Virus Scanners and Process Authentication for Windows?
cavedwler asks: "Like a lot of people, for one reason or another, I still have Windows running on one of my PCs and have the standard virus scanner and wondered if that is enough. I ran across this site and found a program that seems to work well in conjunction with any virus scanner. It blocks any executable or script from running on your PC without your approval. It is not a virus scanner as it does not search for viruses but just does not allow them to run. It also has the ability to monitor files and restore them in real time if they have been modified. I have been running it for a while now and am thinking of recommending it to my boss for use at work. I was wondering if anyone else out there had tried this, or other programs similar to it, in a real world environment and had any problems or successes."
SecureEXE (Score:3, Interesting)
Trojan Defense System is better (Score:3, Interesting)
theoretically (Score:2, Informative)
I use AVG + ZoneAlarm + Ad-aware (Score:5, Informative)
Re:I use AVG + ZoneAlarm + Ad-aware (Score:3, Interesting)
http://www.kerio.com/
Much more powerful than ZoneAlarm.
Re:I use AVG + ZoneAlarm + Ad-aware (Score:5, Informative)
Download winpcap [polito.it]. Unlike Unix libpcap, it includes both functions to create packets as well as capture them. It does not use winsock but rather installs an NDIS driver that sits lower in the TCP stack. You can then write a simple program that listens for packets and then manually constructs packets with UDP/TCP headers and sends them out. Completely bypasses Kerio.
If you'd like, I can post the code. I tested this about a month ago and it worked against the latest version of Kerio Personal Firewall. Took about an hour of work for a proof-of-concept program. You could get really crazy and implement a TCP stack in userspace and then write all kinds of trojans that would bypass TPF. Only works with privileged accounts since you need permissions to install an NDIS driver, but outside of controlled corporate environments, all Windows users use the Administrator account anyway.
Sygate and ZoneAlarm both install low-level NDIS drivers and are not susceptible to this attack. (At least I couldn't figure out how to bypass them - it may be possible to install a TDI hook which sits below NDIS, but this looks like months of work.)
Other than that, TPF really is much nicer than Sygate or ZoneAlarm, but this is a pretty gaping hole. I'd recommend Sygate over ZoneAlarm.
Re:I use AVG + ZoneAlarm + Ad-aware (Score:1, Interesting)
I don't. I never log in as Administrator (or as an account in the Administrators group) on my Windows box, just as I don't log in as root on my *BSD boxes.
Just because you don't know how to operate in a Windows environment, that doesn't mean that everybody doesn't know. "Runas" is your friend.
Re:I use AVG + ZoneAlarm + Ad-aware (Score:1)
You have to open permissions on a few directories and (occasionally) files to make them writeable, but that's it. The easiest way to do this is lock up write access to everything and audit all access failures. Then log on as a normal user and play away. When something fails, view the security log as an admin and you'll see what you need to open up. After you have a list you can automate this for other systems with a cmd script and cacls.
Several years ago I ran a Windows network with several thou
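One way to script the last step the comment describes, as an added example rather than the commenter's own script: a list file (here assumed to be `paths.txt`, one directory per line, built from the object-access failures seen in the Security log) is walked and each entry gets Change (write) access for the local Users group via cacls.

```batch
@echo off
rem Added example: grant the local Users group Change (C) access on each
rem directory listed in a file, one path per line. The list is assumed to
rem have been compiled from the access-failure audits in the Security log.
rem Run from an administrative account (e.g. started with runas).
setlocal
set LISTFILE=%~1
if "%LISTFILE%"=="" set LISTFILE=paths.txt
if not exist "%LISTFILE%" (
    echo List file "%LISTFILE%" not found.
    exit /b 1
)
rem cacls switches: /E edits the existing ACL instead of replacing it,
rem /T applies the change to the whole subtree, /C keeps going past
rem access-denied errors, /G Users:C grants Change (read + write).
for /f "usebackq delims=" %%D in ("%LISTFILE%") do (
    if exist "%%D\" (
        echo Opening write access on %%D
        cacls "%%D" /E /T /C /G Users:C
    ) else (
        echo Skipping %%D: directory not found
    )
)
endlocal
```

Keeping the path list in a file means the same script can be pushed to other machines once the audit pass on one reference system has produced the list.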
Re:I use AVG + ZoneAlarm + Ad-aware (Score:3)
Re:I use AVG + ZoneAlarm + Ad-aware (Score:1)
Microsoft's patch removed the WM_TIMER message. Also, on an unpatched box, it will not work if the application has a WM_TIMER handler, which is a trivial fix to implement in source.
Even if the application is vulnerable, making the exploit work reliably is not trivial, and is different for each version of each application. It's feasible, but a lot more difficult than you imply.
And slow (Score:2)
Of course, back then I didn't know iptables... but there are other solutions [sourceforge.net] that do just as well. 486s with dual NICs can run as these... but hell an older P1 will handle
Spybot also (Score:2)
These programs work... (Score:5, Insightful)
I find it far more effective to make sure that people aren't running as privileged users under NT. If they aren't running as a privileged user and you have a decent virus scanner that has up to date definitions you'll take care of 99.9% of the threats out there. Worst case scenario... some virus/worm wipes out the user's documents folder.
It really isn't that hard to properly secure NT/2000/XP... I just rarely see the IT staff of most companies bothering to do it.
Re:These programs work... (Score:3, Insightful)
or, some virus/worm wipes out the 30GB of corporate data that's on a mapped drive that the user has read/write access to....
I wonder (Score:2)
What an idea? Maybe something could be put into a permissions file. Oh wait...
Small problem.. (Score:3, Funny)
The idea is neat IF... (Score:2, Insightful)
Re:The idea is neat IF... (Score:2)
I actually work in a place so similar to the one you are talking about...
Re:The idea is neat IF... (Score:1)
some viruses are not directly executable programs (Score:2)
Alot of people? (Score:1)
particular mistake by others at the top of alist of things
that annoy me. Why can't people be alittle more careful with
their grammar? One has to draw aline somewhere, don't be aloser.
YAW.