#1 - MSFT (Join Date: Jul 2003, Location: %systemroot%)
Keeping your system healthy and secure

I figured it was worth writing a quick* & dirty guide on ways to help keep your system clean of spyware & malware, both proactively and reactively...

(* okay, so not really "quick")

Proactive System Protection

This falls into 4 main categories: hardening, patching, firewalling and anti-malware.

Hardening

This is the basic principle of making your system "base" settings more secure by disabling services that are not required and removing permissions for existing services for users that do not require them. Examples of software which hardens parts of your system automatically are Spybot Search & Destroy's "Immunizing", and Spyware Blaster. These are tools which the user runs once (or periodically if they get updated) to make certain system changes; they are not a constantly-running process.

Patching

When software is written, it has "bugs". Some bugs are visible to the user as an application crashing, hanging or corrupting data - others can be so obscure that they are never uncovered. Software can also have vulnerabilities. A vulnerability can be viewed as a very specific type of bug, but personally I view it as an "oversight" on the part of the programmer. Vulnerabilities usually come around because of something the programmer neglected to do, rather than did wrong; a classic example is not checking the length of a chunk of data before putting it into a buffer - the "buffer overflow". Sometimes the potential risk of a vulnerability is as trivial as crashing the application, but occasionally a malicious user could insert their own code which is executed and start exposing files or setting up a connection through which the system listens for further instructions.

When the vulnerabilities are discovered, the author then has to "patch" their code to prevent it being abused - sometimes it is a simple process, but if the module in question is used by hundreds of other components then it can take a long time to get the testing performed to make sure the patch has no side effects. Part of Windows Update is dedicated to providing the relevant patches for your system, which is why automatic updates being enabled is important.

Firewalling

This is the process of making sure that network traffic is only allowed through if it matches a predefined set of rules. Traditionally, firewalls are dedicated network devices (actually glorified routers), but "personal" firewalls have become more and more popular in recent years. They have an advantage over network (or "hardware") firewalls - they can look at the actual applications which are trying to establish outbound connections, or set themselves up as a server. A hardware firewall generally looks at the ports being used and decides whether to allow the machine as a whole to make the connection. This is why worms such as Nimda, Code Red and Blaster had such a massive impact - they use the allowed (standard) ports to communicate with web or SQL servers and take advantage of vulnerabilities in the software. (Vulnerabilities that in their cases already had patches available to fix, some for months.)

Anti-Malware

Anti-virus software has to be the most well-known flavour of anti-malware product - monitoring running processes and file access on a system for known "signatures" of viruses. Depending on who you speak to, trojans, zombies and keyloggers may be considered "viruses", but they don't necessarily have the classic aspects of what makes a virus. A virus might be used to deliver such a piece of malware, but equally it could be a maliciously designed website taking advantage of browser vulnerabilities.

Anti-malware products, rather predictably, are designed to look for specific malware products and alert the user to their presence. "Spyware" is a term associated with malware, but is more of a set of products based around the invasion of privacy - uploading your browsing habits to a server, or making "targeted" popup adverts appear on your PC. People have tried to get spyware classed as a virus if it installs itself without the user's knowledge and consent - though often the EULA does mention that the product will be installed, and not everyone reads through the whole text.

Reactive System Cleaning

This is what happens when you have acquired some kind of nasty that you want to get rid of. Exactly what you do to eradicate the unwanted pest depends on the category it falls into - but ideally if your proactive measures are in place and all signatures up to date, this should not be required very often.

Windows-specific Stuff

All of the above is very general information applicable in most parts to any OS, not specifically Windows. However, Windows is the only OS I use, and here follow some recommendations for tools to aid with system health checking on Windows.

For system hardening, Spybot Search & Destroy has an "immunization" section, and the tool Spyware Blaster is dedicated to making adjustments to IE and Mozilla/Firefox browsers to harden them. Disabling services that are not required is a good hardening process, but out of the scope of this article as each user may have different requirements - there is no "one size fits all".

For patching, it is definitely wise to have automatic updates enabled, and periodically check the vendor's website for updates or fixes to any software you use (a lot of software now has built-in update checking).

A personal firewall is a good idea even if you have a router with built-in firewall - I'm not going to make a specific recommendation as my personal experience has only been with a handful, but I strongly recommend that one is used on every machine which has any connectivity with others (through dial-up or LAN). (The software sticky in this forum has a list of products recommended by people who frequent here.)

Anti-malware products: as with personal firewalls you will find different people have different opinions of anti-virus products, so no suggestion from me other than "use one!".

- Spyware Guard - from the author of SpywareBlaster, this is a memory-resident tool which monitors your machine's memory for known spyware products.

For "reactive" system health checking, if you suspect or know you have some pest and want to figure out how to find and kill it, there are a few tools:

- Spybot Search & Destroy has been mentioned a couple of times - definitely worth keeping this up to date and running periodic checks on your system.
- HijackThis is not too user-friendly, but a great tool to get an idea of what might be something you want to remove; it can generate a text log of its findings so you can ask others for advice if you think something is suspect.
- Autoruns is a tool to give you a complete analysis of what is being launched on your PC every time you log in, complete with description, publisher (if present in the executable) and path.
- Process Explorer will show you every process running on your system at that exact time, the parent/child relationship (processes that spawn other processes), even down to individual threads.

Yes, there are other tools available; I have only listed ones I use myself.

PROACTIVE PROTECTION IS BETTER THAN REACTIVE CLEANING

Computer security is multi-layered - there is no single solution:
- harden
- check for patches regularly
- use a personal firewall
- use anti-malware tools (at least anti-virus)

All the above information is my personal opinion, there will undoubtedly be people who disagree with certain points (hey, this is the Internet after all), but I hope some of you find it useful. Maybe even useful enough to sticky, who knows.

~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
[ Personal Website ] - [ Technet Blog ]
Main PC: Win7 x64 / Asus P6T Deluxe / Core i7 920 / 12GB DDR3 / 120GB SSD / GeForce GTX285
Server: W2K8 R2 / Asus P5K Premium / Core2 E6750 / 8GB DDR2 / 150GB, 500GB SATA2 / GeForce 9800GTX
HTPC: Win7 x64 / Asus P5E-VM HDMI / Core2 E6850 / 4GB DDR2 / 400GB SATA2 / ATI 3650 Silent
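The "buffer overflow" the post above names as the classic unchecked-length oversight, shown as an added example in C (not code from the post or from any product it mentions): the unchecked copy beside the length-checked copy a patch would substitute for it. The function names, the 16-byte buffer and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not part of the forum post. NAME_MAX and the function
 * names are invented here to illustrate the post's point. */
#define NAME_MAX 16

/* Unchecked copy: trusts that the caller's data fits. Any input of
 * NAME_MAX bytes or more writes past the end of dst (undefined
 * behaviour): this is the oversight the post describes. */
void store_name_unchecked(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);   /* no length check before filling the buffer */
}

/* Checked copy: measure the data first and refuse anything that will
 * not fit. Returns 0 on success, -1 when the input was rejected, so the
 * caller fails cleanly instead of corrupting memory. */
int store_name_checked(char dst[NAME_MAX], const char *src)
{
    size_t len = strlen(src);
    if (len >= NAME_MAX) {      /* need room for the terminating NUL */
        dst[0] = '\0';          /* leave a well-defined, empty result */
        return -1;
    }
    memcpy(dst, src, len + 1);  /* +1 copies the NUL terminator */
    return 0;
}

int main(void)
{
    char name[NAME_MAX];
    /* Constructed sample inputs: one that fits, one that does not. */
    const char *ok = "alice";
    const char *oversized = "this string is far longer than sixteen bytes";
    int rc;

    store_name_unchecked(name, ok);
    printf("unchecked, short input: %s\n", name);

    rc = store_name_checked(name, ok);
    printf("checked, short input: rc=%d name=%s\n", rc, name);

    rc = store_name_checked(name, oversized);
    printf("checked, oversized input: rc=%d (rejected)\n", rc);

    /* store_name_unchecked(name, oversized) is deliberately not called:
     * it would overrun the stack buffer instead of failing cleanly. */
    return 0;
}
```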
#3 - I live in a giant bucket. (Join Date: Jul 2003, Location: South Africa)
Well written. I'd just like to mention, though, that most DIY hardware firewalls (Smoothwall, etc.) would be set up to prevent any incoming connections, unless you specifically configure ports to allow traffic in. Having this setup has quite easily protected my network from all viruses that take advantage of unsecured ports (Blaster, etc.).
#4 - More l33t than dangel (Join Date: Jul 2003, Location: /dev/urandom)
Don't think you're making it quite clear enough how much some of the Windows defaults put you at risk - and even if you try and be careful when using IE, you're orders of magnitude safer with a replacement for it.
#5 - MSFT (Join Date: Jul 2003, Location: %systemroot%)
Originally Posted by eldren

Absolutely, any firewall I would expect to have incoming ports blocked unless explicitly opened or forwarded; the point was that outbound ports generally aren't blocked on firewalls in home setups - it would just cause too many support calls when Joe Average can't even get his new online game to stay connected for more than 30 seconds, wants to chat using ICQ with his mates, or clicks a link with http://www.somesite.com:86/some_folder, for example, and wonders why it doesn't work.

Originally Posted by directhex

It wasn't my intention to go into that area or that much depth - I deliberately tried to keep it as general as possible.

With a personal firewall & AV product you have the tools to prevent or protect you to a huge degree - anything beyond that, in terms of disabling services, changes to permissions, etc. is too situation-specific. Plus, I didn't want to sound like Steve Gibson.

Informing users to simply use alternative software when they have unpatched parts of the OS is not my intention either, and I was avoiding making recommendations of specific "full-blown" applications as that way lies danger. Windows can be hardened, and users can do more to avoid silly actions that affect their systems, but anyone that is going to that degree already knows all that is in this overview, or is using Linux so is happy with editing config files by hand, using Makefiles and checking MD5s, I would guess.

I'd love to live in a world where everyone knows what PGP is and how to use it, where users aren't logged in as admins (and know why), and where ISPs block inbound TCP ports for their customers unless they requested them opened, for example, but I think that is a pipe-dream.