Slashdot Log In
How To Avoid Viruses At Windows Install Time?
Posted by
timothy
on Sun Jun 20, 2004 07:32 PM
from the good-luck-with-all-that dept.
from the good-luck-with-all-that dept.
reallocate writes "Can a home user install and update Windows without being attacked by a virus or worm? I'm a Linux user; have been since 1995. Recently, I needed to install Windows XP Pro on a home desktop machine with a Roadrunner cable connection. I tried twice. Both times, the machine was attacked and rendered unusable before I was able to pull down the first update from Windows Update." Read on for more details of what went wrong and when.
Here's a synopsis of my install method:
- Put the Windows XP CD in the drive;
- Disconnect the cable modem from the network card;
- Reboot and install Windows;
- The box remains off the net during the entire install: no registering, no setting up an ISP, no activation, no network configuration, no nothing. (BTW, the only networking component that I install is tcp/ip. All the other MS stuff never gets on the machine.)
- Reboot; Windows runs and all is well;
- Install the current version of Norton Internet Security Professional from a shrinkwrapped CD (firewall, anti-virus, etc.);
- Configure the Roadrunner net connection and reboot to pick up a DHCP lease;
- Launch the Norton update facility (per Norton's recommendation, the built-in XP firewall is turned off);
- Complete the Norton update and reboot;
- Launch Windows Update;
- Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off.
That's as far I got. During the first attempt, I acquired a virus or worm before I could finish the Norton update (machine powered down). On the second attempt, I got as far as Windows Update and SP1(continual rebooting).
So...how would you do it?"
This discussion has been archived.
No new comments can be posted.
How To Avoid Viruses At Windows Install Time?
|
Log In/Create an Account
| Top
| 833 comments
(Spill at 50!) | Index Only
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
If you can stand waiting... (Score:5, Informative)
February? (Score:5, Funny)
If you play a Microsft CD... (Score:5, Funny)
Thanks, I'll be here all week... try the veal...
and play an *BSD CD forwards (Score:4, Funny)
(Last Journal: Sunday September 16, @04:44AM)
Sorry, I couldn't help it!
OP: The 100% best answer (Score:5, Informative)
(Last Journal: Saturday October 01 2005, @10:40AM)
Plug your computer into the LAN side.
Clone the MAC address of your computer.
Change the password on the router to something other than 'admin'.
Plug in your cablemodem into the WAN side.
Enjoy your new worm/virus/trojan free existance.
How many times do we need to spell it out??
Re:If you can stand waiting... (Score:5, Informative)
(http://www.geekxp.net/ | Last Journal: Thursday April 14 2005, @07:38PM)
-Direct X 9.0b + Updates
-XP Powertoys
-SP1 Critical and Recommended Updates
-Pre SP2 Critical and Recommended Updates
- + More
I use it and it is updated every month. Get it while you can!
Re:If you can stand waiting... (Score:5, Informative)
Autopatcher.com [autopatcher.com] also has a Lite version and an UltraLite version.
The UltraLite version contains only Critical and Recommended updates, along with IE and Outlook patches, and weighs in at 89MB.
Re:If you can stand waiting... (Score:5, Insightful)
Re:If you can stand waiting... (Score:5, Interesting)
A system consisting of just the kernel and a few command line tools would be awfully boring and not a particularly fair comparison.
By "Linux" I'm referring to the kernel itself, along with X and the base applications that come along with gnome or KDE. Installing a distro with the base set of libraries, GUI, window manager, apps, etc that give a reasonable approximation of what you get with windows (no gimp, no koffice, etc) will require a considerable amount of downloading of patches if it's as old as XP.
Re:If you can stand waiting... (Score:5, Informative)
Absolutely. Just install the hotfixes that pertain to kernel vulnerabilities.
But it's the *RIGHT* thing to do from a security point of view. If you're file-server is running X & Gnome & KDE & Wine & Kazaa, you're *BEGGING* for trouble.
While you can't avoid installing the gui and what not in windows, you can turn off almost all of the running services. Technically, not that I'd advise it, you could avoid running IE, Outlook Express, etc...and forgo patching them in a server environment. Just don't run any apps either.
The hard part about microsoft is that it's really hard to do that, since (as the article pointed out) the default install has everything with all the holes pre-installed and running.
So does a default install of many distros...ones as old as XP even more so.
