How to prevent malware from running on your PC

Some snippets from your writing...

I think this *could* be a good thread. But only if it is kept within boundaries. Everyone should remember that balancing functionality with security is the challenge. How much functionality that is necessary depends on your needs. Advice like "not offer servers to the Internet" does nothing to help the system with a web server requirement. Not using "ActiveX, Scripting, Internet Explorer or Outlook Express" does nothing to help the person that is required to use them.

Bottom line, eliminating functionality is not a security measure. It is an avoidance. Avoidance can be taken to the extreme by using "airgap" technology (open air - not connected to the Internet). I would prefer that folks concentrate on security best practices rather than using this thread to champion their personal causes like Linux, Unix and Anti-MS jabber.

I attended a vendor specific Spyware seminar yesterday. One of the points the speaker made was this. Popularity + standardization = vulnerability. He cited an example that occurred in Japan a while back called the "911 virus" on Cell Phones. Japan was standardized on Cell Phones. Almost every Cell Phone in Japan works the same. That allowed a virus writer to write a virus that quickly propagated to all Cell Phones (using social engineering methods and text messaging) and due to constant automated calls to Japan's 911 emergency number, it was virtually shut down for a number of days before this could be corrected. The speaker pointed out that this could never happen in America to such an extent because there is not enough compatibility and standardization amongst the Cell Phone manufacturers' equipment and the Cell phone users' handsets. True.

The above is a good example to point out that the real challenge is adding security ON TOP OF functionality. Not reducing functionality to gain security. Again, everyone needs to establish their own comfort level with functionality versus security, depending on their own system's risk tolerance, their own needs, their own administrative capabilities, and the potential impact that a compromised system would have. Solutions won't be the same for everyone. That's why these things are called "best practices", depending on your needs.

Just my thoughts...

-Frank

Frankster

So you know that's impossible and no one is going to do it. One does the best he or she can do to protect the machine by any means necessary. :)

Duane :)

Duane Arnold

You obviously don't grasp the concept of how malware is distributed. It is not just about stopping services, not using OE and IE etc, but malware/virii/worms/trojans utilise known or unknown flaws in the Windows OS to attack a PC whilst connected to the internet. Even good old linux/unix/mac aren't foolproof and can be attacked. To totally protect a PC, you will need to remove all floppy drives, cd/dvd drives, disable USB ports and remove the PC from the internet.

ABC

Hi,

because I was mentioning this as a good topic some times already, I want to start the discussion ;-)

I think, to prevent malware running on your PC, you should close the attack vectors, with which malware is distributed onto your PC.

That means:

- you should not offer servers to the Internet, so worms or crackers, who are trying to abuse network services, have no chance; if your PC is offering such services, stop them or filter away any traffic which is intended for those services

- you should handle mails and mail attachments carefully; a virus scanner can help here to have a look at every attachment before you're opening it, but you also should use your brain, because virus scanners cannot be perfect

- you should not use software for communication in the Internet, which implements technology like ActiveX or ActiveScripting, because these are security design flaws; so don't use Internet Explorer or Outlook Express

- you should keep at least every piece of software up to date that you're using in the Internet or for data out of the Internet, because any software you're using for communication could have an exploit

- you should use your brain before inserting disks into your PC, and a virus scanner will help also, if you know, that virus scanners cannot be perfect

And keep your system as simple as possible; increasing complexity anytime is a security risk - try to remove software or to stop software before adding other software, which is intended to control software, which also could be stopped or removed.

Yours, VB.

Volker Birk

The real problem with WU is that it's a Trojan. It often changes settings and opens ports. Now, I've done what Volker suggests for many years. But it's a good idea to have a sw firewall (I don't use XP) to block inbound until you can recover from the WU Trojan, assuming you don't have an external router/fw.

Also, I see no harm in using a sw firewall on OS other than XP with its built-in inbound blocking fw. After all, not all malicious code is smart enough to bypass or disable it. So as long as a sw firewall is taken with seventeen grains of salt and anti-BS medicine I don't think the good ones add significant vulnerabilities to the system. And I like the kind of info Sygate gives me sometimes. It's a valuable tool, IMO.

Art


That means an impossible task because you don't know who you're giving the advice to or what their experience or knowledge or situation is. Good advice given to an inexperienced home user may be bad advice if given to an experienced person in a different situation or even an inexperienced business user. So there is no set of rules which, if followed by everyone, will be a good idea for everyone. Therefore I think it's better to leave people alone to come to their own conclusions about personal firewall software. I don't use it, but I have little reason to care if other people do.

That would make it a little difficult for me to get any email as I run my own SMTP server. It would also mean I couldn't use my web server. I don't run a web site of any importance but it's useful for transferring files to other places when required. It would also mean I couldn't do remote access to my PC.

I prefer not to get any viruses instead of relying on software to fight software, however I do sometimes advise other people to use virus scanners because there's at least some chance that the scanner will know about and stop the virus BEFORE it does damage.

You're going to have difficulty with Windows Update then, not to mention the games the kids insist on playing (which use shockwave).

Many vendors use updates as an excuse to get users to purchase the latest version. How are users going to tell the difference between this and genuine security updates?

That means that the person inserting the disk needs to have a brain. This is not always the case in my experience.

Jason

Jason Edwards

Yeah, that's it. great comment! That will help.

-Frank

Frankster

Question: With DSL, fixed IP, WinXP, Windows Firewall (default config), no Internet services, Firefox browser, Outlook Express in high-security mode (no ActiveX)...is a NAT router of any value and why?

thanks, nf

nutso fasst

Yes, it keeps things from reaching your computer - period - it means that even if there is a hole in the OS or the Firewall provided by MS, that it won't be reached unless you invite it in.

Leythos

Surprising.

Which flaws do you mean? Exploits in the IP/ICMP implementation itself? This is possible, but somewhat seldom. There were some exploits, but for some years no one has heard of newly found exploits there.

Most of the worms I know - and how I myself would implement malware, if I were interested in it - rely on bugs in services (i.e. buffer overflows) which can be used to run arbitrary code, or are using exploits in Internet Explorer or the ActiveX infrastructure around it. Sometimes, as with the Witty worm, they're using the "Personal Firewall" software itself for distribution.

If there are no services reachable, then this attack vector is closed.

A second main target for attacks is PEBKAC. This is much more difficult. Social engineering attacks have a broad range to be implemented, and new ideas are being found every day. I think, this is the most difficult topic, because "don't try to solve social problems with technology, it will not work".

Technology can help here a little, though. At least, it has to be as easy as possible for the user to use systems which are using reliable authorization methods like cryptography and certificates, and to distinguish between reliable information and questionable information.

I think, the main topic for this field will be how this can be reliably flagged to the user. Here, we're in the fledgling stages yet. The techniques used today like SSL are much too complicated to use - who of the users does really know what a certificate is and how to check it, if this window with such curious questions pops up?

A third main target are the programs which are used for communication, say: the browser, the MUA, the IRC client, the IM app, but also word processing and spreadsheet applications, as well as sound-playing and video-playing applications, because people like to exchange such documents. Sometimes also Windows Explorer is such an application *sigh* - think about the preview exploit.

It is a very bad idea here to involve the user in security topics at all, like it is done with this infamous ActiveX technology for example. Here we shouldn't ask the user anything, but provide secure applications.

We need reliable technology with those programs. And here virus scanners can help to find out if somebody is spreading poisoned documents, if some provider failed.

Yes, of course. But, your point being?

Also clear. But, your point being?

Yours, VB.

Volker Birk

Yes, this is the point.

Yes. We have to distinguish between people who have to do so, and people who don't. But I think we could say: "only offer as few services as possible, because then the surface which can be attacked is as small as possible", can we? Then, for home users, the sentence "do not offer servers to the internet" usually is true, is it?

Yes. But is this a good idea?

I think, ActiveX is a design flaw. You're getting the same functionality it offers if it's used for web browsers (say: plugins) without having a system-wide concept like COM for such plugins, but only a browser-dependent one. So attacks against arbitrary components in the whole system, like with the problem Tom Ferris recently published, are not possible any more.

To abandon ActiveX and to implement a plugin concept will eliminate such problems.

I think, this was a Microsoft seminar, was it? Because, only for Microsoft products there are so many spyware problems today. :-P

This is too nearsighted. The technology also has to be insecure, if it should be abused. Usually, if it's complicated, then it's hard to secure.

But of course, if a technology is insecure, and popular and widespread, then it likely is going to be abused.

I think, this is one of the main misunderstandings, we're suffering from. Security is nothing, you can add, and not at all "on top".

Security is something, which is in your concept.

If it's not in your concept, usually it's very hard (if not impossible) to add later.

Of course not.

Yours, VB.

Volker Birk

OK, sorry, this is capable of being misunderstood, what I wrote. I mean, "for home users".

Yes.

The first can be done with Internet Explorer as an exception. The second also is available for other browsers as a simple plugin, not as a COM compatible ActiveX control.

I think, this is vendor specific. It is in the liability of the vendor to make this clear, and to offer security updates also for older releases. Perhaps people who watch this and publicize about vendors, who don't, can help.

Yes, PEBKAC. But I think it will not work without involving users. Of course, they have to be involved as little as possible. But education and training for such topics is necessary.

Yours, VB.

Volker Birk

Art wrote: [Windows Update]

I don't think so.

Yours, VB.

Volker Birk

You can have more than one PC with one single internet connection ;-) For security purposes? Here: no.

Yours, VB.

Volker Birk

I recently had occasion to do a fresh install of Win 98SE. As is my custom, I then proceeded to disable services and make sure the adapters were bound to TCP/IP only. The netstat -an result was empty as usual.

After doing a Windows Update ... downloading and installing all patches and IE 6 sp1 ... I rebooted and to my surprise the Windows logon screen appeared. Sure enough, my work had been nullified and netstat -an showed all the usual NETBIOS ports listening. I had been on line for quite some time with DSL service wide open to attack. Luckily, I took no hits.

To protect yourself from the WU trojan, you can keep the install file of your favorite software fw on CD and install it immediately after installing Windows and before going online. Do your OS hardening _after_ doing WU since it will undo some of your work. Then if your sw firewall is disabled for any reason, you'll still be safe going online.

Art

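Art's check above is a baseline comparison: capture `netstat -an` before and after an update, and look for ports that were closed before and are listening afterwards. The script below is an added example, not Art's or anyone else's code from this thread. It parses Windows-style `netstat -an` text and reports newly exposed sockets; the two netstat captures embedded in it are constructed to mimic the situation Art describes (empty before, NetBIOS/SMB listening after). In real use you would redirect `netstat -an` to a file before patching and again after, and feed both files in.

```python
"""Diff listening sockets between two `netstat -an` captures.

Added example (not from the thread). The BEFORE/AFTER texts below are
constructed to resemble Windows `netstat -an` output; replace them with
real captures taken before and after an update.
"""
import re
from typing import Dict, Set, Tuple

# Labels for ports a home workstation usually should not expose; used only for reporting.
KNOWN_PORTS = {
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram",
    139: "NetBIOS session",
    445: "SMB over TCP",
}

# One netstat row: proto, local address:port, foreign address, optional state.
# Greedy \S+ plus the ':(\d+)' anchor also copes with IPv6 like [::]:135.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE)

Socket = Tuple[str, int]


def listening_sockets(netstat_text: str) -> Set[Socket]:
    """Return {(proto, port)} for sockets that accept unsolicited traffic.

    TCP counts only in state LISTENING (an ESTABLISHED row is an outbound
    connection, not an exposed service). UDP has no state, so every bound
    UDP socket counts because it will receive datagrams from anyone.
    """
    found: Set[Socket] = set()
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # 'Active Connections', column header, blank lines
        proto, _local, port, _foreign, state = m.groups()
        proto = proto.upper()
        if proto == "TCP" and (state or "").upper() != "LISTENING":
            continue
        found.add((proto, int(port)))
    return found


def newly_exposed(before: str, after: str) -> Dict[Socket, str]:
    """Sockets present in `after` but absent from `before`, labelled if well known."""
    diff = listening_sockets(after) - listening_sockets(before)
    return {sock: KNOWN_PORTS.get(sock[1], "unknown") for sock in sorted(diff)}


# Constructed capture: hardened box before the update, nothing listening.
BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
"""

# Constructed capture: after the update, NetBIOS/SMB are back plus one outbound connection.
AFTER = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1027       64.4.11.42:80          ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

if __name__ == "__main__":
    report = newly_exposed(BEFORE, AFTER)
    if not report:
        print("No new listening sockets after the update.")
    for (proto, port), label in report.items():
        print(f"NEW {proto}/{port:<5} {label}")
```

The outbound ESTABLISHED row on port 1027 is deliberately ignored: the point of the check is exposed services, and the same filter keeps the report short on a machine with a browser open. Running the comparison again after re-hardening (and then after every later update, as Art suggests) should leave the report empty.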

That's one reason why a quick run of both netstat (I prefer tcpview) and shields up is a good idea after a fresh install (including updates and applications) of any version of Windows. But it's a much better idea for home users to be behind an external firewall box which filters incoming connection requests by default. This doesn't have to be NAT but NAT is likely to be the cheapest way. There is no reason why this filtering cannot be done in a DSL or cable modem but this may create an administration problem (and thus cost a lot of money) for ISPs. Some of us would rather do our own filtering but it would be best for ISPs to do it for others.

Jason

Jason Edwards

Thanks for the reply.

I worked for years behind a software NAT- & firewall-equipped server. HTTP and mail services were not behind NAT, only workstations. Neither server nor workstation were ever infected until one day I browsed some 'reputable' news sites (NYTimes, CNN, NBC...) with lots of advertisements. I did not click on any ad, yet IE5 got hijacked by CoolWebSearch. IP sharing is good, but I don't see that NAT did much for security. Stricter security settings, switching to Firefox, email filtering, and using a blocker HOSTS file* were sufficient to avoid another intrusion. But I'm advising an elderly lady who's switching from AOL dialup to DSL, and if I'm missing something--that HW NAT is going to add protection for her system with no internet services running and NetBIOS unbound from the NIC--I'd like to know specifically what it is. My biggest concern is that her system not get infected with a mass mailer or DoS attack zombie.

nf

nutso fasst

I am a home user :)

Jason

Jason Edwards

[cut]

> usually is true, is it?

Yes it's usually true, but imagine yourself face to face with an inexperienced home Windows user and say "do not offer servers to the internet". What kind of look would you expect on their face?

Yes it's usually true, but it can be as true as it likes without making any difference if there is no way to make it happen.

Jason

[rest cut]
Jason Edwards

Some food for thought from _The Six Dumbest Ideas in Computer Security_:


> bread-crumbs under the stove, right? Wrong! That's a dumb idea. One of the best ways to discourage hacking on the Internet is to give the hackers stock options, buy the books they write about their exploits, take classes on "extreme hacking kung fu" and pay them tens of thousands of dollars to do "penetration tests" against your systems, right? Wrong! "Hacking is Cool" is a really dumb idea.

> behavioral aspects of hacking and computer security. He says it better than I ever could:

> their crimes. Anonymity and freedom from personal victim confrontation increased the emotional ease of crime, i.e., the victim was only an inanimate computer, not a real person or enterprise. Timid people could become criminals. The proliferation of identical systems and means of use and the automation of business made possible and improved the economics of automating crimes and constructing powerful criminal tools and scripts with great leverage."

> problem. It's not a technology problem, at all. "Timid people could become criminals." The Internet has given a whole new form of elbow-room to the badly socialized borderline personality. The #4th dumbest thing information security

> media plays directly into this, by portraying hackers, variously, as "whiz kids" and "brilliant technologists" - of course if you're a reporter for CNN, anyone who can install Linux probably does qualify as a "brilliant technologist" to you. I find it interesting to compare societal reactions to hackers as "whiz kids" versus spammers as "sleazy con artists." I'm actually heartened to see that the spammers, phishers, and other scammers are adopting the hackers and the techniques of the hackers - this will do more to reverse society's view of hacking than any other thing we could do.

> of the "Hacking is Cool" dumb idea. Think about it for a couple of minutes: teaching yourself a bunch of exploits and how to use them means you're investing your time in learning a bunch of tools and techniques that are going to go stale as soon as everyone has patched that particular hole. It means you've made part of your professional skill-set dependent on "Penetrate and Patch" and you're going to have to be part of the arms-race if you want that

> learn how to design security systems that are hack-proof than to learn how to identify security systems that are dumb?

> the next 10 years. I'd like to fantasize that it will be replaced with its opposite idea, "Good Engineering is Cool" but so far there is no sign that's likely to happen.

I don't think you would disagree with the other points in the article.

Wim de Vries
