consider it a favour that I remove the post as it doesn't show well.

    Steve
     
    Last edited by a moderator: Mar 25, 2006
  10. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    It's absolutely Nothing to do with trying to be his friend. I was agreeing with him, if that's allowed? And my previous post was, as i stated, a Sincere one, as i fully support what he wrote.

    And it's NOT an attempt to negate future anything either, nor do i consider it a favour the post was removed, and i've just noticed my additional one also. What was wrong with that one? Nothing, i was supporting his views, that's all! So you can put it back now, thanks.

    Just because sometimes people may disagree and or have different views on things, doesn't mean i automatically go around rejecting all advice etc, if i do agree with whatever etc.

    Being challenged on views etc is just fine with me, i can assure you! Whether or not some of my points fared well with some is a matter of conjecture. Maybe some other people's posts etc don't fare well, and they might not like being challenged either, hey!


    StevieO
     
  11. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I'm sure that Charles can perceive that your tongue is firmly in-cheek. But for a casual reader who may not....
    Whether any vendor can or cannot keep up with the proliferation of malware obviously depends on the staff and capital resources focused on this task. Currently, the major organizations have no problem. Will they in the foreseeable future? I don't see this as an immediate issue. At some point that may change for the large organizations. At this point it hasn't, as far as I'm aware.
    If there is an issue with blacklisting, I would say it revolves around the management and realtime searching of the signature database. This can be handled in a number of ways. Again, with current PC's this isn't a major issue and the user does have a number of options from which to select, some fleet of foot, some less so. Detection, or lack thereof, is largely a time dependent issue unless the OS is compromised. Although there is much gnashing of teeth on this topic, it is not a current general issue as far as I can see.
    It's never a good idea to blindly rely on anything 100%, unless, of course, 100% reliance yields a better outcome than blithely ignoring the warnings. I guess the most recent example of the downside of 100% blind reliance has been provided by McAfee, although from a rather different perspective.
    Although I left my personal answer somewhat in the air here, if the qualifier used is need, my answer is no. Whether or not an AT will pick up something an AV doesn't - due to use of an obscure packer/etc. - is time and priority dependent, that's it. Does the time dependency worry you? Perhaps process memory scanning will fill a void, but it's important to understand that it's a rather small void being filled.
    Hmmm, advanced... Well, zero day is run-of-the-mill, but early on. Nothing advanced there. BIOS related rootkits? Let's try to keep it real. Rootkits? Could we have a show of hands by everyone who has had their system hammered by a rootkit while participating in normal surfing/activity? OK, let's broaden that to risky activity. I thought so.
    Setting aside the advanced part, since I simply don't know what that means, malware in the sense of malicious software is not common. What is common is annoyanceware. It annoys, it may even prevent your PC from functioning as you wish it would, but it is primarily an annoyance, though at times a truly significant one. Malware is certainly present. I clearly don't want to leave the impression that it is not, and a user should be aware of it, but based on my own years of usage, it is not common except in certain venues that I simply don't view as mainstream.
    If you deem it appropriate to run a HIPS, like anything else, settle on 1, at most.
    Include the HIPS functionality implemented in that AV/firewall/etc. as the 1 if appropriate.
    Wonder what will happen on boot? I see a fine hue of blue in the offing....
    And those specific different entry points would be? Except for very specific solutions (for example, RegDefend for registry protection only), general HIPS applications have extensive overlap with potentially some unique twists for each approach.
    Obviously not true as a general statement. More does not necessarily equate to better. Duplication does not equate to better. Filling a clear gap may equate to better, or may not. Whether it does or not depends on secondary factors (system stability, finding yourself in an alert-fest of pop-ups, is a real gap addressed, etc.)
    Mainstream AV's and firewalls remain the foundation for most users at this time.
    Guess I'm a naysayer. False.
    As someone who does have 1 HIPS installed, I don't think they are necessary. Most provide some basic functions that I find useful, but these are quickly being incorporated into AV packages.
    Whether or not this is true depends on how one responds to the alerts provided by the HIPS as well as its coverage. HIPS as a product class have two primary problems in my own view. First, since they alert on potentially malicious behavior, the vast majority of the warnings are, initially at least, equivalent to false positives. It is more or less the inverse of signature based packages where the false positive is an infrequent event. Second, you have to know how to respond to the alert. A casual user often does not have this information in their bag of knowledge.
    We've clearly transitioned from the sublime to the ridiculous.