I'm not a Microsoft advocate, I dislike Microsoft products for multiple reasons, but the size of the patches isn't one of them. All I'm saying is that when comparing a default (normal size) linux distro install to a default windows one, the amount of patches you need to install are similar.
Re:If you can stand waiting... (Score:4, Insightful)
I think you'll find they went one better and digitally sign every update with their private key.
Re:If you can stand waiting... (Score:5, Interesting)
(http://phorm.phormix.com/ | Last Journal: Monday May 19 2003, @12:08PM)
Or better yet, use a morphix [morphix.org] bootCD. You should be able to download the patches to Welchia et al directly (not using windows update), then reboot w/o the network cable in, patch, reboot, and you should be able to get the other less critical updates without being infected by RPC viruses.
Re:If you can stand waiting... (Score:5, Informative)
Re:If you can stand waiting... (Score:5, Informative)
Actually, what you can do is use Wine or WinEX and install Internet Explorer 5.5 from an old 5.5 installation CD on Linux,... download then burn to CD and you'll be great. I did that just now and i have to say thank you for the link.
It seems that any useful links, MS hides behind a rediculous naming scheme for some odd reason.
Thank you again, if I had MOD points, I'd certianly give them to you.
Re:If you can stand waiting... (Score:5, Informative)
(Last Journal: Wednesday May 25 2005, @09:20PM)
If you go to the Microsoft download center [microsoft.com], you can download every patch with (almost?) any browser. I downloaded service pack 1 and every patch after that using nothing but Opera.
It was less convenient than using WindowsUpdate/IE, but it would still have worked on a linux machine. The best part is, when friends give me their computers to reinstall XP, I don't need to spend four hours downloading patches from scratch.
We have to get creative here. (Score:5, Insightful)
1) Hide behind a NAT router - Install windows disconnected from networks. Find someone with DSL and a NAT router. Intall all the patches from the safety of their home network.
2) Before installing windows, format the disk to have a FAT partition. Boot Knoppix Linux from a CD. get on the internet and download the patches to the FAT partion. Boot Windows - install patches.
Re:If you can stand waiting... (Score:5, Insightful)
My friends help me, I help my friends. It's not my decision what software they put on their computer, and when their courses dictate software that only runs under Windows, it's not my place to say "forget that, ditch your courses and use a MAN'S operating system".
Basically, I don't tell my friends to fuck off because I quite like having friends. I know how to fix their computer in a tenth the time or cost it would take them, they know how to do the same for my car, or my plumbing, or any of a hundred other things.
but if you can't.... (Score:5, Informative)
Here is a fairly comprehensive guide, aptly named: Windows XP: Surviving the First Day [sans.org]
Re:but if you can't.... (Score:4)
(http://www.davefancella.com/ | Last Journal: Wednesday December 31 2003, @02:21AM)
How ironic! Wern't Windows 2000 and Windows XP supposed to be the most secure Microsoft OS's ever?
Right. They were.
And I remember a certain Microsoft CEO of a previous era saying something like, "Windows NT is going to be so easy to use, all point 'n click, that you will be able to hire sysadmins off the street."!
Right, and it happened.
I guess I'm not quite understanding your point.
Re:but if you can't.... (Score:5, Informative)
(Last Journal: Saturday September 02 2006, @12:18AM)
1. Unplug network cable
2. Install Windows XP
3. Upon first boot turn on the Windows Firewall and reconnect network cable
4. http://www.windowsupdate.com [windowsupdate.com]
5. Wait for patches to download, then remove network cable and reboot after patches have installed
6. Return to http://www.windowsupdate.com [windowsupdate.com] and download the remaining patches
7. Reboot (no need to unplug network cable this time) and install a Virus Scanner/Firewall Suite.
This takes an hour and isn't rocket science.
-dk
Re:but if you can't.... (Score:5, Informative)
(Last Journal: Saturday September 02 2006, @12:18AM)
I used to do this on a daily basis, before I switched to a fully automated ris build, and never had an infected machine.
-dk
Re:If you can stand waiting... (Score:5, Informative)
(http://www.wiretapped.us/)
This is exactly how to do it. (Score:4, Informative)
2. Install box
3. Configure TCP/IP and enable windows firewall
4. Plug in network cable
5. Windows update
6. Repeat windows update
Job done.
