So I've used Panda's free cloud AV for a few days and I don't care for it. I fan a scan and it found a "dialer" that MSE did not. Something that irritated me was Panda forcing me to uninstall MSE before I could install it. Yes you can reinstall MSE after installing Panda but Panda should only show me a warning about running two AVs at once not force me to remove it.
Panda's UI & options are very locked down and restricted. Panda "Neutralized" items that it found and that was it. I don't like how this UI gives me almost zero information on what it's doing.
So I've already reinstalled MSE. Not sure when I'm going to remove Panda. I want to see if it's going to slow down my system in anyway first.
So I've used Panda's free cloud AV for a few days and I don't care for it. I fan a scan and it found a "dialer" that MSE did not. Something that irritated me was Panda forcing me to uninstall MSE before I could install it. Yes you can reinstall MSE after installing Panda but Panda should only show me a warning about running two AVs at once not force me to remove it.
Panda's UI & options are very locked down and restricted. Panda "Neutralized" items that it found and that was it. I don't like how this UI gives me almost zero information on what it's doing.
So I've already reinstalled MSE. Not sure when I'm going to remove Panda. I want to see if it's going to slow down my system in anyway first.
That's a shame. I'd been hearing good things about Panda Cloud too, and was wondering how it worked out in practice. From videos and screenshots I've seen, the UI did look a little... 'dumbed down' to put it mildly. I could be oversensitive to that stuff, though, after using NOD for so long.
By the way, I was always under the impression that only one on-access scanner should be run at a time? Is Panda Cloud designed to run along side another on-access scanner? That's actually pretty cool, if true.
If you're looking for another on-demand (not on-access) cloud scanner as a supplement to MSE, there's been some good buzz surrounding Hitman Pro 3.5. It seems to do all of it's scanning 'in the cloud', and uses several different engines from various vendors (I think it's: NOD32, Avira, Prevx, G DATA and a-squared). They've been getting some high praise for rootkit removal efficacy.
Negative strikes against it from what I can gather include some false positives, perhaps more than usual (though I'd probably blame G Data for that). In my opinion I'm not sure I like their pseudo-free approach - Scanning is unlimited, but I guess malware removal is only free for a month after the first removal of any threat. After that a license purchase is required.
I'm fine with just MSE. I also have Malwarebyte's Anti-malware & Spybot-SD installed.
Panda has always had a good engine, I just couldn't stand the UI. I've already uninstalled it because I didn't want to scanners running at the same time.
I'm fine with just MSE. I also have Malwarebyte's Anti-malware & Spybot-SD installed.
Panda has always had a good engine, I just couldn't stand the UI. I've already uninstalled it because I didn't want to scanners running at the same time.
Sounds good. I'd think MSE and MBAM would be more than enough for anyone, given the good reviews I've been seeing for MSE.
So I was reading the Sandboxie site... what exactly is the point of installing the 64 bit version? It seems pretty neutered.
Yeah, I've been asking around at Wilders about this. It's certainly not as effective as the x86 offering. Tuzk has said as much himself, though he also claims that browsing with the x64 version is safer than browsing without it. There are some interesting mitigating factors included, such as the 'drop rights' option enabled by default in the x64 version. That doesn't get past the fact that things in the sandbox still have the potential to contact services they shouldn't. I guess Patch Guard really screwed with Sandboxie's functionality.
Still, I've not seen any reviews of the efficacy of the x64 version. I'm not sure if any malware out there is designed to escape the sandbox. I've been running the x64 Sandboxie for about a week now, but I haven't tested it by purposefully throwing malware at it.
As a last, somewhat more practical/depressing note, the x64 version may be simply Tuzk's way of avoiding criticism and brand damage.
Talking about tarnishing reputation is very nice but there is also a downside to having every Internet reference to Sandboxie include the qualification "but no 64-bit version." That's something you might not have considered.
TetraNitroCubane on
0
Options
TetraNitroCubaneThe DjinneratorAt the bottom of a bottleRegistered Userregular
edited February 2010
Interesting bit of news from the last few days: Apparently the latest round of Windows Update patches that were released last week caused a rash of BSoDs on otherwise functioning systems. The reason, it turns out, is that the incapacitated systems experiencing BSoD on boot are (often) infected with the TDL3 rootkit - One of the nastiest currently in the wild, and one of the hardest to detect/remove.
TDL3 likes to hide in low-level kernel drivers, such as 'atapi.sys'. The rootkit calls addresses which the recent kernel updates have rendered invalid. The result is a good `ol BSoD Stop error, which happens even before bootup. Safemode can't be accessed in this situation, so a boot CD or other solution is unfortunately required to solve the issue once encountered.
More on this can be read here and here. Microsoft's official response can be read here.
It's a problem that illustrates just how insidious and nasty TDL3 is, to be able to sleep for so long without ever being noticed. Though ironically, the overwhelming response I've seen so far has been to point the finger at Microsoft for 'breaking' computers with an update. This actually happened once before, when Prevx openly attacked Microsoft for issuing faulty, computer-breaking updates - it turned out to be malware then, too.
I'm becoming increasingly convinced that Firefox 3.6 isn't safe.
I consider myself cautious, I mind where I click and where I browse, but shit like Antivirus Pro or whatever still gets downloaded, installed, and screws me over.
Thankfully, with Malwarebyte and MSE, a safety mode boot and a quick scan clears it right up, but I'm really loosing faith in Firefox (which I've been using for....wow, three, four years now). That, and the fact that it's a memory whore, and I think I need to start looking at better browsers....
I'm becoming increasingly convinced that Firefox 3.6 isn't safe.
I consider myself cautious, I mind where I click and where I browse, but shit like Antivirus Pro or whatever still gets downloaded, installed, and screws me over.
Thankfully, with Malwarebyte and MSE, a safety mode boot and a quick scan clears it right up, but I'm really loosing faith in Firefox (which I've been using for....wow, three, four years now). That, and the fact that it's a memory whore, and I think I need to start looking at better browsers....
Any suggestions?
Firefox was never really as safe as people raved it was. When it started out what made it "safe" was that it wasn't IE.
