Agnitum Outpost blocking everything

[kurt wismer]

Art wrote:
[snip]

Since when does logic need to be defended? And don't rely on security
by obscurity. Kerio, Sygate and Outpost are just as likely to be
disabled by malware as ZA and the others you mentioned.

true, but with kerio (and possibly others) you'd have to give the
process that would potentially disable kerio permission to run before it
would be able to disable kerio...

Here's another Kerio killer that allegedly works on Win 2K/XP:

http://securityresponse.symantec.com/avcenter/venc/data/w32.kelvir.az.html

it "attempts" to kill kerio - but as i said, you first have to tell
kerio to permit the process to launch...

if nothing else this helps deal with the "i didn't know it was a
program" problem...

 

[Art]

it "attempts" to kill kerio - but as i said, you first have to tell
kerio to permit the process to launch...

if nothing else this helps deal with the "i didn't know it was a
program" problem...

And here's one that includes Outpost:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.tooso.b.html

Art

http://home.epix.net/~artnpeg

 

[Art]

And supposed experts are still advising them to use online scans (often the
same experts who advise flushing System Restore first).

Well, I'm a member of the "flushing" gang. So shoot me

Art

http://home.epix.net/~artnpeg

 

[Shane]

Well, I'm a member of the "flushing" gang. So shoot me

Thought you probably were, Art! <vbg>

However, I'm sure you can appreciate the logic of flushing after the scan as
opposed to before it. I agree that when one's system works ok one might as
well flush. But the recommendation to flush first is on a par with that to
permanently disable SR, in which case why not say just that?

Shane

 

[Art]

Thought you probably were, Art! <vbg>

However, I'm sure you can appreciate the logic of flushing after the scan as
opposed to before it. I agree that when one's system works ok one might as
well flush. But the recommendation to flush first is on a par with that to
permanently disable SR, in which case why not say just that?

Well, I always thought the assumption is that the system is clean when
you flush in a malware cleanup scenario. It sems to me certain av such
as AVG have the most difficulty, but I'm not sure. IOW, it seems that
after a malware cleanup, the damn scanner keeps on whining about
malware in the _RESTORE folder ... and users post wanting to know
what to do. So we tell them to temporarily disable System Restore, and
they do and everone is happy. Except. I guses, some MVPs or whatever
those characters are on the Win ME n.g. They're never happy to see
their precious MS SR flushed! Heaven Forbid!

Art

http://home.epix.net/~artnpeg

 

[Shane]

Well, I always thought the assumption is that the system is clean when
you flush in a malware cleanup scenario. It sems to me certain av such
as AVG have the most difficulty, but I'm not sure. IOW, it seems that
after a malware cleanup, the damn scanner keeps on whining about
malware in the _RESTORE folder ... and users post wanting to know
what to do. So we tell them to temporarily disable System Restore, and
they do and everone is happy. Except. I guses, some MVPs or whatever
those characters are on the Win ME n.g. They're never happy to see
their precious MS SR flushed! Heaven Forbid!

A large no. of people say to flush before the cleanup. I think anyone who
counts on the Win ME groups are - these days, anyway - pragmatic about it
and happy for the archive to be flushed post- cleanup.

If this guy: hadn't
flushed and we could ascertain that the infection was recent enough, it
would have been easy for him to restore to before that time.


Shane

 

[Shane]

A large no. of people say to flush before the cleanup. I think anyone who
counts on the Win ME groups are - these days, anyway - pragmatic about it
and happy for the archive to be flushed post- cleanup.

If this guy: hadn't flushed and we could ascertain that the infection was recent
enough, it would have been easy for him to restore to before that time.


Shane

This is for Peter.


Shane

 

[Art]

A large no. of people say to flush before the cleanup. I think anyone who
counts on the Win ME groups are - these days, anyway - pragmatic about it
and happy for the archive to be flushed post- cleanup.

If this guy: hadn't
flushed and we could ascertain that the infection was recent enough, it
would have been easy for him to restore to before that time.

BTW, I was surprised when Free Agent took me directly to the post in
your n.g. link above. In all the years I've been using it, I've never
seen such a link. That was cool

I understand your position. But the posts I recall seeing on the virus
lists have been like what I described. I don't think any of the
regulars here are really gulty of being "flush it happy" But maybe
some are and I haven't noticed.