Re:This is exactly how to do it. (Score:4, Interesting)
SP1 From CD (Score:5, Informative)
(http://www.johngaughan.net/)
When I install Windows it is behind a NAT firewall which helps (no open ports from the outside). The first thing I do is install SP1 from CD, next I update from Windows Update.
I recommend downloading SP1 and burning it in Linux, then using that CD to patch up the Windows box before connecting it to the network.
Re:SP1 From CD (Score:5, Insightful)
There are things the submitter could have done, like stopped all services that listen for connections. Ran Windows XP's firewall on their connection. Unbound Microsoft Networking Client from their NIC, etc. They could have booted up in safe mode with network support.
But the solution you offered is probably the best. I recommend to everybody these days that they run behind a cheap NAT box. It doesn't matter which OS you use, keep your computer off the internet! A NAT box is the simplest and not particulary expensive solution, and it'll leave you much safer and require less effort on the vigilance (note: I didn't no vigilance
We have incompetent IT guys at our place and Sasser is loose on the corporate LAN. We were trying to create a Win2K box but it kept rebooting. We just copied the patch for that over via CDRW, although the submitter could have downloaded everything they needed first from their Linux installation. In carpentry they always say "measure twice, cut once". This person didn't do enough preparation.
Re:SP1 From CD (Score:5, Insightful)
(http://www.grulic.org.ar/~dmoisset | Last Journal: Sunday December 31 2006, @11:00AM)
All the linux update tools I know (apt, red-carpet, urpmi) run perfectly with the firewall up and at maximum paranoia level. So I could install, set my firewall to reject all incoming connections, and update; that would leave me vulnerable only to very basic level exploits (like some hypothetical hole in ICMP).
I've not used windows update, but the poster said it asked to lower the firewall, and I think that's a weak point.
Re:SP1 From CD (Score:4, Informative)
(Last Journal: Sunday February 18 2007, @11:40AM)
I run behind a firewall as well. Last time I did a WinXP install (not that long, unfortunately), I had no problems.
But I don't install or enable any services during an initial installation, just the core OS. I don't do anything but install manufacturer's drivers before installing an anti-virus product.
After the anti-virus is fully updated, then I start dealing with Windows updates.
At no point have I ever had to disable hardware or software firewalls to install Windows updates. I have no idea why they continue to insanely recommend you remove all your security just to download updates -- you don't need to.
In fact, the only time I shut down the antivirus is during a disconnected defrag. And there is no way to disable the hardware firewall.
If you're connecting directly to the net with a Windows box, you're just getting what you deserve. Either hide it behind a hardware firewall, or accept the fact that you're just another spambot-in-waiting.
Easy (Score:5, Informative)
(http://das.doit.wisc.edu/)
(Or, read all the posts about how you can put together some huge, convoluted update CD that's never completely up-to-date instead of just spending $35 on a little hardware firewall.)
Re:Easy (Score:5, Insightful)
Re:Easy (Score:4, Informative)
(Last Journal: Wednesday November 21, @10:04AM)
I've installed Windows once (98, several years ago) and even I know about turning the firewall on. Why?
Because this is at least the fouth freaking article Slashdot has run on this question!!!
(Remember the one that linked to an article about "Installing Windows Safely" and all the posts were "Instead of linking to a large PDF, why not tell people to just turn the firewall off?"?)
Re:Easy (Score:4, Interesting)
Re:Easy (Score:5, Informative)
I would update windows before updating the firewall, that way you don't have to worry so much about being shutdown while the firewall is down.
my
Re:RTFQ (Score:5, Insightful)
That depends entirely on what software you are talking about. All a hardware fireall is, is a firewall from a company that realized people won't pay $$ for a piece of software. I.e its a software firewall, just running on some different hardware.
Re:RTFQ (Score:4, Insightful)
(http://home-at-yo-mammas.house.com/)
You're fucking kidding, right?
So, what you're saying is, a majority of Fortune 500 companies can throw their Cisco PiX firewalls away and just install ZoneAlarm? Think of the money they'll save!
So that's what the second step to profit is...
Re:RTFQ (Score:5, Interesting)
There's really no such thing as a hardware firewall. All hardware firewalls are in fact software firewalls running on a peice of hardware, just like all software firewalls do. Perhaps a better re-statement of your point is to say that you should use a seperate non-windows-based firewall rather than one which is installed locally on the windows machine. Personally I use a Sparc/Linux box for this, but you can have good results just using a netgear nat box or something. NAT is the ultimate home firewall anyways, just dont start routing inbound ports through it to your PC and you're gtg.