Anyway if you want a browser with a sandbox mode you have two options: IE8 (assumeing you're not on XP) and Chrome.
I'm becoming increasingly convinced that Firefox 3.6 isn't safe.
I consider myself cautious, I mind where I click and where I browse, but shit like Antivirus Pro or whatever still gets downloaded, installed, and screws me over.
Thankfully, with Malwarebyte and MSE, a safety mode boot and a quick scan clears it right up, but I'm really loosing faith in Firefox (which I've been using for....wow, three, four years now). That, and the fact that it's a memory whore, and I think I need to start looking at better browsers....
Any suggestions?
Firefox was never really as safe as people raved it was. When it started out what made it "safe" was that it wasn't IE.
Anyway if you want a browser with a sandbox mode you have two options: IE8 (assumeing you're not on XP) and Chrome.
I'm in Windows 7, Professional. I've been using IE8 for general browsing more, and have grown more familiar with it.
Synthesis on
0
Options
TetraNitroCubaneThe DjinneratorAt the bottom of a bottleRegistered Userregular
I'm becoming increasingly convinced that Firefox 3.6 isn't safe.
I consider myself cautious, I mind where I click and where I browse, but shit like Antivirus Pro or whatever still gets downloaded, installed, and screws me over.
Thankfully, with Malwarebyte and MSE, a safety mode boot and a quick scan clears it right up, but I'm really loosing faith in Firefox (which I've been using for....wow, three, four years now). That, and the fact that it's a memory whore, and I think I need to start looking at better browsers....
Any suggestions?
Firefox was never really as safe as people raved it was. When it started out what made it "safe" was that it wasn't IE.
Anyway if you want a browser with a sandbox mode you have two options: IE8 (assumeing you're not on XP) and Chrome.
I'm in Windows 7, Professional. I've been using IE8 for general browsing more, and have grown more familiar with it.
First of all, I'd certainly agree with Shroud about using some kind of sandboxing method or browser. I'd temper the suggestion for IE8, though, with a bit of caution surrounding the numerous security flaws that have been uncovered lately - but if you have it configured appropriately, things should be more secure. Make sure you're running in protected mode, and also make sure you've got the UAC on (ideally set to maximum).
If you wish to keep using Firefox, or just want to tighten up any browser, you can install Sandboxie. Or for hardened security, browse from a virtual machine.
Additional advice: Whatever browser you wind up using, find a way to block flash and javascript. Use Adblocker and Noscript on Firefox, or use whitelisting practices in other browsers (Whitelisting is how I have to do things in Opera, at least. Not sure about Chrome or IE). These Rogue A/V suites mainly get into systems via hijacked banner ads, iframes injected into legitimate pages, and other drive-by download exploits. If you've disabled javascript for whatever domain launches their fake UI on redirect, you'll never even see the script run, and it won't download. It's not 100% security, but it's a good start to cut some of these threats off at the knees.
Lastly, I'd be wary if this stuff keeps cropping up on you. There's a possibility that you've got a lurking infection that's not getting fully cleaned on each cycle. Some of the rogue A/Vs are leveraging rootkits these days.
I'm becoming increasingly convinced that Firefox 3.6 isn't safe.
I consider myself cautious, I mind where I click and where I browse, but shit like Antivirus Pro or whatever still gets downloaded, installed, and screws me over.
Thankfully, with Malwarebyte and MSE, a safety mode boot and a quick scan clears it right up, but I'm really loosing faith in Firefox (which I've been using for....wow, three, four years now). That, and the fact that it's a memory whore, and I think I need to start looking at better browsers....
Any suggestions?
Firefox was never really as safe as people raved it was. When it started out what made it "safe" was that it wasn't IE.
Anyway if you want a browser with a sandbox mode you have two options: IE8 (assumeing you're not on XP) and Chrome.
I'm in Windows 7, Professional. I've been using IE8 for general browsing more, and have grown more familiar with it.
First of all, I'd certainly agree with Shroud about using some kind of sandboxing method or browser. I'd temper the suggestion for IE8, though, with a bit of caution surrounding the numerous security flaws that have been uncovered lately - but if you have it configured appropriately, things should be more secure. Make sure you're running in protected mode, and also make sure you've got the UAC on (ideally set to maximum).
If you wish to keep using Firefox, or just want to tighten up any browser, you can install Sandboxie. Or for hardened security, browse from a virtual machine.
Additional advice: Whatever browser you wind up using, find a way to block flash and javascript. Use Adblocker and Noscript on Firefox, or use whitelisting practices in other browsers (Whitelisting is how I have to do things in Opera, at least. Not sure about Chrome or IE). These Rogue A/V suites mainly get into systems via hijacked banner ads, iframes injected into legitimate pages, and other drive-by download exploits. If you've disabled javascript for whatever domain launches their fake UI on redirect, you'll never even see the script run, and it won't download.
Lastly, I'd be wary if this stuff keeps cropping up on you. There's a possibility that you've got a lurking infection that's not getting fully cleaned on each cycle. Some of the rogue A/Vs are leveraging rootkits these days.
I suppose I should consider this sandbox feature. I'm fairly confident that I don't have something lurking (given that I have both MSE and Malewarbyte running regularly), but I guess there is a possibility, no matter how remote.
I'm actually still on the fence about UAC (I am really tired of those messages every single time)--setting it to maximum might be the ultimate fix, but my god is it irritating enough on 'normal'. In the past, being cautious and diligent has been effective (I went 2 and a half years on the same installation of Vista Home Premium before I switched to Windows 7, using this method--did a lot of cleaning, but never suffered any drops in performance). Recently, it's just gotten worse.
I regularly update everything, include IE8 on a semi-daily basis, which helps. I might check out Chrome--it's been suggested, but I've heard mixed things about it too.
Synthesis on
0
Options
TetraNitroCubaneThe DjinneratorAt the bottom of a bottleRegistered Userregular
I suppose I should consider this sandbox feature. I'm fairly confident that I don't have something lurking (given that I have both MSE and Malewarbyte running regularly), but I guess there is a possibility, no matter how remote.
