GUIDE: Protecting your web browser.
#21
Posted 12 January 2008 - 09:48 PM
The adware duped itself and put a system lock on the secondary file. So whenever you would try to rename, move or delete it you would get a "This file is in use" error even when all open processes were killed.
In a different case I had an adware virus append itself to my kernel32.dll file and there was another program executing it. The execution program did not have any malware code in it so it was not labeled as malware, but the malware information was tagged to the kernel32.dll file, and since kernel32.dll is version specific and a system required file it is very hard to clean this file or replace it.
I have seen startup malware that has no label, so when you use those startup management utilities it will not show up on the list as a startup object.
I ended up reformatting because my point of infection at that time was beyond the point of no return. It even got to the point where it killed my AV by corrupting the virus definition archive, causing the AV to crash on startup. A full format and an fdisk fixed my problem though. People do not realize how important it is to invest in quality AV protection. Even if you do practice safe browsing practices, that doesn't mean you are 100% safe.
Hardware Firewall + Pro AntiVirus + Safe browsing practices will still only protect you about 97%. There are just way too many exploits that are in all the Microsoft software we use.

#22
Posted 17 March 2008 - 06:19 PM
#23
Posted 21 March 2008 - 11:11 AM
You should clean up your original post.
The [list] tags do not work on the new forum.

#24
Posted 21 March 2008 - 07:12 PM

#25
Posted 05 April 2008 - 01:48 PM
For Steam, all of the mini webpage content loads but I'm unable to follow links (assuming this is scripted in some way).
In Winamp, the stream listing fails to show, once again probably scripted.
Is there something additional I need to do to make these work without opening IE back up again to everything else? If not I'll live without but I was hoping someone might have some insight.
#26
Posted 18 June 2008 - 05:25 PM
#27
Posted 30 June 2008 - 02:13 AM
I miss my mind and sanity the most.
#28
Posted 30 June 2008 - 05:46 AM
P.S. Opera (most secure browser out there) and avast! ftw!
#29
Posted 30 June 2008 - 08:13 PM
#31
Posted 30 June 2008 - 10:58 PM
I'd recommend NOD32 and GMER
#32
Posted 30 June 2008 - 11:12 PM
jdadoulos, on Jun 30 2008, 11:46 AM, said:
P.S. Opera (most secure browser out there) and avast! ftw!
That's funny, I found the exact opposite to be true. I used to use Avast! but got sick of it, switched to AVG and love it. Lol, to each his own.
#33
Posted 01 July 2008 - 03:32 AM
#34
Posted 04 July 2008 - 04:46 AM
#35
Posted 05 July 2008 - 05:04 PM

I was recently hacked...and a friend pointed this guide out to me, which is very helpful. A few things I'm noticing though. I'm trying to set up my NoScript, and when I go to this step:
Go to the Advanced Tab, You will see Sub-Tabs -> Click on Untrusted Tab (if not already selected). You want to make sure all of these are selected.
My "Forbid 'Web Bugs'" tab is greyed out. I'm not really a computer pro, but I really want to make sure I'm secure when/if I get my account restored (cautiously optimistic). Any help you can offer me here would be greatly appreciated. For now I'm going to set up what I can and come back to it after I get a reply. Thanks in advance!
Hmm, whoops, sorry for the double post, but I don't seem to have the editing capability on my own posts, so there's another thing I noticed as well:

I was able to select all of these except for the "Check Banner Links" option, which does not appear in my Options menu. I noticed that I am on version 0.7.5.5 of this plugin whereas Aikar's shows 0.7.5.3, so I'm guessing it's just because it's a newer version? Just wanna make sure I'm ok.
Thanks again-
#36
Posted 07 July 2008 - 10:59 PM
jdadoulos, on Jul 4 2008, 05:46 AM, said:
That Slashdot author is a complete moron. There is absolutely nothing wrong with that if AVG is doing it if it's protecting people's PC.
Does that author not understand being able to block an antivirus scanner simply by useragent would defeat the purpose of the feature? What a moron.
@Saty, my Forbid Web Bugs is still checkable on latest ver so dunno, but you're safe anyways.

#37
Posted 11 July 2008 - 12:03 AM
#38
Posted 11 July 2008 - 07:10 PM
One thing you could do is block the FFXIAH ad server from loading any ads (I never pay any attention to them myself). I simply added a dummy entry in my hosts file:
127.0.0.1 ads.ffxiah.com
It breaks back button functionality (have to use the nav links), and loads the ugly blank picture frame in the ad spots--but should stop anything from getting downloaded through the flash ads without having to deal with toggling the security settings to view content when you go to other sites.
Can probably do the same with other sites as well. Just right click an object to view its properties. Should be able to determine the root of the URL being used from there, and make a local host entry for that DNS name.
Raist
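The hosts-file approach described in the post above, as an added example that is not part of the original post: a PowerShell function that takes the URL copied from an object's properties, extracts the DNS name, and adds a 127.0.0.1 entry only if that name is not already mapped. The function name and parameters are hypothetical; it must be run from an elevated prompt to write the hosts file.

```powershell
# Added example (not from the original post). Add-HostsBlock is a hypothetical name.
function Add-HostsBlock {
    param(
        [Parameter(Mandatory = $true)] [string] $UrlOrHost,
        [string] $HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    )

    # Accept either a full URL (as shown in an object's Properties) or a bare hostname.
    $uri = $null
    if ([System.Uri]::TryCreate($UrlOrHost, [System.UriKind]::Absolute, [ref] $uri) -and $uri.Host) {
        $name = $uri.Host
    } else {
        $name = $UrlOrHost
    }
    $name = $name.Trim().ToLowerInvariant()

    # Refuse anything that is not a plain DNS name, so nothing odd ends up in the file.
    $label = '[a-z0-9]([a-z0-9-]*[a-z0-9])?'
    if ($name -notmatch "^$label(\.$label)+$") {
        throw "Not a DNS name: $name"
    }

    # Skip the write if any existing, uncommented line already maps this name.
    foreach ($line in [System.IO.File]::ReadAllLines($HostsPath)) {
        $fields = @(($line -replace '#.*$', '').Trim() -split '\s+')
        if ($fields.Count -ge 2 -and ($fields[1..($fields.Count - 1)] -contains $name)) {
            return $false   # already present, nothing changed
        }
    }

    # Make sure the new entry starts on its own line.
    $raw = [System.IO.File]::ReadAllText($HostsPath)
    $prefix = ''
    if ($raw.Length -gt 0 -and -not $raw.EndsWith("`n")) { $prefix = "`r`n" }

    [System.IO.File]::AppendAllText($HostsPath, "${prefix}127.0.0.1 $name`r`n")
    return $true            # entry added
}

# Usage with the host named in the post (a full URL to an object on that host works too):
# Add-HostsBlock 'ads.ffxiah.com'
```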
#39
Posted 12 July 2008 - 03:45 PM
I realize that everyone has been beaten over the head recently by mountains of information from message board threads and fellow players on how to improve their security, but I feel that an important program has been missed.
Many people log on to their Windows installation as Administrator or as an account that has Administrator-like access. This is inherently a Bad Thing©, but for the sake of ease of use it is generally allowed and passed off as acceptable. Of course, this means that their web browser -- a conduit for which new web based attacks can be passed through -- is generally running using those very same Administrator rights.
Why is a web browser allowed Administrator rights when the only thing that it should be doing is serving up web pages and the occasional file download?

(That's a lot of rights you have there, Firefox.)
[ Installing and Using DropMyRights ]
Enter DropMyRights. This program allows a user to easily restrict the rights of certain programs without the need for the creation of another lesser account or the Run As service. You can download the program installation file from this Microsoft Developer's page :
Article : http://msdn.microsof...y/ms972827.aspx
Direct Download : http://download.micr...ropmyrights.msi
DropMyRights has three settings that each grant a program run by DropMyRights a different set of rights : 'N' (Normal User; Similar to a 'Guest' Account), 'C' (Constrained User; Restricted Normal User) and 'U' (Untrusted User). For a typical installation of Firefox, using the 'N' option is best. Attempting to use the 'C' or 'U' option for Firefox will most likely be met with the program failing to run and/or crashing. I have yet to find a program that can successfully utilize the 'U' option (even Notepad crashes, seriously).
(NOTE - The full path to the executable files in the screen shots below has been substituted for <Path> for aesthetic reasons.)
( 1 ) Using this simple command-line program is very easy, even for the average user. After you have downloaded the DropMyRights installer, simply go through the installation process and choose an easy to remember install folder. After the installation is finished, right click on the shortcut to your web browser of choice and select 'Properties'.

( 2 ) Move your cursor to the beginning of the 'Target' field and type in the full path to the DropMyRights program. Then move to the end of the 'Target' field and add a space, followed by the letter 'N'. This tells DropMyRights to run the program and restrict it with normal user rights. Press 'Ok' to confirm the changes to the shortcut.

( 3 ) Essentially, after step number two you are ready to use the shortcut and have completed the installation of DropMyRights. A typical installation of Firefox or Internet Explorer should run perfectly fine under its newly reduced user rights (Internet Explorer can even run using the 'C' option). However, you will probably now notice that the icon for the web browser shortcut has changed.
Optionally you can right click on the shortcut again, select 'Properties' and press the 'Change Icon' button available on the shortcut window. You can then browse to the folder where your web browser is installed, select the executable file for the browser and choose its icon to be displayed on the shortcut once again.

Is this the end-all be-all solution for stopping trojans and viruses caught from the web? Unfortunately not, but it is a very strong deterrent. With just the 'N' option selected from DropMyRights, the web browser no longer has write access to the Windows folder and sub-folders thereof, has restricted access to the Windows registry and a number of other restrictions.
Another bonus is that the reduced rights granted to a program by DropMyRights are inherited by any other programs that it runs in turn. This means that if a virus uses the web browser to run its code, the virus is subject to the same reduced rights as the web browser and thusly may completely fail.
Also remember that DropMyRights is usable for not only web browsers, but any program that you want. Personally I use DropMyRights on my E-Mail client and instant message client (AIM; which I was able to squeeze by with the 'C' option). Hopefully this small utility will add further security to everyone's accounts.

(There we go, much better.)
[ Advanced Usage of DropMyRights ]
(DISCLAIMER - It's late/early and I'm tired, so I'm going to brush over this section lightly. If you feel that you are up to the tweaking described below, go for it. Otherwise, do not attempt it.)
I was very happy to have Firefox running with reduced rights, but I really wanted to lock down the web browser even further. To this end, my ultimate goal was to use the 'Constrained User' option for web browsing, but no matter what I seemed to do the local install of Firefox kept crashing.
The somewhat haphazard solution that I found was to use PortableFirefox (http://portableapps....irefox_portable) along with editing the Permissions of several key folders. After I extracted the files from the PortableFirefox executable to a new folder, I added the 'Authenticated Users' group ('Everyone' group also works) to that folder's Permissions and gave them Modify, Read, Write, Execute rights. Next, I did the same thing for the Temp folder underneath 'Documents and Settings\<User>\Local Settings' (Needed for the program to unpack necessary files). Lastly, I gave similar rights to a download folder so that I could download files to the hard drive easily.
After all of that, I made the shortcut to the FirefoxPortable loader as per the instructions above except that I used the 'C' option. Everything loaded just fine and I was now happily browsing under a very restricted set of rights.

('Restricted' is such a beautiful word.)
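Steps 1 to 3 of the post above (prefix the shortcut target with DropMyRights, append the rights level, restore the browser icon), as an added example that is not part of the original post. The function name is hypothetical and every path in the usage comment is a placeholder to replace with your own install locations.

```powershell
# Added example (not from the original post). New-RestrictedShortcut is a hypothetical name.
function New-RestrictedShortcut {
    param(
        [Parameter(Mandatory = $true)] [string] $DropMyRightsPath,  # full path to DropMyRights.exe
        [Parameter(Mandatory = $true)] [string] $ProgramPath,       # full path to the browser executable
        [Parameter(Mandatory = $true)] [string] $ShortcutPath,      # .lnk file to create or overwrite
        [ValidateSet('N', 'C', 'U')]   [string] $Level = 'N'        # N = Normal, C = Constrained, U = Untrusted
    )

    # Fail early instead of writing a shortcut that points at nothing.
    foreach ($p in @($DropMyRightsPath, $ProgramPath)) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            throw "File not found: $p"
        }
    }
    if ([System.IO.Path]::GetExtension($ShortcutPath) -ne '.lnk') {
        throw "Shortcut path must end in .lnk: $ShortcutPath"
    }

    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($ShortcutPath)

    # Step 2: DropMyRights becomes the target; the browser path and the
    # rights level follow as its arguments (path quoted in case of spaces).
    $lnk.TargetPath       = $DropMyRightsPath
    $lnk.Arguments        = '"{0}" {1}' -f $ProgramPath, $Level
    $lnk.WorkingDirectory = Split-Path -Parent $ProgramPath

    # Step 3 (optional in the post): show the browser's own icon again.
    $lnk.IconLocation     = "$ProgramPath,0"

    $lnk.Save()
    return $lnk
}

# Usage (placeholder paths, shown only to illustrate the call):
# New-RestrictedShortcut -DropMyRightsPath '<Path>\DropMyRights.exe' `
#     -ProgramPath '<Path>\firefox.exe' `
#     -ShortcutPath "$env:USERPROFILE\Desktop\Firefox (restricted).lnk" -Level N
```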
#40
Posted 12 July 2008 - 06:01 PM




