Windows Firewall and 3rd Party Firewall

  • Thread starter JamesJ
Jesper Ravn said:
Why do I want that? SRP will prevent the malware from executing in my
user profile.
LUA will prevent it executing in Program Files and the system area.
Catch-22 situation.


My point is that the chances are very low for you to get infected from
trusted sources.
Also, normal "Mr and Mrs" do not install applications every day.


Ok, then do the damn online-scan. Here you have 20-30 AV scanners and
not just one.
http://virusscan.jotti.org/
http://www.virustotal.com/

That could be point 7 on my list. Is it ok with you now :-).

No, what about programs that the system executes for you without your
being asked beforehand?
 
I think when Windows Vista detects a third party firewall, it will
automatically turn off its built-in firewall to avoid conflict.
Maybe a security suite is not the best solution for a personal computer,
but it is not something bad from my point of view.
So you can ignore Windows Firewall if you already have your own
firewall product.

Why would you use a third party firewall compared to the built-in?
Filtering outgoing connections is pointless, because it's already game over
when malware is in your system while running as local admin, and you can
filter just fine with the built-in too.

Incoming connections to a port that has no service running will be denied by
default OS design.

I can't see the idea in using a third party firewall compared to the
built-in, maybe if you wanted another GUI?
 
FromTheRafters said:
No, what about programs that the system executes for you without your
being asked beforehand?

Dong - Round 13

Let us try to break it down a little bit.

Computer with the 6 points already implemented (10-15 min setup). So far
so good.

I have 2 accounts:
standard = day-to-day operations (web, mail, music, movie, work etc.)
Admin = only used when installing new applications from a trusted source.
Ex. of trusted sources = Adobe, WinZip, Java, MS, Winamp etc.

When I use my standard account, there is no way to be infected (LUA + SRP).
LUA prevents malware from writing in the system area.
SRP prevents malware from executing in my user profile.
Catch-22 situation.

Now I do agree with you, that there is a little chance to get infected when
I use my admin account to install new software.
But is it really a threat? You only have to follow one rule. Always
download software from trusted sources and think.
You would have the same issue if you want to find a good plumber or
restaurant. What do you do?
You do some research (Google), ask your friends or family, ask your
co-workers, ask in forums etc.
Even a complete newbie should be able to handle that.
To me it's really that simple. There is no reason to complicate that fact and
spread fear to the users and newbies.
Combine the above with a little education, and we will win the war on malware in
a very short time.

/Jesper
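The two-account model above (standard account for day-to-day use, admin only for trusted installs, SRP denying execution in the user profile) and the earlier point that the built-in firewall already denies unsolicited inbound traffic by default are both things a reader can verify on their own machine. The following read-only audit script is an added example, not code from anyone in this thread. It assumes a Windows box with PowerShell 3 or later and the NetSecurity module (Windows 8 / Server 2012 or newer) for `Get-NetFirewallProfile`; the SRP default level is read from the standard `Safer\CodeIdentifiers` policy key, and the value names and meanings are as documented for SRP, not something this thread states. The write probes only create and immediately delete a scratch file; nothing here changes a setting.

```powershell
# Added example: audit the "LUA + SRP + built-in firewall" baseline.
# Assumes PowerShell 3+; Get-NetFirewallProfile needs the NetSecurity module.

function Test-RunningAsAdmin {
    # LUA check: does the *current token* hold the Administrators role?
    # With UAC, an admin user in a non-elevated shell still gets $false here,
    # because the filtered token is what malware would inherit.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-SystemAreaWritable {
    # Tries to create (and immediately delete) a scratch file in a protected
    # directory. Under a standard user this is expected to fail, which is the
    # "LUA prevents writing to the system area" half of the catch-22.
    param([string]$Directory)
    $probe = Join-Path $Directory ("lua-probe-" + [guid]::NewGuid().ToString() + ".tmp")
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-SrpDefaultLevel {
    # SRP's default security level lives under the Safer\CodeIdentifiers
    # policy key. DefaultLevel 0 = Disallowed, 0x20000 = Basic User,
    # 0x40000 = Unrestricted. A missing key means no SRP policy at all,
    # i.e. the "SRP prevents execution in my user profile" half is absent.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $item = Get-ItemProperty -Path $key -Name DefaultLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not configured' }
    switch ($item.DefaultLevel) {
        0       { return 'Disallowed (default deny; only explicit rules allow execution)' }
        0x20000 { return 'Basic User' }
        0x40000 { return 'Unrestricted (default allow; rules can only block)' }
        default { return ('unknown value 0x{0:X}' -f $item.DefaultLevel) }
    }
}

function Get-FirewallInboundSummary {
    # Built-in firewall: per profile, is it on and does it block unsolicited
    # inbound traffic by default? This is the behaviour the thread relies on
    # when it says a port with no listening service is denied by default.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile        = $_.Name
            Enabled        = [bool]$_.Enabled
            DefaultInbound = $_.DefaultInboundAction.ToString()
        }
    }
}

# Report: run once from the standard account and once elevated to compare.
"Running as admin      : $(Test-RunningAsAdmin)"
"Program Files writable: $(Test-SystemAreaWritable -Directory $env:ProgramFiles)"
"Windows dir writable  : $(Test-SystemAreaWritable -Directory $env:windir)"
"SRP default level     : $(Get-SrpDefaultLevel)"
Get-FirewallInboundSummary | Format-Table -AutoSize
```

Run it from the day-to-day account and the expected picture for the setup described above is: not admin, both protected directories not writable, SRP default level Disallowed, and every firewall profile enabled with `DefaultInbound` set to `Block`. Anything else is a gap in the baseline rather than a reason to add another product. Note the limits the later TechNet quote spells out: SRP does not cover drivers, anything running as SYSTEM, Office macros or CLR code, so this script says nothing about those.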
 
Jesper Ravn said:
Dong - Round 13

Let us try to break it down a little bit.

Computer with the 6 points already implemented (10-15 min setup).
So far so good.

I have 2 accounts:
standard = day-to-day operations (web, mail, music, movie, work etc.)
Admin = only used when installing new applications from a trusted
source.
Ex. of trusted sources = Adobe, WinZip, Java, MS, Winamp etc.

When I use my standard account, there is no way to be infected (LUA +
SRP).
LUA prevents malware from writing in the system area.
SRP prevents malware from executing in my user profile.
Catch-22 situation.

From:

http://technet.microsoft.com/en-us/library/cc507878.aspx

"Virus Scanning Programs

Most anti-virus software has a real-time scanner program that starts
when the user logs in and scans all files accessed by the user, looking
for possible virus contamination. Make sure your rules allow your virus
scanning programs to run."

Why would they mention that if it were no longer needed?
Now I do agree with you, that there is a little chance to get infected
when I use my admin account to install new software.
But is it really a threat?

Maybe not now, as malware writers have plenty of low hanging fruit to
harvest. Things could change though.
You only have to follow one rule. Always download software from
trusted sources and think.
You would have the same issue if you want to find a good plumber or
restaurant. What do you do?
You do some research (Google), ask your friends or family, ask your
co-workers, ask in forums etc.
Even a complete newbie should be able to handle that.
To me it's really that simple. There is no reason to complicate that
fact and spread fear to the users and newbies.
Combine the above with a little education, and we will win the war on
malware in a very short time.

....and then you wake up...
 
From:

http://technet.microsoft.com/en-us/library/cc507878.aspx

"Virus Scanning Programs

Most anti-virus software has a real-time scanner program that starts
when the user logs in and scans all files accessed by the user, looking
for possible virus contamination. Make sure your rules allow your virus
scanning programs to run."

Why would they mention that if it were no longer needed?

Try keeping things in their proper perspective.
Maybe not now, as malware writers have plenty of low hanging fruit to
harvest. Things could change though.

As humans we can imagine all kinds of stuff. But try to keep some
realism to the discussion.
...and then you wake up...

and try staying a little serious.
 
Root Kit said:
Try keeping things in their proper perspective.


As humans we can imagine all kinds of stuff. But try to keep some
realism to the discussion.


and try staying a little serious.

I am serious. AV is still needed even after a strict adherence to what
Jesper has outlined. You could still have your files infected through
worm intrusion or by viral infiltration into the trusted source
scenario.

Another tidbit from the same document:

"Scope of Software Restriction Policies

Software restriction policies do not apply to the following:

[] Drivers or other kernel-mode software.

[] Any program run by the SYSTEM account.

[] Macros in Microsoft Office 2000 or Office XP documents.

[] Programs written for the common language run time. (These programs
use the Code Access Security Policy.)"

Malware is the way it is, because the environment is the way it is.
Reduce the quantity of the low hanging fruit, and malware will become
more sophisticated. AV will still be necessary.
 
FromTheRafters said:
Root Kit said:
Try keeping things in their proper perspective.


As humans we can imagine all kinds of stuff. But try to keep some
realism to the discussion.


and try staying a little serious.

I am serious. AV is still needed even after a strict adherence to what
Jesper has outlined. You could still have your files infected through worm
intrusion or by viral infiltration into the trusted source scenario.

Another tidbit from the same document:

"Scope of Software Restriction Policies

Software restriction policies do not apply to the following:

[] Drivers or other kernel-mode software.

[] Any program run by the SYSTEM account.

[] Macros in Microsoft Office 2000 or Office XP documents.

[] Programs written for the common language run time. (These programs use
the Code Access Security Policy.)"

If you follow the 6 headlines I listed previously, none of the above will be a
problem.
If you install drivers/applications with an admin account from cracksite.com,
nothing can help you.
Malware is the way it is, because the environment is the way it is. Reduce
the quantity of the low hanging fruit, and malware will become more
sophisticated. AV will still be necessary.

Let me try to sum up, how the situation is today regarding "fight malware".
Please have a look at the links below and cry or laugh together with me.

quote:
After I installed spybot, mbma, Hijackthis, also run F-secure, Panda,
Kaspersky online scan (Kaspersky only scan for 51% after running for 7hrs,
so I stopped it and did not finish that scan), my pc is SUPER slow, take
ages to load, worrying might be conflict with my current firewall system
(I read FAQ saying I should only have 1 anti-virus, 1- antispy, 1-
anti-malware, 1-firewall, my firewall also includes anti-virus and anti-spy
function),
I uninstalled spybot, mbma, Hijackthis yesterday while waiting for your
reply.
My pc remains super slow when I try to access the internet even after the
above uninstallation .
As you pointed out in your reply, I should not skip any steps. That is why I
want to ask you first before go ahead.
Do I just need to reinstall Hijackthis, (without reinstall spybot and mbma),
then follow your RSIT instruction?
Or I need to reinstall spybot, mbma, Hijackthis, then continue with your
RSIT steps?
http://www.spywareinfoforum.com/index.php?showtopic=122965&st=0

quote:
I'm in a great deal of a mess. I was downloading different antiviruses
(Kaspersky and a newer ESET) and then I blue screened out of nowhere while
running Kaspersky.
Now everytime I restart I blue screen. I don't know what to do. Can someone
help?
Also, I don't have tanything to backup onto and my laptop didn't come with
the OS discs.
http://www.spywareinfoforum.com/index.php?showtopic=123581

quote:
NIS09 DID NOT Detect 8 Threats & 23 Infected Objects..and 16 suspicious
Objects??
http://community.norton.com/norton/...thread.id=48439&view=by_date_ascending&page=1

The same problems go on and on in all the security forums today.
The conclusion must be like this: "If malware won't take down your computer,
you can be absolutely sure that your Anti 2009 application will do the job".
So, no, we don't need more security applications, we need a secure standard
setup and 5 min. of education.

/Jesper
 
[...]

I laughed, I cried...
The same problems go on and on in all the security forums today.
The conclusion must be like this: "If malware won't take down your
computer, you can be absolutely sure that your Anti 2009 application
will do the job".
So, no, we don't need more security applications, we need a secure
standard setup and 5 min. of education.

I agree, a person shouldn't need all that. Most of it can be done
without completely, just by doing as you suggest. Chances are good that a
person will never encounter a virus on their machine in that scenario.
Chances are good that someone will be infected despite the measures to
avoid it - if you don't want to be that person, use antivirus in
addition to those methods.
 