Aces High Bulletin Board
General Forums => Hardware and Software => Topic started by: Larry on November 01, 2007, 06:45:14 PM
-
I don't know if this should be in the H&S forum or not but what the heck. I'm looking to buy some antispyware and virus scanners and I'm willing to pay around $100-150 for them. So what are the best ones you've used?
-
trend-micro fifty bucks
-
AVG Anti-Virus = FREE
Ad-Aware anti spyware = FREE
http://www.downloads.com
-
avast antivirus. i personally find it far more effective, faster, and more secure than the others i've tried (namely McAfee and Norton)
best of all, it's free.
blocks spyware too. can't remember the exact site, google avast antivirus.
-
avast is free.
-
Avast or AVG. All the ones you pay for are charging you for bloat it seems.
-
Personally, I am a fan of the "Computer Associates" Security Suite package. Anti-Virus, Anti-spyware, spam, and firewall protection. I think it is $49 per year, and it includes unlimited updates. You can download the software from the Computer Associates Website, or find the boxed software at TigerDirect or other such store.
I have found that it is very effective and does not seem to interfere with running programs like some of the other 'name brands' I have seen or used.
Good luck. Hope this helped.
-
i use Avast.
Where have you been, Larry? I don't see you in the skies anymore :(
-
I use Avast.
A good site for looking at antivirus program performance:
http://www.av-comparatives.org/
-
AVG for everyday computing
For playing AH I boot into a separate profile that runs Aces High and only Aces High.
-
Avast, by far and above; free, fast, easy to use, and you can download it from:
http://www.avast.com
Spyware...Mmm I use Avast All in one but I would have a separate spyware programme, something along the lines of Spybot S&D from:
http://www.safer-networking.org/
-
I use Nod32 in laptop (work) and avast in XP gaming box.
On the Vista box I didn't bother to install an AV - if it gets infected I get a reason to format it away. :D
-
Long time AVG user here. Maybe it's me but it just seems more user friendly for setting up, configuring.
Ad-Aware and Spybot for spyware. XPtools for cleaning registry, managing startup programs, and a bunch of other goodies.
-
Avast
Ad-Aware (for scanning)
Spywareblaster (small app that runs in background and prevents installation of spyware)
All Free!
Remember to update them all regularly.
-
The only time ad-aware or spybot has found spyware on my computer was when my wife browsed some sites with Internet Explorer.
As long as you stick to firefox the worst you'll likely get is a tracking cookie. Cookies can be disabled anyway. I run adchecks maybe 1 time a year just to be sure and nothing has been found for 3 years now.
-
Check http://www.av-comparatives.org
Look at both tests, and the last few tests performance.
My choice is NOD32. Although commercially I like McAfee, its 'good' product is not available to consumers. If you go with AVG, good luck to you.
-
I just reviewed Norton AV 2008 for CPU Magazine. I found it lighter in weight than Kaspersky (which is generally what I regard as the Gold Standard), but not as light as AVG. That said, Norton AV does a lot more than AVG. I actually recommend it now.
Note that I'm just talking about NAV 2008. 2007 is slower. Norton Internet Security and Norton 360 is still rather bloated and slower. With rebates, you can get NAV2008 for around $20-$30.
For spyware cleaning and prevention, SUPERAntiSpyware is really great. I know it has a silly name. The freeware version just cleans existing problems, while the paid version ($30) actively prevents spyware from taking hold. An annual subscription is $15 a year, but you can prepay $10 for a lifetime subscription when you buy it. It is much lighter in weight than WebRoot SpySweeper, and doesn't cause any of the problems that spysweeper does.
I fix computer problems for businesses for a living in addition to being a reviewer for CPU. I rigorously test this stuff myself. These suggestions are based on my experience rather than reading some article.
Sorry for the terse posting - I'm under deadline right now...
-llama
-
NOD32
-
Avast = Free
Adaware = Free
Spybot Search & Destroy = Free
Hijack This = Free
I run Windows XP Pro with Service Pack 2 and the Standard Firewall. Since running all the above programs I have not had one successful Trojan attack or Virus install on my system. All for FREE too. So save yourself some cash that you can apply to a better joystick or monitor to fly with. :cool:
-
When I couldn't get a Yellow boxed software to scan for viruses on a friend's funky computer I was able to get Avast to do the job. I would not hesitate to use that software at all. And as mentioned several times prior, it is FREE!
-
Originally posted by llama
I fix computer problems for businesses for a living in addition to being a reviewer for CPU. I rigorously test this stuff myself. These suggestions are based on my experience rather than reading some article.
Sorry for the terse posting - I'm under deadline right now...
-llama
I'm a network security pre-sales guy. I specialize in products like Sonicwall, Juniper, Foundry, McAfee (commercial not retail), H3C, Aventail, Ciphertrust (now Secure Computing). So I speak from experience too :)
-
AdAware
Spybot Search and destroy
SpywareBlaster
SpywareGuard
Avira Anti-Virus
Comodo Firewall
Comodo BOclean
WinPatrol
All are FREE if you care to check em out.
-
ClamWin for AV = Free (Open Source)
CounterSpy for spyware = $20 (the only one I've ever paid for, and worth it)
Made a mistake not too long ago. Spybot, Ad-Aware, Trend Micro... a lot of them didn't remove everything. CounterSpy actually nailed it and saved me the trouble of a reinstall, since my restores were deleted.
It's free for 2 weeks.
-
AVG Free - Antivirus
Spybot Search & Destroy - for Spyware/adware
Adaware (free) - If you want a backup to spybot
Spywareblaster - (Backup for Spybot's TeaTimer)
Comodo Firewall - Faster than ZoneAlarm and just as good. Vista version is still in beta though, but works pretty good so far.
Windows Firewall is useless. It does little to stop outgoing connections. ZoneAlarm used to be good at that also, but when a recent version of ZA installed an MS update, without telling clients, that made me start thinking about a replacement.
The Key protection that both ZA and Comodo give a user is the outgoing protection. If any malware gets past your defenses, it will most likely try and phone home. Both ZA and Comodo will stop this and give the user a chance to say 'Yay or Nay'. That's an excellent backup to your normal defenses.
Firefox - Internet Browser - Don't use internet enema, as it's one of the weakest links in system protection. You have to tweak it a lot just to give you some protection. Firefox does a better job with minimal tweaking. You can also try Opera too. I've never used it, but hear good things about it.
These are all Free programs. I've been installing them in clients' systems since the early 90's, (except for Comodo which wasn't out then). Never pay for your system protection, the free programs are just as good as the 'pay' bloatware.
I've never had anything get by AVG. Norton and McAfee are bloatware.
Norton doesn't play well with other software, is a pain-in-the-butt to remove for most end-users, and still lets malware get past it. Ya gotta wonder about a program that has to have a separate 'removal' program on top of the standard uninstaller that comes with it. (Of course Norton claims it's for corrupted uninstalls.... yeah right. Do some searching and you'll find a lot of users saying otherwise...)
The important thing here, is not to take anyone's word as gospel on this. Search for reviews on all the products, (end users' reviews are better than the 'paid for reviewing sites'), and get a general feeling from them, and what is said here before deciding.
There was an article on one of the major sites recently that said the free programs were performing as good as and in many cases better than the pay programs. I wish I'd bookmarked it, but couldn't find it after a quick search today.
Good Luck!
Wabbit
-
Originally posted by wabbit
I've never had anything get by AVG. Norton and McAfee are bloatware.
Errr I've seen plenty get past AVG, not to mention its high level of false positives. McAfee is not bloatware, McAfee Enterprise 8.5i is one of the best AV scanners I've ever used. If your experience is limited to the McAfee retail products then I agree.
You really need to look at AV-Comparatives' retrospective tests ( http://www.av-comparatives.org/ ) to see how poorly products like AVG do (it fails the test completely on a regular basis).
BTW your blind faith in ZA and Comodo is amusing. Comodo is probably your best choice in personal firewalls, but having faith that these will stop malware getting out is misplaced: http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php#firewalls-ratings
IMHO personal firewalls are snake oil. They're only good for locking down well behaved applications. If you want to see a good top notch solution look at McAfee 8.5i Enterprise's features, especially Access Protection. Unfortunately this is not a retail product.
As far as end user reviews go I'd also say that's bad advice wabbit. I'm a security person, I'm knee deep in this stuff day after day. I've seen all sorts of reviews, and the reviews all have the same fault - they're written by people completely clueless or without skill in the relevant field (security!).
-
Now that I have a little more time to pontificate on this...
Here's the thing about antivirus software: for most users, it isn't really needed, but for the rest, the very best is needed. Paradoxical, No?
Here's the deal. In the old days, the main way 99% of users got a virus was via Floppy disk and via email attachments. Floppies are all but dead now and Email attachments are routinely checked by your ISP/Yahoo/AOL/Gmail/Hotmail/whatever before you even download them to your email client. Plus, you can tell a user to NEVER open EXE, COM, VBS, and BAT files (hey, sometimes they listen ).
Here's a true story. I have Kaspersky at my mom's house (uses AOL) and at a particular client's office (10 machines) that used to always get viruses (this latter group wouldn't pay for AV updates, let it lapse, and then viruses would get through - they've changed their ways after they paid me to clean the same user's machine something like 3 times one year). I switched this office to Gmail, BTW.
Anyway, in two years, Kaspersky's logs show NO VIRUSES coming in by email. Z-E-R-O. AOL and Gmail are catching everything before Kaspersky even scans it.
AV scanners are desperately needed, on the other hand, if the user uses Kazaa or some other P2P program to download illegal and pirated stuff, uses warez sites to get serialz and crackz, or has kids who use instant messenger software to chat with friendz and share files. So much of this stuff is infected with viruses that it's crazy.
When I review AV stuff these days, (and I used to be the primary AV guy for Windows Magazine back in the day), I find my tests mirror what av-comparatives come up with pretty closely. I have my own email server, and it defaults to sending all EXE, BAT, COM, and VBS attachments to a separate account, so I get a very large fresh sample in just a couple of days (about a thousand in a week is average these days). I also download various exes from P2P systems. Then I copy these files over to my various test systems in my lab, install and update the various AV programs, unplug the network cables, and then let a lot of these viruses run wild, and see what happens. NOD32, AntiVir, Kaspersky, and Norton AV do very well. AVG does not. McAfee is usually somewhere in between.
If you never do this "risky behavior," AVG is perfectly fine, and resource-light and free to boot. But if you do this sort of stuff, even just once, it simply isn't enough.
Norton AV gets a bad rap for being bloated these days for two reasons: 1. most people don't get norton AV by itself; they get Norton Internet Security (which has NAV baked in) or Norton 360 (ditto) and these two can easily overload a system, and 2. they haven't tried it since NAV2007 came out, which really killed the bloat, and NAV2008 did it even more.
Firewalls: You just gotta get a hardware firewall if you at all care about security. Period. Even if you just have 1 PC and DSL, you should get a consumer-grade hardware firewall and let it block the inbound stuff, AND CHANGE THE BLOODY DEFAULT PASSWORD.
For software firewalls, Comodo is quite good, but you know, if you don't care about outbound blocking (and I don't most of the time) the XP default firewall is pretty OK, especially when a hardware firewall is really taking care of business.
Your AV and Antispyware programs should be the things killing rogue apps that are trying to phone home BEFORE an outbound firewall tries to block them. If your software firewall is blocking a rogue app, then it's too late - the rogue app is installed and broadcasting.
So, to sum up: the original poster is asking for what we think the best apps are for security. For me, I would recommend, based on my tests and my experience with clients:
AV: Kaspersky 2007 or NAV 2008
Spyware: NOTHING if you're having no problems. If you suspect problems, then Spybot Search & Destroy and Ad-Aware for cleaning (both are free). If Spyware continues to trouble you, then SUPERAntiSpyware to clean the system and to try to keep new stuff out.
Firewall: Nothing or WinXP's, plus a hardware firewall. If you insist on outbound blocking, then Comodo.
Browser: Firefox. Blocks a lot of crud that IE is happy to let in.
And Windows Update turned on to full automatic mode.
-Llama
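The attachment-diversion rule llama describes for his mail server (EXE, BAT, COM and VBS attachments go to a separate account), as an added example that is not his actual server configuration: the messages, addresses and holding account are constructed here.

```python
"""Divert mail carrying executable attachments to a separate mailbox.

Added example, not the poster's mail server configuration: it applies the
rule described in the post (EXE, BAT, COM and VBS attachments go to a
holding account) to a parsed message. All sample messages are constructed.
"""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions diverted, as listed in the post; compared case-insensitively.
DIVERT_EXTENSIONS = {".exe", ".bat", ".com", ".vbs"}


def build_sample(attachment_name, payload=b"MZ\x90\x00sample"):
    """Construct a raw RFC 5322 message with one attachment (sample data only)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.org"
    msg["Subject"] = "see attached"
    msg.set_content("File attached.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


def divertable_attachments(raw):
    """Return attachment file names whose final extension is on the divert list.

    The last extension decides, so 'invoice.pdf.exe' is caught while
    'readme.exe.txt' is not; case differences such as 'SETUP.EXE' are handled.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in DIVERT_EXTENSIONS:
            found.append(name)
    return found


def route(raw, holding_account):
    """Mailbox the message is delivered to: the holding account if any
    attachment is on the divert list, otherwise the addressed recipient."""
    msg = message_from_bytes(raw, policy=policy.default)
    if divertable_attachments(raw):
        return holding_account
    return str(msg["To"])


if __name__ == "__main__":
    for name in ("Setup.EXE", "invoice.pdf.exe", "readme.exe.txt", "notes.txt"):
        print(f"{name:18} -> {route(build_sample(name), 'samples@example.org')}")
```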
-
OK I got a legit question for you llama about personal routers with and without "firewalls" in them.
Am I mistaken in my understanding that to get past the router they basically have to "hack" through it? with the router tables and internal / external IP's they can't "see" your PC without going after the router correct?
Now I know there are ways past these, but if you are smart, change the admin password to something legitimately secure, and re-configure the internal IP scheme you should be relatively safe... especially if you do not open any ports.
I will take my home system for example. I have a custom router name, host name, domain name, local IP of the 10.xxx.xxx.xxx variety, custom subnet to allow only 2 IP's (for my 2 PC's), custom password of 16 chars / symbols.
I went over 2 years not running any anti-virus, or spyware, I do go to "bad" sites, and every 8-12 months or so just for fun check my system out. never gotten a thing, not even a sign. I do use firefox (with adblock and noscript) for everything except win updates, and do those manually.
so is it luck, or my router that has kept me "safe"?
-
JB,
Interesting question.
(And for the record, my primary machine is XP WITHOUT any AV, Antispyware, and with no software firewall turned on, but it's behind a consumer-grade firewall/router. It is Ghosted regularly, so I always have a fallback backup, but for fun I installed two of my recommended AV apps and let it scan last month. Results: 0. "Risky" behavior? Just a little on this machine. I have a dedicated machine - or use a virtual machine in VMWare on this machine - to "test" the risky behavior. This mirrors your experience.)
Re: Hacking through a router: you are basically correct (but there's a gotcha) in that the router/firewall blocks direct access from the internet to your machine for the purposes of hacking through to it. BUT you COULD have a background program initiating the connection to the outside world through which a hack can occur, ESPECIALLY if you have UPnP turned on with the router (this opens up ports on the fly so things like Kazaa can get through without you having to manually open up ports.) I generally turn UPnP off and manually open ports and manually direct them to specific static IP addresses on my LAN.
It sounds as though you know a bit about TCP/IP, and that's good. What you've done essentially prevents additional machines from joining your LAN, which is good, but that really isn't necessary if you're just trying to block hacks in. The router set to NOT forward ports unnecessarily is enough.
Basically, you should only open up those ports you need opened. My router lets port 80 (and a few others for mail, FTP, SSH, and others) in to my server, a handful of very high ports for a certain online game to my gaming machine (the one without any protection, BTW), and then a few more ports to another machine for P2P testing and torrents. All the others bounce away.
BTW, based on what you've said, I'm guessing you have a NetGear brand firewall/router. Am I right? ;-)
Merely visiting "bad websites" and not getting infected is really a function of the web browser's security, or perhaps your AV software (in some cases). I'm guessing you're using Firefox or Opera (oh wait, you said you did. good.), which resist "drive-by downloads" much better than IE. Good.
The risky behavior I'm talking about is downloading EXE files that are supposed to be the latest PhotoShop, or maybe a crack for photoshop, or some new screensaver that has naked women pole dancing during idle times. Installing that stuff is risky alright, and I'm not talking about the WifeAck. Your firewall won't help you there. That's what AV is for.
-Llama
-
Sorry llama, but your advice is ok for 2 years ago. It needs a bit of an update. If you visit ***ANY*** website then you are participating in risky behaviour.
To assume that by avoiding 'risky' websites such as porn sites will save you (or even using browsers other than IE) is a mistake.
You have to understand malware is no longer the realm of script kiddies doing stuff for kicks or a reputation. Malware's biggest culprits are organized crime (i.e. the Russian mafia). No I am not joking, malware is big business now.
Just today someone hit 40,000 Chinese web servers with a javascript malware injection. I've seen websites such as Asus hit with malware injections, there's even been banking websites hit.
My recommendation? Make sure you have a good router/firewall, minimum spec should list "Stateful Packet Inspection". Make sure you have good commercial grade AV, Nod32, Symantec, McAfee, check the av-comparatives reports. Make sure you have good commercial grade antispyware.
Finally, if you do online banking and your bank supports two factor authentication GET IT. Or at least enquire.
-
Originally posted by Vulcan
Sorry llama, but your advice is ok for 2 years ago. It needs a bit of an update. If you visit ***ANY*** website then you are participating in risky behaviour.
To assume that by avoiding 'risky' websites such as porn sites will save you (or even using browsers other than IE) is a mistake.
I guess we'll have to agree to disagree on this, because I don't agree with you.
As a professional reviewer, it is also my job to filter out what is a vendor's sales pitch, what is a scare tactic, and what is a legitimate concern, based on my experience with other products and what I see in the field at clients.
I know what I have to clean off of client systems, how often I do it, and what the logs of various security programs say, and it just doesn't jive with "any" website being a risk, provided you get regular Windows/Firefox/Opera/Safari updates.
I was just at a major security vendor's HQ in San Francisco two months ago, for example. This was a hard core technical meeting spanning 3 days - no press relations or marketing people there other than to make introductions. One of the security programs protects against "drive by downloads," which is what we're talking about here.
In order to demonstrate this product's effectiveness, the browser HAD to be an older version (IE6 and Firefox 1.5.something, I believe, PLUS a few patches behind for IE). Indeed, the security caught and stopped the drive-by download all the time from a variety of sites, but when I insisted we install the latest IE7 and Firefox 2.0.0.3 (I believe), this security component never found anything. Why? Because the browser blocked it before the security app had a chance to. Two software engineers confirmed this with me. Ultimately, the marketing gal informed me that this level of protection is intended for users who are lax in their browser updates. Two weeks later. Over the phone. Riiiight.
BTW, what are the odds that a user who is lax about OS/Browser updates will also be lax about updating their security suite? About 95% as far as I'm concerned. This makes the drive-by-downloading protection a fairly weak feature in the real world, and I've reported as such.
And finally, I think this is a good debate, and I'm hoping to be proved wrong, for if I am, I think it will be a service to my readers and my clients.
I just don't think you've done it yet. ;-)
Respectfully,
Llama
-
llama, I've had this discussion many times before.... look at this thread (me on a NZ bbs I haunt):
http://www.gpforums.co.nz/showthread.php?s=&threadid=285280&perpage=25&pagenumber=4
Mid this-av-discussion I found a link to a NZ Audio retailer's website in another thread. Lo and behold, that retailer had a framed link for a banner advertiser who had been compromised and was trying to install malware via java (which would've worked in non-IE browsers).
In my role I've designed, deployed, and configured 1000-2000 seat sites (that's relatively big for the NZ market). This includes configuration of boxes from Sonicwall, Juniper, Foundry, Aventail, etc. Guiding the users through how their system works and observing behaviour post configuration on live large sites. Several of these sites give me unfettered access so that if they have an issue/question I can look into the problem and advise on it.
Yesterday I was slipping in a secondary Sonicwall Pro 5060 (~2Gbps firewall) as an HA Failover unit at a site. I also probably have one of the only Sonicwall E7500's in the southern hemisphere (~5Gbps firewall) - currently registered as Marks Home Firewall much to my boss's consternation :P
I have a lot of experience and have observed a lot of real world activity. I've seen how dumb users are, how browsers are used by the majority (how they usually turn security way down to get various apps to work right).
So I disagree with you. Unless you get your hands dirty with this technology you're always second guessing what is really going on.
So I have a lot of hands on experience.
edit: one question for you llama, no googling allowed, how much do you know about the storm worm?
-
The w32/storm.exe virus sent as email attachments, the Storm Worm-based botnet in general, or the Storm Worm "infected" websites with the IFRAME inject? Either way, lots.
I'm not really sure what we're debating here.
My argument is that, assuming you have an up to date alternative browser like Firefox or Opera, you should feel free to visit what I call "non-risky" sites protected with something free like AVG without significant fear.
I guess you're saying "Not so fast, even 'safe' sites can have risk. You should always have something more serious than AVG."
And I suppose if I didn't have to deal with budgets that can't afford virus-sensing "smart" firewalls, I might have that attitude too. Security is always a cost/benefit analysis, and in the Aces High world, decreased game performance due to "too much security" is a cost that must be balanced in addition to financial ones.
But getting back to your example of the Storm Worm infected sites - as I recall (again, no Googling), the IFRAME attack targeted only those browsers not up to date. In fact, I seem to recall the patch that blocked the automatic download had been released more than a year (two years?) after the GOP's site was one of the first that was compromised this past August or September. Patched browsers were presented with a "Do you want to download patch.exe? Yes/No" warning, as I recall.
I cannot recall ANY reports where a current browser automatically downloaded anything related to Storm.
Now I'm checking google...
Well, as of October 2007, the Safari 3 beta is automatically downloading exes. Sigh. IE and Firefox don't. This comes from TrendMicro. (http://blog.trendmicro.com/zero-day-flaw-in-safari-3003-web-browser-for-windows/)
My argument to that big AV company, and to you too, is that if a user can't be bothered to keep their browser up to date, then I think it's very unlikely that they'll keep their AV up to date, ESPECIALLY after that first year's definitions have started to get old because they don't want to pony up for another year's subscription. And, at least for drive by downloads, an updated browser is the best defence, IMO.
I have enough test machines (real and virtual) and security software licenses that I can pretty much check out any site with drive-bys and see what happens and report back here. Please send me some so I can test.
PM is fine if you don't want these URLS out there for anyone to click.
I seriously want to report on what's best for my clients and for the readers of CPU, and you've given me plenty to think about. However, you honestly haven't convinced me. Your credentials are impressive, but from what you've said so far, it seems your focus is blocking malware at the firewall level, but for all of my clients (and certainly, everyone here on the AH forums), such blocking is done via software at the PC level (excluding the consumer-grade NAT firewall, of course), which is the same level at which the browser interacts with the data stream. Different focus.
-Llama
-
My focus isn't just at a firewall level. UTM firewalls are not 100% assured to block viruses or malware. In a commercial situation I push a 3 tiered approach. Both a UTM firewall and good desktop AV/malware protection, coupled with proper reporting/alerting functionality (you'd be surprised at how many skip the 3rd bit when it is the easiest and cheapest bit of all - usually free).
For private users I push a reasonable firewall (SPI at least) plus good AV. AVG in my books is bad for two reasons, it has high false positives, and it has low proactive hits on new malware. AVG scores extremely badly on new stuff. Whereas products like NOD score very well (McAfee does 'ok').
I have absolutely no faith in a browser's ability to keep a user protected. I also have no faith in a user being smart enough to not click on a link emailed to them and enter sensitive credentials. I've been having a discussion with our Mac guys about the new Apple malware. They seem to think that having to enter a username/password negates the malware entirely. They have no idea how unaware users are of what this can mean, and how readily users will enter that information to be able to see some sort of (porn) video.
Between all the browser exploits that come and go, and between user ignorance, I have no faith. That is why I push a good commercial AV solution.
Now, as for 'smart' UTM firewalls. How much do you think one costs?
You can buy a Sonicwall TZ-150 Wireless TotalSecure bundle for ~US$340. That gives you a UTM Layer7 firewall, with 4 switch ports, built in wireless b/g AP, 1 Year of Gateway Antivirus, Intrusion Prevention, Gateway Antispyware, Web Content Filtering, and ViewPoint reporting software (as well as the enhanced warranty). Given what some people spend on PCs, accessories etc. That's not that expensive. And if you have kids the content filtering is a great bonus. Sonicwall even have a lower end AV/IPS/Spyware only gateway (no idea on $$$).
So what I push/preach is not out of reach for small business or even home users.
-
Is there a way to reroute the filtered content to yourself? If so, I'm sold! :D
-
Vulcan,
You've been supplied with ample evidence that suggests my claims are on the mark, including:
* The software engineers and the marketing flack of a major AV company demonstrating that their drive-by-downloader protector doesn't get activated when the browser is current.
* The Storm Worm IFRAME flaw stories all around the Net, stating that older, unpatched browsers are affected and vulnerable, but patched, current browsers aren't.
* The TrendMicro link I provided a few posts ago.
* My main PC, running without AV for 3 years, and visiting thousands of typical sites, is uninfected, as verified by Kaspersky and NAV2008 5 weeks ago, while using a current browser.
* JB73 Reports the same thing. (these last two are anecdotal, of course, but at least they are actual, specific examples)
I have asked, repeatedly, for EVIDENCE that shows the vulnerability you assert that patched, up-to-date browsers have. I've asked for URLs to test. I've thus far seen none.
I'll now settle for published reports that make this claim.
When I'm saying that "I'm not convinced," I am asking that you convince me. Present evidence. Please. I'm shooting for the truth here. It doesn't serve my clients or my readers if I am wrong, and my goal is to learn what's true.
Simply stating "I know what I'm talking about" isn't evidence. Even someone with the best credentials could be wrong. *I* could be wrong.
And finally, thanks for the heads-up on the Sonicwall TZ-150. That's a very fair price point for all those features. I can think of one client already who would probably want one. Heck, *I* want one.
Anyway, the whole point of this post is: "Evidence, Please."
-Llama
-
To add fuel to the anecdotal evidence I will admit a few things that I wouldn't normally, as things for you guys to check on.
I sometimes go to adult sites found via google that require joining, and have multiple pop-ups even with firefox. I until a few months ago used "Ares" to DL music, sometimes even "recent" pop hits for my friend's wife (they are so bad browsing they actually got a BHO, a keylogger, a trojan, and a virus using firefox all in 1 week). I also download torrents.
I am also lax in my actual windows updates. I do them about every 6 months.
Now I will call myself smart for conversation lol, but say I get a pop up that looks like a windows message I know that if the cursor is a "hand" it is not a real windows message. things like that are so common it scares me. I know when "your PC may be infected!!!111" is fake, as I don't have software running to watch that. I keep a pretty close eye on my services running, and use cprocess to see actual modules under a process. when I do my yearly or so inspection I download the latest ad-aware, spybot, hijack this, and avast on a separate machine, jump drive it to the pc, install it and download any updates. once ready I disconnect the network, boot to safe mode, and spend 3 hours searching the system.
Most recently all I found was 22 tracking cookies from the usual ad sites, nothing special. Most of them were from the past week's browsing, and I knew they were there; I was just too lazy to bother getting rid of them.
For what you guys are debating I have a perfect example. A guy I know as a friend of a friend has asked for my help a few times fixing his PC. after the first time I stopped returning his calls. This guy spent a 1/2 hour explaining how "the FBI was looking at his temp files" and the "virus alerter" told him to get a temp file cleaner because he was looking for "teen thumbnails". :( :rolleyes: :confused: :cry
after not even being able to install ad-aware after 2 hours of working on downloading it I told him I had to re-format his PC. he said that wasn't possible as his wife's nursing school stuff was on the PC, and their kids had spilled soda in the CDR drive so we couldn't even back up anything.
Some people are, and forever will be helpless when it comes to this stuff. I don't care what you sell them, they will kill their systems, and perpetuate the cycle of malicious stuff on the internet. that I can guarantee from actual experience.
-
Originally posted by llama
I have asked, repeatedly, for EVIDENCE that shows the vulnerability you assert that patched, up-to-date browsers have. I've asked for URLs to test. I've thus far seen none.
Try some yl18.net URLs, they're in strife at the moment.
Oh and: http://www.kb.cert.org/vuls/id/715737
Vulnerability Note VU#715737
Mozilla Firefox jar URI cross-site scripting vulnerability
Overview
Mozilla Firefox contains a vulnerability that may allow an attacker to execute code, or conduct cross-site scripting attacks.
I. Description
The jar protocol is designed to extract content from compressed files. Mozilla based browsers include support for jar: URIs that are of the form jar:[url]![filename path]. From the GNUCITIZEN blog, jar: content runs within the scope/origin of the secondary URL. Therefore, a URL like this: jar:https://example.com/test.jar!/t.htm, will render a page which executes within the origin of https://example.com.
To successfully exploit this vulnerability, an attacker could place a specially crafted archive file on a vulnerable site and convince the user to open the file with a Mozilla based browser. An attacker could use sites that allow user-submitted content to distribute malicious archived files.
II. Impact
This vulnerability may allow an attacker to execute cross-site scripting attacks on sites that allow users to upload pictures, archives or other files. If the user opens the malicious URI with a Firefox Addon, an attacker might be able to execute arbitrary code.
III. Solution
We are currently unaware of a practical solution to this problem.
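The note above explains the jar: URI form and the point that matters to a defender: archive content rendered through jar: executes with the origin of the archive's URL, so a jar: link to a file on a site that accepts user uploads runs as that site. The following is an added example (not code from the CERT note, from GNUCITIZEN or from anyone in this thread) of a check a site operator or proxy could run over submitted HTML: it parses any jar: links, reports the origin each would execute under, and flags those whose archive sits on a host from a hypothetical list of user-upload hosts. The sample HTML, the host list and the function names are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample page: a forum post body with one ordinary link and two
# jar: links. Made-up input for this example, not content from the thread.
SAMPLE_HTML = """
<p>See my photos: <a href="https://uploads.example.com/u/123/album.zip">album</a></p>
<p><a href="jar:https://uploads.example.com/u/123/album.zip!/index.htm">viewer</a></p>
<img src="jar:http://cdn.example.org/pack.jar!/img/pic.gif" alt="pic">
"""

# Hosts on which anonymous users may upload files (hypothetical list).
USER_UPLOAD_HOSTS = {"uploads.example.com"}

# Pulls the value out of href="..." / src='...' attributes; sufficient here.
_ATTR_RE = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def parse_jar_uri(uri):
    """Split a Mozilla jar: URI into archive URL, inner path and effective origin.

    A jar: URI has the form jar:<archive-url>!/<path-inside-archive>. Per the
    advisory, the extracted content runs with the origin of <archive-url>, so
    that origin is what a reviewer needs to see. Returns None for non-jar URIs
    and for jar: URIs whose archive is not an http(s) URL.
    """
    if not uri.lower().startswith("jar:"):
        return None
    rest = uri[4:]
    sep = rest.find("!/")
    if sep == -1:
        return None
    archive = rest[:sep]
    inner_path = rest[sep + 1:]          # keep the leading '/'
    parts = urlsplit(archive)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    origin = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    return {"archive": archive, "inner_path": inner_path, "origin": origin}


def find_jar_links(html, upload_hosts=USER_UPLOAD_HOSTS):
    """Return one finding per jar: link found in the HTML.

    Each finding records the origin the archive content would execute under
    and whether that origin is a host accepting user uploads, the case the
    advisory singles out (upload an archive, then link to it with jar:).
    """
    findings = []
    for value in _ATTR_RE.findall(html):
        uri = value.strip()
        parsed = parse_jar_uri(uri)
        if parsed is None:
            continue
        host = (urlsplit(parsed["archive"]).hostname or "").lower()
        parsed["uri"] = uri
        parsed["hosted_on_upload_site"] = host in upload_hosts
        findings.append(parsed)
    return findings


if __name__ == "__main__":
    for f in find_jar_links(SAMPLE_HTML):
        flag = "UPLOAD-HOST" if f["hosted_on_upload_site"] else "other"
        print(f"{flag:12} origin={f['origin']} path={f['inner_path']} uri={f['uri']}")
```

Run on the sample, the second link is reported as executing under https://uploads.example.com and flagged because that host is on the upload list; the third is reported under http://cdn.example.org and left unflagged. A plain https link to the same .zip produces no finding, since it is the jar: wrapping, not the archive itself, that changes the execution origin.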
-
Vulcan,
Thanks. I'm at a client's now, so I obviously can't test. I'll check it out on some test systems tonight.
-Llama
-
pandora jar
:aok
err, oops lol. was a jar that would grab the songs you listened to off pandora. what a PITA to get it going though. have to manually write a batch file, jump through this and that hoop, glad I stopped bothering with it almost a year ago.
oh and thanks for the notice vulcan, I always keep noscript going and up to date, that should help, the article says.
-
Vulcan,
Thanks for the link. I don't think you're gonna like my findings.
First of all, the news is 2 days old, and most of the yl18.net files are no longer working (I'm remoting into my home test machine - I'm just too curious to wait, trying to find some live ones - no luck yet). The best I can do right now is to read the security forums of two days ago, when people were actually able to check out the sites live. There are few screenshots, but this is an interesting one:
(http://www.iamthellama.com/yl18.png)
It shows IE7 (which I am going to assume is fully patched, but you never know) rejecting the automatic download of stuff. Yes, the user is prompted to do something. Foolish users can and will allow for it to download and run, but many (most?) AV products will prompt the user anyway. Changing the prompt from the browser to the AV app isn't necessarily better security. I know norton would probably automatically block it, and I hope others would too, but I'm guessing there's probably a lot of prompting going on from various AV programs.
I'm searching for infected sites with:
http://www.google.com/search?hl=en&hs=ciV&q=%3Cscript+src%3D%22http%3A%2F%2Fyl18.net&btnG=Search
and I must admit that the hacking is spread over a broad swath of the internet, ranging from real estate agents, tire stores, the Cincinnati Rodeo (I had no idea there was such a thing), so there's no doubt that "typical" websites can be compromised.
However, can up to date browsers let in malicious code automatically? It doesn't seem so.
The hackinthebox post you directed me to even alludes to this:
"...This code downloads, without prompting, a small number of executable droppers, and executes them on vulnerable systems ." (my emphasis)
This is typically weaselly journalism that can be interpreted ambiguously, probably because the writer didn't fact check it properly. Is only execution possible on vulnerable systems? Downloading and executing? The sentence could be read both ways.
The screenshot suggests BOTH downloading and executing are only possible on vulnerable systems.
Thoughts?
-Llama
-
Whoops. It occurs to me that the screenshot only shows ONE thing being blocked. There were probably many things that needed blocking. How many actually were? I dunno. I wasn't there and the forum poster didn't say.
Hmmmm.....
Llama
-
You underestimate the stupidity of users and social engineering. Most would look at the download prompt and see Microsoft Corporation and click on OK.
I know plenty who refuse to use IE7 as well (it has its own issues). And as you can see above other browsers are not flawless. Usually there is enough time between flaw discoveries and flaw fixes to release valid exploits.
Unless a user gets a prompt saying "OI STUPID THIS IS A VIRUS!" they will click on "OK run it". As the mac community is currently finding out.
Your faith sits on the browser being up to date and the user being knowledgeable enough not to click.
My focus is on providing automated solutions which intervene on user action so that when the user clicks on OK run it the AV steps in and sorts em out (or in the case of a 'smart' firewall the content never gets to the user to ask them to run it in the first place).
-
Oh and I usually monitor here for 'stuff' thats going on: http://isc.sans.org/
-
Vulcan,
So here we are, a few days later, and I think we're losing sight of the original discussion. When asked what security software I recommended, I said (copy and paste follows):
AV: Kaspersky 2007 or NAV 2008
Spyware: NOTHING if you're having no problems. If you suspect problems, then Spybot Search & Destroy and Ad-Aware for cleaning (both are free). If Spyware continues to trouble you, then SUPERAntiSpyware to clean the system and to try to keep new stuff out.
Firewall: Nothing or WinXP's, plus a hardware firewall. If you insist on outbound blocking, then Comodo.
Browser: Firefox. Blocks a lot of crud that IE is happy to let in.
And Windows Update turned on to full automatic mode.
and I wrote one post later:
Merely visiting "bad websites" and not getting infected is really a function of the web browser's security, or perhaps your AV software (in some cases).
I think we've both established that modern patched browsers (usually - I guess we could debate that too) block drive by downloads, but can be made to present "socially engineered text" that manages to trick users to allow the downloads to happen anyway. You say a good AV software is vitally necessary to then prevent the downloads to run after the user is tricked.
So do I. Note the recommendation of NAV2008 or Kaspersky 2007. And yet despite this, my description of "not getting infected is really a function of the web browser's security, or perhaps your AV software" still stands.
I think the only point of contention we have here is my saying that some users visiting "typical sites" with updated browsers are "good enough" with AVG. I think if the user in question is aware of the attempt that will be made to trick them into agreeing to download stuff, then AVG is fine.
I agree with you, however, that if the user is more likely to "click first and ask questions later" (and we both know all about those users - my business is ultimately based on them), more robust AV software is necessary.
Another Example: a very good friend of mine, who is a fairly good PC consultant, just let me look over his notebook this morning, because it was acting very very VERY slow (80% CPU utilization at idle). Totally rootkitted. He was running AVG and using IE6 (why?! why?! Oh God Why?!?!) to check out some security sites in China earlier this week (he never got more specific, and I don't need to know.) Clearly, AVG with an older, unpatched browser is not enough.
But I never said it was...
-Llama
-
Originally posted by Vulcan
Unless a user gets a prompt saying "OI STUPID THIS IS A VIRUS!" they will click on "OK run it". As the mac community is currently finding out.
First of all, I'm writing this on a macbook pro of all things.. :lol
I'm not really an Apple fan, but got this for a tool now so I got to deal with it. I've found that most Apple users have been lulled down to a false sense of security. They really believe Mac is invulnerable to viruses and malware because they have been so rare in the past.
I know at least a couple users who would still click the link if it shouted 'this is a virus do not click' on their face. My mom is one of them. Sometimes she calls me for help, I ask her to repeat to me what it says on the screen (firewall msg etc) and this solves the problem. She's literally so panicked with the box that her brain refuses to even consider she could solve the problem by reading the message and instructions on the screen.
-
Yup my apple colleagues are quite concerned with the new malware doing the rounds. First because it doesn't actually attack an exploit vector, and uses social engineering.
Second because apple have an immature security industry unlike windows, look at us arguing over which AV is better on the PC pulling out statistics and proper evaluations. Whereas the handful of AV products for the apple are little more than afterthoughts.
Oh and llama, IE6, I still use it. There are still many issues with IE7, and even Firefox has its oddities. So I need IE6 (I usually need two browsers because at least one of them doesn't do 'something' right, be it rendering a page wrong or caching a page it shouldn't).
-
Originally posted by Larry
I don't know if this should be in the H&S forum or not but what the heck. I'm looking to buy some antispyware and virus scanners and I'm willing to pay around $100-150 for them. So what are the best ones you've used?
Avast gets my vote, it's free, after 5 years it's never let me down. I hear AVG, also free, is good too.
Lavasoft Ad-aware for spyware, same price.
-
Originally posted by Vulcan
Oh and llama, IE6, I still use it. There are still many issues with IE7, and even Firefox has its oddities. So I need IE6 (I usually need two browsers because at least one of them doesn't do 'something' right, be it rendering a page wrong or caching a page it shouldn't).
Vulcan,
Hey, me too. I can't stand IE7, so IE6 is still on my systems. I just wouldn't dream of using it at the various risky sites out there.
Yeah, FF can be vulnerable against zero day attacks for a little while too (though FF got updated like 4 times in the past two months - good for them), but I'm a diehard Opera user myself. Still no guarantee, but an extra layer of obfuscation...
-Llama
-
Hey llama wtf dude:
Virus Attempts % of Attempts
1 HappyTime_3 (Worm) 1 100.0%
1/1 records are shown as detailed information
Source Destination Attempts % of Attempts
12.39.144.18 192.168.60.91 1 100.0%
Was checking our weekly reports and saw this. That IP resolves to: http://www.computerpoweruser.com/ which I visited Friday (Thursday your time) to check out who CPU magazine was (you mentioned you wrote for them).
I checked my browser history, I only went onto your CPU's main page and some forum posts, and revisiting didn't result in any hits. So I think it must've been embedded in a banner advertisement.
-
Vulcan,
Heh. Funny stuff.
As luck would have it, I'm doing a review of ESET's NOD32 (which I really like, BTW) this month, so I've had it running on a test machine that only has IE6, and the whole box is behind in its patches by about 8 months.
NOD32 has a web-surfing-protection component, so I went to the CPU website and trolled all around the forums, some articles, and so forth. NOD32 reports nothing. I then tried a VMWare machine with NAV2008, which has a drive-by-download protector and did the same thing with the same browser.
Both logs and quarantines show the same thing, which is to say, nothing.
It seems likely to me that there's a hacked banner ad. That said, I don't have a thing to do with the website, and in fact, I don't even know who runs it or what platform it runs on.
I'm going to forward your note to my editor and let them deal with it. Thanks for the heads-up.
-Llama
-
I'm not a security expert and I don't have the breadth of experience with as many applications, but we run some Secure Computing gear here at the office (IronMail and WebWasher) to which Vulcan referred in an earlier post, and when I look at the Javascript-based malware counts that the WW machine is stopping every day (we're over 22K instances in just the last 4 months), I'm damn glad we have it. It really is a different world than ten years ago in this area.
That said, for home users I like Avast for those that wouldn't pay for software and NOD32 for those that see the value in greater protection for a few bucks.
-
I've never had a chance to play with the Secure Computing stuff but it does look nice. (Although I trained/qualified in Ironmail before SC bought Ciphertrust).
If anyone was wondering about my previous post, well on Friday I was wondering who CPU magazine was (that Llama said he wrote for) so I went to their website. In browsing their website our work firewall (Sonicwall) blocked a malicious piece of malware, most likely this was embedded in a rolling advertising banner. Many websites use these to gather revenue, and the content is usually hosted somewhere else. CPU Magazine did no wrong but it goes to show how 'trusted' websites can be sources of malware.
-
Bit Defender Antivirus 2008... $25 bucks. Used for the past two years, it has never failed to protect against attacks from viruses and malware/adware.
WinXP, Zone Alarm, Linksys Router
-
This is a fascinating thread. I must confess I've used most of the spyware fixers, paid for and free, and all they EVER find are cookies and it does make me wonder if the spyware thing is just more AV hype. Still do scans now and then (Kaspersky does them anyway) with spybot, adaware or Spysweeper. I almost want them to pick something up sometime!
I would always have AV as it will pick up malicious e-mails.