I'm actually still on the fence about UAC (I am really tired of those messages every single time)--setting it to maximum might be the ultimate fix, but my god is it irritating. In the past, being cautious and diligent has been effective (I went 2 and a half years on the same installation of Vista Home Premium before I switched to Windows 7, using this method). Recently, it's just gotten worse.
I regularly update everything, include IE8 on a semi-daily basis, which helps. I might check out Chrome--it's been suggested, but I've heard mixed things about it too.
If you're cautious, and have been running MSE and MBAM regularly (particularly on-access MBAM), I'd agree that you're probably pretty safe. The hell of a rootkit, though, is that no matter what you're running it can pretty much evade detection, regardless of how good your A/V is. And some of these rogues slip past MSE. Hell, a lot slip past NOD. You said some of these rogues actually got to the point of installing onto your machine, is the only reason I bring it up. If one of them dropped files on your machine, you might consider running an Anti-rootkit scanner. But maybe I'm being over paranoid.
UAC can be a pain, true. The better solution is to run as a limited user, but if you find UAC annoying, a limited user account would probably drive you up the wall. A better solution might be to just force your browser into a 'dropped rights' situation, so that no matter what your privileges are on your account, your browser won't be able to install or save things to sensitive locations. You can check out this article on 'Drop my rights' (Edit: Ugh. Old article. This hiddeous webpage has ironically more updated information) - Or else Sandboxie has an option to do this by default for each program in the sandbox.
And, unfortunately, a lot of programs out there leave gaping security holes wide open for months before patching. Adobe did recently (Just ask Google). There's at least one for IE8 out there, but I don't know if it's just proof of concept, or in the wild. Patching is very, very good - don't get me wrong. I've just been shocked lately at how slow to react some developers are.
UAC can be a pain, true. The better solution is to run as a limited user, but if you find UAC annoying, a limited user account would probably drive you up the wall. A better solution might be to just force your browser into a 'dropped rights' situation, so that no matter what your privileges are on your account, your browser won't be able to install or save things to sensitive locations. You can check out this article on 'Drop my rights' (Edit: Ugh. Old article. This hiddeous webpage has ironically more updated information) - Or else Sandboxie has an option to do this by default for each program in the sandbox.
I think I've done something to this effect in the past--or rather, I had a friend of mine set it up on my last laptop, out of a recommendation, about 4 years ago, and found it to be well suited. I might be worth doing it again, I'll look into it.
I also use Spyware Blaster, this is a black list tool for browsers. It does not run in the back ground so it doesn't degrade performance. It can also disable flash for the entire PC.
As long as you enable Protected Mode for all security zones and keep security settings set well enough IE8 should be ok. I keep UAC set to Full, normal should be ok as long as you have Protected mode enabled for everything. Having SmartScreen enabled actually helps as well.
A good reason to run in Protected Mode and as a non administrator.
Or not use IE.
Now if only I could convince a certain someone that I'm not a fucking idiot and can manually check on my Windows Updates. This is the only reason that piece of shit is still being used on this machine. You know this would be an excellent place to ask since it does coincide with protection.
For Vista, or even Windows 7, is using anything other than IE as your default browser going to stop the automatic updates?
I've read that for Windows 7 you can even remove IE, so I'd imagine the updates aren't dependant upon it... but I can't find any documentation about it. This is the deal breaker on whether I can toss out this useless browser once and for all, and it would -have- to come from Microsoft directly.
Windows Update in Vista/7 is it's own control panel, and doesn't run through IE. You can chuck it out if you want.
(Although IIRC removing it doesn't actually delete it from the system, just removes the shortcuts; otherwise other apps that use IE like Steam would break.)
Ayulin on
0
Options
TetraNitroCubaneThe DjinneratorAt the bottom of a bottleRegistered Userregular
edited February 2010
So the Adobe Flash plugin was updated recently. The patch addresses some security concerns. The current version is 10.0.45.2, and you can check which version your browser is using here.
A word of caution, until I can figure out more: Apparently the buzz on Wilders is that the update might be packed-in with something called the 'Adobe Download Manager' and also tries to install the Google toolbar. I've not gotten any concrete evidence of this, but when I find out more information I'll post clarification.
I'm mostly talking about the Windows side of things (which I thought used the hardware DEP? I'm very uneducated in this topic). As far as I know, the default behavior in Vista and 7 is "Turn on DEP for essential Windows programs and services only", which means DEP won't necessarily be active for every program you use (IM clients, Browsers, etc). The alternative, which is not default, is "Turn on DEP for all programs and services except those I select", which I've heard can cause conflicts with programs like Steam or older applications.
Of course, you can always add non-compatible programs to the exception list, but in those situations I'm always concerned about getting an error and having no way to know what it was from.
I don't know why I didn't see this earlier, but YES, you should absolutely change it to OptOut mode ("Turn on DEP for all programs except those I select"). Read this post over at SA for a good explanation why. I haven't had trouble with steam or any other program, but if DEP kills something you get a message telling you so, so you know it wasn't a random crash.
Why this isn't the default setting, at least for Win7 and Vista, is beyond me.
Okay, so I know a dude who plays a lot of PC games. That's his main thing, right? He's got a lot of stuff on his hard drive, and it'd totally suck if he ever got a virus. Which happens... not too often, but it has. He has no virus protection software, claiming that it just slows down his computer and isn't very effective. When I question him on how he ever removes security threats, he says he just nukes his hard drive, re-installs Windows, then copies everything back on from a portable hard drive. He does this shit MONTHLY, regardless of having an infection or not. Why he doesn't just get Avast or something is beyond me.
Windows Update in Vista/7 is it's own control panel, and doesn't run through IE. You can chuck it out if you want.
(Although IIRC removing it doesn't actually delete it from the system, just removes the shortcuts; otherwise other apps that use IE like Steam would break.)
Ah, but see... do you know where I can see this on Microsofts own website? The fucker apparently thinks that if it's from anywhere else it is a baldfaced flatout lie.
Windows Update in Vista/7 is it's own control panel, and doesn't run through IE. You can chuck it out if you want.
(Although IIRC removing it doesn't actually delete it from the system, just removes the shortcuts; otherwise other apps that use IE like Steam would break.)
