Fog Creek Software
Discussion Board




Anti-anti-virus

I don't get the anti-virus movement.

I've been connected to the net for 10 years this October. Never used AV software. Never ever had a virus. Had a couple of worms; but now live behind a router with NAT - no more worms. Router doesn't even have the firewall turned on because NAT seems to take care of it.

My last experience with AV software is that it caused many more problems than it solved. The number of strange problems I've seen on people's machines which were eventually solved by turning off the AV scanning... well, lots.

It works for me. I don't open messages from Anna Kournikova telling me that she loves me. I don't open attachments from someone I don't know without checking them out first (a. am I really expecting anything? b. is it executable?, c. look inside exe with notepad - usually some suspicious literals).

I recently helped a friend in the village out with her PC. New PC connected through an ADSL modem for 5 days. 43 viruses & worms according to Symantec website free virus scan.

Rebuilt the machine. Reconnected to the Net. Within 40 minutes the worms were back (this was spooky).

Downloaded (with the bandwidth the worm would let me have) latest Norton AV on trial. Eventually managed to download and eventually managed to run it (nasty things kept trying to close the window. I was watching cmd.exe keep getting kicked off in task manager which seemed to be followed by some odd named tasks (such as ms32cfg.exe)). Got it running. Various viruses detected / removed. Eventually the AV software reckoned it was finished, fully scanned, nothing nasty going on... and yet still there was a pesky nasty in the system busy writing itself into the startup list as soon as I removed it and doing 'things' in the background.

Anyway, the solution? Another rebuild and a proper ADSL router. Worth paying the money for, I reckon.

(I really don't understand how it got infected so damned quickly after rebuilding)

gwyn
Sunday, August 22, 2004

The one time I was infected with a nasty trojan (a keystroke logger/password stealer, as it turned out), three different AV programs failed to detect the trojan.  I eventually removed it manually.  At least, I _think_ I removed it.

J. D. Trollinger
Sunday, August 22, 2004

I am with you Gwynn.

I don't use any AV protection.

I just back up regularly.  If I somehow manage to contract a virus, then I will reformat.

Aussie chick
Sunday, August 22, 2004

Some of the worms/attacks are coming through RPC and open ports. The halflife of an uninfected windows machine with no updates or patches is about 20 minutes on the internet.

My advice is to get one of the update discs from MS, and the next time you wipe a drive, install the updates from the disc BEFORE connecting to the internet. Should cut infections down by a significant margin.

Peter
Sunday, August 22, 2004

In the corporate world there are too many Lusers. You have to have anti-virus software because people will open anything and everything.

Jack of all
Sunday, August 22, 2004

Jack of all is right.

"I don't open messages from Anna Kournikova telling me that she loves me. I don't open attachments from someone I don't know without checking them out first (a. am I really expecting anything? b. is it executable?, c. look inside exe with notepad - usually some suspicious literals)."

Antivirus is for people that do all of those things that you don't.

And that's a *lot* of people.

.NET Developer
Monday, August 23, 2004

The only virus I've ever gotten was from 3.5" floppies, back in the day.  And I, too, don't do this and that and the other.  I must agree that antivirus is for businesses, where all it takes is one clueless individual to screw things up for everybody.

Kyralessa
Monday, August 23, 2004

Either all you guys are very lucky... no, can't be. Your PCs must be infected with all kinds of malware. Why spend time manually removing malware from your PC? And how can you be sure you have removed all of it? Every script kiddie in the world must have your credit card numbers and bank details by now!

Kechi
Monday, August 23, 2004

I'm with Gwyn. The last virus I had was a DOS virus from a floppy... dir? Something like that. Never had any virus for the last 10 years and I'm on the internet for 8+ hours a day.

It's scary that having anti-virus is considered normal. People are forced to use anti-virus instead of simply
1) installing a firewall and
2) not opening attachments from strangers

People that don't wash their hands or, better analogy, don't use condoms, should be prepared to take some medicine. But it doesn't mean everyone has to take this medicine all the time.

Last month I had problems with my ISP and tech support person asked me if I have all the anti-virus updates installed. I said no. She said I have to. I said I don't have any anti-virus software. She told me that it's not acceptable and I _must_ install some. That's amazing.

Let's organize an anti-anti-virus movement! :)

igrek
Monday, August 23, 2004

I don't either. Something about it hogging the CPU that bothers me.

I'm just careful and all patched up.

Alex
Monday, August 23, 2004

I used to feel this way, but now I have AVG installed. I'm behind software and hardware firewalls, but I still get the occasional virus, I think from another computer on the network. It doesn't really hog CPU cycles, and you let it run every once in a while just to be safe.

It's better than THINKING you're safe and then finding out someone has your online banking information.

www.MarkTAW.com
Monday, August 23, 2004

Same here: no AV, no problems (I use an online one every month to make sure).

I'd install one just to err on the safe side, but haven't seen one that doesn't cause heaps of problems and slowdowns yet.

Just me (Sir to you)
Monday, August 23, 2004

Until recently, I did not use AV-SW. Never contracted a virus, although I was online for many many hours a day for the past 10 years.  Never opened attachments or executables unless I really trusted the origin. Did not use IE, Outlook Express, or Office, but cheaper and safer alternatives.

Now that I am using AV, I think it is crap.

Karel Thönissen
Monday, August 23, 2004

This one is for the folks that do not use AV... How exactly do you "know" that you have nothing on your PC that should not be there?

Can't agree more about using a NAT router though. I always shudder when people here in the UK get the free Speedtouch USB modems from their ISP, connect to the internet with no firewall and wonder why their PC is a wreck in a couple of weeks.

nakedCode
Monday, August 23, 2004

I install programs from original CDs, don't use pirated software and don't download unknown executables from the Internet. My computer is behind the firewall, I don't run TCP/IP servers and don't have any ports open.

How on Earth could I get something on my computer that is not supposed to be there?

igrek
Monday, August 23, 2004

Please forgive my ignorance, but how exactly does a router protect you?

Ged Byrne
Monday, August 23, 2004

What do you do if you open an attachment from someone you do know - for instance many viruses use a person's address book to send it - therefore it looks like a mail being received from someone you know as opposed to a stranger.
While I agree that antivirus software is mostly aimed at the business user, the majority of people will also have a PC in the house and are just as silly in the house as they are at work. It's also far easier for someone to set up a piece of anti virus software than it is for them to set up a firewall, but having both is even better.

Fothy
Monday, August 23, 2004

A mate of mine worked for a bank when the "I love you" virus hit.  He was there till 2 o'clock the following morning clearing up after the idiots who'd opened it in the 6 minutes from when it first entered the bank followed by 2-3 weeks with people sending it back & forth between London & Hong Kong as traders opened the damn thing first thing in the morning without looking.

AV is the same as any other safety measure - it's there to catch you when someone cocks things up.  If you don't cock things up great - but on the whole I err on the side of safety.

a cynic writes...
Monday, August 23, 2004

I see:

http://en.wikipedia.org/wiki/NAT

The IP address is altered by the router so that direct connectivity is not made with the internet.

Looks to be worth the investment.

Ged Byrne
Monday, August 23, 2004

NAT is a good first-defence.

However, it is not completely safe.

It does protect you from worms, generally.  Unless you have a server on your side that is accessible from outside in some way.

It does not protect you from social engineering (open this exe!) nor from browser hijacking (but you don't visit those kind of sites do you?).

Some worms can burn through it.  Broadcast UDP for example, or pretending to be a DNS response or whatnot.  Depends upon the setup of your NAT.

Always have up-to-date virus software and a proper firewall with stateful packet inspection.  Zonealarm is generally thought sufficient.  Blackice has a bad name.  Stopping 'unauthorised' outgoing connections is pretty useless anyway.

i like i
Monday, August 23, 2004

Talking of NAT, where is he? (Ersoz, I mean.) Haven't read any posts of his here for some time.


Monday, August 23, 2004

Maybe he caught a virus. :)

sgf
Monday, August 23, 2004

"(I really don't understand how it got infected so damned quickly after rebuilding)"

Because there are millions of infected Microsoft Windows pc's on the net trying 24/7 to infect others.

To the person that *thought* they uninstalled the keylogger.  Repave.  You're crazy trusting a once compromised machine.

Why does a router help?  Because most of the ones you buy for home use will block all incoming ports.  If your computer initiates the connection then the router allows traffic back to you, but the router will not allow machines on the internet to initiate the contact with your PC.  You are non-routable.  Basically this means worms can't touch your PC.

Mike
Monday, August 23, 2004
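A small model of the behaviour Mike describes (outbound connections create a mapping, unsolicited inbound packets are dropped) and of the caveat "i like i" raised a few posts up, that whether a forged "DNS response" from some third host gets through "depends upon the setup of your NAT". This is an added illustration, not code from the thread or from any router vendor; the addresses, ports and the two filtering-mode labels (named loosely after the RFC 4787 terms) are constructed for the example.

```python
"""Toy stateful NAT: connection tracking decides what comes back in.

Constructed illustration. Two filtering modes are modelled:
  "address-restricted"     - inbound is accepted only from a remote IP
                             the LAN host already sent something to
  "endpoint-independent"   - any remote host may send to a mapped port
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class NatRouter:
    def __init__(self, public_ip, filtering="address-restricted"):
        self.public_ip = public_ip
        self.filtering = filtering
        self.next_port = 40000
        # public port -> (internal ip, internal port, set of remote IPs contacted)
        self.table = {}

    def outbound(self, pkt):
        """Translate a LAN->internet packet, creating a mapping if needed."""
        for pub_port, (iip, iport, peers) in self.table.items():
            if (iip, iport) == (pkt.src_ip, pkt.src_port):
                peers.add(pkt.dst_ip)
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (pkt.src_ip, pkt.src_port, {pkt.dst_ip})
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Return the packet as delivered to the LAN host, or None if dropped."""
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            # Nobody inside asked for this: the "non-routable" case. Dropped.
            return None
        iip, iport, peers = entry
        if self.filtering == "address-restricted" and pkt.src_ip not in peers:
            # A mapped port exists, but this sender was never talked to. Dropped.
            return None
        return Packet(pkt.src_ip, pkt.src_port, iip, iport, pkt.proto)


def demo(filtering):
    """Run three constructed packets through a NAT and report what got in."""
    nat = NatRouter("203.0.113.1", filtering)
    # LAN host sends a DNS query to its ISP resolver; this creates the mapping.
    out = nat.outbound(Packet("192.168.1.10", 5353, "198.51.100.53", 53))
    return {
        # 1. genuine reply from the resolver
        "reply": nat.inbound(Packet("198.51.100.53", 53, nat.public_ip, out.src_port)) is not None,
        # 2. unsolicited probe at a port with no mapping (what a scanning worm sends)
        "worm_probe": nat.inbound(Packet("192.0.2.77", 4444, nat.public_ip, 135)) is not None,
        # 3. "DNS response" from a host the LAN never contacted, aimed at the mapped port
        "forged": nat.inbound(Packet("192.0.2.77", 53, nat.public_ip, out.src_port)) is not None,
    }


if __name__ == "__main__":
    for mode in ("address-restricted", "endpoint-independent"):
        print(mode, demo(mode))
```

Both modes drop the unsolicited probe, which is the protection Mike is describing; only the address-restricted mode also drops the third-party packet aimed at an already-open mapping, which is the difference "i like i" was getting at.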

I've never had mumps, or smallpox or anything, and I've never had immunizations.

I think immunizations are just a scam run by the drug companies.

chiro
Monday, August 23, 2004

"I think immunizations are just a scam run by the drug companies."

You really must be a chiropractor, and a "straight" one at that.  You know, the kind that thinks the CDC is a fake, and on payoffs from the drug companies.  Right.  You know, because kids still die of whooping cough.  That's *totally* necessary.  Maybe if I get preventative adjustment to my spine, I can avoid cancer.

Sorry, I realize this is coming off totally trollish, but man, I've got some pent up hostility about this.

Don't read this post.
Monday, August 23, 2004

Chiro: there is a situation in which that is a perfectly reasonable attitude.  Namely, if you are living your life sealed in a plastic bubble and making no direct contact with the outside world.  Because if you never touch another person, or breathe the same air as them, and if everything that enters your closed environment is sterilised first, there is simply no way that you could pick up or pass on a disease.

That's what we computer types call a "firewall".

If your firewall is perfect, there is simply no point in running antivirus software as well.

Iago
Monday, August 23, 2004

And what do you do if the plastic bubble is punctured and you catch an infection?

By the way, I find it very strange that people are using the argument "if you don't have AV software, you can't be sure you have no viruses". As if you can be sure you have no viruses when you do have AV software? It mostly protects from known viruses, but can do precious little against the new ones it doesn't have a signature for.

.
Monday, August 23, 2004

If your system is configured perfectly with no unnecessary services open, there is simply no point in running a firewall as well.

chiro
Monday, August 23, 2004

If you use the information and tools from this site:

http://www.ntsvcfg.de/ntsvcfg_eng.html

directly after installing Windows 2000/XP you won't have many of the problems (viruses etc.) at all. You probably won't need firewall software either.

Florian
Monday, August 23, 2004

"I install programs from original CDs, don't use pirated software and don't download unknown executables from the Internet."

You've NEVER downloaded and installed a program from the internet? I remember one spyware scanner on Download.com that had a lot of bad reviews, apparently it ran in 2 seconds and did nothing. One wonders what it was...

Just how far do you go to avoid running "unknown executables from the Internet." ? You've never downloaded some shareware?

"Please forgive my ignorance, but how exactly does a router protect you?"

Most routers (like my Linksys) come with firewalls.

"but you don't visit those kind of sites do you?"

I remember one virus that infected IIS servers and anyone who visited them. What would you do if it got to discuss.fogcreek.com?

"If your system is configured perfectly with no unnecessary services open, there is simply no point in running a firewall as well."

A hardware firewall makes your computer "invisible" to the outside world (as should a software firewall). A software firewall will prevent any programs on your computer that are trying to dial home from doing so, though I suspect most virus makers know this and use some other service to connect to the internet that the firewall can't police.

Configuring your system perfectly sounds a lot more time consuming than installing a firewall.

"What do you do if you open an attachment from someone you do know"

I never open attachments from anyone, no matter how funny they are. There's no reason to make that funny thing an .exe and send it via email.

"A mate of mine worked for a bank when the "I love you" virus hit."

I also worked for a bank when some virus hit (I still have it on a floppy disk somewhere). It infected our server (I guess someone didn't harden it). What a mess that was. It didn't touch my computer though.

www.MarkTAW.com
Monday, August 23, 2004

Gwynn - ditto.

I think the anti-virus programs are worse than the viruses themselves. All they ever did for me was clog up my system resources, mess up my DHCP upon uninstall (thank you Symantec!) and cause all kinds of interaction problems with the software.

I just perform an online scan through TrendMicro every so often, and I've never been hit with a virus in 15+ years.

Then again, I have the discipline to not open attachments, download and install files from known sources, etc. Most people lack this simple concept.

Erik
Monday, August 23, 2004

I'm not sure whether Chiro is kidding/trolling or serious, but it's worth reading up on the epidemiological notion of "herd immunity". The basic notion is that once a critical mass of people (or computers, in this case) are sufficiently protected from infection, epidemics become nearly impossible, because there aren't enough susceptible individuals to maintain the infectious chain reaction.

Interestingly, immunizing 90% or so of the population is often enough for real-world infections; that means a fair number of individual people can be free riders as long as the population as a whole is sufficiently protected. However, if too many people fail to protect themselves, the population becomes ripe for an epidemic.

So if Chiro's post was serious, then, he can likely still thank vaccines -- even though he was not personally vaccinated, the fact that most other people have been is what protects him. The disease can't get enough of a foothold for him to get exposed.

Obviously there are limits to how far one can take this analogy with computers, but it is suggestive.

John C.
Monday, August 23, 2004
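John C.'s herd-immunity point can be made concrete for a population of hosts. The simulation below is an added illustration, not something from the thread or from any epidemiology package: a worm spreads through a constructed population of hosts, each infected host probes a few random hosts per tick and is cleaned up after a fixed number of ticks, and a chosen fraction of hosts is "protected" (patched, or behind AV that catches it). The contact rate, infectious period and protection fractions are assumptions picked for the example; the threshold formula 1 - 1/R0 is the standard one he alludes to.

```python
"""Worm outbreak in a population of hosts with a protected fraction.

Constructed illustration of "herd immunity" for computers. A host is
infectious for `infectious_ticks` ticks (then it is cleaned and patched),
and during each tick it contacts `contacts_per_tick` random hosts. The
basic reproduction number is R0 = contacts_per_tick * infectious_ticks;
with a fraction p protected the effective number is R0 * (1 - p).
"""
import random


def effective_reproduction(protected_fraction, contacts_per_tick=2, infectious_ticks=3):
    """R0 scaled by the unprotected share of the population."""
    return contacts_per_tick * infectious_ticks * (1.0 - protected_fraction)


def herd_threshold(r0):
    """Smallest protected fraction at which the effective R drops below 1."""
    return 1.0 - 1.0 / r0


def simulate(n_hosts=2000, protected_fraction=0.0, contacts_per_tick=2,
             infectious_ticks=3, ticks=40, seed=7):
    """Return how many hosts were ever infected, starting from one unprotected host."""
    rng = random.Random(seed)
    hosts = range(n_hosts)
    protected = set(rng.sample(hosts, int(n_hosts * protected_fraction)))
    susceptible = [h for h in hosts if h not in protected]
    patient_zero = rng.choice(susceptible)
    infectious = {patient_zero: infectious_ticks}   # host -> infectious ticks left
    ever_infected = {patient_zero}
    for _ in range(ticks):
        newly = set()
        for host in infectious:
            for target in rng.choices(hosts, k=contacts_per_tick):
                # a protected host shrugs the probe off; an already-hit host is not new
                if target not in protected and target not in ever_infected:
                    newly.add(target)
        # advance the clocks; hosts at zero have been cleaned and patched
        infectious = {h: t - 1 for h, t in infectious.items() if t > 1}
        for h in newly:
            infectious[h] = infectious_ticks
        ever_infected |= newly
    return len(ever_infected)


if __name__ == "__main__":
    r0 = effective_reproduction(0.0)
    print(f"R0 = {r0:.1f}, herd threshold = {herd_threshold(r0):.0%} protected")
    for p in (0.0, 0.5, 0.8, 0.9, 0.95):
        print(f"{p:>4.0%} protected: {simulate(protected_fraction=p):>5} of 2000 hosts ever infected")
```

With these assumed parameters R0 is 6, so the threshold is about 83%: below it the outbreak runs through most of the unprotected hosts, above it the chain of infection dies out after a handful of hosts, and the unprotected ones ride on everyone else's protection, which is exactly the free-rider situation the post describes.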

NAT is good. But you still need a firewall + AV:
- your "legal" software talks too much to the internet (i.e. disclosing system info without prior user's authorization)
- any open port is a security weakness and needs to be policed.
- you need to detect in-code viruses before they install; or in-memory viruses before they become harmful.

At home, I'm using NAT + firewall + AV; the reports show lots of pings blocked every day, lots of potentially harmful inbound traffic, lots of invalid packets (potentially related to certain forms of attack).

Since I'm running IIS, I'm getting about 10-20 potential attacks blocked every day.

Finally, although I haven't had a virus in 10 years (primary prevention works!!!)  I'm still running an AV: the costs of recovering my system after a virus infection are too high.

Dino
Monday, August 23, 2004

I could be wrong, but I think Chiro's initial "immunization" comments were intended to be funny/parodistic, a bit cynical. I laughed anyhow...:)

Jim J.:)
Monday, August 23, 2004

I have AV at work, but just a firewall at home. The firewall is essential, but I've never had a problem with a virus. I've been warned by the AV program at work that it detected a virus in some email, but I've always known that it was bad news and wouldn't have opened it anyway.

Miles Archer
Monday, August 23, 2004

You can get a good check-up of your PC for free at Steve Gibson's site: www.grc.com. Try the Shields Up! test - you might have a nasty surprise.

Data Miner
Monday, August 23, 2004

http://www.nerdsonsite.com/selfhelp/virus_central.html

Dennis Forbes
Monday, August 23, 2004

AV vendors have been promising heuristic super-intelligent protection that will guard against all existing and emerging threats, yet strangely they're still in a position where they scramble to release fixes for specific viruses hours or days after the virus wreaks havoc on the global information system. 

AV is often too little/too late, and it's laughable reading AV advocates proclaiming that the anti-AVers just don't realize that their machine is infected. Speak for yourself. The false sense of security your AV software lulled you into, making you feel that that 0-day copy of Photoshop must be safe has allowed dozens of low distribution trojans to infiltrate your system.

Dennis Forbes
Monday, August 23, 2004

I think exactly like the original poster, but more specifically for spyware programs. I go to a customer's PC and run Ad-Aware and it finds 150 things it wants to get rid of. The customer swears blind that they didn't open any attachments, visit any dodgy sites, etc. But then I think to myself, that's exactly what I do. And when I run Ad-Aware on my own PC it rarely finds anything at all.

It's like when I was using my parents' PC a while back, and there was this 'my web search' toolbar in IE, as well as the Google toolbar I gave them ages ago. No-one had any idea how it got there, in fact they'd never clicked 'yes' to any of those installation windows, never done anything that could install it. But it was there...one of those unsolved mysteries. My business partner had the exact same toolbar on his PC (which lives behind the same firewall as me). He also had no idea where it is from.

James U-S
Tuesday, August 24, 2004

>How on Earth could I get something on my computer that is not supposed to be there?
Answer: a recent trojan came out that appeared when looking at the html as a .gif or .jpg. However, the MIME type was "application." The item is a 2 part executable that installs a trojan on your PC. There is no possible patch for it in IE. The only possible cure was to browse the internet while logged into an account that cannot install software. Law enforcement quickly shut down the sites this trojan was sending your login information (in Russia) to as well as most of the sites serving this image (the authors of this trojan had purchased advertising, causing this to be served up by many unsuspecting sites).

Peter
Tuesday, August 24, 2004

> a recent trojan came out that appeared when looking at the html as a .gif or .jpg. However, the MIME type was "application." The item is a 2 part executable that installs a trojan on your PC.

Hold on. There are 3 completely different things, and I don't understand how they are related.

1) HTML is a language for web.
2) MIME has to do with mail.
3) And executable is executable -- someone (or some process) has to execute it!

How are these 3 things tied together? Which process starts the malicious executable?

igrek
Tuesday, August 24, 2004

Way back, I had issues w/ Outlook Express and KLEZ.
Till I turned off preview pane

I still run ADAWARE & AVG,
just to be safe

Bella
Wednesday, August 25, 2004

igrek, you...
0- open a web page.
1- The browser parses the html to download all the stuff to display the page.
2- As part of the html, there is this link to a .jpg/gif, so a virus checker won't pay attention to what it (and most folks) would think is a picture.
3- As the browser is doing a GET of the jpg, the web server tells the browser that the MIME type is really an executable. This is called "out of band" communication. The MIME type tells the browser the type of object it is getting (gif/png/pdf/activex control, etc) and the browser is supposed to know what to do with each type of object it gets.
4- The browser goes "oh, an executable, let me toss it into (temp directory) and see what programs execute that particular MIME type" (the sort of thing that goes on when a page includes a flash file, or a pdf document) and then executes the trojan with the permissions of the current logged in user.
5- Inside the trojan (cab file which is masquerading as a jpg/gif), the payload is a standard PE executable with 2 components, an installer and a trojan. Think of a ZIP file that is an EXE.
6- The trojan gets installed and it hooks into IE looking for particular websites (mostly banking) and captures the username and password before it gets to the SSH part of the browser. More benign ones can merely change your start page and hijack some of the settings.
7- The trojan then sends the information to a Russian server which has since been shut down.

some details on the malicious jpgs/gifs:

http://isc.incidents.org/diary.php?date=2004-07-23

http://isc.incidents.org/diary.php?date=2004-08-23

http://isc.incidents.org/diary.php?date=2004-07-16

It's called Bagle and/or Exploit-MhtRedir.

Does this answer your questions? or do you have more? does it make sense now? Do I babble on and on, too much?

>AV vendors have been promising heuristic super-intelligent protection that will guard against all existing and emerging threats.
Sorry, that is the "Turing stopping problem" in a slightly different disguise. That problem has been proved to be indeterminate, which means that there cannot possibly (even theoretically) ever be code that can tell if some unknown code is a virus; you can only recognize stuff you have seen before.

Peter
Wednesday, August 25, 2004
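Peter's steps 2 to 5 come down to three views of one object disagreeing: the URL ends in .jpg, the server's Content-Type says it is an application, and the bytes actually sent are a CAB archive (or a PE executable). A proxy or intrusion detection system can flag that disagreement before any browser decides what to "do" with the object. The checker below is an added illustration, not code from the thread or from any product; the sample responses, hostnames and the small magic-byte table are constructed for the example, and it goes slightly beyond the post by also handling a plain PE body and a legitimate executable download that should not be flagged.

```python
"""Flag HTTP responses whose extension, Content-Type and body disagree.

Constructed illustration. `check_response` compares three views of one
downloaded object and returns a list of findings (empty = consistent):
  - the extension in the URL path
  - the Content-Type header the server declared
  - the format implied by the first bytes of the body
"""
import os
from urllib.parse import urlparse

IMAGE_EXT = {".jpg", ".jpeg", ".gif", ".png"}

# leading bytes -> MIME type; enough to tell pictures from CAB/PE containers
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"MSCF": "application/vnd.ms-cab-compressed",   # Microsoft cabinet archive
    b"MZ": "application/x-msdownload",              # Windows PE executable
}


def sniff(body):
    """Guess the real type from the body's leading bytes."""
    for magic, mime in MAGIC.items():
        if body.startswith(magic):
            return mime
    return "unknown"


def check_response(url, content_type, body):
    """Return a list of human-readable mismatches between the three views."""
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    declared = content_type.split(";")[0].strip().lower()   # drop "; charset=..."
    actual = sniff(body)
    findings = []
    if ext in IMAGE_EXT and not declared.startswith("image/"):
        findings.append(f"extension {ext} but Content-Type {declared}")
    if ext in IMAGE_EXT and actual != "unknown" and not actual.startswith("image/"):
        findings.append(f"extension {ext} but body is {actual}")
    if actual != "unknown" and declared != actual:
        findings.append(f"Content-Type {declared} but body is {actual}")
    return findings


# Constructed sample responses: (url, Content-Type header, first bytes of body)
SAMPLES = [
    # an ordinary picture: everything agrees
    ("http://ads.example/banner.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    # the case from the thread: looks like a jpg, declared as an application, body is a CAB
    ("http://ads.example/banner2.jpg", "application/octet-stream", b"MSCF" + b"\x00" * 16),
    # a gif whose body is actually a PE executable
    ("http://cdn.example/logo.gif", "image/gif", b"MZ\x90\x00" + b"\x00" * 16),
    # a genuine download: executable by name, header and body, so nothing to flag
    ("http://dl.example/setup.exe", "application/x-msdownload", b"MZ\x90\x00" + b"\x00" * 16),
]


def scan(samples=SAMPLES):
    """Run every sample through the checker; returns {url: findings}."""
    return {url: check_response(url, ct, body) for url, ct, body in samples}


if __name__ == "__main__":
    for url, findings in scan().items():
        print(url, "->", findings or "consistent")
```

The point of the three-way comparison is the one Peter makes later about handlers trusting each other: a checker that only trusts the declared Content-Type would pass the gif-with-PE-body sample, and one that only trusts the extension would pass the CAB, so each view is cross-checked against the other two.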

Peter, thanks for the detailed description.

Everything is clear, except p.(4). Does it mean the browser silently executes anything of type "executable" it downloads, without any confirmation from you?

But then it doesn't even have to be that complicated. One can just create a web page with a link to a malicious executable. Once you click on the link, the browser will download it and execute it, following the same logic.

igrek
Wednesday, August 25, 2004

Does the browser execute any code?
No. Some types are known to be suspect, so the browser won't directly execute all types. This is the sort of security bug you can get if you try to filter out only (known) bad data. Someone, somewhere, somehow, some day will discover something that you didn't think of, and walk right in.

Peter
Wednesday, August 25, 2004

It still doesn't answer why the browser executes (or installs?) a program without confirmation. It just should not happen.
Is there some magical type of executable that bypasses all the security in IE?

But I agree with your point: those buggy MS IE/Outlook programs can expose one to a risk even behind the firewall.

I'm not using Outlook, but using IE sometimes. Never got into problems.... yet :)

igrek
Thursday, August 26, 2004

hoser is Nat Ersoz

Nat Ersoz fan
Thursday, August 26, 2004

>It just should not happen.
Yes, that is totally correct. But it happens when you try to be *helpful* and decode invalid stuff. The CAB handler knows to check the validity of CAB files and ask for confirmation, but when the JPG handler object passes the request to the CAB handler, the CAB handler *ASSUMES* that the check has already been done. This is the basis for social engineering attacks (well, he already talked to Bob, so he must be ok).

Guard 1: hey, I caught this guy crawling in a second floor window.
Guard 2: the procedure manual only covers guys crawling in a ground floor window, or coming in through a door.
Guard 1: so what do we do?
Guard 2: well, it's not in the manual, so he must be a customer, let him go.

Peter
Thursday, August 26, 2004

Aha. Now I've got it, thanks.
But then it's definitely a bug in IE. It's strange they haven't fixed it.

igrek
Thursday, August 26, 2004
