S
Straight Talk
I'm so sick of folks waving "just" try this scanner, "just" try this
"removal tool" as if these were magically simple ways to solve
problems.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
I'm so sick of folks waving "just" try this scanner, "just" try this
"removal tool" as if these were magically simple ways to solve
problems.
C
cquirke (MVP Windows shell/user)
I'm so sick of folks waving "just" try this scanner, "just" try this
"removal tool" as if these were magically simple ways to solve
problems.
I quite agree with you, especially with respect to online scanning
(which has always seemed the ultimate leap of faith).
Formal scanning is in the same complexity frame as building a system
to stay clean (given that the last attempt to do that, failed, which
is why the topic arises in the first place) or data in and malware out
when planning a restore of backups.
The reason is that the underlying problem has that complexity built
into it. Occam's Razor meets the Halting Problem, and the Halting
Problem wins ... hey, a new tag is born!
So my posts on this topic are a lot longer than "just" this or "just"
that, and it is harder than it needs to be, because MS haven't forseen
the need to formally clean PCs. After all, Windows is now "so
secure", it never gets infected, so the need doesn't arise? What "95%
of spam is sent through botnets" problem?
I wish the "wipe vs. clean" argument would fade away, because it is as
silly as "are PCs infected because of code exploits or dumb users?"
There is no duality here. Both approaches are complex, and
appropriate to various circumstances. It's no good having a kidney
transplant for a bad liver, just because you don't have a liver donor.
I'll leave you (or rather, more simplistic others, as I think you're
aware of what's involved) with two final thoughts:
1) If the perfect malware is undetectable...
....then should all normally-working PCs be considered infected and
"just" wiped and rebuilt? Or "just" all PCs that show any ill-defined
problems, given that most malware is imperfect?
IOW, if you cannot be shure you can exclude malware, the problem
expands beyong "infected PCs" to "PCs that may be infected".
2) Do users want to kill malware enough?
If a user has a chice between a working system that happens to send
out masses of spam via thier "all you can eat" broadband connection,
and "just" wiping the box and not preserving any data, which do you
think they will choose?
Does history of piracy, file sharing, etc. suggest users will swallow
pain to "do the right thing" for nameless others?
When Occam's Razor meets the Halting Problem,---------- ----- ---- --- -- - - - -
the Halting Problem wins
S
Straight Talk
Thanks for the info cquirke. It sounds like "malware" is a real
problem. If you have Norton 360 - or any major anitviral/anitspam
program are you truly protected from these things.
No.
I always wonder if they really do what they claim. I do my scans and
my Norton gives me the "thumbs up" but I wonder....
Good idea.
C
cquirke (MVP Windows shell/user)
On Fri, 20 Jul 2007 22:26:16 -0500, The Sand
I see the av as the "goalie as last resort"; if it's popping up all
the time to tell you it stopped this or that, then you are taking too
many risks. Ideally, it should never see anything to catch, i.e. you
should play your game so well that no malware ever gets close enough
to take a shot at the goalie.
Antivirus catches most things, irrespective of how they get in.
Risk management may block only certain routes of entry, but can do so
more absolutely than av.
So the two approaches mesh really well.
The problem is, a pure network worm can go global in under an hour,
and a 1-generation spam-out can get malware to you and your av vendor
at about the same time. Both scenarios make your "daily av update"
look a bit weak to rely on, even before you factor in the time an av
vendor needs to rev-eng a new malware and dev a fix for it.
The good ones will be careful about what they claim to do ;-)
Scanning the whole system for malware (while standing in the infected
OS) can be worse than a waste of time. If the av's let something
through, then both you and the av have failed. Using the same av that
failed to catch it "live" isn't a winning strategy; even if the av's
now updated to "see" the malware, the active malware is
well-positioned to prevent itself from being removed.
Don't EVER thing ANY antivirus will protect you so well that you can
take stupid risks. That's like thinking you can crash into oncoming
traffic because you're wearing a seatbelt...
(and yes, "physical world analogy alert"... how's it going with your
desktop, folders and files out there? Where do you think those
concepts came from, or "virus" for that matter?)
Thanks for the info cquirke. It sounds like "malware" is a real
problem. If you have Norton 360 - or any major anitviral/anitspam
program are you truly protected from these things.
I see the av as the "goalie as last resort"; if it's popping up all
the time to tell you it stopped this or that, then you are taking too
many risks. Ideally, it should never see anything to catch, i.e. you
should play your game so well that no malware ever gets close enough
to take a shot at the goalie.
