Forget about AVG.
Go for ESET or Kaspersky .
--
kerf
Avira AntiVir looks good on paper, but it isn't all that much better than Norton in real life.
ESET and Kaspersky are your best choices by far.
--
kerf
I disagree. I've been using Symantec Corp edition products for more than
a Decade and always felt they did a great job at protecting ours and our
clients computers.
Last week I had a case where I was surfing the web and hit a malicious
site and was redirected to a site filled with malware - it took seconds
for my computer to be compromised. Symantec didn't show a sign of
anything and didn't protect me from the malware via browser.
I cleaned the malware from the system, using MBAM and several other
tools - went back to the site, and my SEPP was the latest version and
fully patched, and it was compromised again.
Cleaned, etc.... Loaded Avira Free edition on the same computer and
visited the site again - this time Avira stopped the malware and gave me
a opportunity to ignore, deny, quarantine the malware.
I've moved all my own computers from SEPP to Avira and just started
seeing home users computers that are compromised with really nasty crap
that just went right past Norton/Symantec/McAfee/AVG....
--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself.
spam9...@rrohio.com (remove 999 for proper email address)
--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
"Leythos" <spam9...@rrohio.com> wrote in message
news:MPG.257c89a88...@us.news.astraweb.com...
Since you appear to have missed it, I gave a FULL description of how and
why that system was compromised last week - posted in 4 different
security groups.
Since AV is only a small part of protection, since that computer was not
being protected by the same firewall rules as we protect the secure LAN
areas, it was clear how and why it was infected. In all my decades of
experience I have never had Symantec Corp products fail me, until this
one time - that's a far better record than any other AV product I've
used and tested during that time period.
What you seem to have missed is that I posted my FULL experience on this
issue, a compromised computer on an isolated network, and didn't have to
admit it, I did it because I'm ethical and honorable and don't have
anything to hide - unlike you.
--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
"Leythos" <spam9...@rrohio.com> wrote in message
news:MPG.257cc2e1c...@us.news.astraweb.com...
LOL idiot - it was clear that it was infected, the full description was
in the information I posted.
The network IS ISOLATED, but you fail to understand the scope of the
isolation, one can easily build a network isolated from all other
networks within their facility - as we did.
There was a lot of detail that you missed or already know and are lying
about idiot. Face it, you were owned in this thread too, proving you
have no skills and are just a pirate/theif.
--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
"Leythos" <spam9...@rrohio.com> wrote in message
news:MPG.257cdf0ca...@us.news.astraweb.com...
You're the one back peddling, my full description of the incident was
made public last week - you're making yourself look like the fool you
are Chris.
> Since you appear to have missed it, I gave a FULL description of how and
> why that system was compromised last week - posted in 4 different
> security groups.
Can you provide a google link or similar to that article?
I'd be interested to know how a person like yourself, who no doubt has
systems fully patched, has a properly configured firewall, does not
surf the web with administrator rights and does not run executable
content offered could be affected.
Was this a zero-day exploit of some kind?
Do a google groups search - I posted it to Usenet in several security
groups.
The computer in question was setup for the sole purpose of downloading
files from the web, the account was a local admin, the firewall
permitted all file types to be accessed in HTTP/FTP, but it was isolated
from the rest of the network.
The computer was fully patched, running XP Prof SP3 and all updates,
SEPP latest version and fully updated, and I was using the latest
FireFox browser at the time.
If I had blocked exe/com/dll/etc it would not have happened, same if
the machine was not setup as a local admin (like the rest of our
computers).
We set this machine up with the idea that IT WOULD be compromised at
some point, that's why it was isolated, but in years (not the same
physical computer) it never happened.
The interesting thing is that I've seen several other computers,
residential systems, compromised with what appears to be the same crap.
You seem to have missed the article like Butts did - it was a
sacrificial machine with the sole purpose of downloading files.
It is well known that downloading program files from the web can
potentially lead to malware problems. What interests me more (and from a
detection point of view) is how the initial lure gets to be displayed to
a user. Obfuscated HTML and/or script (I'm sure scripting was also
enabled and unrestricted) can be detected as suspicious (Avira may show
a heuristic detection of these) and 'nipped it in the bud'. This is
*not* the same as detecting the actual (various) malware being served
up. Does your goat log these lure attempts, and did the endpoint
protection slip up, or was it a new obfuscation technique it wasn't yet
equipped to handle? Are your downloads unattended, or is the user
required to say "yes" to whatever oddball rogue requests a click from
them?
