|
Jeffrey Walton wrote: Vulnerabilities in applications and the Operating System.
What, vulnerabilities in windows, noooo
well, hopefully a firewall/nat combination is enough to keep these out.
Jeffrey Walton wrote: The script blocker is good. Better would be a hardened browser, but most people do not like using it. Basically, you classify the Internet Zone as 'Low'.
Yeah, I see that this would go one step further than what I've got. e.g. I could download a zip, or even a virus infected .exe from a site without whitelisting the site on my setup, but this is where the common sense comes in.
As you clearly know a fair bit in this deparment maybe you could help with this:
Given my setup, no scripts can run without whitelisting and lets assume for now that my firewall prevents viruses like Sasser, Welcjia and Blaster as you described. If I was to (manually) download a virus infected .exe file from a site. Would the virus be able to propagate on my system without me running the .exe file? I have always made the assumption that it wouldn't. And what about an infected disk/usb stick. With auto run turned off, surely I would actually have to manually run the infected file before the virus can infect my pc? Finally, what about things like file indexing services (like the windows desktop search etc) that scan files and index them to speed up searching. Would it be possible for them to scan an infected file and trigger some execuatable code in the infected file? Here, I'm assuming a vulnerability could exist in the indexing software that would somehow cause code to be ran.
Simon
|
|
|
|
|
Same here, nothing running apart from Vista's firewall, mind you I imagine the college network is pretty tied down anyway. If I do want to investigate something dubious I just fire up a virtual machine and let it wreak havoc
|
|
|
|
|
We use a hardware firewall + Sophos AV running on servers and all workstations.
Sincerely,
-Mark
mark@msdcweb.com
http://www.msdcweb.com
|
|
|
|
|
Mark Miller wrote: hardware firewall
But that would mean a pretty complex configuration and a significant investment of time and money. Nevertheless the gains from the pains are good anyway.
Vasudevan Deepak Kumar
Personal Homepage Tech Gossips
A pessimist sees only the dark side of the clouds, and mopes; a philosopher sees both sides, and shrugs; an optimist doesn't see the clouds at all - he's walking on them. --Leonard Louis Levinson
|
|
|
|
|
Not really very complex or expensive, considering the alternatives.
A good firewall can be pricey, that is true, but very good hardware firewalls for a small office (less than 5 computers) can be had for less than US$100.00.
Sophos AV is centrally installed on the server and workstations - once that is done, it is pretty much automatic, with updates coming to the server and getting pushed out to the clients automatically several times per day.
Sophos AV is one of the few AV packages that can be running all of the time without severely impacting system performance, unlike Norton or McAfee which are generally NOT configured to scan all activity on the workstation all of the time due to the serious drag on the system.
We (as well as literally hundreds of my customers machines) have been using Sophos for nearly 8 years and have never had a virus incident on any protected machine.
The price for Sophos AV for virtually any size business is generally less than the other "name-brands".
If you would like more information about Sophos AV and AS (anti-spam) products, email me directly.
Sincerely,
-Mark
mark@msdcweb.com
http://www.msdcweb.com
|
|
|
|
|
Admittedly I work for a hospital and they are paranoid. However:
No patient data on workstations, everything has to be on a SAN or server. Then:
-external facing servers are behind a hardware firewall
-servers have file level and packet level live scanning
-workstations have file level and packet level live scanning
-typical email filtering
so literally before something ends up on my workstation it has:
gone through a firewall
been packet scanned, then file scanned by the gateway server
been packet scanned, then file scanned by my workstation
In addition to this, we do a weekly full AV scan on all workstations.
|
|
|
|
|
I use CA, its good and not like that yellow clown box nortan antivirus
Wisdom is often meant as the ability and desire to make choices that can gain approval in a long-term examination by many people.
|
|
|
|
|
I also use CA Antivirus and AntiSpyware. I like the fact that they have small memory footprints, and don't start scanning and hogging resources on their own. I tried their firewall, but find it too intrusive for development.
M.Neff
|
|
|
|
|
I used to use CA (for about 3 years, I think). However, their Vista 32 version doesn't work right (it pegs a CPU core after a few minutes in Explorer), and they still don't have a Vista 64 version with the realtime scanner.