I'm interested in the issue of what to do before a total backup to
removeable media. And those who use and set a SR point would have
the same problem. How does one ascertain that his system is clean?

Even the best av and spyware scanners might miss stuff. Personally,
I use a number of general or generic "sniffing" checks as well, and of
course I familiarize myself with normal running processes and items in
some registry Run keys at least. But average users would have a
helluva time with this sort of thing, and I can never really say that
I'm clean with total certainty before I backup. So it's a continual
issue and open question IMO.

BTW, one little thing that at least gives me some warm fuzzies is
to update KAV and enable its realtime monitor. Then when I backup
on Win ME using XXCOPY, KAV will block copying any malware it
finds. Tested using eicar.com.

This saves wear and tear on my hard drives. I rarely scan complete
drives on demand any more. And when I do scan it's just Windows. When
nothing is ever found, you tend to eventually go lighter and lighter
on the on-demand scans.

But what do _you_ advise average users to do before setting a SR
point? That's my question

Art

http://home.epix.net/~artnpeg

 

[Shane]

BTW, I was surprised when Free Agent took me directly to the post in
your n.g. link above. In all the years I've been using it, I've never
seen such a link. That was cool

Yes. I tested it before sending and I was quite surprised it worked.

I understand your position. But the posts I recall seeing on the virus
lists have been like what I described. I don't think any of the
regulars here are really gulty of being "flush it happy" But maybe
some are and I haven't noticed.

Maybe they too are becoming pragmatic and I haven't noticed because I'm
rarely here anymore. Or maybe you don't waste your time reading posts from
those copy/paste regulars (equivalent to most of the new mvp's and mvp
wannabes - particularly on the XP groups - who simply parrot what the av
bloatware companies say).

I'm interested in the issue of what to do before a total backup to
removeable media. And those who use and set a SR point would have
the same problem. How does one ascertain that his system is clean?

Even the best av and spyware scanners might miss stuff. Personally,
I use a number of general or generic "sniffing" checks as well, and of
course I familiarize myself with normal running processes and items in
some registry Run keys at least. But average users would have a
helluva time with this sort of thing, and I can never really say that
I'm clean with total certainty before I backup. So it's a continual
issue and open question IMO.

Yes, I agree totally. There's a point at which we just have to have faith
that it's clean. Kind of a metaphor for Life, if I may spout some bollocks!

BTW, one little thing that at least gives me some warm fuzzies is
to update KAV and enable its realtime monitor. Then when I backup
on Win ME using XXCOPY, KAV will block copying any malware it
finds. Tested using eicar.com.

This saves wear and tear on my hard drives. I rarely scan complete
drives on demand any more. And when I do scan it's just Windows. When
nothing is ever found, you tend to eventually go lighter and lighter
on the on-demand scans.

Absolutely, I do the same. I do sometimes worry that I'm growing lax!
Actually sometimes I get bored with never getting malware infections! I
mean, it's much more entertaining than the clap!

But what do _you_ advise average users to do before setting a SR
point? That's my question

Not sure I understand it, Art. I mean the system will set points daily, or
am I being obtuse?


Shane

 

[Art]

Absolutely, I do the same. I do sometimes worry that I'm growing lax!
Actually sometimes I get bored with never getting malware infections! I
mean, it's much more entertaining than the clap!

LOL! I have the same feeling. I haven't yet set up a goat machine with
just a raw install of Win 2K on it as a honeypot, but I often think it
would be quite a bit of fun. Then for futher amusement, I'd write
uo a report and put it up at my web site. Honeypot results of the day,
with data on which av products detect and clean the nasties. Be
intersting too to see how long it takes nowdays to start taking hits.

Not sure I understand it, Art. I mean the system will set points daily, or
am I being obtuse?

I thought you could set points yourself. If not, SR is far worse and
more dangerous to average users than I ever thought. You see, I never
used it since I use a cloned drive on my wife's ME PC.

Art

http://home.epix.net/~artnpeg

 

[Heather]

I thought you could set points yourself. If not, SR is far worse and
more dangerous to average users than I ever thought. You see, I never
used it since I use a cloned drive on my wife's ME PC.