Ah, but see... do you know where I can see this on Microsofts own website? The fucker apparently thinks that if it's from anywhere else it is a baldfaced flatout lie.
Meh. All I can find are short references to it being "included in Control Panel" in Vista and up.
Also, a quick visit to Wikipedia says that removing IE does delete the actual executable, but leaves behind the stuff that lets Steam/other IE-reliant programs work.
That being said, you don't have to completely remove IE... just not using it would be fine :P Plus, it's a lot more secure in Vista/7, since it has Protected Mode; again, IIRC, the last few major exploits for it only affect Windows XP or Vista/7 if Protected Mode is off.
Okay, so I know a dude who plays a lot of PC games. That's his main thing, right? He's got a lot of stuff on his hard drive, and it'd totally suck if he ever got a virus. Which happens... not too often, but it has. He has no virus protection software, claiming that it just slows down his computer and isn't very effective. When I question him on how he ever removes security threats, he says he just nukes his hard drive, re-installs Windows, then copies everything back on from a portable hard drive. He does this shit MONTHLY, regardless of having an infection or not. Why he doesn't just get Avast or something is beyond me.
There's gotta be a way to convince this guy.
Install MSE wait a few days and then let him know what you did and point out that he didn't even notice. And don't lead into it with things like "did you notice anything about yout computer," just tell him I installed a low resource AV a "few" days ago. Don't tell him how many days either for awhile. Let him try to figure it out.
Okay, so I know a dude who plays a lot of PC games. That's his main thing, right? He's got a lot of stuff on his hard drive, and it'd totally suck if he ever got a virus. Which happens... not too often, but it has. He has no virus protection software, claiming that it just slows down his computer and isn't very effective. When I question him on how he ever removes security threats, he says he just nukes his hard drive, re-installs Windows, then copies everything back on from a portable hard drive. He does this shit MONTHLY, regardless of having an infection or not. Why he doesn't just get Avast or something is beyond me.
There's gotta be a way to convince this guy.
Install MSE wait a few days and then let him know what you did and point out that he didn't even notice. And don't lead into it with things like "did you notice anything about yout computer," just tell him I installed a low resource AV a "few" days ago. Don't tell him how many days either for awhile. Let him try to figure it out.
I guess you could bring up the fact that in copying everything from the last drive, you could also copy malicious software too.
Synthesis on
0
Options
TetraNitroCubaneThe DjinneratorAt the bottom of a bottleRegistered Userregular
Okay, so I know a dude who plays a lot of PC games. That's his main thing, right? He's got a lot of stuff on his hard drive, and it'd totally suck if he ever got a virus. Which happens... not too often, but it has. He has no virus protection software, claiming that it just slows down his computer and isn't very effective. When I question him on how he ever removes security threats, he says he just nukes his hard drive, re-installs Windows, then copies everything back on from a portable hard drive. He does this shit MONTHLY, regardless of having an infection or not. Why he doesn't just get Avast or something is beyond me.
There's gotta be a way to convince this guy.
Install MSE wait a few days and then let him know what you did and point out that he didn't even notice. And don't lead into it with things like "did you notice anything about yout computer," just tell him I installed a low resource AV a "few" days ago. Don't tell him how many days either for awhile. Let him try to figure it out.
I guess you could bring up the fact that in copying everything from the last drive, you could also copy malicious software too.
Additionally, I'd point out that removing malware is one thing, but preventing it is far more important. It's not always obvious if you've been hit, after all.
A full nuke-and-rebuild will certainly get rid of most anything that might infect your computer (barring contaminated backups and/or nasty, nasty, rare BIOS viruses). Cleaning it up would be easy if he reformats and reinstalls on a monthly basis, sure, but the damage is done at that point. If he's a heavy gamer, then he risks losing his login credentials. If he uses Steam, his account might get hijacked - Even if that gets returned to him by Steam Support, he'll almost certainly get VAC banned, and if he wants to play online he'll have to repurchase his games.
Losing credit card information, banking information, and that sort of thing (if he uses those on his gaming computer) are much more of a damaging hassle than reformatting.
People seem to operate on the misconception that 1) Malware is noticeable when it gets on your computer, and 2) Malware is designed to delete and damage your files. Most modern malware is designed to sleep in your system and harvest financially beneficial information. The scareware rogue A/V infections tend to be more notable and in your face, but they're almost always packed in with a trojan or rootkit that's much harder to notice. If you've got TDL3 on your machine, chances are you'll never even notice it's there.
Windows Update in Vista/7 is it's own control panel, and doesn't run through IE. You can chuck it out if you want.
(Although IIRC removing it doesn't actually delete it from the system, just removes the shortcuts; otherwise other apps that use IE like Steam would break.)
Ah, but see... do you know where I can see this on Microsofts own website? The fucker apparently thinks that if it's from anywhere else it is a baldfaced flatout lie.
Meh. All I can find are short references to it being "included in Control Panel" in Vista and up.
Also, a quick visit to Wikipedia says that removing IE does delete the actual executable, but leaves behind the stuff that lets Steam/other IE-reliant programs work.
That being said, you don't have to completely remove IE... just not using it would be fine :P Plus, it's a lot more secure in Vista/7, since it has Protected Mode; again, IIRC, the last few major exploits for it only affect Windows XP or Vista/7 if Protected Mode is off.
Meh... that wouldn't be good enough for him, I don't mind the new IE all that terribly... it's just the fact that it indeed is still insecure. There's no protection against java for instance, and what has most of the things our scanners have picked up been coming from? That's right, Java. He can't get the stick out of his ass to think that trying another browser might not be so bad, IE is apparently a damned god-browser or something to him. It's rough dealing with this person, he's one of the types that thinks they know a hell of a lot, and he does know some things, but is severely lacking in their trust of online sources. Nothing I can do though, computer is in his name and the idiot would raise hell if me or his son went and slapped Firefox on here anyway.
TetraNitroCubaneThe DjinneratorAt the bottom of a bottleRegistered Userregular
edited February 2010
Aaaaaand this right here is exactly why I've been trying my best to avoid the Adobe download manager in every form.