Re:Easy (Score:4, Funny)
(http://www.lightandmatter.com/)
Well, yeah, but c'mon, there are plenty of ways to do it without spending any extra money on hardware or software. Some possibilities:
- Use Lindows as a substitute for Windows.
- Wait for the next version of Windows. MS says they're making security a top priority now, so I'm sure the next version won't have any vulnerabilities.
- Run DOS -- I don't think anybody is writing viruses that can infect it.
- When your machine gets attacked, look at your log files to see where the attack came from, find out who their ISP is, and then send a polite letter by U.S. mail asking them to make their customer stop behaving badly. Repeat until all the bad, naughty machines are gone from the internet.
- Start your own internet. Only people you trust are invited to join it, and nobody is allowed to link it to the bad, old internet.
- Call MS tech support and ask for help.
OK, I admit that last one was a little silly.Its easy... (Score:5, Informative)
I have to reinstall most of my family's computers when I go home, I made all of them have routers.
-Bill
XP software firewall is useless before SP2 (Score:5, Insightful)
(http://www.majid.info/)
Firewall (Score:5, Informative)
(http://www.jpaz.com/)
Re:Firewall (Score:5, Informative)
Easy (Score:5, Informative)
(Last Journal: Friday March 11 2005, @02:01PM)
Use another machine to burn a copy of the latest service pack, and the Sasser worm fix, and whatever other updates you want to include.
After installing, install the updates from the CD, then check windows update for anything else.
Probabl redundant at this point, but... (Score:4, Informative)
(Last Journal: Saturday November 29 2003, @03:51AM)
I've had success installing Windows XP and upgrading it with only Microsoft's Internet Connection Firewall enabled.
Odd (Score:5, Insightful)
(http://www.fantasticdamage.com/)
How do you get these worms? This sounds incredulous...
Re:Odd (Score:4, Interesting)
(http://www.ironicentertainment.org/ | Last Journal: Thursday June 05 2003, @09:09AM)
I recall one particular instance at work where an outside laptop that was infected got plugged into the network (our network has about 2000 various boxes connected to it). Our security team got alerted by our intrusion detection systems was on the way to whack the offending user with a clue stick and unplug the laptop. Too late....
During that time I had just finished ghosting a machine with SP4 integrated into the build. In only a matter of a minute or two the new box I was working on became infected and started doing net sweeps of its own (the whole process of infection was done silently of course). I don't doubt the tales of machines becoming infected in a very short period of time given the rate of infection with RPC based worms because I have seen it. All it takes is one rogue machine to infect other boxes it can talk to.
Re:Odd (Score:5, Interesting)
(http://www.artcrime.com/ktakki/ | Last Journal: Thursday April 26 2007, @11:12PM)
Here's a snippet of the log from my Linksys router:The timestamp is hours:minutes:seconds. XXX.XXX.XXX.XXX is my WAN address (redacted), an East Coast Verizon DSL line. Port 445 is probably being targetted by W32.Sasser.
Sixteen attempts in 3 minutes and 12 seconds.
A couple of things are interesting about this log excerpt. First, there are no attempts from the 141.154.* netblock (where my WAN address resides). Second, I usually see a number of different ports listed (139, 1025, 1026, 1080, 3129, 5000), from both viruses and people probing for open proxies. Then again, it's Sunday night. I've noticed that virus traffic is higher during business hours in the US.
k.
Get a router. (Score:5, Insightful)
Firewall (Score:4, Informative)
Why don't you try turning the firewall on? It will block the RPC calls that are necessary to infect your machine with the most recent series of worms and allow you to install whatever patches are necessary worry free.
Plus, it just makes your PC safer in general.
Use NAT (Score:4, Interesting)
Perhaps also turning on the firewall just actually might work. Windows is targeted for the average Joe. Microsoft doesn't want to have to incur the support costs of explaining to average Joe how firewalls work, so they suggest you keep it off.
If you've really been using Linux that long, you'd have a clue. Really, this submission just sounds like a troll...
