#1 |
|
Master Poster
Join Date: May 2008
Posts: 2,382
|
Ransom virus?
Oh. Computer frustration.
A few weeks ago I was hit by a nasty ransom virus. (I was using Norton). I took it to a shop where I trust the guy who works there. He eliminated the virus, and installed Kaspersky. Great. He brought back my laptop and it worked fine. For 3 days. Another ransom virus. I called him and he told me it was a rogue-virus. So, he talked me into installing Linux after he removed the second virus, saying it was safer than Windows. I hated it. So, he reinstalled Windows. It has been working fine the past few days, but I'm still paranoid. Other than the Kaspersky, is there anything else I can do to keep it - hopefully - virus-free? Can anyone help me understand what a "rogue-virus" is? Thank you. |
|
__________________
Julia |
|
|
|
|
|
#2 |
|
Not bored. Never bored.
Moderator
Join Date: May 2003
Location: Leicester, UK
Posts: 7,050
|
|
|
__________________
"One must judge a person above all by their vices. Virtues can be feigned. Vices are genuine." - Klaus Kinski UKLS 1988- Sitting on the fence throwing stones at both sides. |
|
|
|
|
|
#3 |
|
Philosopher
Join Date: Feb 2010
Posts: 7,160
|
|
|
|
|
|
#4 |
|
Thinker
Join Date: Mar 2005
Posts: 206
|
I think you'll have to quit clicking on links and installing weird software - assuming you have turned on your firewall or are behind a decent router with a firewall.
|
|
__________________
|
|
|
|
|
|
#5 |
|
I Void Warranties
Join Date: Dec 2008
Location: The Treasure Valley
Posts: 3,236
|
Security is always a trade-off. How much security you want versus how much work you want to do to accomplish it.
In this day and age, it might be better time spent for you to concentrate on learning and performing back-ups and/or images or other methods of storing your data and if or when your computer gets virused up, you can do a nuke-it-from-orbit and reinstall from bare metal. A friend of mine and I were talking about the latest and greatest new virus to be making the corporate rounds and he was telling me what steps are needed in order to remove it. In the place he works, if an employee has a laptop and can come in to the office, they'll do a wipe and reinstall and have the laptop back in a few hours. If, however, the employee is working remotely, they may not get into the office within a month, so the only other option is this extremely long and complicated virus removal procedure. We're talking about finding the names of the executables (because they are randomly named to prevent easy removal) and registry edits, multiple reboots, re-activating executables in Windows (because this virus disables running .exe's so that a person cannot run AV programs), and then on and on. For home users, especially these days with limited budgets, it's probably far wiser to make sure the stuff you want to keep is good and maybe spend some money on a computer dude/dudette to make a safe image of your hard drive first before trouble happens, as opposed to running AV that may or may not be up to date and hogs system resources or costs money, and so on. Other than that, a decent hardware firewall or running a firewall on the router/modem that you have is the best option. Even with some changes that have occurred, I still will not particularly recommend either Norton or McAfee for home use. Kaspersky is a good option in my humble opinion. |
|
__________________
"I have always thought that a wild animal never looks so well as when some obstacle of pronounced durability is between us." "Sticking the flounce is the hardest move in forum gymnastics." -tsig |
|
|
|
|
|
#6 |
|
Penultimate Amazing
Join Date: Mar 2003
Location: Central Illinois
Posts: 34,702
|
[canned speech]
First off, get a decent AV with real time scanning. I use Microsoft Security Essentials, but you could use the pay for Kaspersky, which is very highly rated. Secondly, get a decent firewall. Scan your data sources like flash drives. Keep your system up to date, make sure your OS is patched, make sure to update Flash and Java. Third, download only from C-Net, MajorGeeks, FileHippo and other safe sources. Fourth, Do Not use keygens, warez, cracks, P2P or bit torrents, unless you are very savvy. Fifth, Practice Safe Internet: http://users.telenet.be/bluepatchy/m...revention.html [/canned speech] |
|
__________________
Hell, dynamiting fish in a barrel is more challenging. - Ladewig I suspect you are a sandwich, metaphorically speaking. -Donn And a shot rang out. Now Space is doing time... -Ben Burch You built the toilet - don't complain when people crap in it. _Kid Eager |
|
|
|
|
|
#7 |
|
Penultimate Amazing
Join Date: Mar 2003
Location: Central Illinois
Posts: 34,702
|
|
|
__________________
Hell, dynamiting fish in a barrel is more challenging. - Ladewig I suspect you are a sandwich, metaphorically speaking. -Donn And a shot rang out. Now Space is doing time... -Ben Burch You built the toilet - don't complain when people crap in it. _Kid Eager |
|
|
|
|
|
#8 |
|
I Void Warranties
Join Date: Dec 2008
Location: The Treasure Valley
Posts: 3,236
|
|
|
__________________
"I have always thought that a wild animal never looks so well as when some obstacle of pronounced durability is between us." "Sticking the flounce is the hardest move in forum gymnastics." -tsig |
|
|
|
|
|
#9 |
|
Penultimate Amazing
Join Date: Mar 2003
Location: Central Illinois
Posts: 34,702
|
Now two years ago there was a rash of the .scr malware.
But the others were some obscure files I have never heard of from the remote reaches of the registry. I think that some scanners (like M-bam) search the extensions with known exploits to reduce scan time. I forget the exact ones I have seen, they are usually some weird extension that isn't used very often. I would assume that there is also an instruction on how to run the hook after the call. I have seen a few, the ones I remember were some obscure graphics or font call like .bdf, .bdi or .bdj and another was an obscure MS call. I think that they find extensions that just aren't well known. I don't remember the exact extension type. I found it easily because it was sitting in AppData with some garbage style name. |
|
__________________
Hell, dynamiting fish in a barrel is more challenging. - Ladewig I suspect you are a sandwich, metaphorically speaking. -Donn And a shot rang out. Now Space is doing time... -Ben Burch You built the toilet - don't complain when people crap in it. _Kid Eager |
|
|
|
|
|
#10 |
|
I Void Warranties
Join Date: Dec 2008
Location: The Treasure Valley
Posts: 3,236
|
Ah, yeah. I guess this is where I tend to favor the Linux-style making any filetype executable or not (via chmod for example), rather than this blanket Windows-style of simply naming a file with a particular extension and they all are executable. Not that one cannot lock down a Winbox via permissions and such, but it seems to me to be just harder to effectively and easily administer than an equivalent Linuxbox.
Speaking of which, @wasapi, another trick to help reduce the instances of viruses is to make certain directories read-only. Windows 7 is much better at write and file access than previous versions, but it never hurts to manually change some directories that the standard Win7 setup doesn't cover. |
|
__________________
"I have always thought that a wild animal never looks so well as when some obstacle of pronounced durability is between us." "Sticking the flounce is the hardest move in forum gymnastics." -tsig |
|
|
|
|
|
#11 |
|
Master Poster
Join Date: May 2008
Posts: 2,382
|
|
|
__________________
Julia |
|
|
|
|
|
#12 |
|
Resident Skeptical Hobbit
Join Date: Jul 2005
Location: Waging war on woo-woo in Winnipeg
Posts: 3,630
|
I guess without knowing what caused the infection it would be difficult to recommend good defensive measures. My two favourites are Firefox with the NoScript extension (prevents running most JavaScript unless you specifically allow it) and the MVPS HOSTS file. However, the HOSTS file trick is useful only if the virus got to your computer by way of a compromised or malicious advertisement. I don't know how common that is.
NoScript takes quite a bit of getting used to, especially these days when a single web page will get JavaScript snippets from as many as a dozen sites or more. Functionality breaks all over the place. I've found that pages that want to display video that's hosted at another site are the worst: often I have to allow access to as many as three different sites before the video will play. |
|
__________________
The social illusion reigns to-day upon all the heaped-up ruins of the past, and to it belongs the future. The masses have never thirsted after truth. They turn aside from evidence that is not to their taste, preferring to deify error, if error seduce them. Gustav Le Bon, The Crowd, 1895 (from the French) Canadian or living in Canada? PM me if you want an entry on the list of Canadians on the forum. |
|
|
|
|
|
#13 |
|
Not bored. Never bored.
Moderator
Join Date: May 2003
Location: Leicester, UK
Posts: 7,050
|
Well, yes, but I think that when a news site (it's nearly always news sites) wants to run scripts from two dozen different domains, and I have seen that many, it's probably not something I want to see anyway. At the very least, it's an education to see where each site is pulling scripts from.
|
|
__________________
"One must judge a person above all by their vices. Virtues can be feigned. Vices are genuine." - Klaus Kinski UKLS 1988- Sitting on the fence throwing stones at both sides. |
|
|
|
|
|
#14 |
|
Daydreamer
Join Date: Jul 2008
Location: Downunder
Posts: 4,241
|
Just out of curiosity, which Linux distribution did he install?
There's lots of different Linux operating systems, each one a different experience. For example, I can't stand OpenSuse, but like Ubuntu. According to DistroWatch, the top ten major Linux distributions are...
Of course, if you're happy with Windows you should stick with it. |
|
__________________
"That is just what you feel, that isn't reality." - hamelekim |
|
|
|
|
|
#15 |
|
Philosopher
Join Date: Feb 2010
Posts: 7,160
|
|
|
|
|
|
#17 |
|
Scholar
Join Date: Mar 2011
Location: Ylum
Posts: 53
|
While I can't contribute to a discussion about Linux due to extreme ignorance, here's my take on the current state of Windows and malware.
I don't see any extra value gained for a home user to pay for security software. There are numerous 'free' options out there that are just as adequate as something you pay for. I cannot count the number of machines I've cleaned malware off of, while fully up-to-date and "premium" versions of security software sit in the tray, unaware of any problems. (That said: a) I've not yet encountered any computer running Kaspersky's suite; and b) I also don't see a reason to drop any currently subscribed-to security software. Just don't renew when the subscription ends.)
Next, like real estate, the most important three things on Windows are: updates, updates, and updates. Microsoft has done a decent enough job of responding to security criticisms to the point where malware writers are not focusing on Windows or Internet Explorer as attack points as much as they did in years past. These days, the most common attack vectors are through vulnerabilities in what I call the "trusted browser helper apps": Adobe Reader and Flash Player, and Java. (Quicktime is also a common point of attack, but less so than the above trio.) While Adobe and Oracle (Java) are good at responding to vulnerability reports with patches, in my opinion, Adobe's update system is bad to the point of useless. Oracle is only slightly better, but also relies on the user to allow the update to run. Given the "ransom virus" environment we live in today, one can't blame the user for not trusting something sitting in their tray, asking to be allowed to run.
Fortunately, Secunia also sees that as a problem, and has released a free application for home users that attempts to update most programs automatically. It is mostly successful in that effort, but even if it is not able to update all programs, it is easier to explain to someone how to use the one, single trustworthy program in their tray to apply updates to the whole computer, than it is to explain how to update Java, then how to update Flash, then how to update Reader, then how to update Quicktime/iTunes, etc.
OK, now the links.
Microsoft Security Essentials, as mentioned by Dancing David, for antivirus/antimalware: http://microsoft.com/securityessentials
Comodo Internet Security - Free for home use. Has antivirus; fully-functional and configurable firewall; "Defense+", which grants the ability to only allow 'trusted' programs to run; and a "sandbox" mode. http://tinyurl.com/comodohomeinternet
Secunia Personal Software Inspector - application vulnerability scanner and updater: http://secunia.com/vulnerability_scanning/personal/
MalwareBytes Antimalware - very effective malware removal tool that's easy to use: http://malwarebytes.org
ETA: Ghostery - ad script and cookie blocker: http://www.ghostery.com
Oh, yeah, I guess I should mention that I'm a Computer Guy™. |
|
|
|
|
#18 |
|
Scholar
Join Date: Mar 2011
Location: Ylum
Posts: 53
|
My only (extremely short) foray into Linux was with a "Live CD". It is the OS installed to a bootable CD, leaving your Windows installation and hard drive completely intact. I used Knoppix http://www.knoppix.com/, and I learned a lot with it. Of course, that was nearly 10 years ago, so not only has most of that knowledge leaked out of my brain by now, but I will also readily defer to other members who know Linux better than me as to what Live CD distro would be the best one to start on.
|
|
|
|
|
#19 |
|
Scholar
Join Date: Mar 2011
Location: Ylum
Posts: 53
|
My personal combination is Opera browser and Ghostery (http://www.ghostery.com). Opera includes an awesome built-in ad blocker - I get so used to not seeing any ads when I browse, I'm often surprised by them on someone else's computer. Ghostery will automatically block all ad-related JavaScript - the only pop-up I see is a list of what ad agencies have been thwarted. Ghostery has plug-ins for most browsers.
(Guess I should've mentioned Ghostery in that previous post... I'll do that now) |
|
|
|
|
#20 |
|
Graduate Poster
Join Date: Sep 2005
Location: London, UK
Posts: 1,331
|
If you're using linux then the chances of you getting a virus are pretty remote so I wouldn't worry to be honest. The vast majority of malware you're likely to come across on the net is aimed at Windows.
It's possible that if you got the same virus within 3 days that he didn't remove all aspects of it or forgot to check for scheduled tasks that reloaded it. If you got a different one then it points to your browsing behaviour being risky. Maybe time to get your porn from another source ;-) It's quite unusual for malware to get past Kaspersky. Other things you could do, if you were still using Windows, would be to keep Flash, Java and Acrobat Reader updated (many droppers use these as vectors), keep Windows updated, use Chrome instead of IE and join Web of Trust. The most surefire method is to use a sandbox like SandboxIE and ensure it sandboxes not only your browsers but the aforementioned plugins too. Browsing with that in place makes it very hard indeed to get infected. A slightly less draconian app but also highly effective is GesWall. But as I say, if you're using Linux you're pretty safe from those sorts of malware. Microsoft Security Essentials isn't actually very good. It rates quite poorly on tests compared to Kaspersky and others and I regularly remove viruses from MSE protected machines in my job so I would not recommend it particularly. |
|
|
|
|
#21 |
|
Scholar
Join Date: Mar 2011
Location: Ylum
Posts: 53
|
Unless someone like us is able to provide such a specific list, I think the problem with this approach for a non-techie is the possibility of breaking something that Windows needs. Also, the viruses are very adept at installing themselves in such places where you cannot set the directory to read-only.
I'm going backwards in the thread (sorry!), but I agree with much of your first post. The caveat with imaging, in my opinion, is that the image would have to be refreshed often given the "patch" environment we live in today. Virtualization might be an option along those lines, making it easier for generating updated virtual machines ("images"). The VM management can be handled by batch scripts that any user can run, including one to "restore" the last known clean VM over an infected one. I'm about to start experimenting with such an approach, if I can just find that round tuit that I lost. |
|
|
|
|
#22 |
|
Graduate Poster
Join Date: Sep 2005
Location: London, UK
Posts: 1,331
|
I fail to see how that would work anyway. Often malware hides in folders that need to be writeable.
|
|
|
|
|
#23 |
|
Scholar
Join Date: Mar 2011
Location: Ylum
Posts: 53
|
I agree that MSSE is nothing more than basic protection. I generally recommend it to people because it is free and updates along with the rest of MS software. I currently have little to no confidence that anything you pay for grants better protection than that.
Can you provide a link or two to the comparison tests you mention? |
|
|
|
|
#24 |
|
Penultimate Amazing
Join Date: Mar 2003
Location: Central Illinois
Posts: 34,702
|
|
|
__________________
Hell, dynamiting fish in a barrel is more challenging. - Ladewig I suspect you are a sandwich, metaphorically speaking. -Donn And a shot rang out. Now Space is doing time... -Ben Burch You built the toilet - don't complain when people crap in it. _Kid Eager |
|
|
|
|
|
#25 |
|
Graduate Poster
Join Date: Sep 2005
Location: London, UK
Posts: 1,331
|
No I don't believe it is that. I really do not rate MSE in its ability to protect against rogueware and similar web-vectored malware. Much of my job is virus removal for business and residential customers and I think I'm getting a pretty decent picture of what works and what doesn't. I used to install MSE for customers myself but found I got calls from customers getting infected. I now sell Kaspersky and I don't get those calls.
Recent AV-test.org results rated MSE as 2.5 for protection. Kaspersky gets 6.0. This takes into account the all-important real-world, zero-day attack tests (which appear to be best for trying to measure the sort of fake-AV droppers we come across the most). MSE got a pretty poor 68% whilst Kaspersky gets 100%. That's a major difference. Avast gets 93% which is also significantly better. AV Comparatives also tested MSE alongside other AVs and whilst it did a little better (mostly because of the way they rate as far as I can tell), it still didn't rate in their top-tier. Given you can pick up a 3-user pack of Kaspersky for about £20 if you shop around I see little point in not going top-tier. They all have their strengths and weaknesses. I still use MSE on drives I've slaved to my bench machine because it does a good job of finding infections. It's also pretty light on resources, fast for scanning, simple to use and quiet. Where it is not strong is preventing drive-by attacks. Since that is how most of my customers get infected I cannot recommend. Kaspersky has slow scans, is harder to use and can be irritating at times but in terms of proactive protection, it's great. I've tested Kaspersky by trying to get infected by visiting sites on the Malware Domain List, which is where I get many of my practice infections from, and I'm yet to manage to get the VM infected. 90%+ of the time it refuses to visit the page but even if I turn that function off, it still protects. My testing of MSE has not offered the same protection and I've successfully infected my machines several times. Testing isn't perfect. My experience isn't perfect. But I've no reason from either to say MSE is particularly good.
This test includes proactive measures and you can see MSE rates poorly in protection - http://www.av-test.org/en/tests/test...s/julaug-2011/ This one: http://www.av-comparatives.org/image...ro_nov2011.pdf does not include many proactive features such as web blocking so the results are less varied but still MSE is in the bottom 3: http://www.av-comparatives.org/image...ro_nov2011.pdf |
|
|
|
|
#26 |
|
Scholar
Join Date: Mar 2011
Location: Ylum
Posts: 53
|
Thanks for the informative reply, NeilC. When I searched, av-comparatives.org came up first. I glanced through, but it didn't seem to put Kaspersky's at the top of the list. Other hits were either AV vendors themselves, or magazines whose impartiality I've come to trust less and less (PC World rating Norton #1, for instance... we all know that's not been true for years). I'll give av-test.org a look.
ETA: Actually, performance has also been a reason I've moved customers to MSSE, as I noticed some of the common free AV apps, AVG in particular, as resource hogs. MSSE seemed to have a smaller, more focused footprint. And in retrospect, perhaps that's one reason it is not as effective. |
|
|
|
|
#27 |
|
Graduate Poster
Join Date: Sep 2005
Location: London, UK
Posts: 1,331
|
What comes top depends on how you test. I dare say being the absolute top performer for one lab's tests doesn't matter but if it consistently appears in the top 1/3 whilst other tools consistently appear in the bottom 1/3 one recognises the trend.
I know what you mean about the footprint. It also benefits from never trying to trick you into paying for it or installing some crappy toolbar etc. The other reason techs like MSSE is because it's so quiet so you don't get after-sales calls about decisions needing to be made or customers accidentally opening up their systems by pressing the wrong buttons. It definitely has some advantages. |
|
|
|
|
#28 |
|
Penultimate Amazing
Join Date: Mar 2003
Location: Central Illinois
Posts: 34,702
|
NeilC,
I have found that almost always at work, where we use Forefront without real time scanning (Don't ask me why, it is a mystery), that almost every case of infection is caused by the user downloading a trojan. Now once we get a worm on the net all bets are off. Now at home where I use MSSE, I have had very few issues, now that does not mean that it rates with Kaspersky, goodness no. I recommend that product, Eset or Sophos for people who want to pay. Now part of my success with MSSE is that I use Comodo firewall as well. I would say MSSE is adequate for someone who shows a little prudence. Now my work experience involves two grade schools with about 150 machines at one and around 350 at the other. The one thing that I have encountered is the Google images that load hijackers, although Google is great about removing them. With Windows7 and Forefront things have been stable except for trojans, yesterday it was a shop to win bho in a .dll that someone downloaded. And as I said once we get a worm on the net all bets are off. I would never say MSSE is great, but as a free product I have found it adequate and less bloated than some others. |
|
__________________
Hell, dynamiting fish in a barrel is more challenging. - Ladewig I suspect you are a sandwich, metaphorically speaking. -Donn And a shot rang out. Now Space is doing time... -Ben Burch You built the toilet - don't complain when people crap in it. _Kid Eager |
|
|
|
|
|
#29 |
|
Graduate Poster
Join Date: Sep 2005
Location: London, UK
Posts: 1,331
|
There is no doubt that users cause a lot of their own problems. I've run machines without any AV for ages and I don't get infected despite visiting all manner of dodgy sites. Yet others seem to get infected regularly. I think a good AV should take that into account but it's hard to replace technical common sense. I used to work at a school as it happens. They used Symantec which seemed very effective. I think the main thing was that it was well locked down so users and viruses with user level access couldn't do much.
So how does this google image thing work? What happens when you click on an "infected image"? |
|
|
|
|
#30 |
|
Penultimate Amazing
Join Date: Mar 2003
Location: Central Illinois
Posts: 34,702
|
It is sort of sad, when you click on the image (say to copy it), it starts a ransom ware bit of code. Users that have listened to me know to just turn off the machine. Others usually end up activating it. One out of ten times turning the machine off doesn't work and it needs to be cleaned.
But as I said Google takes them down very quickly. |
|
__________________
Hell, dynamiting fish in a barrel is more challenging. - Ladewig I suspect you are a sandwich, metaphorically speaking. -Donn And a shot rang out. Now Space is doing time... -Ben Burch You built the toilet - don't complain when people crap in it. _Kid Eager |
|
|
|
|
|
#31 |
|
Not bored. Never bored.
Moderator
Join Date: May 2003
Location: Leicester, UK
Posts: 7,050
|
Are you saying that just clicking the image itself causes infection? I'm aware such a thing is theoretically possible, but I'd have to say I've never seen it. I've many times come across those ones that do an impression of a Windows Security Centre window and that try to send you an executable when you click on them, but that's still only a link to an executable, and I would have thought that turning off the machine is a bit of an overreaction, notwithstanding users' willingness to go ahead and download and run a random executable.
|
|
__________________
"One must judge a person above all by their vices. Virtues can be feigned. Vices are genuine." - Klaus Kinski UKLS 1988- Sitting on the fence throwing stones at both sides. |
|
|
|
|
|
#32 |
|
I Void Warranties
Join Date: Dec 2008
Location: The Treasure Valley
Posts: 3,236
|
|
|
__________________
"I have always thought that a wild animal never looks so well as when some obstacle of pronounced durability is between us." "Sticking the flounce is the hardest move in forum gymnastics." -tsig |
|
|
|
|
|
#33 |
|
I Void Warranties
Join Date: Dec 2008
Location: The Treasure Valley
Posts: 3,236
|
I always, always recommend an updated HOSTS file, simply because it's taking advantage of how the computers intrinsically work and takes only milliseconds to check before heading out to the DNS servers. Speaking of which, I always, always recommend using a company like openDNS and statically set my home and router DNS servers to openDNS. I have noticeably faster response times as compared to my current ISP and if you join up for a free openDNS account, you can set up webfilters that are not located on the home computer (I had a step-son who was really into computers and I didn't trust that he wouldn't discover how to get around filters that were set on the home computers).
|
|
__________________
"I have always thought that a wild animal never looks so well as when some obstacle of pronounced durability is between us." "Sticking the flounce is the hardest move in forum gymnastics." -tsig |
|
|
|
|
|
#34 |
|
I Void Warranties
Join Date: Dec 2008
Location: The Treasure Valley
Posts: 3,236
|
I agree. It's more often than not just a money drain for home users to pay for these AV services/apps.
Quote:
I heart you. I run Opera and Ghostery too and go so far as to carry the Opera portable with me to run on others' machines (when appropriate). Ghostery is a wonderful little program that I wish I knew about earlier. |
|
__________________
"I have always thought that a wild animal never looks so well as when some obstacle of pronounced durability is between us." "Sticking the flounce is the hardest move in forum gymnastics." -tsig |
|
|
|
|
|
#35 |
|
Penultimate Amazing
Join Date: Mar 2003
Location: Central Illinois
Posts: 34,702
|
Turning off the machine is something the users understand, and yes clicking on the image on the Google page was sufficient. I saw a teacher do it, as I sat next to him. Now in many cases the problem is the user clicks the 'close window X' and that executes the program. So no the image click itself does not infect the machine but sometimes closing that window will.
Most users get glassy eyes when I say something like 'Press Ctrl+Alt+Del and use the process tab to find iexplore.exe, highlight it and end the process', shoot I tell them the name of our AV repeatedly and tell them not to respond to anything that is a warning not from our AV, they go ahead and click anyway. So restarting/logging off the machine without clicking the popup window is something they seem to be able to do, at times, if the moon is in the correct quadrant and the wind comes off the right quarter. Unless it says they won something free or they can get coupons!
|
|
__________________
Hell, dynamiting fish in a barrel is more challenging. - Ladewig I suspect you are a sandwich, metaphorically speaking. -Donn And a shot rang out. Now Space is doing time... -Ben Burch You built the toilet - don't complain when people crap in it. _Kid Eager |
|
|
|
|
|
#36 |
|
Not bored. Never bored.
Moderator
Join Date: May 2003
Location: Leicester, UK
Posts: 7,050
|
Curious. I have not used IE at home for years, but have been compelled to use it at work for at least a decade, as were all of our users. Never have I come across an infection that can run simply by clicking on an image, nor by closing a window. And some of these were very stupid users. Always any infectious things I've seen bring up a dialogue box asking yes or no at some stage in their delivery. And yes, if the user sees an offer of free stuff in that dialogue box, they will click yes.
|
|
__________________
"One must judge a person above all by their vices. Virtues can be feigned. Vices are genuine." - Klaus Kinski UKLS 1988- Sitting on the fence throwing stones at both sides. |
|
|
|
|
|
#37 |
|
Daydreamer
Join Date: Jul 2008
Location: Downunder
Posts: 4,241
|
That brings up another problem. If a virus, trojan or other form of malware gets on your computer, and doesn't make its presence known immediately, you could end up making an image of an infected system.
Which means that every time you restore from image, your system would become infected again. Puppy Linux is pretty good for a live distro. You can also install it on a thumb drive. On the home page it claims... "Puppy Linux enables you to save money while doing more work, even allowing you to do magic by recovering data from destroyed PCs or by removing malware from Windows. See these example articles: recovering files from Windows and safe Internet banking with Puppy Linux." So it might also come in handy if your computer is crippled by a virus and you want to recover some files that haven't been backed up recently, but I haven't tried using it for that. Although, if a ransom virus encrypts or damages your files, even a live CD isn't going to be any use recovering them. |
|
__________________
"That is just what you feel, that isn't reality." - hamelekim |
|
|
|
|
|
#38 |
|
Resident Skeptical Hobbit
Join Date: Jul 2005
Location: Waging war on woo-woo in Winnipeg
Posts: 3,630
|
Just curious, do you run a hosts file to reduce the chance of getting infected by malware, or because you can't stand the ads? (I can't use the "risk of malware" excuse at home because I'm running Linux)
Quote:
I'd like to marry the approach of running my own DNS server with the HOSTS file; that is, have DNS look up in HOSTS first before sending the query off to the net for resolution. But I'm not sure if it's even possible to do that in BIND, and I haven't bothered to do a DuckDuckGo or Google search to see what else may be out there. (I also don't need the parental controls because I don't have any teenagers at home.) |
|
__________________
The social illusion reigns to-day upon all the heaped-up ruins of the past, and to it belongs the future. The masses have never thirsted after truth. They turn aside from evidence that is not to their taste, preferring to deify error, if error seduce them. Gustav Le Bon, The Crowd, 1895 (from the French) Canadian or living in Canada? PM me if you want an entry on the list of Canadians on the forum. |
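The lookup order discussed in posts #33 and #38 (the HOSTS file is consulted first, and only names it does not list go out to DNS), as an added example that is not part of the original thread. The function names, the sample entries and the stand-in upstream resolver are all constructed for illustration.

```python
import ipaddress

# Constructed sample in HOSTS-file format (illustrative, not from the MVPS list).
SAMPLE_HOSTS = """\
# constructed sample blocklist
127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.example.test  tracker.example.test   # two names, one line
0.0.0.0     Banner.Example.TEST.
192.0.2.10  intranet.example.test
not-an-ip   broken.example.test
"""

# Names that legitimately point at loopback and are not "blocked".
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def normalize(name):
    """Host names compare case-insensitively; drop a trailing root dot."""
    return name.rstrip(".").lower()


def parse_hosts(text):
    """Parse HOSTS-format text into {hostname: [addresses]}."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        fields = line.split()
        if len(fields) < 2:                      # blank or address-only line
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # skip malformed lines
        for name in fields[1:]:                  # one address, many names
            addrs = table.setdefault(normalize(name), [])
            if addr not in addrs:
                addrs.append(addr)
    return table


def is_blocked(name, table):
    """True when the name is pinned to 0.0.0.0/:: or loopback as a sink.

    Matching is exact: an entry for ads.example.test does not cover
    sub.ads.example.test, which is why blocklists enumerate every host.
    """
    key = normalize(name)
    if key in LOCAL_NAMES or key not in table:
        return False
    first = ipaddress.ip_address(table[key][0])
    return first.is_unspecified or first.is_loopback


def resolve(name, table, upstream):
    """Answer from the HOSTS table first; call `upstream` only on a miss.

    `upstream` is any callable taking a hostname and returning a list of
    addresses (a stand-in for the real DNS query in this example).
    """
    key = normalize(name)
    if key in table:
        source = "blocked" if is_blocked(key, table) else "hosts"
        return source, list(table[key])
    return "dns", upstream(key)


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    queried = []

    def fake_upstream(host):                     # constructed stand-in for DNS
        queried.append(host)
        return ["198.51.100.7"]

    for host in ("ads.example.test", "intranet.example.test",
                 "sub.ads.example.test", "news.example.test"):
        print(host, resolve(host, table, fake_upstream))
    print("names that reached DNS:", queried)
```

Blocked names never reach the upstream resolver, so the block works regardless of which DNS service is configured.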
|
|
|
|
|
#39 |
|
Daydreamer
Join Date: Jul 2008
Location: Downunder
Posts: 4,241
|
Linux malware does exist. It's just nowhere near as prevalent as Windows malware.
http://en.wikipedia.org/wiki/Linux_malware |
|
__________________
"That is just what you feel, that isn't reality." - hamelekim |
|
|
|
|
|
#40 |
|
Scholar
Join Date: Mar 2011
Location: Ylum
Posts: 53
|
Yes, all those points you mention are also factors that have leaned me towards it. That said, it isn't without its share of issues, as it is with all things. Just now, I had an installation that seemed to be stuck in a loop, pinning the CPU, and grabbing up all available RAM. All I did was reset the service, and it stopped, so at this point, I don't know what caused it. (and yes, I consider malware on the machine to be a possibility)
|
|
|