    DA, you're playing your namesake well. But I fear the useful points that you make are being lost in the devilry. My serious summary of your perspective, which I tend to agree with, and apologies for what I get wrong:
    • With everything, there is a point of diminishing returns which can quickly turn to negative results. This is true of defensive layering as well.
    • As with any activity, knowing what your actions do is a prerequisite to doing no harm.
    • The default action of many security programs, particularly HIPS, can create problems if blindly followed
    • There's malware out there, be aware that it is real.
    • There's hysteria out there, try to separate the real from the paranoid. While this can be a moving target, it's not moving that fast for mainstream users.
    • Yes, there is such a thing as "too much". The result of "too much" can span anything from neutral result to system slowing to gross instability. I suppose that sufficient conflict could, in principle, make you more vulnerable, not less. I've not seen an example of this, but I suppose it should be included as a potential result.
    • Being safe can be accomplished with simplicity. A casual surfer does not have the same needs as someone running p2p/frequenting malware-hack sites/or generally surfing the underbelly of the internet. Recommended security approaches should reflect this.
    • Even if one exclusively surfs the underbelly of the internet, there is such a thing as "too much"
    Apologies in advance for any misrepresentations.

    Blue
     
  12. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Well some people may have not realised it yet, but if you re-read DA's post No. 8 you might discover Everything he wrote is Not as it first may appear, and i do mean Everything. He might have been replying to zcv, but his comments were directed at ALL of us. And it's more than just tongue in cheek, if you haven't noticed!

    That's why i had previously posted that i was Very sincere in agreeing with him in there. Not because of the way he did it, but it is very Very clever. But because he's trying to make us take a good look at how we attempt to achieve decent security, not just perceived security on some level/s, or solely on recommendations etc. Like i said before, i truly believe it's the best thing he's posted, so far anyway.


    StevieO
     
  13. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Agreed, and I didn't have that feeling either ... the only minor point I had with his post is his recommendation of -at least- 4 HIPS programs to a complete newbie lol :) ..

    /edit: I hope we'll see him again real soon .. asking what the %$[`means static dll injection lol cause that's in the helpfile :D
     
  14. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    BlueZannetti yes, I was mostly tongue in cheek.

    I was afraid I would be too subtle, so towards the middle I was dropping heavy hints I wasn't serious.

    I mean come on...

    "Remember the more stuff the HIPS monitors the better!!"

    "Security is about using computer security software, the more you run the more secure you are."

    But it seems it was not enough, it's still good enough that StevieO and Infinity think it is my best post ever :)

    Well i guess if i recommended 4 hips to 'experienced' users here, it would be okay? Okay take 0.5 points off my perfect post. :)

    Thanks StevieO, but it wasn't as clever as you think. Besides, nothing i posted is new, i adapted it from various posters and the sentiments expressed here definitely aren't original.

    As for my true feeling Blue basically nailed it. Read his summary again to see what my points were.

    PS Just in case Dog is right and you are trying to suck up to me, please you don't need to! I'm not one of your security experts or super vxers like holyfather, i'm not going to give you insider access.... :)
     
    Last edited: Mar 25, 2006
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    Devil, I appreciate the sarcasm, but that's not the way you should introduce yourself to a new member (larry) asking a serious question. He needs time to adapt to your style. Furthermore, he seemed genuinely concerned, so instead of elevating his fears, we should try to calm him.
    Mrk
     
  16. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    You are right mrkvonic.

    I was wrong to do this. I don't know why Wilders puts up with trolls like me.

    As self- punishment I will not post for a month. See you....
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    As self-punishment, I'd suggest you eat a pizza with pineapple, but do post... Otherwise, who will I have to jab?
    Mrk
     
  18. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Maybe i read something wrong here?

