Anti-Malware Suggestions

69 replies to this topic
#51
NoelC

    Software Engineer

  • Member
  • 2,458 posts
  • Joined 08-April 13
  • OS:Windows 8.1 x64

Thanks for your response, GrofLuigi.

 

I'm not sure what's different about our systems, but on mine attempts to access 0.0.0.0 are aborted immediately.  There's no timing out.  At one time I had Subversion Server running on this system, so I thought maybe that was causing the immediate kill of such requests, but that's gone now and I'm certainly not seeing anything that could be called a timeout.

 

[Attached image: ZeroAborts.png]

 

Thing is, not only is having a big blacklist hosts file like this without practical downside on a modern system, this is such a good way to block parasite web sites (not to mention ads) that it's worth working through however many arguments people make against it.

 

-Noel


Edited by NoelC, 17 May 2015 - 04:32 PM.




#52
GrofLuigi

    GroupPolicy Tattoo Artist

  • Member
  • 1,362 posts
  • Joined 21-April 05
  • OS:none specified

It depends on the browser, I still mostly use Opera Presto, most other (modern?) browsers do not wait. I'm not sure if Opera still does, but there is no harm if blank images get served. I think it also helps with the geometry (layout) of the page, not to have the symbol of broken image(s).

I am still not sure if it serves javascripts (empty text files?), there are several versions and documentation is slim.

Edited by GrofLuigi, 17 May 2015 - 05:16 PM.


#53
NoelC

    Software Engineer

  • Member
  • 2,458 posts
  • Joined 08-April 13
  • OS:Windows 8.1 x64

Tarun, if you're unwilling to debate using a hosts file in the thread I've started on the subject, then I suggest it is inappropriate to counter my suggestions here with language intended to discredit them. 

 

If you can't back up your claims with real information then your claims cannot be justified.  I have provided both the theory and the measurements that say the hosts file is both effective and does not cause undue overhead.

 

In this particular case, I further assert that the advice I gave in the original post of the thread I linked above quite likely would have prevented Browncoat's infection.  And, further, if such infection was introduced by his running a download despite recommendations to test in an isolated environment, the hosts file would serve to block subsequent attempts to send sensitive information to those servers.

 

-Noel



#54
Tripredacus

    K-Mart-ian Legend

  • Super Moderator
  • 10,012 posts
  • Joined 28-April 06
  • OS:Windows 7 x86

Tarun, if you're unwilling to debate using a hosts file in the thread I've started on the subject, then I suggest it is inappropriate to counter my suggestions here with language intended to discredit them.


Your post moved back here instead of from where it was posted:
http://www.msfn.org/...roredirect1com/

No need to follow people around the site. :)
In the case of that thread, posting "should have done this or that" doesn't help his current situation. Tarun is correct that the hosts file does not prevent infections, although it can hinder said infection from working properly... IF the url it is attempting to use is already marked.

As a general rule, using the hosts file is not recommended because of the reasons he outlined. You have to understand that neither you (nor I) can compare the performance of a properly set up system (maybe that is in our dreams :w00t: ) against what an average computer may be. The same goes for a fresh install into a VM. The average computer is underpowered and hobbled by all the junk the user has installed over time. The average user cares not for actual performance and uptimes, and even the "power user" to this day insists on doing fresh installs once something goes awry.

 

I consider any sort of malware prevention, system or network protection ideas to be a YMMV issue and there is no right or wrong... except not having a network connection. ;)
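The two hosts-file points made above (Noel's observation that 0.0.0.0 entries fail immediately, and Tripredacus' caveat that a blocklist only hinders malware whose exact domain is already listed) can both be checked by auditing the file itself. This is an added example, not code posted in the thread; the hosts file content and domain names are constructed.

```python
"""Audit a blocklist-style hosts file: which entries blackhole a name,
which silently redirect it elsewhere, and which domains are covered."""
import ipaddress

# Addresses that make a lookup fail locally instead of reaching a server.
# On Windows a connection to 0.0.0.0 is rejected at once (the thread's
# observation); 127.0.0.1 fails fast only if nothing listens on the port,
# so the audit reports which form the file uses.
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Constructed sample hosts file (assumed content, not a real blocklist).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# blocklist section
0.0.0.0   ads.example.net
0.0.0.0   tracker.example.org     # pixel tracker
127.0.0.1 malware-cdn.example.com
203.0.113.10 update.example.com  # points at a remote host: a redirect
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping, like the resolver:
    one address per line, any number of names, '#' starts a comment."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address: the resolver ignores the line too
        for name in names:
            yield ip, name.lower(), line_no


def audit(text):
    """Return (blocked_names, redirects, address_counts).

    blocked_names: names mapped to a blackhole address (localhost excluded)
    redirects:     names mapped to any other address -> (ip, line_no); a
                   blocklist should never contain these, and hosts-file
                   tampering by malware usually looks exactly like this
    address_counts: how often each blackhole address is used
    """
    blocked, redirects, counts = set(), {}, {}
    for ip, name, line_no in parse_hosts(text):
        if ip in BLACKHOLE:
            if name != "localhost":
                blocked.add(name)
                counts[ip] = counts.get(ip, 0) + 1
        else:
            redirects[name] = (ip, line_no)
    return blocked, redirects, counts


def coverage(text, domains):
    """Map each domain to True if the hosts file would blackhole it.

    Matching is exact: the hosts file has no wildcards, so a listed
    ads.example.net does nothing for cdn.ads.example.net."""
    blocked, _, _ = audit(text)
    return {d: d.lower() in blocked for d in domains}


if __name__ == "__main__":
    blocked, redirects, counts = audit(SAMPLE_HOSTS)
    print("blackholed:", sorted(blocked))
    print("redirects (review these):", redirects)
    print("addresses used:", counts)
    print(coverage(SAMPLE_HOSTS, ["ads.example.net", "cdn.ads.example.net"]))
```

Run it against a real hosts file by reading the file into `audit`; any entry reported under redirects deserves a look, since a pure blocklist has none.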




#55
Browncoat

    Rebel

  • Member
  • 122 posts
  • Joined 19-January 10
  • OS:Windows 7 x86

So true!
:yes:

I use other browsers for specific thing. IE is used for Microsoft related websites only... Chrome is used primarily for Google related sites like Youtube.


That is generally the doctrine I follow, IE for sevenforums/tenforums, Chrome when I want to post on YT.
However, Opera Portable only has four [grocery flyers] tabs open and is really slow to load, but I don't always update to the latest when I have time to read the newspapers that come on Thursday of every week. FF is my main viewer, Java disabled unless a site really needs it, then disable and do scans.

classic shell and some manual reg changes do trigger false-positive within stupid MBAM
and not as hijack but as trojan - lulz

For that you gotta remember what actions you did and give the appropriate exemptions, right?

#56
NoelC

    Software Engineer

  • Member
  • 2,458 posts
  • Joined 08-April 13
  • OS:Windows 8.1 x64

The bul***** sometimes gets deep around here.

 

  • IE has the best security model of all of the browsers - you just have to reconfigure it from its default permissive behavior.
  • A good hosts file is a valuable cog in an overall security strategy and does not cause any performance problems.
  • There is no technological substitute for thinking before acting.

 

These are simple truths no matter what the self-proclaimed experts around here may say.

 

-Noel


Edited by NoelC, 18 May 2015 - 10:03 PM.


#57
jaclaz

    The Finder

  • Developer
  • 15,654 posts
  • Joined 23-July 04
  • OS:none specified

  • IE has the best security model of all of the browsers - you just have to reconfigure it from its default permissive behavior.

 
Ah well, that is an interesting piece of news.
 
An image is worth a thousand words, a loooong image should be worth some more.

 
jaclaz

Attached Files



#58
NoelC

    Software Engineer

  • Member
  • 2,458 posts
  • Joined 08-April 13
  • OS:Windows 8.1 x64


Your diagrams don't seem applicable to me.

 

  • How many people do you think reconfigure IE to lock it down as it can be for secure browsing?
  • How many understand that when Microsoft puts up the message "Do you want to reconfigure to recommended settings?" that they may actually be OPENING IT UP to more vulnerability?
  • How many do you think practice good security practices as an overall strategy?
  • Do YOU allow IE to run ActiveX from the Internet Zone? If so, why?

 

Why do some folks here delight in taking things out of context?

 

-Noel


Edited by NoelC, 19 May 2015 - 10:30 AM.


#59
MagicAndre1981

    after Windows 7 GA still Vista lover :)

  • Patrons
  • 6,216 posts
  • Joined 28-August 05
  • OS:Windows 8 x64

The bul***** sometimes gets deep around here.

 

  • IE has the best security model of all of the browsers - you just have to reconfigure it from its default permissive behavior.
      

 

but not for you, if you disable UAC and so disable the sandbox of IE.



#60
NoelC

    Software Engineer

  • Member
  • 2,458 posts
  • Joined 08-April 13
  • OS:Windows 8.1 x64


Security can still be decent with UAC disabled.  As long as it doesn't run ActiveX the need for a sandbox is greatly reduced.

 

One of the prime reasons its security model is very good is that it's quite configurable.

 

I'll wager my system, with me at the helm practicing the security measures I outlined at the start of this thread, is providing both a more secure and better performing computing environment than most.

 

By the way, the word "security" is almost too broad a subject to discuss in one broad swath.  Secure from what?  There's unsaid context in each statement.  Secure from ads that install malware is just one aspect.

 

-Noel


Edited by NoelC, 19 May 2015 - 11:52 AM.


#61
jaclaz

    The Finder

  • Developer
  • 15,654 posts
  • Joined 23-July 04
  • OS:none specified

  • Do YOU allow IE to run ActiveX from the Internet Zone?   If so, why?

 

Actually I do NOT allow IE to run AT ALL.

 

But then I am no expert :no:, not even a self-proclaimed one; here is one:

http://www.msfn.org/...83-experts-say/

 

Anecdotally, on the machines on which I never run IE, but only Opera as a browser (and lately only rarely a Chrome based browser), I was never infected by anything in the last 10 years or more; most probably this means that there is not a direct cause-effect relationship between how good a security model is and actual security. :unsure:

 

OT but not much also UAC, DEP and ASLR (and what not) introduced in Vista and later are good security models in theory :yes:, but in practice I did not notice the dramatic drop in infections worldwide I would have expected since their introduction:

http://www.msfn.org/...-the-interwebs/

 

jaclaz



#62
Tarun

    Spectre

  • Super Moderator
  • 3,126 posts
  • Joined 27-January 04
  • OS:Windows 7 x64

Let's keep things civil in this thread. We're here to have discussions and to learn. As a reminder:
 
 

7.b This community is built upon mutual respect. You are not allowed to flame other members. People who do not respect personal opinions and/or personal work will be warned in first instance. If you ignore the warning and keep on flaming, you will be banned without notice.

 
MSFN Rules



#63
NoelC

    Software Engineer

  • Member
  • 2,458 posts
  • Joined 08-April 13
  • OS:Windows 8.1 x64


Your warning has been noted, Tarun, as has the disrespect you have shown me by actively discrediting my suggestions to others without bothering to back up your claims.  The difference is that I don't hold power over your ability to post here.

 

I'm done in this thread and with trying to share my knowledge of computer security here.

 

-Noel



#64
MagicAndre1981

    after Windows 7 GA still Vista lover :)

  • Patrons
  • 6,216 posts
  • Joined 28-August 05
  • OS:Windows 8 x64

Security can still be decent with UAC disabled.

 
not really. Sorry.

 

OT but not much also UAC, DEP and ASLR (and what not) introduced in Vista and later are good security models in theory :yes:, but in practice I did not notice the dramatic drop in infections worldwide I would have expected since their introduction

 
they do. 90% of the security issues are fixed only by having UAC on.
 
http://arstechnica.c...g-admin-rights/


Edited by MagicAndre1981, 19 May 2015 - 10:07 PM.


#65
jaclaz

    The Finder

  • Developer
  • 15,654 posts
  • Joined 23-July 04
  • OS:none specified

they do. 90% of the security issues are fixed only by having UAC on.

 

...or simply running as non-Admin....

 

The mentioned article BTW is the usual (right) assessment of mitigation of vulnerabilities (which is a good thing, but has not that much to do with actual "security"); if you actually believe what is in that 2010 article, it seems like no one would have been infected by any malware or exploit etcetera since the second half of 2010, and it seems to me like that did not happen.

 

If (completely invented/faked numbers) in 2004 there were 10,000 "security incidents" every 1,000,000 online systems and in 2014 there were (still say) 5,000 "security incidents" every 1,000,000 online systems, then the "increased security" would have halved the occurrences of incidents.

 

What I failed to notice is such a high drop in this; I am talking here anecdotally, I have more or less the same number of (more or less demented) friends calling me because they have botched their PC through some virus or malware in recent years than I had 10 years ago or so.

 

jaclaz



#66
MagicAndre1981

    after Windows 7 GA still Vista lover :)

  • Patrons
  • 6,216 posts
  • Joined 28-August 05
  • OS:Windows 8 x64

 

they do. 90% of the security issues are fixed only by having UAC on.

 

...or simply running as non-Admin....

 

 

this is what the UAC is doing *facepalm*



#67
jaclaz

    The Finder

  • Developer
  • 15,654 posts
  • Joined 23-July 04
  • OS:none specified

 

this is what the UAC is doing *facepalm*

Sure it is :).

 

Most of the controversy about UAC (particularly with the initial setup in Vista :ph34r: ) was with the fact that it was far more "intruding" than actually needed, and its use has been largely mitigated in later Windows versions (while in the meantime a number of third party software writers evidently learned how to write programs requiring less privileges).

 

I believe that it is not very easy to balance the actual *needed* protective measures with the actual common *needs* that a user (particularly an "uneducated" home, "average Joe" ) might have, and all in all the good MS guys have IMHO reached in 7 (and I presume also later versions of Windows) a good compromise.

 

Still, it is evidently not a "security" mechanism that works much in practice; it is simply a way to "invite" people to pay some more attention to what they allow to run on their machines, but seemingly people keep pressing "yes" to those prompts anyway or downright disable UAC because they are annoyed by too many prompts.

 

jaclaz



#68
JorgeA

    FORMAT B: /V /S

  • MSFN Sponsor
  • 3,739 posts
  • Joined 08-April 10
  • OS:Vista Home Premium x64

 

If (completely invented/faked numbers) in 2004 there were 10,000 "security incidents" every 1,000,000 online systems and in 2014 there were (still say) 5,000 "security incidents" every 1,000,000 online systems, then the "increased security" would have halved the occurrences of incidents.

 

What I failed to notice is such a high drop in this; I am talking here anecdotally, I have more or less the same number of (more or less demented) friends calling me because they have botched their PC through some virus or malware in recent years than I had 10 years ago or so.

 

jaclaz

 

 

The explanation for this may lie in the vastly increased number of malware infections floating out there, waiting to affect vulnerable systems.

 

Continuing to use made-up numbers ;), if in 2004 there were 10,000,000 viruses, trojans, and whatnot lurking in cyberspace, and in 2014 there were 100,000,000 such pieces of malware, then the 90% protection that MagicAndre cited would, indeed, result in your anecdotally getting about as many reports of infections from your demented friends :) as before. When dealing with the absolute number of infections, in addition to the increased effectiveness of protective measures we also need to account for the increase in available malware packages.

 

--JorgeA



#69
jaclaz

    The Finder

  • Developer
  • 15,654 posts
  • Joined 23-July 04
  • OS:none specified

 

The explanation for this may lie in the vastly increased number of malware infections floating out there, waiting to affect vulnerable systems.

 

Continuing to use made-up numbers ;), if in 2004 there were 10,000,000 viruses, trojans, and whatnot lurking in cyberspace, and in 2014 there were 100,000,000 such pieces of malware, then the 90% protection that MagicAndre cited would, indeed, result in your anecdotally getting about as many reports of infections from your demented friends :) as before. When dealing with the absolute number of infections, in addition to the increased effectiveness of protective measures we also need to account for the increase in available malware packages.

 

--JorgeA

 

 

Sure :) that could be a random number explanation as good as any other one, but IMHO you are confusing "pieces of malware" with "number of vulnerabilities" and with "number of incidents" (as much as the good MS guys and a lot of other people around confuse vulnerabilities with security).

 

There may be tens, hundreds or thousands of "pieces of malware" making use of a same, single vulnerability.

There may be tens, hundreds or thousands of "incidents" that could be related to a same, single vulnerability (actually to the corresponding exploit).

 

On the other hand there may be tens or hundreds (possibly even thousands) of vulnerabilities for which an exploit is not practically doable or for which there is not a viable exploit, and tens or hundreds of vulnerabilities for which an exploit exists but that never causes an incident.

 

More loosely a number of vulnerabilities in itself is a sterile number.

 

Vulnerabilities are (largely) theoretical, in the sense that very often they need such a complex set of concurrent settings/setups to be not statistically sound.

 

Let's say that I am writing a malware of some kind, and I discovered a brand new vulnerability.

The vulnerability needs (say) that:

  • a user runs Windows XP SP3
  • his/her motherboard is an Asrock xyz model
  • the machine has more than 4 Gb RAM
  • the NIC MAC begins with 00:E0:4C (i.e. an additional RealTek network card is in the system)

and when a specially forged document (let's say an animated GIF) is accessed on a Friday between 00:01 and 00:09 GMT I can run a payload of some kind, ONLY IF the user is using Internet Explorer 7.0 AND he is logged in as Administrator.

 

It is clear that if the user runs as "normal user" the vulnerability is not a vulnerability anymore, but the same holds if any one of the other conditions is not met, so that the number and complexity of the other needed conditions makes it so improbable that my evil plan has any actual chance of success that even if all the world's users would run as Administrator I will never be able to cause any incident by using that vulnerability.

 

Yet it would be counted among the 90% of vulnerabilities "fixed" by running as "normal user".

 

jaclaz



#70
rodocop

  • Member
  • 2 posts
  • Joined 20-December 12
  • OS:XP Pro x86

jaclaz seems to be most realistic person here.

 

There isn't any 'security model' good by default. There isn't some attack surface constantly being decreased by new defending techs and tools.

All the balance is dynamic - and it would be greatest mistake to think that some solution is final.

Look: Chrome is supposed to be the safest browser - by design. But the latest Facebook malware epidemics were spread only by users with Chrome, as the technique was to install a malicious extension designed for this browser (and most of its clones).

 

Next point. Everyone say: "Update, update and one more time update!". Well, OK. Done.
Who can manage all the knowledge about fresh vulnerabilities - we, users (even advanced ones) or people from the dark side? You know answer.
They do. Not we.

 

Paradoxically, a newly updated system is a more attractive and unrestricted field for the villain than a good old stable one with known holes. New software, new modules, new functions mean new security holes. They learn and use them faster than we react and start defending.

 

That's why I say 98 nowadays is the safest OS from Windows ;) That's why I say that need of updating is seriously overestimated.

That's why we can't rely on any even slightly outdated research saying that some tech or ware provides the best defence.

Provided. At the moment of release. Not now.

 

What can I recommend here? Not so much. Decrease attack surface by not using popular products, popular setup. Apply all the possible proactive defense to your current setup (it may be WinXP or Win 7SP1, but you really can stop racing this Updates Grand Prix). Well, the only real system-level tools that work are policies/Applocker or EMET.

 

But maybe better do not install what you don't use. For XP I dropped .NET entirely (except 1.1 that goes with SP3). After deinstallation I found that only 1 (!) application stopped working. And it was just a wallpaper changer that I could replace with a number of alternatives. But I decided to install back only the .NET 2.0 needed.

Well, I've updated IE to the last version available (but never intend to use it for surfing) and dropped other popular browsers in favor of K-Meleon. I've changed Adobe Reader for Foxit. I use Skype through Trillian (voice only) or have video calls with ooVoo. Sylpheed instead of Outlook, Thunderbird etc.

The second point is content filtration - so I use adblockers along with web filters. DNS filtering is good but I use K9 Web Protection (and the second option could be web-filter from Forticlient).

Next I use AnVir Task Manager for advanced startup control.

Last but not least one is DrBrain antivirus ;-)

 

This doesn't mean I restrict myself in where to go and what to do.

My security concept - on the contrary - lets me work as admin, visit any sites :angel :w00t:, install software etc. It works. And lets me work too.

I'm the real owner of my PC. I don't need all these real-time AV-monsters, eating all the power and resources and producing conflicts.

But I spend some unused time of my CPU on regular checks with a good AV-scanner and some other selected antimalware stuff.

No malware last number of years. For me and my family. (And they aren't PC expert-level users :whistle: )





