
[9x/Me] Surviving Without a Virus Scanner

93 replies to this topic

#51
JustinStacey.x
    Welcome to your life, there's no turning back...
  • Member
  • 180 posts

The trusted, restricted, and internet "zones" in Internet Explorer attempted to do this to a very limited degree. With no ability to block or permit specific content on the fly, it's not sufficient.


Steve Gibson apparently has an app which can allow on-the-fly use of Internet Zones in IE.
"XP is just a buggered up version of 2000 with skins added." - Phenomic.



#52
herbalist
    paranoid independent
  • Member
  • 726 posts
  • OS:98
The problem with the "zone" concept in Internet Explorer is the complete lack of versatility more than it is "on the fly" usage. There's only 3 levels of permissions available at any one time. All sites not entered into the trusted or restricted zone run with "Internet zone" permissions. Proxomitron takes the idea much farther, letting you make an almost unlimited number of permission lists, whitelists, blacklists, etc. You can have separate site whitelists for flash, java, javascript, etc. That way, you can allow the site only the permissions it needs instead of selecting between 2 or 3 pre-defined groups or zones. You can allow the java applets on a site to run and still block the flash content.

Besides the lack of flexibility, one of the main problems with the "zone" concept is its default-permit basis. It's default zone should be what it calls the restricted zone, not the internet zone where sites have more permissions. Whoever came up with those default settings didn't think the process through. By the time you find a site should be in the restricted zone, you've already visited it in the internet zone.

Internet Explorer users who don't want to use Proxomitron should completely change the "zone" settings. Since the "Internet Zone" is the default permissions for sites not listed in the other zones, it should have the least permissions. The "restricted zone" should be the next step up where sites have more permissions than those in the default zone. The "Trusted zone" should be limited to sites that need the higher levels of permissions to work. Site trust and permissions should always start low and be raised if necessary, not the other way around.

One of the key rules of computer security is to keep applications in the user area as much as possible without them straying into the privileged areas of the system - this is one rule that antivirus applications ritually break. Even a user running as a limited profile isn't protected against this because an attacker just needs to target the AV program and use its privileges to breach the security. This literally makes any antivirus application that is running in realtime, a potential backdoor.

That is becoming a bigger problem all the time. Malicious code that's executed by the AV when it's unpacked and scanned. Fortunately for 9X users, that code most likely targets NT systems and probably won't run on a 9X system. There's also been several instances where a security suite is successfully attacked and used to take over the OS. If I remember right, that happened with Norton Internet Security and those compromised PCs were used to launch some big DDOS attacks against anti-spyware vendors and websites. Malicious code that makes the AV part of the attack surface puts the AV vendors into a no-win situation. If the resident AV can't function at a kernel level, it won't be effective against malicious code that does. On the other hand, when an AV scanner is integrated with a resident AV, certain types of malware can exploit that by using the scanner to execute it. The only way to avoid that is for the resident AV and the AV scanner to be completely independent of each other. That would make them even more bloated than they are now. Most are already too bloated to run decently on a 9X system.

A well configured HIPS like SSM can prevent the execution of malicious code by the AV, but it will require very tight control over the parent-child settings for the AV components. That problem is compounded by the fact that AVs need constant updating, which often includes new executables that will be unknown to the HIPS software. If the AV's updater isn't permitted to launch new executables, the AV can't automatically update. In order for HIPS to protect the system from malicious code that's executed by the AV, the AV can't be allowed to execute an unknown, which makes updating it a manually performed administrative task. It's simpler to set up a default-deny policy, drop the resident AV, and use online scanners to check files.
Rick

#53
monroe
    Friend of MSFN
  • MSFN Sponsor
  • 855 posts
  • OS:XP Pro x86

... Herbalist, Rick ... just a note of thanks for posting so much info in this thread. I always learn something new from your postings ... I use Proxomitron and never heard of Andrew's Security Filters ... have been using them for a few days now and I really like that addition to Proxomitron ... I use Sidiki's set of filters and Andrew's filters work just great with it ... took me a few hours before I figured out how to work with them and the A - B buttons in the upper right hand corner. Anyway, keep the info flowing ... Also, I was aware of WinSock but didn't have a copy in my software collection, thanks for posting the link.

#54
Sweet William
    Newbie
  • Member
  • 25 posts

_snip_
Internet Explorer users who don't want to use Proxomitron should completely change the "zone" settings. Since the "Internet Zone" is the default permissions for sites not listed in the other zones, it should have the least permissions. The "restricted zone" should be the next step up where sites have more permissions than those in the default zone. The "Trusted zone" should be limited to sites that need the higher levels of permissions to work. Site trust and permissions should always start low and be raised if necessary, not the other way around.
_snip_


Herbalist, you are right. I have been running IE 5.5SP2 with the zones rearranged as you suggest for a number of years now and it works. I also use "Microsoft Internet Explorer 5 PowerTweaks Web Accessory" which adds 2 options to the Tools menu to add the current domain to either trusted or restricted zones. That makes surfing pretty painless. I'd still be using the old IE but it does not handle a lot of web 2.0 sites and I was unable to find a way of controlling flash intrusions.

I now use Opera with a little add-on to control the flash and it works when it doesn't crash! I also use a software firewall (Outpost 1.0) behind a nat router. If anyone thinks that is belt and suspenders then I say "they're my pants". I don't run a virus scanner at the moment but I'm about to try out the free version of Avira.

Great thread; the best ever.

#55
herbalist
    paranoid independent
  • Member
  • 726 posts
  • OS:98
Thanks. That's very much appreciated. I'm glad to hear that others are finding this thread useful.

I'm pretty sure that AntiVir/Avira has already dropped support for 98/ME. There aren't many left for 98. I haven't tried the online system scanners in a while. Probably should just to see which ones still work with 9X.

I now use Opera with a little add-on to control the flash and it works when it doesn't crash!

Is it Opera itself crashing or the add-on that's causing it? SeaMonkey and K-Meleon are both good browsers for 98. Avoid the 2.0 versions of SeaMonkey unless you have KernelEX installed. Both browsers are fast, light, and very stable. Unlike Internet Explorer, which hasn't been patched on 98 in some time, these browsers are up to date. Both are available as installers or zip files. If you'd like, you can install both and see which one you like better.

K-Meleon has flash blocking built in. The FlashBlock extension has a version (1.3.13) for SeaMonkey that works very well. Proxomitron can also block flash content for any browser. Flash is one of those problem formats that's more often used to deliver ads and junk than to deliver useful content. It can also be used maliciously. In one instance, Flash was used to alter the settings in routers via UPnP. When Adobe stops updating the 9X compatible versions of Flash Player, flash content could be a major vulnerability for 9X systems. Blocking it by default and allowing it on an as-needed basis is the best way to deal with a format that's not usually delivering anything useful.
Rick

Edited by herbalist, 20 May 2009 - 12:32 AM.


#56
JustinStacey.x
    Welcome to your life, there's no turning back...
  • Member
  • 180 posts
I think Clam AV works for 98, and since it's not resident, it could be a good one to consider

The programs I run on my 98 are hit and miss tho, since I use the Win95 shell, so in some ways I am actually limited to software that is designed for 95. Not that it bothers me :)

#57
Sweet William
    Newbie
  • Member
  • 25 posts
Herbalist,
this response has been prepared offline because Opera decided to have a page fault while I was writing a reply online. Rather than quoting I'll do this in point form.

Avira and anti-virus s/w:
You are right. Avira has dropped 9x support. I should have opened the manual before my mouth. I'll still use it on my XP machine.

I think ClamAV is likely to be the only option available to 9x users in the not too distant future. If they have a good project leader, there is no reason why that app should not continue to improve and become quite significant. The problems I had with ClamWin was unreliable updates.

Realtime virus scanning is necessary for neophytes but experienced users should not require it. Root kits and trojans are of greater concern and require constant vigilance. Luckily for us, the 9x users, for the most part the creators of this malware are concentrating on XP/Vista vulnerabilities because that is where the money is and, ethics aside, these guys are professional in every sense of the word. Script kiddies are no longer the problem they once were although, I have no doubt, they are still there. That said, I would like to scan some (all) of the old software packages I download for my 98SE.

I don't like the idea of online virus scanning. Isn't that the ultimate example of an oxymoron?

When it's all said and done, if the web gets too dangerous for 9x then I'll do all my surfing with a Linux live cd. Let's see the b......s get that!

Opera and browsers:
Compared to the other browsers I've tried, warts and all, Opera is streets ahead of the rest. Repeated page faults is the most significant problem I have experienced. I'll put this one down to the compiler and libraries they use. At least it does not take the system down with the traditional BSOD.

The next most significant seems to come from their implementation of the DOM which manifests as a failure to display a page when scripting is _on_ and yet works fine when it is _off_. I can't believe they got the ECMA scripting engine wrong; it's too well documented. I think their slavish belief in defined standards (by W3C) is their undoing.

Despite the above, Opera is far, far faster and, for me and the way I like to work, the interface is far superior to IE, Firefox, or Seamonkey. UI appreciation is purely subjective so I don't expect agreement. I'm happy to tolerate its self destructive tendencies.

#58
herbalist
    paranoid independent
  • Member
  • 726 posts
  • OS:98
I've never used Clam or ClamWin. Others who are obsessed with test results claim that it fails to detect a lot of malicious code. Then again, they all have that problem to a growing degree.

I don't like the idea of online virus scanning. Isn't that the ultimate example of an oxymoron?

I suppose that you could look at it that way, given the fact that most malicious code gets into a system from the internet. That said, unless you bought your AV from a store on a CD, chances are that your AV came from the same internet, as do its detection updates. AVs are not completely trustworthy by design. They're never completely up to date. None of them catch everything. I don't see any real difference between an online scanner and a locally installed one, save that you know when the locally installed one was last updated. Is using an online AV any different than using online data backups or online applications? Ideally, I'd choose a locally installed application every time but 9X users aren't getting many to choose from.

Realtime virus scanning is necessary for neophytes but experienced users should not require it. Root kits and trojans are of greater concern and require constant vigilance. Luckily for us, the 9x users, for the most part the creators of this malware are concentrating on XP/Vista vulnerabilities because that is where the money is and, ethics aside, these guys are professional in every sense of the word.

Agreed. Then again, neophyte users shouldn't be running unsupported software and operating systems. Unless they know how to secure their system using their own resources, they're running on nothing but blind luck and random chance. Malicious code might not be targeting 9X systems much anymore, but it is targeting the applications that run on it.

It's been years since I tried Opera. Didn't like it, but it was long enough ago that I don't remember what it was I didn't like. For me SeaMonkey and its predecessor, the Mozilla Suite have been very reliable. I can't remember the last time I had a non-beta version crash. Everybody has their preferences, but like everything else, there's fewer that work on 9X all the time. Eventually, 9X users will have to run the last compatible version and rely on good filtering and a default-deny policy to offset their weaknesses.
Rick

#59
oc_dt
    Member
  • Member
  • 104 posts
I'm on the same boat and have just switched to Avast!, which is still supported for 9x. It may not be long, but until then it should be fine.
OC

#60
Sweet William
    Newbie
  • Member
  • 25 posts
Hi Herbalist,

there are a number of things I don't like/trust about online virus scanning. Where I am in Oz we have limited bandwidth so downloading a scanner and database each time I want to check for a virus is out of the question, financially at least. Any significant amount of cloud computing stuff is not going to happen here for quite a while.

Another question is "how do you protect yourself from site hijacking?" It happens to banking sites and such so an online virus scanner seems like a pretty inviting target for exploitation. Sure the connection would be SSL but certificates have been spoofed and the incentive for the bad guys to find a way in is in the mega-buck range. Can you imagine the damage if such a site was compromised for even a day? Personally, there is enough to be thinking/concerned about surfing the net. I _never_ do internet banking because of site spoofing and the like. That might be considered paranoid but I'm old (and proud of it) and I'm allowed! ;-)

That attack on routers you mentioned is a serious threat but I don't think to me. I'm running a relatively obscure router (Siemens 4200), I turned off its PnP facility, and 98SE doesn't support the technology. I tested the system with UPnP from GRC.COM and got a clean bill of health, so here's hoping.

I've recently purchased an EEE PC901 with XP and I'm quite undecided about letting it anywhere near the internet, it is just so vulnerable.

On ClamWin, I just downloaded a new version, installed it, and deleted it. It went off into na-na land on its first run. Ok, my system has become a bit flakey and is due for a rebuild, but I don't think it is that unstable yet. Probably another oss project compiled with an M$ compiler. Combine all that with a ui that has not improved in the last 12 months. The project manager needs a swift kick. Scratch ClamWin for now.

On browsers, I'm probably being impatient with SeaMonkey's speed but it is noticeably slower than the current Opera and I don't like the way they run the project. Their bug fixing is spotty; they fix visible security bugs immediately, as they must or go under overnight, but other things like cookie management, which was broken in v1, ignored in v2, has only now been fixed in v3 or so I'm told. Basic Mozilla browsers seem pretty limited in functionality because if you want some necessary feature you have to install a plugin. NoScript as a plugin? Give me a break! And have you seen the code implementing these plugins? It's b....y pathetic. Talk about script kiddies.

The plugin system in Opera seems better conceived than in Mozilla stuff. Take the FlashBlock thingy. It consists of a piece of CSS and a piece of JScript that are injected into the web page when it loads and executed before control is passed to any embedded stuff. My understanding is that their whole plugin system is based on this concept. Seems to work OK. For me, their configuration management is better organised and accessible. It ain't perfect but, in an age of mediocrity, it ain't bad either.

#61
herbalist
    paranoid independent
  • Member
  • 726 posts
  • OS:98
I never saw your last post. Sorry about the delay in responding.

Where I am in Oz we have limited bandwidth so downloading a scanner and database each time I want to check for a virus is out of the question, financially at least. Any significant amount of cloud computing stuff is not going to happen here for quite a while.

I can't say if this applies to all the online system scanners but the last time I ran HouseCall, it updated the previously downloaded scanner, much like a conventional AV would. The main page of the scanner claimed that 2K or newer was required but the scanner downloaded and worked fine. There were a few activities I questioned the need for and decided not to allow, like a specific component that tries to get your MAC address, but the scanner still worked. When I have the time, I'll try to go through the available online scanners and see which ones still work with 98. It will be a while before that happens.

Another question is "how do you protect yourself from site hijacking?" It happens to banking sites and such so an online virus scanner seems like a pretty inviting target for exploitation. Sure the connection would be SSL but certificates have been spoofed and the incentive for the bad guys to find a way in is in the mega-buck range. Can you imagine the damage if such a site was compromised for even a day? Personally, there is enough to be thinking/concerned about surfing the net. I _never_ do internet banking because of site spoofing and the like. That might be considered paranoid but I'm old (and proud of it) and I'm allowed! ;-)

Paranoid? I don't own a credit or debit card and have never used an ATM. There's nothing paranoid about it. It was just this year that I started using the online facilities of my bank with my checkbook. The problem is that you have to trust that both their end (the financial site) and the DNS system that took you there have not been compromised in addition to knowing that your own system is secure. There's 2 separate problems here. The first is knowing that you're actually at the site you wanted to visit, and that you haven't been redirected to a spoofed site. The second problem is when the legitimate site gets hacked. The Bank of India was hacked badly a while ago and was serving up a lot of malware, including password thieves.

Other than making your own system resistant to any malware a compromised site might serve up, there isn't much you can do about the integrity of their end, but there are some things you can do on your end to offset some of the problems.
Site Spoofing, making an almost identical copy of a legitimate site for the purpose of stealing your log-in credentials, credit card info, etc. The site may look the same, but its IP address is different. Get the IP addresses of the financial sites you use and add the address and site name to your hosts file. That defeats attacks that use the DNS system. You can also use firewall rules that restrict the IPs you can make secure connections to. If the IP is wrong or changes (redirected), your firewall should alert you.

Part of the solution has to come from the financial site. On the initial login page of my bank, only your login name is entered, which can be anything you choose. The site may or may not challenge me with a security question. The site then has to display an image and a line of text that I selected when I set up the account. If I see those, I know it's the correct site. A spoofed site would have no way of knowing what those would be. If they're correct, I enter the password. If a financial site's login system does not have provisions for you to authenticate them as well as them authenticating you, don't use it. They're not facing the realities of today's internet.

Some browsers allow the same user to have several profiles. With those that do, setting up a profile that's strictly for financial or sensitive tasks can help. Any cookies or temp files created are in a different location than those used by the default profile. It's also a good idea to make any financial work the first thing done in a browser session, and to not visit any other sites during that session. Wiping the browser cache, history, cookies, temp files, etc after a session would prevent a malicious site that's visited afterwards from collecting that data. I use the launcher component of Eraser for this, executed by a small batch file. One click wipes all the locations. Use version 5.7 on 9X systems, not the newer one.

I'm not particularly impressed with the extension system in Mozilla browsers either, especially NoScript. Any security/privacy tool that presumes to whitelist sites without my consent isn't wanted, especially when Google is in the list. I use the FlashBlock extension like a switch for flash content. The actual content filtering is done ahead of and independent from the browser by Proxomitron. This eliminates problems caused by vulnerabilities in security extensions. Firewall rules prevent the browser from accessing the internet without going through Proxomitron.

Regarding attacks on external hardware like routers, DSL modems, etc, I'm convinced that there's a lot of vulnerabilities and possibly even built in backdoors that we don't know about. I've had several DSL modems that have an upper range port open that can't be closed with any of the configuration options. On every one of them, the port number has been different, but they've all had one open port. I can't determine if this is something my ISP has done or if it comes that way from the vendor. I've also disabled UPnP on everything and added blocking/logging rules to Kerio for the UPnP ports.

I've been working on some web pages that detail how to use SSM free on 9X systems to enforce a comprehensive default-deny security policy sufficient to offset the lack of AV support. It's taking much longer to finish than I expected. Too much else to do and not enough time in a day.
Rick

#62
dencorso
    Adiuvat plus qui nihil obstat
  • Super Moderator
  • 5,757 posts
  • OS:98SE

For those who have at least 512 MiB or more RAM to spare, setting up a RAM disk and then pointing TEMP; TMP; Temporary Internet Files; Cookies; History and the java temporary files to the RAM disk is a good and reliable way to get rid of the junk resulting from Internet navigation with every reboot. The only downside is if and when one decides to download files bigger than the RAM disk, because then IE will fail silently, pretending it finished the download, but, of course, yielding a truncated file. There are several workarounds for this problem, ranging from temporarily setting the Temporary Internet Files elsewhere, just for that download, and then setting it back to the RAM disk, to using FlashGet or some other download manager for the files bigger than the RAM disk. With plenty of RAM to spare, a 1.5 GiB RAM disk (my current option) makes even this small annoyance quite rare. It's painless, it's transparent and works like clockwork, provided one reboots regularly, as in shutting down the machine every day, at least during the time one'll be asleep. Of course, it's not as useful for a machine that will be running P2P all the time, but, even then, a reboot usually is required every 48h or less, and that will do fine. And anyone who is able to spend the money needed to get 1.5 GiB or more RAM needed to adopt this strategy should consider spending US$10 more to get the excellent RLoew's non-XMS RAM disk, which is invisible to Win 9x/ME and leads to the most stable possible configuration with a RAM disk (for more on problems arising from using very big RAM disks esp. with XMSDSK, refer to my > 1 GiB thread, for which there is a link in my signature).

#63
lightning slinger
    Member
  • Member
  • 207 posts
  • OS:none specified

I've been working on some web pages that detail how to use SSM free on 9X systems to enforce a comprehensive default-deny security policy sufficient to offset the lack of AV support. It's taking much longer to finish than I expected. Too much else to do and not enough time in a day.
Rick


Looking forward to this immensely Rick.

Your posts on security are always a very good and informative read.

I use 98SE and 98SE2ME on two boxes without any resident AV and with SSM Free.

I have been relying on both Eset and Symantec On-line AV Scanners for periodic checks while they are still supporting 9X (only time IE6 is used).

However I am sure that my use and that of many users of SSM needs a little guidance to become fully comprehensive default-deny.

TIA

Colin

Edited by lightning slinger, 27 June 2009 - 08:50 AM.


#64
the xt guy
    Member
  • Member
  • 100 posts
  • OS:XP Pro x86

I too, am looking forward to Herbalist's site re securing Windows 98 without a virus scanner!

#65
Tarun
    Spectre
  • Super Moderator
  • 3,176 posts
  • OS:Windows 7 x64
Can easily summarize how to secure Windows 98 without a virus scanner: Unplug/Disconnect access to router/Internet.

Realistically: format Windows 98 off and upgrade to a modern, supported OS.

#66
monroe
    Friend of MSFN
  • MSFN Sponsor
  • 855 posts
  • OS:XP Pro x86

herbalist - Rick
... some time back I tried SSM and really liked it with 98SE. Then I ran into the problem of opening Media Player Classic with SSM running ... the computer freezes up and has to be shut down. I think you were able to verify this on your end ... did you ever get any answers on that or figure anything out? I just put SSM back on one of my 98SE machines about a week ago ... had forgotten about the Media Player Classic problem till today ... I could just try to remember to shut SSM down when I want to use Media Player Classic. There is certainly a problem there between the two programs. ... thanks ... that's the only program (MPC) that I found so far that has a conflict of some sort with SSM. I have many programs on my 98SE test machine.

I have another question ... on some programs you tell SSM to "always" run a certain program when it is opened but on some programs there might be a 2nd or 3rd permission asked using the term "allow global hooks". Is it OK to give future permission for the "Global Hooks" question? I don't quite understand that "Global Hooks" question when it pops up on a program.

Edited by duffy98, 02 July 2009 - 11:31 PM.


#67
herbalist
    paranoid independent
  • Member
  • 726 posts
  • OS:98
Global hooks can serve many functions. They're used to intercept system calls, keystrokes, and mouse clicks. They can be used to inject or add code contained in a DLL to one or more running processes. Windows explorer for example needs to hook browseUI.dll in order for the start menu and window menus to work. Applications written in Visual Basic (most of Karen's power tools for instance) often need to hook MSVBVM60.DLL in order to work. The zip file version of K-Meleon needs to hook rebarmenu.dll, one of its own files in order for the menus to work.
There's also instances of applications and windows components that ask for hooks but appear to work just fine without them. On 98FE, using "Find" results in an alert for explorer wanting to hook shell32.dll. Find works normally whether you allow it or not. An older version of Yahoo messenger I had asked to set hooks to idle.dll (part of yahoo) for the keyboard and mouse. It worked whether I allowed it or not.

A fair amount of malware also uses global hooks or dll injection. It's a common method for keyloggers and trojans. Rootkits use certain types of hooks to hide their existence. Quite a few security apps also use them. On XP Pro, the pro version of SSM hooks well over 200 locations, which enables it to detect and intercept almost anything that takes place.
(Attachment: RKU_Report.txt)

When you get an alert for a global hook or DLL injection, the first things to check are "what application is asking" and "what is the app asking to hook". Applications asking to hook a DLL in their own folder are normally legitimate and necessary for that app to work. If the DLL has some random name, it's suspicious. The same applies to DLLs with normal names that are in the wrong location. I normally choose "block this action once" the first time such an alert appears. If everything in the app functions normally, I'll make it permanent. In instances where the hook has to be allowed, there's often a selection of responses in the drop-down box, as shown in the attached screenshot (browseUI.dll.gif).
Whenever possible, limit the hook to the specific application that's asking for it and limit it to the specific DLL it's asking for. Except for browseui.dll, Windows 98 itself needs few if any hooks to function. 98FE asks for very few. 98SE and ME ask for a few more, some of which don't seem to be necessary. Beyond that, allow hooks only when it's necessary for the app to work, and if possible restrict them to the specific executable and DLL in the alert.
Rick
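As an added illustration of the triage rules in Rick's post (this is not code from the thread or from SSM), the routine below classifies a hook alert from the requesting application's path and the DLL's path: own-folder DLLs are treated as likely legitimate, known system DLL names outside the system directory and random-looking names as suspicious, and everything else gets the "block once, then allow if the app still works" default. The known-DLL set, system directory list and sample alerts are constructed from the names mentioned in the post.

```python
import ntpath
import re

# Constructed sample: well-known Windows 9x DLL names taken from the post above.
# A real deployment would carry a much fuller list.
KNOWN_SYSTEM_DLLS = {"browseui.dll", "shell32.dll"}
# Constructed sample of directories where those DLLs legitimately live on 9x.
SYSTEM_DIRS = (r"c:\windows\system", r"c:\windows")


def _looks_random(stem):
    """Heuristic for 'random' DLL names: long hex-like strings or near-vowelless names."""
    if re.fullmatch(r"[0-9a-f]{8,}", stem):
        return True
    letters = [c for c in stem if c.isalpha()]
    if len(stem) >= 8 and letters:
        vowels = sum(c in "aeiou" for c in letters)
        return vowels / len(letters) < 0.15
    return False


def triage_hook_alert(app_path, dll_path):
    """Return (verdict, reason) for a HIPS alert: app_path wants to hook dll_path.

    Verdicts: 'likely-legitimate', 'suspicious', 'review'. Paths are Windows
    paths; ntpath is used so the logic also runs on a non-Windows host.
    """
    app_dir = ntpath.normcase(ntpath.dirname(app_path))
    dll_dir = ntpath.normcase(ntpath.dirname(dll_path))
    dll_name = ntpath.normcase(ntpath.basename(dll_path))
    stem = dll_name.rsplit(".", 1)[0]

    # A DLL carrying a well-known system name must live in the system directory;
    # the same name elsewhere is the "normal name, wrong location" case.
    if dll_name in KNOWN_SYSTEM_DLLS:
        if dll_dir in SYSTEM_DIRS:
            return ("review", "system DLL in the system directory; block once, allow only if the app needs it")
        return ("suspicious", "known DLL name outside the system directory")

    # An app hooking a DLL from its own folder is the normal, legitimate case.
    if dll_dir == app_dir:
        return ("likely-legitimate", "DLL lives in the requesting application's own folder")

    if _looks_random(stem):
        return ("suspicious", "random-looking DLL name")

    return ("review", "unknown DLL; block once and verify the application still works")


# Constructed sample alerts modelled on the examples in the post.
SAMPLE_ALERTS = [
    (r"C:\Program Files\K-Meleon\k-meleon.exe", r"C:\Program Files\K-Meleon\rebarmenu.dll"),
    (r"C:\WINDOWS\EXPLORER.EXE", r"C:\WINDOWS\SYSTEM\browseui.dll"),
    (r"C:\WINDOWS\EXPLORER.EXE", r"C:\WINDOWS\TEMP\shell32.dll"),
    (r"C:\WINDOWS\EXPLORER.EXE", r"C:\WINDOWS\SYSTEM\9f3a2c7e1b.dll"),
]


def triage_all(alerts=SAMPLE_ALERTS):
    """Triage a batch of alerts; returns a list of (app, dll, verdict, reason)."""
    return [(app, dll) + triage_hook_alert(app, dll) for app, dll in alerts]


if __name__ == "__main__":
    for app, dll, verdict, reason in triage_all():
        print(f"{verdict:18} {ntpath.basename(app):14} -> {dll}  ({reason})")
```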

#68
monroe
    Friend of MSFN
  • MSFN Sponsor
  • 855 posts
  • OS:XP Pro x86

Thanks Rick for the detailed explanation on the global hooks in SSM. I will put SSM back on one of my machines and check each global hook as they pop up. I do remember SpywareBlaster asking for one or two global hooks and also Microsoft Money 97 asking for global hooks permission. The term "global hooks" sounds a little sinister and I was wondering what the program might be hooking into or how far these "hooks" might go after connecting to the internet.

... I also will be looking forward to the web pages dealing with SSM and a 9x system.

Edited by duffy98, 03 July 2009 - 01:00 PM.


#69
eidenk

    MSFN Addict

  • Member
  • 1,527 posts
I was wondering where this thread had gone and then I forgot about it. I'll have few things to answer later after reading it all again in more depth. :hello:
Asus A8V Deluxe - Athlon 64 FX-55 2.6Ghz - 1GB DDRAM 400 - Windows ME (IE 5.5 SP2 Shell) + KernelEx 4.0 and Revolutions Pack 10

#70
JustinStacey.x

    Welcome to your life, there's no turning back...

  • Member
  • 180 posts
I do like this thread but it has to be said: You cannot secure an operating system which at its lowest level, the kernel, is inherently insecure. It's bad practice adding piles of addons on top of an insecure foundation and it is one which doesn't really result in computer security but an illusion of such (in actual fact, computer INsecurity).

The only Windows OSes which could be considered even partly secure are the NT based ones with a kernel that has security built in, instead of a single user kernel with no perception of ACLs or access control security of any kind - the 9x kernel. Good security can only be built on top of a good, secure kernel; if the kernel is not secure, the system can never be secure.

Windows 98 just cannot be realistically secured, it's turd polish, and while I *love* Windows 95 (or 98 with IE ripped out and the 95 shell on top) I won't ever lie and say that it can be made as secure as an NT, 2000, XP or Vista box, because it can't.
"XP is just a buggered up version of 2000 with skins added." - Phenomic.

#71
herbalist

    paranoid independent

  • Member
  • 726 posts
  • OS:98
A secure kernel does not result in a secure OS. The opposite does not hold true either. Either way it's irrelevant as Microsoft has never made a secure kernel or operating system. The best they've managed is one that's not quite as insecure as its predecessors. Vista and Windows 7 are supposed to be Microsoft's most secure systems to date, and they get infected like any other. Any system containing data or performing a function critical enough to require a secure kernel shouldn't be running Windows. The only way any version of Windows can begin to be secured is by restricting what is allowed to execute and by restricting the amount of access the allowed processes have to the rest of the system. The more recent NT systems accomplished this with software restriction policies and limited user accounts, implemented with built-in tools. 9X systems don't have built-in tools that can implement such restrictions, but it can be done with installed security software. When done with built-in tools, it's called a more secure OS, but when it's done with installed software, it's "piles of addons." Interesting double standard, especially when much of Windows' "built-in security" tools began as installed applications. My entire "pile of addons" takes up about 18MB, half of which is log files and test configurations. Combined, it uses 5.5MB of memory. If that's a pile, the typical security suite used on XP must be a mountain.

Malicious code doesn't have to compromise the kernel or run at kernel level. It can be damaging or costly no matter what level it runs at. When properly implemented, a default-deny security policy will prevent that malicious code from executing. If it can't execute, it can't compromise the system whether the kernel is "secure" or not. That's one of the purposes of this thread, covering the details of implementing the policy on 9X systems. If you want to call that turd polishing, fine. As far as I'm concerned, the NT systems are the real turds.
A file system that can hide malicious files in alternate data streams.
Vulnerable services few users need opening ports by default.
An OS/kernel so secure that the term "rootkit" has become common language.
An OS with so many holes that a regular "patch day" was created for it.

No thanks. I've cleaned too much garbage out of NT systems, especially XP, to ever consider it to be a security improvement. I'll stay with my "insecure" 9X system that doesn't have those problems.
Rick

#72
frogman

    Senior Member

  • Member
  • 554 posts
  • OS:98SE
I know this has been talked about by many forums, but as Avast are very near to releasing their new Avast 5 and will eventually drop support for 95/98 and ME.

As there aren't many anti virus real time programs available now for those older operating systems I am now concerned for users that want to keep using their system as to what they will use in this instance once they can no longer use Avast that is.

I have been informed that they intend to keep Avast 4.8 running for this year anyway; beyond this they don't know, or perhaps they just don't want to say at this time.

Unless you have any other ideas I would be interested to hear them.

The time to be thinking about this is now, as we may not have that long come December.

I will start off by listing ClamWin which will apparently support 95/98/ME but unfortunately it is a resident program and not real time, but at this point in time beggars can't be choosers it would appear.

Also SAS superantispyware, again the free version not real-time, but a very good scanner for spyware cookies etc.

Please list as many types of programs as you know will work and be supported for the older systems, whether it be anti virus real time or resident, and spyware and malware progs, again real time or resident; this will help our community and hopefully keep those systems alive.

Many thanks in advance.

:thumbup
Windows 98 S.E - Opera 12.02 - Firefox 3.6.28 - Kernel-Ex 4.5.2 - Internet Explorer 6

#73
dencorso

    Adiuvat plus qui nihil obstat

  • Super Moderator
  • 5,757 posts
  • OS:98SE

This is the subject of an already on-going discussion elsewhere: [9x/Me] Surviving Without a Virus Scanner

#74
frogman

    Senior Member

  • Member
  • 554 posts
  • OS:98SE

This is the subject of an already on-going discussion elsewhere: [9x/Me] Surviving Without a Virus Scanner


Dear Mod,

Could my opening post be moved to that thread please?

Thanks

Edited by frogman, 22 July 2009 - 08:10 PM.

Windows 98 S.E - Opera 12.02 - Firefox 3.6.28 - Kernel-Ex 4.5.2 - Internet Explorer 6

#75
cyberformer

    Member

  • Member
  • 138 posts
Hi! frogman!

I've had Avast on a 98se box of mine for a while.
Then one day, I tried to scan a file, and it would not work.
It did produce a single message, telling me that the "key" they issue out, had expired.
I was not left with any working AV at all, even though it had been updated until the very day the key had expired.
I do not think I did anything wrong in the sense of not knowing how to get it to work, even though the key had expired---anyone else here, encountering this kind of thing?
So what good is it keeping up to date, when once they decide to discontinue support,
you no longer have a working AV (even with those old, yet massive defs you have downloaded faithfully whilst the key was working)?

Would I be discouraged not to use my 9x boxes once the day comes (hopefully not)
when all AV support is gone?
Not at all!
In fact, I would more VEHEMENTLY assert my right, and resolve--- to continue to use it!!!!

I would make sure I have the original Install CD, and others having all fixes, mods, and updates; as well as the latest progs I've been using.
I would religiously make backups of any important files, that are Work, or Hobby related.
I would use my knowledge of where not to go, and hone in sharply to my "gut instincts" concerning such things as should I, or should I not---click on this suspect, or unknown download etc.

Then, should I be hit with something, that totally lays waste to my system,
all I've to do, is reformat! and reinstall!
It really does not take long at all to reinstall any of the 9x series of operating systems.
And all you need do then, is gather forth your CDs having the programs you have always used---reinstall them---and you are a 9x user again!
Rising from the ashes of your previous experience, as new and as resolved as ever,
to continue to use and enjoy the OS you Will to use.
So with every little assault upon my 9x work and fun--due to this and that entity no longer supporting drivers, anti-virus progs, and what not,
the more so am I imbued with the strength, courage, and fortitude---to continue on.
The only thing that still concerns me, is the lack of built-in IPv6 support; but a very knowledgeable computer wizard I know---assures me that there will always be a way,
to connect to the internet for those privileged enough to use 9x.

By the way, I am using Clam Win now. It's slow---slow....slow..!
Spy Bot Search and Destroy, seems to work more ploddingly too, as time goes on.
But nevertheless, where there is a will---there is always a way,
for those Strong Enough to Endure the Fight.