How to prevent malware from running on your PC

I'd not call Windows-Update a "Trojan" (even not a "Greek", because the Trojan Horse was not Trojan, but Greek, though ;-)

Yours, VB.

Please don't forget, that NAT is not a security technology, and many NAT implementations are not secure. If you're using a NAT router (we both mean masquerading when we say "NAT", I guess), then you should filter anyway.

Yours, VB.

I know this situation very well.

Usually, they don't understand at all, what's goin' on. So we have to explain.

Hm,

But of course, in fact it's Microsoft's job to do so. But they don't do i.e. by offering Service Packs for the older Windows releases, which stop all services as the default configuration for stand-alone PCs. I'm happy, that they at least are delivering a packet filter with Windows XP in SP2 now, which works - the Windows firewall.

I really don't understand, why people are paying money for "Personal Firewalls" and not are blaming Microsoft for this security desaster they have to answer for.

Yours, VB.

approximately

Is that all? Steve Gibson is claiming over twenty times that for some of his tools.

Perhaps it is mostly experienced people who have downloaded your tools so far, in other words those who didn't really need them or were just curious to have a look.

I haven't used your tools myself, but I have no doubt that they do exactly what they are intended to do and are likely to be of the highest quality available for such tools.

Jason

Because there is a simple solution, one that, like every other OS, has solutions that don't involve the vendor. I would never stick a default setup Linux box on the live internet, nor a Windows PC, nor a MAC with OS/X.

People should not trust Windows SP2 firewall as it's not been proven, can be circumvented by the user or a script, and is not monitoring outbound traffic.

What I can't understand is why you think Windows SP2 firewall is enough for anyone.

Likely, because he believes that following pretty well established Safe Computing Practices (a/k/a SafeHex) mitigates the need for using a software firewall with application or communication control.

To proof, that it's possible? Yes.

Yes. And I don't want to compete with him. Please don't compare me with him. I offered

No, not at all. The more experienced people usually are downloading Torsten's script, because this is much easier to modify or adapt. My job only was to make this understanding accessible for most of the users.

I just implemented a small Windows program out of this script to open these possibilities also for the unexperienced user. And it works.

The German magazin "PC Professional" (which is the German sister magazin of the PC Magazin, I guess) requested me to write an article for them, and they had a "Personal Firewall" test themselves - they aknowledged, what I'm telling.

The 250.000 downloads are what was downloaded from my own website, not including the people who used this tool, because it's on many CDs from many magazins in Germany now.

Thank you for trusting ;-) But: what would be best is, that Microsoft finally make those tools uunnecessary by implementing a default configuration for any release of Microsoft Windows people are using, which is secure.

Then there is no need any more for such tools. And this will be best.

To the background of this process:

I'm active in the Chaos Computer Club, ERFA Ulm / Chaostreff Bad Waldsee. Just enter my name in Google ;-)

We were shocked, that Microsoft were offering head money for pupils, who are rampaging in the age of 17 by downloading "virus construction kits" from the net and creating viruses like "Sasser".

I think, paying bounty hunters for the head of pupils cannot be the way to solve the security mistakes of Microsoft. Of course, such pupils have to be punished, but Microsoft also have to do their home- work first.

So I wanted to show how easy it is (and 50k and one day work are enough) to secure a Windows PC that it cannot be target of worms like sasser any more. It was in the days before Windows XP SP2.

I had the hope, that then some people will understand, that we don't need bounty hunters, but secure systems. And that does not mean, that Microsoft have to invest hundreds of millions of $, but that it's enough to think about it to solve the worst problems.

Yours, VB.

I can't deny that I knew it would be painful for you to be compared with Steve Gibson, but what is the big difference? He is offering free software too. If your software is targeted at inexperienced home users then why bother saying that they are free to improve it? None of them will be able to compile it, never mind improve it. Perhaps Gibson knows this.

As I see it, Steve Gibson also sees it as his job to make things accessible to inexperienced home users, but perhaps not exactly the same things as you do.

Gibson's software also does what it claims, as far as I know, and it shouldn't be very difficult for anyone who wants his source code to get it because he does everything in assembler.

Gibson has gone much further, have you appeared on TV yet?

XP SP2 seems to be the closest they've got so far. But suppost the original release of 2000 or XP had actually been XP SP2. Would we still be here discussing other ways that home users' PCs could be made to run hostile code? I think we would.

Not quite as many hits as Steve Gibson but an exponential increase shouldn't see it take long :)

Well they have to do something to reduce the incidence of worms like Sasser and I think it's likely that they have many people who are better versed in politics than software.

So Microsoft have already fixed that with SP2. Now we just have to wait for home users to all do a clean install of XP SP2

Steve Gibson also appears to think that Microsoft don't understand security and that it's his job to provide tools to fix it until they do.

There is honestly no need to write a long reply Volker, and please don't be too hurt that I saw many parallels between you and Steve Gibson.

Jason

Interesting Idea, but, I don't run a personal firewall application on any systems except for laptops. Even with more than 1000 nodes in managed environments, we disable the Windows XP SP2 firewall service, but, we also have control of the inbound and outbound connections and filter content OUT of smtp, ftp, http, etc...