    What is your motivation advising beta software for protection o_O
     
  19. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Probably because KIS/KAV2006 isn't that "beta" anymore, it is practically finished anyway. I would suggest KIS2006 (as a whole suite) too cause it is rather newbie-friendly, the major glitches are gone, the complete protection scope is practically excellent :) personally I'm wondering what they'll come up with next year! Cause there isn't much room for new features anyway :eek: .. and to be honest it is easy to configure ..
     
  20. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Your advice is as bad as DA's is.

    Beta software contains bugs, and KIS/KAV2006 is no exception.
    About this particular software: the Kaspersky folks can confirm this.
    The present beta-version isn't the final candidate; it will be when all known bugs are solved.

    And advising a "newbie" such software is asking for trouble.
    The experienced user can play with betas; a "newbie", rookie or whatever you call it, definitely not.

    We are here at Wilders, a well-known and appreciated Security Forum.
    People expect reliable help here, but for sure no doubtful experiments.
    Let's keep it here at Wilders professional: giving good and reliable advice to the people.
     
  21. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Agreed :) but I'm not experiencing any glitches nor am I seeing any "critical bugs" like in previous releases .. but agreed, Wilders is a well known and appreciated Security Forum, with lots of different guys with even more different opinions ..
    I have KIS2006 installed on my dad's machine and every day I answer his questions, he's a total newbie :D but he likes KIS2006 already a whole lot more than his previous AVG ..
    The feeling I have is that KIS/KAV2006 will be released shortly and using it already will not pose threats that could be avoided when it is released Final .. that's just my opinion atm .. 297h is A OK for me :thumb: (I'm not talking about spelling errors in their helpfile or translation errors .. ) and the bugs they are mentioning in here:
    http://forum.kaspersky.com/index.php?showtopic=11233
    .. I don't have those issues ...
    A while back I wouldn't suggest a beta program to be used, apparently this has changed, but if I knew that the security aspect of such a program wasn't functioning right, I would never ever advise it to others ..
     
  22. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    Larry stated that he is using lots and lots of programs and just cannot get that feeling of feeling secure. I guess he does not need specific recommendations of software, but rather recommendations on the fundamentals of security - not which, but how. For all practical purposes, KAV and UNA are one and the same.
    Mrk
     
  23. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Actually, the advice is not all bad. Yes, it is still in beta. However, these release candidates are so far down the line that they are bordering on final. For the majority of folks, it will be the same as KAV/KIS 6.0.0. The basic yardstick that I use, however, if a potential user feels as though they need to ask whether it is OK to test/use it now, the answer is a decided no.

    As for DA's advice, he needs no assistance from me, but I suggest you read between the lines since he does play devil's advocate (no surprise there). It is among the most technically sound advice offered here or elsewhere.
    Since virtually every piece of complex software I have ever used has been released with known, though minor, bugs, stating it will be released when all bugs are solved simply isn't reflected in reality. All major known bugs will be addressed, but it is never certain that all major bugs are known on the initial release. The point you make is a good one if expanded to an initial x.0 release. On any major field release one should be prepared to encounter significant bugs.

    Again, a true novice should be equally wary of beta and initial field releases. If they do not have recovery contingencies in place, it is always prudent to wait a couple of weeks, read the pertinent forums, and see if new problems emerge as the installed base becomes a lot more diverse.

    Blue
     
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    At work we always use the final version of any software on production machines.
    The word "beta" is there for good reasons and it's a safe principle not to use such software at all and certainly not in a work environment.
    So we wait ... until the software has a decent name and version without anything else.

    We neither use freeware, nor download software from the internet; we buy our software and upgrades on CD.
    We don't allow users to install software either; our computer department does that job.
    We also disconnected as many PCs as possible from the internet. So it's a privilege to get an internet connection at work. :D
    What happens at home is not our business.
     
  25. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Those are exactly my considerations.

    With such an important piece of security software, an anti-virus, you can't take the risk that the software isn't doing the job in a proper and reliable way.
     
    Last edited: Mar 26, 2006