Hi Simon,
Are you running Windows? IIRC, most attacks are web based against Microsoft Windows.
Simon Stevens wrote: I'm running Comodo firewall ... and I'm behind a NAT router.
Are DNS and HTTP ports open? Ouch. Take a look at source port routing to get past the firewall.
Simon Stevens wrote: I'd rather save my CPU cycles for something useful.
I'm playing devil's advocate: Such As? The System Idle Thread could share some of its cycles.
Jeff
Jeffrey Walton wrote: Are you running Windows?
Normally. I think Firefox + NoScript really keeps the worst stuff out. I've tried various Linux distros and never really got into them. Although I've got into OpenOffice recently, so that's another tie to MS dropped. I think I'd miss Visual Studio too much though. The alternatives just aren't as good, and .NET on Linux just wasn't up to a good enough standard last time I tried.
Jeffrey Walton wrote: Are DNS and HTTP ports open?
Not normally. I occasionally open up a few ports if I fancy a bit of multiplayer gaming, but that's what the firewall's for, and where possible I use port triggering instead of just opening the ports.
Jeffrey Walton wrote: Such As? The System Idle Thread could share some of its cycles.
Unfortunately it's not that simple. Yes, if the virus scanner could just use up idle cycles that would be fine, but it's also going to take up memory, which means my apps page fault more. And as it scans files it will have to throw the hard disk around to scan each file, which means pages will take longer to be retrieved as the disk is always busy. Even if you turn off the background scanner and just use the scan-on-access ability, it's still going to kick in and do extra stuff every time you read a file, which could be 30-40 source files, half a dozen binaries, same again in symbol files, the compiler binaries, and goodness knows what else, every time you hit build.
Maybe one day I'll get burned and change my tune, but it's all worked so far. (My PC runs far smoother than my parents' PC (newer) which has a virus scanner and is clearly virus/spyware infested. I've wiped it and reinstalled everything so many times I've actually done an image of the hard disk now to save time.)
The real solution to the spyware/virus problem is proper education not software that scans anything and everything you do.
Simon
Hi Simon,
Simon Stevens wrote: Jeffrey Walton wrote:
Are DNS and HTTP ports open?
Not normally.
They must be if you cruise the web.
Simon Stevens wrote: The real solution to the spyware/virus problem is proper education not software that scans anything and everything you do.
Many viruses and worms do not require user interaction. When I contracted a SSA, it took Blaster and Welchia less than 4 hours to infect about 100,000 hosts.
I'm not aware of any Enterprise which does not use Antivirus software (except for two small ones). The first which does not has about 400 hosts, the second is a little larger - about two thousand hosts. Both had managers who did not appreciate (perhaps 'understand' is a better word) the security aspects of Networking. Their argument was similar - we don't want our 'File Server' (or other server) bogged down.
I'm a Security Engineer/System Administrator (I program for fun). I believe it is bad karma. I cannot think of one colleague who would agree with you.
Jeff
Jeffrey Walton wrote: Simon Stevens wrote:
Jeffrey Walton wrote:
Are DNS and HTTP ports open?
Not normally.
They must be if you cruise the web.
Maybe I misunderstand how my router works then. (That is totally a possibility, I'm no networking expert.) But I thought that by using NAT, any incoming data for a specific port at my IP address would just hit a wall at the router, unless the data was in response to outgoing data from my PC. There's 3 PCs behind my router; how will the router know which computer to forward a random packet to? Surely it won't and the packet will just be ignored. I don't have any port forwarding set up under normal circumstances, and web browsing works fine. Am I making a critical misunderstanding? Besides, I don't just leave all my trust in the NAT, I have a firewall. It's only AV I don't like.
Jeffrey Walton wrote: Many viruses and worms do not require user interaction.
How do they get on then? I use a script blocker in a 'whitelist' mode for blocking all sites' javascript/java/flash/silverlight/etc except those I authorise, I read email in plain text format, and I have autorun disabled for all drives. And my firewall should block any genuine "attacks".
Jeffrey Walton wrote: I'm not aware of any Enterprise which does not use Antivirus software
I'd never advocate that a business/enterprise turn off all their AV software. The average PC user just isn't knowledgeable enough to avoid viruses. And businesses have different needs. For example, as a home user, I receive all my email in plain text format and don't automatically download attachments (in fact I generally just ignore them totally), but this is probably too restrictive for a business.
Simon
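The behaviour Simon describes above (and Jeff's "they must be open if you cruise the web") comes down to the router's connection-tracking table. The following is an added example, not code from the thread: a toy NAT model in which an outbound packet creates a mapping, a reply that matches the mapping is delivered to the right internal host, an unsolicited inbound packet with no mapping is dropped, and a port-triggering rule opens an inbound port only after an internal host has sent the matching outbound traffic. All addresses, ports and rule values are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Minimal NAT / connection-tracking model (constructed for illustration)."""

    def __init__(self, public_ip: str, first_public_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_public_port
        # outbound flow (proto, int_ip, int_port, remote_ip, remote_port) -> public port
        self._out: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public_port, remote_ip, remote_port) -> (internal_ip, internal_port)
        self._in: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        # static port forwards: (proto, public_port) -> (internal_ip, internal_port)
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}
        # port-triggering rules: (proto, outbound dst_port) -> inbound port to open
        self.triggers: Dict[Tuple[str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->Internet packet, creating a mapping on first use."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self._out.get(key)
        if pub_port is None:
            pub_port = self._next_port
            self._next_port += 1
            self._out[key] = pub_port
            self._in[(pkt.proto, pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        # Port triggering: outbound traffic to the trigger port opens the paired
        # inbound port, pointed at the host that sent the trigger (any remote peer).
        opened = self.triggers.get((pkt.proto, pkt.dst_port))
        if opened is not None:
            self.forwards[(pkt.proto, opened)] = (pkt.src_ip, opened)
        return Packet(pkt.proto, self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered inside, or None if the router drops it."""
        if pkt.dst_ip != self.public_ip:
            return None
        # 1) reply to a tracked outbound flow: peer address and port must match
        dest = self._in.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        # 2) otherwise a static forward or a triggered port
        if dest is None:
            dest = self.forwards.get((pkt.proto, pkt.dst_port))
        if dest is None:
            return None  # no mapping: the router has no inside host to give it to
        ip, port = dest
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, ip, port)


def demo() -> dict:
    """Walk through the cases discussed in the thread with constructed addresses."""
    nat = NatRouter("198.51.100.1")
    web = "203.0.113.5"
    # Host A browses: the outbound HTTP packet creates the mapping
    out = nat.outbound(Packet("tcp", "192.168.1.10", 50000, web, 80))
    reply = nat.inbound(Packet("tcp", web, 80, nat.public_ip, out.src_port))
    # Unsolicited probe to port 80 on the public address: nothing is listening
    probe = nat.inbound(Packet("tcp", "192.0.2.99", 4444, nat.public_ip, 80))
    # Packet to the mapped public port but from the wrong peer: still dropped
    wrong_peer = nat.inbound(Packet("tcp", "192.0.2.99", 80, nat.public_ip, out.src_port))
    # Port triggering for a game: outbound UDP to 27015 opens inbound UDP 27016
    nat.triggers[("udp", 27015)] = 27016
    nat.outbound(Packet("udp", "192.168.1.12", 27015, "203.0.113.9", 27015))
    game = nat.inbound(Packet("udp", "203.0.113.9", 1234, nat.public_ip, 27016))
    return {
        "reply_to": (reply.dst_ip, reply.dst_port) if reply else None,
        "probe_dropped": probe is None,
        "wrong_peer_dropped": wrong_peer is None,
        "game_to": (game.dst_ip, game.dst_port) if game else None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model shows why both posters are right in a sense: the outbound HTTP and DNS flows are "open" in the tracking table for as long as they last, but an inbound packet that matches no tracked flow and no forward has no inside destination and is discarded. It also shows the trade-off Simon is relying on with port triggering: the triggered port is only open after the inside host asks for it, but while open it accepts traffic from any remote address.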
Hi Simon,
Simon Stevens wrote: How do they get on then?
Vulnerabilities in applications and the Operating System. For example, Sasser was a worm which exploited a vulnerability in LSASS. To propagate, the worm simply needed to find other Windows machines. No interaction required.
Welchia and Blaster were two others. They were participants in the Worm Wars. Each would exploit a different vulnerability. Once a host was infected, the one worm would remove the other worm, and then patch the vulnerability which the other worm used for penetration. Some deemed them 'White Worms' because of the removal/patching behavior - I do not.
Simon Stevens wrote: I use a script blocker in a 'whitelist' mode for blocking all sites javascript/java/flash/silverlight/etc except those i authorise
The script blocker is good. Better would be a hardened browser, but most people do not like using it. Basically, you classify the Internet Zone as 'Low'.
If the site uses JavaScript or Macromedia extensions, it must be added to the Trusted zone so that the script/ActiveX/etc can execute. If you want to download content from a site (such as a ZIP file from CodeProject), it too should be a Trusted site.
Jeff
Jeffrey Walton wrote: Vulnerabilities in applications and the Operating System.
What, vulnerabilities in Windows, noooo.
Well, hopefully a firewall/NAT combination is enough to keep these out.
Jeffrey Walton wrote: The script blocker is good. Better would be a hardened browser, but most people do not like using it. Basically, you classify the Internet Zone as 'Low'.
Yeah, I see that this would go one step further than what I've got. e.g. I could download a zip, or even a virus infected .exe from a site without whitelisting the site on my setup, but this is where the common sense comes in.
As you clearly know a fair bit in this department, maybe you could help with this:
Given my setup, no scripts can run without whitelisting, and let's assume for now that my firewall prevents viruses like Sasser, Welchia and Blaster as you described. If I was to (manually) download a virus-infected .exe file from a site, would the virus be able to propagate on my system without me running the .exe file? I have always made the assumption that it wouldn't. And what about an infected disk/USB stick? With autorun turned off, surely I would actually have to manually run the infected file before the virus can infect my PC? Finally, what about things like file indexing services (like Windows Desktop Search etc.) that scan files and index them to speed up searching. Would it be possible for them to scan an infected file and trigger some executable code in the infected file? Here, I'm assuming a vulnerability could exist in the indexing software that would somehow cause code to be run.
Simon
Same here, nothing running apart from Vista's firewall, mind you I imagine the college network is pretty tied down anyway. If I do want to investigate something dubious I just fire up a virtual machine and let it wreak havoc
We use a hardware firewall + Sophos AV running on servers and all workstations.
Sincerely,
-Mark
mark@msdcweb.com
http://www.msdcweb.com
Mark Miller wrote: hardware firewall
But that would mean a pretty complex configuration and a significant investment of time and money. Nevertheless the gains from the pains are good anyway.
Vasudevan Deepak Kumar
Personal Homepage Tech Gossips
A pessimist sees only the dark side of the clouds, and mopes; a philosopher sees both sides, and shrugs; an optimist doesn't see the clouds at all - he's walking on them. --Leonard Louis Levinson
Not really very complex or expensive, considering the alternatives.
A good firewall can be pricey, that is true, but very good hardware firewalls for a small office (less than 5 computers) can be had for less than US$100.00.
Sophos AV is centrally installed on the server and workstations - once that is done, it is pretty much automatic, with updates coming to the server and getting pushed out to the clients automatically several times per day.
Sophos AV is one of the few AV packages that can be running all of the time without severely impacting system performance, unlike Norton or McAfee which are generally NOT configured to scan all activity on the workstation all of the time due to the serious drag on the system.
We (as well as literally hundreds of my customers' machines) have been using Sophos for nearly 8 years and have never had a virus incident on any protected machine.
The price for Sophos AV for virtually any size business is generally less than the other "name-brands".
If you would like more information about Sophos AV and AS (anti-spam) products, email me directly.
Sincerely,
-Mark
mark@msdcweb.com
http://www.msdcweb.com
Admittedly I work for a hospital and they are paranoid. However:
No patient data on workstations, everything has to be on a SAN or server. Then:
- external facing servers are behind a hardware firewall
- servers have file level and packet level live scanning
- workstations have file level and packet level live scanning
- typical email filtering
So literally before something ends up on my workstation it has:
- gone through a firewall
- been packet scanned, then file scanned by the gateway server
- been packet scanned, then file scanned by my workstation
In addition to this, we do a weekly full AV scan on all workstations.
I use CA, it's good and not like that yellow clown box Norton Antivirus.
Wisdom is often meant as the ability and desire to make choices that can gain approval in a long-term examination by many people.
I also use CA Antivirus and AntiSpyware. I like the fact that they have small memory footprints, and don't start scanning and hogging resources on their own. I tried their firewall, but find it too intrusive for development.
M.Neff
I used to use CA (for about 3 years, I think). However, their Vista 32 version doesn't work right (it pegs a CPU core after a few minutes in Explorer), and they still don't have a Vista 64 version with the realtime scanner.
I'm using Avast! now, which doesn't have those problems. I did like CA, though, back on XP.
--
Russell Morris
Morbo: "WINDMILLS DO NOT WORK THAT WAY!"
After throwing out Symantec Antivirus, we're using Nod32, lightweight and non-intrusive. Looks like Symantec will never regain the leadership in Antivirus Software.
WPF - Imagineers Wanted
Follow your nose using DoubleAnimationUsingPath
That's true. I have replaced all Norton Symantec with the new and fastest NOD32 and WOW, Windows is faster.
Always update your PC with the latest OS patches and the latest virus signatures, and install a good (hardware) firewall, to keep your computer safe.
I have been very happy with NOD32 as well!
Yep, I'll chirp in on the Nod32 as well. I have tried about 3-5 different anti-virus programs & Nod32 is the best by far & has the best rating for catching viruses in the wild.
My 2nd choice is Avast Antivirus; it has a free license for home users & I use it on my home PCs & it seems to do the job.
I can not afford the risk of not having an AV (which is what the companies would like you to believe anyway); it's just not worth it for the sake of a few bucks & CPU cycles.
What about the free version of AVG?
C#, ASPX, SQL, novice to NHibernate
Hi, I don't like to product bash (unconstructive negativity is a waste of everyone's time), so let's just say yes, I have tried it & it caused more problems than it solved. There definitely is a market for AVG though.
... as not doing so is by far the most likely way for your machine to get infected with something nasty. Also:
* don't open any dodgy email attachments
* if you are planning on downloading a program, do a quick Google search to see if it is malware in disguise
* ideally, only install programs which are digitally signed, although, sadly, a lot of useful programs still are not
Paul Sanders (AlpineSoft) wrote: ... as not doing so is by far the most likely way for your machine to get infected with something nasty.
as doing so is a great way of getting your machine infected with an update that renders it totally useless.
Marc
Ho ho, very funny. That does happen occasionally I suppose, but it's never happened to me on the five machines on which I run XP and the one on which I (reluctantly) run Vista. Windows can roll your registry back to what it was before the update and can also uninstall an update (from Add/Remove Programs, check the 'Show updates' box).
Sorry if I sound a bit po-faced, but I happen to believe that Windows Update is an essential tool to keep out the gremlins and I would not like people to be put off using it by a one-line forum post. No offence taken, I hope. Certainly none intended.
T-shirt saying: Have you downloaded your Microsoft security update today?
djj
I get the feeling I'm in a minority of one here