In my own home I have a WatchGuard Firebox firewall, it's removing malicious content all the time, but I don't run any PFW on anything except the latops.

The only reason I run a PFW on a laptop is because I can't trust new client network.

The reason to NOT let SP2 Firewall be your protection is that it will allow File/Printer sharing by default - most vendor provided ones block it by default.

I see no reason to have SP2's firewall when there are quality ones like ZAP and such.

Quibbling over terminology. That's a lost cause anyway to resist the evolution of a living language. Today, for most, hacker == cracker. It may be wrong in the historical sense but it is correct now for the majority.

No one likes reading articles that contradict their viewpoint.

You have no desire to refute the points the article makes?

I don't agree with that:

I don't know yet ;-) This does not sound like an artikle I want to read.

Yours, VB.

I don't want you to use my tools. Please use Torsten's script, my tool only is for people, who feel more comfortable with a Windows program.

I don't want you to buy my tools. In fact, you cannot buy it, because I will not sell it ;-)

And beside my tools, I don't want to sell nonsense to you.

No. Freeware is not Free Software. Please read:

Not the inexperienced home user will improve it. But perhaps, a technician in this discussion here want's to read the source code or even improve it.

And anybody who wants to and is able to can check, what it's really doing.

Perhaps. But I doubt, that Mr. Gibson is doing this for other reasons than making money. I cannot see, why he should spread so much nonsense through the net, if that would be not true.

If this is true, it's crazy - there is no reason why not to use C.

Yes, but with completely other topics, which have nothing to do with that ;-)

Yes. I agree. But where is this for Windows 2000?

Unfortunately not. Even Windows XP SP2 is offering servers in the default configuration, nobody needs. And afterwards they're filtered away again with the Windows-Firewall.

Of course, this does not make sense at all. But they're doing this. And when the Windows-Firewall is not up for some reason (like the bug they had already with PPPoE IIRC), then also Windows XP SP2 is vulnerable again.

My question is: why?

Why don't they change this at last? And why don't they change the absurd idea, that also a Windows client machine in a Windows domain has to offer RPC service to be able to be a member of the domain?

This is a b0rken concept.

Yours, VB.

Mac OS X offers _zero_ servers to the Internet in the default configuration. So does the actual Debian GNU/Linux.

Unfortunately, other Linux distributions are to critizise also.

This is just FUD. Please explain, what do you mean with it. The Windows- Firewall is a simple configuration tool to configure the packet filter in Windows' kernel.

And this packet filter works good, for all what I can see. So please explain, what exactly does not work as expected.

Just like _every_ "Personal Firewall" we tested. See Chippy's autoclicker tool.

I already said enough to that topic, didn't I? Why are you arguing with this in spite of the fact, that you could know, that this will not work anyway?

Yours, VB.

Yes. In fact, I think this is a much better idea then believing that security can be bought in boxes.

Yours, VB.

We tested this. On no box we tested, File/Printer sharing was enabled by default. So this is just wrong what you're saying.

Yours, VB.

Gibson doesn't sell all his tools, but he does push and sell a tool which no-one needs any more provided they have proper backups and a few pennies for a replacement drive. It is true that most people don't have proper backups, but that's a separate discussion.

I don't think C is the best language in the world, but that's a separate discussion. I don't mean I think it's a good idea to do everything in assembler.

Ask the politicians at Microsoft. I'm sure they can come up with a long list of reasons why we must all throw away our Windows 2000 systems and purchase Vista. No doubt one reason will be that it's the most secure and easy to use operating system they've ever produced.

Ask them. If you get any further than banging your head against a brick wall, let me know.

Jason

For most cockroach = bug, and bacteria = bug. Bacteria = cockroach ??

Norton Antibug?

Geo

If you would re-read the thread, you will see that it was "GEO" snipped-for-privacy@home.here in Message-ID: who mentioned "cockroaches", not I.

Sorry for my cynicism, but this seems a convenient ploy on your part to avoid any concrete discussion at all. I have been civil in all my responses to you unless questioning your position on firewalls in being "uncivil".

My general view? I feel you are overly zealous in your dismissal of PFs as limited but useful tools even if they only provide mental comfort to the non-technical user. My 79 year-old father uses his windows-based PC to follow the stock market. He is partially blind, so my 78 year-old mother has to do the technical tasks for him. She has actually begun crying in frustration as I lead her through some of the more arcane tasks because she just doesn't understand why she has to spend time turning off services or applying upgrades. There are millions of users out there, young and old, like my parents.

Your one-size fits all security solution disdainfully ignores a significant part of the PC users out there who can, at least, have a minimal level of security by using a PF.

My impression is that an anti-personal firewall position has become a fad in Germany and pro-UNIX/Linux circles since most of the advocacy I've seen in this groups originates from German UNIX/Linux users.

If someone compares people with cockroaches, then I'm not very interested in what he has to say, sorry.

Sorry, I'm not interested in a discussion which bases on offense and pure polemics.

But if you want to discuss yourself, of course I'm happy to discuss with you. Please feel free to critizise me, tell me your views.

Yours, VB.