Use a firewall or a cd burner, or both (Score:4, Informative)
(http://elitemrp.net/)
this site [windows-help.net] tells you how to slipstream your XP cd with SP1A
Simple, Get an external Router. (Score:3, Interesting)
Alternatively, shut down all the services so that you have nothing listening, but if you're too lazy to do that, go out and spend $40 on a Netgear router and voila, you're safe from that crap.
Re:Simple, Get an external Router. (Score:5, Informative)
(http://hypocrite.org/)
It is highly unlikely that you could run an unprotected XP system with no firewall and no patches, hooked up via a cable modem or ADSL, for even ten minutes before getting infected.
Re:Simple, Get an external Router. (Score:5, Interesting)
Sunday, June 20, 2004 20:12:54 Unrecognized access from 24.164.33.43:9118 to UDP port 1026
Sunday, June 20, 2004 20:16:48 Unrecognized access from 218.88.103.123:3822 to TCP port 1025
Sunday, June 20, 2004 20:16:51 Unrecognized access from 218.88.103.123:3822 to TCP port 1025
Sunday, June 20, 2004 20:16:57 Unrecognized access from 218.88.103.123:3822 to TCP port 1025
Sunday, June 20, 2004 20:21:46 Unrecognized access from 195.250.112.73:35973 to TCP port 443
Sunday, June 20, 2004 20:22:18 Unrecognized access from 222.183.185.252:3881 to TCP port 1025
Sunday, June 20, 2004 20:22:21 Unrecognized access from 222.183.185.252:3881 to TCP port 1025
Sunday, June 20, 2004 20:22:27 Unrecognized access from 222.183.185.252:3881 to TCP port 1025
Sunday, June 20, 2004 20:31:26 Unrecognized access from 193.227.0.37:3365 to UDP port 1434
Sunday, June 20, 2004 20:45:50 Unrecognized access from 24.164.31.171:8860 to UDP port 1026
Re:Simple, Get an external Router. (Score:4, Funny)
Sunday, June 20, 2004 20:45:50 Unrecognized access from 24.164.31.171:8860 to UDP port 1026
^^ RIGHT THERE! That was 14 minutes! You could have EASILY installed a few critical updates. You just need to install them between attacks, and unplug your network cable before each new attack starts.
How hard is that? What is everyone here complaining about?
Re:Simple, Get an external Router. (Score:5, Interesting)
Re:Simple, Get an external Router. (Score:4, Interesting)
Aside from the terminology, consider that at the peak of infection, many nimda attacks were being logged EVERY SECOND by logging machines setup for capturing and monitoring attacks. Slammer [patcheasy.com] was scanning 55 million hosts PER SECOND. These things just pick random addresses and spit data out. If you haven't been getting any of these hits then either you're behind a firewall, or you're less random than the rest of the internet.
20 minutes is a long time to go without protection in computer time, especially on today's wild west of an internet.
Agreed though, the questioner should have just gone and gotten a firewall (or used one of his linux machines). I've never seen anything on windows update suggest that I turn off my firewall.
Re:Simple, Get an external Router. (Score:5, Interesting)
Worst case scenario (Score:4, Funny)
Slipstream it! (Score:3, Informative)
(http://seventhcycle.net/)
Even better, I would get a hardware firewall, so that none of the ports that worms travel through are even open.
Basic security from automated attacks isn't particularly hard, you know. Why is this even on slashdot?
Download the Service pack before install (Score:4, Informative)
(http://www.flickr.com/photos/txgeek/)
External firewall? (Score:5, Informative)
This solution seems so obvious to me that I wonder why you even bothered to ask. With your apparent technical knowledge, surely you must've thought of this. I'm inclined to think this question was just a veiled way to start an article bashing Microsoft about all the worms affecting their system.
use a nat router firewall (Score:4, Insightful)
For the love of god... (Score:3, Informative)
(http://slashdot.org/)
Autopatcher! (Score:4, Informative)
(http://www.chem.wsu.edu/ | Last Journal: Friday September 15 2006, @01:48PM)
Autopatcher [autopatcher.com]
AutoPatcher was started in October of 2003. It was started by Jason Kelley and was a simple batch program that would install many updates silently. Upon reaching version 2.65, Jason was contacted by Antonis Kaladis, who offered to help make a VB front-end for the program. And thus, the current incarnation of AutoPatcher was born.
