Aces High Bulletin Board
General Forums => Hardware and Software => Topic started by: Getback on December 02, 2015, 06:11:29 AM
-
I'm no expert on this subject. However I'd like to share what little I know.
I recently purchased a new computer, and I still don't know what was wrong with the other one, but it did at one time have a nasty virus. Then the new computer felt like it was under attack. At that point I activated the anti-virus program, which included a firewall. After running the software it found nothing. Yet I did some research. After reading several articles I learned you should have two AV programs, one for viruses and one for malware. I used to do this regularly but had gotten away from it for some unknown reason.
So I ran the malware software on the new computer and it found nothing. Then I ran it on my everyday computer and there were 51 unwanted programs on it. I thought wow! Something tells me that my old gaming computer, the one I just replaced, will be full of these. As soon as I get it set up in my spare bedroom we'll see.
I really don't like running anything on my gaming computer but it has become a necessary evil. I would advise everyone to do the same.
-
Yet I did some research. After reading several articles I learned you should have two AV programs, one for viruses and one for malware.
That is not entirely true. Viruses are malware. So an AV program should detect malware.
Some people like to run an AV program and then use something like Malwarebytes to do occasional scans. The reasoning for this is that no single AV program is ever 100% effective, and the Malwarebytes free version is not "active" (you cannot have two AV programs active on a PC or brown stuff meets a fan). So Malwarebytes acts as a second "passive" AV program you can do weekly or monthly scans with.
-
That is not entirely true. Viruses are malware. So an AV program should detect malware.
Some people like to run an AV program and then use something like Malwarebytes to do occasional scans. The reasoning for this is that no single AV program is ever 100% effective, and the Malwarebytes free version is not "active" (you cannot have two AV programs active on a PC or brown stuff meets a fan). So Malwarebytes acts as a second "passive" AV program you can do weekly or monthly scans with.
That is spot on, Vulcan. :aok These days it does require more than one security option. It is amazing how easy it is to catch a virus or even small bugs (as I call them). Some websites load adware just by going to them.
-
That is not entirely true. Viruses are malware. So an AV program should detect malware.
Umm... To confuse people even more by being exact to the point: not all malware are viruses, so an AV program can't be expected to detect all malware.
Malware means every type of malicious software, including viruses. Some of the subtypes are questionable, like adware. I know a university professor who thinks that the book suggestions on Amazon based on his shopping history are a real time saver and good customer service. For me it's spying. Several years ago some adware companies threatened to sue Symantec if they continued to hinder their legitimate business by cleaning adware.
I like the term PUP, Potentially Unwanted Program, because it allows the cleaning of anything without stepping on someone's toes.
-
Be careful because multiple AV programs can create compatibility issues and render both programs useless.
That said Malwarebytes does seem to generally coexist well with many AV programs. I'm running it on my smart phone with Avast.
-
Be careful because multiple AV programs can create compatibility issues and render both programs useless.
That said Malwarebytes does seem to generally coexist well with many AV programs. I'm running it on my smart phone with Avast.
A great piece of wisdom there ^ :salute
Building multi-layered security involves using programs that add instead of multiply. Two active antivirus programs will fight each other, using all of the computer resources. One AV and one anti-malware will fill each other's gaps. Add to that a general hardware firewall (often in your modem) assisted by a more refined software version in your computer - remember, the restriction always wins in case of different settings! For maximized safety do regular backups of your entire system, preferably keeping them in a safe place outside your house.
Last but not least: The biggest risk for all computing safety sits between the keyboard and the back rest.
-
That is not entirely true. Viruses are malware. So an AV program should detect malware.
Some people like to run an AV program and then use something like Malwarebytes to do occasional scans. The reasoning for this is that no single AV program is ever 100% effective, and the Malwarebytes free version is not "active" (you cannot have two AV programs active on a PC or brown stuff meets a fan). So Malwarebytes acts as a second "passive" AV program you can do weekly or monthly scans with.
With what little I know I disagree. The reasoning is simple, my malware found issues that my AV didn't.
-
With what little I know I disagree. The reasoning is simple, my malware found issues that my AV didn't.
I'm not sure how that disagrees with what I said. And I work in IT security for a living.
-
Umm... To confuse people even more by being exact to the point: not all malware are viruses, so an AV program can't be expected to detect all malware.
No. That has not been the case for about 8-10 years now. Current AV software is expected to catch malware. If it doesn't then it would be considered rubbish.
The issue, as with all things, is that nothing is 100% perfect. Malware makers are making huge profits from their activities, so they are investing much more in the threats they develop. We are effectively in an IT war at the moment. We see a minimum of 20,000 new malware/viruses per day, and sometimes it gets up to 80,000.
I regularly/commonly see new threats coming through where signatures are lagging 2-5 days behind. Some of them are absolutely scary (I had a customer get attacked with malformed PNGs that trigger Java exploits).
The next big thing in security is ATD (Advanced Threat Detection), also called (incorrectly) APT, and (confusingly) Sandbox. The problem is it is not like the 'sandbox' AV client most people are familiar with, and it requires significant resources to run (i.e. business grade only).
-
No. That has not been the case for about 8-10 years now. Current AV software is expected to catch malware. If it doesn't then it would be considered rubbish.
I stand corrected, my examples may be outdated.
However, many Anti-Virus and Anti-Malware programs have an option to search for Potentially Unwanted and Potentially Dangerous programs. In my book they rate as malware, but since their detection and removal has been made optional, the judgement is up to the user. I'm not trying to say some viruses were "nicer" than others, but especially the new ones can have a very small footprint. From what I've learned about current viruses and adware, the latter can really cripple a computer. But since slowing down can be considered a choice rather than a nuisance, AV programs may not clean them. At least not by default. This information I know is up to date. This is one reason why I feel it is important to clarify the terminology. The other thing is rogue Anti-xxx programs that try to scare people by tagging every cookie and temporary file as harmful.
-
The alternative is to shutdown/block the attack vectors. No matter how many are created daily, there are a limited number of attack vectors they all use.
Of course, you have to be able to give up all the "sparklies" (no java, no javascript, no activex, no flash, no file associations....) to do that. It is always a tradeoff.
-
I try to run without JavaScript enabled, but the problem with that is the vast majority of web pages end up being unusable or, in many cases, totally blank with JavaScript off. So I enable it on a per-site basis, but that is actually pretty useless as a security measure because even well-known sites have been hacked to deliver malware. The only true solution is to pretty much give up on the internet and go read a book.
-
Oh, I also forgot to mention I have a hardened firewall. I tend to forget about that. It catches any bad guys before they can get to any of my computers.
There is one filter which catches any binary data in the WEB port(s) data stream which is not supposed to be there. It lets me know about it so I can enable or disable that data coming through. Another filter checks the image data to ensure it is not carrying a bad guy.
35+ years on the net and nothing has nailed me yet.
-
I stand corrected, my examples may be outdated.
However, many Anti-Virus and Anti-Malware programs have an option to search for Potentially Unwanted and Potentially Dangerous programs.
That's a good point. Yet another bit of security trivia. Many years ago there was a company called Gator; they made adware. If you went and downloaded shareware from places like download.com, it often had Gator bundled in. Buried in the EULA was the acceptance that you'd get Gator installed. Gator injected ads into browsers.
Some AV companies then added Gator to their detections, and by default it was classified as a 'virus'. Gator then sued said AV companies and won. So now we have the malware category and potentially unwanted programs, so the AV companies don't get sued.
-
The alternative is to shutdown/block the attack vectors. No matter how many are created daily, there are a limited number of attack vectors they all use.
Of course, you have to be able to give up all the "sparklies" (no java, no javascript, no activex, no flash, no file associations....) to do that. It is always a tradeoff.
The most common vector is email.
And you don't have to give up all the sparklies if you have a good firewall scanning all that traffic ;)
-
Probably almost everyone has a hardware firewall (say a WiFi router) but what fraction of those people do you think know how to program it?
-
The most common vector is email.
And you don't have to give up all the sparklies if you have a good firewall scanning all that traffic ;)
Very true. LOL! I forgot the most common attack vector. DOH!
I mentioned shutting all that fluff down as an option, as most people do not have a decent firewall, even though they think they do.
I still shut off many things as they are just a nuisance to me. Java will never be installed on any of my computers, for example.
-
Probably almost everyone has a hardware firewall (say a WiFi router) but what fraction of those people do you think know how to program it?
That's so very true! I've been trying to find instructions about what and how to program it, but that information can't be found in the manuals. "This function allows you to set this function as enabled or disabled" doesn't really give you any information. So after several brands of modem/routers I've simply set the firewall to "on" using default settings. So far both my operator and myself have been happy with that. I've worked on cases where the service provider has closed the connection until the virus traffic has been cut down.
-
Probably almost everyone has a hardware firewall (say a WiFi router) but what fraction of those people do you think know how to program it?
Those firewalls are very simplistic. One should not rely on those to provide proper security against many different attack vectors. About the most consistent thing they do is prevent outsiders from asynchronously attacking your network. What they don't stop is most everything else.
There are many dedicated firewall devices available. The best are going to cost quite a bit, but then provide more than passive protection. Vulcan can talk about that better than I can, as I built my firewall.
-
Most of them are just packet filters. Not even what I would class as a firewall.
Packet Filters < Stateful Packet Inspection Firewalls < Deep Packet Inspection Firewalls.
Packet filters merely check packets against basic policies and are very easily bypassed/attacked. They do not detect data content such as viruses or malware.
SPI firewalls have a state table, so they are robust against being bypassed and against stateful attacks. They do not detect data content such as viruses or malware.
Only a DPI Firewall will detect and block malware and viruses.
There is a range of SPI firewalls that try to pretend to be DPI but are not really (often the freebie stuff using proxy to do AV scanning). However they are better than just SPI.
Home users typically do not use DPI firewalls as they tend to start off a bit more expensive (around us$500 with 1 year of services included and up from there).
-
Unfortunately the bad guys are winning right now, using SSL over port 443 (which is almost always open) to connect to the mothership (the bad guys' HQ networks).
I work with a number of DPI / NG firewalls and WAF, IDP, and reputation/category filters etc. for big companies.
For home users/small businesses, IT education and awareness is more important than all the firewalls and antivirus/malware programs in the world, even if they do help out.
The cheapest way of getting out of trouble for a small company is to use an appliance firewall with proxy and DPI, with reputation/category filters, and locked-down PCs with good antivirus/antimalware programs.
The best way of protecting a website is to use a WAF; they are incredibly expensive and manpower hungry though.
-
A good DPI firewall will block access to C&C botnets, and will also SSL Decrypt.
WAF is not necessary for all websites; IPS should be enough. WAF is only really for transactional websites where you think your site might accidentally divulge stuff it shouldn't.
Anyone using a proxy based firewall should be shot. They have severe memory and scan limitations.
-
A good DPI firewall will block access to C&C botnets, and will also SSL Decrypt.
WAF is not necessary for all websites; IPS should be enough. WAF is only really for transactional websites where you think your site might accidentally divulge stuff it shouldn't.
Anyone using a proxy based firewall should be shot. They have severe memory and scan limitations.
WAFs are sometimes required outside of financial websites (read: governments, military, etc.). Most also provide functions that allow them to remove some or all digits of a credit card number, or social security numbers, etc., on an input/output stream.
A firewall does not need to be proxy based to be able to use, for example, HTTP-based proxy functions.
Agreed, a proxy-based firewall has limitations (or hefty hardware requirements).
-
What about using a Linux-based software firewall distro on an old spare PC box, i.e., ClearOS (https://en.wikipedia.org/wiki/ClearOS) or IPFire (https://en.wikipedia.org/wiki/IPFire) ?
-
WAFs are sometimes required outside of financial websites (read: governments, military, etc.). Most also provide functions that allow them to remove some or all digits of a credit card number, or social security numbers, etc., on an input/output stream.
You are confusing IPS and DLP with WAF. A WAF's primary function is to validate web transactions (not necessarily financial) against a known rule set or baseline. Commonly they're used to protect SOAP/XML transactions, or anything hooking into a database. WAFs typically have an IPS function, though usually very limited. If you're buying a WAF for IPS/DLP then that is a very expensive and inefficient way of doing it.
-
WAF appliances are normally modularized; you pay for the functionality your/your customers' security policy requires, and yes, they are expensive.
-
Oh, I also forgot to mention I have a hardened firewall. I tend to forget about that. It catches any bad guys before they can get to any of my computers.
There is one filter which catches any binary data in the WEB port(s) data stream which is not supposed to be there. It lets me know about it so I can enable or disable that data coming through. Another filter checks the image data to ensure it is not carrying a bad guy.
35+ years on the net and nothing has nailed me yet.
Skuzzy could you elaborate as to what you mean by hardened firewall.
If you remember, I just recently had to redo my PC due to ransomware encrypting my PC. Too bad for them that I keep nothing of value on my PC, so I just did a reinstall. I use Malwarebytes Premium, Windows Firewall generally (but I had turned it off), and the NAT in my modem. None of it worked.
It was a pain getting my PC back to where it was. It had been a while since I had to do an install and of course I had forgotten many little tidbits. Just do not do it every day.
So some knowledge on the subject would be appreciated. Some knowledge that did not interfere with the game and would stop this ransomware crap. Best choice for firewall options, best choice for a single virus killer. Also, what are the best security settings for IE 11?
ty
-
The broadest explanation of a hardened firewall simply means it has more features dealing with securing a connection (packet filtering, stateful data and header checking, application proxies....).
-
Hardening in general IT terms means you do things to lock down something and minimize its attack surface (i.e. fewer points of vulnerability). It applies to all IT products, not just firewalls.
Firewalls are broken down into:
- packet filters (simplest form, not really effective these days, this is what most home routers are)
- Stateful Packet Inspection (most common but useless against modern attacks/threats)
- Deep Packet Inspection (current technology which is most effective but requires more CPU horsepower)
-
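The two posts above (the "Packet Filters < SPI < DPI" ranking and the three-tier list just before this) both turn on one point: a packet filter judges each packet from its headers alone, while a stateful firewall only admits inbound traffic that matches a flow the inside host opened. The toy model below is an added example written for this page, not code from any poster or product. It assumes a routed home LAN of 192.168.1.0/24 and a packet filter whose only "reply" rule is the common stateless one, "inbound TCP is allowed if the ACK flag is set". All packets are constructed inline; nothing touches a real network, and NAT and sequence-number checks are deliberately left out to keep the contrast visible.

```python
"""Packet filter vs stateful inspection: a toy model (added example)."""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_outbound(pkt: Packet) -> bool:
    """True when the packet leaves the LAN for the outside."""
    return (ipaddress.ip_address(pkt.src) in LAN
            and ipaddress.ip_address(pkt.dst) not in LAN)


def stateless_allow(pkt: Packet) -> bool:
    """Packet filter: one decision per packet, from its headers alone.

    Rule 1: anything leaving the LAN passes.
    Rule 2: inbound TCP passes only if ACK is set, which is the stateless
    stand-in for 'this is a reply to something we started'. An attacker can
    satisfy that rule by simply setting the flag (an ACK scan).
    """
    if is_outbound(pkt):
        return True
    return pkt.ack


class StatefulFirewall:
    """Keeps a table of flows the LAN side opened; inbound must match one."""

    def __init__(self) -> None:
        # (lan_ip, lan_port, remote_ip, remote_port)
        self.flows: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if is_outbound(pkt):
            if pkt.syn and not pkt.ack:  # new outbound connection attempt
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: the reversed 4-tuple must be a flow we recorded.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def run_scenario() -> dict:
    """Three constructed packets: our SYN, the server's SYN/ACK, and a
    forged inbound ACK-only packet aimed at SMB on a LAN host."""
    fw = StatefulFirewall()
    syn = Packet("192.168.1.10", 51000, "93.184.216.34", 443, syn=True)
    synack = Packet("93.184.216.34", 443, "192.168.1.10", 51000,
                    syn=True, ack=True)
    forged = Packet("198.51.100.7", 40000, "192.168.1.10", 445, ack=True)
    return {
        "stateless": {
            "syn": stateless_allow(syn),
            "synack": stateless_allow(synack),
            "forged_ack": stateless_allow(forged),   # passes: flag is enough
        },
        "stateful": {
            "syn": fw.allow(syn),                    # records the flow
            "synack": fw.allow(synack),              # matches the flow
            "forged_ack": fw.allow(forged),          # no flow: dropped
        },
    }


if __name__ == "__main__":
    for kind, results in run_scenario().items():
        print(kind, results)
```

The legitimate reply is accepted by both models; only the forged packet separates them. Neither model looks inside the payload, which is the other half of the posts' point: even the stateful firewall would pass malware carried in a flow the PC opened itself, and that is the gap DPI is sold to close.
-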
I'm reviewing my logs and I see 52.1.188.138 appears quite often on blocked IP Addresses. It's Amazonas or something like that. I haven't even been to Amazon on that computer.
What's up with that?
-
Reference sparklies, I read somewhere that adobe doesn't use flash as they consider it too insecure...don't know how true that is, but I wouldn't be surprised.
-
It's not true. It's called Edge Animate (An) now, or just Animate.
-
I'm reviewing my logs and I see 52.1.188.138 appears quite often on blocked IP Addresses. It's Amazonas or something like that. I haven't even been to Amazon on that computer.
What's up with that?
Not Amazon, but Amazon Web Services. It's a cloud hosting service. Post the logs.
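-
A way to do what the last reply asks for, added here as an example rather than anything from the thread: summarise the blocked entries in the log and check each source against a published cloud range list. The log format below is an assumption (the actual logs were never posted), the five lines are constructed, and the range data is a one-entry sample in the shape of AWS's published ip-ranges.json (https://ip-ranges.amazonaws.com/ip-ranges.json); fetch the real file before drawing conclusions about a specific address. The `stray_reply` flag is a plain heuristic: blocked inbound packets with a well-known source port and an ephemeral destination port are usually late packets from a connection the PC itself opened earlier, and plenty of unrelated websites are hosted on AWS, so that shape is worth recognising before treating an address as an attacker.

```python
"""Summarise blocked firewall log entries and attribute sources (added example)."""
import ipaddress
import json
import re
from collections import Counter, defaultdict

# Constructed sample log; the format is assumed, not taken from the thread.
SAMPLE_LOG = """\
2015-12-03 08:12:01 BLOCK TCP 52.1.188.138:443 -> 192.168.1.10:51022
2015-12-03 08:12:05 BLOCK TCP 52.1.188.138:443 -> 192.168.1.10:51022
2015-12-03 08:13:40 ALLOW TCP 192.168.1.10:51030 -> 93.184.216.34:80
2015-12-03 08:14:02 BLOCK UDP 198.51.100.7:53 -> 192.168.1.10:5353
2015-12-03 08:15:11 BLOCK TCP 52.1.188.138:443 -> 192.168.1.10:51022
"""

# Constructed one-entry sample shaped like AWS's ip-ranges.json "prefixes"
# list. Replace with the downloaded file for real checks.
SAMPLE_RANGES = json.loads("""{"prefixes": [
  {"ip_prefix": "52.0.0.0/15", "region": "us-east-1", "service": "AMAZON"}
]}""")

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>[A-Z]+) (?P<proto>[A-Z]+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_lines(text: str):
    """Yield one dict per recognised record; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def owner(ip: str, ranges: dict):
    """Return 'SERVICE/region' for the first prefix containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for p in ranges["prefixes"]:
        if addr in ipaddress.ip_network(p["ip_prefix"]):
            return f"{p['service']}/{p['region']}"
    return None


def looks_like_stray_reply(rec: dict) -> bool:
    """Well-known source port towards an ephemeral destination port: the
    usual shape of a late packet from a connection this host had opened."""
    return rec["sport"] < 1024 and rec["dport"] >= 49152


def report(text: str, ranges: dict) -> list:
    """Blocked sources, most frequent first, with owner and port summary."""
    counts = Counter()
    dports = defaultdict(set)
    stray = defaultdict(bool)
    for rec in parse_lines(text):
        if rec["action"] != "BLOCK":
            continue
        src = rec["src"]
        counts[src] += 1
        dports[src].add(rec["dport"])
        stray[src] = stray[src] or looks_like_stray_reply(rec)
    return [
        {"src": ip, "blocked": n, "owner": owner(ip, ranges),
         "dports": sorted(dports[ip]), "stray_reply": stray[ip]}
        for ip, n in counts.most_common()
    ]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG, SAMPLE_RANGES):
        print(row)
```

On the sample, the AWS address shows up three times, always from port 443 to the same ephemeral port, which is what a web server re-sending to a connection the PC has already closed looks like; the other blocked source is a UDP packet to 5353 from an unattributed address and is flagged differently.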