Because of an undisclosed flaw in the way Download Manager works, the "attacker can force an automatic download and installation of any executable he desires," Raff wrote in a blog post. "So, if you go to Adobe's Web site to install a security update for Flash, you really expose yourself to a zero-day attack."
Seriousy Adobe, what the fuck? You guys need to get your shit together.
Edit: Related to what I posted earlier about this - It looks like only the IE and Firefox versions of the latest flash update come packed-in with the download manager. Opera didn't get one when I broke down and updated via their packaged installer. I found a few ways to update the Flash plugin manually, but my attempts at doing them resulted in browser instability, unfortunately.
Further news has surfaced in the last few days about a rash of infections spreading through ad servers. This one is particularly nasty owing to the big-name ad servers that have been leveraged for the attack. Avast! has a blog update about it here. One of the more disturbing quotes is this:
The ad infiltration method is growing in popularity alongside with the website infections. Now we are facing probably the biggest ad poisoning ever made – all important ad services are affected. It means that users might get infected just by reading their favorite newspaper or by doing search on famous web indexers. User interaction is not needed in this attack – infection begins just after poisoned ad is loaded by the browser – it is not a type of social engineering.
It looks like the payload is executed via javascript and PDF, but the delivery through ads is what's more worrisome to me. This is one infection 'safe browsing habits' alone won't prevent, and it's unfortunately becoming more common.
TetraNitroCubane on
0
Options
TetraNitroCubaneThe DjinneratorAt the bottom of a bottleRegistered Userregular
edited February 2010
Double post for important information. Sorry to bump.
There's been a nasty security hole found in Firefox. Apparently it's 'in the wild' and could allow remote execution of code. Secunia classifies this as 'highly critical'. The Register has more information here. No one has any workaround or mitigating advice at the moment.
It also sounds like the people who discovered the exploit are holding onto the details in an attempt to sell them, so until Mozilla can figure out what's going on for themselves (or they pay the fee), no patch is in the works.
Jesus. Their business model is that they develop exploits, don't disclose them to vendors, and then sell them off for thousands of dollars as penetration testing? I already knew that there's sometimes a pretty fine line between the security and malware industries, but that's shockingly overt.
Okay, so I know a dude who plays a lot of PC games. That's his main thing, right? He's got a lot of stuff on his hard drive, and it'd totally suck if he ever got a virus. Which happens... not too often, but it has. He has no virus protection software, claiming that it just slows down his computer and isn't very effective. When I question him on how he ever removes security threats, he says he just nukes his hard drive, re-installs Windows, then copies everything back on from a portable hard drive. He does this shit MONTHLY, regardless of having an infection or not. Why he doesn't just get Avast or something is beyond me.
There's gotta be a way to convince this guy.
Because A/V isnt perfect. Once you connect to the internet all bets are off.
You can even make an install disc where it has all your software setup and ready to go.
Okay, so I know a dude who plays a lot of PC games. That's his main thing, right? He's got a lot of stuff on his hard drive, and it'd totally suck if he ever got a virus. Which happens... not too often, but it has. He has no virus protection software, claiming that it just slows down his computer and isn't very effective. When I question him on how he ever removes security threats, he says he just nukes his hard drive, re-installs Windows, then copies everything back on from a portable hard drive. He does this shit MONTHLY, regardless of having an infection or not. Why he doesn't just get Avast or something is beyond me.
There's gotta be a way to convince this guy.
Because A/V isnt perfect. Once you connect to the internet all bets are off.
You can even make an install disc where it has all your software setup and ready to go.
For the OP: In my opinion, Avira almost qualifies as malware. It pops up ads when I least expect them, that's pretty close to my definition of malware. And I don't care if that can be turned off or not, that's a dealbreaker.
So far I'm pretty happy with MS Security Essentials, because the active scanning can be deactivated and that's all I want: Just being able to right click a folder and say "Yo, scan this shit now, dog"
FencingsaxIt is difficult to get a man to understand, when his salary depends upon his not understandingGNU Terry PratchettRegistered Userregular
edited February 2010
So when I click on a link in google, I sometimes get an ad to some bullshit instead. Search and Destroy and Malwarebytes AntiMalware cannot detect anything wrong. Suggestions?
So when I click on a link in google, I sometimes get an ad to some bullshit instead. Search and Destroy and Malwarebytes AntiMalware cannot detect anything wrong. Suggestions?
Check your proxy settings?
Malkor on
0
Options
TetraNitroCubaneThe DjinneratorAt the bottom of a bottleRegistered Userregular
So when I click on a link in google, I sometimes get an ad to some bullshit instead. Search and Destroy and Malwarebytes AntiMalware cannot detect anything wrong. Suggestions?
There are a number of things you can try. The fact that S&D doesn't find anything isn't surprising, but MBAM not doing the trick might be worrisome. This may be a rootkit type infection. Have you used an A/V scanner yet, and if so, which one?
I'd start by checking your HOSTS file with notepad (should be in \Windows\system32\drivers\etc\), and verifying that your DNS settings haven't been tampered with. Overall, though, these are just symptoms, and even if they're responsible for your redirects, correcting them won't solve the problem of how they were changed to begin with.
I'd recommend scanning with MBAM in safe mode, and / or using a LiveCD to scan your computer from outside of the operating system. If you want several second opinions at once, go ahead and try out Hitman Pro 3.5. Hitman uses several A/V scanners at once, and also boasts the ability to catch a few nasty rootkits. You don't have to buy their stuff, though, if you find anything. There's a 30-day free license if you want to use it, but honestly if it finds something nasty I'd just reformat and reinstall instead of doing that.
So when I click on a link in google, I sometimes get an ad to some bullshit instead. Search and Destroy and Malwarebytes AntiMalware cannot detect anything wrong. Suggestions?
There are a number of things you can try. The fact that S&D doesn't find anything isn't surprising, but MBAM not doing the trick might be worrisome. This may be a rootkit type infection. Have you used an A/V scanner yet, and if so, which one?
I'd start by checking your HOSTS file with notepad (should be in \Windows\system32\drivers\etc\), and verifying that your DNS settings haven't been tampered with. Overall, though, these are just symptoms, and even if they're responsible for your redirects, correcting them won't solve the problem of how they were changed to begin with.