Not only does it install all your Windows updates with just one reboot, it can also (optionally) install many other programs such as the Windows XP Powertoys, IESpell, etc. There's even some registry config options such as increasing the max connections per server (IE) to something greater than 2.
i'm installing right now... (Score:5, Interesting)
Firewall (Score:3, Insightful)
(http://www.kajmereso...io/journey_in_BB.ram | Last Journal: Tuesday May 18 2004, @10:41PM)
Found at isc.incidents.org: (Score:5, Informative)
(http://thelifeofbryan.multiply.com/ | Last Journal: Tuesday February 20 2007, @12:20AM)
Re:Windows XP: Surviving the First Day (Score:5, Interesting)
(Last Journal: Friday November 03 2006, @03:51PM)
make sure you block all incoming ports (Score:4, Informative)
(Last Journal: Monday September 13 2004, @04:10AM)
I work for an ISP (Score:3, Informative)
(http://www.linuxsolutionsplus.com/)
Here's your problem(s) (Score:3, Informative)
(http://ellem.is-a-geek.org:5280/...html | Last Journal: Tuesday October 02, @10:35AM)
2 - Download SP1 to a CD.
3 - STOP USING NORTON for ANYTHING OTHER THAN ANTIVIRUS
4 - Read 3 again
Get A Cheap Hardware Firewall (Score:3, Interesting)
No one should have any Windows box directly on a cable/dsl line anyway.
Buy a Linksys Broadband Router (Score:3, Informative)
Seriously -- you can pick one of these puppys up for about $50... and they're incredibally functional if you ever decide to start you own little home network (5 ports is the norm for the price).
I don't give a DAMN what Microsoft says. (Score:4, Interesting)
(http://www.grio.net/)
Firewall is on before I connect to my cable modem if you're going to be DUMB enough to connect it without a hardware firewall protecting the machine. Get an intermediary device like a Linksys or Netgear router, and now you don't have to worry about it. And seriously. Don't install your AV until AFTER you've installed all your updates. You're only complicating the registry before it needs to be.
Seriously, is Slashdot a "News for Nerds", or "HOWTOs for N00bs"? Some of these questions would be better handled by Google and half a brain about networking.
Hardware firewalls. (simple iptables) (Score:3, Informative)
(http://bcgreen.com/~samuel | Last Journal: Friday April 30 2004, @02:42PM)
Get either a dumb hub or a crossover cable, and connect the Windows box by that.
turn on NAT via iptables:
- iptables -t nat -I POSTROUTING -s 192.168.1.0/24 --out-interface eth0 -j MASQUERADE
Turn on packet forwardingiptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD --in-interface eth1 --out-interface eth0 -j ACCEPT
# turn off most packet forwarding (other than outgoing connections above) iptables --policy FORWARD DROP
( echo 1 >
This, of course, presumes that ETH1 is facing your windows box with an IP address in 192.168.1.{1-254}.
You can then either set your Windows box IP address manually, or learn how to turn on dhcpd (i'm not going to go there, but it's not too hard.). In any case, this should be enough NAT protection to allow you to get out on the net from your Windows box without opening it up to inbound virus connections. You can then get to places like Microsoft and Norton's without being pre-emptively infected.
Very very simple. (Score:3, Informative)
(Last Journal: Monday December 22 2003, @01:52PM)
2. Install XP
3. Before connecting to net, enable XP firewall. (Right click on network connection, properties, advanced, "Protect my computer.."
4. Turn on Automatic Updates (Right click on My Computer, properties, then click tick box on automatic updates).
5. Connect to net.
6. Let it patch itself, or if you want, do it manually via Windows Update.
Really, why this simple simple process seems so difficult to Linux users is beyond me. You wouldn't connect a Linux system running say, an old version of Samba or Apache to the net without IP Tables now would you?
Get someone else to do it... (Score:3, Informative)
You say you've been using Linux since 95, yet the obvious solution of using a firewall excapes you! If you're such a linux expert then where's your iptables firewall machine? Or even your $50 router/firewall. I have one for sale for $40 if you want. That's Cdn $$ too! Man, even installing sygate, zonealarm, or any other personal firewall right after winxp is installed would prevent the shit out there from getting onto your machine.
I've been using Linux since 95 too, but I know better to put any machine, Linux or Windows, directly on the net or in the DMZ unless that's my intention. Windows is much worse than other OS's, but I wouldn't even put a fresh linux install of any distribution on the net without doing some work on it first.