I'm using Avast! now, which doesn't have those problems. I did like CA, though, back on XP.
--
Russell Morris
Morbo: "WINDMILLS DO NOT WORK THAT WAY!"
|
|
|
|
|
After throwing out Symantec Antivirus, we're using Nod32, lightwight and non-intrusive, looks like Symantec will never regain the leadership in Antivirus Software.
WPF - Imagineers Wanted
Follow your nose using DoubleAnimationUsingPath
|
|
|
|
|
Thats true. I have changed all Norton Symantec with the New and fastest NOD32 and WOW, windows is faster.
Always update your PC with the latest OS Patches, Last Virus Signature, and install a good Firewall (Hardware), to keep your computer safe.
|
|
|
|
|
I have been very happy with NOD32 as well!
|
|
|
|
|
Yep I'll chirp in on the Nod32 as well, I have tried about 3-5 different anti-virus programs & Nod32 is the best by far & has the best rating for catching viruses in the wild.
My 2nd choice is Avast Antivirus, it has a free license for home users & I use it on my home pc's & it seems to do the job.
I can not afford the risk of not having an AV (which is what the companies would like you to belive anyway), it just not worth it for the sake of a few bucks & cpu cycles.
|
|
|
|
|
What about the free version of AVG?
C#, ASPX, SQL, novice to NHibernate
|
|
|
|
|
Hi, I dont like to product bash (unconstructive negativity is a waste of everyones time) so lets just say Yes I have tried it & it caused more problems that it solved. There definatly is a market for AVG though
|
|
|
|
|
... as not doing so is by far the most likely way for your machine to get infected with something nasty. Also:
* don't open any dodgy email attachments
* if you are planning on downloading a program, do a quick google search to see if it is malware in disguise
* ideally, only install programs which are digitially signed, although, sadly, a lot of useful programs still are not
|
|
|
|
|
Paul Sanders (AlpineSoft) wrote: ... as not doing so is by far the most likely way for your machine to get infected with something nasty.
as doing so is a great way of getting your machine infected with an update that renders it totally useless.
Marc
|
|
|
|
|
Ho ho, very funny. That does happen occasionally I suppose, but it's never happened to me on the five machines on which I run XP and the one on which I (reluctantly) run Vista . Windows can roll your registry back to what it was before the update and can also uninstall an update (from Add/Remove programs, check the 'show updates' box).
Sorry if I sound a bit po-faced, but I happen to believe that Windows Update is an essential tool to keep out the gremlins and I would not like people to be put off using it by a one-line forum post. No offence taken, I hope. Certainly none intended.
|
|
|
|
|
T-shirt saying: Have you downloaded your Microsoft security update today?
djj
|
|
|
|
|
I get the feeling I'm in a minority of one here
|
|
|
|
|
I personally keep auto-update on for workstations...but I NEVER EVER EVER turn them on for Servers. I have monthly maintenance set up about 2 weeks after they're release so that the patch to the patch that broke the first patch's patch is released
|
|
|
|
|
Yes, that makes a lot of sense. But how do you know when it is 'safe' to install whatever updates are pending for a particular server? Do you have a 'sacrificial goat' to install them on first, or if not, how _do_ you do it?
|
|
|
|
|
Oh, that's easy. I have a virtual machine that I use as the 'sacrificial goat'. At some point during the week before maintenance I'll set up the 'Update Shrine', pray to the Gods of Redmond, turn around counter-clockwise 0010 times, then sacrafice the VM Goat. If the update is a service pack then I find a help desk technician to sacrafice prior to the Goat.
Oh yeah...on a completely unrelated subject...anyone looking for a job as a help desk tech...Vista's SP is due out soon
|
|
|
|
|
Tee hee
|
|
|
|
|
Paul Sanders (AlpineSoft) wrote: Make sure you have Windows Update turned on...
I so completely disagree on this.
You should update regularly sure, but you should do it manually.
Often automatic updates install stuff that is not yet supported for your product. Small eg.: IE7.
V.
I found a living worth working for, but haven't found work worth living for.
|
|
|
|