I'd recommend scanning with MBAM in safe mode, and / or using a LiveCD to scan your computer from outside of the operating system. If you want several second opinions at once, go ahead and try out Hitman Pro 3.5. Hitman uses several A/V scanners at once, and also boasts the ability to catch a few nasty rootkits. You don't have to buy their stuff, though, if you find anything. There's a 30-day free license if you want to use it, but honestly if it finds something nasty I'd just reformat and reinstall instead of doing that.
Check your proxy settings?
I agree with all of this. It's probably a Proxy, Hosts File, or a address redirector. If S&D and MBAM didn't find it, try SuperAntiSpyware, I've had good luck with that specific product lately. If you know what to look for in their logs, HijackThis can also help clear this type of thing up.
maerdred on
0
Options
TetraNitroCubaneThe DjinneratorAt the bottom of a bottleRegistered Userregular
edited February 2010
Brief news update: Adobe fixed their download manager flaw. Supposedly the fix is automatic. You can read more about it here, should you desire.
Because A/V isnt perfect. Once you connect to the internet all bets are off.
You can even make an install disc where it has all your software setup and ready to go.
Yeah, but if the virus hits your backups...
Again, it's about prevention more than resolution. If you know you've got malware, and you're able to keep clean backups, nothing is more effective or recommended than a fresh format and reinstallation (at least in my opinion). But reinstalling won't fix stolen accounts (games, email, banking, social networking), which are caused by Keyloggers and other nasty shit which is designed to install and run without your knowing it's there. A/V and other security software serve a valuable function in this case.
I'll also concede that A/Vs don't get everything. Just about everything, including champions NOD and MSE, fail to block the rapidly evolving rogues. But they shouldn't be used on their own - Layered security is more important these days. Limited user accounts, software restriction policies, properly configured / sandboxed browsers, and a good anti-malware all work fine in tandem and take very little in the way of resources.
For the OP: In my opinion, Avira almost qualifies as malware. It pops up ads when I least expect them, that's pretty close to my definition of malware. And I don't care if that can be turned off or not, that's a dealbreaker.
So far I'm pretty happy with MS Security Essentials, because the active scanning can be deactivated and that's all I want: Just being able to right click a folder and say "Yo, scan this shit now, dog"
I've certainly added your testimonial to the OP! Thanks for the input.
Posts
http://www.cloudantivirus.com/en/
Panda's UI & options are very locked down and restricted. Panda "Neutralized" items that it found and that was it. I don't like how this UI gives me almost zero information on what it's doing.
So I've already reinstalled MSE. Not sure when I'm going to remove Panda. I want to see if it's going to slow down my system in anyway first.
That's a shame. I'd been hearing good things about Panda Cloud too, and was wondering how it worked out in practice. From videos and screenshots I've seen, the UI did look a little... 'dumbed down' to put it mildly. I could be oversensitive to that stuff, though, after using NOD for so long.
By the way, I was always under the impression that only one on-access scanner should be run at a time? Is Panda Cloud designed to run along side another on-access scanner? That's actually pretty cool, if true.
If you're looking for another on-demand (not on-access) cloud scanner as a supplement to MSE, there's been some good buzz surrounding Hitman Pro 3.5. It seems to do all of it's scanning 'in the cloud', and uses several different engines from various vendors (I think it's: NOD32, Avira, Prevx, G DATA and a-squared). They've been getting some high praise for rootkit removal efficacy.
Negative strikes against it from what I can gather include some false positives, perhaps more than usual (though I'd probably blame G Data for that). In my opinion I'm not sure I like their pseudo-free approach - Scanning is unlimited, but I guess malware removal is only free for a month after the first removal of any threat. After that a license purchase is required.
Panda has always had a good engine, I just couldn't stand the UI. I've already uninstalled it because I didn't want to scanners running at the same time.
Sounds good. I'd think MSE and MBAM would be more than enough for anyone, given the good reviews I've been seeing for MSE.
Yeah, I've been asking around at Wilders about this. It's certainly not as effective as the x86 offering. Tuzk has said as much himself, though he also claims that browsing with the x64 version is safer than browsing without it. There are some interesting mitigating factors included, such as the 'drop rights' option enabled by default in the x64 version. That doesn't get past the fact that things in the sandbox still have the potential to contact services they shouldn't. I guess Patch Guard really screwed with Sandboxie's functionality.
Still, I've not seen any reviews of the efficacy of the x64 version. I'm not sure if any malware out there is designed to escape the sandbox. I've been running the x64 Sandboxie for about a week now, but I haven't tested it by purposefully throwing malware at it.
As a last, somewhat more practical/depressing note, the x64 version may be simply Tuzk's way of avoiding criticism and brand damage.
TDL3 likes to hide in low-level kernel drivers, such as 'atapi.sys'. The rootkit calls addresses which the recent kernel updates have rendered invalid. The result is a good `ol BSoD Stop error, which happens even before bootup. Safemode can't be accessed in this situation, so a boot CD or other solution is unfortunately required to solve the issue once encountered.
More on this can be read here and here. Microsoft's official response can be read here.
It's a problem that illustrates just how insidious and nasty TDL3 is, to be able to sleep for so long without ever being noticed. Though ironically, the overwhelming response I've seen so far has been to point the finger at Microsoft for 'breaking' computers with an update. This actually happened once before, when Prevx openly attacked Microsoft for issuing faulty, computer-breaking updates - it turned out to be malware then, too.
I consider myself cautious, I mind where I click and where I browse, but shit like Antivirus Pro or whatever still gets downloaded, installed, and screws me over.
Thankfully, with Malwarebyte and MSE, a safety mode boot and a quick scan clears it right up, but I'm really loosing faith in Firefox (which I've been using for....wow, three, four years now). That, and the fact that it's a memory whore, and I think I need to start looking at better browsers....
Any suggestions?
Firefox was never really as safe as people raved it was. When it started out what made it "safe" was that it wasn't IE.
Anyway if you want a browser with a sandbox mode you have two options: IE8 (assumeing you're not on XP) and Chrome.
I'm in Windows 7, Professional. I've been using IE8 for general browsing more, and have grown more familiar with it.
