The w32/storm.exe virus sent as email attachments, the Storm Worm-based botnet in general, or the Storm Worm "infected" websites with the IFRAME inject? Either way, lots.
I'm not really sure what we're debating here.
My argument is that, assuming you have an up to date alternative browser like Firefox or Opera, you should feel free to visit what I call "non-risky" sites protected with something free like AVG without significant fear.
I guess you're saying "Not so fast, even 'safe' sites can have risk. You should always have something more serious than AVG."
And I suppose if I didn't have to deal with budgets that can't afford virus-sensing "smart" firewalls, I might have that attitude too. Security is always a cost/benefit analysis, and in the Aces High world, decreased game performance due to "too much security" is a cost that must be balanced in addition to financial ones.
But getting back to your example of the Storm Worm infected sites - as I recall (again, no Googling), the IFRAME attack targeted only those browsers not up to date. In fact, I seem to recall the patch that blocked the automatic download had been released more than a year (two years?) after the GOP's site was one of the first that was compromised this past August or September. Patched browsers were presented with a "Do you want to download patch.exe? Yes/No" warning, as I recall.
I cannot recall ANY reports where a current browser automatically downloaded anything related to Storm.
Now I'm checking google...
Well, as of October 2007, the Safari 3 beta is automatically downloading exes. Sigh. IE and Firefox don't. This comes from TrendMicro. (http://blog.trendmicro.com/zero-day-flaw-in-safari-3003-web-browser-for-windows/)
My argument to that big AV company, and to you too, is that if a user can't be bothered to keep their browser up to date, then I think it's very unlikely that they'll keep their AV up to date, ESPECIALLY after that first year's definitions have started to get old because they don't want to pony up for another year's subscription. And, at least for drive-by downloads, an updated browser is the best defence, IMO.
I have enough test machines (real and virtual) and security software licenses that I can pretty much check out any site with drive-bys and see what happens and report back here. Please send me some so I can test.
PM is fine if you don't want these URLs out there for anyone to click.
I seriously want to report on what's best for my clients and for the readers of CPU, and you've given me plenty to think about. However, you honestly haven't convinced me. Your credentials are impressive, but from what you've said so far, it seems your focus is blocking malware at the firewall level, but for all of my clients (and certainly, everyone here on the AH forums), such blocking is done via software at the PC level (excluding the consumer-grade NAT firewall, of course), which is the same level at which the browser interacts with the data stream. Different focus.
-Llama