With the evolution of the computer virus, spyware, keyloggers, and pretty much malware of all sorts, it’s somewhat difficult to keep up to date with appropriate security measures. It used to be that you could keep yourself relatively secure using a competent virus-scanner, a non-IE browser, and safe surfing habits. Clearly this is no longer enough to keep one safe. I was under the impression that most malware and virus attacks propagated via email attachments, but the more I read, the more I’m convinced that’s not true.
For example, take the recent malware alarm problem (described in part here). It’s a drive-by flash-based attack that many have reported, which is launched from banner ads and immediately redirects browsers to a compromised website. It requires no input from the user, simply viewing the webpage displaying the ads is enough to cause infection - even in Firefox. The ads have surfaced on such ‘safe’ websites as TV guide’s page, The Economist’s webpage, and even the webportal for National Geographic. Last month’s discovery of malware pushers trying to game google results to affect redirects isn’t quite as insidious, but is still troubling. Clearly regulating browsing habits isn’t as airtight as it used to be.
So, after scaring the crap out of myself, I tried to look into increased security measures for my computer, and quickly realized that I’m a total idiot when it comes to comprehending how these things work, or what I should be doing to stay safe, so I’ve come up with a bevy of questions about each point in turn. I'm asking a lot here, so I ask for some patience, if you can spare it.
tl;dr: Let’s chat about computer security.
[size=+1]Anti Virus:[/size]
I always assumed having a good, up to date virus scanner is essential. I’ve had some people tell me otherwise, though, and I’m wondering what the general consensus is on the matter. Are they just a waste of system resources?
A lot of folks seem to like AVG or Avast, and some highly recommend kaspersky. Personally, I use NOD32, but have recently been told that NOD misses a majority of common, well-documented virus threats. Is there any definitive best solution? I’ve stuck with NOD because it’s non-intrusive, it scans very fast, and it has a minimal memory footprint. But all of that is worthless if it can’t perform its main function.
[size=+1]Firewalls:[/size]
I know nothing about firewall programs. Back about five years ago, I had a friend who used one, and could never, ever connect to any online games because of it. Have they gotten any better since then? Will a firewall be an unnecessary burden, or is it really a necessary aspect of computer security these days? I know that the windows firewall may as well be Swiss cheese, but I don’t know a thing about which firewall programs are the most effective. A tutorial about using them would be fantastic, as well.
[size=+1]HIPS:[/size]
I know that HIPS stands for Host Intrusion Protection System, but how this differs from a firewall is ambiguous to me. From what I’ve been reading around online, it seems that most HIPS programs are front-end applications that alert you to every process that attempts to run, and give you the ability to approve or deny the launch. Are these effective measures? It seems to me that eventually the constant choice would fade into noise to an average user, and not provide any protection - also, hidden malware bundled with legitimate programs would easily slip past. Am I misinterpreting the actual use of HIPS?
[size=+1]Sandbox / Virtualization:[/size]
The biggest new trend I’ve seen online has been sandboxing. From what I understand it involves opening programs, or the entire operating system, in an ‘isolated’ space on the computer that can’t influence the rest of the machine in a more permanent way. If the sandbox contracts a virus, then it’s easy to dump and delete the entire thing. Sandboxie seems to be the preferred application, particularly for webbrowsing.
Is it possible to save any files while browsing sandboxed? I do download the occasional file or two, so having them vanish when I quit the browser would be a bit annoying. Also, when browsing sandboxed, will this effectively disable cookies? Will every time I navigate to a website be as if it were the first time, or can it store some information to allow me to remain logged into forums, etc., based on previous actions? Sandboxing seems perfect for avoiding drive-by infections, but if a virus gets loose in the sandbox without user knowledge, can’t it still steal information while the user is running the browser within that sandbox? I’ve no idea how this concept impacts stability and compatibility, either!
[size=+1]Get a Mac:[/size]
No, this isn’t the solution I’m looking for. But I am curious.
I work with a huge number of Mac users, and when they see me looking into PC security, they pretty regularly deride me, saying that any Apple based product would be immune to such threats. I gather that most virus threats are targeted specifically toward Windows operating systems, but are Apple based systems really so immune to threats? I’m genuinely curious.
I’m sure I’ve missed some aspects of computer security, but these are the most pertinent ones that come to mind. Any advice would be greatly appreciated, and I invite others to add their own questions to the thread. Hopefully this will help several people to keep themselves clean and secure.
AV software. None is perfect, none will catch everything. And few will actually search for "non viral" items like malware/spyware. Many that do search for it are fairly poor. The problem with most AV applications out there is that they tend to be very much reactive, as opposed to proactive. This means that they will only update to defend against a particular virus or group of virii once they exist. They will not seek out things like Windows or application security flaws and make sigs that flag things that try to use them in this way. At best some may have some generic heuristic signatures that attempt to identify "virus like" behavior.
So long as you keep up to date on any one of the better received pieces of AV software, you're ok on that front. Many of the other complaints stem from particular pieces of software being very bloated, or eating tremendous amounts of resources, both of which can be very true. Personally I use NAV Corporate... since it's free from work.
Firewalls are a mixed bag. Even the best of them can wreak havoc on your connection if you don't know what you are doing. Firewalls are important because while most home routers offer firewall or firewall like protection (via NAT) from incoming attacks, firewalls can prevent OUTGOING traffic if your pc wound up getting owned via e-mail/web site/etc. This can be a hardware based firewall (like a higher end router or a dedicated pc) or software (like zonealarm).
HIPS, along with things like IDS (intrusion detection systems) and IDP (intrusion prevention systems) and other similar products are effective so long as they are kept up to date and configured. While something like a firewall can prevent traffic of certain types or by certain programs from going out, more advanced systems can dig deeper and provide protection on a network level as opposed to the host (pc) level. Something like what you are referring to would generally require an exhaustive configuration on the front end, but once set up it would only trigger when something new is added. It's what is called a front end heavy system. You spend a lot of time getting it going, but once it's running you rarely see it... and in this case, when you do see it you will expect it (installing/updating) or are alarmed (something installing in the background).
sandbox/virtual systems.
These act exactly like a normal system. They have IP addresses, PC names, etc. They can often share some resources with the host machine, or more likely, networked machines. So, as to your "can I save files" yes you can. You can save them locally and risk losing them when you have to dump the image and start over, or you can allow it access to a networked share and save everything to that.
These systems are very secure since you can have them infected by everything under the sun, then just dump the image and bring it back up as the "good" image in just a few minutes. How effective it is, and how quick you can get running depends on how well you maintain the image. Basically you will always be reverting to the image (to ensure it's good) updating it, and then saving it. This ensures your OS is always up to date as are the applications. All user files should be stored elsewhere.
Get a Mac/*nix box?
Silly comment. There are a lot better ways to work with PC specific items on non Windows machines nowadays, but they are far from perfect. There are exploits that work on Windows/non windows systems equally (like a recent quicktime exploit). Likewise, Windows boxes are the prime target, hence more effort is taken to break them. Mac/*Nix do have exploits, but they are not as widespread or as public.
The biggest security tool you can have is yourself. Don't open bullcrap, don't forget to keep your system and applications up to date. One of the biggest security minders around is to just practice smart browsing habits, since most of the problems stem from web related resources. If you use IE, keep it up to date and make sure you have the settings appropriate to your habits. For Other browsers, keep them up to date and look into add ons (looking at you firefox) that can make your browsing far more secure.
I used to use ZoneAlarm, but that's when I was connecting directly to my cable modem, or using a hub/switch, and not a routing device. My linksys router has its built-in firewall that's pretty easy to use. Most problems that I cause for myself are due to risky behavior, downloading things from sources that are questionable.
Which brings me to sandboxing.. VMWare is a magical thing. Feed it just a couple gigs of space, install XP on it, and open anything you don't trust in there first. While I don't bother with it for general web-use, if I'm going to download something I don't explicitly trust, I love being able to grab it in my VM, open it up and check it out, and simply dump the OS and revert to a snapshot if it's infected. That being said, if it becomes common practice, I'm sure viruses can be written to detect if they're running on a VM and try to get out to the host.
This is pretty much because nobody gives a shit about Macs.
I'm not trying to snub Mac users, or arguing that the mac OS/hardware platform isn't a quality product. They still just don't have the market share that Windows does.
If you're writing a virus, why wouldn't you write one for windows? They have an enormous foothold on the business environment, where you can potentially access a lot of financial and personal records, as well as a viable business server OS you can attack with the same virus, something Apple doesn't do. You might get some passwords or banking website logins off a mac, but attacking windows PCs opens you to the business environments as well as home PCs.
Mac users can look down their noses on the security issue, but it really comes down to the fact that most of the world still runs on windows, so there's no real reason to attack the Mac OS yet. If they suddenly jump to a 60 or 80% market share, and begin running a server OS, and implemented in business environments, you'll see virus attacks on them just the same.
All you need:
Zone Alarm Firewall
Firefox with NoScript
And last, but not least, Spybot Search & Destroy
All work great for me. I actually tried to install AVG Anti-Virus, and it fucked my computer up badly. Basically said C: = Virus, QUARANTINE!
Removed my admin privileges, the whole deal. YMMV.
Do you not see the correlation here? You went with no A/V for 2 years "without issue". Basically you didn't install A/V and are somehow certain you had no viruses. Then when you did install an A/V product, it took a shit and blew up about the virus content of your C drive.
This kind of thing confuses me to no end, the "I don't have any antivirus, and I never get viruses." Pardon me for being blunt, but how the fuck do you know?
There's a shitload of viruses out there you can have and never notice. Not every virus makes popups and redirects your home page and google results to porn. Some of them sit there nice and quietly and log your keystrokes waiting for you to log into your bank's website, or sniff around for your game serial numbers and activation codes, and you'd never know they were there.
Just because your computer doesn't bluescreen or generate popups does not mean you are virus free. If you go to any non-mainstream website, ever, download warez, or look for porn, chances are you've picked up something in 2 years.
I'm running XP SP2, kept up to date as best I can. I'm protecting it with NOD32, as I said previously. My browser is exclusively Opera (I'm not a fan of Firefox, and I like Opera quite a bit). I regularly scan with SpyBot S&D, which I also try to keep updated as best I can.
I gather that these programs are highly specific in their setup and configuration. I'm beginning to understand that a good firewall might be imperative, as blocking outbound connections is just as critical as inbound connections. I'm still quite interested in HIPS, though, even if the front-end is really heavy. Honestly, not knowing about a program that's installing itself is cause enough for alarm in my book.
Are there any recommendations anyone might give about which Firewall or HIPS to start looking at? I can try to learn more about configuration and setup from there, particularly in light of your second comment EclecticGroove. I'm not trying to be overwhelming, here, but I am quite interested in finding a good starting point!
This sounds like an excellent idea, then. Would VMWare require a second copy of XP to do that second install, though? I'm unfortunately not in a position to buy another copy of the OS. Is using the sandboxed OS for all browsing a bad idea? It seems to me to be the only way to prevent 'drive-by' type infections.
Also, has anyone had any experience with Sandboxie? It seems a bit easier on the install and setup process, but I'm not sure if it will be as effective as other virtualization processes.
This was addressed by Erandus, as well, but it's a good point. I try to browse safe no matter what. I visit only trusted websites and keep myself pretty aware for redirects and false links. But it's becoming very VERY obvious that's not enough anymore. That Flash exploit I mentioned in the OP would have compromised my system if I had visited the Economist's website, which I wouldn't consider a bad habit.
So, I guess that boils down to browser configuration? Is there anything I can do with Opera in this regard? I know the safest thing to do would be to disable Flash altogether, but when I turn off Flash or iFrames, webpages typically look atrocious and don't load properly. Are there alternatives?
Sorry if I keep spewing questions. I'm just a bit undereducated about this stuff, and when I try to read tech pages, it mostly makes my head explode.
EDIT: Forgot to mention:
I thought about as much. :P
Microsoft would probably say it does, but I really don't think you're going to get in any hot water using it as intended here.
Quick google gave me this, just off the cuff, from an MSDN blog site:
Short answer: Yes
Long answer: Chances are you'll never be caught, and Microsoft isn't likely to bother with pursuing it.
In response, it is feasible that there are lurking baddies on my hard drive, but I like to think that holes in my security would have come to my attention by now, i.e. tripped a firewall, caused some strange behavior, etc.
It's probably helpful that I'm not usually found trolling for shock images/porn/warez.
By the way, AVG wasn't saying there were viruses present in the C: drive, it was accusing huge swaths of files of being viruses themselves. Stuff like recently installed games, anything having to do with Windows, etc. I think it was some sort of conflict with Spybot, but I have no way of telling now.
I did manage to nuke AVG from orbit, but now I get random 'generic process' termination messages, and my screen will irregularly flash to the desktop background.
If only I could find my boot disks. Anyone know if Toshiba will just mail you something like that?
Or you can do the opposite, build up a Linux system and virtualize your existing Windows install. You aren't stuck with windows on everything.
As to the items I discussed, unless you are running a serious network, or interested in learning, most IDP/IDS items you will find are not really worth your time, or too much $$ to deal with. However, you may want to look into things like process explorer and other items that give you visibility into the workings of your pc. I'd have to find my "hot lists" of applications I use when tracking down crap on a pc... I haven't had to use it in awhile.
As for browsers? I'm not familiar with Opera enough anymore to say. But for IE it essentially comes down to setting most things to disable or prompt. For Firefox there are add ons like NoScript, and ones that block flash till you specifically ask for it (but still fill in the flash container).
Provided you stick to mostly safe sites you are ok. But yes, sometimes things get added into legit sites as well, which is where keeping things up to date comes in.
Firewalls are definitely tricky. They're tools to enforce an access control policy. If you don't fully understand what you want to be able to do and what you want to restrict, then it's like being thrown a bunch of Legos that can blow up in your face in certain assemblies with no instructions in the box.
The biggest thing may just be trying to keep up to date with threats. Viruses attached to e-mail or shady sites is old hat. Now malware gets hidden in stuff like IM "worms" and malicious MySpace scripting too. Symantec maintains a blog about security topics here: http://www.symantec.com/enterprise/security_response/weblog/
There are other sites that try to keep up with security as well and there's a lot of cooperation within the industry so you can pick whoever you feel like following.
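Two posts above make the same point about software firewalls: EclecticGroove notes that the real value of a host firewall is stopping OUTGOING connections from a box that has already been owned, and the last reply calls a firewall "a tool to enforce an access control policy" that blows up on you if you don't know what you want to allow. The following is an added illustration (not a tool from this thread, ZoneAlarm, or any real firewall) of what such a policy looks like when written down: an ordered rule list with first-match-wins semantics and a default deny for anything unmatched, evaluated against a constructed log of outbound connection attempts. The program names, addresses and rules are all made up for the example.

```python
"""Ordered egress policy evaluator (added illustration, not the thread's own tool).

Models what a host firewall doing outbound filtering decides: rules are
checked in order, the first match wins, and anything unmatched falls through
to a default deny. The policy and the "connection attempts" are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    program: Optional[str] = None    # None matches any program
    port: Optional[int] = None       # None matches any destination port
    proto: str = "tcp"

    def matches(self, event: dict) -> bool:
        if self.proto != event["proto"]:
            return False
        if self.program is not None and self.program != event["program"]:
            return False
        if self.port is not None and self.port != event["dport"]:
            return False
        return True


# Constructed policy: the browser may reach the web, the system service may
# do DNS and Windows Update over HTTPS, outbound SMTP is refused outright,
# and everything else falls through to the default deny.
POLICY = [
    Rule("allow", program="opera.exe", port=80),
    Rule("allow", program="opera.exe", port=443),
    Rule("allow", program="svchost.exe", port=53, proto="udp"),
    Rule("allow", program="svchost.exe", port=443),
    Rule("deny", port=25),   # a desktop has no business sending mail directly
]
DEFAULT_ACTION = "deny"


def decide(event: dict, policy=POLICY) -> tuple:
    """Return (action, rule_index) for the first matching rule, else (DEFAULT_ACTION, None)."""
    for index, rule in enumerate(policy):
        if rule.matches(event):
            return rule.action, index
    return DEFAULT_ACTION, None


def parse_event(line: str) -> dict:
    """Parse one constructed 'program host:port proto' line into an event dict."""
    program, dst, proto = line.split()
    host, port = dst.rsplit(":", 1)
    return {"program": program, "host": host, "dport": int(port), "proto": proto}


# Constructed sample of what a host firewall would see. The third line is a
# legitimate updater the policy author forgot about (the "Legos blowing up in
# your face" case); the last two are an unapproved binary trying to send mail
# and to reach an IRC-style port, i.e. the "owned PC phoning home" case.
SAMPLE_LOG = """\
opera.exe 203.0.113.10:443 tcp
svchost.exe 192.0.2.53:53 udp
update.exe 203.0.113.20:80 tcp
unknown.exe 198.51.100.7:25 tcp
unknown.exe 198.51.100.7:6667 tcp
"""


def audit(log: str = SAMPLE_LOG) -> list:
    """Evaluate every line of the log; returns [(program, dport, action), ...]."""
    results = []
    for line in log.strip().splitlines():
        event = parse_event(line)
        action, _ = decide(event)
        results.append((event["program"], event["dport"], action))
    return results


if __name__ == "__main__":
    for program, port, action in audit():
        print(f"{action:5} {program} -> port {port}")
```

Running it shows both halves of the argument at once: the unknown binary's mail and port 6667 attempts are refused without anyone having anticipated that particular malware, because the policy is default deny rather than a blocklist; but `update.exe` is refused too, which is exactly the "can't connect to my game" experience the OP remembers. Writing the allow rules down before turning the firewall on is what keeps the second effect from looking like the first.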