
For those who do not use an anti virus tool or spyware tool

Post #1: Corey (Co-Founder/Administrator, Thread Starter), 03-05-2005, 03:30 PM

Good reading.
http://seattletimes.nwsource.com/htm..._ptmrsh05.html

I myself would not be caught dead without using an anti virus checker, spyware removal program, and my firewall built into my router.

Just going to a website can load a trojan on your PC, and without using these tools, you are at risk.

I know many on the forum here have stated they do not believe in running an anti virus program, and I think that is just plain nuts.

I use AVG from Grisoft, and it takes no horsepower to have it running all the time.

Better safe than sorry.
There are a lot of infected PCs out there, as I get viruses sent to me daily, and those are from members here, as it is an address that is only accessed from here.
Post #2: jc1kz, 03-05-2005, 03:33 PM
hmmm, if you're getting them from here, I'm thinking not from friends
Post #3: Corey (Co-Founder/Administrator, Thread Starter), 03-05-2005, 03:35 PM
Many users are unaware they are even sending a virus.
Their infected PCs have trojans installed that send out viruses to everyone in the user's address book, and spoof the return address.

That is how most viruses work.
Post #4: photoleif (Contributing Member), 03-05-2005, 04:11 PM
simply running a firewall, as many have pointed out, is not sufficient, though it should be required for everyone. there are many levels to security, and i'll cover just a few here.

physical -- assume that anyone who has physical access to your machine will eventually break in. there's only "so much" you can do about this.

network -- many insertion attacks and denials of service (DoS) can occur to your machine when it's on a network. as the article states, the only way to be fully immune from those is to be disconnected.

application -- this runs the gamut from games to shareware to the operating system and anything in between and beyond. if the OS is buggy (ahem.../cough/ windows) then you are under constant red-alert due to unpatched and undiscovered flaws. the same goes for any software, surprisingly including security software too, which we've seen as of late can be turned off by certain worms.

in terms of protecting against threats, the following are a good set of guidelines. not complete, but a very good start (this assumes a windows OS):

1. disable all unneeded services, especially netBIOS, windows messenger and remote registry editing. run windowsupdate at least weekly, and install all critical security patches. for most users, i recommend enabling the windows auto-update service, if you haven't already, which makes this simpler for novices or those too busy to otherwise bother.

2. run at least a software firewall, such as one of the flavors of zone alarm, and keep it updated by frequently installing new "definitions" files. ensure that well-known ports that serve as attack vectors (whether incoming or outgoing) are blocked, according to recent lists. programmatically block all unused ports and configure program control to force every application to ask for permission, and when a program *does* ask for permission, find out what it is before you quickly say Allow. concerning control of e-mail, configure the firewall (software) to rename or otherwise sanitize incoming mail. for instance, zone alarm renames all executable attachments for you, so that they cannot run. additionally, consider configuring your e-mail client (or the firewall) to sanitize html e-mails. furthermore, configure the firewall to block your e-mail program's access to the internet (via HTML), by forcing it to only use e-mail ports.

3. consider running a hardware firewall; however, they're often expensive and may be difficult to keep updated.

4. run a good-quality antivirus program, keep it updated very regularly (at least weekly, if not daily), and ensure that its engine also is kept up to date, since certain older engines are incapable of detecting certain metamorphic viruses and other threats. configure the antivirus to scan all incoming and outgoing messages.

5. for daily use, do not log on as administrator. once your OS is configured properly, there's less of a need to always run with admin credentials. personally i do not do this, but i knowingly accept the risks involved with my choice. if you were infected while running with admin rights, the malware would run with your credentials.

6. concerning e-mail (from a social aspect): do not run executable attachments from anybody, period. now obviously, life isn't as fun, and your friends will razz you about this, so if you must run them, save locally and scan first. if you do not know the sender, or if an e-mail with executable content purports to be from microsoft, from "admin" or from your ISP, treat it with special caution -- these are common tricks and 99% or more of these (and 100% of mail with attachments claiming to come from microsoft) are faked. if the mail is full of poor grammar, misspellings or looks "too good to be true" -- it very likely is, and should be trashed. certain e-mail programs (eudora /cough!/) are set up by default to save all attachments to independent files, rather than keep them in your mail database. this is truly heinous since it just *inserted* a viral file on your drive for you! this must be overridden, either by reconfiguration of the program, or by abandoning it altogether and using a more secure program such as mozilla thunderbird.

7. run all of these (or their close analogues): spybot search & destroy, spywareblaster, and ad-aware. inoculate your system (and especially IE) per these programs' directions, to protect against tracking software such as AvenueA and some ActiveX-based attacks. keep these programs' definitions files updated, similarly to how you would with your antivirus. run them weekly or so, and remove all offending code they find. i do not recommend removing program history, etc., but it's your choice.

8. use a more secure browser, such as mozilla firefox. while NO browser is 100% secure, IE has been shown consistently buggy and full of security holes.

9. use an augmented hosts file. this can be used to redirect much (though not all) network traffic away from suspicious websites to block not only malicious code, but also to block annoying ads. my hosts file is around 10,000 lines long and blocks around 75% of all ads on various sites, blocks tracking sites such as doubleclick, and disables functionality from annoyances such as click sites.

as i stated, this isn't a complete list, and many who are more expert in security will find items to add, and probably holes in my strategy... to which i say GREAT! all the better to have an open discussion on how to improve our security overall.

Last edited by photoleif; 03-05-2005 at 08:04 PM. Reason: clarified a couple points
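Added example (not code from photoleif's post, nor from zone alarm or any other tool named above): the attachment-renaming idea from points #2 and #6 as a small Python check, written to catch the disguised names that a plain "ends with .exe" test misses. The extension list, the ".txt" suffix and the sample attachment names are my own assumptions, not from the thread.

```python
import os

# Extensions Windows runs (or that carry script/active content) on double-click.
# This list is an assumption for the example, not a complete one.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".vbe", ".js", ".jse",
    ".wsf", ".wsh", ".hta", ".cpl", ".msi", ".reg", ".lnk",
}

def executable_extension(filename):
    """Return the executable extension Windows would act on for this attachment
    name, or None. Normalises the tricks a naive endswith('.exe') check misses:
    upper case, a harmless inner extension ('photo.jpg.exe'), space padding that
    pushes the real extension out of view in a narrow column, and trailing dots
    (which Windows silently strips when saving the file)."""
    name = "".join(filename.lower().split()).rstrip(".")
    ext = os.path.splitext(name)[1]
    return ext if ext in EXECUTABLE_EXTENSIONS else None

def sanitize_attachment(filename, suffix=".txt"):
    """Rename an executable attachment so a double-click opens it as text instead
    of running it. Returns (name_to_save, was_renamed)."""
    if executable_extension(filename) is None:
        return filename, False
    # collapse the padding and trailing dots before appending the safe suffix
    return " ".join(filename.split()).rstrip(".") + suffix, True

def sanitize_all(filenames):
    """Process every attachment of one message.
    Returns a list of (original_name, saved_name, was_renamed)."""
    results = []
    for original in filenames:
        saved, renamed = sanitize_attachment(original)
        results.append((original, saved, renamed))
    return results

# Constructed sample attachment names (not taken from any real message).
SAMPLE_ATTACHMENTS = ["report.exe", "photo.jpg                  .exe", "INVOICE.PIF",
                      "notes.txt", "holiday.jpg", "update.exe."]

if __name__ == "__main__":
    for original, saved, renamed in sanitize_all(SAMPLE_ATTACHMENTS):
        print(f"{original!r:40} -> {saved!r}  {'RENAMED' if renamed else 'ok'}")
```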
Post #5: arjan (Contributing Member), 03-05-2005, 04:28 PM
Interesting stuff, I got away for a long time without catching virii. I am not an active emailer and I think that helps. Also I used Eudora, and now Thunderbird, which both have spam filters which work quite well. Chances are that if I get a virus through suspicious email, I won't even see it.

Is there software which automatically keeps your hosts file updated with known sites associated with malware, spyware, etc.?

I also wish that I had some good info on which services under windows are needed, and which I should, or can, disable. I usually disable a bunch of obvious ones, but I think there are a lot more which could be stopped.

Also when you have 1 computer at home and don't use windows networking you can go into your network setup and remove everything under your network adapter except tcp/ip. It's safer, and keeps your CPU from running unused software.

Good thread, let's keep it going with good info.
Post #6: Corey (Co-Founder/Administrator, Thread Starter), 03-05-2005, 04:42 PM
Leif, #9 in your post above, I run the Hosts file thing from my Spysweeper software.
http://www.pnw4runners.com/temp2/hosts.jpg

It is cool, as it blocks the embedded ads that you often see on websites.
SP2 takes care of my pop ups with the updated IE, but only the hosts blocker keeps out those pesky banner ads.

Spysweeper is a great program.

Great info you have above.
Post #7: photoleif (Contributing Member), 03-05-2005, 05:51 PM
arjan, i've not heard of software that automagically updates the hosts file, but it would be darn slick. doing it manually is a pain. i do not have experience with the spysweeper hosts file interface that corey points to above, but it's possible it provides some intelligent updating.

oh and i forgot:

#10: periodically run "autoruns" from www.sysinternals.com, which will list out all programs that run on startup. in the list you can delete them if you wish. this performs both registry updates and can remove files and shortcuts from your startup menu. it does not provide an interface to the services list, which is instead provided by the M$ built-in program called services.msc.

as background: i disable all but 21 services, and of those allow only 8 to start up automatically, resulting in about 17 active processes. the default configuration of win2k starts with about 55 active processes. if you want to find a reliable discussion of what each built-in windows service does, you can review www.blackviper.com for his list. he provides both win2k as well as xp service lists, along with a nice table identifying whether each is truly required or not, per user type (i.e. gamer, optimized, etc.). do NOT randomly disable services without first being certain of their purposes, and NEVER disable Remote Procedure Call (RPC).

arjan, for home use, one should probably disable all network add-ons except for tcp/ip. in this day and age, there's virtually no need for most people to use netBIOS, IPX/SPX and windows networking. you don't need WINS except in some corporate environments, and unless you want to share a printer or share files on a home network, you should disable or even deinstall file and printer sharing. furthermore, you can disable the DNS service, since its purpose is not name-resolution, but rather storage of data for specialized troubleshooting. if you want, i can post or PM you a list of my services.
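Added example, not code from photoleif's or corey's posts and not part of Spysweeper: a small Python script that does the "automagic" hosts-file update arjan asked about, merging a downloaded blocklist into an existing hosts file (point #9 in post #4). The blocklist formats accepted, the 0.0.0.0 sink address and the sample domains are my own assumptions; the sample data is constructed.

```python
import re

# Names that must never be redirected, whatever a downloaded blocklist says.
PROTECTED = {"localhost", "localhost.localdomain", "broadcasthost"}
# One hosts-file mapping: address, one or more hostnames, optional trailing comment.
_ENTRY = re.compile(r"^\s*([0-9a-fA-F.:]+)\s+([^#]+?)\s*(?:#.*)?$")
_HOSTNAME = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*")

def _is_address(token):
    # IPv4 dotted quad, or anything containing ':' (IPv6)
    return ":" in token or re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", token) is not None

def parse_hosts(text):
    """Return {hostname: address} for every mapping in hosts-file text.
    Comments and blank lines are skipped; a later line wins on duplicates."""
    mapping = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            for name in m.group(2).split():
                mapping[name.lower()] = m.group(1)
    return mapping

def merge_blocklist(hosts_text, blocklist_text, sink="0.0.0.0"):
    """Append every new hostname from the blocklist to the hosts file, pointed at
    `sink`. Accepts one-name-per-line or hosts-file style blocklists. Skips names
    already mapped, PROTECTED names and malformed names, so re-running is safe.
    Returns (new_hosts_text, number_added)."""
    existing = parse_hosts(hosts_text)
    added = []
    for line in blocklist_text.splitlines():
        tokens = line.split("#", 1)[0].split()  # strip comments, split fields
        if not tokens:
            continue
        names = tokens[1:] if _is_address(tokens[0]) else tokens
        for name in (n.lower() for n in names):
            if name in PROTECTED or name in existing or not _HOSTNAME.fullmatch(name):
                continue
            existing[name] = sink
            added.append(name)
    if not added:
        return hosts_text, 0
    block = "\n".join(f"{sink} {name}" for name in added)
    return hosts_text.rstrip("\n") + "\n# --- merged blocklist ---\n" + block + "\n", len(added)

# Constructed sample input (not a real hosts file and not a real blocklist).
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 ads.example.net  # blocked by hand\n"
SAMPLE_BLOCKLIST = ("# constructed blocklist\n0.0.0.0 ads.example.net\n"
                    "0.0.0.0 tracker.example.org counter.example.org\n"
                    "clicks.example.com\n127.0.0.1 localhost\n")
```

Running `merge_blocklist(SAMPLE_HOSTS, SAMPLE_BLOCKLIST)` adds three entries and leaves localhost and the hand-made ads.example.net line alone; on Windows the result is written over %SystemRoot%\system32\drivers\etc\hosts from an administrator account.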
Post #8: arjan (Contributing Member), 03-05-2005, 06:26 PM
Thanks, I had actually forgotten about blackviper. I've been there before. I reinstall windows quite often, and then lose my near perfect setup again. I have Norton Ghost around now, so I should just get my system to where I want it and make a copy on dvd. It should work quite well since I use a laptop now, so the hardware doesn't change.
I ended up getting a dvd burner and stuck it in an external box with usb2 and firewire. I am using the firewire, and that works like a charm.
The cd burner in that drive is also faster than the one in the laptop, so I burn my regular cds with that too.
Anyway, back to the subject.
Tomorrow (Sunday) I'll hopefully have some time to go through blackviper's website.
Post #9: Corey (Co-Founder/Administrator, Thread Starter), 03-05-2005, 06:51 PM
Well, I just spent the last hour disabling quite a few things via the BlackViper site that were set to load auto.

I have not rebooted yet, so stand by

If after I reboot I lose my cable connection, I will have to set back up the DHCP thing, and a few other services.

I did disable Restore Points, as I never use them.
If my PC gets fubared, I have a complete backup on a USB hard drive, and I would just format and reinstall all.
Post #10: Corey (Co-Founder/Administrator, Thread Starter), 03-05-2005, 07:02 PM
No 'Net

Yep, I rebooted and my Steam client for Counter Strike and Half Life 2 gave me an error message.

Tried to get here, and "page not found" error.

I had to set DHCP Client back to automatic and start the service back up.
Soon as I did, I was back on line.

The PC boots much faster.
I will test it tomorrow with some gaming.
Post #11: photoleif (Contributing Member), 03-05-2005, 07:15 PM
corey, that's a lot of work if your PC gets hosed, dontcha think? i'd recommend leaving XP restore points in the event of a minor, but problematic issue that crops up at a known time. i wish win2k had the ability to do a nice snapshot. also, DHCP is your friend, if you have a router and multiple PCs that log on at differing times (however if you have one PC, then DHCP isn't critical if you know how to program in the net info into your TCP/IP stack). PM me if you want an explanation. the overhead for these services is minimal, compared to the overhead, annoyance or security risk of hogs such as the HID input service and Indexing service, and security evils such as TCP/IP NetBIOS Helper and the Messenger service, among others. i tracked down what runs when the Messenger service is alive, and deleted the actual file, too. also, if you don't have a modem, disable telephony (note: you'll need to set telephony to disabled, then reboot, since you can't kill it while the OS is running). if you dump telephony, also disable the fax service (which can be stopped and disabled while the OS runs). disable telnet unless you critically need it. this service is *not* what allows you to telnet out; it allows incoming connections and was the subject of a messy problem for M$ a couple years back, with some security hacks.

Last edited by photoleif; 03-05-2005 at 07:47 PM. Reason: fixed bad grammar
Post #12: Corey (Co-Founder/Administrator, Thread Starter), 03-05-2005, 07:39 PM
I got rid of telnet and telephony earlier too.
The Indexing was already set to disabled, as Viper explains that SP2 does it for you.

I have 3 PCs and a router on my home network, so the DHCP is a must I guess.

Yeah, I may turn back on the Restore Points service, but I have never used it.
Did on my son's PC last year, and it fixed it.

Got rid of the Messenger thing a long time ago.
For those who do not know, this is not the Instant Messenger thing from Microsoft, but another program used to send messages across networks.

Spammers often use this to send you a pop up message on your desktop.
Mine was enabled last year before I learned how to disable it, but I never got a popup since I am behind a router.

Once I took the router off line and hooked right to the modem for some testing, and all of a sudden a pop up from the Messenger thing appeared on my desktop.
Some guy was spamming me to buy software.
Hooked up the router again, and it went away.

What they do is send their messages to multiple IP addys at once, and he got lucky by getting to me through my IP.
When the router is in place, they can not get to your IP, since you are behind the firewall.


I pretty much keep my PC clean by running SpySweeper and using Diskeeper on Thursday night for the weekly tuneup.
I like to have it running at top notch for gaming during the weekend.

Funny thing is my PC never ever gets spyware on it.
I also run Ad-Aware and Spybot, but I like SpySweeper the best.