First of all, I'd certainly agree with Shroud about using some kind of sandboxing method or browser. I'd temper the suggestion for IE8, though, with a bit of caution surrounding the numerous security flaws that have been uncovered lately - but if you have it configured appropriately, things should be more secure. Make sure you're running in protected mode, and also make sure you've got the UAC on (ideally set to maximum).
If you wish to keep using Firefox, or just want to tighten up any browser, you can install Sandboxie. Or for hardened security, browse from a virtual machine.
Additional advice: Whatever browser you wind up using, find a way to block flash and javascript. Use Adblocker and Noscript on Firefox, or use whitelisting practices in other browsers (Whitelisting is how I have to do things in Opera, at least. Not sure about Chrome or IE). These Rogue A/V suites mainly get into systems via hijacked banner ads, iframes injected into legitimate pages, and other drive-by download exploits. If you've disabled javascript for whatever domain launches their fake UI on redirect, you'll never even see the script run, and it won't download. It's not 100% security, but it's a good start to cut some of these threats off at the knees.
Lastly, I'd be wary if this stuff keeps cropping up on you. There's a possibility that you've got a lurking infection that's not getting fully cleaned on each cycle. Some of the rogue A/Vs are leveraging rootkits these days.
I suppose I should consider this sandbox feature. I'm fairly confident that I don't have something lurking (given that I have both MSE and Malewarbyte running regularly), but I guess there is a possibility, no matter how remote.
I'm actually still on the fence about UAC (I am really tired of those messages every single time)--setting it to maximum might be the ultimate fix, but my god is it irritating enough on 'normal'. In the past, being cautious and diligent has been effective (I went 2 and a half years on the same installation of Vista Home Premium before I switched to Windows 7, using this method--did a lot of cleaning, but never suffered any drops in performance). Recently, it's just gotten worse.
I regularly update everything, include IE8 on a semi-daily basis, which helps. I might check out Chrome--it's been suggested, but I've heard mixed things about it too.
If you're cautious, and have been running MSE and MBAM regularly (particularly on-access MBAM), I'd agree that you're probably pretty safe. The hell of a rootkit, though, is that no matter what you're running it can pretty much evade detection, regardless of how good your A/V is. And some of these rogues slip past MSE. Hell, a lot slip past NOD. You said some of these rogues actually got to the point of installing onto your machine, is the only reason I bring it up. If one of them dropped files on your machine, you might consider running an Anti-rootkit scanner. But maybe I'm being over paranoid.
UAC can be a pain, true. The better solution is to run as a limited user, but if you find UAC annoying, a limited user account would probably drive you up the wall. A better solution might be to just force your browser into a 'dropped rights' situation, so that no matter what your privileges are on your account, your browser won't be able to install or save things to sensitive locations. You can check out this article on 'Drop my rights' (Edit: Ugh. Old article. This hiddeous webpage has ironically more updated information) - Or else Sandboxie has an option to do this by default for each program in the sandbox.
And, unfortunately, a lot of programs out there leave gaping security holes wide open for months before patching. Adobe did recently (Just ask Google). There's at least one for IE8 out there, but I don't know if it's just proof of concept, or in the wild. Patching is very, very good - don't get me wrong. I've just been shocked lately at how slow to react some developers are.
I think I've done something to this effect in the past--or rather, I had a friend of mine set it up on my last laptop, out of a recommendation, about 4 years ago, and found it to be well suited. I might be worth doing it again, I'll look into it.
I also use Spyware Blaster, this is a black list tool for browsers. It does not run in the back ground so it doesn't degrade performance. It can also disable flash for the entire PC.
http://www.javacoolsoftware.com/spywareblaster.html
As long as you enable Protected Mode for all security zones and keep security settings set well enough IE8 should be ok. I keep UAC set to Full, normal should be ok as long as you have Protected mode enabled for everything. Having SmartScreen enabled actually helps as well.
This is a Reg-hack that will speed up IE's rendering: http://enhanceie.com/dl/fixHTTPMax.reg
I also use OpenDNS with their filtering as well.
Now if only I could convince a certain someone that I'm not a fucking idiot and can manually check on my Windows Updates. This is the only reason that piece of shit is still being used on this machine. You know this would be an excellent place to ask since it does coincide with protection.
For Vista, or even Windows 7, is using anything other than IE as your default browser going to stop the automatic updates?
I've read that for Windows 7 you can even remove IE, so I'd imagine the updates aren't dependant upon it... but I can't find any documentation about it. This is the deal breaker on whether I can toss out this useless browser once and for all, and it would -have- to come from Microsoft directly.
(Although IIRC removing it doesn't actually delete it from the system, just removes the shortcuts; otherwise other apps that use IE like Steam would break.)
A word of caution, until I can figure out more: Apparently the buzz on Wilders is that the update might be packed-in with something called the 'Adobe Download Manager' and also tries to install the Google toolbar. I've not gotten any concrete evidence of this, but when I find out more information I'll post clarification.
I don't know why I didn't see this earlier, but YES, you should absolutely change it to OptOut mode ("Turn on DEP for all programs except those I select"). Read this post over at SA for a good explanation why. I haven't had trouble with steam or any other program, but if DEP kills something you get a message telling you so, so you know it wasn't a random crash.
Why this isn't the default setting, at least for Win7 and Vista, is beyond me.
There's gotta be a way to convince this guy.
Minecraft username is the same. No server yet.
Battle.net: majesticslump@aol.com
Not too active on Steam, my computer sucks. Still no XBL Gold account. DS friend codes in spoiler.
GTA Chinatown Wars: 0388-4661-8548
Jump Ultimate Stars: 5155-6844-1452
Mario Kart: 4811-3240-0433
Scribblenauts: 4812-6335-7531
Starfox Command: 1139-8027-6150
Zelda: Phantom Hourglass: 4211-4545-9789
Ah, but see... do you know where I can see this on Microsofts own website? The fucker apparently thinks that if it's from anywhere else it is a baldfaced flatout lie.
Meh. All I can find are short references to it being "included in Control Panel" in Vista and up.
