Computer Security Thread
Dear Malware: We Hate You
It's a dangerous internet out there. In this thread, let's discuss questions, recommendations, and techniques related to computer security.
Dealing with a nasty infection? Make a post and see if anyone has any advice. Need some recommendations on which anti-virus to use, or just have a quick question about what MBAM is? Check out the software list and ask around for testimonials. The thread's really intended to be a catch-all for any information you might need for security related issues. The OP will be updated as more information fills out, recommendations are made, news breaks, or errors are caught.
On that note, please feel free to contribute to the OP! If you know of a piece of security software overlooked, or take issue with the advice given, post it in the thread and the OP will be modified accordingly. As a major disclaimer, I personally am not a security expert, but many people on the forums are very skilled in this field. I plan to give as much help as I can, but hopefully this thread can become a useful info-dump. With luck we can avoid numerous redundant threads on the forum about the same problems, and have a quick-access reference for a variety of questions.
Most of the assembled links and advice are offered for Windows systems, but discussion of all OS flavors is invited.
Big 'ol List of Dang-Useful Security Software:
Other Protective Measures
A note on software: No single solution is 100% effective for every person. Depending on how you use your machine, different software will be more suited to your needs. As such, there's no way to tell you exactly what to install, but hopefully you can get some good recommendations about where to start if you're curious.
Current Top Recommendations.
From lurking about the forums, the following pieces of free software have been highly recommended by a large number of people. They're listed here for quick reference, and may change or rotate depending on forum reception and popular opinion. They're lightweight, very effective, and easy to work with. If you're wondering what to get for Anti-Virus or Anti-Malware, these are solid choices. For a list with more options, see behind the spoilers.
This post is old and requires some updating. A/V software is currently evolving quickly. For the moment, the best advice is: avoid McAfee if you can (and, if you're running government machines, Kaspersky).
Basic layers of defense against intrusion from internet-based attacks. From Windows XP SP2 and higher, Windows Firewall should be on by default. A large majority of people using computers should therefore already have a firewall on, but these solutions offer more robust options if you're interested.
Interesting note: Windows Firewall has caught a lot of flak in the past for not having outbound protection. For XP, it certainly doesn't. In Windows Vista and Windows 7, though, it is possible to configure the firewall for outbound filtering. See here for more details.
Personal Opinion from the OP (Take with a grain of NaCl): If you're worried about nasties, outbound blocking isn't going to help you much. Once the thing is on your system, it's too late, even if you're blocking its communications. Outbound blocking/monitoring can be useful for privacy's sake, though.
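If you do want the Vista/7 outbound filtering mentioned above, here is an added example (not from the original post) of configuring it with the built-in netsh tool from an elevated command prompt: default-deny outbound, a couple of allow rules, and dropped-connection logging so you can see what the filter actually blocks. The browser path is a placeholder; adjust it to whatever is installed on your machine.

```batch
@echo off
REM Added example (not from the original post): outbound filtering for
REM Windows Firewall with Advanced Security (Vista / Windows 7) via netsh.
REM Run from an elevated (Administrator) command prompt.

REM 1. Show the current policy for each profile. The out-of-the-box setting is
REM    "BlockInbound,AllowOutbound", i.e. no outbound filtering at all.
netsh advfirewall show allprofiles | findstr /i "Profile Policy"

REM 2. Switch every profile (Domain, Private, Public) to block outbound
REM    connections by default. Anything not explicitly allowed is dropped.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

REM 3. Allow only the programs you actually use. The path is a placeholder.
netsh advfirewall firewall add rule name="Allow browser outbound" dir=out action=allow program="C:\Program Files\Mozilla Firefox\firefox.exe" enable=yes profile=any

REM    Windows Update and the DNS client run inside svchost.exe, so allow them
REM    by service name and port instead of opening svchost.exe wholesale.
netsh advfirewall firewall add rule name="Allow Windows Update" dir=out action=allow service=wuauserv protocol=TCP remoteport=80,443 enable=yes
netsh advfirewall firewall add rule name="Allow DNS client" dir=out action=allow service=Dnscache protocol=UDP remoteport=53 enable=yes

REM 4. Log dropped connections so blocked outbound attempts leave a record.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%SystemRoot%\system32\LogFiles\Firewall\pfirewall.log"

REM 5. Review what was blocked. In pfirewall.log the last field is the
REM    direction: SEND means an outbound attempt from this machine was dropped.
findstr /i "DROP" "%SystemRoot%\system32\LogFiles\Firewall\pfirewall.log" | findstr /i "SEND"
```

Expect some breakage the first day (updaters, IM clients, games); add an allow rule per program as the log shows it rather than switching the policy back to allowoutbound.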
Other Protective Software - HIPS (Host Intrusion Prevention System) and Sandboxing
Rootkits can be nasty, nasty things when put to malicious purposes. I'm not an expert, so I can't explain them fully, but my layman's understanding of them is that they can effectively hide from just about anything - including your A/V and Antimalware software. The following programs are designed to detect and/or remove rootkits from your system.
Make no mistake, though. If a rootkit gets on your system, the highly recommended course of action is to backup, clean format, and rebuild. It's the only way to be sure you got the sucker.
(Unless specified, these programs are only for x86 machines. 64-Bit Rootkit detectors are a different matter)
Other useful software
HIPS and Sandboxing programs add a fantastic layer of first-line defense in addition to Antivirus and Antimalware software. Most of these programs aim to prevent any untrusted software from running or modifying the system, or else will run programs and save files in a virtualized environment where they can't cause harm. Sometimes this means more hassle for the end user: if you actually want to get a file or program out of the sandbox, or past the HIPS, you have to do so manually. But it's very difficult for nasties to get past these layers if you have them configured correctly.
Keep in mind some of these programs take some advanced configuring, and may not play well with others. I'd recommend further research into each product before taking the plunge.
Note that as of writing this post, there are no functioning HIPS or Sandboxing programs that I know of for x64 Windows machines. Microsoft's Patchguard makes this rather difficult. (EDIT: 64-Bit Sandboxie is available, in release form, as of 2/3)
LiveCD and RescueCD options
- Tools of great value, now owned by Microsoft.
- Autoruns - Allows you to see and manipulate/remove all startup tasks and such. Also has a very handy 'Filter Out Windows Processes' option.
- Process Explorer - Task Manager on steroids. Allows you to see all running processes, including parent/child process relationships and in-use DLLs, etc.
- Process Monitor - More detailed process information, including monitoring of real-time file system, registry, and thread activity.
- Secunia Personal Software Inspector - Free tool designed to alert you to the presence of outdated and/or vulnerable software on your system. Great for keeping up with third-party programs.
- HijackThis - Now owned by Trend Micro, HijackThis is a useful program for determining if nasties have their hooks in your browsers. A HijackThis log is sometimes requested if you're looking to remove malware, but not always. It takes a bit of experience to decipher the logs, but if you want to auto-analyze the results there are two OK-ish websites here and here. Just be aware of what you're doing before you remove anything!
- ESET Sysinspector - Tool for monitoring system changes and status. Sysinspector takes 'snapshots' of your system, and reports back 'risk' levels for each entry it finds. The real power comes from the ability to compare 'snapshots' between different time points, to see what changes have occurred to your system.
- WinPatrol - System monitoring software. WinPatrol keeps an eye on new additions and changes to your system, and alerts you to when they take effect.
- Cleanup! - Free tool to remove temporary files from various locations on a Windows XP or earlier system, where malware oftentimes hides after infection.
- CCleaner - Tool to remove unwanted temporary files and/or old registry entries from a system.
In the event that your system becomes infected with a piece of malware, it's often preferable to try to solve the problem from outside the afflicted operating system instead of trying to address the issue from within. The following LiveCD and RescueCD options are bootable images that you can burn to a disc. The tools and available utilities for each vary depending on which you choose, but they will all allow you to boot into a Linux or Windows environment from which you can address the infection, or else take you directly to a scanning utility. This can be particularly useful for backing up files from an existing partition before doing a complete reformat/reinstall.
I'm Infected! What do I do?
Having layers of security is always a fantastic idea. It's never a good approach to rely upon one security suite and hope it will keep you one-hundred percent safe. There are actually a number of really great ways to keep your system secure that don't involve additional scanning applications, some of which are built right into most operating systems.
Because I'm a silly, silly goose, you can find this information elsewhere in the thread (I neglected to account for size, and this was a late addition to the OP). Even if it sounds a bit different than usual, this is really important stuff! Take a look and see what works best for your system.
Even the most vigilant user can get infected these days, thanks to the way zero-day threats and new malware propagate at an alarming rate, and in unexpected ways. If you suspect that you've been infected, there are a number of ways to verify a compromise. Try running MalwareBytes AntiMalware, an anti-virus scanner, or an online scanner from the list below. They'll let you know what, if anything, hit you. If they come back positive, or you're just sure that the porn-laden pop-ups / Scareware windows you're seeing are a good indication that you've been compromised, there are several things you can do. It's hard to give generic advice that will work in all cases, but the following are some basic ways to approach the problem. These options are, in no particular order:
- The Nuke From Orbit: Backup your data. Clean format your hard drive. Reinstall your operating system and start over. Whatever infected you, it'll likely be gone.
Yes, it sounds severe, but to be completely honest it's the only way to be sure. Modern malware has deep-digging claws, and if it gets onto your system there's a good chance of it inviting all of its friends. Once an initial infection occurs, most nasties will launch droppers to install other trojans and such, and even deploy rootkits onto your system. There's always a possibility that, no matter how well you cleaned the system, there's something left over that you can't see. Some nasty shit like Virut will also corrupt just about everything on your system, so even removal of the virus will leave damaged files behind that can't be repaired.
If you take this course of action, be sure to scan your backups for nasty garbage before you restore them. Remember, PDF and .doc files are vectors for infection. Disable autorun for USB devices on XP (it's disabled by default on Vista and 7) before you plug in your backup drive, and ensure your stuff is clean before restoring.
It may seem like a pain in the ass, but if you're running a modern system on Win 7, reinstallation can be quite fast. And with programs like NLite and vLite it can be a bit easier to manage. Restoring from an image backup can be even more painless, if your backup solution hasn't been compromised.
- Outsider Assistance: Scan your disks from outside the operating system.
Booting from a live-CD into another operating system will ensure that whatever crap got its hooks into your machine will be inert. See the "LiveCD and RescueCD options" section in the "Useful Software List" section above for various image files that can assist in either scanning for nasties, or else allowing you to backup your system from outside the OS. Alternatively, you can mount the HDD somehow to an OS X or Linux system with A/V software, and scan through that route. A bit tricky if you go the 'pop the HDD' route, perhaps, but safer than trying to clean from within Windows, if your Windows disk is infected.
- The Inside Job: Scan in Safe Mode.
Reboot your system. Once the BIOS POST message clears, mash on F8 until you have the option to load various Windows Safe-Modes. Choose Safe Mode with Networking, and let things load up. Once you're in, download, install, and update MalwareBytes AntiMalware as necessary. Let it run a full scan, and then take action to remove any nasties. Follow this up with an A/V scan from one of the entries on the list below to make sure you're clean. Mix and match removal tools and other anti-malware solutions as necessary (It'll really depend on what you're dealing with). This approach has variable success, but can do the trick in some cases.
If you're going to try to clean an infected system from the infected partition, one of the strongest, most effective tools to root out the malware is ComboFix. Note that this is extremely powerful software, and inappropriate usage will damage your system. The link above will take you to a guide that's pretty comprehensive, so just be sure you're following along appropriately. In many cases, ComboFix is a pretty stellar way to combat even rootkits.
A couple of additional notes about this method. First, sometimes MalwareBytes works pretty well in Safe Mode, but sometimes it's not ideal. The creators themselves have said MBAM isn't designed to run in Safe Mode, but anecdotal evidence suggests that's the only way to root out some nasties. Your mileage may vary, so you might want to try scanning both in and out of Safe Mode. Second, if malware is pestering you to the point that you can't even run any security/cleanup software, try using RKill to terminate the nasty process before launching your cleaners. There are several flavors of RKill to try, but you only need to use one. The others are there as alternatives in case one is blocked.
Safe Browsing by limiting what sites you visit is no longer effective. Obviously, you're safer if you avoid porn/piracy/illegal sites on the internet, but that doesn't make you 100% safe. An emergent and popular threat known as "Malvertising" means that ANY website - no matter how safe and trusted - can potentially expose you to malware. The New York Times, National Geographic, Snopes, and other websites have all infected people who simply visited their pages. Of course, there are a number of actions you can take to mitigate the danger.
- Ensure everything is updated. Obviously you want your OS up to date, so rely on critical updates and service packs from Windows Update. But don't neglect your other third-party programs. Browsers are regularly patched for security purposes. PDF readers and IM clients are similarly patched. As OS patches become more automated, third-party software will become increasingly targeted, so play it safe and up to date.
- Browser Safety. This is a tricky issue I'm reluctant to weigh in on, so hopefully thread contributors can assist. It's difficult to call any one browser 'more secure' than others these days, so long as we're talking about the latest versions. IE 6 and IE 7 should be treated as ebola-carrying monkeys, and not touched with a ten-foot pole. IE 8 apparently has much better default security, and lower privileges, and has been regarded as much more secure than previous versions. Firefox is eminently customizable, and can be made secure if configured properly. Ditto for Chrome, Safari, and Opera.
Chrome and Safari should have methods for selective script blocking as well, but I'm unfamiliar with them at this time. I'll fill in this space if someone in the thread can provide details!
- DON'T PANIC: Modern malware is often 'Scareware' that tries to pressure the user into making an uninformed, rash decision to install malicious software. If you see a popup telling you that it's found a virus on your machine, treat it with suspicion. Do you recognize the name of the software? Is it a security suite you're running? If not, you're likely looking at a browser-generated fraud. Clicking anywhere on the dialog (i.e. even the 'X', 'NO', or 'Cancel' buttons) will launch a download of rogue anti-virus software. The best way to deal with it is to ctrl-alt-del to call up the Task Manager, and kill the browser entirely. Then do a scan with Malwarebytes just to be sure it didn't do anything nasty. Above all, stay in control. If you're not sure of what you're seeing, find a way to record messages/screenshots before taking action.
Additionally, remember to apply the same ideals to communications in general. Don't let someone pressure you into thinking your bank account, credit card, or Paypal are being frozen and they need your password right now!! Anyone who asks you for your password and login information over any channel (IM, email, even the phone) is either an idiot or a thief. Regardless of which they are, you don't want them having that information.
- News Refresh Inbound. Please hold
More will be added to the list as time goes on. Until then, be safe!