Hi Art......Shane is probably fast asleep. I set Restore Points before
adding a new program or update, for instance. Then if I have to remove it
or it gives me trouble, I just delete it and then go back to that particular
Restore Point. I frankly think it is worth its weight in gold!! Saved my
bacon a few times!!

Cheers.....Heather

 

[John S.]

SNIP


Yes. I tested it before sending and I was quite surprised it worked.

OK, I give in!

I use Free Agent and can't figure out how you can use a message
ID to go to the message.

It's a bit OT for this thread, but please let the secret out.

(I have version 1.21/32 - perhaps there is a later version?)

Cheers,

John S

 

[Shane]

LOL! I have the same feeling. I haven't yet set up a goat machine with

just a raw install of Win 2K on it as a honeypot, but I often think it
would be quite a bit of fun. Then for futher amusement, I'd write
uo a report and put it up at my web site. Honeypot results of the day,
with data on which av products detect and clean the nasties. Be
intersting too to see how long it takes nowdays to start taking hits.

Yes, that would be interesting. And I guess really you need Win 2K to do it
with. I mean, sod buying another XP licence to do something MS ought to pay
us to do!

I thought you could set points yourself. If not, SR is far worse and
more dangerous to average users than I ever thought. You see, I never
used it since I use a cloned drive on my wife's ME PC.

Yes, you can - as Figgs says. But the system will set one if you don't,
anyway - and certainly following flushing unless you leave it disabled or
you're running something that doesn't allow the required idle time. So I
rarely bother to set one manually.

If it's someone else's machine I'm personally cleaning, I'll do multiple
scans and have faith that nothing's getting past KAV and Sysclean/PCScan and
Stinger/Viruscan etc. Harden as much as I can get away with. And when
reasonably sure the pc is clean and working well, I will flush SR.

If offering advice, I try to explain the SR/flushing issue and Safe Hex so's
they can make up their own mind.

But, increasingly, if thinking hurts them too much: unless they're family, I
tend now to leave them to it. This is why I rarely post anymore. It seems to
me there are fewer and fewer intellects on the ngs and more and more whose
self-esteem is invested in being 'seen to be an expert' in the sexy subject
of Security, or, on the MS groups, being made an MVP. Life is too short.


Shane

 

[Shane]

Hi Art......Shane is probably fast asleep.

Who'd have thought it, eh, Figgs? I probably was!

Shane

 

[Shane]

OK, I give in!

I use Free Agent and can't figure out how you can use a message
ID to go to the message.

It's a bit OT for this thread, but please let the secret out.

(I have version 1.21/32 - perhaps there is a later version?)

Ah, but I'm using OE. Just in recent years those links haven't worked (for
me) in OE, either. Notably, perhaps, the original message was sent via the
MS web ng interface, so maybe sending in html makes a difference? Otherwise,
I sent using XP SP2's version of OE, which is different to other OE6
versions.

Shane

 

[Art]

Yes, that would be interesting. And I guess really you need Win 2K to do it
with. I mean, sod buying another XP licence to do something MS ought to pay
us to do!


Yes, you can - as Figgs says. But the system will set one if you don't,
anyway - and certainly following flushing unless you leave it disabled or
you're running something that doesn't allow the required idle time. So I
rarely bother to set one manually.

And you can't disable the automatic setting of points daily? You see,
I picture millions of typical users with malware/spyware on their PCs
they aren't aware of, continually backing it up. That make me shudder.
They'll be cleaning up malware and then restoring it Any sane
scheme of backup/restore would be entirely in the hands of the user.
There's no getting around the personal responsibility of users. So, as
always, user education (or least some instruction) is paramount.

If it's someone else's machine I'm personally cleaning, I'll do multiple
scans and have faith that nothing's getting past KAV and Sysclean/PCScan and
Stinger/Viruscan etc. Harden as much as I can get away with. And when
reasonably sure the pc is clean and working well, I will flush SR.

If offering advice, I try to explain the SR/flushing issue and Safe Hex so's
they can make up their own mind.

