Full Version: [9x/Me] Surviving Without a Virus Scanner
Queue
I'm writing this from the perspective as someone who does not like real-time virus scanners. I sincerely would like discussion in favor of and against them to follow.

---

First off, computer virii are long dead. They existed in the DOS era and slowly died off as executable code that modified all executables on a system became easy to detect, repair and prevent. A true computer virus would be triggered when an infected executable was run; the viral code would search for other executables and modify them to contain said viral code to be executed when those programs are run. They often had a purpose besides replication, that would either occur arbitrarily or when certain criteria were met, and ranged from the benign to the ferociously malicious.

Besides anti-virus programs being good at thwarting these virii, modern OS design protects against them. They are dead.

What you have today is malware, typically tiny executables that are a program by themselves. Rather than infecting all executables, they typically make use of mechanisms in the OS to run every time the computer is started up. Occasionally they exhibit virus-like infection of specific files to make sure they get executed. Malware is an amalgam of spyware, adware, trojan horse programs, and any other type of malicious program. A given malware program can be any of those things; they themselves are just more descriptive, but tend to operate in the same way as each other.

---

Why do I dislike real-time (active, resident, they have many names) virus scanners? They hurt computer performance. They don't protect you from new threats. They incorrectly detect programs as being ''infected'' when they're actually not.

The three most common ways a computer gets infected with malware are:
- a remotely exploitable software flaw that allows execution of code
- a user downloading and executing a malicious application
- a flaw in a browser (or internet multimedia program) that can be exploited to run executable code

---

The first is 100% preventable. For a remote exploit to work, your computer has to be sent data that triggers an execution of code (that would, for example, download and run a malware executable). You have two standard options here: a hardware firewall (for example, a router between your computer and your internet connection, with no ports being forwarded to your computer) or a software firewall (the best advantage here is explicit control over which programs can access the network/internet). There's no reason not to use both, except that a software firewall will have some performance cost on your machine. To generalize, a hardware firewall protects you from incoming data, and a software firewall prevents programs from using the internet AND protects you from incoming data. Keeping your software (especially your OS, browser and media players) up to date mitigates most remotely exploitable flaws, as security updates are released specifically to address these flaws. However, the patches come after the flaws are discovered, so simply keeping patched doesn't protect you from newly found exploits.

Now, that said, you could initiate a connection to a remote entity that sends a malicious reply that triggers an execution of code. A hardware firewall won't protect you from this, and a software firewall can only help mitigate the damage done (as could a real-time virus scanner).

---

The second is also 100% preventable. Don't download and run programs. Kinda like abstinence to avoid STDs, this isn't gonna be an option for most people. This is, theoretically, where anti-virus programs are supposed to shine; but they don't. Malware goes out of its way to avoid detection: they modify themselves before transmission so that signature-based scanners don't detect them, they exploit flaws in the scanning routines to avoid detection or to outright crash the virus scanner, and if they manage to run, they shut down the anti-virus or add themselves to the exceptions list.

Signature-based scanning doesn't work. Behavioral-based scanning doesn't work. If they did, malware wouldn't work.

They have a second critical problem that trains people to make mistakes: false positives. If a virus scanner says things that aren't infected are infected, the user will eventually start ignoring the virus scanner.

---

The third is the cause of the browser security wars, people claiming X is more secure than Y. Browsers have design flaws that let code be executed, no browser is exempt from this truth. So do media players (QuickTime has a particularly bad history for both the MacOS and Windows).

This one is also preventable via abstinence: don't browse the internet. Obviously too extreme, so most take the risk. How do you avoid infection then?

First off, know your partner before you sleep with them. Major websites aren't places for you to fear.

Second, don't have sex with the back-alley prostitute: warez and p0rn sites can either be outright malicious or have been compromised because the site itself isn't secure.

Unfortunately, any site that provides more than basic HTML can potentially have been compromised and be serving browser (and other) exploits to try and infect your computer. Major countries' embassy websites, for example, are no less prone to being compromised.

Ultimately, what browser you use doesn't matter as much as where on the internet you go. You might be thinking to yourself, "but I use Firefox, don't have Flash or Java and have scripting (JavaScript) turned off": an exploit might target a flaw in Firefox's CSS handling, or its XML handling, or even in its basic HTML handling and be able to execute code. How quickly the browser is updated after a flaw is discovered doesn't matter if you went to a malicious website before the fix was released and you downloaded and applied it.

Security through obscurity, exploits not targeting you because you use a program for a given thing (browsing the web) that not many people use, is neither reliable, nor totally ineffective. The larger the userbase for a given program, the more effort that's put into finding exploits for it. No browser is perfect, so security through obscurity IS an option, although not a perfect one; it worked for Firefox at first and earned it its reputation.

---

Now, how does all this relate back to a real-time virus scanner? Well, a virus scanner is there to stop a malicious program from running, but malicious programs don't get detected. So, you're wasting processing power on something that interferes with data throughput and ultimately doesn't protect you.

Never connect your computer directly to the internet, let a router (or a dedicated hardware firewall) sit between your machine and the internet.

Keep your browser of choice patched up to date and any supporting software (Flash, Java, your media player).

Don't download and run programs. If you do download a program, determine if it's from a trustable source, get independent feedback on it (ask someone else who has used it if it was legitimate), scrutinize it (manually unpack it if it's self-extracting, for example), then decide if it's worth the risk.

---

My opinion isn't fully stated here, I'm hoping for some pro-anti-virus responses. The gist of my stance is that real-time anti-virus programs aren't worth the performance cost on a system and are ineffective.

Queue
iamtheky
To avoid any confusion: you got the star for the number of posts, not the number of words.

I subscribe to the no additional action other than staying current on updates and sitting behind a router. That combined with completely reloading quarterly.



dencorso
Please, Queue, do take my comments as constructive. However your post is very assertive, so I feel bound to comment some of what you said, and disagree with some points. I do have more to say also, but here are my first thoughts about what you said:

I write this from the perspective of one running Win 9x/ME. While keeping to this perspective, I remain in the DOS era, and so do you.

QUOTE (Queue @ May 6 2009, 08:37 PM) *
First off, computer virii are long dead. They existed in the DOS era and slowly died off as executable code that modified all executables on a system became easy to detect, repair and prevent. [...] Besides anti-virus programs being good at thwarting these virii, modern OS design protects against them. They are dead.
To put it simply: no, they are not.
If you don't believe me, do read Mark A. Ludwig's books, particularly "The Giant Black Book of Computer Viruses".
You can perfectly have a virus hide in an alternate data stream of a Win32 executable on NTFS. ...And even a Vista machine is as vulnerable to a boot-sector virus as your average garden-variety 386 of times past...
The fact that we hear less about them may even mean those who write them became better at hiding them...

QUOTE (Queue @ May 6 2009, 08:37 PM) *
Never connect your computer directly to the internet, let a router (or a dedicated hardware firewall) sit between your machine and the internet.
I do agree with you here. My own security measures have been scanning and a router firewall for a long time now, and, AFAIK, my machine has been virus-free since 2001 (although I've added the router firewall only when I switched to DSL).

QUOTE (Queue @ May 6 2009, 08:37 PM) *
Keep your browser of choice patched up to date and [also] any supporting software (Flash, Java, your media player).
We're talking Win 9x/ME here: this is becoming less and less of an option, no matter how much we strive at keeping up to date. In the long run, no, it's not an option.

QUOTE (Queue @ May 6 2009, 08:37 PM) *
Don't download and run programs.
Are you serious? Don't you ever?

QUOTE (Queue @ May 6 2009, 08:37 PM) *
If you do download a program, determine if it's from a trustable source, get independent feedback on it (ask someone else who has used it if it was legitimate), scrutinize it (manually unpack it if it's self-extracting, for example), then decide if it's worth the risk.
Why not scan it with multiple scan engines? If you don't want a live scan engine in your machine, you may still use, say, VirusTotal? Avoiding scanning completely out of a dislike simply is not understandable, although all the other measures you recommend do have their merits, especially if used together, and complemented by scanning.

You've also not mentioned the main shortcoming of an AV scanner program: it does not protect one against zero-day threats. And while you're quite right that security through obscurity is an option (although not a perfect one), security through being at the periphery also has its merits... Simply by being in Brazil, I've, up to now, avoided zero-days, but, obviously, that can change at any moment. Moreover, the performance cost of a real-time AV scanner is dependent on how you configure it and also on what hardware you do have. So, here, YMMV.

Now, I think the real problem is that, some months from now, no one using Win 9x/ME will have the option to use an up-to-date AV scanner to fully scan one's machine, say, once a day, because no compatible such software will have been left being updated. And that's the main new scary reality on Win 9x/ME users' horizon I feel we need to address right now.

I think this thread is very timely, and hope it can help all of us (those who do and those who don't like scanners) keep computing safely in a time where most of the scanning programs are dropping Win 9x/ME, or have already dropped it.
mau-yong
You can't...

I have been infected two times in the past years. The first was when I was infected through peer-to-peer; it was a tough virus because it infected every .exe and .com file in every partition or drive in my computer. All I was left with was my jpgs and mp3s + a full format and install, no antivirus there.

The second time was just last March: the virus installed itself on another drive (in my case it was drive E:), and it made detection more difficult because I only scan the system drive.

Because of the above-mentioned, today, I do not go online without a firewall, ActiveX control (SpywareBlaster) and antivirus...
rloew
QUOTE (Queue @ May 6 2009, 07:37 PM) *
First off, computer virii are long dead. They existed in the DOS era and slowly died off as executable code that modified all executables on a system became easy to detect, repair and prevent. A true computer virus would be triggered when an infected executable was run; the viral code would search for other executables and modify them to contain said viral code to be executed when those programs are run. They often had a purpose besides replication, that would either occur arbitrarily or when certain criteria were met, and ranged from the benign to the ferociously malicious.


Not so. I have a Windows XP system that got infected with WIN32:Vitro. It infects every executable that gets opened. It even infected an executable on one of my Windows 98SE computers when I tried to copy a program into the XP machine. Fortunately the virus crashed when I used the program in Windows 98SE. This led me to discover the virus. I ended up having to write a disinfector since the anti-virus programs I found could not disinfect the executables but would just delete them, leaving a useless system.
herbalist
I'm not aware of any universally accepted definition of virus, worm, or any other particular class of malicious code. That classification system as such is as out of date as detection by definition is. Most modern malicious code can be classified in several categories, and fit correctly in each. If it's necessary to classify malicious code, I'd call most of it a hybrid of several categories. Much has changed since that term was applied to malicious code, most important of which is the source of that code. Viruses/malicious code used to be written by individuals primarily for bragging rights, showing off, etc. Now the motives are data and financial theft, and the control of others' systems for malicious purposes. There is still plenty of malicious code that is effective against 9X systems that many vendors do classify as viral. In addition, this code is targeting applications, not just Windows and Internet Explorer. Until operating systems become read-only and completely unalterable, this problem will continue.

I stopped using a resident AV in 2005, mainly for the same reasons you listed. Today, 9X users have another reason to add to that list, a dwindling number of choices that run on 9X systems. Most users have grown up with AVs on their systems. Thanks in large part to companies motivated by profit promoting a single method of protection that creates user dependence on a continuous stream of updates, the majority of users are not aware that there are other ways to protect/secure a PC that are equally or more effective. Windows has long had convenience and permissiveness as its core philosophy. The user can do anything, as can most of the installed software. Except for some specifically blocked items, any application can launch any other application, including ones that can alter critical settings in the OS. AVs are also based on this philosophy or policy, which can be accurately described as default-permit. In the beginning, this policy was reasonably effective. There wasn't that much malicious code. Internet access was primarily dialup, which helped keep down the rate that malicious code spread. The present day scenario is much different. Counting variants, there are over half a million examples of malicious code. Today, high speed and connected 24/7 is the norm. Static IPs are common. PCs are connected and targetable all the time, not just when a user is online. 9X users also have to deal with dwindling software support for user software. The security flaws aren't getting fixed in the versions we have to use for many apps.

One of the most effective ways to secure a 9X system is to reverse the philosophy it's based on. On 9X systems, there's no separation of user and administrator functions. The first step in securing a 9X system is defining user and administrative functions. Installing or updating software, registering DLLs, registry modifying, changing system settings, etc should all be regarded as administrative tasks. The advice that's given to users of NT systems applies to 9X as well. The OS shouldn't be in an administrator mode during normal usage. The task then becomes effectively separating the user and administrator modes. For this, we have a couple of tools available. The first is on the Windows CD, the policy editor. It's located in \tools\reskit\netadmin\poledit\ and is not part of a default install. The file, poledit.exe can be run from a floppy and works by making specific changes to the registry. Before using the policy editor to make any changes to your system, make a full backup of the registry. On units with more than one user profile, make sure the backup includes the user.dat files for each profile. When the policy editor is used to open the registry, two choices are displayed:
1, Local Computer.
2, Local User.

The settings most useful for the creation of separate user and administrator modes are found under Local_User\Windows 98 system.
The options available here are:
1, Shell.
2, Control Panel.
3, Desktop Display.
4, Restrictions.
The Shell and Control Panel sections are useful for restricting users' access to sensitive parts of the system. The last section, Restrictions, has more powerful options. The screenshot below shows where an application whitelist can be created.

This section will not restrict system executables but will restrict applications, installers, trojans, adware, etc from being launched by Explorer or another user application. Whitelisted applications need to be entered as a filename with the extension, such as poledit.exe. Make certain that you include poledit.exe in your whitelist or you won't be able to get back into the policy editor. With a little planning, all the apps a user might need for normal user tasks can be added. Since the user can't accidentally launch a malicious process or install an unwanted program, this will greatly reduce the chances of the user compromising the system. On multiple user PCs, each user's allowed list can be individually made.

The policy editor performs some of the functions normally associated with HIPS (Host Intrusion Protection System) software but is not as reliable. On 98, the policy editor does not check the path used by the whitelisted executable or its integrity. It has no signature checking. If test.exe is in the allowed list, any file named test.exe will be allowed to execute. NT systems have more safeguards against this type of spoofing, so the practice is not nearly as common as it used to be.

On NT systems, HIPS software, whether free-standing or part of a firewall suite gives those systems the equivalent of a policy editor on steroids. Just about all of them are for NT systems only, but there is one exception that I know of. It's the free version of System Safety Monitor. It's no longer supported or being developed, but then neither is 98. It is the most effective option I've ever seen for controlling applications and their activities on a 9X system. I'll cover this along with controlling internet access, preventing compromise by limiting integration and interprocess activity, registry protection, and filtering undesired and malicious web content from the allowed traffic in later posts. It takes some time and planning to go through the details, but with a well thought out strategy, a 9X system can be made very close to bulletproof, and at no cost.
Rick

edited to fix image
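To make the spoofing weakness Rick describes concrete, here is an added Python simulation (not code from the thread, and not the Windows 98 Policy Editor itself, which writes restrictions to the registry rather than evaluating them in Python). It models the 98 whitelist check as a bare filename comparison, puts a path-plus-hash check beside it to show what a HIPS-style integrity check adds, and includes the lockout check for poledit.exe. The file paths, contents and list entries are constructed stand-ins; the process names are assumptions.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample files: the real POLEDIT.EXE from the Windows CD tools
# directory, an unrelated program renamed to "poledit.exe" and dropped in a
# temp directory, and an installer that is on no list at all. The byte
# contents are made-up stand-ins, not real binaries.
LEGIT_POLEDIT = (r"C:\WINDOWS\POLEDIT.EXE", b"MZ-legit-policy-editor")
SPOOFED_POLEDIT = (r"C:\TEMP\poledit.exe", b"MZ-something-else-entirely")
UNLISTED_INSTALLER = (r"C:\TEMP\setup.exe", b"MZ-installer")


@dataclass(frozen=True)
class LaunchRequest:
    """What the shell knows when a user tries to run a file."""
    path: str
    content: bytes

    @property
    def filename(self) -> str:
        # Case-insensitive, as 9x filenames are.
        return PureWindowsPath(self.path).name.lower()

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Policy Editor style list: bare filenames with extension, nothing else.
NAME_WHITELIST = {"poledit.exe", "explorer.exe", "notepad.exe", "firefox.exe"}

# Stricter list built from the known-good copy: full path -> SHA-256 of bytes.
STRICT_WHITELIST = {
    LEGIT_POLEDIT[0].lower(): hashlib.sha256(LEGIT_POLEDIT[1]).hexdigest(),
}


def allowed_by_name(req: LaunchRequest, whitelist=NAME_WHITELIST) -> bool:
    """Models the 98 Policy Editor check: filename only, no path, no integrity."""
    return req.filename in {n.lower() for n in whitelist}


def allowed_by_path_and_hash(req: LaunchRequest, whitelist=STRICT_WHITELIST) -> bool:
    """Models what a HIPS adds: the path must be recorded and the bytes unchanged."""
    expected = whitelist.get(req.path.lower())
    return expected is not None and expected == req.sha256


def editor_locked_out(whitelist=NAME_WHITELIST) -> bool:
    """True when the list would stop you re-opening the Policy Editor itself."""
    return "poledit.exe" not in {n.lower() for n in whitelist}


def compare(req: LaunchRequest) -> dict:
    """Both verdicts side by side for one launch request."""
    return {
        "name_only": allowed_by_name(req),
        "path_and_hash": allowed_by_path_and_hash(req),
    }


if __name__ == "__main__":
    samples = [("legit", LEGIT_POLEDIT), ("spoof", SPOOFED_POLEDIT),
               ("installer", UNLISTED_INSTALLER)]
    for label, (path, content) in samples:
        print(f"{label:10s} {compare(LaunchRequest(path, content))}")
    print("editor locked out by {'notepad.exe'}?", editor_locked_out({"notepad.exe"}))
```

The renamed copy in C:\TEMP passes the name-only check and fails the path-and-hash check, which is exactly the gap between the 98 policy editor and a HIPS with integrity checking; the installer fails both, which is the case the whitelist is there for.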
dencorso
QUOTE (rloew @ May 7 2009, 01:00 AM) *
QUOTE (Queue @ May 6 2009, 08:37 PM) *
First off, computer virii are long dead. [...] They are dead.
Not so. I have a Windows XP system that got infected with WIN32:Vitro. It infects every executable that gets opened. It even infected an executable on one of my Windows 98SE Computers whn I tried to copy a program into the XP machine. Fortunately the virus crashed when I used the program in Windows 98SE. This led me to discover the Virus. I ended up having to write a disinfector since the Anti-Virus programs I found could not disinfect the executables but would just delete them, leaving a useless system.
WIN32:Vitro, a.k.a. Win32/Virut, is a good case-in-point. It's a polymorphic virus that uses process injection technology to proliferate. It doesn't work on Win 9x/ME because it depends on NTDLL.DLL functions NTCreate*, NTOpenFile and NtQueryInformationProcess, as far as I was able to gather by googling around. It's quite nasty. But, then again, it doesn't use stealth techniques. It could be even worse...
Multibooter
QUOTE (Queue @ May 6 2009, 04:37 PM) *
I'm writing this from the perspective as someone who does not like real-time virus scanners. I sincerely would like discussion in favor of and against them to follow.
I only use on-demand scanning, and I also reject real-time scanning. But the main problem is that it is getting difficult to do ANY virus checking under Win98, anti-virus vendors are dropping support for Win98.
QUOTE
First off, computer virii are long dead.
Food for thought. Nearly all the malware detected in my current downloads are trojans etc. But it's just a matter of how you call these critters. Kaspersky Anti-Virus would in this sense be a misnomer, since most of the stuff it detects are trojans. Myself, I quite often use the word 'virus' to mean 'trojans, etc', even if it's not correct. And when I run a virus-check, I am checking for all kinds of malware, not just for viruses.

QUOTE
There's no reason not to use both, except a software firewall will have some performance cost on your machine. To generalize, a hardware firewall protects you from incoming data, and a software firewall prevents programs from using the internet AND from incoming data.
In my personal experience, firewall software has had only marginal value in protecting me from malware. The main use of firewall software is to protect me against nosy software vendors trying to call home.

The best thing I have done for my computer in the last couple of months was to throw out ZoneAlarm v5.5 and install ancient Tiny Personal Firewall v2.0.14 instead, my computer has become REALLY crisp and fast afterwards.
QUOTE
Keeping your software (especially your OS, browser and media players) up to date mitigates most remotely exploitable flaws, as security updates are released specifically to address these flaws...
I disagree, unless you meant OS=open source/Linux. I consider my Win98SE system to be safer because I have tried to stay away from updates released after Sept.11, 2001

QUOTE
Signature-based scanning doesn't work.
It has worked for me, because I have a long backlog. In general it's wise not to install dubious downloads for about 2-3 months, the signature updates eventually catch up with newer malware.
QUOTE
false positives
Kaspersky doesn't have too many false positives. But that doesn't really matter, in most cases there are many sources for the same stuff, anything which Kaspersky flags as infected or which otherwise looks fishy, gets deleted.
Multibooter
QUOTE (herbalist @ May 6 2009, 11:13 PM) *
Static IPs are common.
Hi Rick,
I have Internet access via cable, and can only change my IP by changing the router MAC, about once every other week. Eventually internet connections may be stored for eternity, this may make it more difficult to tie all together.
Multibooter
QUOTE (rloew @ May 6 2009, 09:00 PM) *
Fortunately the virus crashed when I used the program in Windows 98SE.
Younger malware-writers may not know how to write Win98-compatible code anymore. There even is a keygen which displays under Win98 the hilarious message: "keygen.exe expects a newer version of Windows. Upgrade your Windows version." (That's where I got my first SNIP in this forum, probably because I also mentioned the program name)
QUOTE
This led me to discover the Virus. I ended up having to write a disinfector since the Anti-Virus programs I found could not disinfect the executables but would just delete them, leaving a useless system.
Anti-virus software has become lousy at disinfecting, and the disinfected stuff most likely won't work.

About 6 years ago my Netscape mailbox was infected and I was able to clean it Ok with Emailchemy, by converting the virus-infected mailbox to RFC-822 message folders, then checking the RFC-822 files with Kaspersky AVP, then deleting/editing the flagged infected message files .txt with Notepad/Wordpad and finally converting the .txt message files to Eudora mailboxes.

Format conversion software might be helpful in repairing infected files.
herbalist
QUOTE
I have Internet access via cable, and can only change my IP by changing the router MAC, about once every other week. Eventually internet connections may be stored for eternity, this may make it more difficult to tie all together.

I've had DSL for about 3 years now. I didn't ask for a static IP but mine hasn't changed since I got it. It was a radical change from the bargain dialup service I used to have. On dialup, my connection had an hour limit, after which I was automatically disconnected. Every hour or less, my IP changed. At the time, I had ID-Blaster tied into the dialup. Every time my IP changed, so did my ID numbers. Combined with a random proxy setup and a firewall that didn't respond to incoming connection attempts, I wasn't easy to track. How times have changed.

For many years, I relied exclusively on a software firewall. The hardware firewall (Smoothwall 2.0) is a recent addition in comparison, added primarily as a gateway for my local network. It was also a great way to recycle an old PC (a P5-133) that wasn't powerful enough to run 98 decently, at a total cost of 3 network cards. I consider a software firewall to be an essential component for applying the default-deny policy to internet access on a per-process level. Only those apps that require internet access to function can connect out, and only when and to where it's necessary. Software firewalls are not weak in themselves. Their primary weakness is the OS they run on. If that OS is well protected against compromise, the firewall will be reliable. I use Kerio 2.1.5, which is very much like Tiny with a few more features added, like being able to import and export rulesets. Kerio 2 can import the rulesets made by Tiny. I have yet to see it fail. Kerio 2 and Tiny 2 are ideal firewalls for 9X systems. They don't slow the system at all, even with old hardware. Properly configured, they can actually speed up internet apps slightly by preventing system executables (like Windows Explorer) from wasting bandwidth. On dialup, the improvement can be noticeable. A firewall like Kerio is also very good at controlling local or loopback traffic. I use Proxomitron to filter the web content to all browsers. The loopback rules in Kerio prevent the browsers from bypassing Proxomitron, protecting it from a lot of malicious code in the process. The advantages of controlling loopback connections can be demonstrated with the PCAudit2 firewall leaktest. Although it's generally regarded as a test of HIPS ability to intercept DLL injection, it can also be used to demonstrate how malicious code can gain internet access by using loopback connections to apps with internet access.
With well designed loopback rules, this test (and malware that uses these methods) can be defeated with just a firewall. Combined with a process whitelist created by the policy editor, this gives 2 layers of defense against malware of this type. If one layer fails, the next still protects you. The addition of HIPS software effectively puts 4 layers in the way, the 2 already mentioned plus blocking of the global hook and preventing the adding of autostart entries for the malicious code. More on HIPS later.

Some users don't like rule based firewalls like Kerio because they require the user to have a basic knowledge of the IP system and how it works. 9X users are already in the position of having to provide their own support. A basic understanding of the IP system and firewall rules is an extension of that. The ability to write good firewall rules is rapidly becoming a lost art, thanks largely to security suites with automatic rule creation and an emphasis on combined security packages and added features, most of which are not 9X compatible.

QUOTE
Anti-virus software has become lousy at disinfecting, and the disinfected stuff most likely won't work.

True, but given the nature of present day malware and the huge quantities of it around, it's not entirely unexpected. Asking software that runs within Windows to remove rootkits with no user assistance is a tall order. Malicious code has become quite good at concealing and defending itself, including directly attacking the security software. Some malicious code can't be removed without booting from a separate OS, so it's not reasonable to expect that the AV will be able to. Because of the quantities of malicious code and the very short time between its release and becoming widespread, the AV is no longer a reliable front line defense. AVs still have a place, scanning files and software from outside sources for known malicious code, but their default-permit design makes them too vulnerable to new, encrypted, packed, or otherwise concealed malware. Since their real time protection isn't as effective as it needs to be, there's no reason an AV has to be installed and running on the operating system. New files can be scanned with online scanners. Sites like VirusTotal can scan individual files. For large or multiple files, Trend Micro's HouseCall works fine.
Rick
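The per-process default-deny and loopback rules Rick describes can be shown in a small ordered rule evaluator. This is an added Python model, not a Kerio or Tiny ruleset file and not code from the thread: rules are matched first-match-wins, anything unmatched is denied, the browser may only reach the local filtering proxy, only the proxy may go out to the web, and no other process may open a loopback connection. The process names, the proxy port (8080, Proxomitron's default as I recall it), the router address and the remote addresses are all assumptions or constructed values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROXY_PORT = 8080            # assumed local listening port of the filtering proxy
ROUTER_IP = "192.168.1.1"    # constructed LAN address of the router / DNS forwarder
LOOPBACK = "127.0.0.1"


@dataclass(frozen=True)
class Conn:
    app: str          # process image name as the firewall sees it
    direction: str    # "out" (locally initiated) or "in" (remotely initiated)
    proto: str        # "tcp" or "udp"
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    app: Optional[str] = None         # None matches any application
    direction: Optional[str] = None
    proto: Optional[str] = None
    remote_ip: Optional[str] = None
    remote_port: Optional[int] = None

    def matches(self, c: Conn) -> bool:
        pairs = [
            (self.app, c.app.lower()),
            (self.direction, c.direction),
            (self.proto, c.proto),
            (self.remote_ip, c.remote_ip),
            (self.remote_port, c.remote_port),
        ]
        return all(want is None or want == have for want, have in pairs)


# Ordered, first-match-wins ruleset; anything unmatched falls through to deny.
RULESET: List[Rule] = [
    # The browser may talk to the local filtering proxy and nothing else.
    Rule("allow", app="firefox.exe", direction="out", proto="tcp",
         remote_ip=LOOPBACK, remote_port=PROXY_PORT),
    Rule("deny", app="firefox.exe"),
    # Only the proxy itself goes out to the web, and only to web ports.
    Rule("allow", app="proxomitron.exe", direction="out", proto="tcp", remote_port=80),
    Rule("allow", app="proxomitron.exe", direction="out", proto="tcp", remote_port=443),
    # DNS only from the proxy and only to the router, not to arbitrary hosts.
    Rule("allow", app="proxomitron.exe", direction="out", proto="udp",
         remote_ip=ROUTER_IP, remote_port=53),
    # No other process may use loopback; nothing unsolicited comes in.
    Rule("deny", remote_ip=LOOPBACK),
    Rule("deny", direction="in"),
]


def decide(conn: Conn, ruleset: List[Rule] = RULESET) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); ("deny", None) is the default."""
    for i, rule in enumerate(ruleset):
        if rule.matches(conn):
            return rule.action, i
    return "deny", None


# Constructed traffic events; 203.0.113.10 is a documentation-range address.
EVENTS = {
    "browser to proxy":      Conn("firefox.exe", "out", "tcp", LOOPBACK, PROXY_PORT),
    "browser bypass proxy":  Conn("firefox.exe", "out", "tcp", "203.0.113.10", 80),
    "proxy to web":          Conn("proxomitron.exe", "out", "tcp", "203.0.113.10", 80),
    "proxy dns":             Conn("proxomitron.exe", "out", "udp", ROUTER_IP, 53),
    "leaktest via loopback": Conn("leaktest.exe", "out", "tcp", LOOPBACK, PROXY_PORT),
    "explorer to web":       Conn("explorer.exe", "out", "tcp", "203.0.113.10", 80),
    "inbound to proxy":      Conn("proxomitron.exe", "in", "tcp", "203.0.113.10", PROXY_PORT),
}


def run_demo() -> dict:
    """Verdict for every constructed event."""
    return {name: decide(c)[0] for name, c in EVENTS.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:24s} -> {verdict}")
```

The "leaktest via loopback" event is the case Rick makes with PCAudit2: a process that is not the browser tries to reach the proxy over loopback and is stopped by the loopback deny rule alone, before any HIPS is involved. Rule order matters; moving the browser's generic deny above its proxy allow would cut the browser off entirely, which is why rule-based firewalls reward a little planning.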
BenoitRen
QUOTE ("Queue")
Ultimately, what browser you use doesn't matter as much as where on the internet you go.

Nonsense. Every website should be subject to the same security measures. Websites get hacked and often host third-party content that can also get hacked. You aren't 'safe' anywhere.
QUOTE
No browser is perfect, so security through obscurity IS an option, although not a perfect one; it worked for Firefox at first and earned it its reputation.

More nonsense. Gecko is open-source, so flaws get fixed all the time, even when not exploited. Mozilla's strength is that it fixes known vulnerabilities quickly. Even quicker if it's exploited. The time that you are vulnerable while using Gecko-based web browsers is very, very short.
QUOTE ("mau-yong")
I have been infected two times for the past years, first was when I was infected through peer to peer, it was a tough virus because it infected every .exe and .com file in every partition or drive in my computer. All I was left was my jpgs and mp3s + full format and install, no antivirus there.

That's your own fault. P2P opens a huge repository of untrusted, and often malicious, programs.

You didn't mention how you got infected the second time.
noguru
QUOTE (BenoitRen @ May 7 2009, 06:04 PM) *
You aren't 'safe' anywhere.



QUOTE
That's your own fault. P2P opens a huge repository of untrusted, and often malicious, programs.


You are contradicting yourself here. You can't blame somebody if it's not safe anywhere. And change the word P2P with "internet" and it's also a valid statement. Meaningless as well, but also valid. P2P can be dangerous but you could say the same about having a connection to the internet in general.



eidenk
QUOTE (dencorso @ May 6 2009, 08:10 PM) *
Simply by being in Brazil, I've, up to now, avoided zero-days

Are you serious when you say this?
eidenk
QUOTE (Multibooter @ May 7 2009, 05:56 PM) *
My old dedicated mule laptop has been running for over 4 years, 24 hours a day, 365 days a year, at about 10-15kB/s or 1TB/month. At an average of 5-10 viruses per day, that makes about 10.000 viruses/infected files downloaded and deleted.

Can you give us some precise examples of what files you need to delete from your eDonkey/Kademlia download because they are infected?
eidenk
So dencorso, you're using a firewall on an external router, what's the benefit of that?

I don't seem to see any as it will block only incoming traffic if I am not mistaken.
eidenk
You've said above you download an average of 5 to 10 infected files per day.

So what was infected, for example, today, and with what, in your downloads?

Give us a list please, don't be so unhelpful.

Other than that, and out of curiosity, I was just wondering if those keygen.exe files, which sometimes don't run on 98 as you've mentioned above, come together with those digitally signed executables you deem safe and those nfo files you spoke about in another thread?
cyberformer
I am using Kerio 2--14, and think it's great.
I also use the alpha shield external firewall.

Now what I want to know, is this: are these firewall settings in any way defeating the functions of the external firewall?

Outgoing ping command (in/out): both denied

Incoming ICMP: denied

Outgoing reply Time exceeded (ICMP in): denied

Outgoing reply on ping command (ICMP out): denied

Other ICMP (both): denied

ICMP other 2 (both): denied

DHCP dynamic host (UDP): denied

Windows Explorer: denied

The only thing I allow is DNS (UDP, both).

If "system" appears in the firewall settings on one of my computers, I deny that.

I deny outgoing and incoming echo requests too.


Am I denying anything vital for the external firewall to function properly? Does anyone know?
I would greatly appreciate advice from anyone who really knows what they are doing, as I do not know much about firewall settings.
My policy is to deny everything unless it is essential to me using the internet.

dencorso
QUOTE (eidenk @ May 7 2009, 10:15 PM) *
QUOTE (dencorso @ May 6 2009, 08:10 PM) *
Simply by being in Brazil, I've, up to now, avoided zero-days
Are you serious when you say this?
Very. I had a bitnet account back in 1991, before we had real internet here. As soon as there was internet available I moved over to it. I've participated in listservs, then usenet newsgroups, then forums, so I was as current about what was happening abroad as possible from here. But, in all this time, I've had only four virus episodes (I mean really getting the machine infected, not caching viruses and deleting them without the machine getting infected): ping-pong, stoned, brasil and jerusalem. The first three were boot sector infectors, being easy to remove by hand, by using debug or symdeb or NU (the good old Norton hexeditor). Jerusalem cost me a reinstall from scratch, and taught me viruses were a serious matter. Some time later the McAfee ViruScan arrived in Brazil, and I've used it continuously up to 2002 or 2003, when I switched to AVG, which I use up to the present. Incidentally, note that all those four viruses were cached through 5 1/4 floppies! When I began using fast internet at home (July 2003) I installed a FreeBSD firewall that I later changed for a Linux one that I use today. My scanner cached numerous viruses along all this time, but I've managed to avoid infection up to now. I've seen much damage due to viruses along this time, but not on my machines. And, anyway, I do backup obsessively.
Multibooter
QUOTE (eidenk @ May 7 2009, 08:34 PM) *
So what was infected, for example, today, and with what, in your downloads? Give us a list please, don't be so unhelpful.
If you asked Eugene Kaspersky this question, he wouldn't answer you, even if he wanted to help you.

BTW, did you know that there are collectors of viruses, just like stamp collectors? "I got a virus which you don't have, but I won't show you."
dencorso
QUOTE (eidenk @ May 7 2009, 10:39 PM) *
So dencorso, you're using a firewall on an external router, what's the benefit of that? I don't seem to see any, as it will block only incoming traffic if I am not mistaken.
You're right. It's more useful to protect XP than Win 9x/ME, because it blocks incoming attacks and sniffing. To turn off either the machine or, at least, the internet connection, when the machine would otherwise be idle is also a good idea, when feasible. A software firewall to prevent and detect programs trying to call home is also very useful. I'm intending to use one again, and I think the Tiny Personal Firewall, recommended by Multibooter, may be just what I was looking for. I've used the Norton Personal Firewall 2003 for some time in the past, but it hogged down the system too much for my taste, so I ended up dumping it. BTW, the good old usenet Firewall FAQ (last updated in 2001, the 2009 revision exists at this link) remains a fair introductory reference for anyone new to the subject, and provides a good demonstration of how little things changed since then, at least at the conceptual level: the hardware has had a lot of improvement, the software became more powerful (or more bloated, it depends on how you look at it), but almost no really new ideas have appeared in the last 8 years.
herbalist
I don't use P2P much anymore, and have never used it to the point of wanting a dedicated PC for it. When I do run P2P, finding trojans disguised as or hidden inside of legitimate files is quite common. P2P has proven to be an easy way for some to take control of a lot of PCs with trojans and rootkits. I used to post at a couple of P2P forums and was amazed at how little regard many of them had for their own security (not pointing at you, Multibooter). Several that I talked to at those forums refused to run an AV or firewall. They were so obsessed with getting every possible bit of transfer speed and were totally convinced that security software would cost them some of that speed. Botnet owners love those dedicated P2P users. Fast PCs on very fast connections with open ports and no defenses, perfect for DDOS attacks. My P2P usage is primarily music and some software. Everything I download (P2P or otherwise) is scanned with online scanners. Applications I get through P2P are installed or launched on a test OS I built for this purpose. Once I'm convinced that the file is safe and meets my needs, then I'll move it to a good OS.

I've also taken additional precautions on the OS containing the P2P software (Shareaza). When I'm going to use Shareaza, I load in a different registry containing severe system and software restrictions, along with an alternate SSM ruleset that prevents Shareaza from launching any other process and blocks all other executables in Shareaza's folders from running.
Rick
Multibooter
QUOTE (dencorso @ May 7 2009, 09:43 PM) *
I do backup obsessively.
Hi dencorso,
I don't (on second thoughts: maybe I do). I only make a backup after the final clean install of a new software package. Besides my original software CDs, downloads and data, I only back up \Windows\ and \Program Files\. During the installation of a software package I always choose an install-to location outside of \Program Files\, to keep \Program Files\ small (exception: Kaspersky KIS6 must be installed to \Program Files\, otherwise an opsys restore turns a valid purchased key somehow into a blacklisted one; there must be a bug in their validation program). Currently the size of my rared up Win98 opsys backup (\Windows\ + \Program Files\) is 495MB. The install-to directory of a new clean software I back up separately, but only once. I have archived all my opsys backups and install-tos going back to Nov. 2003. I can restore the system to basically any date between Nov. 2003 and now. This helped me to trace the last infection to its origin, a respectable website (trojan spooner, in Jan 2004).

I do restore obsessively, mostly the last clean opsys backup, maybe once every third day. It doesn't matter if I tread in murky or black waters, any stuff which gets thru and stays unnoticed, gets wiped out in a couple of days. Because my opsys backups are small, a restore takes less than 10 minutes, including the booting into WinXP, and then back into Win98.

Regarding your problem with AVG:

a) I went thru a similar problem when my ancient Kaspersky AVP v4.5 stopped working under Win98 in December 2008. My workaround was to purchase at ebay old unopened retail boxes of Kaspersky Internet Security/Kaspersky Anti-Virus v6.0.2.621, which is still supported under Win98. I bought a supply of 3 boxes=3 years of updates, in the hope that Kaspersky Lab will continue to supply signature updates under Win98, and that the 2 unused keys will still be accepted in the next 2 years. The keys of Kaspersky are version specific, i.e. a key for v9 does not work for v6. I don't know where else one could purchase keys of v6, maybe by calling up Kaspersky Labs in Moscow or in Brazil http://usa.kaspersky.com/about-us/contact-info/ . There are no valid v6 keys in dark channels.

b) Real-time scanning is not necessary under Win9x. On-demand scanning plus cautious practices are sufficient.

c) Eventually there will be no more virus-scanning under Win98. This means that all on-demand scanning will have to be done from WinXP. Kaspersky KIS can scan across the Network. I am planning on 2 desktop boxes running at the same time, one under Win98, the other under WinXP, and both connected via LAN. 2 boxes under a desk, connected to a monitor, keyboard and mouse via a KVM switch.

People wishing to continue to use Win98 safely, will most likely have 2 options in 2-3 years:
- either they multiboot and have Win98 and WinXP on their computer, checking Win98 from WinXP (or from another opsys)
- or they set up a Win98/XP network, and scan their Win98 machine from a WinXP machine in the network
Multibooter
QUOTE (dencorso @ May 7 2009, 11:03 PM) *
I think the Tiny Personal Firewall, recommended by Multibooter, may be just what I was looking for
Tiny Personal Firewall v2.0.14 (I prefer this v2.0.14 to the last version) can be downloaded with Firefox from http://web.archive.org/web/20011227140728/...PF_Build_14.exe Somehow FlashGet v1.65 couldn't download it today.

BTW, there was another benefit of dumping ZoneAlarm v5.5: I have to run Norton Disk Doctor much less now. When shutting down with the power-off button, i.e. when Win98 was hung, ZoneAlarm caused damage to the file system, which NDD detected with the msg: "The following files have allocation errors: \windows\Internet Logs\tvDebug.log". Very often there were also lots of lost clusters.
Multibooter
QUOTE (herbalist @ May 8 2009, 12:01 AM) *
I don't use P2P much anymore, and have never used it to the point of wanting a dedicated PC for it.
The dedicated laptop also serves as a print server computer, with the lid usually closed. It's up 24 hours a day. Since I use near-identical laptops, the only work to get another dedicated computer going is to clone a HDD, no additional support is required.

QUOTE
Botnet owners love those dedicated P2P users.
Yes. I now remember that on at least 10 different occasions the mule requested to send email messages, then the firewall came up and then Win98 was frozen. I guess this botnet stuff didn't work so well under Win98.
QUOTE
Everything I download (P2P or otherwise) is scanned with online scanners. Applications I get through P2P are installed or launched on a test OS I built for this purpose. Once I'm convinced that the file is safe and meets my needs, then I'll move it to a good OS.
Good safe practice.
BenoitRen
QUOTE ("noguru")
You are contradicting yourself here. You can't blame somebody if it's not safe anywhere. And change the word P2P with "internet" and it's also a valid statement.

No, I'm not contradicting myself. Browsing the web doesn't mean downloading tons of executables from unknown sources. The web consists of HTML documents, images, CSS, and JavaScript. When you download an executable from the web, you do so from a trusted source. With P2P, all the sources are untrusted and unknown.
Queue
QUOTE (eidenk @ May 7 2009, 10:39 PM) *
So dencorso, you're using a firewall on an external router, what's the benefit of that? I don't seem to see any, as it will block only incoming traffic if I am not mistaken.

Obviously I'm not dencorso, but I think I can do a good job of explaining this one.

Let's start with a diagram:

Computer---\
Computer----\ 65.7.34.120
Computer-----Router/Firewall---Modem---Internet
Computer----/
Computer---/

Even if you only have one computer, just ignore the extra 4 in the diagram, the layout would still be the same.

Now, when your computer makes a connection to another computer out on the internet, the router keeps track of which computer made the connection, and when a reply comes, sends it back to the computer that made the request. There is no interference with outbound connections.

When an incoming connection is attempted, let's say someone makes a connection to the (fake) IP address listed above (65.7.34.120) at port 135, the connection is refused. This occurs for two reasons: the first is that the router doesn't know which computer on the network would even want the connection request, the second is because it's not been told to accept connections on port 135 and forward them to a certain computer.

This is the primary security benefit of a hardware firewall: denying incoming connections.

As an example, on my Win9x machine, the following ports are open: 137, 138, 139 (all NetBIOS related) and 1033 (related to modifying web content before it reaches my browser). Without a hardware or software firewall, remote users could, theoretically, try to establish connections to my NetBIOS ports. Closing those ports isn't an option: they're related to proper network functionality of Windows. WinXP usually also has port 445 open. Many early remote exploits on WinXP targeted services listening on given ports; a fresh install of WinXP without any updates is very vulnerable to automated attack if directly connected to the internet.

If I want to be able to receive an incoming connection on a given port, there are at least two options: I can change my router's settings to explicitly forward incoming connection requests on a given port to a specific computer on my network, or a program can use a system called Universal Plug 'n' Play (UPnP) to ask the router to forward a certain port (so I won't have to configure it manually).

Hardware firewalls can be configured to affect outgoing connections as well, but they typically only control things at the port number level; only advanced firewalls analyze the data being sent and filter it according to what type of data it is. A software firewall has more information available, such as which program is trying to make an outbound connection or wants to start listening on a given port.

Queue
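The three cases Queue walks through (a reply to a connection a LAN host opened, an unsolicited attempt at port 135, and an explicitly forwarded port) as a small connection-tracking model. This is an added example, not code from the post; the public address is the diagram's fake 65.7.34.120, and the private and remote addresses are made up.

```python
"""Toy model of the router/firewall behaviour Queue describes (constructed example, not
code from the original post). Addresses are the diagram's fake public IP plus made-up
private and remote addresses."""
from dataclasses import dataclass, field

PUBLIC_IP = "65.7.34.120"  # the (fake) address from the diagram above


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Router:
    public_ip: str = PUBLIC_IP
    next_port: int = 40000
    # connection table: public port -> (lan_ip, lan_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)
    # explicit forwarding rules (manual or via UPnP): public port -> (lan_ip, lan_port)
    forwards: dict = field(default_factory=dict)

    def outbound(self, pkt):
        """A LAN host opens a connection: remember who asked, rewrite the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == key:          # existing flow, reuse its public port
                break
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """A packet arrives from the Internet side.

        Returns ("forward", rewritten_packet) when it is a reply to a flow a LAN
        host started, or matches an explicit forwarding rule; otherwise
        ("refuse", None), because the router has nobody to hand it to.
        """
        entry = self.table.get(pkt.dst_port)
        if entry is not None and entry[2] == pkt.src_ip and entry[3] == pkt.src_port:
            lan_ip, lan_port, _, _ = entry
            return "forward", Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        rule = self.forwards.get(pkt.dst_port)
        if rule is not None:
            lan_ip, lan_port = rule
            return "forward", Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        return "refuse", None

    def add_port_forward(self, public_port, lan_ip, lan_port):
        """The manual rule (or UPnP request) that deliberately exposes one LAN port."""
        self.forwards[public_port] = (lan_ip, lan_port)


def demo():
    """Walk through the three cases from the post; returns the decisions for checking."""
    r = Router()
    # 1. A LAN host browses a web server; the reply comes back to the right host.
    out = r.outbound(Packet("192.168.1.10", 1025, "198.51.100.7", 80))
    reply_decision, reply = r.inbound(Packet("198.51.100.7", 80, r.public_ip, out.src_port))
    # 2. An unsolicited connection attempt to port 135 has no flow and no rule: refused.
    probe_decision, _ = r.inbound(Packet("203.0.113.9", 4444, r.public_ip, 135))
    # 3. After an explicit forward, traffic to that public port reaches the chosen host.
    r.add_port_forward(8080, "192.168.1.10", 80)
    fwd_decision, fwd = r.inbound(Packet("203.0.113.9", 5555, r.public_ip, 8080))
    return {
        "reply": (reply_decision, reply.dst_ip, reply.dst_port),
        "probe_135": probe_decision,
        "forwarded": (fwd_decision, fwd.dst_ip, fwd.dst_port),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```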
herbalist
Another 9X thread relocated. I hope users of NT systems can see this is a thread for 9X users and refrain from adding the "upgrade your OS" posts.

The 98FE unit, my primary OS, changes very little. Except for little unzip and go apps, when I do install or update software, I make a full system backup first. If something goes wrong with the install, like finding they've removed 98 compatibility, I can get back to where I was very easily. Contrary to the standard advice, I don't make an effort to stay current with the browsers. Right now, I'm using SeaMonkey 1.1.9, which is 7 versions behind. Most of my extensions are installed in the application folder and have to be re-installed when I update the browser. Every so often, one of the updates breaks an extension I use, forcing me to either find a replacement, find a way to fix it, or back up to an earlier version of the browser. With most of the browser's integration with other applications removed, disabled, or otherwise blocked, its traffic filtered through Proxomitron and SSM restricting the access the browser has to the OS components and other applications, I don't worry much about non-IE browser weaknesses.

I back up the entire OS at once except for the boot folder, which contains several bootable images including Knoppix. This I treat as a separate OS. I was using an older version of the Acronis rescue CD for all the backup and restoring tasks, which worked very well. I never had a problem with it except for one time when I was restoring from CDs. One of the CDs was damaged, not the fault of Acronis. I have backup images of this OS dating back to 2006. Don't ask me why I haven't pitched these. Last year I started experimenting with using 7zip for full OS backups. For the most part, it has worked well. It has enabled me to back up and restore any of the Windows OS from any other, including the DOS image. The 7z backup images are 25-35% smaller than the Acronis images and take quite a bit longer to make. I can extract individual files from them from Windows and DOS. For me, that's a big plus. It seems I'm always having to open a backup image to get something I left on the desktop. Another advantage of using 7zip is that I can keep using Windows and doing other tasks while it's running, which makes the longer creation and extraction times a non-issue. The ability to run 7zip at a lower priority in the background is sweet.
QUOTE
A software firewall to prevent and detect programs trying to call home is also very useful. I'm intending to use one again, and I think the Tiny Personal Firewall, recommended by Multibooter, may be just what I was looking for.

Tiny and Kerio are excellent firewalls for 9X systems. Kerio 2 was developed from Tiny. Their engines are so similar that Kerio can import Tiny's rules. I'm pretty sure that Multibooter stays with 2.0.14 because it's pre 9/11. If you don't consider it necessary to use pre 9/11 software, there's version 2.0.15 of Tiny and Kerio 2.1.5, also very similar. The size difference between Tiny and Kerio (1.35MB vs 2.06MB) is due to help files contained in Kerio. If being "stealthed" is important to you in a firewall, Tiny doesn't stealth ports 0 (nul port) and 1 properly. The other major difference is that Kerio can export and import rulesets, a feature Tiny doesn't have. Other than that, they're almost the same firewall.
QUOTE
Yes. I now remember that on at least 10 different occasions the mule requested to send email messages, then the firewall came up and then Win98 was frozen. I guess this botnet stuff didn't work so well under Win98.

In that instance, definitely. The potential attacker has no way of knowing what OS the potential target is running. If he/she did know, they could just as easily pack a different trojan that did run on 98.

On web pages, it's not that simple. Some of those who create malicious sites or attack supposedly safe sites use scripting, headers, and other tactics to determine the OS, browser type and version, and at times which patches have been applied. They use that information to select the best malware for compromising that system, or if the system is not vulnerable, the site delivers no payload at all. They can tell if the PC/IP address has been there before, which makes it hard for security app vendors to get samples. Some of these attackers have really put some work into these sites, with up to 40 pieces of malware or exploit code. It would be a simple matter to include something for a 9X system if they chose to. We're not dealing with script kiddies anymore. These are professional coders who know how to exploit vulnerabilities, defeat AV detection, and bury code so deep into a system that it's a nightmare to get it back out. The "security through obscurity" concept for 9X systems is of limited value that only helps in certain situations, P2P downloads being one of them. Don't rely on it.
QUOTE
Eventually there will be no more virus-scanning under Win98. This means that all on-demand scanning will have to be done from WinXP.

I don't see this as a problem. Besides online AV scanners like HouseCall, local on-demand integrity checkers can be used to scan the file system for new, altered, and missing files. Anything new or altered can be uploaded to VirusTotal. There are several good free ones. There are also several apps that poll files and folders at user-defined intervals. There's at least one that checks the root directory along with the "windows" and "system" folders at bootup, also free. I have quite a few of these on my FE system but rarely ever use them anymore. In some ways, running an integrity checker is superior to scanning with an AV. The AV is looking for known threats. It doesn't detect unknown malicious code, altered, corrupt, new, missing, or moved files. Integrity checkers can find all of these. I have a fair selection of these if anyone is interested.
Rick
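The baseline-and-compare logic herbalist is describing, as an added example (not one of the tools he mentions): take a snapshot of sizes and hashes, take another later, and report what is new, altered or missing. The directory tree with Windows-looking file names is constructed in a temporary folder so it runs anywhere.

```python
"""Baseline-and-compare file integrity checker (constructed example, not one of the
tools named in the thread). Sample files are written to a temp dir so it runs offline."""
import hashlib
import os
import tempfile


def _hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file's path (relative to root, '/'-separated) to (size, sha256)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(full), _hash_file(full))
    return snap


def compare(baseline, current):
    """Classify differences the way an integrity checker reports them.

    Unlike a signature scanner, this needs no knowledge of what the change is:
    any file whose size or hash differs from the baseline is flagged.
    """
    new = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    altered = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"new": new, "altered": altered, "missing": missing}


def demo():
    """Build a constructed mini file tree, baseline it, change it, and diff it."""
    root = tempfile.mkdtemp()

    def put(rel, data):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)

    put("windows/win.ini", b"[windows]\nload=\n")
    put("windows/system.ini", b"[boot]\nshell=Explorer.exe\n")
    put("windows/system/kernel32.dll", b"MZ kernel32")
    baseline = snapshot(root)

    # Later: a startup file edited, a DLL dropped into system, a file gone.
    put("windows/win.ini", b"[windows]\nload=something_new\n")
    put("windows/system/dropped.dll", b"MZ new")
    os.remove(os.path.join(root, "windows", "system.ini"))
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```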
herbalist
QUOTE
As an example, on my Win9x machine, the following ports are open: 137, 138, 139 (all NetBIOS related) and 1033 (related to modifying web content before it reaches my browser). Without a hardware or software firewall, remote users could, theoretically, try to establish connections to my NetBIOS ports. Closing those ports isn't an option: they're related to proper network functionality of Windows.

Unless you need to share files over a local network, the NETBIOS ports can be closed. That's the first thing I do on a 9X system.
Multibooter
QUOTE (herbalist @ May 8 2009, 12:09 PM) *
I'm pretty sure that Multibooter stays with 2.0.14 because it's pre 9/11. If you don't consider it necessary to use pre 9/11 software, there's version 2.0.15 of Tiny and Kerio 2.1.5, also very similar.
Yes. I had to weigh priorities, because Tiny v2.0.15 has a nice handling of peer networks, which Tiny v2.0.14 does not have.
QUOTE
The potential attacker has no way of knowing what OS the potential target is running. If he/she did know, they could just as easily pack a different trojan that did run on 98.
My feeling is that it's very difficult to defend against a trojan customized especially to your machine. Maybe one could fake that one is running WinXP or Vista and then hope that this customized trojan won't work under Win98.

http://browserspy.dk/os.php is a good site to show what is easily seen of one's computer. Which are the best tools to pretend to be running a different operating system?

QUOTE
The "security through obscurity" concept for 9X systems is of limited value that only helps in certain situations, P2P downloads being one of them. Don't rely on it.
Yes. "Security through obscurity" is based on an economic argument which may not always hold: criminals want to make money, and going after 0.1% of the potential market is not a money-making proposition. Governments are restricted by budgets: spending big money on developing something like a "Bundestrojaner" which covers only 0.1% of potential targets would need a special reason. Maybe some governments spend money to penetrate Arabic Windows operating systems; but Arabic Windows 98 is seriously flawed and hardly anybody still uses it, so it doesn't look like there is a ready source of budget funds for targeting Win98 under that category.

One could stay away from popular applications. Removing which unneeded functionality from Win98 would make Win98 safer against customized trojans? Active Desktop, webcheck.dll? Any suggestions?

Is there a general faking tool which could pretend to have a range of popular (WinXP) applications installed, so that potential trojans fall into such a honeypot and crash Win98?
dencorso
Tiny Personal Firewall download links v2.0.14 and v2.0.15 and v2.0.15a (the last v2)...
...and the v2 Users Guide, in .pdf and a partial version history!
... and two alternative links for Kerio Personal Firewall v2.1.5: link1 or link2

BTW, do any of you have any experience with Spybot - Search and Destroy's "Tea Timer"? I have been using SSD for a long time now but never did install Tea Timer... It's a system integrity checker of some kind, isn't it?

QUOTE (herbalist @ May 7 2009, 03:13 AM) *
[...]It's the free version of System Safety Monitor. It's no longer supported or being developed, but then neither is 98. It is the most effective option I've ever seen for controlling applications and their activities on a 9X system. [...] It takes some time and planning to go through the details, but with a well thought out strategy, a 9X system can be made very close to bulletproof, and at no cost.

I think it's warranted to repost here a working link for direct download of the System Safety Monitor v2.0.8.583-free.
herbalist
QUOTE
BTW, do any of you have any experience with Spybot - Search and Destroy's "Tea Timer"? ... It's a system integrity checker of some kind, isn't it?

Tea Timer can sort of be described as the spyware equivalent of a resident AV. It's primarily a signature based blacklisting tool. I used to run SpyBot many years ago, but strictly as a manual scanner. I had other resident "anti-" software at the time, too much in fact, and didn't want to risk its conflicting with the rest of the detection software.
QUOTE
My feeling is that it's very difficult to defend against a trojan customized especially to your machine. Maybe one could fake that one is running WinXP or Vista and then hope that this customized trojan won't work under Win98.

There are many, many trojans that will run on 9X systems. They're no more difficult to write than their NT counterparts. There are toolkits available that can make custom trojans for most any OS that AVs won't detect. One of them is actually sold as commercial software, with updating and support. Check out MPack.

The deception techniques and software you're asking about would only be useful against sites that try to identify your OS, browser, state of patching, etc., and only against certain methods. Browser headers, javascript, Java, Flash, ActiveX, probably Silverlight, etc. can all be used for those purposes to varying degrees. I'm not aware of any software that's specifically designed to deceive malicious sites. That said, there is software that does this to varying degrees. The K-Meleon browser can spoof the user agent and is very configurable in what it will allow (flash, java, JS, etc). The more I use this browser, the more I like it. There are extensions for FireFox and SeaMonkey that can do the same thing. The best tool I know of would be Proxomitron. Using pattern matching, it can rewrite web pages on the fly, including javascript. Its only limitations are the user's knowledge of html and scripting languages, which are required for writing good, specific filters. That said, the default filters are pretty good. Sidki still maintains a set. If you can find them, the old JDList filters were very good. Anyone wanting to learn how to write good filters should examine that set. I still have a copy if anyone wants it.

By far, the best way to defend against a custom trojan, or any malicious code that an AV doesn't detect, is the default-deny security policy. Custom made or "off the shelf", a trojan is a process. A rootkit installer is a process. Infecting a system requires code to be executed, aka a running process. It can be a free-standing process like keylogger.exe, install.exe, and similar. It can be a DLL that's executed by RUNDLL32.EXE or another system process. It can be malicious code that's injected into a legitimate process, an option which still requires a process to initiate it. Any method that can enforce a process whitelist will defeat the first group, as long as the user doesn't choose to allow it. The whitelist is also partially effective against the 3rd method, injection, provided a separate process is used to initiate it. HIPS software can defeat malicious injection/hooking as well as the malicious use of system processes like RUNDLL32. I got a bit extreme on my system regarding RUNDLL32.EXE after it was used to defeat my defenses, which were more conventional at the time. When operating in what I've defined as "User Mode," RUNDLL32.EXE is not allowed to run at all. It's not needed for normal usage.
Rick
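The default-deny process whitelist herbalist argues for, as an added example that is not SSM's code: a rule is keyed by the executable's full path and carries its hash and the set of child processes it may launch, anything without a matching rule is denied, and RUNDLL32.EXE is refused outright as in his "User Mode". The fake executables and the rule set are constructed in a temporary folder; the hash (SHA-256 here) and rule layout are this example's assumptions.

```python
"""Toy model of a default-deny process whitelist as herbalist describes it (constructed
example, not SSM's code). Rules are keyed by full path and carry the executable's hash
and the set of children the process may launch."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class Rule:
    path: str                                     # the full path is part of the rule
    digest: str                                   # hash of the file when the rule was made
    may_launch: set = field(default_factory=set)  # paths this process may start


# Names refused outright, mirroring the post's "User Mode" treatment of RUNDLL32.EXE.
ALWAYS_BLOCKED = {"rundll32.exe"}


def norm(path):
    return os.path.normcase(os.path.abspath(path))


def digest_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def check_launch(rules, exe_path, parent_path=None):
    """Decide whether exe_path may run; returns (decision, reason).

    Anything without a rule is denied (default deny). A copy of a whitelisted
    binary in another folder has no rule for its path, so it is unknown and
    denied too; a changed binary at the right path fails the hash check.
    """
    exe = norm(exe_path)
    if os.path.basename(exe) in ALWAYS_BLOCKED:
        return "deny", "blocked outright"
    rule = rules.get(exe)
    if rule is None:
        return "deny", "unknown executable: no rule for this path"
    if digest_of(exe) != rule.digest:
        return "deny", "file changed since the rule was made"
    if parent_path is not None:
        parent = rules.get(norm(parent_path))
        if parent is None or exe not in parent.may_launch:
            return "deny", "parent process is not allowed to launch this one"
    return "allow", "path and hash match the rule"


def demo():
    """Build a throwaway tree of fake executables and exercise each rule path."""
    root = tempfile.mkdtemp()

    def put(rel, data):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        return p

    browser = put("progs/browser/browser.exe", b"MZ browser")
    helper = put("progs/helper/helper.exe", b"MZ helper")
    copied = put("temp/helper.exe", b"MZ helper")        # same bytes, different folder
    rundll = put("windows/rundll32.exe", b"MZ rundll32")

    rules = {
        norm(browser): Rule(norm(browser), digest_of(browser), {norm(helper)}),
        norm(helper): Rule(norm(helper), digest_of(helper)),
    }
    results = {
        "helper": check_launch(rules, helper)[0],                           # allow
        "copied": check_launch(rules, copied)[0],                           # deny
        "browser_starts_helper": check_launch(rules, helper, browser)[0],   # allow
        "helper_starts_browser": check_launch(rules, browser, helper)[0],   # deny
        "rundll32": check_launch(rules, rundll)[0],                         # deny
    }
    with open(helper, "ab") as f:          # tamper with a whitelisted file
        f.write(b" patched")
    results["helper_after_change"] = check_launch(rules, helper)[0]        # deny
    return results


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```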
dencorso
Well, let's see whether I can sum up where we've got so far...

We can:

1) Set up a strong default deny system (by using, say, Tiny or Kerio, SSM, Proxomitron and perhaps a router firewall). Add to it web resources like VirusTotal and HouseCall and a sensible backup/imaging strategy and we're independent from the resident AV scanner industry's whims;

2) Jump from resident AV scanner to resident AV scanner until the very last of them drops 9x/ME, and then we think about what to do...;

3) Burrow our heads in the sand and hope for the best?
Kelsenellenelvian
OOoOoOo OOOoooOo I LIKE #3!

Ignorance is always the best!

lol j/k
herbalist
#3 works, as long as the worms don't bite.
herbalist
Internet Explorer has long held the title of the most attacked and exploited software for a few reasons.
1, It has long been the most common browser on the web.
2, Thanks primarily to its integration into the 9X operating system, successfully exploiting the browser usually gave the attacker the ability to execute their code on the OS.
Unlike Internet Explorer, the alternate browsers (FireFox, SeaMonkey, Opera, K-Meleon) are not an integral part of the operating system. In addition to having fewer exploitable vulnerabilities, when they are found, they don't result in remote code execution nearly as often. When applications are integrated into the operating system, their vulnerabilities become the operating system's problems. In their quest for complete ease of use and user convenience, Microsoft integrated everything together. Yes, it made everything very convenient. It also made everything vulnerable to any weakness found in any component. Convenience for the user usually results in convenience for malicious code. Integrating web applications into the operating system effectively makes the operating system targetable from the web.

This problem is not limited to Microsoft applications being integrated into Windows. This integration also exists between the browser and other user software. Example: PDF files on websites are usually opened in a browser window. Likewise, a PDF file can contain a link to a website. When used with their "as installed" settings, the PDF software will be allowed to launch the browser and direct it to the specified site. Very convenient for both the user and the malicious code writer. On a PC using the most common software brands, malicious code in a PDF file can use that integration to gain control of the browser, and if that browser is part of the OS, the code in the PDF can run code on the operating system too. The convenience brought by the integration of user applications with each other or with the operating system lowers your system's overall resistance to attack. Vendors are constantly patching vulnerabilities in user software that allow these kinds of attacks, and malware writers keep finding more. It's an unending cycle of penetrate, patch, update, but not for the 9X user. During the constant patching process, 9X support gets dropped, forcing 9X users to either accept software with exploitable vulnerabilities or try to find replacements. The problem is that most of the replacements are doing the same thing. Quite often the 9X user has one choice: use an application with known vulnerabilities to open unknown and potentially malicious content.

As bad as that sounds, it's actually normal usage for everyone. There are unknown and unpatched bugs in all software. No application that opens unknown content is truly attack proof. It's a simple fact that the user's security policy needs to acknowledge and address. Since we can't prevent user software from being vulnerable to malicious code, the question becomes:

"How do we prevent a compromised application from being used to compromise the operating system?"

For this problem, any software that has internet access, that is directly started by software with internet access, opens web content, or opens files from outside or unknown/untrusted sources is considered the attackable surface. This includes the browser, media player, PDF reader, IM software, P2P applications, office software and others. A large part of the solution lies in dis-integrating or separating the exposed and vulnerable applications from each other and from the operating system itself. The attackable surface needs to be as isolated as possible from the operating system components and from applications that are not part of the attackable surface, in order to prevent the malicious code from gaining access to the more critical parts of the system. Part of this is accomplished via configuration of the individual applications and of the OS. The rest of this isolation is achieved with the policy editor and security software. On NT systems, users have a wide selection of security software available, some of which is quite ingenious and very effective. One option I'm very impressed with is SandBoxie. Except for complete virtual systems, it's one of the best tools available for isolating the attackable surface. Host Intrusion Protection Systems (HIPS) are some of the most powerful tools made for enforcing a default-deny security policy and preventing malicious code from running in the first place.

The problem facing 9X users is that the majority of these options don't run on a 9X system, with one powerful exception. The free version of System Safety Monitor (SSM) is the one Host Intrusion Protection System I know of that is completely compatible with 9X systems. It does require the installation of the Visual C++ 6.0 run-time components, which should have been installed on all updated 9X systems. Like Windows 98/ME and many of the applications 9X users have to run, SSM is no longer being supported and developed. It's sad when financial viability decides the fate of software and operating systems more than quality and performance. I'll also apologize now if some of this sounds like an advertisement or product promotion, but I know of no other 9X compatible software that gives the user this level of power and control over their system. I wish I did, and if anyone is aware of a similar 9X compatible program, I'd very much like to know about it and test its abilities.

SSM can be viewed as a rule based firewall that controls applications/processes and their activities instead of internet traffic. Like the policy editor, it can build and enforce an application whitelist with some very important improvements:
  1. It verifies the MD5 of executables before allowing them to execute.
  2. The path to the executables is part of the rules. If an executable is moved or copied to another location, SSM will treat it as an unknown.
  3. SSM treats user applications, system executables, installers, and malware the same. System processes are not automatically whitelisted, save for kernel32.dll, internat.exe, and SSM's own processes. I'm not certain why internat.exe is whitelisted unless it's used by SSM for multiple language support.
  4. When operating in its "paranoid" setting, SSM lets the user specify what other applications/processes each process is allowed to launch (parent) or be launched by (child). It's the equivalent of making a separate process whitelist for each executable.
  5. SSM makes it easy to define separate user and administrative modes with vastly different permissions, and makes it easy for the administrator to switch between the modes.
  6. SSM modules monitor and protect the important registry keys, the important .ini files, the user's startup folders, and key Internet Explorer settings. All of these can be tailored to the user's specific needs.
  7. SSM also has a switchable "window filter" module that compares window titles or captions to a user defined blacklist. If the title bar containing the match is a user application, SSM will terminate it. If the match is a system folder or dialog such as the control panel or folder options dialog, SSM will close it. This "window filter" module is effective for controlling users' access to key areas of the system such as the system folder, control panel, or folders containing another user's name. It can prevent a user from accessing specific documents such as anything with "diary" or "budget" in the name. It also works with the browser, making it a useful parental tool when it's configured to filter words like "sex". The only limit is your imagination.
  8. SSM can maintain separate rulesets and window filter sets for each user on multi-profile PCs. The correct ruleset is loaded when the user logs in.
  9. At 3.2MB, SSM is much smaller than any AV. It's also extremely light. At this moment, it's using 3.3MB of memory on my PC. Its processor usage is also light, under 1% most of the time with short, higher spikes when applications are launched or engaged in other monitored activity.
  10. Unlike the policy editor, SSM can be temporarily disabled, shut down, or prevented from automatically starting with Windows if the administrator chooses.

Again, I apologize if this looks like an advertisement, but by empowering the user to this extent, SSM makes it possible to safely use 9X systems, even with no AV support and limited software choices. That said, a couple of things need to be made absolutely clear. SSM does not differentiate between processes. It makes no decisions or recommendations. It will allow or block exactly what you tell it to, even if it's harmful to your system. It is solely up to you, the system administrator, to decide what should and should not be allowed. SSM is only as good as the ruleset it enforces. Writing secure rules requires that the user/administrator understands what the different processes are for, which ones are necessary for normal usermode operation, which ones should be available only to the administrator, and which ones each process should be allowed to start. Your knowledge and the security policy you build is what will ultimately protect your system, not SSM and your other security software. They are merely tools that enforce your policy. It's also extremely important that the configuration of your operating system and user software matches the rules enforced by SSM, your firewall, and other security software you're running. I realize that this statement sounds incredibly obvious, but most users, including the more security conscious, don't start with a plan or security policy. They install what they consider to be the best security apps, then start trying to plug all the known holes and vulnerabilities. Even when they want to set up a default-deny policy, they concentrate on items to be blocked instead of specifying what is to be allowed. The result is a piecemeal approach that usually has gaps, overlooked applications and situations, and conflicts between the rules in the security apps and the configuration of the user software. A well thought out security policy covers a lot of details and situations that are part of normal operations.
Without a policy or plan as a guide, it's almost guaranteed that details and applications will be overlooked.
Rick
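As an added illustration (not SSM's code and not from the post above), a small Python whitelist checker that models rules 1, 2 and 4 from the list: the full path is the rule key, the file's MD5 must match, and in "paranoid" mode a parent may only start the children listed for it. The executables, their names and contents are constructed in a temporary directory; `demo()` walks through a legitimate launch, a copied binary, a disallowed parent, and an in-place tampering.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def norm(path: str) -> str:
    """Rules are keyed by the full, normalised path of the executable."""
    return os.path.normcase(os.path.abspath(path))


@dataclass
class Rule:
    md5: str                                           # expected MD5 of the file at this path
    may_launch: Set[str] = field(default_factory=set)  # child paths this process may start


class Whitelist:
    """Default-deny: anything without a matching rule is treated as unknown."""

    def __init__(self, rules: Dict[str, Rule], paranoid: bool = True):
        self.rules = rules
        self.paranoid = paranoid          # also enforce parent/child launch rules

    @staticmethod
    def md5_of(path: str) -> str:
        h = hashlib.md5()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def decide(self, exe: str, parent: Optional[str] = None) -> Tuple[str, str]:
        """Return ("allow" | "deny", reason) for a launch request."""
        exe = norm(exe)
        rule = self.rules.get(exe)
        if rule is None:
            return "deny", "unknown path (no rule)"        # covers moved/copied binaries
        if not os.path.isfile(exe) or self.md5_of(exe) != rule.md5:
            return "deny", "MD5 mismatch or file missing"
        if self.paranoid and parent is not None:
            parent_rule = self.rules.get(norm(parent))
            if parent_rule is None or exe not in parent_rule.may_launch:
                return "deny", "parent not permitted to launch this child"
        return "allow", "rule matched"


def demo() -> Dict[str, str]:
    """Constructed scenario: fake 'executables' (hypothetical names) in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        explorer, notepad = os.path.join(d, "explorer.exe"), os.path.join(d, "notepad.exe")
        copied = os.path.join(d, "copy", "notepad.exe")
        os.mkdir(os.path.dirname(copied))
        for p, body in ((explorer, b"explorer"), (notepad, b"notepad")):
            with open(p, "wb") as f:
                f.write(body)
        shutil.copy(notepad, copied)                    # same bytes, different path
        rules = {
            norm(explorer): Rule(Whitelist.md5_of(explorer), {norm(notepad)}),
            norm(notepad): Rule(Whitelist.md5_of(notepad)),
        }
        wl = Whitelist(rules)
        results = {
            "notepad_from_explorer": wl.decide(notepad, explorer)[0],
            "copied_notepad": wl.decide(copied, explorer)[0],          # rule 2
            "explorer_from_notepad": wl.decide(explorer, notepad)[0],  # rule 4
        }
        with open(notepad, "ab") as f:                  # tamper with the file in place
            f.write(b"!")
        results["tampered_notepad"] = wl.decide(notepad, explorer)[0]  # rule 1
        return results
```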
noguru
QUOTE (BenoitRen @ May 8 2009, 07:55 PM) *
QUOTE ("noguru")
You are contradicting yourself here. You can't blame somebody if it's not safe anywhere. And change the word P2P with "internet" and it's also a valid statement.

No, I'm not contradicting myself. Browsing the web doesn't mean downloading tons of executables from unknown sources. The web is HTML documents, images, CSS, and JavaScript. When you download an executable from the web, you do so from a trusted source. With P2P, all the sources are untrusted and unknown.



So when you download an executable from the web, you do so from a trusted source? That's quite an assumption. You said in another thread that most people don't know what an operating system is and I agree with you. But they do know what can be trusted?? No way. If that was the case we wouldn't see spyware or rogue virus scanners so much. People click on "yes" somewhere and they download and execute something and they don't even know.

As for P2P, I'll admit that never using it is most safe. And yes, sources are all unknown but not always untrusted. There are different protocols and it also matters a lot what you download. The last time I used BitTorrent was to download Ubuntu 9.04. I never worried, but people who like the latest (cracked) games, leaked beta OSs or movies promising Obama and Oprah doing very interesting athletics together are more at risk of course. Between this black and white there's a large grey area which is not necessarily bad if you use some sense. Like you always should.


Tarun
As long as you have some good hardware (that is, meets recommended specs), upgrading to a supported OS would be a wise choice.
dencorso
QUOTE (Tarun @ May 9 2009, 09:42 PM) *
As long as you have some good hardware (that is, meets recommended specs), upgrading to a supported OS would be a wise choice.
Myself, I doubleboot Win 98SE with Win XP SP3, so I can always scan both OSes from XP... but I don't think it's a solution I can seriously advocate as a general one. On the other hand, it's great because I can use one OS to fix the other and vice-versa.
Queue
QUOTE (herbalist @ May 9 2009, 03:31 PM) *
2. Thanks primarily to its integration into the 9X operating system, successfully exploiting the browser usually gave the attacker the ability to execute their code on the OS.

This wasn't a critical factor; because any executable code run on Win9x essentially counts as privileged, any successful remote execution exploit allowed a compromise of the OS. IE remote execution exploits are no more (or less) dangerous than those of any other application on Win9x.

Good post otherwise. =D

Queue
herbalist
True, but with alternate browsers, only a few of the vulnerabilities can be used for remote code execution. Many of them were denial of service and "data capture" problems. With IE6, remote code execution vulnerabilities were common.

Regarding the NETBIOS ports, 137-139, these ports are still probed regularly from the web. My Smoothwall logs show at least a dozen of them every day on these ports, coming from all over. Access to the ports can be blocked with a firewall, but if your setup doesn't require them to be open for file sharing on a local network, it's better to close them completely. Closing them by configuration is more secure than blocking them with a firewall. A firewall can fail. There's a fair amount of malware that attacks AVs and firewalls. There's always the possibility of a software conflict. There's code that attacks routers. I seem to remember one that used Flash and UPnP. Blocking an open port with a firewall is patching over a vulnerability. Closing the port is eliminating that vulnerability entirely.

The method for closing those ports can be found at http://www.grc.com/su-bondage.htm. The site recommends installing the NetBEUI protocol before unbinding TCP from the network client to keep the client from disappearing from view. It's not necessary to do this unless you have a need for it. Even though the network client might not be visible, it's still there and is working properly. I've unbound TCP from the network clients on every 9X system I have. A port scan on any of them with the firewall shut off shows no open ports, and they all work fine.

Firewalls should be used to regulate traffic on ports opened by software or a service that you need. Ports are opened by applications and services that need to receive incoming connections. Trojans also open ports. If you have open ports, don't just patch them with a firewall. Find out what is opening them. Decide if this is something you need or if the application/service actually needs it to perform the tasks you want done. If you don't need it, shut it down, disable that service, etc. If it is necessary, configure the firewall to restrict the traffic on that port to the specific app/service that needs it, and only to the IP range that app/service needs to function. Do not allow unrestricted inbound access to an open port. If you have an open port but can't find the service or application that's listening on that port, chances are you have a trojan hiding on your system.
Rick
dencorso
Since we're now at the Malware sub-forum, I'll dwell somewhat off-topic. The default XP firewall is also designed to block incoming attacks only. Can the Tiny Personal Firewall (the Tiny User's Guide says: 98/2k/ME/NT) or Kerio be used in XP also? And, if so, is it needed or wise to deactivate the XP firewall once the third party is up and working? I ask this because it'd be nice to be able to port the configurations I'll be developing for 98SE to XP as they are, or just with minor adjustments. Please advise.
herbalist
I haven't tried Tiny on anything but 98. I run Kerio 2.1.5 on 2K here and have installed it on XP with no problems. Some users have reported problems when "hibernate" is used on XP. I can't confirm or deny this. It is better to deactivate the XP firewall if installing Kerio. It does nothing that Kerio doesn't do as well. I'm not aware of it conflicting with Kerio, but it is unnecessary duplication. Kerio does create its own default rules when first started. The rules for XP include "permit" rules for services which are way too permissive.
QUOTE
I ask this because it'd be nice to be able to port the configurations I'll be developing for 98SE to XP as they are, or just with minor adjustments. Please advise.

If I'm understanding you correctly, you want to build the ruleset on 98 for use on XP? If the rules are limited to items such as DNS, DHCP, ICMP, networking rules, etc., that will work fine. Blitzenzeus did that at Castle Cops. If you try to include system executables and applications, you'll have problems. The rules in Kerio and Tiny include the path to the executable. Kerio checks the MD5 for the executable every time it connects. I believe Tiny does too. Those will be different. I'm pretty sure that Tiny can't import rulesets. I don't know if it would work if you shut Tiny down and replaced it manually. Kerio can import rulesets. I have edited XP rulesets on my 98 box. That's not a problem. The problem starts when something tries to establish a connection because all the rules will be wrong for that OS. You'd have to manually edit all the paths, then have Kerio recheck all the paths and MD5s. IMO, that would be more work than making a new ruleset.

The rule creation interface on Kerio and Tiny is very well designed. If you're familiar enough with internet protocol to write firewall rules, their interface design makes it easy. On these firewalls, you can write individual rules as needed on the fly. Once you get used to them, you can make a ruleset in very little time.
Rick

For those not familiar with configuring Kerio or writing firewall rules, there's a forum thread at Wilders that covered Kerio in detail. The configuration described in the thread is for XP, but the principles apply to all versions of Windows.
How to Optimize Security in Kerio 2.1.5.
BenoitRen
QUOTE ("noguru")
So when you download an executable from the web, you do so from a trusted source? That's quite an assumption. You said in another thread that most people don't know what an operating system is and I agree with you. But they do know what can be trusted?? No way. If that was the case we wouldn't see spyware or rogue virusscanners so much. People click on "yes" somewhere and they download and execute something and they don't even know.

Well, duh. But we are not average users.
Dude112
QUOTE (Queue @ May 6 2009, 07:37 PM) *
Why do I dislike real-time (active, resident, they have many names) virus scanners? They hurt computer performance. They don't protect you from new threats. They incorrectly detect programs as being ''infected'' when they're actually not.
Well, having scripts DISABLED is definitely a good idea if you don't have one... (Regardless of the OS) Most sites that try and hurt someone rely on scripts to move their stuff onto your computer; if you have scripts DISABLED, their stuff is less likely to function... (99% of all sites will work 100% w/o scripts)

I usually have them disabled if I can... (Stuff loads MUCH FASTER (Quite understandable))


You are right though, AVs mostly bog down your computer and, depending on how much RAM you have, the effect is noticed more or less...
BenoitRen
Do you mean JavaScript? Because that's definitely for the paranoid. But I will concede that some sites out there throw too much of it at you, which bogs everything down. Blocking ad scripts isn't enough.
herbalist
All of our security software can be considered as filtering tools. What they allow or filter out is dictated by the security policy that's being enforced. With the standard default-permit security policy, an AV is one of the core security apps, filtering out suspicious and known malicious code. With default-deny, the policy editor and/or HIPS effectively filters out all non-whitelisted executables. The firewall filters out all traffic that's not specifically permitted. This brings us to the problem of unwanted or malicious content delivered by the allowed traffic. This web content includes a wide variety of code, including:
Media files, audio and video.
Flash content, which ranges from useful and entertaining to annoying and potentially malicious.
Java, same range as Flash.
JavaScript, a wide range of functions ranging from small webpage conveniences to the fetching of malicious pages.

A lot more sites use scripts, JavaScript, and other interactive content than you might think. On this thread for instance, the "fast reply" window uses JavaScript. On this weather radar page, several of the map functions use JavaScript. Sites might be displayed normally with scripts and active content disabled, but there's often a loss of function that makes the site less usable. Whether we like it or not, the web is using more active content all the time. Blocking all scripting and active content might be safer, but it also makes the internet less usable and enjoyable. Unlike executable files, dealing with web content isn't as black and white. The exact same code can serve a useful purpose or be used maliciously.

The default-deny security policy can be applied to web content. Active content and scripting can be treated as executables with the sites containing them treated as parent processes. This requires software that can handle web content in the same manner that HIPS software handles applications, blocking active content by default while allowing certain sites to perform specific activities. The trusted, restricted, and internet "zones" in Internet Explorer attempted to do this to a very limited degree. With no ability to block or permit specific content on the fly, it's not sufficient.

Various extensions like FlashBlock and NoScript make possible the whitelisting of specific activities and websites on Firefox, SeaMonkey, and other "gecko" based browsers. The problem with these is that they only work with the browser they're installed to. As extensions of the browser, they can be adversely affected or broken by browser updates. Some, like NoScript, have a few issues of their own, like a controversy over a premade whitelist.

Proxomitron is a much more flexible and powerful web filtering tool. It's available at PrxBx.com, along with filter sets, tutorials, archived websites, certificate tools, and a forum for Proxomitron and other web filtering tools. Proxomitron (version Naoko-4.5 recommended) works with all browsers. It can filter all web content, limited only by the filter set and the skill of those who write them. The better your knowledge of HTML and scripting languages, the more powerful it is. Proxomitron enables you to whitelist specific types of active content and websites along with filtering out or modifying most any other web content, including cookies, user agents, referrers, nosy scripts, i-frames, and much more. Proxomitron is small, 1.6MB extracted. No installation necessary. Unzip it, change your browser's proxy settings, adjust your firewall rules, and go. The default filters are a good place to start. Like all rule based software, Proxomitron takes some getting used to (especially its default color scheme) but the longer you use it, the easier it gets.

To other Proxomitron users:
In case you haven't seen them, Andrew's Security Filter(s) v5.62, updated May 10, 2009, adds NoScript-like functions to Proxomitron for all browsers. It's an addition that merges with your existing filterset, giving the user the option to allow or block, one time or permanently, many individual scripts, objects, applets, etc. See the screenshot in the above link. Excellent work.
Rick
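As an added example (not Proxomitron's, NoScript's or the poster's own code), a small Python filter that applies the model described above: the page's host is the "parent" and each piece of active content is a "child" that is dropped unless that host is whitelisted for that kind of content, while everything else in the page passes through untouched. The sample page, its URL and the hostnames in it are constructed for the demonstration.

```python
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Element kinds treated as "child processes" of the page that embeds them.
ACTIVE_TAGS = {"script", "object", "applet", "embed", "iframe"}
VOID_ACTIVE = {"embed"}   # has no closing tag, so it is kept or dropped in one step

class ActiveContentFilter(HTMLParser):
    """Default-deny: an active element survives only if the page's host is whitelisted for it."""

    def __init__(self, page_url: str, whitelist: Dict[str, Set[str]]):
        super().__init__(convert_charrefs=False)
        self.host = urlsplit(page_url).hostname or ""
        self.whitelist = whitelist          # {host: {allowed tag kinds}}
        self.out: List[str] = []
        self.dropped: List[str] = []
        self.skip = None                    # tag currently being dropped, if any
        self.depth = 0                      # nesting of that tag while skipping

    def _allowed(self, tag: str) -> bool:
        return tag in self.whitelist.get(self.host, set())

    def _emit(self, text: str) -> None:
        if self.skip is None:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if self.skip is not None:
            if tag == self.skip:
                self.depth += 1
            return
        if tag in ACTIVE_TAGS and not self._allowed(tag):
            self.dropped.append(tag)
            if tag not in VOID_ACTIVE:      # swallow everything up to the closing tag
                self.skip, self.depth = tag, 1
            return
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in VOID_ACTIVE:
            return
        if self.skip is not None:
            if tag == self.skip:
                self.depth -= 1
                if self.depth == 0:
                    self.skip = None
            return
        self.out.append(f"</{tag}>")

    # Pass-through for everything that is not a tag (suppressed while skipping).
    def handle_data(self, data): self._emit(data)
    def handle_comment(self, data): self._emit(f"<!--{data}-->")
    def handle_decl(self, decl): self._emit(f"<!{decl}>")
    def handle_entityref(self, name): self._emit(f"&{name};")
    def handle_charref(self, name): self._emit(f"&#{name};")

def filter_page(page_url: str, html: str, whitelist: Dict[str, Set[str]]) -> Tuple[str, List[str]]:
    """Return (filtered html, kinds of active content dropped, in document order)."""
    f = ActiveContentFilter(page_url, whitelist)
    f.feed(html)
    f.close()
    return "".join(f.out), f.dropped

# Constructed sample page; the URL and hostnames are hypothetical.
SAMPLE_URL = "http://weather.example/radar"
SAMPLE_HTML = (
    '<!DOCTYPE html><html><body><p>Radar &amp; forecast</p>'
    '<script src="/map.js"></script>'
    '<object data="ad.swf"><param name="x" value="1"></object>'
    '<iframe src="http://tracker.example/x"></iframe>'
    '<embed src="clip.swf"></body></html>'
)
```

Whitelisting `{"weather.example": {"script"}}` keeps the map script and drops the object, iframe and embed; an empty whitelist drops all four.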
Dude112
QUOTE (BenoitRen @ May 14 2009, 11:56 AM) *
Do you mean JavaScript?
Yup, it's called "Active Scripting"
BenoitRen
In IE, that is. Probably the only web browser where disabling JavaScript is worth it.
JustinStacey.x
Queue:

You forgot to mention that an antivirus scanner running in realtime can in itself cause a whole clusterf*** of security issues. Just look at it logically: Any extra service running on the system with elevated privileges (as most AV products do) is bound to give opportunity for exploitation.

One of the key rules of computer security is to keep applications in the user area as much as possible without them straying into the privileged areas of the system - this is one rule that antivirus applications ritually break. Even a user running as a limited profile isn't protected against this because an attacker just needs to target the AV program and use its privileges to breach the security. This literally makes any antivirus application that is running in realtime a potential backdoor.

This is one of the main reasons I don't use any AV software at all, the other of course is the performance hit. My netbook with Vista would probably be killed even just by running NOD32, supposedly one of the most efficient AVs.

Strong browser settings and a hardened network configuration are a major step in preventing security issues, rather than just patching them when they occur.



