[9x/Me] Surviving Without a Virus Scanner


Queue


I'm writing this from the perspective of someone who does not like real-time virus scanners. I sincerely would like discussion in favor of and against them to follow.

---

First off, computer virii are long dead. They existed in the DOS era and slowly died off as executable code that modified all executables on a system became easy to detect, repair and prevent. A true computer virus would be triggered when an infected executable was run; the viral code would search for other executables and modify them to contain said viral code to be executed when those programs are run. They often had a purpose besides replication, that would either occur arbitrarily or when certain criteria were met, and ranged from the benign to the ferociously malicious.

Besides anti-virus programs being good at thwarting these virii, modern OS design protects against them. They are dead.

What you have today is malware, typically tiny executables that are a program by themselves. Rather than infecting all executables, they typically make use of mechanisms in the OS to run every time the computer is started up. Occasionally they exhibit virus-like infection of specific files to make sure they get executed. Malware is an amalgam of spyware, adware, trojan horse programs, and any other type of malicious program. A given malware program can be any of those things; the terms themselves are just more descriptive, but the programs tend to operate in the same way as each other.

---

Why do I dislike real-time (active, resident, they have many names) virus scanners? They hurt computer performance. They don't protect you from new threats. They incorrectly detect programs as being "infected" when they're actually not.

The three most common ways a computer gets infected with malware are:

- a remotely exploitable software flaw that allows execution of code

- a user downloading and executing a malicious application

- a flaw in a browser (or internet multimedia program) that can be exploited to run executable code

---

The first is 100% preventable. For a remote exploit to work, your computer has to be sent data that triggers an execution of code (that would, for example, download and run a malware executable). You have two standard options here: a hardware firewall (for example, a router between your computer and your internet connection, with no ports being forwarded to your computer) or a software firewall (the best advantage here is explicit control over which programs can access the network/internet). There's no reason not to use both, except a software firewall will have some performance cost on your machine. To generalize, a hardware firewall protects you from incoming data, and a software firewall prevents programs from using the internet AND protects you from incoming data. Keeping your software (especially your OS, browser and media players) up to date mitigates most remotely exploitable flaws, as security updates are released specifically to address these flaws. However, the patches come after the flaws are discovered, so simply keeping patched doesn't protect you from newly found exploits.

Now, that said, you could initiate a connection to a remote entity that sends a malicious reply that triggers an execution of code. A hardware firewall won't protect you from this, and a software firewall can only help mitigate the damage done (as could a real-time virus scanner).

---

The second is also 100% preventable. Don't download and run programs. Kinda like abstinence to avoid STDs, this isn't gonna be an option for most people. This is, theoretically, where anti-virus programs are supposed to shine; but they don't. Malware goes out of its way to avoid detection: they modify themselves before transmission so that signature-based scanners don't detect them; they exploit flaws in the scanning routines to avoid detection or to outright crash the virus scanner; and if they manage to run, they shut down the anti-virus or add themselves to the exceptions list.

Signature-based scanning doesn't work. Behavioral-based scanning doesn't work. If they did, malware wouldn't work.

They have a second critical problem that trains people to make mistakes: false positives. If a virus scanner says things that aren't infected are infected, the user will eventually start ignoring the virus scanner.

---

The third is the cause of the browser security wars, people claiming X is more secure than Y. Browsers have design flaws that let code be executed; no browser is exempt from this truth. So do media players (QuickTime has a particularly bad history on both Mac OS and Windows).

This one is also preventable via abstinence: don't browse the internet. Obviously too extreme, so most take the risk. How do you avoid infection then?

First off, know your partner before you sleep with them. Major websites aren't places for you to fear.

Second, don't have sex with the back-alley prostitute: warez and p0rn sites can either be outright malicious or have been compromised because the site itself isn't secure.

Unfortunately, any site that provides more than basic HTML can potentially have been compromised and be serving browser (and other) exploits to try and infect your computer. Major countries' embassy websites, for example, are no more resistant to being compromised.

Ultimately, what browser you use doesn't matter as much as where on the internet you go. You might be thinking to yourself, "but I use Firefox, don't have Flash or Java and have scripting (JavaScript) turned off": an exploit might target a flaw in Firefox's CSS handling, or its XML handling, or even in its basic HTML handling and be able to execute code. How quickly the browser is updated after a flaw is discovered doesn't matter if you went to a malicious website before the fix was released and you downloaded and applied it.

Security through obscurity, exploits not targeting you because you use a program for a given thing (browsing the web) that not many people use, is neither reliable, nor totally ineffective. The larger the userbase for a given program, the more effort that's put into finding exploits for it. No browser is perfect, so security through obscurity IS an option, although not a perfect one; it worked for Firefox at first and earned it its reputation.

---

Now, how does all this relate back to a real-time virus scanner? Well, a virus scanner is there to stop a malicious program from running, but malicious programs don't get detected. So, you're wasting processing power on something that interferes with data throughput and ultimately doesn't protect you.

Never connect your computer directly to the internet, let a router (or a dedicated hardware firewall) sit between your machine and the internet.

Keep your browser of choice patched up to date and any supporting software (Flash, Java, your media player).

Don't download and run programs. If you do download a program, determine if it's from a trustable source, get independent feedback on it (ask someone else who has used it if it was legitimate), scrutinize it (manually unpack it if it's self-extracting, for example), then decide if it's worth the risk.

---

My opinion isn't fully stated here, I'm hoping for some pro-anti-virus responses. The gist of my stance is that real-time anti-virus programs aren't worth the performance cost on a system and are ineffective.

Queue



To avoid any confusion: you got the star for the number of posts, not the number of words B)

I subscribe to the no additional action other than staying current on updates and sitting behind a router. That combined with completely reloading quarterly.


Please, Queue, do take my comments as constructive. However, your post is very assertive, so I feel bound to comment on some of what you said, and disagree with some points. I do have more to say also, but here are my first thoughts about what you said:

I write this from the perspective of one running Win 9x/ME. While keeping to this perspective, I remain in the DOS era, and so do you. :whistle:

First off, computer virii are long dead. They existed in the DOS era and slowly died off as executable code that modified all executables on a system became easy to detect, repair and prevent. [...] Besides anti-virus programs being good at thwarting these virii, modern OS design protects against them. They are dead.
To put it simply: no, they are not.

If you don't believe me, do read Mark A. Ludwig's books, particularly "The Giant Black Book of Computer Viruses".

You can perfectly have a virus hide in an alternate data stream of a Win32 executable on NTFS. ...And even a Vista machine is as vulnerable to a boot-sector virus as your average garden-variety 386 of times past... :whistle:

The fact that we hear less about them may even mean those who write them became better at hiding them... :ph34r:

Never connect your computer directly to the internet, let a router (or a dedicated hardware firewall) sit between your machine and the internet.
I do agree with you here. My own security measures have been scanning and a router firewall for a long time now, and, AFAIK, my machine has been virus-free since 2001 (although I've added the router firewall only when I switched to DSL).
Keep your browser of choice patched up to date and [also] any supporting software (Flash, Java, your media player).
We're talking Win 9x/ME here: this is becoming less and less of an option, no matter how much we strive at keeping up to date. In the long run, no, it's not an option. :(
Don't download and run programs.
:blink: Are you serious? Don't you ever?
If you do download a program, determine if it's from a trustable source, get independent feedback on it (ask someone else who has used it if it was legitimate), scrutinize it (manually unpack it if it's self-extracting, for example), then decide if it's worth the risk.
Why not scan it with multiple scan engines? If you don't want a live scan engine in your machine, you may still use, say, VirusTotal. Avoiding scanning completely out of a dislike simply is not understandable, although all the other measures you recommend do have their merits, especially if used together, and complemented by scanning.

You've also not mentioned the main shortcoming of an AV scanner program: it does not protect one against zero-day threats. And while you're quite right that security through obscurity is an option (although not a perfect one), security through being at the periphery also has its merits... Simply by being in Brazil, I've, up to now, avoided zero-days, but, obviously, that can change at any moment. Moreover, the performance cost of a real-time AV scanner is dependent on how you configure it and also on what hardware you do have. So, here, YMMV.

Now, I think the real problem is that, some months from now, no one using Win 9x/ME will have the option to use an up-to-date AV scanner to fully scan one's machine, say, once a day, because no compatible such software will have been left being updated. And that's the main new scary reality on Win 9x/ME users' horizon I feel we need to address right now.

I think this thread is very timely, and hope it can help all of us (those who do and those who don't like scanners) keep computing safely in a time where most of the scanning programs are dropping Win 9x/ME, or have already dropped it.

Edited by dencorso

You can't... :rolleyes:

I have been infected two times in the past years. The first was when I was infected through peer-to-peer; it was a tough virus because it infected every .exe and .com file in every partition or drive in my computer. All I was left with was my jpgs and mp3s + full format and install, no antivirus there.

The second time was just last March; the virus installed itself on another drive (in my case it was drive E:) and it made detection more difficult because I just scan the system drive.

Because of the above-mentioned, today I do not go online without a firewall, ActiveX control (SpywareBlaster) and antivirus...


First off, computer virii are long dead. They existed in the DOS era and slowly died off as executable code that modified all executables on a system became easy to detect, repair and prevent. A true computer virus would be triggered when an infected executable was run; the viral code would search for other executables and modify them to contain said viral code to be executed when those programs are run. They often had a purpose besides replication, that would either occur arbitrarily or when certain criteria were met, and ranged from the benign to the ferociously malicious.

Not so. I have a Windows XP system that got infected with WIN32:Vitro. It infects every executable that gets opened. It even infected an executable on one of my Windows 98SE computers when I tried to copy a program onto the XP machine. Fortunately the virus crashed when I used the program in Windows 98SE. This led me to discover the virus. I ended up having to write a disinfector since the anti-virus programs I found could not disinfect the executables but would just delete them, leaving a useless system.


I'm not aware of any universally accepted definition of virus, worm, or any other particular class of malicious code. That classification system as such is as out of date as detection by definition is. Most modern malicious code can be classified in several categories, and fit correctly in each. If it's necessary to classify malicious code, I'd call most of it a hybrid of several categories. Much has changed since that term was applied to malicious code, most important of which is the source of that code. Viruses/malicious code used to be written by individuals primarily for bragging rights, showing off, etc. Now the motives are data and financial theft, and the control of others' systems for malicious purposes. There is still plenty of malicious code that is effective against 9X systems that many vendors do classify as viral. In addition, this code is targeting applications, not just Windows and Internet Explorer. Until operating systems become read-only and completely unalterable, this problem will continue.

I stopped using a resident AV in 2005, mainly for the same reasons you listed. Today, 9X users have another reason to add to that list, a dwindling number of choices that run on 9X systems. Most users have grown up with AVs on their systems. Thanks in large part to companies motivated by profit promoting a single method of protection that creates user dependence on a continuous stream of updates, the majority of users are not aware that there are other ways to protect/secure a PC that are equally or more effective. Windows has long had convenience and permissiveness as its core philosophy. The user can do anything, as can most of the installed software. Except for some specifically blocked items, any application can launch any other application, including ones that can alter critical settings in the OS. AVs are also based on this philosophy or policy, which can be accurately described as default-permit. In the beginning, this policy was reasonably effective. There wasn't that much malicious code. Internet access was primarily dialup, which helped keep down the rate that malicious code spread. The present day scenario is much different. Counting variants, there's over half a million examples of malicious code. Today, high speed and connected 24/7 is the norm. Static IPs are common. PCs are connected and targetable all the time, not just when a user is online. 9X users also have to deal with dwindling software support for user software. The security flaws aren't getting fixed in the versions we have to use for many apps.

One of the most effective ways to secure a 9X system is to reverse the philosophy it's based on. On 9X systems, there's no separation of user and administrator functions. The first step in securing a 9X system is defining user and administrative functions. Installing or updating software, registering DLLs, modifying the registry, changing system settings, etc. should all be regarded as administrative tasks. The advice that's given to users of NT systems applies to 9X as well. The OS shouldn't be in an administrator mode during normal usage. The task then becomes effectively separating the user and administrator modes. For this, we have a couple of tools available. The first is on the Windows CD, the policy editor. It's located in \tools\reskit\netadmin\poledit\ and is not part of a default install. The file, poledit.exe, can be run from a floppy and works by making specific changes to the registry. Before using the policy editor to make any changes to your system, make a full backup of the registry. On units with more than one user profile, make sure the backup includes the user.dat files for each profile. When the policy editor is used to open the registry, two choices are displayed:

1, Local Computer.

2, Local User.

The settings most useful for the creation of separate user and administrator modes are found under Local_User\Windows 98 system.

The options available here are:

1, Shell.

2, Control Panel.

3, Desktop Display.

4, Restrictions.

The Shell and Control Panel sections are useful for restricting users access to sensitive parts of the system. The last section, Restrictions, has more powerful options. The screenshot below shows where an application whitelist can be created.

[screenshot: userrestrictions-apps.gif, the Restrictions section of the policy editor]

This section will not restrict system executables but will restrict applications, installers, trojans, adware, etc. from being launched by Explorer or another user application. Whitelisted applications need to be entered as a filename with the extension, such as poledit.exe. Make certain that you include poledit.exe in your whitelist or you won't be able to get back into the policy editor. With a little planning, all the apps a user might need for normal user tasks can be added. Since the user can't accidentally launch a malicious process or install an unwanted program, this will greatly reduce the chances of the user compromising the system. On multiple user PCs, each user's allowed list can be individually made.

The policy editor performs some of the functions normally associated with HIPS (Host Intrusion Protection System) software but is not as reliable. On 98, the policy editor does not check the path used by the whitelisted executable or its integrity. It has no signature checking. If test.exe is in the allowed list, any file named test.exe will be allowed to execute. NT systems have more safeguards against this type of spoofing, so the practice is not nearly as common as it used to be.

On NT systems, HIPS software, whether free-standing or part of a firewall suite gives those systems the equivalent of a policy editor on steroids. Just about all of them are for NT systems only, but there is one exception that I know of. It's the free version of System Safety Monitor. It's no longer supported or being developed, but then neither is 98. It is the most effective option I've ever seen for controlling applications and their activities on a 9X system. I'll cover this along with controlling internet access, preventing compromise by limiting integration and interprocess activity, registry protection, and filtering undesired and malicious web content from the allowed traffic in later posts. It takes some time and planning to go through the details, but with a well thought out strategy, a 9X system can be made very close to bulletproof, and at no cost.

Rick

edited to fix image

Edited by herbalist
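The allow list described in the post above, as an added example that is not part of the post and is not the policy editor's own code: a Python script that emits the registry data for a "run only allowed Windows applications" list and then shows the spoofing weakness mentioned (a name-only check passes any file called notepad.exe) next to what a content-hash check adds. The registry layout (HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, DWORD RestrictRun=1, and a RestrictRun subkey whose numbered string values hold file names) is assumed from the Win9x policy template; the file contents and paths are constructed stand-ins, not real binaries.

```python
"""Added example: modelling the Windows 98 policy editor's application
allow list.  The registry layout below is an assumption based on the
Win9x policy template; the "executables" are constructed byte strings."""
import hashlib
import ntpath


def build_restrictrun_reg(apps):
    """Return REGEDIT4 text that enables the allow list for the given file names.
    poledit.exe is always appended so the policy can be undone from inside Windows."""
    base = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    lines = [
        "REGEDIT4",
        "",
        f"[{base}]",
        '"RestrictRun"=dword:00000001',
        "",
        f"[{base}\\RestrictRun]",
    ]
    names = list(dict.fromkeys(list(apps) + ["poledit.exe"]))  # dedupe, keep order
    for n, name in enumerate(names, start=1):
        lines.append(f'"{n}"="{name}"')
    return "\n".join(lines) + "\n"


def allowed_by_name(allow_names, exe_path):
    """98-style check: only the file name is compared, never the path or the content."""
    return ntpath.basename(exe_path).lower() in {n.lower() for n in allow_names}


def allowed_by_hash(allow_hashes, exe_bytes):
    """Stronger check: the file content must match a known-good SHA-256 digest."""
    return hashlib.sha256(exe_bytes).hexdigest() in allow_hashes


# Constructed stand-ins for executables (not real PE files).
GENUINE_NOTEPAD = b"MZ notepad-genuine"
RENAMED_TROJAN = b"MZ dropper"

ALLOW_NAMES = ["notepad.exe", "wordpad.exe"]
ALLOW_HASHES = {hashlib.sha256(GENUINE_NOTEPAD).hexdigest()}


def demo():
    """Verdicts for the genuine notepad and for a trojan renamed to notepad.exe."""
    genuine = r"C:\WINDOWS\NOTEPAD.EXE"
    spoofed = r"C:\TEMP\NOTEPAD.EXE"  # same file name, attacker's bytes
    return {
        "name_genuine": allowed_by_name(ALLOW_NAMES, genuine),
        "name_spoofed": allowed_by_name(ALLOW_NAMES, spoofed),  # True: spoof succeeds
        "hash_genuine": allowed_by_hash(ALLOW_HASHES, GENUINE_NOTEPAD),
        "hash_spoofed": allowed_by_hash(ALLOW_HASHES, RENAMED_TROJAN),  # False
    }


if __name__ == "__main__":
    print(build_restrictrun_reg(ALLOW_NAMES))
    for check, verdict in demo().items():
        print(f"{check:13} -> {'allowed' if verdict else 'blocked'}")
```

The point of the second half is the one the post makes: the policy editor's list is a name filter, so it stops accidental launches but not a dropper that borrows an allowed name. A hash list closes that gap at the cost of having to be regenerated after every legitimate update.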

First off, computer virii are long dead. [...] They are dead.
Not so. I have a Windows XP system that got infected with WIN32:Vitro. It infects every executable that gets opened. It even infected an executable on one of my Windows 98SE Computers whn I tried to copy a program into the XP machine. Fortunately the virus crashed when I used the program in Windows 98SE. This led me to discover the Virus. I ended up having to write a disinfector since the Anti-Virus programs I found could not disinfect the executables but would just delete them, leaving a useless system.
WIN32:Vitro, a.k.a. Win32/Virut, is a good case-in-point. It's a polymorphic virus that uses process injection technology to proliferate. It doesn't work on Win 9x/ME because it depends on NTDLL.DLL functions NTCreate*, NTOpenFile and NtQueryInformationProcess, as far as I was able to gather by googling around. It's quite nasty. But, then again, it doesn't use stealth techniques. It could be even worse... Edited by dencorso

I'm writing this from the perspective as someone who does not like real-time virus scanners. I sincerely would like discussion in favor of and against them to follow.
I only use on-demand scanning, and I also reject real-time scanning. But the main problem is that it is getting difficult to do ANY virus checking under Win98, anti-virus vendors are dropping support for Win98.
First off, computer virii are long dead.
Food for thought. Nearly all the malware detected in my current downloads are trojans etc. But it's just a matter of how you call these critters. Kaspersky Anti-Virus would in this sense be a misnomer, since most of the stuff it detects are trojans. Myself, I quite often use the word 'virus' to mean 'trojans, etc', even if it's not correct. And when I run a virus-check, I am checking for all kinds of malware, not just for viruses.
There's no reason not to use both, except a software firewall will have some performance cost on your machine. To generalize, a hardware firewall protects you from incoming data, and a software firewall prevents programs from using the internet AND from incoming data.
In my personal experience, firewall software has had only marginal value in protecting me from malware. The main use of firewall software is to protect me against nosy software vendors trying to call home.

The best thing I have done for my computer in the last couple of months was to throw out ZoneAlarm v5.5 and install ancient Tiny Personal Firewall v2.0.14 instead, my computer has become REALLY crisp and fast afterwards.

Keeping your software (especially your OS, browser and media players) up to date mitigates most remotely exploitable flaws, as security updates are released specifically to address these flaws...
I disagree, unless you meant OS=open source/Linux. I consider my Win98SE system to be safer because I have tried to stay away from updates released after Sept.11, 2001
Signature-based scanning doesn't work.
It has worked for me, because I have a long backlog. In general it's wise not to install dubious downloads for about 2-3 months, the signature updates eventually catch up with newer malware.
false positives
Kaspersky doesn't have too many false positives. But that doesn't really matter, in most cases there are many sources for the same stuff, anything which Kaspersky flags as infected or which otherwise looks fishy, gets deleted.

Static IPs are common.
Hi Rick,

I have Internet access via cable, and can only change my IP by changing the router MAC, about once every other week. Eventually internet connections may be stored for eternity, this may make it more difficult to tie all together.


Fortunately the virus crashed when I used the program in Windows 98SE.
Younger malware writers may not know how to write Win98-compatible code anymore. There even is a keygen which displays under Win98 the hilarious msg: "keygen.exe expects a newer version of Windows. Upgrade your Windows version." (That's where I got my first SNIP in this forum, probably because I mentioned also the program name)
This led me to discover the Virus. I ended up having to write a disinfector since the Anti-Virus programs I found could not disinfect the executables but would just delete them, leaving a useless system.
Anti-virus software has become lousy at disinfecting, and the disinfected stuff most likely won't work.

About 6 years ago my Netscape mailbox was infected and I was able to clean it Ok with Emailchemy, by converting the virus-infected mailbox to RFC-822 message folders, then checking the RFC-822 files with Kaspersky AVP, then deleting/editing the flagged infected message files .txt with Notepad/Wordpad and finally converting the .txt message files to Eudora mailboxes.

Format conversion software might be helpful in repairing infected files.

Edited by Multibooter
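The split, scan and rebuild approach described in the post above, as an added example that is not from the post and does not use Emailchemy: Python's mailbox and email modules split an mbox into one RFC 822 file per message, the per-message files are triaged, and the mailbox is rebuilt without the flagged messages. The external scanner step is stood in for by a simple executable-attachment check (a real run would point the AV at the .eml files instead); the two messages, addresses and attachment bytes are constructed for the demo.

```python
"""Added example: split an mbox into per-message files, triage them, and
rebuild the mailbox without the flagged ones.  The sample mailbox is
constructed in a temporary directory; the attachment is not a real binary."""
import email
import email.policy
import hashlib
import mailbox
import os
import tempfile
from email.message import EmailMessage

# Extensions that warrant a closer look; a real scan would replace this test.
SUSPECT_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")


def split_mbox(mbox_path, out_dir):
    """Write every message as its own RFC 822 file and return the file paths."""
    paths = []
    for i, msg in enumerate(mailbox.mbox(mbox_path)):
        p = os.path.join(out_dir, f"msg{i:04d}.eml")
        with open(p, "wb") as f:
            f.write(msg.as_bytes())
        paths.append(p)
    return paths


def attachments(eml_path):
    """Yield (filename, sha256 hex) for each attachment of one message file."""
    with open(eml_path, "rb") as f:
        msg = email.message_from_binary_file(f, policy=email.policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        yield name, hashlib.sha256(part.get_payload(decode=True)).hexdigest()


def triage(eml_paths):
    """Return indices of messages that carry an executable attachment."""
    flagged = []
    for i, p in enumerate(eml_paths):
        if any(name.lower().endswith(SUSPECT_EXT) for name, _ in attachments(p)):
            flagged.append(i)
    return flagged


def rebuild_mbox(eml_paths, skip, out_path):
    """Write a new mbox from the per-message files, leaving out `skip`; return its size."""
    mb = mailbox.mbox(out_path)
    try:
        for i, p in enumerate(eml_paths):
            if i in skip:
                continue
            with open(p, "rb") as f:
                mb.add(mailbox.mboxMessage(f.read()))
    finally:
        mb.flush()
        mb.close()
    return len(mailbox.mbox(out_path))


def make_sample_mbox(path):
    """Constructed sample: one clean message and one with an .exe attachment."""
    mb = mailbox.mbox(path)
    clean = EmailMessage()
    clean["From"], clean["To"] = "alice@example.test", "bob@example.test"
    clean["Subject"] = "notes"
    clean.set_content("see you tomorrow")
    bad = EmailMessage()
    bad["From"], bad["To"] = "mallory@example.test", "bob@example.test"
    bad["Subject"] = "your photos"
    bad.set_content("open the attachment")
    bad.add_attachment(b"MZ\x90\x00 constructed, not a real binary",
                       maintype="application", subtype="octet-stream",
                       filename="photos.exe")
    for m in (clean, bad):
        mb.add(mailbox.mboxMessage(m.as_bytes()))
    mb.flush()
    mb.close()


def demo():
    """Run the pipeline end to end; return (flagged indices, messages kept)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "inbox.mbox")
        make_sample_mbox(src)
        parts = split_mbox(src, d)
        flagged = triage(parts)
        kept = rebuild_mbox(parts, set(flagged), os.path.join(d, "inbox.clean.mbox"))
        return flagged, kept


if __name__ == "__main__":
    print(demo())  # ([1], 1)
```

Because each message becomes its own file, a scanner that can only delete (not disinfect) removes one message rather than the whole mailbox, which is the property the post relied on.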

I have Internet access via cable, and can only change my IP by changing the router MAC, about once every other week. Eventually internet connections may be stored for eternity, this may make it more difficult to tie all together.

I've had DSL for about 3 years now. I didn't ask for a static IP but mine hasn't changed since I got it. It was a radical change from the bargain dialup service I used to have. On dialup, my connection had an hour limit, after which I was automatically disconnected. Every hour or less, my IP changed. At the time, I had ID-Blaster tied into the dialup. Every time my IP changed, so did my ID numbers. Combined with a random proxy setup and a firewall that didn't respond to incoming connection attempts, I wasn't easy to track. How times have changed.

For many years, I relied exclusively on a software firewall. The hardware firewall (Smoothwall 2.0) is a recent addition in comparison, added primarily as a gateway for my local network. It was also a great way to recycle an old PC (a P5-133) that wasn't powerful enough to run 98 decently, at a total cost of 3 network cards.

I consider a software firewall to be an essential component for applying the default-deny policy to internet access on a per-process level. Only those apps that require internet access to function can connect out, and only when and to where it's necessary. Software firewalls are not weak in themselves. Their primary weakness is the OS they run on. If that OS is well protected against compromise, the firewall will be reliable. I use Kerio 2.1.5, which is very much like Tiny with a few more features added, like being able to import and export rulesets. Kerio 2 can import the rulesets made by Tiny. I have yet to see it fail.

Kerio 2 and Tiny 2 are ideal firewalls for 9X systems. They don't slow the system at all, even with old hardware. Properly configured, they can actually speed up internet apps slightly by preventing system executables (like Windows Explorer) from wasting bandwidth. On dialup, the improvement can be noticeable.

A firewall like Kerio is also very good at controlling local or loopback traffic. I use Proxomitron to filter the web content to all browsers. The loopback rules in Kerio prevent the browsers from bypassing Proxomitron, protecting it from a lot of malicious code in the process. The advantages of controlling loopback connections can be demonstrated with the PCAudit2 firewall leaktest. Although it's generally regarded as a test of HIPS ability to intercept DLL injection, it can also be used to demonstrate how malicious code can gain internet access by using loopback connections to apps with internet access.

With well designed loopback rules, this test (and malware that uses these methods) can be defeated with just a firewall. Combined with a process whitelist created by the policy editor, this gives 2 layers of defense against malware of this type. If one layer fails, the next still protects you. The addition of HIPS software effectively puts 4 layers in the way, the 2 already mentioned plus blocking of the global hook and preventing the adding of autostart entries for the malicious code. More on HIPS later.

Some users don't like rule based firewalls like Kerio because they require the user to have a basic knowledge of the IP system and how it works. 9X users are already in the position of having to provide their own support. A basic understanding of the IP system and firewall rules is an extension of that. The ability to write good firewall rules is rapidly becoming a lost art, thanks largely to security suites with automatic rule creation and an emphasis on combined security packages and added features, most of which are not 9X compatible.

Anti-virus software has become lousy at disinfecting, and the disinfected stuff most likely won't work.

True, but given the nature of present day malware and the huge quantities of it around, it's not entirely unexpected. Asking software that runs within Windows to remove rootkits with no user assistance is a tall order. Malicious code has become quite good at concealing and defending itself, including directly attacking the security software. Some malicious code can't be removed without booting from a separate OS, so it's not reasonable to expect that the AV will be able to. Because of the quantities of malicious code and the very short time between its release and becoming widespread, the AV is no longer a reliable front line defense. AVs still have a place, scanning files and software from outside sources for known malicious code, but their default-permit design makes them too vulnerable to new, encrypted, packed, or otherwise concealed malware. Since their real time protection isn't as effective as it needs to be, there's no reason an AV has to be installed and running on the operating system. New files can be scanned with online scanners. Sites like VirusTotal can scan individual files. For large or multiple files, Trend Micro's HouseCall works fine.

Rick

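The per-process, default-deny rule set with loopback control that Rick describes, as an added example written for this thread and not in Kerio's or Tiny's own rule format: a small first-match rule evaluator in Python. The browser may only reach the local proxy, the proxy is the only process allowed out to web ports, and any other process trying the loopback proxy (the PCAudit-style leak) or any inbound connection falls through to the default deny. The process names, the proxy port 8080 and the sample connection attempts are assumptions constructed for the demo.

```python
"""Added example: a first-match, default-deny, per-process firewall rule set
with loopback rules, modelled on the Kerio 2 / Tiny 2 style described above.
Process names, ports and the sample events are constructed for the demo."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    process: str        # executable name, "*" for any process
    direction: str      # "out" (this host initiates) or "in" (remote initiates)
    remote: str         # CIDR the remote address must fall in
    ports: tuple        # remote ports the rule covers, () for any
    action: str         # "allow" or "deny"
    note: str = ""


@dataclass(frozen=True)
class Conn:
    process: str
    direction: str
    remote_ip: str
    remote_port: int


def evaluate(rules, conn):
    """Return (action, note) of the first rule matching the connection; default deny."""
    ip = ipaddress.ip_address(conn.remote_ip)
    for r in rules:
        if r.process not in ("*", conn.process):
            continue
        if r.direction != conn.direction:
            continue
        if ip not in ipaddress.ip_network(r.remote):
            continue
        if r.ports and conn.remote_port not in r.ports:
            continue
        return r.action, r.note
    return "deny", "default deny"


LOOPBACK = "127.0.0.0/8"
ANY = "0.0.0.0/0"
PROXY_PORT = 8080  # assumed listening port of the local filtering proxy

RULESET = [
    # Browsers may talk only to the local proxy, never directly to the internet.
    Rule("firefox.exe", "out", LOOPBACK, (PROXY_PORT,), "allow", "browser -> proxy"),
    Rule("firefox.exe", "out", ANY, (), "deny", "browser bypassing proxy"),
    # The proxy is the only process permitted to reach web ports.
    Rule("proxomitron.exe", "out", ANY, (80, 443), "allow", "proxy -> web"),
    # Nothing else may use loopback: blocks a leak through the trusted local listener.
    Rule("*", "out", LOOPBACK, (), "deny", "unexpected loopback use"),
    # No inbound services on this host.
    Rule("*", "in", ANY, (), "deny", "no inbound services"),
]

# Constructed sample events; the expected verdict is noted on each line.
SAMPLE = [
    Conn("firefox.exe", "out", "127.0.0.1", PROXY_PORT),   # allow
    Conn("firefox.exe", "out", "93.184.216.34", 443),      # deny: must use proxy
    Conn("proxomitron.exe", "out", "93.184.216.34", 80),   # allow
    Conn("leaktest.exe", "out", "127.0.0.1", PROXY_PORT),  # deny: loopback leak
    Conn("explorer.exe", "out", "93.184.216.34", 80),      # deny: default
    Conn("listener.exe", "in", "203.0.113.5", 139),        # deny: inbound
]


def verdicts(rules=RULESET, conns=SAMPLE):
    """Actions for each sample connection, in order."""
    return [evaluate(rules, c)[0] for c in conns]


if __name__ == "__main__":
    for c, v in zip(SAMPLE, verdicts()):
        print(f"{c.process:16} {c.direction:3} {c.remote_ip}:{c.remote_port:<5} -> {v}")
```

Order matters in a first-match set: the browser's loopback allow has to precede its catch-all deny, and the catch-all loopback deny for other processes is what turns the proxy from a leak path into a choke point.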

Ultimately, what browser you use doesn't matter as much as where on the internet you go.

Nonsense. Every website should be subject to the same security measures. Websites get hacked and often host third-party content that can also get hacked. You aren't 'safe' anywhere.

No browser is perfect, so security through obscurity IS an option, although not a perfect one; it worked for Firefox at first and earned it its reputation.

More nonsense. Gecko is open-source, so flaws get fixed all the time, even when not exploited. Mozilla's strength is that it fixes known vulnerabilities quickly. Even quicker if it's exploited. The time that you are vulnerable while using Gecko-based web browsers is very, very short.

I have been infected two times for the past years, first was when I was infected through peer to peer, it was a tough virus because it infected every .exe and .com file in every partition or drive in my computer. All I was left was my jpgs and mp3s + full format and install, no antivirus there.

That's your own fault. P2P opens a huge repository of untrusted, and often malicious, programs.

You didn't mention how you got infected the second time.


You aren't 'safe' anywhere.
That's your own fault. P2P opens a huge repository of untrusted, and often malicious, programs.

You are contradicting yourself here. You can't blame somebody if it's not safe anywhere. And change the word P2P to "internet" and it's also a valid statement. Meaningless as well, but also valid. P2P can be dangerous but you could say the same about having a connection to the internet in general.


My old dedicated mule laptop has been running for over 4 years, 24 hours a day, 365 days a year, at about 10-15kB/s or 1TB/month. At an average of 5-10 viruses per day, that makes about 10.000 viruses/infected files downloaded and deleted.

Can you give us some precise examples of what files you need to delete from your eDonkey/Kademlia download because they are infected ?