Antivirus catches most things, irrespective of how they get in.
Risk management may block only certain routes of entry, but can do so
more absolutely than av.
So the two approaches mesh really well.
The problem is, a pure network worm can go global in under an hour,
and a 1-generation spam-out can get malware to you and your av vendor
at about the same time. Both scenarios make your "daily av update"
look a bit weak to rely on, even before you factor in the time an av
vendor needs to rev-eng a new malware and dev a fix for it.
I always wonder if they really do what they claim.
The good ones will be careful about what they claim to do ;-)
I do my scans and my Norton gives me the "thumbs up"
Scanning the whole system for malware (while standing in the infected
OS) can be worse than a waste of time. If the av's let something
through, then both you and the av have failed. Using the same av that
failed to catch it "live" isn't a winning strategy; even if the av's
now updated to "see" the malware, the active malware is
well-positioned to prevent itself from being removed.
Don't EVER thing ANY antivirus will protect you so well that you can
take stupid risks. That's like thinking you can crash into oncoming
traffic because you're wearing a seatbelt...
(and yes, "physical world analogy alert"... how's it going with your
desktop, folders and files out there? Where do you think those
concepts came from, or "virus" for that matter?)
Dreams are stack dumps of the soul--------------- ----- ---- --- -- - - -
S
Straight Talk
Okay... so if these programs we purchased (Norton and the like) aren't
doing a good job protecting us like we think they are... what do you
use???
I don't use any kind of anti-whatever stuff, actually. I put all my
efforts into preventing it in the first place. That doesn't mean I
would recommend others to do the same just like that, though.
or recommend we do to protect ourselves from "Malware" etc. All
advice is good...
A good start is to learn understanding the risks. If you don't
understand the channels through which malware can get in you're likely
to do stupid things that security software won't keep protecting you
from.
The vast majority of malware infections still comes down to the user
not paying proper attention (clicking links in e-mails, opening e-mail
attachments, running questionable programs obtained from e.g.
file-sharing app's a.s.o.). You need to be constantly aware of what
you're doing and not install and run any piece of code you run into -
no matter how sweet the guy who sends it to you seems to be.
Then there are malware infections and stuff like ad ware annoyances
spread through client side scripting (code run locally on your
machine) like ActiveX (a flawed MS concept found in IE), Java, Java
Script, VB Script etc. being executed in your web browser, your mail
client etc.
Then there are the nasty malware infections taking advantage of flaws
in software - something you can do almost nothing against except from
running not awfully flawed software and keeping it patched.
The best thing you can do for starters is to harden your OS (configure
it securely and reduce the amount of code running to a minimum). Get
help from someone who knows how to do this - and then keep your OS and
other software patched!!
Run a limited user account for daily tasks and use only the
administrator account for what it was meant for.
Stay away from awfully flawed software like Outlook and Internet
Explorer except for sites you trust that won't run without it. Use a
browser that allows you to easily control whether scripting is allowed
to run by site (e.g. "Opera" or "Firefox with the NoScript plug in").
C
cquirke (MVP Windows shell/user)
On Sun, 22 Jul 2007 15:00:58 -0500, The Sand
Me2. When I found safer UI settings were set back to unsafe duhfaults
upon making an XP "Gold" user account a "limited user", I thought "to
hell with this; I'd rather have my choice of settings and admin
exposure, thanks". I don't know whether XP SP2 is still as broken;
it's a lot of work setting up a new user account, and I don't relish
doing it for nothing if the OS is too brain-dead to keep my settings.
Microsoft, as in PSS? Or Window' internal logic?
Windows is weak on protecting per-account registries, but these things
can usually be fixed via Bart. Often, it is either:
- a corrupted user registry hive log file
- rename away old log file
- repair file system
- a corrupted user registry hive
- harvest previous copy of the hive via Bart
- rename things so this is in effect
- test from Bart via RunScanner
- if OK, test Safe Mode, then Windows etc.
On "harvesting registry hives via Bart", see;
http://cquirke.blogspot.com/search?q=System+Restore+Bart+hive
That sounds crap. If a malware is cleaned up, you need to know
everything about it; where the file was, what it was called, the same
of the malware and perhaps a link to a write-up, what the malware was
doing at the time it was caught, what registry clean-up was done, etc.
Else you break the "no unlogged changes to the system" rule.
I switched from "neutral, but not recommended" to "avoid" on Norton AV
when they started including commercial malware (DRM) within the
package. If I have to go hand to hand with malware, I do NOT want to
have to ask myself: "Is this stealth file part of the malware of
Norton's 'special code'? If I remove this, will I kill the av?"
