Ransom virus?


wasapi
6th January 2012, 10:07 AM
Oh. Computer frustration.

A few weeks ago I was hit by a nasty ransom virus. (I was using Norton.) I took it to a shop where I trust the guy who works there. He eliminated the virus and installed Kaspersky.

Great. He brought back my laptop and it worked fine. For 3 days.

Another ransom virus. I called him and he told me it was a rouge-virus. So, he talked me into installing Linux after he removed the second virus, saying it was safer than Windows. I hated it. So, he reinstalled Windows.

It has been working fine the past few days, but I'm still paranoid.

Other than the Kaspersky, is there anything else I can do to keep it - hopefully - virus-free? Can anyone help me understand what a "rouge-virus" is?

Thank you.

Rat
6th January 2012, 12:12 PM
Other than the Kaspersky, is there anything else I can do to keep it - hopefully - virus-free? Can anyone help me understand what a "rouge-virus" is?
It's a virus that wears reddening make-up.

AdMan
6th January 2012, 12:27 PM
Can anyone help me understand what a "rouge-virus" is?

Thank you.


I think he meant rogue:

http://en.wikipedia.org/wiki/Rogue_security_software

Salerio
6th January 2012, 12:30 PM
I think you'll have to quit clicking on links and installing weird software - assuming you have turned on your firewall or are behind a decent router with a firewall.

The Norseman
6th January 2012, 05:15 PM
Security is always a trade-off. How much security you want versus how much work you want to do to accomplish it.

In this day and age, it might be better time spent for you to concentrate on learning and performing back-ups and/or images or other methods of storing your data and if or when your computer gets virused up, you can do a nuke-it-from-orbit and reinstall from bare metal.

A friend of mine and I were talking about the latest and greatest new virus to be making the corporate rounds and he was telling me what steps are needed in order to remove it. In the place he works, if an employee has a laptop and can come in to the office, they'll do a wipe and reinstall and have the laptop back in a few hours. If, however, the employee is working remotely, they may not get into the office within a month, so the only other option is this extremely long and complicated virus removal procedure. We're talking about finding the names of the executables (because they are randomly named to prevent easy removal) and registry edits, multiple reboots, re-activating executables in Windows (because this virus disables running .exe's so that a person cannot run AV programs), and then on and on.

For home users, especially these days with limited budgets, it's probably far wiser to make sure the stuff you want to keep is good and maybe spend some money on a computer dude/dudette to make a safe image of your hard drive first before trouble happens, as opposed to running AV that may or may not be up to date and hogs system resources or costs money, and so on.

Other than that, a decent hardware firewall or running a firewall on the router/modem that you have is the best option. Even with some changes that have occurred, I still will not particularly recommend either Norton or McAfee for home use. Kaspersky is a good option in my humble opinion.

Dancing David
7th January 2012, 05:09 AM
Oh. Computer frustration.

A few weeks ago I was hit by a nasty ransom virus. (I was using Norton.) I took it to a shop where I trust the guy who works there. He eliminated the virus and installed Kaspersky.

Great. He brought back my laptop and it worked fine. For 3 days.

Another ransom virus. I called him and he told me it was a rouge-virus. So, he talked me into installing Linux after he removed the second virus, saying it was safer than Windows. I hated it. So, he reinstalled Windows.

It has been working fine the past few days, but I'm still paranoid.

Other than the Kaspersky, is there anything else I can do to keep it - hopefully - virus-free? Can anyone help me understand what a "rouge-virus" is?

Thank you.

[canned speech]
First off, get a decent AV with real-time scanning. I use Microsoft Security Essentials, but you could use the pay-for Kaspersky, which is very highly rated.

Secondly, get a decent firewall. Scan your data sources like flash drives. Keep your system up to date, make sure your OS is patched, and make sure to update Flash and Java.

Third, download only from C-Net, MajorGeeks, FileHippo and other safe sources.

Fourth, do not use keygens, warez, cracks, P2P or bit torrents, unless you are very savvy.

Fifth, practice safe Internet: http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

[/canned speech]

Dancing David
7th January 2012, 05:12 AM
A friend of mine and I were talking about the latest and greatest new virus to be making the corporate rounds and he was telling me what steps are needed in order to remove it. In the place he works, if an employee has a laptop and can come in to the office, they'll do a wipe and reinstall and have the laptop back in a few hours. If, however, the employee is working remotely, they may not get into the office within a month, so the only other option is this extremely long and complicated virus removal procedure. We're talking about finding the names of the executables (because they are randomly named to prevent easy removal) and registry edits, multiple reboots, re-activating executables in Windows (because this virus disables running .exe's so that a person cannot run AV programs), and then on and on.


Last year many of the trojans and worms started using all sorts of non-.exe files as well, so the old 'scan for .exe' stopped working.

Sigh. :)

At least the last DDS scan I did was a short one.

The Norseman
7th January 2012, 10:55 PM
[canned speech]
First off, get a decent AV with real-time scanning. I use Microsoft Security Essentials, but you could use the pay-for Kaspersky, which is very highly rated.

Secondly, get a decent firewall. Scan your data sources like flash drives. Keep your system up to date, make sure your OS is patched, and make sure to update Flash and Java.

Third, download only from C-Net, MajorGeeks, FileHippo and other safe sources.

Fourth, do not use keygens, warez, cracks, P2P or bit torrents, unless you are very savvy.

Fifth, practice safe Internet: http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

[/canned speech]
Yup. Like I said, security depends on how much effort you want to go through to achieve whatever level you're desiring.



Last year many of the trojans and worms started using all sorts of non-.exe files as well, so the old 'scan for .exe' stopped working.

Sigh. :)

At least the last DDS scan I did was a short one.
So they run with .com's or .msi's or what? Batch files?

Dancing David
8th January 2012, 06:01 AM
So they run with .com's or .msi's or what? Batch files?

Now two years ago there was a rash of the .scr malware.

But the others were some obscure files I have never heard of from the remote reaches of the registry. I think that some scanners (like M-bam) search the extensions with known exploits to reduce scan time.

I forget the exact ones I have seen, they are usually some weird extension that isn't used very often. I would assume that there is also an instruction on how to run the hook after the call.

I have seen a few; the ones I remember were some obscure graphics or font call like .bdf, .bdi or .bdj and another was an obscure MS call. I think that they find extensions that just aren't well known.

I don't remember the exact extension type. I found it easily because it was sitting in AppData with some garbage style name.
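As an added example (not code from anyone in this thread), here is a small Python triage script that applies the pattern described above from the defender's side: walk an AppData-like tree and flag files that carry an executable extension, or an uncommon extension paired with a garbage-style name. The directory layout, file names, extension lists and the "random name" threshold are all constructed assumptions for this example, not a list from any scanner.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Extensions Windows will execute (or load as code) when the file is opened.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".vbe", ".js", ".jse", ".wsf", ".msi", ".dll", ".cpl"}
# Extensions a normal user profile is expected to carry under AppData
# (assumed allowlist for this example; tune it for a real profile).
BENIGN_EXTS = {".txt", ".ini", ".log", ".dat", ".xml", ".json", ".lnk",
               ".db", ".sqlite", ".cfg", ".png", ".jpg", ".ico", ".cache"}

# One unbroken run of letters and digits with no separators, e.g. "x7fk2q9s".
_RANDOM_STEM = re.compile(r"^[a-z0-9]{6,}$", re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """Heuristic for a 'garbage style' file name: a single alphanumeric run
    that mixes letters and digits, or that has almost no vowels."""
    if not _RANDOM_STEM.match(stem):
        return False
    has_digit = any(c.isdigit() for c in stem)
    letters = [c for c in stem.lower() if c.isalpha()]
    if not letters:
        return True  # a 6+ digit-only name is unusual for a data file
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    return has_digit or vowel_ratio < 0.2


def classify(path: Path) -> Optional[str]:
    """Return why a file deserves a manual look, or None if it looks ordinary."""
    ext = path.suffix.lower()
    if ext in EXECUTABLE_EXTS:
        return "executable extension under AppData"
    if ext not in BENIGN_EXTS and looks_random(path.stem):
        return "uncommon extension with garbage-style name"
    return None


def scan_appdata(root: Path) -> List[Tuple[str, str]]:
    """Walk an AppData-like tree; return sorted (relative path, reason) pairs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            reason = classify(p)
            if reason is not None:
                hits.append((p.relative_to(root).as_posix(), reason))
    return sorted(hits)


# Constructed sample profile for this example; every name here is made up.
SAMPLE_TREE = {
    "Roaming/Mozilla/Firefox/profiles.ini": "[General]\n",
    "Roaming/Microsoft/Windows/Recent/report.lnk": "",
    "Roaming/Notes/shopping.txt": "milk\n",
    "Local/Google/Chrome/Cache/f_000123": "",            # separator: not flagged
    "Local/Temp/x7fk2q9s.bdf": "not a real font",        # odd ext + garbage name
    "Roaming/a3j9k1l2m.scr": "not a real screensaver",   # executable extension
}


def build_sample_tree(root: Path) -> None:
    """Materialise SAMPLE_TREE under root."""
    for rel, body in SAMPLE_TREE.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


def demo() -> List[Tuple[str, str]]:
    """Build the sample tree in a temp dir and return what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_appdata(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Point scan_appdata at a real profile directory to get a short list for manual review; the heuristic is a triage aid, not a verdict.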

The Norseman
8th January 2012, 12:59 PM
Ah, yeah. I guess this is where I tend to favor the Linux-style of making any filetype executable or not (via chmod for example), rather than this blanket Windows-style of simply naming a file with a particular extension and they all are executable. Not that one cannot lock down a Winbox via permissions and such, but it seems to me to be just harder to effectively and easily administer than an equivalent Linuxbox.

Speaking of which, @wasapi, another trick to help reduce the instances of viruses is to make certain directories read-only. Windows 7 is much better at write and file access than previous versions, but it never hurts to manually change some directories that the standard Win7 setup doesn't cover.

wasapi
9th January 2012, 07:41 PM
Ah, yeah. I guess this is where I tend to favor the Linux-style of making any filetype executable or not (via chmod for example), rather than this blanket Windows-style of simply naming a file with a particular extension and they all are executable. Not that one cannot lock down a Winbox via permissions and such, but it seems to me to be just harder to effectively and easily administer than an equivalent Linuxbox.

Speaking of which, @wasapi, another trick to help reduce the instances of viruses is to make certain directories read-only. Windows 7 is much better at write and file access than previous versions, but it never hurts to manually change some directories that the standard Win7 setup doesn't cover.

Computers came into my life only about 10 years ago. (This was about the first forum I saw, and it was new.) I'm a slow learner when it comes to computers, and I had to read your reply about 3 times before I understood! But thank you. Good advice.

Blue Mountain
9th January 2012, 08:18 PM
I guess without knowing what caused the infection it would be difficult to recommend good defensive measures. My two favourites are Firefox with the NoScript extension (prevents running most JavaScript unless you specifically allow it) and the MVPS HOSTS file. However, the HOSTS file trick is useful only if the virus got to your computer by way of a compromised or malicious advertisement. I don't know how common that is.

NoScript takes quite a bit of getting used to, especially these days when a single web page will get JavaScript snippets from as many as a dozen sites or more. Functionality breaks all over the place. I've found that pages that want to display video that's hosted at another site are the worst: often I have to allow access to as many as three different sites before the video will play.

Rat
9th January 2012, 08:23 PM
NoScript takes quite a bit of getting used to, especially these days when a single web page will get JavaScript snippets from as many as a dozen sites or more. Functionality breaks all over the place. I've found that pages that want to display video that's hosted at another site are the worst: often I have to allow access to as many as three different sites before the video will play.
Well, yes, but I think that when a news site (it's nearly always news sites) wants to run scripts from two dozen different domains, and I have seen that many, it's probably not something I want to see anyway. At the very least, it's an education to see where each site is pulling scripts from.

Brian-M
9th January 2012, 09:57 PM
Another ransom virus. I called him and he told me it was a rouge-virus. So, he talked me into installing Linux after he removed the second virus, saying it was safer then Windows. I hated it. So, he reinstalled Windows

Just out of curiosity, which Linux distribution did he install?

There's lots of different Linux operating systems, each one a different experience. For example, I can't stand OpenSuse, but like Ubuntu. According to DistroWatch (http://distrowatch.com), the top ten major Linux distributions are...
Linux Mint
Ubuntu
Fedora
Debian
OpenSuse
Arch Linux
PCLinuxOs
CentOS
Mageia
Slackware
FreeBSD
(The last two are mostly for hardcore expert users.)

Of course, if you're happy with Windows you should stick with it.

AdMan
9th January 2012, 10:01 PM
There's lots of different Linux operating systems, each one a different experience. For example, I can't stand OpenSuse, but like Ubuntu. According to DistroWatch (http://distrowatch.com), the top ten major Linux distributions are...
Linux Mint
Ubuntu
Fedora
Debian
OpenSuse
Arch Linux
PCLinuxOs
CentOS
Mageia
Slackware
FreeBSD
(The last two are mostly for hardcore expert users.)

Of course, if you're happy with Windows, you should stick with it.


This is one reason why I (not too much of a techie, and a Windows user) don't feel very comfortable trying out Linux... Where to start??

Sam.I.Am
9th January 2012, 10:09 PM
I usually recommend Ubuntu to newbies only because of the ease of installation using Wubi (http://www.ubuntu.com/download/ubuntu/windows-installer) (Wubi Wiki (https://wiki.ubuntu.com/WubiGuide)) and its similarities to what they're used to OS-wise (although that's not really an issue nowadays for most flavors of Linux).

Krul
10th January 2012, 06:17 AM
While I can't contribute to a discussion about Linux due to extreme ignorance, here's my take on the current state of Windows and malware.

I don't see any extra value gained for a home user to pay for security software. There are numerous 'free' options out there that are just as adequate as something you pay for. I cannot count the number of machines I've cleaned malware off of, while fully up-to-date and "premium" versions of security software sit in the tray, unaware of any problems.

(That said: a) I've not yet encountered any computer running Kaspersky's suite; and b) I also don't see a reason to drop any currently subscribed-to security software. Just don't renew when the subscription ends.)

Next, like real estate, the most important three things on Windows are: updates, updates, and updates. Microsoft has done a decent enough job of responding to security criticisms to the point where malware writers are not focusing on Windows or Internet Explorer as attack points as much as they did in years past. These days, the most common attack vectors are through vulnerabilities in what I call the "trusted browser helper apps": Adobe Reader and Flash Player, and Java. (Quicktime is also a common point of attack, but less so than the above trio.)

While Adobe and Oracle (Java) are good at responding to vulnerability reports with patches, in my opinion, Adobe's update system is bad to the point of useless. Oracle is only slightly better, but also relies on the user to allow the update to run. Given the "ransom virus" environment we live in today, one can't blame the user for not trusting something sitting in their tray, asking to be allowed to run.

Fortunately, Secunia also sees that as a problem, and has released a free application for home users that attempts to update most programs automatically. It is mostly successful in that effort, but even if it is not able to update all programs, it is easier to explain to someone how to use the one, single trustworthy program in their tray to apply updates to the whole computer, than it is to explain how to update Java, then how to update Flash, then how to update Reader, then how to update Quicktime/iTunes, etc.

OK, now the links.

Microsoft Security Essentials, as mentioned by Dancing David, for antivirus/antimalware:
http://microsoft.com/securityessentials

Comodo Internet Security - Free for home use. Has antivirus; fully-functional and configurable firewall; "Defense+", which grants the ability to only allow 'trusted' programs to run; and a "sandbox" mode.
http://tinyurl.com/comodohomeinternet

Secunia Personal Software Inspector - application vulnerability scanner and updater:
http://secunia.com/vulnerability_scanning/personal/

MalwareBytes Antimalware - very effective malware removal tool that's easy to use:
http://malwarebytes.org

ETA: Ghostery - ad script and cookie blocker:
http://www.ghostery.com

Oh, yeah, I guess I should mention that I'm a Computer Guy™.

Krul
10th January 2012, 06:24 AM
This is one reason why I (not too much of a techie, and a Windows user) don't feel very comfortable trying out Linux... Where to start??

My only (extremely short) foray into Linux was with a "Live CD". It is the OS installed to a bootable CD, leaving your Windows installation and hard drive completely intact. I used Knoppix http://www.knoppix.com/, and I learned a lot with it. Of course, that was nearly 10 years ago, so not only has most of that knowledge leaked out of my brain by now, but I will also readily defer to other members who know Linux better than me as to what Live CD distro would be the best one to start on.

Krul
10th January 2012, 06:30 AM
NoScript takes quite a bit of getting used to, especially these days when a single web page will get JavaScript snippets from as many as a dozen sites or more. Functionality breaks all over the place. I've found that pages that want to display video that's hosted at another site are the worst: often I have to allow access to as many as three different sites before the video will play.

My personal combination is Opera browser and Ghostery (http://www.ghostery.com). Opera includes an awesome built-in ad blocker - I get so used to not seeing any ads when I browse, I'm often surprised by them on someone else's computer. Ghostery will automatically block all ad-related JavaScript - the only pop-up I see is a list of what ad agencies have been thwarted. Ghostery has plug-ins for most browsers.

(Guess I should've mentioned Ghostery in that previous post... I'll do that now)

NeilC
10th January 2012, 06:43 AM
Oh. Computer frustration.

A few weeks ago I was hit by a nasty ransom virus. (I was using Norton.) I took it to a shop where I trust the guy who works there. He eliminated the virus and installed Kaspersky.

Great. He brought back my laptop and it worked fine. For 3 days.

Another ransom virus. I called him and he told me it was a rouge-virus. So, he talked me into installing Linux after he removed the second virus, saying it was safer than Windows. I hated it. So, he reinstalled Windows.

It has been working fine the past few days, but I'm still paranoid.

Other than the Kaspersky, is there anything else I can do to keep it - hopefully - virus-free? Can anyone help me understand what a "rouge-virus" is?

Thank you.

If you're using Linux then the chances of you getting a virus are pretty remote so I wouldn't worry, to be honest. The vast majority of malware you're likely to come across on the net is aimed at Windows.

It's possible that if you got the same virus within 3 days that he didn't remove all aspects of it or forgot to check for scheduled tasks that reloaded it.

If you got a different one then it points to your browsing behaviour being risky. Maybe time to get your porn from another source ;-) It's quite unusual for malware to get past Kaspersky.

Other things you could do, if you were still using Windows, would be to keep Flash, Java and Acrobat Reader updated (many droppers use these as vectors), keep Windows updated, use Chrome instead of IE and join Web of Trust. The most surefire method is to use a sandbox like SandboxIE and ensure it sandboxes not only your browsers but the aforementioned plugins too. Browsing with that in place makes it very hard indeed to get infected. A slightly less draconian app but also highly effective is GesWall.

But as I say, if you're using Linux you're pretty safe from those sorts of malware.

Microsoft Security Essentials isn't actually very good. It rates quite poorly on tests compared to Kaspersky and others and I regularly remove viruses from MSE protected machines in my job so I would not recommend it particularly.

Krul
10th January 2012, 06:49 AM
Speaking of which, @wasapi, another trick to help reduce the instances of viruses is to make certain directories read-only. Windows 7 is much better at write and file access than previous versions, but it never hurts to manually change some directories that the standard Win7 setup doesn't cover.

Unless someone like us is able to provide such a specific list, I think the problem with this approach for a non-techie is the possibility of breaking something that Windows needs. Also, the viruses are very adept at installing themselves in such places where you cannot set the directory to read-only.

I'm going backwards in the thread (sorry!), but I agree with much of your first post. The caveat with imaging, in my opinion, is that the image would have to be refreshed often given the "patch" environment we live in today. Virtualization might be an option along those lines, making it easier for generating updated virtual machines ("images"). The VM management can be handled by batch scripts that any user can run, including one to "restore" the last known clean VM over an infected one. I'm about to start experimenting with such an approach, if I can just find that round tuit that I lost.

NeilC
10th January 2012, 06:53 AM
I fail to see how that would work anyway. Often malware hides in folders that need to be writeable.

Krul
10th January 2012, 07:01 AM
Microsoft Security Essentials isn't actually very good. It rates quite poorly on tests compared to Kaspersky and others and I regularly remove viruses from MSE protected machines in my job so I would not recommend it particularly.

I agree that MSSE is nothing more than basic protection. I generally recommend it to people because it is free and updates along with the rest of MS software. I currently have little to no confidence that anything you pay for grants better protection than that.

Can you provide a link or two to the comparison tests you mention?

Dancing David
10th January 2012, 07:34 AM
It rates quite poorly on tests compared to Kaspersky and others and I regularly remove viruses from MSE protected machines in my job so I would not recommend it particularly.

Well that is probably the 'nut behind the wheel' syndrome or operator error. Most of the machines I clean at work have some sort of trojan someone has downloaded.

:)

NeilC
10th January 2012, 07:56 AM
No I don't believe it is that. I really do not rate MSE in its ability to protect against rogueware and similar web-vectored malware. Much of my job is virus removal for business and residential customers and I think I'm getting a pretty decent picture of what works and what doesn't. I used to install MSE for customers myself but found I got calls from customers getting infected. I now sell Kaspersky and I don't get those calls.

Recent AV-test.org results rated MSE as 2.5 for protection. Kaspersky gets 6.0. This takes into account the all-important real-world, zero-day attack tests (which appear to be best for trying to measure the sort of fake-AV droppers we come across the most). MSE got a pretty poor 68% whilst Kaspersky gets 100%. That's a major difference. Avast gets 93% which is also significantly better. AV Comparatives also tested MSE alongside other AVs and whilst it did a little better (mostly because of the way they rate as far as I can tell), it still didn't rate in their top-tier. Given you can pick up a 3-user pack of Kaspersky for about £20 if you shop around I see little point in not going top-tier.

They all have their strengths and weaknesses. I still use MSE on drives I've slaved to my bench machine because it does a good job of finding infections. It's also pretty light on resources, fast for scanning, simple to use and quiet. Where it is not strong is preventing drive-by attacks. Since that is how most of my customers get infected I cannot recommend it.

Kaspersky has slow scans, is harder to use and can be irritating at times but in terms of proactive protection, it's great. I've tested Kaspersky by trying to get infected by visiting sites on the Malware Domain List, which is where I get many of my practice infections from, and I'm yet to manage to get the VM infected. 90%+ of the time it refuses to visit the page but even if I turn that function off, it still protects. My testing of MSE has not offered the same protection and I've successfully infected my machines several times.

Testing isn't perfect. My experience isn't perfect. But I've no reason from either to say MSE is particularly good.

This test includes proactive measures and you can see MSE rates poorly in protection - http://www.av-test.org/en/tests/test-reports/julaug-2011/

This one: http://www.av-comparatives.org/images/stories/test/ondret/avc_retro_nov2011.pdf does not include many proactive features such as web blocking so the results are less varied but still MSE is in the bottom 3: http://www.av-comparatives.org/images/stories/test/ondret/avc_retro_nov2011.pdf

Krul
10th January 2012, 08:17 AM
Thanks for the informative reply, NeilC. When I searched, av-comparatives.org came up first. I glanced through, but it didn't seem to put Kaspersky's at the top of the list. Other hits were either AV vendors themselves, or magazines whose impartiality I've come to trust less and less (PC World rating Norton #1, for instance... we all know that's not been true for years). I'll give av-test.org a look.

ETA: Actually, performance has also been a reason I've moved customers to MSSE, as I noticed some of the common free AV apps, AVG in particular, as resource hogs. MSSE seemed to have a smaller, more focused footprint. And in retrospect, perhaps that's one reason it is not as effective.

NeilC
10th January 2012, 08:29 AM
Thanks for the informative reply, NeilC. When I searched, av-comparatives.org came up first. I glanced through, but it didn't seem to put Kaspersky's at the top of the list. Other hits were either AV vendors themselves, or magazines whose impartiality I've come to trust less and less (PC World rating Norton #1, for instance... we all know that's not been true for years). I'll give av-test.org a look.

ETA: Actually, performance has also been a reason I've moved customers to MSSE, as I noticed some of the common free AV apps, AVG in particular, as resource hogs. MSSE seemed to have a smaller, more focused footprint. And in retrospect, perhaps that's one reason it is not as effective.

What comes top depends on how you test. I dare say being the absolute top performer for one lab's tests doesn't matter but if it consistently appears in the top 1/3 whilst other tools consistently appear in the bottom 1/3 one recognises the trend.

I know what you mean about the footprint. It also benefits from never trying to trick you into paying for it or installing some crappy toolbar etc. The other reason techs like MSSE is because it's so quiet so you don't get after-sales calls about decisions needing to be made or customers accidentally opening up their systems by pressing the wrong buttons. It definitely has some advantages.

Dancing David
10th January 2012, 09:37 AM
NeilC,
I have found that almost always at work, where we use Forefront without real time scanning (Don't ask me why, it is a mystery), that almost every case of infection is caused by the user downloading a trojan. Now once we get a worm on the net all bets are off.

Now at home where I use MSSE, I have had very few issues, now that does not mean that it rates with Kaspersky, goodness no. I recommend that product, Eset or Sophos for people who want to pay.

Now part of my success with MSSE is that I use Comodo firewall as well. I would say MSSE is adequate for someone who shows a little prudence.

Now my work experience involves two grade schools with about 150 machines at one and around 350 at the other. The one thing that I have encountered is the Google images that load hijackers, although Google is great about removing them. With Windows 7 and Forefront things have been stable except for trojans; yesterday it was a shop-to-win BHO in a .dll that someone downloaded.

And as I said once we get a worm on the net all bets are off.

I would never say MSSE is great, but as a free product I have found it adequate and less bloated than some others.

NeilC
10th January 2012, 09:49 AM
There is no doubt that users cause a lot of their own problems. I've run machines with no AV for ages and I don't get infected despite visiting all manner of dodgy sites. Yet others seem to get infected regularly. I think a good AV should take that into account but it's hard to replace technical common sense. I used to work at a school as it happens. They used Symantec which seemed very effective. I think the main thing was that it was well locked down so users and viruses with user level access couldn't do much.

So how does this Google image thing work? What happens when you click on an "infected image"?

Dancing David
10th January 2012, 02:01 PM
It is sort of sad, when you click on the image (say to copy it), it starts a ransomware bit of code. Users that have listened to me know to just turn off the machine. Others usually end up activating it. One out of ten times turning the machine off doesn't work and it needs to be cleaned.

But as I said Google takes them down very quickly.

Rat
10th January 2012, 03:09 PM
It is sort of sad, when you click on the image (say to copy it), it starts a ransomware bit of code. Users that have listened to me know to just turn off the machine. Others usually end up activating it. One out of ten times turning the machine off doesn't work and it needs to be cleaned.

But as I said Google takes them down very quickly.
Are you saying that just clicking the image itself causes infection? I'm aware such a thing is theoretically possible, but I'd have to say I've never seen it. I've many times come across those ones that do an impression of a Windows Security Centre window and that try to send you an executable when you click on them, but that's still only a link to an executable, and I would have thought that turning off the machine is a bit of an overreaction, notwithstanding users' willingness to go ahead and download and run a random executable.

The Norseman
10th January 2012, 04:02 PM
Computers came into my life only about 10 years ago. (This was about the first forum I saw, and it was new.) I'm a slow learner when it comes to computers, and I had to read your reply about 3 times before I understood! But thank you. Good advice.

Yes, sorry about that. I re-read what I wrote and figured I could have cleaned it up quite a bit. I was kinda all over the map there.

The Norseman
10th January 2012, 04:06 PM
I guess without knowing what caused the infection it would be difficult to recommend good defensive measures. My two favourites are Firefox with the NoScript extension (prevents running most JavaScript unless you specifically allow it) and the MVPS HOSTS file. However, the HOSTS file trick is useful only if the virus got to your computer by way of a compromised or malicious advertisement. I don't know how common that is.

NoScript takes quite a bit of getting used to, especially these days when a single web page will get JavaScript snippets from as many as a dozen sites or more. Functionality breaks all over the place. I've found that pages that want to display video that's hosted at another site are the worst: often I have to allow access to as many as three different sites before the video will play.

I always, always recommend an updated HOSTS file, simply because it's taking advantage of how the computers intrinsically work and takes only milliseconds to check before heading out to the DNS servers. Speaking of which, I always, always recommend using a company like OpenDNS and statically set my home and router DNS servers to OpenDNS. I have noticeably faster response times as compared to my current ISP and if you join up for a free OpenDNS account, you can set up web filters that are not located on the home computer (I had a step-son who was really into computers and I didn't trust that he wouldn't discover how to get around filters that were set on the home computers).

The Norseman
10th January 2012, 04:21 PM
While I can't contribute to a discussion about Linux due to extreme ignorance, here's my take on the current state of Windows and malware.

I don't see any extra value gained for a home user to pay for security software. There are numerous 'free' options out there that are just as adequate as something you pay for. I cannot count the number of machines I've cleaned malware off of, while fully up-to-date and "premium" versions of security software sit in the tray, unaware of any problems.
I agree. It's more often than not just a money drain for home users to pay for these AV services/apps.


Next, like real estate, the most important three things on Windows are: updates, updates, and updates. Microsoft has done a decent enough job of responding to security criticisms to the point where malware writers are not focusing on Windows or Internet Explorer as attack points as much as they did in years past. These days, the most common attack vectors are through vulnerabilities in what I call the "trusted browser helper apps": Adobe Reader and Flash Player, and Java. (Quicktime is also a common point of attack, but less so than the above trio.)

While Adobe and Oracle (Java) are good at responding to vulnerability reports with patches, in my opinion, Adobe's update system is bad to the point of useless. Oracle is only slightly better, but also relies on the user to allow the update to run. Given the "ransom virus" environment we live in today, one can't blame the user for not trusting something sitting in their tray, asking to be allowed to run.
When appropriate, I recommend people to NOT RUN Adobe Acrobat reader and remove it from their system and instead, use Foxit pdf reader or another similar lightweight and robust reader. The vulnerabilities that Adobe has in their bloated, resource-hogging reader are legion.



My personal combination is Opera browser and Ghostery (http://www.ghostery.com). Opera includes an awesome built-in ad blocker - I get so used to not seeing any ads when I browse, I'm often surprised by them on someone else's computer. Ghostery will automatically block all ad-related JavaScript - the only pop-up I see is a list of what ad agencies have been thwarted. Ghostery has plug-ins for most browsers.

(Guess I should've mentioned Ghostery in that previous post... I'll do that now)
I heart you. I run Opera and Ghostery too and go so far as to carry the Opera portable with me to run on others' machines (when appropriate).

Ghostery is a wonderful little program that I wish I knew about earlier.

Dancing David
10th January 2012, 07:05 PM
Are you saying that just clicking the image itself causes infection? I'm aware such a thing is theoretically possible, but I'd have to say I've never seen it. I've many times come across those ones that do an impression of a Windows Security Centre window and that try to send you an executable when you click on them, but that's still only a link to an executable, and I would have thought that turning off the machine is a bit of an overreaction, notwithstanding users' willingness to go ahead and download and run a random executable.

Turning off the machine is something the users understand, and yes, clicking on the image on the Google page was sufficient. I saw a teacher do it, as I sat next to him. Now in many cases the problem is the user clicks the 'close window X' and that executes the program. So no, the image click itself does not infect the machine, but sometimes closing that window will.

Most users get glassy eyes when I say something like 'Press Ctrl+Alt+Del and use the process tab to find iexplore.exe, highlight it and end the process'. Shoot, I tell them the name of our AV repeatedly and tell them not to respond to anything that is a warning not from our AV, and they go ahead and click anyway.

So restarting/logging off the machine without clicking the popup window is something they seem to be able to do, at times, if the moon is in the correct quadrant and the wind comes off the right quarter.

Unless it says they won something free or they can get coupons! :D

Rat
10th January 2012, 07:33 PM
Turning off the machine is something the users understand, and yes, clicking on the image on the Google page was sufficient. I saw a teacher do it, as I sat next to him. Now in many cases the problem is the user clicks the 'close window X' and that executes the program. So no, the image click itself does not infect the machine, but sometimes closing that window will.
Curious. I have not used IE at home for years, but have been compelled to use it at work for at least a decade, as were all of our users. Never have I come across an infection that can run simply by clicking on an image, nor by closing a window. And some of these were very stupid users. Always any infectious things I've seen bring up a dialogue box asking yes or no at some stage in their delivery. And yes, if the user sees an offer of free stuff in that dialogue box, they will click yes.

Brian-M
10th January 2012, 08:16 PM
The caveat with imaging, in my opinion, is that the image would have to be refreshed often given the "patch" environment we live in today.

That brings up another problem. If a virus, trojan or other form of malware gets on your computer, and doesn't make its presence known immediately, you could end up making an image of an infected system.

Which means that every time you restore from image, your system would become infected again.

My only (extremely short) foray into Linux was with a "Live CD". It is the OS installed to a bootable CD, leaving your Windows installation and hard drive completely intact. I used Knoppix http://www.knoppix.com/, and I learned a lot with it. Of course, that was nearly 10 years ago, so not only has most of that knowledge leaked out of my brain by now, but I will also readily defer to other members who know Linux better than me as to what Live CD distro would be the best one to start on.

Puppy Linux (http://puppylinux.org/main/Overview%20and%20Getting%20Started.htm) is pretty good for a live distro. You can also install it on a thumb drive.

On the home page it claims...

Puppy Linux enables you to save money while doing more work, even allowing you to do magic by recovering data from destroyed PCs or by removing malware from Windows. See these example articles: recovering files from Windows (http://help.artaro.eu/index.php/windows-vista/troubleshooting-windows-vista/recover-files-from-hard-disk-vista.html) and safe Internet banking (http://www.itnews.com.au/News/157767,nsw-police-dont-use-windows-for-internet-banking.aspx) with Puppy Linux.

So it might also come in handy if your computer is crippled by a virus and you want to recover some files that haven't been backed up recently, but I haven't tried using it for that. Although, if a ransom virus encrypts or damages your files, even a live CD isn't going to be any use recovering them.

Blue Mountain
10th January 2012, 08:38 PM
I always, always recommend an updated HOSTS file, simply because it's taking advantage of how the computers intrinsically work and takes only milliseconds to check before heading out to the DNS servers.
Just curious, do you run a hosts file to reduce the chance of getting infected by malware, or because you can't stand the ads? (I can't use the "risk of malware" excuse at home because I'm running Linux ;) )

Speaking of which, I always, always recommend using a company like openDNS and statically set my home and router DNS servers to openDNS. I have noticeably faster response times as compared to my current ISP and if you join up for a free openDNS account, you can set up webfilters that are not located on the home computer (I had a step-son who was really into computers and I didn't trust that he wouldn't discover how to get around filters that were set on the home computers).

At the risk of sounding like one of the four Yorkshiremen, I run my own DNS server. ("DNS? You were lucky to 'ave DNS! We 'ad to look up the IP addresses ourselves in a book and type 'em in by 'and!") Primarily because I also run my own DHCP server. So when a computer on my home network gets an IP address from DHCP, the local DNS gets updated with its name.

I'd like to marry the approach of running my own DNS server with the HOSTS file; that is, have DNS look up in HOSTS first before sending the query off to the net for resolution. But I'm not sure if it's even possible to do that in BIND, and I haven't bothered to do a DuckDuckGo or Google search to see what else may be out there. (I also don't need the parental controls because I don't have any teenagers at home.)

Brian-M
11th January 2012, 02:17 AM
(I can't use the "risk of malware" excuse at home because I'm running Linux ;) )

Linux malware does exist. It's just nowhere near as prevalent as Windows malware.

http://en.wikipedia.org/wiki/Linux_malware

Krul
11th January 2012, 06:58 AM
I know what you mean about the footprint. It also benefits from never trying to trick you into paying for it or installing some crappy toolbar etc. The other reason techs like MSSE is because it's so quiet so you don't get after-sales calls about decisions needing to be made or customers accidentally opening up their systems by pressing the wrong buttons. It definitely has some advantages.

Yes, all those points you mention are also factors that have leaned me towards it. That said, it isn't without its share of issues, as it is with all things. Just now, I had an installation that seemed to be stuck in a loop, pinning the CPU, and grabbing up all available RAM. All I did was reset the service, and it stopped, so at this point, I don't know what caused it. (and yes, I consider malware on the machine to be a possibility :))

Krul
11th January 2012, 07:18 AM
Now my work experience involves two grade schools with about 150 machines at one and around 350 at the other.

I do not envy you! :D

About 10 years ago, I had a private school customer with only 50 computers, all grades (including high school). I upgraded the PCs from Win98 to W2K and added group policy and passwords to lock them down. The day after I set up one of the high school classrooms, the assistant principal calls, saying that the teacher and he could not log on. "It's weird - that keyboard is different from the other classrooms' keyboards. The control key is above the tab key, but on the others, it's at the bottom." Through my laughter, I told him to press tilde-Alt-Del and see if he can log on, which, of course, he could. I still wonder how the kid(s) who did it were able to keep mum that whole time.

(This has replaced the "my cup holder is broken" tale as my favorite "silly human with a computer" story)

Krul
11th January 2012, 07:38 AM
When appropriate, I recommend people to NOT RUN Adobe Acrobat reader and remove it from their system and instead, use Foxit pdf reader or another similar lightweight and robust reader. The vulnerabilities that Adobe has in their bloated, resource-hogging reader are legion.

That's a great point - I forget about Foxit and other alternatives. The bloat itself should be reason enough to drop Adobe's reader - a ridiculous amount of code to display a 25 KB file.

I heart you. I run Opera and Ghostery too and go so far as to carry the Opera portable with me to run on others' machines (when appropriate).

Ghostery is a wonderful little program that I wish I knew about earlier.

But of course! What else would The Norseman use, but Opera! :D

I didn't know about a portable version of Opera; I'll go check that out. I do have it syncing between my desktop, netbook, and mobile.

Krul
11th January 2012, 08:22 AM
That brings up another problem. If a virus, trojan or other form of malware gets on your computer, and doesn't make its presence known immediately, you could end up making an image of an infected system.

Which means that every time you restore from image, your system would become infected again.

Of course, you are correct. What a "chase your tail" cycle we work in!

So I guess we could add a few steps to run thorough scans prior to updating the image, as well as having a massive drive available for keeping previous, known clean images.

Or, just unplug the computer from the Internet. :)

Puppy Linux (http://puppylinux.org/main/Overview%20and%20Getting%20Started.htm) is pretty good for a live distro. You can also install it on a thumb drive.

So it might also come in handy if your computer is crippled by a virus and you want to recover some files that haven't been backed up recently, but I haven't tried using it for that. Although, if a ransom virus encrypts or damages your files, even a live CD isn't going to be any use recovering them.

Thanks, I'll give that a look. For data recovery or malware removal on Windows boxes, though, I have found the Ultimate Boot CD 4 Win to be the best boot disk option.

Krul
11th January 2012, 08:26 AM
"DNS? You were lucky to 'ave DNS! We 'ad to look up the IP addresses ourselves in a book and type 'em in by 'and!"

:D

ETA:
I'd like to marry the approach of running my own DNS server with the HOSTS file; that is, have DNS look up in HOSTS first before sending the query off to the net for resolution. But I'm not sure if it's even possible to do that in BIND, and I haven't bothered to do a DuckDuckGo or Google search to see what else may be out there. (I also don't need the parental controls because I don't have any teenagers at home.)

Isn't there a way to 'prime' the DNS cache? Or would the HOSTS file be too big to cache efficiently?

ETA2:
Found this. Didn't read it through, but at the top, he lists the goals and ends the item with "Solved". One of them is to preload blacklisted domains in BIND.
http://www.pcreview.co.uk/forums/solved-dns-puzzles-load-hosts-into-dns-cache-and-forward-second-namespace-also-rbl-t1470514.html

Dancing David
11th January 2012, 09:12 AM
Curious. I have not used IE at home for years, but have been compelled to use it at work for at least a decade, as were all of our users. Never have I come across an infection that can run simply by clicking on an image, nor by closing a window. And some of these were very stupid users. Always any infectious things I've seen bring up a dialogue box asking yes or no at some stage in their delivery. And yes, if the user sees an offer of free stuff in that dialogue box, they will click yes.

It could be your users are honest and pay attention to what they are doing.

:D

grmcdorman
11th January 2012, 12:55 PM
I'd like to marry the approach of running my own DNS server with the HOSTS file; that is, have DNS look up in HOSTS first before sending the query off to the net for resolution. But I'm not sure if it's even possible to do that in BIND, and I haven't bothered to do a DuckDuckGo or Google search to see what else may be out there. (I also don't need the parental controls because I don't have any teenagers at home.)
dnsmasq does what you want, and it can be a DHCP service as well (basically, it'll look up locally, including the hosts file, before forwarding to the upstream DNS servers).

I configure it to give fixed IP addresses to our machines, so they get fixed names (which means they don't need to be in the hosts file, either). Runs like a treat on our Synology server.
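As an added example, not grmcdorman's configuration nor anything shipped by the dnsmasq project, here is a dnsmasq.conf that does what the two posts above ask for: answer from a local hosts-style blocklist and from fixed DHCP leases first, and forward to the upstream resolvers only for everything else (this also covers Krul's question about preloading blacklisted domains). The file paths, the home.lan domain, the 192.168.1.x addresses and the MAC address are assumed; the upstream addresses are OpenDNS's public resolvers.

```conf
# /etc/dnsmasq.conf (assumed path; added example, not from the thread)
#
# dnsmasq answers, in order, from /etc/hosts and any addn-hosts files,
# then from address=/.../ rules, then from its cache, and only then
# forwards to the servers listed below. A name in the blocklist is
# answered with 0.0.0.0 on the LAN and never reaches the upstream resolver.

# --- Upstream resolvers: OpenDNS public resolvers, replace if you prefer ---
# Ignore /etc/resolv.conf on the dnsmasq host itself.
no-resolv
server=208.67.222.222
server=208.67.220.220
# Never forward bare hostnames (no dot) or reverse lookups for private ranges.
domain-needed
bogus-priv

# --- Hosts file first: the "marry DNS with HOSTS" request ---
# Drop the downloaded MVPS hosts file here unchanged. dnsmasq loads it into
# memory at start-up rather than into the query cache, so its size is not a
# caching problem. Assumed path.
addn-hosts=/etc/dnsmasq.d/mvps-hosts
# Extra domains to sink together with every subdomain (a hosts file cannot
# wildcard). Both names are constructed placeholders.
address=/ads.example/0.0.0.0
address=/tracker.example/0.0.0.0

# --- Local names from DHCP, so machines need no hosts-file entries ---
domain=home.lan
# Answer home.lan queries locally; never forward them upstream.
local=/home.lan/
# Append .home.lan to short names found in the hosts files.
expand-hosts
# Assumed LAN range and gateway.
dhcp-range=192.168.1.100,192.168.1.199,12h
dhcp-option=option:router,192.168.1.1
# Fixed lease for one machine (constructed MAC), which also fixes its name.
dhcp-host=00:11:22:33:44:55,laptop,192.168.1.20
cache-size=10000

# --- Visibility: log every query; hits answered with 0.0.0.0 are blocklist hits ---
log-queries
```

Point the router's DHCP-advertised DNS, or each client's resolver settings, at the dnsmasq host; dnsmasq also reads the host's own /etc/hosts unless no-hosts is set.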

The Norseman
11th January 2012, 02:09 PM
That brings up another problem. If a virus, trojan or other form of malware gets on your computer, and doesn't make its presence known immediately, you could end up making an image of an infected system.

Which means that every time you restore from image, your system would become infected again.
Sure, there's always that risk, though I minimize the risk by doing a complete system image once I have everything installed and updated at that point and then keeping my data separate. I don't bother integrating updates or patches into my imaged backup. This is for home use, though, and not for a corporate type structure.



So it might also come in handy if your computer is crippled by a virus and you want to recover some files that haven't been backed up recently, but I haven't tried using it for that. Although, if a ransom virus encrypts or damages your files, even a live CD isn't going to be any use recovering them.
True, though I understand viruses that damage or destroy files are pretty rare, comparatively speaking.

The Norseman
11th January 2012, 02:17 PM
Just curious, do you run a hosts file to reduce the chance of getting infected by malware, or because you can't stand the ads? (I can't use the "risk of malware" excuse at home because I'm running Linux ;) )
Mainly because I simply can't stand the ads, though with a comprehensive hosts file, I can feel somewhat assured that certain adservers that are prone to serving up virus-laden adbanners are also taken care of.

I modify every computer's hosts file that I get my hands on, when I'm able to, so naturally that includes when I run Linux.


The rest of the info, about openDNS for example, is for others who may not be aware of some of the benefits of using alternate DNS servers rather than the default ISP servers and is not necessarily aimed at you specifically.

It's just another handy free tool that anyone can use and set up for a little extra protection from certain malware vectors (like DNS poisoning, redirects, drive-bys, and so on).

The Norseman
11th January 2012, 02:23 PM
That's a great point - I forget about Foxit and other alternatives. The bloat itself should be reason enough to drop Adobe's reader - a ridiculous amount of code to display a 25 KB file.
Ha! I know! For the professional Adobe Acrobat software, yeah, okay, sure I can see that. But for an *****' reader?



But of course! What else would The Norseman use, but Opera! :D

I didn't know about a portable version of Opera; I'll go check that out. I do have it syncing between my desktop, netbook, and mobile.
Heh. Funny thing is, I don't usually care much for opera, the music.

Anyway, try this link: http://www.opera-usb.com/

or maybe this one: http://portableapps.com/apps/internet/opera_portable

The Norseman
11th January 2012, 02:44 PM
It could be your users are honest and pay attention to what they are doing.
:D
While I understand the sentiment, I really have to disagree with the specifics, in that it's fairly common that webpages or ad servers themselves are compromised and can therefore deliver malware content to even those who are careful of where they browse.

Msnbc.com, for example, might not know what content the ad servers they are pulling from have or even that they pull from third-party ad servers with which they have no direct contact.

NeilC
12th January 2012, 02:14 AM
Of course, you are correct. What a "chase your tail" cycle we work in!

So I guess we could add a few steps to run thorough scans prior to updating the image, as well as having a massive drive available for keeping previous, known clean images.

Or, just unplug the computer from the Internet. :)

Thanks, I'll give that a look. For data recovery or malware removal on Windows boxes, though, I have found the Ultimate Boot CD 4 Win to be the best boot disk option.

I still think Hiren's is the ultimate boot cd of all time. It's even mostly legal now in v.15!

Dancing David
12th January 2012, 04:54 AM
While I understand the sentiment, I really have to disagree with the specifics, in that it's fairly common that webpages or ad servers themselves are compromised and can therefore deliver malware content to even those who are careful of where they browse.

Msnbc.com, for example, might not know what content the ad servers they are pulling from have or even that they pull from third-party ad servers with which they have no direct contact.

Fair enough; again, it was in reference to small unsupervised hosts, like school districts.

Krul
12th January 2012, 04:57 AM
Heh. Funny thing is, I don't usually care much for opera, the music.

Me, neither. I was referring to Opera (the browser) being Norwegian. :)

Anyway, try this link: http://www.opera-usb.com/

or maybe this one: http://portableapps.com/apps/internet/opera_portable

Thanks. So that seems to be those 2 different versions, right? I'll check them out.

Do the portable versions take up less RAM? One of the reasons I sought out Opera in the first place was to find a quicker browser than IE or Netscape (yes, that long ago). But now, Opera seems to also have become a monstrous RAM hog. I don't use the Widgets or some of the other advanced features, so if the portable version runs in less space, I just might move to it on my main systems as well.

Krul
12th January 2012, 05:07 AM
I still think Hiren's is the ultimate boot cd of all time. It's even mostly legal now in v.15!

I'd seen this mentioned on another forum, but when I found Hiren's page, I couldn't find a link to download it as a whole. I would've assumed it would be on the page "Hiren's Boot CD." I found many pages of links to download tools - do you download them all individually and then use the bootcd.zip to sew them up into a bootable disk? It is not at all clear how to get this disk.

Dancing David
12th January 2012, 09:32 AM
The Ultimate Boot Disk for Windows is easier and legal.

http://www.ubcd4win.com/

However, you have to have an OS disk to make one, and I am not sure about Win7.

Christian Klippel
13th January 2012, 03:52 PM
Last year many of the trojans and worms started using all sorts of non-.exe files as well, so the old 'scan for .exe' stopped working.

Sigh. :)

At least the last DDS scan I did was a short one.

You will be surprised to learn what is possible with PDF files. Check last year's CCC congress, they had a presentation about that:

http://ftp.halifax.rwth-aachen.de/CCC/27C3/mp4-h264-HQ/27c3-4221-en-omg_wtf_pdf.mp4

Greetings,

Chris

ETA: Oh, and it would be pretty short-sighted to think that only your computer may have a problem. Have a laser printer? Have fun:

http://ftp.halifax.rwth-aachen.de/ccc/28C3/mp4-h264-HQ/28c3-4780-en-print_me_if_you_dare_h264.mp4

The Norseman
13th January 2012, 04:27 PM
Me, neither. I was referring to Opera (the browser) being Norwegian. :)
OOOHHHH! I get it now! I took it for granted that since the Norwegians created it, it was naturally superior! ;)


Do the portable versions take up less RAM? One of the reasons I sought out Opera in the first place was to find a quicker browser than IE or Netscape (yes, that long ago). But now, Opera seems to also have become a monstrous RAM hog. I don't use the Widgets or some of the other advanced features, so if the portable version runs in less space, I just might move to it on my main systems as well.
It's still a lean, mean browsing machine. The tendency for any browser to take up lots of memory depends on how many tabs you have open at any given time.

Right now, as I type this, I'm running 69 tabs open and it's taking just over a gig of my RAM. Many of the pages open are like from youtube and some heavy photo-type sites (like DeviantArt). I've also got Internet Extorter open with four tabs and it's taking 80 megs.

So to crunch some numbers, each Opera tab is taking about 14 megs, while IE is taking 20 megs. These are rough guides, of course, but the responsiveness of Portable Opera is still far better than the native installation of IE in my experience.

My absolutely favoritest feature which only Opera has -- the Notes feature. I use it *extensively* in keeping all kinds of information I run across while browsing to be printed off later.

Dancing David
14th January 2012, 04:55 AM
You will be surprised to learn what is possible with PDF files. Check last year's CCC congress, they had a presentation about that:

http://ftp.halifax.rwth-aachen.de/CCC/27C3/mp4-h264-HQ/27c3-4221-en-omg_wtf_pdf.mp4

Greetings,

Chris

ETA: Oh, and it would be pretty short-sighted to think that only your computer may have a problem. Have a laser printer? Have fun:

http://ftp.halifax.rwth-aachen.de/ccc/28C3/mp4-h264-HQ/28c3-4780-en-print_me_if_you_dare_h264.mp4
:)

I know, and I have been checking for those firmware updates; yes, Adobe is a big hole, especially since most of the users ignore the update warnings.

Dancing David
14th January 2012, 04:56 AM
OOOHHHH! I get it now! I took it for granted that since the Norwegians created it, it was naturally superior! ;)



It's still a lean, mean browsing machine. The tendency for any browser to take up lots of memory depends on how many tabs you have open at any given time.

Right now, as I type this, I'm running 69 tabs open and it's taking just over a gig of my RAM. Many of the pages open are like from youtube and some heavy photo-type sites (like DeviantArt). I've also got Internet Extorter open with four tabs and it's taking 80 megs.

So to crunch some numbers, each Opera tab is taking about 14 megs, while IE is taking 20 megs. These are rough guides, of course, but the responsiveness of Portable Opera is still far better than the native installation of IE in my experience.

My absolutely favoritest feature which only Opera has -- the Notes feature. I use it *extensively* in keeping all kinds of information I run across while browsing to be printed off later.

Sweet, time to play around.

marplots
14th January 2012, 07:09 AM
:)

I know, and I have been checking for those firmware updates; yes, Adobe is a big hole, especially since most of the users ignore the update warnings.

The problem I have with the Adobe updates is their licensing agreement. In essence, section 7 says I give permission for third parties to run whatever they like on my computer through Adobe software.

I just can't bear to update past that part.

But so much of what I want to see on the net is flash based. What's a novice to do?

The Norseman
14th January 2012, 12:25 PM
The problem I have with the Adobe updates is their licensing agreement. In essence, section 7 says I give permission for third parties to run whatever they like on my computer through Adobe software.

I just can't bear to update past that part.

But so much of what I want to see on the net is flash based. What's a novice to do?

Bite the bullet, update and try to keep the third party stuff from infiltrating.

Brian-M
14th January 2012, 10:02 PM
But so much of what I want to see on the net is flash based. What's a novice to do?

Install a different flash player instead?

Linux flash-players such as Gnash (http://en.wikipedia.org/wiki/Gnash) and Lightspark (http://en.wikipedia.org/wiki/Lightspark) have been ported to Windows.

Try these sites: http://getgnash.org
https://launchpad.net/lightspark
Apparently the newest release of Lightspark has been made compatible with Gnash, so you can have both installed at the same time.