Efficient WEB protection - which program?

Using biological parallels only goes just so far. Time to stir up some
mud and murky-up the water.
Malaria is an infection

But it's not a virus.
but it is spread by mosquitos,

In a computer virus sense, it is *carried* by mosquitoes - it *spreads*
by self-replication like a worm (not a virus). In a biological sense it
is spread by mosquitoes.
not by people passing it on to others.

People are 'hosting' the infections, the mosquitoes are *not* infected.
The mosquitoes are only the transmission vector between the humans.

In a computer virus sense, this is very wormlike. When you start invading
cells and co-opting their internal factories to reproduce more cell
invaders you start to look more like computer *viruses*.
 
The fully installed anti virus application that is installed on one's
computer that performs both "On Access" and "On Demand" scanning will
scan those file types. That is one of the two main reasons why MBAM
supplements anti virus software and does not replace anti virus
software. The second is MBAM doesn't specifically "target" viruses
because MBAM can't "clean" the malicious code from an infected file
where code has been prepended, appended or cavity injected. For that
matter MBAM can't "clean" a trojanized file either. At best MBAM will
delete these files. To my knowledge, with the present version MBAM
can't detect or clean MBR code either.
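The post above distinguishes code that was prepended, appended or cavity injected into a host file. The appended case is the one a scanner can recognise from the file layout alone: the PE section table states where the image ends on disk, and anything after that point is an "overlay". The example below is added here to show that check; it is not MBAM's code or any vendor's, and the PE image it inspects is constructed in memory rather than read from a real binary. Prepended and cavity-injected code are not found this way, and a legitimate overlay is common (Authenticode signatures and installer payloads live there), so an overlay is a lead to investigate, not a verdict.

```python
"""Overlay detection for a PE file: data appended past the last section.

Added example, not MBAM's or any vendor's code. The PE image is built
in memory (build_pe) so the demo runs offline; the section names, sizes
and the 37-byte appended blob are constructed sample data.
"""
import struct

FILE_ALIGN = 0x200      # file alignment used by the constructed image
OPT_HDR_SIZE = 0xE0     # size of a PE32 optional header


def align_up(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def pe_overlay(data: bytes):
    """Return (end_of_last_section_on_disk, overlay_length).

    Raises ValueError for non-PE input or a section table that points
    past the end of the file (truncated or deliberately hostile headers).
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsec, = struct.unpack_from("<H", data, coff + 2)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                            # first section header
    end = table + nsec * 40                                 # at least the headers
    for i in range(nsec):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each header
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + i * 40 + 16)
        if size_raw:                        # .bss-style sections own no file bytes
            end = max(end, ptr_raw + size_raw)
    if end > len(data):
        raise ValueError("section table points past end of file")
    return end, len(data) - end


def build_pe(sections, overlay: bytes = b"") -> bytes:
    """Construct a minimal, non-executable PE32 image from (name, bytes) pairs."""
    nsec = len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, OPT_HDR_SIZE, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (OPT_HDR_SIZE - 2)        # Magic = PE32
    hdr_len = len(dos) + 4 + len(coff) + len(opt) + nsec * 40
    ptr = align_up(hdr_len, FILE_ALIGN)
    va, table, body = 0x1000, b"", b""
    for name, raw in sections:
        size_raw = align_up(len(raw), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(raw), va, size_raw, ptr, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(size_raw, b"\0")
        ptr += size_raw
        va += align_up(max(len(raw), 1), 0x1000)
    headers = (dos + b"PE\0\0" + coff + opt + table).ljust(align_up(hdr_len, FILE_ALIGN), b"\0")
    return headers + body + overlay


def demo():
    """Clean image versus the same image with 37 constructed bytes appended."""
    secs = [(".text", b"\x90" * 100), (".data", b"A" * 50)]
    clean = build_pe(secs)
    appended = build_pe(secs, overlay=b"X" * 37)   # stand-in for appended code
    return pe_overlay(clean), pe_overlay(appended)


if __name__ == "__main__":
    for label, (end, extra) in zip(("clean", "appended"), demo()):
        print(f"{label}: image ends at {end}, overlay {extra} bytes")
```

Truncating the file at `end` would remove an appended payload, which is what "cleaning" means for this one infection style; the check tells you nothing about whether the entry point or the bytes inside the sections were also altered, which is why a scanner that only knows the file is infected will delete rather than repair.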

All correct.
However, I don't have intimate knowledge on the IP protection of the
full and paid-for Professional version.

I do. It's just a blocking program. Peerblock is actually more
advanced...
 
The term 'virus' for some reason has popular appeal where the correct
term of 'malware' is rather dull. It doesn't matter what you call a
virus at your dinner table, but it matters here.

Which you would want to know specifically in order to suggest a proper fix
I use Avira Free Antivirus, and don't use any web protection
thingies. Another computer I have running Avast! Antivirus (free).

I'm undecided between the two myself. :)
None of those will stop Javascript from running, which is what the OP
really needed anyway IMO.

NoScript will. :)
 
[snip]
You're wasting your time complaining about it, I remember when Usenet
was full of pedants making the same distinctions about spam.
it hardly takes a pedant to recognize that there's no such thing as an
infection that doesn't spread.

How does it get to your computer?

non-viral malware can BE spread (like manure) but it doesn't spread
itself (like an infectious disease).

it gets on your computer by way of being purposefully placed somewhere
(by a human being) where you (or some automated part of your computer)
are likely to run it.

the key difference between viral and non-viral malware is that
dependence on intentional malicious action by a person. after a virus
is released into a population, it just keeps going and going
autonomously without interference, but non-viral malware doesn't go
anywhere without someone laying some sort of trap.

and the reason that's important is because autonomous action can (in
theory) be mitigated with autonomous defenses, but human action cannot.

Are you saying nothing has to be done to get a virus to your computer
but simply visit the place where it resides and it will automatically
crawl to your machine....or run without any action on your part at that
place beyond any injection action by the place.
 
Are you saying nothing has to be done to get a virus to your computer
but simply visit the place where it resides and it will automatically
crawl to your machine....or run without any action on your part at that
place beyond any injection action by the place.

no. what i'm saying is that (unlike non-viral malware) viruses don't
need to be aimed, fired, commanded, or otherwise manipulated by an
attacker once they've been introduced into a victim population. they
still need to be executed because they're still programs, but some
will require victim users to behave a certain way and others won't.
 
amazed said:
On Mon, 16 Jan 2012 22:04:04 -0800 (PST), kurt wismer
[snip]
You're wasting your time complaining about it, I remember when Usenet
was full of pedants making the same distinctions about spam.
it hardly takes a pedant to recognize that there's no such thing as an
infection that doesn't spread.

Using biological parallels only goes just so far. Time to stir up some
mud and murky-up the water.
Malaria is an infection

But it's not a virus.

indeed, it's a parasitic single celled organism that infects and
reproduces within red blood cells.
In a computer virus sense, it is *carried* by mosquitoes - it *spreads*
by self-replication like a worm (not a virus). In a biological sense it
is spread by mosquitoes.

in a biological sense it spreads by itself, in so far as it spreads
from one cell to another by itself. when hopping from one person to
another it requires a carrier, just as it would require a carrier if
it were hopping from one country to another, or one planet to another.
often that carrier is a mosquito, but it could just as easily be a
hypodermic needle, or anything else capable of scratching or
puncturing the skin.

biological viruses also usually require a carrier medium to hop from
one animal to the next, although that carrier often takes the form of
a doorknob or a cloud of spittle that erupts from the faces of the
infected. there are other carriers as well, but the cloud of spittle
has grossed me out sufficiently already, so i'll leave STDs and things
like ebola up to the imagination.
People are 'hosting' the infections, the mosquitoes are *not* infected.
The mosquitoes are only the transmission vector between the humans.

In a computer virus sense, this is very wormlike. When you start invading
cells and co-opting their internal factories to reproduce more cell
invaders you start to look more like computer *viruses*.

in a computer virus sense i would think this is more floppy-disk-like,
or flash-drive-like, or maybe dropper-like. the mosquito is acting as
a container for the infectious material. unfortunately it's a
container that coincidentally seeks out victims for its own reasons.
 
DK said:
No, not just any "javascript" but, very clearly, the javascript that
installs and runs malware. Both of these programs are advertised to
stop such attacks and, in fact, are supposed to be able to do it -
based, at the very least, on the file execution real time protection
(OK, so in my case it was aided by some other program's security hole
but the fact is that a malicious EXE with code normally detected by
both of the programs was allowed to run). That's a big FAIL for
these antivirus products.

I think it hasn't been proposed in this thread, but I think you
should look into HIPS (Host Intrusion Prevention Software) to help
stop unwanted execution of programs that were, for whatever reason,
unwanted or mistakenly downloaded.
Under WinXP, I'm using an increasingly outdated (Kerio Personal)
Firewall mostly because for me the built-in HIPS (called Application
Behavior Blocking), which prevents programs from running if I don't give
them permission to do so, seems to work very well .. and though it's
been quite a while ago now, it has asked if I wanted to permit this
drive-by-DL'd program to run or not. I answered .. uh, No! .. and all was
(hopefully) well.

Now, it might be that under WinNT 6.x and up, User Access Control
(UAC) is intended to do this app behaviour blocking, but it seems to be
largely unconfigurable and can't be taught on a case-by-case basis which
exes you have decided you want to run and which ones you want to block.
So I hope there is some HIPS which includes AppBlocking that works for
Win7 so I can turn off UAC when I start using it.
 
Bear said:
Ya but ya gotta agree that is for the technically empowered folks who
have the ability to de-code eh, which most people are not. Most
people will try a few scanners or the such and yell for help...that
is unless they have a clean image, then they won't need help.

Doctor, I have a cold, I don't care what kind it is. I demand that you
give me some antibiotics.

Some doctors, like tireless David here, do try to explain that it will
be ineffective, and in the bigger picture dangerous, to treat a virally
caused cold with something designed to combat ...
But evidently, eventually many doctors give up and, oh well, here you
have your prescription ..

And thus, by public demand, we are rapidly heading back to
pre-penicillin times.
 
Etal said:
I think it hasn't been proposed in this thread, but I think you should
look into HIPS (Host Intrusion Prevention Software) to help stop
unwanted execution of programs that were, for whatever reason, unwanted
or mistakenly downloaded.
Under WinXP, I'm using an increasingly outdated (Kerio Personal)
Firewall mostly because for me the built-in HIPS (called Application
Behavior Blocking), which prevents programs from running if I don't give
them permission to do so, seems to work very well .. and though it's
been quite a while ago now, it has asked if I wanted to permit this
drive-by-DL'd program to run or not. I answered .. uh, No! .. and all was
(hopefully) well.

Now, it might be that under WinNT 6.x and up, User Access Control (UAC)
is intended to do this app behaviour blocking, but it seems to be
largely unconfigurable and can't be taught on a case-by-case basis which
exes you have decided you want to run and which ones you want to block.
So I hope there is some HIPS which includes AppBlocking that works for
Win7 so I can turn off UAC when I start using it.
That's not the purpose of UAC, and one should learn to use the computer
with it turned *on*.
 
Etal said:
Ok, and I'm not sure I wanna.
You're certainly not alone.

IMO, with UAC "off", silent failure should be the result. If one wants
things to work the right way, they should *do* things the right way.
 
I think it hasn't been proposed in this thread, but I think you
should look into HIPS (Host Intrusion Prevention Software) to help
stop unwanted execution of programs that were, for whatever reason,
unwanted or mistakenly downloaded.

i'm just as glad it hasn't been mentioned yet. it seems to me like
every person who uses that term has something slightly different in
mind. the term doesn't describe the actual function of software. what
it describes are the goals, but virtually all host-based security
software shares those goals (preventing host intrusions), so the term
is next to useless at identifying a specific technique/technology.
Under WinXP, I'm using an increasingly outdated (Kerio Personal)
Firewall mostly because for me the built-in HIPS (called Application
Behavior Blocking), which prevents programs from running if I don't give
them permission to do so, seems to work very well .. and though it's
been quite a while ago now, it has asked if I wanted to permit this
drive-by-DL'd program to run or not. I answered .. uh, No! .. and all was
(hopefully) well.

that is called application whitelisting. it's good but it has its
problems. the primary problems a whitelist implementation faces are a)
determining what's safe enough to add to the whitelist (you could
assume everything on your system right now is safe, but you'll still
need to update it as you add more software to the system), and b)
determining what is a program (it seems easy, but only when you make
certain arbitrary assumptions about what qualifies as a program - in
reality it's actually an undecidable problem).

nevertheless, whitelisting helps and it complements blacklisting
(the use of scanners) quite well.
 
I think it hasn't been proposed in this thread, but I think you should
look into HIPS (Host Intrusion Prevention Software) to help stop
unwanted execution of programs that were, for whatever reason, unwanted
or mistakenly downloaded.
Under WinXP, I'm using an increasingly outdated (Kerio Personal)
Firewall mostly because for me the built-in HIPS (called Application
Behavior Blocking), which prevents programs from running if I don't give
them permission to do so, seems to work very well .. and though it's
been quite a while ago now, it has asked if I wanted to permit this
drive-by-DL'd program to run or not. I answered .. uh, No! .. and all was
(hopefully) well.

Now, it might be that under WinNT 6.x and up, User Access Control (UAC)
is intended to do this app behaviour blocking, but it seems to be
largely unconfigurable and can't be taught on a case-by-case basis which
exes you have decided you want to run and which ones you want to block.
So I hope there is some HIPS which includes AppBlocking that works for
Win7 so I can turn off UAC when I start using it.
Unless malware gets into one of the programs you've told Kerio is OK.
 
Unless malware gets into one of the programs you've told Kerio is OK.

kerio will detect that the program has changed, in that case, and
prompt the user. then the user has to decide whether they were
expecting that program to change or not.
 
kurt said:
i'm just as glad it hasn't been mentioned yet. it seems to me like
every person who uses that term has something slightly different in
mind. the term doesn't describe the actual function of software. what
it describes are the goals, but virtually all host-based security
software shares those goals (preventing host intrusions), so the term
is next to useless at identifying a specific technique/technology.

Seems I even got the acronym wrong. The S stands for System, not
Software. The Wiki page David linked to was a veritable bonanza of
acronyms and initialisms, where sometimes one acronym had changed
function over time and in other cases the same functions had been given
a new name and then a different initialism/acronym too.

that is called application whitelisting.

That is what is available/active in the free version of Kerio's PF, and
that I've come to like and think could have given the OP, DK, an extra
layer of protection in this case from how I understood what had happened.
If a new program is launched for the first time, the user (hopefully)
gets a question whether this program indeed is to be allowed to run or not.
If it was deliberately DL'd and intended to be run - answer yes; if it
has been drive-by downloaded, managed to sneak by your firewall, or you
don't know what it is, answer no. Even if it is too new to be recognized
by AntiVirus/Malware scanners/databases you still have the say whether it
is something you /intended/ to run on your machine or not.

it's good but it has its
problems. the primary problems a whitelist implementation faces are
a) determining what's safe enough to add to the whitelist (you could
assume everything on your system right now is safe, but you'll still
need to update it as you add more software to the system), and b)
determining what is a program (it seems easy, but only when you make
certain arbitrary assumptions about what qualifies as a program - in
reality it's actually an undecidable problem).

nevertheless, whitelisting helps and it complements blacklisting
(the use of scanners) quite well.

So i'll use something that works quite well, until something that works
even better comes along.

(and what you wrote to Bear about a program changed by malware, is what
i would have written so i just agree with that post here)
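The last several posts describe application whitelisting as Kerio's Application Behavior Blocking does it: an unknown program produces a prompt, a program that was approved but has since changed on disk produces a prompt again, and the answer is remembered. The example below is added here to make that decision logic concrete; it is not Kerio's code or any product's. It hashes program bytes rather than trusting the path alone, which is what catches the "malware gets into one of the programs you've told Kerio is OK" case, and it keeps a recorded "block" so a denied program stays denied without re-asking. The paths and program contents are constructed for the demo, and the hook that intercepts process creation (the hard part kurt alludes to, deciding what counts as a program) is not modelled.

```python
"""Hash-based application whitelist with change detection.

Added example for this thread, not Kerio's or any product's code. It
covers three outcomes: unknown program (prompt), approved program whose
bytes changed (prompt again), recorded decision (enforce silently). The
file paths and "program" bytes below are constructed sample data.
"""
import hashlib
import json
from typing import Callable, Dict, List, Tuple

ALLOW, BLOCK = "allow", "block"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AppWhitelist:
    def __init__(self) -> None:
        # path -> (sha256 of the bytes the decision was made on, decision)
        self.entries: Dict[str, Tuple[str, str]] = {}

    def check(self, path: str, contents: bytes,
              prompt: Callable[[str, str], bool]) -> Tuple[str, str]:
        """Decide whether the program at `path` may run.

        Returns (decision, reason). `prompt(path, reason)` is called only
        when a user decision is needed; True means "let it run".
        """
        digest = sha256_hex(contents)
        entry = self.entries.get(path)
        if entry is None:
            reason = "unknown program"
        elif entry[0] != digest:
            # Same path, different bytes: a legitimate update or an
            # infected/replaced file. Only the user can tell which.
            reason = "program changed since last decision"
        else:
            return entry[1], "matches recorded hash"
        decision = ALLOW if prompt(path, reason) else BLOCK
        self.entries[path] = (digest, decision)
        return decision, reason

    def export(self) -> str:
        """Serialise the list so decisions survive a reboot."""
        return json.dumps(self.entries, sort_keys=True)


def run_demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Scripted session: the 'user' approves only the editor."""
    wl = AppWhitelist()
    editor_path, dropped_path = r"C:\Tools\editor.exe", r"C:\Temp\update.exe"
    answers = {editor_path: True, dropped_path: False}
    prompts: List[Tuple[str, str]] = []

    def user(path: str, reason: str) -> bool:
        prompts.append((path, reason))
        return answers.get(path, False)   # deny anything not recognised

    editor_v1 = b"MZ editor build 1"          # constructed, not a real binary
    editor_v2 = b"MZ editor build 1 + patch"  # same path, changed bytes
    dropped = b"MZ dropped by a web page"     # drive-by download stand-in

    results = [
        wl.check(editor_path, editor_v1, user),  # unknown -> prompt -> allow
        wl.check(editor_path, editor_v1, user),  # recorded -> allow, no prompt
        wl.check(editor_path, editor_v2, user),  # changed -> prompt -> allow
        wl.check(dropped_path, dropped, user),   # unknown -> prompt -> block
        wl.check(dropped_path, dropped, user),   # recorded -> block, no prompt
    ]
    return results, prompts


if __name__ == "__main__":
    results, prompts = run_demo()
    for (decision, reason), in zip(results):
        print(f"{decision:5}  ({reason})")
    print(f"{len(prompts)} prompts shown")
```

Three prompts for five launches is the trade-off kurt describes: every newly installed or updated program costs the user a decision, and the list is only as good as those decisions. A scanner (blacklist) and a list like this (whitelist) fail in different places, which is why the thread treats them as complementary.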
 