I can avoid that mess for free, and do.
Thanks for the thanks - it's a pleasure ;-)
ashtrays in the lounge, when I don't even have a car?"
Thanks for your replies cquirke and Straight Talk. I do think I have a
better understanding of malware now...
I don't consider myself an "idiot user" or a "risk taker" when using my
computer but I also don't think (after reading this) that I do all I can
either. I run everything from my "Administrator Account."
Me2. When I found safer UI settings were set back to unsafe duhfaults
upon making an XP "Gold" user account a "limited user", I thought "to
hell with this; I'd rather have my choice of settings and admin
exposure, thanks". I don't know whether XP SP2 is still as broken;
it's a lot of work setting up a new user account, and I don't relish
doing it for nothing if the OS is too brain-dead to keep my settings.
Recently when my comptuer crashed Microsoft set up a new account
Microsoft, as in PSS? Or Window' internal logic?
and put my data into the new one (the administrator account got
corrupted.) So, maybe running everything from one account is
not such a good idea.
Windows is weak on protecting per-account registries, but these things
can usually be fixed via Bart. Often, it is either:
- a corrupted user registry hive log file
- rename away old log file
- repair file system
- a corrupted user registry hive
- harvest previous copy of the hive via Bart
- rename things so this is in effect
- test from Bart via RunScanner
- if OK, test Safe Mode, then Windows etc.
On "harvesting registry hives via Bart", see;
http://cquirke.blogspot.com/search?q=System+Restore+Bart+hive
I have Norton 360 on both my systems and I never hear them "flag"
anything. The new 360 doesn't have the logs the old Norton had - which
I don't like. They have this "statistics" page but it doesn't have near
the info the old logs had (like if you were attacked, your firewall and
what it's done, scans and how long they take, email, etc.)
That sounds crap. If a malware is cleaned up, you need to know
everything about it; where the file was, what it was called, the same
of the malware and perhaps a link to a write-up, what the malware was
doing at the time it was caught, what registry clean-up was done, etc.
Else you break the "no unlogged changes to the system" rule.
So, you really don't know with them now - what they are really doing.
I switched from "neutral, but not recommended" to "avoid" on Norton AV
when they started including commercial malware (DRM) within the
package. If I have to go hand to hand with malware, I do NOT want to
have to ask myself: "Is this stealth file part of the malware of
Norton's 'special code'? If I remove this, will I kill the av?"
I can avoid that mess for free, and do.
As for "harden your OS (configure it securely and reduce the
amount of code running to a minimum.)" by Straight Talk. I'll
need help with that... but I'll get it.
Thanks for the information... I know it helps more than just me when
you take the time to reply here.
Thanks for the thanks - it's a pleasure ;-)
"Why do I keep open buckets of petrol next to all the-- Risk Management is the clue that asks:
ashtrays in the lounge, when I don't even have a car?"
C
cquirke (MVP Windows shell/user)
On Mon, 23 Jul 2007 00:04:58 -0500, The Sand
Cool! It's not often that one gets to deal with PSS (most Windows is
OEM, and *as* an OEM, I don't have access to PSS) but whenever I have
done, as for example in this case...
http://cquirke.mvps.org/sp2intel.htm
....they've been really good.
Yes, I agree!
I asked the question as Windows will automatically spawn new account
settings and/or use a temporary account set that is discarded when you
log out or shut down, when it detects the "real" account to be bad.
There are a whole lot of Qs and As that arise when *that* happens
;-)
in medicine is the Retrospectoscope
Microsoft, as in PSS? Or Window' internal logic?
To answer your question, Microsoft PSS - he was fabulous! It was $59
and he spent 4 hours with me one day. I Emailed him before bed because
I encountered another problem and he CALLED me in the morning and spent
another 2 hours with me that day.
Cool! It's not often that one gets to deal with PSS (most Windows is
OEM, and *as* an OEM, I don't have access to PSS) but whenever I have
done, as for example in this case...
http://cquirke.mvps.org/sp2intel.htm
....they've been really good.
often in life things are "not" as good as they should be so when that is
"reversed" it is worth a mention.
Yes, I agree!
I asked the question as Windows will automatically spawn new account
settings and/or use a temporary account set that is discarded when you
log out or shut down, when it detects the "real" account to be bad.
There are a whole lot of Qs and As that arise when *that* happens
;-)
The most accurate diagnostic instrument------------ ----- ---- --- -- - - - -
in medicine is the Retrospectoscope