David W. Fenton wrote:
> Trevor Best <nospam@besty.org.uk> wrote in
> news:420de9c7$0$32608$db0fefd9@news.zen.co.uk:
>
>
>> Lyle Fairfield wrote:
>
> [a set of quite valid complaints about Symantec AV]
>
> As I've said many times, I don't run any AV software. I do have AVG
> Anti-Virus (a free program) so that I can scan when I have suspect
> files that I want to check before opening.
>
> But I long ago stopped giving up CPU cycles to AV scanning.
>
> How do I keep from getting infected?
>
> 1. I use an email client (Pegasus Mail) that is specifically
> designed to be unable to automatically execute any email content.
>
> 2. I have my SpamAssassin proxy set to mark as SPAM any email it
> identifies as including a Microsoft executable (which includes EXE,
> SCR and so forth).
>
> 3. I never use Internet Explorer for browsing the web. I used to
> occasionally, because support.microsoft.com was crippled in any
> browser but IE, but nowadays it renders exactly the same in
> Mozilla-based browsers as in IE, with exactly the same features. Of
> course, I'm also now using http://google.com/microsoft.html, which
> is easier for finding things than MS's own searching tools. I've been
> using Mozilla as my primary browser since version 0.9.3, installed
> in August 2001.
>
> 4. I open attachments only when I've been informed that they are on
> the way.
>
> 5. I know how to read email headers and can tell a spoofed email
> from a real one (it's not all that difficult), if it's not already
> obvious from the subject/content of the message.
>
> 6. I have taken the time to understand NTFS security and have set up
> my computer accordingly, never running as administrator (unless
> necessary), and making sure that certain default file associations
> are neutered (especially Windows Scripting Host -- this doesn't
> disable WSH, just makes it so that you have to call it explicitly
> for a script to work).
>
> 7. I do not install any music software, since every one of them that
> I've ever looked at installs spyware. Of course, I don't have any
> desire to *use* that kind of software. Oh, I do have iTunes
> installed, but use it only to play music, not to write CDs or rip
> MP3s (I already have good software for those tasks).
>
> Aside from AV issues, I do these things:
>
> 1. I never connect directly to the Internet, instead putting a NAT
> router between my PC and my cable modem. This blocks all nefarious
> incoming scans (I don't have any common ports redirected to my PC,
> either; if I were running a testbed HTTP server, I'd be running it
> on any port *but* 80).
>
> 2. I run a software firewall (Tiny Personal Firewall, an old
> version, before they went commercial and screwed up the program)
> that allows me to control all outgoing connections. I've authorized
> only those programs that have need to make an outgoing connection in
> order to work, and by default block all other ports without
> notification. If I install new software that really needs the
> connection, I temporarily turn on notification to allow me to
> authorize the narrowest connection possible (restricting on ports,
> IP addresses, protocols).
>
> 3. I don't allow any of my web browsers to connect directly to the
> Internet. Instead, they all connect through a proxy, Web Washer
> (which filters out ads and other things). This has the effect that
> any web page that is using non-standard ports (i.e., not 80 or 443)
> is blocked (that trick is used by a lot of nefarious exploits).
>
> 4. I run only the minimal NT services necessary for my PC to
> operate, and make sure that anything that can make network
> connections is disabled (unless absolutely required). When Blaster
> hit, I was on vacation for 3 weeks, and at the time (because of
> RoadRunner problems), my PC was firewalled but *not* behind a NAT
> router. My PC was *not* infected, because my firewall blocked the
> incoming connection, and because I'd disabled the remote component
> of RPC services. I have MSDE installed, but it is disabled. I have
> MySQL installed, but it is disabled. I have any number of other
> services that by default allow network connections, but I've made
> sure that all of them are DISABLED. When I need them, I turn them on
> (along with blocking external connections with my firewall
> software). That said, any time there are networked vulnerabilities
> found in Windows, I download the patch from MS and install it (I do
> not enable automatic updates from Windows Update for two reasons: 1.
> I want to choose which updates to apply, and 2. I want to download
> the patches so that if I have to rebuild my PC and re-apply the
> patches, I can do it *before* connecting to the Internet).
>
> 5. In regard to pop-ups and spyware and the like, I never see any.
> I've been using a browser that blocks pop-ups since August 2001
> (Mozilla; before that, WebWasher was blocking most pop-ups already,
> since it allows filtering out JavaScripts connected to the OnOpen
> and OnClose events of web pages). I was shocked this past summer to
> be staying at the home of someone who used Internet Explorer
> unprotected, and saw exactly what kind of a mess you end up with. I
> was stunned and couldn't figure out why people would put up with
> this stuff!
>
> Now, I'm not saying that I'm not vulnerable -- I do have to be
> diligent to make sure I keep things set up right and don't forget to
> re-enable my firewall software any time I temporarily disable it for
> some purpose, and so forth. And, of course, occasionally, the
> software I use turns out to have a vulnerability. The latest is the
> IDN spoofing vulnerability, which applies to every recent browser
> (which, of course, excludes IE, because it's not a recent browser
> and has no IDN encoding support, unless you install an ActiveX
> plugin). But there's a temporary fix for Mozilla-based browsers and
> there will be a permanent fix within the week (the new code is
> already in testing). In this case, IE is not vulnerable because its
> codebase is old enough that it predates the implementation of the
> IDN encoding standard. This article explains what you need to know
> about it:
>
> http://www.securityfocus.com/columnists/298
>
> That article also has an interesting set of comments on AV software,
> where it is pointed out that all AV software scans ZIP files, but
> they all ignore all the other common compressed formats (e.g., RAR).
> This exemplifies one of the reasons I've always been incredibly
> annoyed with the AV software makers -- they are reactive. They
> catch the stuff they already know about, but fail to build in any
> features that catch things for virus-like behavior. They are stuck
> in the pattern-matching mindset (there's no other explanation for
> scanning only one kind of compressed file).
>
> For instance, there never should have been any Word macro virus
> except the first one, because all that was needed was to scan Word
> files for VBA that included the finite collection of dangerous
> commands included in VBA (file operations, Shell(), obfuscated code,
> etc.). But that's not the way the AV software makers did it -- they
> did it with pattern matching.
>
> Granted, macro viruses are gone now, because they were so easy to
> scan for, and the number of possibilities was so small (compared to
> EXEs, for instance). But they could have been eliminated a few
> months after the first macro viruses came out, permanently.
>
> On the other hand, I consider the cost of AV software to be a
> Microsoft tax, as it's a result of MS's bad design decisions
> (nefarious software might run once, but it shouldn't be able to
> install itself in a fashion that re-starts after a reboot -- this is
> easily accomplished by applying appropriate security settings to
> certain registry keys; it could also have been accomplished by
> making writes to those registry keys user-confirmable).
>
> The current Microsoft-created problem is massive spam, because of
> all the zombified PCs out there that are being controlled by the
> spam networks. This happens because people are running as
> administrators and are connected directly to the Internet with all
> ports wide open. Both of those problems are caused by Microsoft: the
> former is encouraged by the initial setup programs on all versions
> of Windows, while the latter is the default configuration for
> Windows. Both of these problems are very easily remedied, but you
> have to *know* that they are problems before you can fix them.
>
> And Microsoft could have easily engineered things better on the
> front end. There is certainly no reason whatsoever for Win2K or
> WinXP to have shipped by default with all ports open, because by
> that time it was clear that open ports connected to the Internet
> were a huge danger. But it was only with WinXP Service Pack 2 that
> MS woke up and smelled the coffee -- finally fixing something that
> should never have been implemented in the first place.
>
> In any event, it's possible to compute perfectly safely without
> being forced to sacrifice one CPU cycle to 3rd-party AV software.
> You just have to understand where you're vulnerable and protect
> yourself accordingly.
>
Fascinating. Perhaps you should write a book; you could probably easily
find enough things about which NT Services to disable and which not to
disable to fill a chapter. It seems that every time I disable one,
something goes wrong.
--
Lyle
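Fenton's argument above, that a Word macro virus can only do harm through a small, finite set of VBA primitives and that scanning for those primitives would have caught the whole family rather than one signature per variant, is easy to turn into a working check. The script below is an added example written for this page; it is not code from the post or from any AV vendor. It assumes the VBA has already been pulled out of the document as plain text (for instance with an extraction tool such as olevba; parsing the OLE container itself is outside the example), and the two macros it scans are constructed samples, the second written in the style of a 1990s dropper but inert here.

```python
"""Heuristic VBA macro scanner (added example, not from the original post).

Flags macro source that uses a finite set of dangerous VBA primitives,
auto-executing entry points, or string obfuscation, instead of matching
signatures of known viruses. Assumption: VBA is already extracted as text.
"""
import re
from dataclasses import dataclass, field

# Finite set of VBA primitives a document macro has no business using.
DANGEROUS_CALLS = {
    r"\bShell\b": "spawns an external process",
    r"\bCreateObject\s*\(": "instantiates a COM object (WScript.Shell, FileSystemObject, ...)",
    r"\bKill\b": "deletes files",
    r"\bOpen\b[^\n]*\bFor\s+(Output|Append|Binary)\b": "writes to a file",
    r"\bFileCopy\b": "copies files",
    r"\bMkDir\b|\bRmDir\b": "creates or removes directories",
    r"\bSetAttr\b": "changes file attributes",
    r"\bEnviron\s*\(": "reads environment variables (typical of droppers)",
    r"\bCallByName\b": "late-bound call used to hide method names",
    r"\bNormalTemplate\b|\bVBProject\b": "touches the global template or VBA project (self-replication)",
}

# Entry points that Word or Excel run without any user action.
AUTO_EXEC = re.compile(
    r"\bSub\s+(AutoOpen|AutoClose|AutoExec|AutoNew|Document_Open|"
    r"Document_Close|Workbook_Open)\b", re.IGNORECASE)

# Obfuscation: strings assembled from character codes, or many hex literals.
CHR_CHAIN = re.compile(r"(Chr[WB]?\s*\(\s*\d+\s*\)\s*&\s*){4,}", re.IGNORECASE)
HEX_LITERAL = re.compile(r"&H[0-9A-F]{2}", re.IGNORECASE)


@dataclass
class ScanResult:
    findings: list = field(default_factory=list)  # (line, snippet, reason)
    score: int = 0

    @property
    def suspicious(self) -> bool:
        return self.score >= 3  # threshold chosen for this example


def strip_comments(src: str) -> str:
    """Drop ' comments outside string literals so commented-out code cannot
    trigger; line structure is preserved so reported line numbers stay right."""
    out = []
    for line in src.splitlines():
        in_str, cut = False, len(line)
        for i, ch in enumerate(line):
            if ch == '"':
                in_str = not in_str
            elif ch == "'" and not in_str:
                cut = i
                break
        out.append(line[:cut])
    return "\n".join(out)


def scan_vba(src: str) -> ScanResult:
    code = strip_comments(src)
    result = ScanResult()

    def line_of(pos: int) -> int:
        return code.count("\n", 0, pos) + 1

    for pattern, reason in DANGEROUS_CALLS.items():
        for m in re.finditer(pattern, code, re.IGNORECASE):
            result.findings.append((line_of(m.start()), m.group(0).strip(), reason))
            result.score += 1
    m = AUTO_EXEC.search(code)
    if m:
        result.findings.append((line_of(m.start()), m.group(1), "auto-executing entry point"))
        result.score += 2
    m = CHR_CHAIN.search(code)
    if m:
        result.findings.append((line_of(m.start()), "Chr() chain", "string built from character codes"))
        result.score += 2
    if len(HEX_LITERAL.findall(code)) >= 8:
        result.findings.append((0, "&H literals", "unusually many hex literals"))
        result.score += 1
    return result


# Constructed benign sample: the kind of helper macro a user records.
BENIGN_MACRO = """
' Inserts today's date at the cursor
Sub InsertDate()
    Selection.TypeText Text:=Format(Now, "yyyy-mm-dd")
End Sub
"""

# Constructed sample in the style of a 1990s macro virus; inert text here,
# present only to exercise the scanner.
DROPPER_MACRO = r"""
' "Helpful" macro that actually drops and runs a script
Sub AutoOpen()
    Dim p
    p = Environ("TEMP") & "\u.vbs"
    Open p For Output As #1
    Print #1, Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116)
    Close #1
    Shell "wscript.exe " & p, vbHide
    NormalTemplate.VBProject.VBComponents.Import p
End Sub
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_MACRO), ("dropper", DROPPER_MACRO)):
        r = scan_vba(src)
        print(f"{name}: score={r.score} suspicious={r.suspicious}")
        for line, snippet, reason in r.findings:
            print(f"  line {line}: {snippet!r}: {reason}")
```

The scoring is deliberately coarse: a single `Shell` in a legitimate macro is a warning, while an auto-executing entry point combined with file writes, process spawning and `Chr()`-assembled strings is the pattern of every classic macro virus, whatever its bytes look like. Word-boundary matching keeps `AutoOpen` from tripping the `Open ... For Output` rule, and comments are stripped so a quoted discussion of `Kill` does not count; the trade-off is that `Shell` inside a string literal such as `"WScript.Shell"` still scores, which is acceptable for a heuristic meant to flag rather than convict.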