Logging into Windows for websurfing?
When logged into Windows, it's safer to websurf in a limited user account (rather than an administrator user account) because then if you do get infected by malware, the malware won't have administrator account privileges, and so has less ability to harm your computer. But what if you're logged into a limited user account (and not simultaneously logged into an administrator user account) but you're running any software (such as HideMyIP) with administrator privileges (because it won't run otherwise)? In that case, could malware take advantage of administrator level privileges in attacking your computer?

Some users leave the real Administrator account with no password. Not a good idea.

Snickers, aka MICROSOFT... for ages if you set up a new computer and created the admin account with a different name (like your name) other than Admin, it would still create the default Admin account but without a password and not even tell you. A big backdoor for your computer! (funny but going a bit off subject here)

A Limited User Account such as the default account settings provided by both Vista and Windows 7 is the single most effective malware prevention method, with no exceptions. No number of Anti-Virus PROGRAMS can protect you in the same way that not running as administrator can. Both combined are nearly impenetrable to the educated user. First, the reason it is so effective is simple: the method by which 99.9% of all malware gets onto the host machine is via a trojan of some form. Traditionally this gains access to the PC via the browser or by piggybacking onto other software and they usually install themselves silently. However, in order to access the paths and registry locations required to properly "install" (infect) a PC, the process being run will need administrator privileges. Since traditionally Windows XP and earlier have defaulted to creating users with full administrator privileges, this has been a problem.
Windows Vista, or namely, UAC, has changed this. (Yes, I know Linux had graphical sudo, but Linux was hardly vulnerable to win32 PE executables anyway.) UAC prevents this by executing processes using a privilege token that is the same as the user account with the administrator abilities stripped out. When administrator privileges are required, Windows displays the UAC prompt, which requires an administrator password, and then creates the process using a full privilege token. Now, the question here is whether having a process running as administrator poses a security risk. Well, that depends. In order to take advantage of a process being run in the administrator account, a malware process would need to get itself executing within that process. The general method of doing this is to do something called "process injection". And here's the catch. Process injection requires administrator privileges. So, that's out. That leaves things like security flaws in the program. For example, if you run a program as administrator, and that program reads scripts in a certain folder, then malware could place a script there that performs the installation required for the malware itself, and since the script is being run within an administrator-allowed process this is allowed. Most programs that allow scripts to run automatically both allow this feature to be disabled and also have at least basic security that prevents this sort of thing, such as a warning when a new script file is added. In general, running a process as an administrator does not "EXPOSE" you, since in most cases the malware would need to explicitly target the exact program and version you are running as admin, in addition to any number of other things that make it awkward or simply not worth the time to implement. Personally, I don't use an Antivirus. And I've seen first-hand that an AV solution is really more trouble than it's worth.
This is more caused by a change in user habits than by any inherent problem with the AV solution itself. Some people install an Anti-virus and consider themselves invincible. They are no longer careful opening attachments, or programs, because "their AV will protect them". The illusion of protection afforded by a traditional anti-virus solution is worse than no protection at all. An interesting read on this subject can be found here. The main point here is that while everybody dances around about how effective a particular AV is, they forget that the single, biggest security flaw is the user. Ideally, being presented with an elevation dialog should make people think "hey, wait a minute, why does this greeting card from the IRS require admin privileges", but oftentimes people feel that the content that the E-mail, or file claims to possess and the fact that it might contain it is far more important at that time, and simply allow it to continue. Now they are infected. Maybe, if they have an Anti-virus it throws up a warning, but remember, this is from the IRS! And it said right in the e-mail, "this may set off your AV program. Please disable your anti-virus and run this program" so we know it's safe, right? Basically, my point is, protection is completely useless when you have a user that will willingly circumvent it. Think of the antivirus as a sort of riot shield protecting the user. All a malware program has to do is convince them to poke their head out for a split second and *BLAM*- it's taken control.

Quote from: Azzaboi on February 28, 2010, 07:15:11 PM
> Snickers, aka MICROSOFT... for ages if you set up a new computer and created the admin account with a different name (like your name) other than Admin, it would still create the default Admin account but without a password and not even tell you. A big backdoor for your computer!

This was done for compatibility purposes. Stupid, I know.
But since Windows is one of the most backward compatible operating systems, and considering its popularity, it's pretty obvious that MS is protecting the backward compatibility stuff for a good reason. That's the only reason UAC took so long: they even had a somewhat working version in some of the early NT4 (or maybe w2k) betas, but they took it out due to compatibility issues with some common software applications at the time.

Quote
> a Limited User Account such as the default account settings provided by both Vista and Windows 7 is the single most effective malware prevention method, with no exceptions.

I highly disagree with that (you guys disagree with me all the time, my turn, yay, yay, lol). I just previously pointed out two major holes in the Limited User Account and you will need to be Admin sooner or later anyways. Not using an anti-virus and trusting Microsoft security and its built-in firewall is being blunt and blind. I use Kaspersky Internet Security 2010 which has application control, registry control, plus anti-virus, trojan, scripting, phishing site detection, malicious tools, riskware, adware, spam protection, etc. Are you telling me a Limited User Account is protected over all that? It would tell me if there's a change in a file, registry, startup, etc.

Quote
> Basically, my point is, protection is completely useless when you have a user that will willingly circumvent it. Think of the antivirus as a sort of riot shield protecting the user. All a malware program has to do is convince them to poke their head out for a split second and *BLAM*- it's taken control.

I agree with that though, it's funny how an application says to disable your anti-virus while installing...
what's the point if you're not monitoring what it's up to.

Quote from: Azzaboi on February 28, 2010, 07:46:43 PM
> I highly disagree with that (you guys disagree with me all the time, my turn, yay, yay, lol)

http://www.codinghorror.com/blog/2007/08/trojans-rootkits-and-the-culture-of-fear.html
http://www.codinghorror.com/blog/2005/07/the-dancing-bunnies-problem.html
http://www.codinghorror.com/blog/2007/06/the-windows-security-epidemic-dont-run-as-an-administrator.html

AFAIK Jeff Atwood knows what he's talking about. Even if he does use C#. heh. Also of interest: http://chuvakin.blogspot.com/2007/04/answer-to-my-antivirus-mystery-question.html which brings to the fore several interesting notes.

Quote
> Not using an anti-virus and trusting Microsoft security and its built-in firewall is being blunt and blind.

Yeah. Alright then. I have Windows Firewall disabled, no AV at all. In the last 7 or so years that I've been using PCs heavily I have had only a single infection. Well, I've only had a single infection that I count. I usually got something minor like Vundo or something every few months; I say got, because that was when I was using XP, and I was running under the admin account. Only takes a few minutes to clean manually. Most annoying part is the fact that I had to reboot. I haven't had a single infection since I started using Vista and Windows 7. When I discovered I had an infection, my first thought was to install an AV to clean it. Too bad the AV didn't recognize any threats at all. In fact, if I was any average user, I probably would have never even found out even if I had an AV installed; but if I had an AV installed I probably would have felt "safer" and not become suspicious and started Process Explorer. Process Explorer revealed that not a single executable could be verified against its publisher. Then I grabbed my XP disk and found that not a single exe was the same size as the one on the disc; same story with DLLs.
A quick search of my symptoms (the main one that tipped me off being that my HTML files were being hijacked when I edited them) and I found out I had the Virut file infector virus. I think I tried a few of the remover tools, but meh, it was a waste of time. So I just reformatted my C: drive and reinstalled XP; then I simply ran a quick command on my D: drive to remove any and all infections remaining:

    for %A in (exe dll ocx) do for /f "tokens=*" %P in ('dir /s /b *.%A') do del "%P"

There were a few other extensions I deleted, but I forget what they were. Then I ran a MBAM scan to check for remnants and I was finished. I had to reinstall a few programs but I hardly consider that a loss.

Quote
> Are you telling me a Limited User Account is protected over all that?

No, not really. It would also require some common sense, but every single one of those features is easily replaced with due diligence. Kaspersky is one of the better commercial products though. But as far as I'm concerned Anti-Virus programs are designed for people that do not and probably have no desire to understand how an infection occurs. That's what it's for; it's automated.

Quote
> application control

I have no idea what this does, so I don't know what an equivalent would be.

Quote
> registry control

No program can access the important infection vectors of the registry without running with the appropriate privileges. Since having UAC enabled means that this will show a UAC dialog, that should raise a bajillion red flags. Of course the real "prevention" here should have been not running whatever this program is in the first place.

Quote
> trojan

If somebody is even going so far as to trust that a file isn't a trojan enough to run it then the battle is already lost. Putting yet another stop-gap measure such as this is just yet another dialog for the determined user to not read. After all, if UAC is enabled they already skipped that before the trojan ran at all.
Quote
> scripting

This doesn't even make sense. Client-side scripts running in a browser would need to take advantage of flaws in the script interpreter to do anything remotely malicious, and script files like vbs, wsh, pl, py, and so forth should be associated with a text editor rather than their interpreter (in the extreme case; personally the only script files I usually run are the ones I write myself, and those I do download are only run after I read them to see what they do). That's why scripts are incredibly useless for delivery of viruses (and yes, I know about Melissa and ILOVEYOU, I'll get to those in a moment): they are plain text. Anybody can read them. "Macro" viruses IMO are not viruses but rather a public display of an evident security flaw in the program that is hosting them. Most E-mail viruses, who am I kidding, ALL e-mail viruses can only be deployed "automatically" by Outlook. For example, early script viruses such as ILOVEYOU took advantage of a feature that was designed to make things easier, which was that macros could be run the moment the file was downloaded from the server. Basically what it did was use that event to send itself to everybody in its address book. Nowadays, every single one of these unavoidable holes has been plugged by disabling macros until the user consents to enable them. Once you give the user the choice, it's their fault if they make the wrong one at the wrong time. (This is why the user in question needs to really know what they are doing.)

Quote
> phishing site detection

This is not really a separate "detection", they just wanted another checkmark, because the only way you can get to a phishing site is to either click a link in an E-mail that points to that URL, or by getting infected by a trojan. The diligent user knows how to detect a trojan, and it's really really really really easy. The answer? Don't download from a source you don't trust.
Some people have accepted this idea that somehow a file can be infected while you download it, so you have to scan every file you download for trojans. That is pure BALONEY. If you download from a source you trust, such as the manufacturer's site for a product, then the product will be an untainted file. Of course this doesn't quite cover the extreme case where the site was sabotaged by hackers and the download page changed, but as far as I'm concerned any company so lax on their security policy to allow something like this has about a million warning signs on their home page, the first indicator being the 20 or so contrived awards their products have won.

Quote
> malicious tools

Again, not a separate category. The only way these can get on your PC is through a trojan. Additionally the detection of such things as keyloggers via heuristics is often laughably simple. Take the link to Karl Peterson's MSDN article where he discovers McAfee's magical ability to detect keyloggers is as simple as seeing if the file contains the text "Software/Microsoft/Windows/CurrentVersion/Run". First off, this detection simply doesn't work at all if the application uses Unicode strings. Secondly, as Karl discovered, this entire thing can be worked around by reversing the string. How's that for security.

Quote
> riskware

Proper, basic research should be taken before downloading and trying any software product.

Quote
> adware

Pretty much the same as above, EXCEPT it's often delivered via trojans (also covered).

Quote
> spam protection

I have absolutely no idea what this is doing in a security suite. Spam doesn't threaten anybody's security. This is just a feature they added for another checkmark on the box. Come to think of it, I'm surprised they haven't started including word processors and used that as an extra checkmark against their "competition" (I don't mean Kaspersky, I mean the security companies in general).

Quote
> It would tell me if there's a change in a file, registry, startup, etc.
Every single one of those changes means that a program made that change. As far as I'm concerned, if you ever let a program get far enough so as to execute, you already failed Security 101. As "bulletproof" as these tools may seem there are always ways around them. As an example, let's look at the "startups" and how to avoid an AV program from detecting changes. First off, all AV programs detect changes in files and registry keys by hooking the registry and file functions, such as RegCreateKey, RegOpenKey, RegOpenKeyEx, etc. etc. However, consider that the registry data is all stored as a file on disk. A program can easily open this file and change the data in the registry as it sees fit, and the AV program will be none the wiser. "But it can detect the file change!" Sure, but only if the "virus" uses the standard file access functions. There is more than one way to skin a cat. For example, I've seen plenty of AV programs that hook the CreateFile() function, which is used for opening files. And yet, at the same time, they leave _lopen() completely unhooked. Take a guess what functions hackers often use? Of course, then the AV programs started hooking that function. So virus writers started using the Native NT API to open and edit files, and since by this time they've already gotten Admin permissions, they may as well just install a driver (Oh wait! But guess what stops THAT from happening! Nope, it isn't the AV program, but the OPERATING SYSTEM, which requires all drivers be signed!). THIS is why AV programs are slow: they have to hook half a kazillion functions and perform a heuristic analysis on every single parameter to determine whether it's legit. Not to mention once again the fact that they often don't take into account the various Unicode substitutes.
For example, a registry key that has a name containing "th" might be monitored by the AV program (or more precisely, every single registry access scanned to make sure this key is untouched; I'm ignoring the direct file access route, for now). But here's the kicker: the "hacker" can easily pass in a Unicode string using the combined "th" ligature character (same goes for other letter combinations, such as ae) and the same key is accessed, because Windows properly expands the ligature. (Actually, this can depend on the language.) Now, there is still the additional issue that the AV has to monitor registry changes done by directly accessing the registry files on disk. There is not a single Anti-virus on the market that does this. And for good reason. It's both impossible and would make things even slower. It would need to analyze every single possible combination, every single parameter. For example, it might use the FileSeek() and ReadFile() functions to search for the position in the registry file to store the data to create the run key. This simply cannot be stopped. The only way to do that would be to either block on every single ReadFile/WriteFile that is performed on the registry files (which, in a strange coincidence, will break regedit) or to stop on every single comparison that includes that text. And even then you're adding even more and more legitimate programs being falsely flagged as doing something malicious. This reduces the user's trust in the program, making them ever more likely to consider a program that is being flagged as being perfectly legit and allowing it to continue even in those extreme cases where it detects the changes. Sure, they could detect the changes via WriteFile as well, but the virus could just as easily write out each character individually, or write out the key name starting from the end. Now one may be asking, "why assume they have admin permissions?" Well, that's quite simple.
Remember, UAC and limited user accounts are useless, and since they don't stop anything we may as well pretend the user let it run as an administrator (which as I stated is all the more likely, since they have an AV, right? They are invincible!)

The BC programmer is right. So many computer users become complacent after they install an antivirus program that has a good reputation. The fact is that even the best antivirus programs can always stop about half of the possible kinds of attack that can occur. Fortunately, or maybe not, at any one time there are a number of virus attacks that are current and the antivirus programs concentrate on the current variations of the attacks. But it is just not possible for these programs to catch every possible attack that might come to your computer. The fundamental reason is this: the antivirus programs have a library or a database of historical attacks that have been made before. Using this database they form models of what they think would be the current state of the attack. Or, to put it in plain language, they are guessing about the war game. In this war game the user never comes out a winner; the user is always on the defense and does not have a real offense. This all has to do with a fundamental way computers are designed and the way the Internet was designed. At one time it was thought to be a good idea to have the computers be easy to modify and the Internet could deliver almost anything. Now looking back that seems like it was not such a good idea. But, on the other hand, if we put all sorts of filters and restraints on what you can do on the Internet, then it would be very difficult to come up with new innovative methods of communication. Some types of Internet communication actually require that you modify the browser, and possibly even part of the operating system, in order to produce a more pleasant web experience. This is not just my opinion, nor just what BC said.
Most of the regular posters here on this forum will confirm the malware issue is much worse than what most people imagine. Something like 40% of the posts on this forum have to do with malware issues.

Quote from: Geek-9pm on March 01, 2010, 12:42:40 AM
> This is not just my opinion, nor just what BC said. Most of the regular posters here on this forum will confirm the malware issue is much worse than what most people imagine. Something like 40% of the posts on this forum have to do with malware issues.

Heh, that's the opposite of my first link. (http://www.codinghorror.com/blog/2007/08/trojans-rootkits-and-the-culture-of-fear.html)
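Three of the thread's claims can be checked directly on a Windows box with built-in tools, so here is an added PowerShell example that was not posted by anyone in this thread. It covers the UAC "stripped" token that BC describes (the Administrators group is kept in the token but marked deny-only until you elevate), the Process Explorer publisher check BC used to spot the Virut infection (done here with Get-AuthenticodeSignature), and a do-it-yourself version of Azzaboi's "it would tell me if there's a change in startup" (a snapshot-and-diff of the Run/RunOnce keys). The function names and the baseline file location are this example's own choices, and it assumes PowerShell 3.0 or later; whoami, Get-AuthenticodeSignature and Export-Clixml are standard.

```powershell
# Added example, not from the thread. Run once as a limited user and once
# elevated and compare the first report: that difference is the UAC
# filtered token the thread talks about.

# 1. Which token is this session holding? whoami /groups lists the
#    Administrators group with "Group used for deny only" on a filtered
#    token, and the integrity label (S-1-16-*) is Medium until elevated.
function Get-TokenReport {
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' }     # mandatory integrity label

    if (-not $admins) {
        $status = 'absent: true limited user'
    } elseif ($admins.Attributes -match 'deny only') {
        $status = 'present but filtered by UAC (not elevated)'
    } else {
        $status = 'enabled: this process is elevated'
    }
    $user = whoami
    New-Object PSObject -Property @{
        User                = $user
        AdministratorsGroup = $status
        IntegrityLevel      = $label.'Group Name'
    }
}

# 2. The check done by hand in Process Explorer: can every running image
#    be verified against its publisher? Without elevation, Path is empty
#    for other users' processes, so those are skipped. Files signed only
#    via a catalog show as NotSigned on older PowerShell; 5.1 and later
#    check catalog signatures as well, so treat NotSigned as "look closer",
#    not as proof of tampering.
function Get-UnverifiedProcessImages {
    Get-Process | Where-Object { $_.Path } |
        Select-Object -ExpandProperty Path | Sort-Object -Unique |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_
            if ($sig.Status -ne 'Valid') {
                $signer = '(none)'
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                New-Object PSObject -Property @{ Path = $_; Status = $sig.Status; Signer = $signer }
            }
        }
}

# 3. Startup monitoring by polling instead of hooking. Because this reads
#    the stored values rather than intercepting RegSetValue/WriteFile, it
#    does not matter how an entry was written (API, hive file, ligature
#    trick): the changed value is there for the next snapshot to see.
#    Polling cannot block the write, so this is detection, not prevention.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartSnapshot {
    $snap = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $snap["$key\$name"] = [string]$item.GetValue($name)
        }
    }
    return $snap
}

function Compare-Autostart {
    # Baseline location is an assumption of this example; keep it somewhere
    # a limited user cannot rewrite if you rely on it.
    param([string]$BaselinePath = "$env:USERPROFILE\autostart-baseline.xml")
    $current = Get-AutostartSnapshot
    if (-not (Test-Path $BaselinePath)) {
        $current | Export-Clixml -Path $BaselinePath
        return "Baseline written to $BaselinePath; run again later to diff."
    }
    $baseline = Import-Clixml -Path $BaselinePath
    foreach ($k in $current.Keys) {
        if (-not $baseline.ContainsKey($k))     { "ADDED   $k = $($current[$k])" }
        elseif ($baseline[$k] -ne $current[$k]) { "CHANGED $k = $($current[$k]) (was $($baseline[$k]))" }
    }
    foreach ($k in $baseline.Keys) {
        if (-not $current.ContainsKey($k)) { "REMOVED $k" }
    }
}

Get-TokenReport | Format-List
Get-UnverifiedProcessImages | Format-Table -AutoSize
Compare-Autostart
```

The first report is the practical answer to the original question: a program started through the UAC prompt holds the full token, while everything else in the same desktop session keeps the filtered one, which is why the thread's "which process is elevated" distinction matters more than which account you logged in with. The autostart diff is deliberately a polling check rather than an API hook, so the hive-file and ligature bypasses described later in the thread change what it reports, not whether it reports.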