Ron Reaugh said:
"Some time ago" seems to be confirming what I said.
Now did your test PC have a then current virus checker and a then current firewall?
Yes it had a virus checker with all updates.
Yes it had all Windows updates.
If by firewall you mean personal firewall software then no it didn't because
this would have made no difference.
Personal firewalls do not stop Internet Explorer downloading whatever the
user requests as far as I'm aware.
They also do not stop Internet Explorer downloading something the user
didn't request.
The only way to keep adware off Windows 98 is to stop it reaching the PC.
click.
OK, so I assume you finished the experiment and can tell us when "two popular virus scanners" DID start finding it?
As already stated the fully updated scanners were not finding anything wrong
with the file after a week.
I then decided to get rid of the file in case it was detected and frightened
anyone in the future.
I'm not in the business of collecting malware.
It would surprise me if current virus scanners don't detect it but there is
no way for me to find out.
"never" implies incompetence/fraud or that the infection was a very special
one target thing.
Using the current model of anti-virus software I don't see how any virus
scanner vendor can be expected to get an update done and distributed to
users before malware has executed on their PC.
This is simply not possible unless they turn their efforts to time travel
instead of malware detection.
I cannot recall a virus I came across this year which hadn't executed and
done damage to a user's PC BEFORE their virus scanner was updated to detect
it. The last one was due to a 12 year old using MSN messenger in an XP
administrator account. This left the user helpless because task manager
wouldn't run and IE wouldn't go to any anti-virus sites. AVG took more than
24 hours to start detecting it and I don't see how they could have done it
any faster.
Is it only me who thinks that there may be something wrong with this model?
when
OK, so tell us all the secret solution save the daily clean OS install that
seems so popular here
There are no secrets.
Ask yourself why businesses of any size don't use (or shouldn't be using)
the current home user model.
Ask yourself why users in these businesses who have email and web browsing
access think that they have full Internet access and don't notice any
difference between Internet access at work and Internet access at home.
A few of these users may wonder why they never get any viruses at work but
can't keep viruses off their home PC.
From the DOS prompt I can see a file C:\NULL that has a 5/5/05 date. Since 5/5 both a full manual AVG and Trend HouseCall 6 run have been done on this PC finding nothing.
So where and how did this file C:\NULL that AVG claims is Trojan horse Downloader.Generic.ML appear from? Was it really there since 5/5 but went unnoticed by both AVG and Trend HouseCall 6 and then this morning AVG suddenly downloaded a new definition file which started seeing this trojan?
Virus scanners don't have any magical ability to detect trojans, they have to be told what is a trojan and what isn't via the updates.
Right, but 5/5/05 is over 30 days old... am I some special case alpha infection point?
Nope, you're just an average Windows user who got the trojan that wasn't
widespread enough to be noticed immediately.
I find that unlikely but barely possible.
Barely possible would be more than enough for me. I'd rather make it
impossible. To do that you arrange to prevent any executable code getting
where you don't want it. This is likely to be impossible with a Windows 98
PC connected directly to a broadband connection where everything has
complete access to everything else.
Consider an external firewall box which stops it getting to the PC in the
first place.
An anti-virus vendor may manage to do an update in less than a day if the virus/trojan is all over the news but it may otherwise take longer. Trojan writers are not under any obligation to send copies of their trojans to anti-virus vendors.
OR did something penetrate all the firewalls and suddenly spawn this file which AVG quickly recognized?
I have no idea where C:\NULL came from but if it were on my PC I would want to know what it was.
If I was sitting at the PC which had C:\NULL on it then I'd look in C:\NULL to see what was there.
After one noticed it. I don't inspect c:\ or c:\win or c:\win\system[32] hourly to spot undesirable files. That's what I got AVG etc. for.
I don't either, but I don't allow additional executable files on to the system in the first place, so I don't have to go file spotting very often on my own machines. I also don't need AVG.
I'd also find out whether anything in there was referenced during startup. For that I'd need Spybot S&D in advanced mode or http://www.hijackthis.de/ or just regedit.
What likely happened here?
Impossible to say. One possibility is that you got something via an unpatched IE vulnerability.
I was under the impression that there weren't any of these that have resulted in actual infections any time recently. Lots of new vulnerabilities keep being found and reported and fixed. And that's all before there are any infections/penetrations using them, and that's what I've been hearing for over a year.
Who have you been hearing this from?
Where have you been hearing the other from?
Ask yourself why there is a cumulative update every month.
YES, please do so. Have you been reading about the intense preemptive work going on to find the holes before the hackers? From what I've heard that's been effective down to within a day or two for the last year or two. References otherwise?
How about the experiment I did with the isolated Windows 98 PC described above.
"Some time ago"....
Why does it make a difference?
All Windows and anti-virus updates were in place at the time.
HMM, now that sounds like something I'd say.
Filter it out before it reaches the PC.
YES, now if someone would care to describe in more detail why that came to pass rather than hyperbole and paranoid rantings then I'd be happy. Is that protection model many are using totally bogus?
There are various reasons why the current home user model is not likely to
change any time soon.
I'll list a few of the reasons I can think of, there may be many others.
1. Cost. Proper external firewall/proxy boxes start at three figures.
2. Time and effort. Good external boxes can be made out of free software and
an old PC, but time and effort is required to set it up. A certain level of
knowledge is also required for successful configuration whether you use a
ready made solution or a free software one. You can pay someone to do it for
you but then we're back to cost.
3. Knowledge. Windows 98 is not likely to be possible to secure for the
average home Windows user if connected directly to broadband. Later versions
of Windows are better but cannot be used in a secure manner because this
breaks too many existing applications. Windows applications are still being
written which require access to more than they should be able to access if
they are to work properly. I won't bother stating that you could use an
operating system other than Windows because I've met people who think that
Windows and computers are the same thing.
Jason
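The approach argued for in the thread, stopping executable content before it reaches the PC instead of waiting for a scanner signature, can be sketched as the check a filtering proxy would run on each download. This is an added example and not code from anyone in the thread; the `filter_decision` and `is_pe_executable` functions, the extension and MIME lists, and the sample downloads are all constructed here as assumptions. The body check looks at the actual DOS/PE header layout, so a renamed executable is caught even when its extension and declared content type look harmless.

```python
import struct

# Extensions Windows will run directly (list chosen for this example;
# a real filter would carry a longer one).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js",
    ".dll", ".cpl", ".hta",
}

# MIME types that explicitly declare a Windows executable.
EXECUTABLE_MIME_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
}


def is_pe_executable(data: bytes) -> bool:
    """True if data carries a DOS/PE executable header.

    Follows the real PE layout: 'MZ' at offset 0, a little-endian
    e_lfanew at offset 0x3C, and the 'PE\\0\\0' signature at the offset
    e_lfanew points to. Anything shorter or mismatched is not treated
    as an executable.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def filter_decision(url_path: str, content_type: str, body: bytes):
    """Decide whether a downloaded object may pass through to the PC.

    Returns ("allow", []) or ("block", [reasons...]). Any one of the three
    signals (extension, declared MIME type, executable header in the
    body) is enough to block; the reasons list records which ones fired.
    """
    reasons = []
    name = url_path.rsplit("/", 1)[-1].lower()
    dot = name.rfind(".")
    ext = name[dot:] if dot != -1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    # Strip parameters such as "; charset=binary" before comparing.
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime in EXECUTABLE_MIME_TYPES:
        reasons.append(f"executable content type {mime}")
    if is_pe_executable(body):
        reasons.append("PE executable header in body")
    return ("block" if reasons else "allow", reasons)


def make_fake_pe() -> bytes:
    """Constructed minimal PE-looking blob for testing only: an 'MZ' DOS
    stub with e_lfanew = 0x40, followed by the 'PE\\0\\0' signature."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    # Constructed sample downloads: plain text, an obvious .exe, and an
    # executable renamed to .txt and served as text/plain.
    samples = [
        ("/files/readme.txt", "text/plain", b"just text"),
        ("/files/setup.exe", "application/octet-stream", b"stub"),
        ("/files/notes.txt", "text/plain", make_fake_pe()),
    ]
    for path, ctype, body in samples:
        verdict, why = filter_decision(path, ctype, body)
        print(f"{path}: {verdict} {why}")
```

The third sample is the case the thread's argument rests on: a scanner without a signature lets it through, while a filter that refuses executables regardless of name blocks it without needing to know which trojan it is.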