Also, a quick visit to Wikipedia says that removing IE does delete the actual executable, but leaves behind the stuff that lets Steam/other IE-reliant programs work.
That being said, you don't have to completely remove IE... just not using it would be fine :P Plus, it's a lot more secure in Vista/7, since it has Protected Mode; again, IIRC, the last few major exploits for it only affect Windows XP or Vista/7 if Protected Mode is off.
Install MSE wait a few days and then let him know what you did and point out that he didn't even notice. And don't lead into it with things like "did you notice anything about yout computer," just tell him I installed a low resource AV a "few" days ago. Don't tell him how many days either for awhile. Let him try to figure it out.
I guess you could bring up the fact that in copying everything from the last drive, you could also copy malicious software too.
Additionally, I'd point out that removing malware is one thing, but preventing it is far more important. It's not always obvious if you've been hit, after all.
A full nuke-and-rebuild will certainly get rid of most anything that might infect your computer (barring contaminated backups and/or nasty, nasty, rare BIOS viruses). Cleaning it up would be easy if he reformats and reinstalls on a monthly basis, sure, but the damage is done at that point. If he's a heavy gamer, then he risks losing his login credentials. If he uses Steam, his account might get hijacked - Even if that gets returned to him by Steam Support, he'll almost certainly get VAC banned, and if he wants to play online he'll have to repurchase his games.
Losing credit card information, banking information, and that sort of thing (if he uses those on his gaming computer) are much more of a damaging hassle than reformatting.
People seem to operate on the misconception that 1) Malware is noticeable when it gets on your computer, and 2) Malware is designed to delete and damage your files. Most modern malware is designed to sleep in your system and harvest financially beneficial information. The scareware rogue A/V infections tend to be more notable and in your face, but they're almost always packed in with a trojan or rootkit that's much harder to notice. If you've got TDL3 on your machine, chances are you'll never even notice it's there.
Meh... that wouldn't be good enough for him, I don't mind the new IE all that terribly... it's just the fact that it indeed is still insecure. There's no protection against java for instance, and what has most of the things our scanners have picked up been coming from? That's right, Java. He can't get the stick out of his ass to think that trying another browser might not be so bad, IE is apparently a damned god-browser or something to him. It's rough dealing with this person, he's one of the types that thinks they know a hell of a lot, and he does know some things, but is severely lacking in their trust of online sources. Nothing I can do though, computer is in his name and the idiot would raise hell if me or his son went and slapped Firefox on here anyway.
Seriousy Adobe, what the fuck? You guys need to get your shit together.
Edit: Related to what I posted earlier about this - It looks like only the IE and Firefox versions of the latest flash update come packed-in with the download manager. Opera didn't get one when I broke down and updated via their packaged installer. I found a few ways to update the Flash plugin manually, but my attempts at doing them resulted in browser instability, unfortunately.
Further news has surfaced in the last few days about a rash of infections spreading through ad servers. This one is particularly nasty owing to the big-name ad servers that have been leveraged for the attack. Avast! has a blog update about it here. One of the more disturbing quotes is this:
It looks like the payload is executed via javascript and PDF, but the delivery through ads is what's more worrisome to me. This is one infection 'safe browsing habits' alone won't prevent, and it's unfortunately becoming more common.
There's been a nasty security hole found in Firefox. Apparently it's 'in the wild' and could allow remote execution of code. Secunia classifies this as 'highly critical'. The Register has more information here. No one has any workaround or mitigating advice at the moment.
It also sounds like the people who discovered the exploit are holding onto the details in an attempt to sell them, so until Mozilla can figure out what's going on for themselves (or they pay the fee), no patch is in the works.
Because A/V isnt perfect. Once you connect to the internet all bets are off.
You can even make an install disc where it has all your software setup and ready to go.
I am scared now
Yeah, but if the virus hits your backups...
So far I'm pretty happy with MS Security Essentials, because the active scanning can be deactivated and that's all I want: Just being able to right click a folder and say "Yo, scan this shit now, dog"
Twitter: busfahrer -- Quake Live: busfahrer -- StarCraft II: busfahrer.184 (EU)
Check your proxy settings?
There are a number of things you can try. The fact that S&D doesn't find anything isn't surprising, but MBAM not doing the trick might be worrisome. This may be a rootkit type infection. Have you used an A/V scanner yet, and if so, which one?
I'd start by checking your HOSTS file with notepad (should be in \Windows\system32\drivers\etc\), and verifying that your DNS settings haven't been tampered with. Overall, though, these are just symptoms, and even if they're responsible for your redirects, correcting them won't solve the problem of how they were changed to begin with.
I'd recommend scanning with MBAM in safe mode, and / or using a LiveCD to scan your computer from outside of the operating system. If you want several second opinions at once, go ahead and try out Hitman Pro 3.5. Hitman uses several A/V scanners at once, and also boasts the ability to catch a few nasty rootkits. You don't have to buy their stuff, though, if you find anything. There's a 30-day free license if you want to use it, but honestly if it finds something nasty I'd just reformat and reinstall instead of doing that.
I agree with all of this. It's probably a Proxy, Hosts File, or a address redirector. If S&D and MBAM didn't find it, try SuperAntiSpyware, I've had good luck with that specific product lately. If you know what to look for in their logs, HijackThis can also help clear this type of thing up.
Again, it's about prevention more than resolution. If you know you've got malware, and you're able to keep clean backups, nothing is more effective or recommended than a fresh format and reinstallation (at least in my opinion). But reinstalling won't fix stolen accounts (games, email, banking, social networking), which are caused by Keyloggers and other nasty shit which is designed to install and run without your knowing it's there. A/V and other security software serve a valuable function in this case.
I'll also concede that A/Vs don't get everything. Just about everything, including champions NOD and MSE, fail to block the rapidly evolving rogues. But they shouldn't be used on their own - Layered security is more important these days. Limited user accounts, software restriction policies, properly configured / sandboxed browsers, and a good anti-malware all work fine in tandem and take very little in the way of resources.
I've certainly added your testimonial to the OP! Thanks for the input.
Nice, but I think there's a typo or something in the link
Twitter: busfahrer -- Quake Live: busfahrer -- StarCraft II: busfahrer.184 (EU)