I've never gotten a virus or a worm (Score:3, Insightful)
(http://paul-robinson.us/ | Last Journal: Thursday October 25, @07:28AM)
Visa (Score:5, Funny)
(Last Journal: Tuesday April 12 2005, @11:12PM)
Do it right: Use hardware... (Score:3, Informative)
(http://www.bluefeathertech.com/ | Last Journal: Friday November 04 2005, @11:51AM)
I've not had personal experience with them, but others I've spoken with have had good luck with Linksys and D-Link. For my part, I've always depended on our Watchguard Firebox II [watchguard.com] to handle things.
Granted, such a unit is well beyond the cost range of most home setups (unless you get a phenomenal deal on it used, as I did). However, before I had the Firebox, I was part of the Beta testing team for the Zyxel [zyxel.com] 'Prestige 312' combo dual-Ethernet router/firewall. The 312 has been discontinued for some time now, but it performed like a champ for me.
If I were going to pick another unit today, I would look at Zyxel's ZyWall 100 [zyxel.com] series, or something similar. They're quite a bit less expensive than Watchguard's products, and I see no reason they shouldn't work just as well.
If the 100's a little too costly for you, the entire ZyWall series comes in a variety of sizes from 1 on up. The number usually designates the number of VPN connections the unit allows.
If you're a DIY'er, you can, of course, just get hold of a spare PC, stick a couple of NICs in it, load it up with FreeBSD or some such, and turn it into a router/firewall.
The bottom line is that I don't believe any purely software-based firewall can ever be as secure as one that's hardware-based, and dedicated to the purpose of just being a firewall. I certainly don't trust Uncle Bill or Symantec to do it right (witness the problems you've already had).
Happy hunting.
NAT-Router / Hardware-Firewall / Old PC (Score:3, Informative)
(http://slashdot.org/ | Last Journal: Wednesday October 13 2004, @03:52AM)
Like many others said: Get a cheap "internet router" that does NAT (Network Address Translation). If the attackers can't get to the fresh XP machine, they can't kill it. Easy, isn't it? Just turn OFF UPNP support and all DMZ / port forwarding stuff on the router.
If you still have a spare PC (minimum 486SX-25, 8 MB RAM, Floppy, two ethernet cards), give fli4l [fli4l.de] (or any other small Linux router software) a try. Download size is a few MBytes (ask your friends / neighboors), complete boot floppy is created within a few minutes on any Windows system. No linux knowledge required.
Keep the NAT router between the XP machine and your internet connection even after you have completed the XP setup. Though the router may not help against using IE and Outlook, it will help against all TCP and UDP based attacks. All viri and worms that spread by connecting to any TCP or UDP port on your machine will fail to infect your machine thanks to the NAT router.
Tux2000
router (Score:3, Informative)
I bought the router to finally rid me of the personal firewalls tedious configuration ( which btw, you have to do again on each install, with the router it stays with you forever
Not associated with SMC, I just picked up the model mentioned above friday and I am very happy with it.
Enable the built in firewall (Score:4, Informative)
(Last Journal: Thursday February 08 2007, @02:07PM)
Also go into the widnows update site (on another connected computer) and click the update options to the right. There is an option to turn on the catalog view (or something like that... in Linux right now). This will allow you to search for all the updates of a particular Windows platform.
Use this to download the patches and burn them to a CD... Use this CD to patch your system.
Jim
An alternate approach (Score:3, Informative)
(http://devers.homeip.net:8080/blog/ | Last Journal: Tuesday April 12 2005, @08:34AM)
Using TCP/IP may have been a mistake. It was, after all, the vector by which the malware installed itself to begin with.
A better approach may be to do this with two computers, where one is the machine onto which you need to install XP and the other is already up & running with whatever operating system you like.
This second computer will act as a bridge to the internet, speaking TCP/IP only on its WAN interface, and speaking a non-routable protocol like NetBEUI to the XP machine on the LAN interface.
This way, the XP machine can only speak to other local machines.
With a setup like this, you can download the necessary service packs and other updates to the gateway machine -- people have already explained this in some detail elsewhere in this discussion -- and then the XP box can access the updates by regular old fashioned Windows file sharing.
Once you have the minimal updates, then and only then does it make sense to turn on TCP/IP support on the XP machine.