Trevor Best <no****@besty.org.uk> wrote in
news:42***********************@news.zen.co.uk:
Lyle Fairfield wrote:
[a set of quite valid complaints about Symantec AV]
As I've said many times, I don't run any AV software. I do have AVG
Anti-Virus (a free program) so that I can scan when I have suspect
files that I want to check before opening.
But I long ago stopped giving up CPU cycles to AV scanning.
How do I keep from getting infected?
1. I use an email client (Pegasus Mail) that is specifically
designed to be unable to automatically execute any email content.
2. I have my SpamAssassin proxy set to mark as SPAM any email it
identifies as including a Microsoft executable (which includes EXE,
SCR and so forth).
3. I never use Internet Explorer for browsing the web. I used to
occasionally, because support.microsoft.com was crippled in any
browser but IE, but nowadays it renders exactly the same in
Mozilla-based browsers as in IE, with exactly the same features. Of
course, I'm also now using
http://google.com/microsoft.html, which
makes it easier to find things than MS's own searching tools. I've been
using Mozilla as my primary browser since version 0.9.3, installed
in August 2001.
4. I open attachments only when I've been informed that they are on
the way.
5. I know how to read email headers and can tell a spoofed email
from a real one (it's not all that difficult), if it's not already
obvious from the subject/content of the message.
6. I have taken the time to understand NTFS security and have set up
my computer accordingly, never running as administrator (unless
necessary), and making sure that certain default file associations
are neutered (especially Windows Scripting Host -- this doesn't
disable WSH, just makes it so that you have to call it explicitly
for a script to work).
7. I do not install any music software, since every one of them that
I've ever looked at installs spyware. Of course, I don't have any
desire to *use* that kind of software. Oh, I do have iTunes
installed, but use it only to play music, not to write CDs or rip
MP3s (I already have good software for those tasks).
Aside from AV issues, I do these things:
1. I never connect directly to the Internet, instead putting a NAT
router between my PC and my cable modem. This blocks all nefarious
incoming scans (I don't have any common ports redirected to my PC,
either; if I were running a testbed HTTP server, I'd be running it
on any port *but* 80).
2. I run a software firewall (Tiny Personal Firewall, an old
version, before they went commercial and screwed up the program)
that allows me to control all outgoing connections. I've authorized
only those programs that have need to make an outgoing connection in
order to work, and by default block all other ports without
notification. If I install new software that really needs the
connection, I temporarily turn on notification to allow me to
authorize the narrowest connection possible (restricting on ports,
IP addresses, protocols).
3. I don't allow any of my web browsers to connect directly to the
Internet. Instead, they all connect through a proxy, Web Washer
(which filters out ads and other things). This has the effect that
any web page that is using non-standard ports (i.e., not 80 or 443)
is blocked (that trick is used by a lot of nefarious exploits).
4. I run only the minimal NT services necessary for my PC to
operate, and make sure that anything that can make network
connections is disabled (unless absolutely required). When Blaster
hit, I was on vacation for 3 weeks, and at the time (because of
RoadRunner problems), my PC was firewalled but *not* behind a NAT
router. My PC was *not* infected, because my firewall blocked the
incoming connection, and because I'd disabled the remote component
of RPC services. I have MSDE installed, but it is disabled. I have
MySQL installed, but it is disabled. I have any number of other
services that by default allow network connections, but I've made
sure that all of them are DISABLED. When I need them, I turn them on
(along with blocking external connections with my firewall
software). That said, any time there are networked vulnerabilities
found in Windows, I download the patch from MS and install it (I do
not enable automatic updates from Windows Update for two reasons: 1.
I want to choose which updates to apply, and 2. I want to download
the patches so that if I have to rebuild my PC and re-apply the
patches, I can do it *before* connecting to the Internet).
5. In regard to pop-ups and spyware and the like, I never see any.
I've been using a browser that blocks pop-ups since August 2001
(Mozilla; before that, WebWasher was blocking most pop-ups already,
since it allows filtering out JavaScripts connected to the OnOpen
and OnClose events of web pages). I was shocked this past summer to
be staying at the home of someone who used Internet Explorer
unprotected, and saw exactly what kind of a mess you end up with. I
was stunned and couldn't figure out why people would put up with
this stuff!
Now, I'm not saying that I'm not vulnerable -- I do have to be
diligent to make sure I keep things set up right and don't forget to
re-enable my firewall software any time I temporarily disable it for
some purpose, and so forth. And, of course, occasionally, the
software I use turns out to have a vulnerability. The latest is the
IDN spoofing vulnerability, which applies to every recent browser
(which, of course, excludes IE, because it's not a recent browser
and has no IDN encoding support, unless you install an ActiveX
plugin). But there's a temporary fix for Mozilla-based browsers and
there will be a permanent fix within the week (the new code is
already in testing). In this case, IE is not vulnerable because its
codebase is old enough that it predates the implementation of the
IDN encoding standard. This article explains what you need to know
about it:
http://www.securityfocus.com/columnists/298
That article also has an interesting set of comments on AV software,
where it is pointed out that all AV software scans ZIP files, but
they all ignore all the other common compressed formats (e.g., RAR).
This exemplifies one of the reasons I've always been incredibly
annoyed with the AV software makers -- they are reactive. They
catch the stuff they already know about, but fail to build in any
features that catch things for virus-like behavior. They are stuck
in the pattern-matching mindset (there's no other explanation for
scanning only one kind of compressed file).
For instance, there never should have been any Word macro virus
except the first one, because all that was needed was to scan Word
files for VBA that included the finite collection of dangerous
commands included in VBA (file operations, Shell(), obfuscated code,
etc.). But that's not the way the AV software makers did it -- they
did it with pattern matching.
Granted, macro viruses are gone now, because they were so easy to
scan for, and the number of possibilities was so small (compared to
EXEs, for instance). But they could have been eliminated a few
months after the first macro viruses came out, permanently.
On the other hand, I consider the cost of AV software to be a
Microsoft tax, as it's a result of MS's bad design decisions
(nefarious software might run once, but it shouldn't be able to
install itself in a fashion that re-starts after a reboot -- this is
easily accomplished by applying appropriate security settings to
certain registry keys; it could also have been accomplished by
making writes to those registry keys user-confirmable).
The current Microsoft-created problem is massive spam, because of
all the zombified PCs out there that are being controlled by the
spam networks. This happens because people are running as
administrators and are connected directly to the Internet with all
ports wide open. Both of those problems are caused by Microsoft: the
former is encouraged by the initial setup programs on all versions
of Windows, while the latter is the default configuration for
Windows. Both of these problems are very easily remedied, but you
have to *know* that they are problems before you can fix them.
And Microsoft could have easily engineered things better on the
front end. There is certainly no reason whatsoever for Win2K or
WinXP to have shipped by default with all ports open, because by
that time it was clear that open ports connected to the Internet
were a huge danger. But it was only with WinXP Service Pack 2 that
MS woke up and smelled the coffee -- finally fixing something that
should never have been implemented in the first place.
In any event, it's possible to compute perfectly safely without
being forced to sacrifice one CPU cycle to 3rd-party AV software.
You just have to understand where you're vulnerable and protect
yourself accordingly.
--
David W. Fenton
http://www.bway.net/~dfenton
dfenton at bway dot net
http://www.bway.net/~dfassoc
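The macro-virus point above (flag the small, finite set of dangerous VBA constructs instead of pattern-matching known samples) as an added example, not code from the original post. It assumes the VBA source has already been extracted from the document; the VBA module text below is constructed for illustration.

```python
"""Heuristic scan of VBA macro source for the dangerous constructs the
post names: Shell(), file operations, obfuscated code, plus the auto-run
hooks that turn them into a macro virus."""
import re

# Assumption: the macro text has already been pulled out of the Word file;
# this code only inspects the source, not the OLE/OOXML container.
DANGEROUS = {
    "autoexec": re.compile(r"\bSub\s+(AutoOpen|AutoExec|AutoClose|Document_Open)\b", re.I),
    "shell": re.compile(r"\bShell\b", re.I),
    "file_write": re.compile(r"\bOpen\b.+\bFor\s+(Output|Append|Binary)\b", re.I),
    "file_delete": re.compile(r"\bKill\s", re.I),
    "scripting_object": re.compile(
        r'CreateObject\s*\(\s*"(WScript\.Shell|Scripting\.FileSystemObject)"', re.I),
    # three or more Chr(n) & Chr(n) & ... pieces: a string built to hide itself
    "obfuscation": re.compile(r"(\bChr\s*\(\s*\d+\s*\)\s*&\s*){3,}", re.I),
}

def scan_vba(source):
    """Return (line number, rule name, stripped line) for every hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in DANGEROUS.items():
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings

def classify(source):
    """Behaviour-based verdict: an auto-run hook combined with a dangerous
    action is what a self-spreading macro needs; actions alone are suspect."""
    names = {name for _, name, _ in scan_vba(source)}
    actions = names - {"autoexec", "obfuscation"}
    if "autoexec" in names and actions:
        return "malicious-looking"
    if actions or "obfuscation" in names:
        return "suspicious"
    return "clean"

# Constructed sample: auto-run hook, obfuscated string, Shell, file write.
SAMPLE_BAD = r'''Sub AutoOpen()
    Dim prog As String
    prog = Chr(99) & Chr(97) & Chr(108) & Chr(99) & ".exe"
    Shell prog, vbHide
    Open "C:\normal.dot" For Output As #1
End Sub'''

# Constructed sample: an ordinary formatting macro.
SAMPLE_BENIGN = '''Sub BoldSelection()
    Selection.Font.Bold = True
End Sub'''
```

Run `classify()` over each extracted module; anything other than "clean" is worth a human look, and the `scan_vba()` hits say which lines triggered it.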