blog: shut the door to malware
- Silver Member
- Posts: 244
- Joined: 2004 Jun 16, 15:09
jazzcat wrote: But how do you envisage a kernel-mode rootkit, which is a device driver, gets installed in the first place whilst evading anti-virus software?
Well, the Sony Rootkit -- aka Extended Copy Protection (XCP) -- installed itself on about half a million computers without any of the AV companies detecting either the rootkit or its installation program.
And, after it was discovered -- by independent researchers -- the AV companies were very slow to respond -- perhaps because the rootkit was from a "legitimate" corporation rather than some anonymous cracker?
I'm not saying AV isn't a useful tool, but computer users should have more than one line of defense, and running as a limited user is a good line of defense.
-
- Site Admin
- Posts: 3737
- Joined: 2003 Sep 08, 19:56
- Location: Springfield
Folks,
I think we don't differ all that much, nor have we necessarily missed anything in the others' arguments except to acknowledge where the others' have valid points before going on to argue from our own perspectives. (I neglected to do that earlier myself.)
Here's what I read:
nikos recommended a simple minimal sandbox approach where normal PC work can be done using an account with limited privilege credentials, wherein unauthorized installs are prohibited by the OS. He also made a casual statement about A-V's being ineffective; but failed to elaborate on the circumstances. Further, some types of malware can operate even under plain limited accounts (tracking cookies, some adware pop-ups, remotely run JAVA applets) -- so using a limited account is not foolproof, although we can all agree that it helps; so running a good up-to-date A-V program is still important.
jazzcat (and I) find it unfair to not mention that it is only in certain circumstances that A-V's are not effective. And we point out that A-V's can usually intercept even rootkits before they are installed. (But we all agree that effectiveness is not 100%: e.g. longfellow's example**.)
robert2 emphasizes that it's basically all a cat-and-mouse game. And again I think we can all agree there is a lot of cat-and-mouse involved on all levels -- that is why prevention, interception, detection, removal is not 100% and why both the threats and the A-V apps continue to evolve.
In the end I see it as not so much an "I'm right, you're wrong" thing as a difference in which points we find important to emphasize.
** PS - please correct me if I'm wrong, but didn't the SONY rootkit install even from limited accounts?
-
- Gold Member
- Posts: 700
- Joined: 2004 Jun 17, 15:39
Hi,
To emphasize the sandbox approach once more, here is from http://www.sandboxie.com (Sandboxie is freeware):
"About Sandboxie
When you run a program on your computer, data flows from the hard disk to the program via read operations. The data is then processed and displayed, and finally flows back from the program to the hard disk via write operations.
For example, if you run the Freecell program to play a game, it starts by reading the previously recorded statistics, displaying and altering them as you play the game, and finally writing them back to disk for future reference.
Sandboxie changes the rules such that write operations do not make it back to your hard disk.
Sandboxie [creates] a transient storage area, or sandbox. Data flows in both directions between programs and the sandbox. During read operations, data may flow from the hard disk into the sandbox. But data never flows back from the sandbox into the hard disk.
If you run Freecell inside the Sandboxie environment, Sandboxie reads the statistics data from the hard disk into the sandbox, to satisfy the read requested by Freecell. When the game later writes the statistics, Sandboxie intercepts this operation and directs the data to the sandbox.
If you then run Freecell without the aid of Sandboxie, the read operation would bypass the sandbox altogether, and the statistics would be retrieved from the hard disk.
The transient nature of the sandbox makes it easy to get rid of everything in it. If you were to throw away the sandbox, by deleting everything in it, the sandboxed statistics would be gone for good, as if they had never been there in the first place.
Sandboxie and the Web
Protecting your Freecell statistics using Sandboxie may be a good idea when a less qualified player comes along, but you will probably want to play most of your games outside the sandbox. On the other hand, you may want to run your Web browser inside the sandbox most of the time. This way any incoming, unsolicited software (spyware, malware and the like) that you download, is trapped in the sandbox. Changes made to your list of Favorites or Bookmarks, hijacking of your preferred start page, new and unwanted icons on your desktop -- all these, and more, are trapped in and bound to the sandbox.
You could also try a new toolbar add-on, browser extension or just about any kind of software. If you don't like it, you throw away the sandbox, and start again with a fresh sandbox. On the other hand, if you do like the new piece of software, you can re-install it outside the sandbox so it becomes a permanent part of your system.
Sandboxie intercepts changes to both your files and registry settings, making it virtually impossible for any software to reach outside the sandbox.
Sandboxie traps cached browser items into the sandbox as a by-product of normal operation, so when you throw away the sandbox, all the history records and other side-effects of your browsing disappear as well.
Download Sandboxie and give it a try.
The Alternative
Sandboxie is free so you really don't have to look around for an alternative. If you find it makes your Web experience that much safer, you are encouraged to register the program for a small fee. However, if you still don't like or can't use Sandboxie for whatever reason, here are some alternatives.
Anti-Virus Software, Anti-Spyware Tools
These tools scan your computer files and registry settings looking for known viruses and unsolicited software (spyware). Such tools can only remove viruses and spyware they can identify, and usually only after that software has made its way into your computer. Contrast this with the Sandboxie approach, which keeps the viruses and spyware trapped in the sandbox, and makes them disappear when you throw away the sandbox.
Untrusted Browsing
The ActiveX mechanism lets Web sites run little programs in your computer. These are mostly well-natured programs, for example automatic download managers or automatic toolbar installation. Some not-so-well-natured Web sites use this mechanism to install spyware into your computer. You could browse with ActiveX disabled (by turning it off, or by switching to a browser that doesn't offer support for ActiveX), but you would be trading security over functionality. With Sandboxie, you can keep ActiveX turned on, and have both security and functionality."
Acronis True Image Home (http://www.acronis.com), besides creating backups and mirror images of hard drives, also includes a "sandbox" module. Here is from the Acronis True Image Home help:
"The Try&Decide feature allows to create a virtual replica of your system without the need to install special virtualization software. You can perform various potentially dangerous operations on your system without having to worry about their consequences to the actual system. After making virtual changes you may apply the changes to the actual system if they are to your satisfaction or discard them if you do not like the results. The Try&Decide feature is somewhat similar to a sandbox, which is a controlled, secure area, where you can surf the Web knowing that your personal information is safe, download files from the Internet, open E-mail attachments without dire consequences, etc. Usually the sandbox is a virtual environment completely isolated from the real system and all the programs running there; also downloaded files or changes made in files disappear when the sandbox is closed. There might be cases, however, when you will want to save, e.g. downloaded applications after making sure that they do not pose a threat to the computer. The Try&Decide feature will provide you with such ability in addition to having the above features of a sandbox."
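A toy model of the rule the two quotes above describe (reads fall through to the real disk, writes are captured in a transient sandbox that can be thrown away, or, Try&Decide style, applied once trusted). This is an added illustration, not code from Sandboxie, Acronis or the poster; the dict-backed SandboxedFS class and both scenario functions are hypothetical.

```python
# Toy model (hypothetical, not Sandboxie's or Acronis's code) of the rule the
# quoted text describes: reads fall through to the real disk, writes are
# redirected to a transient sandbox, and the sandbox can be thrown away or,
# Try&Decide style, applied to the real system once its contents are trusted.
# Plain dicts stand in for the file system; keys are paths, values are contents.

class SandboxedFS:
    def __init__(self, disk):
        self.disk = disk        # the real, persistent file system (only commit() writes here)
        self.sandbox = {}       # transient storage area for every write
        self.deleted = set()    # paths deleted inside the sandbox (hidden from reads)

    def read(self, path):
        # A delete performed inside the sandbox hides the real file from the program.
        if path in self.deleted:
            raise FileNotFoundError(path)
        # A path the program already wrote is served from the sandbox; anything
        # else falls through to the real disk, so reads "flow in" but writes do not.
        if path in self.sandbox:
            return self.sandbox[path]
        return self.disk[path]

    def write(self, path, data):
        # The write never reaches the disk: it is captured in the sandbox.
        self.deleted.discard(path)
        self.sandbox[path] = data

    def delete(self, path):
        self.sandbox.pop(path, None)
        if path in self.disk:
            self.deleted.add(path)

    def discard(self):
        # "Throwing away the sandbox": every sandboxed change vanishes at once.
        self.sandbox.clear()
        self.deleted.clear()

    def commit(self):
        # Try&Decide's "apply the changes to the actual system" step: replay the
        # sandboxed writes and deletes onto the real disk, then start fresh.
        for path in self.deleted:
            self.disk.pop(path, None)
        self.disk.update(self.sandbox)
        self.discard()

def freecell_scenario():
    # Constructed sample disk: Freecell's statistics file plus one real file
    # that a program running inside the sandbox later tries to remove.
    disk = {"freecell.stats": "won=3 lost=1", "toolbar.cfg": "original"}
    fs = SandboxedFS(disk)
    first_read = fs.read("freecell.stats")        # served from the disk
    fs.write("freecell.stats", "won=4 lost=1")    # captured by the sandbox
    fs.write("unwanted_toolbar.dll", "dropped")   # unsolicited download, also captured
    fs.delete("toolbar.cfg")                      # sandboxed delete: disk copy untouched
    inside_view = fs.read("freecell.stats")       # the program sees its own write
    fs.discard()                                  # throw the sandbox away
    return (first_read, inside_view, disk["freecell.stats"],
            "unwanted_toolbar.dll" in disk, disk["toolbar.cfg"])

def try_and_decide_scenario():
    # Same mechanism, but the user likes the sandboxed install and applies it.
    disk = {"freecell.stats": "won=3 lost=1"}
    fs = SandboxedFS(disk)
    fs.write("new_app.exe", "installer payload")  # the "downloaded application"
    fs.write("freecell.stats", "won=5 lost=2")
    fs.commit()                                   # changes become permanent
    return (sorted(disk), disk["freecell.stats"], fs.sandbox == {})

if __name__ == "__main__":
    print(freecell_scenario())
    print(try_and_decide_scenario())
```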
-
- Silver Member
- Posts: 244
- Joined: 2004 Jun 16, 15:09
fgagnon wrote: ** PS - please correct me if I'm wrong, but didn't the SONY rootkit install even from limited accounts?
IIRC, the SONY Rootkit needed admin rights to install.
But I have read of so-called "user-mode" rootkits which will install from limited accounts. Apparently, they are not as robust as their kernel-mode cousins, and much easier to detect.
This page gives more detail, under the section "Windows Rootkits":
http://www.viruslist.com/en/analysis?pubid=168740859
-
- Platinum Member
- Posts: 1430
- Joined: 2002 Jun 04, 07:01
OK guys. You have discussed enough obscure points in enough depth.
Now how about a neat summary for us mere mortals?
What we need is not the why's, but the what's.
We don't have the background knowledge to understand the finer points of this subject anyway!
We also understand that it is impossible to be absolutely safe.
Given that, what are the do's and don'ts to get the maximum-possible protection for our PCs against rootkits and other such beasts?
-
- Silver Member
- Posts: 269
- Joined: 2004 Jun 10, 12:24
AntiVirus = Avira AntiVir (any variant will do)
Browser = Firefox + NoScript + Adblock Plus
Spyware = Spybot - Search and Destroy
I always run my computer in Administrator mode and I'm fine but then again I grew up with 2x XT machines so I have loads of experience getting in and out of trouble
Anyone remember XtreeGold or XTGold?
Best DOS file manager ever, a pity v4 for Windows was a disaster.
-
- Site Admin
- Posts: 3737
- Joined: 2003 Sep 08, 19:56
- Location: Springfield
narayan,
What ckit posted is a short version of what I was trying to say.
Following is my longer list of how to keep malware off your computer:
1. Run your computer from a non-administrative account except when necessary to install intended applications or make intended configuration modifications. While not foolproof, this policy is a good safeguard against evolving threats which your Anti-Virus and Anti-Spy tools don't (yet) recognize. {This was nikos' recommendation at the outset.}
2. Keep all your popular software apps up-to-date for their security vulnerability patches. Especially important for Adobe Reader, MS Office products (Word, Excel, etc.), your email client, Sun's Java, your media players, Flash plug-ins. We did not discuss this earlier in this thread but it is of paramount importance because files you download (or get from friends or co-workers) and open or "play" can be loaded with nasties.
3. Run a current antivirus application (there are many good ones to choose from), and keep it up-to-date.
4. Run a good internet browser and keep its vulnerability patches up-to-date. Again, there are multiple good choices. Mozilla Firefox and MS Internet Explorer are both excellent nowadays security wise even though IE gets more bad press each time a vulnerability is discovered.
4a. To avoid unknowingly visiting web-sites which are sources of malware, scams and spam install McAfee's free SiteAdvisor add-on to your Firefox or IE browser. ( http://www.siteadvisor.com )
4b. Set your browser options to prohibit running scripts; although that may not give you as "rich" a browsing experience as you prefer.
4c. Pop-ups and other dynamic advertising are usually more of a nuisance than a security threat, so set your browser to block pop-ups and use an add-in such as adBlock to improve the effectiveness. For privacy issues, you can set your browser to not accept third party cookies, or none at all; but again this can adversely affect what you are browsing for.
5. If you permit cookies or scripts (and most of us do at least sometimes, or for some sites), then you should also use an anti-spyware product. The afore-mentioned SpyBot S&D ( http://www.safer-networking.org ) is arguably the best freeware, and can be augmented with LavaSoft's free Ad-Aware ( http://www.lavasoftusa.com ) and/or with WebRoot's for-pay SpySweeper ( http://www.webroot.com ). I prefer to run a sweep regularly, rather than take the performance hit of running them in real time.
6. For when you must browse unknown sites, or risky ones such as those flagged by SiteAdvisor then do so from within a virtual "sandbox" such as that provided by SandBoxie ( http://www.sandboxie.com ) as robert2 described earlier in this thread.