But, increasingly, if thinking hurts them too much: unless they're family, I
tend now to leave them to it. This is why I rarely post anymore. It seems to
me there are fewer and fewer intellects on the ngs and more and more whose
self-esteem is invested in being 'seen to be an expert' in the sexy subject
of Security, or, on the MS groups, being made an MVP. Life is too short.

I know the feeling. It can be different on private lists though. I've
enjoyed being on one that supports claymania.

Cheers

Art

http://home.epix.net/~artnpeg

 

[Art]

OK, I give in!

I use Free Agent and can't figure out how you can use a message
ID to go to the message.

It's a bit OT for this thread, but please let the secret out.

(I have version 1.21/32 - perhaps there is a later version?)

I use 2.0/32.652 There may be a later version yet. I haven't checked
in quite some time.

Art

http://home.epix.net/~artnpeg

 

[Art]

Hi Art......Shane is probably fast asleep. I set Restore Points before
adding a new program or update, for instance. Then if I have to remove it
or it gives me trouble, I just delete it and then go back to that particular
Restore Point. I frankly think it is worth its weight in gold!! Saved my
bacon a few times!!

As I mentioned to Shane, it's the automatic Saving of infestations and
lack of user knowledge that makes me shudder. It's really not all that
easy to ascertain with a high degree of confidence that your PC is
free of malware/spyware before doing a backup.

Fortunately, many of us manage to do ok with our backup/restore
schemes. But when you consider the user education vacuum, it's a
different matter.

Art

http://home.epix.net/~artnpeg

 

[James Egan]

Ah, but I'm using OE. Just in recent years those links haven't worked (for
me) in OE, either.

IIRC they only work in OE if prefixed with the "prefix,
otherwise OE assumes it's an email address.

Agent and Free Agent are both a bit smarter. If the prefix is missing
the program will ask if it's an email address or a news link.

Of course, the link will only work if/while the message is on the
user's news server so it's probably better to find it in the google
archives and link to that instead.


Jim.

 

[Shane]

And you can't disable the automatic setting of points daily?

No. You can't have it enabled but only making manual points - or not by
easily-accessible settings.

You could use one of those progs that don't allow enough idle time. I'd
never thought of that as something desirable but it certainly is
possible. Mike Maltby has an increasingly comprehensive list of what stops
SR making automatic points - various builds of ZoneAlarm, for eg - but I
suppose one could write a little app to do it without using more resources
than necessary to achieve just that end.

You can alter the frequency of automatic restore point creation - via a
registry setting. I've never altered mine as it never interested me:
http://tinyurl.com/a5kv4

Of course, the idea of SR is mostly that it's making restore points for the
unexpected, for when you wouldn't normally bother to do it manually.

You see,
I picture millions of typical users with malware/spyware on their PCs
they aren't aware of, continually backing it up. That make me shudder.
They'll be cleaning up malware and then restoring it Any sane
scheme of backup/restore would be entirely in the hands of the user.

It's generally recognised that SR is no use for going back more than a
week - two at the most - because it doesn't archive everything, so the more
changes meantime, the more out-of-sync the system'll get and the more likely
it'll be in a worse state than before.

You can pretty-much guarantee that it won't keep restore points older than a
week or two - because it FIFO's - by limiting the amount of space allocated.
Unfortunately by default a massive amount of space is allocated. So in
effect it doesn't work out of the box, for those who need it most, as
someone more knowledgable needs to intervene. By default SR on modern drives
will keep restore points going back for months, probably years! Set sensibly
SR won't restore malware beyond about a week of cleaning.

SR never restores automatically, not like the registry is sometimes restored
whether you like it or not. But logically it's more likely to be used by the
naive and/or careless, and in that respect, in the context of security, it
clearly fails.

MS have been slowly correcting stuff - the Windows Firewall being on as
opposed to off in XP SP2 as an example. Yet SR's inadequacies have been
known of and complained about for a long time and not really addressed. The
SP2 Security Center interacts with one's AV to a degree - maybe it's time it
did so to the extent of having the archive operation scanned for nasties.

There's no getting around the personal responsibility of users. So, as
always, user education (or least some instruction) is paramount.

Yes. Can't argue with that!


Cheers yourself!


Shane