I assume this was a goat network rather than a regular network that you
set up on "opposite day". :o)
We have one machine we setup to download from the net, it's a machine
that has no access to our other machines by network connection and
firewall rules - the purpose is to download files, it's not a honeypot,
it's just a safe way of doing downloads.
In this case I was attempting to browse to a MS site and entered the
address incorrectly and was taken to a non-MS site and immediately
redirected to the malicious site.
SEPP didn't show anything at the time of entry or during the additional
items the malware downloaded, and the firewall was not setup to monitor
intrusions on that network/machine.
In this case there was no manual anything, as soon as the page started
to load the tattle-tale DOS box appeared and then closed, doing this
several times in a few seconds - as each new malware was loaded.
The reason I posted the events/information was to make people aware of
just how easy, even if you're using a NAT router, it is to get
compromised by accident, using all updates/patches, using commercial
antimalware tools, etc.... In all my years I've never had that happen,
but we don't normally allow that level of access on our networks or
customers networks - this machine was isolated and for good reason.
The point was that with a few simple protection methods, based on how I
believe the infection entered, it could have been prevented, something
that most people are not willing to do because of the limits it puts on
them while using their computers.
Common typo squatters!
> SEPP didn't show anything at the time of entry or during the
> additional
> items the malware downloaded, and the firewall was not setup to
> monitor
> intrusions on that network/machine.
Browser exploit webpage must have had something that worked on your
setup.
> In this case there was no manual anything, as soon as the page started
> to load the tattle-tale DOS box appeared and then closed, doing this
> several times in a few seconds - as each new malware was loaded.
Why do you run this special isolated machine as admin?
> The reason I posted the events/information was to make people aware of
> just how easy, even if you're using a NAT router, it is to get
> compromised by accident, using all updates/patches, using commercial
> antimalware tools, etc.... In all my years I've never had that happen,
> but we don't normally allow that level of access on our networks or
> customers networks - this machine was isolated and for good reason.
Compartmentalization is the essence of what the term "firewall" used to
be all about.
> The point was that with a few simple protection methods, based on how
> I
> believe the infection entered, it could have been prevented, something
> that most people are not willing to do because of the limits it puts
> on
> them while using their computers.
You mean - like not running as admin when you don't need to?
seems like firefox with noscript might have prevented that. [ its happened
to me before, thats why i use ff ]
--
Tommy
> seems like firefox with noscript might have prevented that. [ its
> happened
> to me before, thats why i use ff ]
A malicious website can host a wide variety of exploits covering many
different clients. The way to get the user to visit the site varies
(some using script), but this was just a misstep that landed Leythos in
a bad place (with the keys to the machine dangling out of his pocket).
Sometimes the user's choice of client only changes the website's choice
of exploit(s).
> Do a google groups search - I posted it to Usenet in several security
> groups.
The article title or a group name would have helped, but someone
kindly sent me a link.
http://groups.google.com/group/microsoft.public.windowsxp.security_admin/msg/5a7d07766b150feb?hl=en
> The computer in question was setup for the sole purpose of downloading
> files from the web, the account was a local admin, the firewall
> permitted all file types to be accessed in HTTP/FTP, but it was isolated
> from the rest of the network.
Ok. Nothing wrong with being able to download potentially dangerous
files but running them is another matter.
> The computer was fully patched, running XP Prof SP3 and all updates,
> SEPP latest version and fully updated, and I was using the latest
> FireFox browser at the time.
Seems like FireFox could be the problem.
> If I had blocked exe/com/dll/etc it would not have happened, same if
> the machine was not setup as a local admin (like the rest of our
> computers).
>
> We set this machine up with the idea that IT WOULD be compromised at
> some point, that's why it was isolated, but in years (not the same
> physical computer) it never happened.
Ok.
I've read the article and it appears the user did not deliberately
download and run something but simply visited a bad site causing
FireFox or one of its plugins to run an executable. Since the browser
was up-to-date and presumably configured properly, this indicates a
new or recently discovered but unpatched bug.
Typically, malicious sites attempt to run Javascript which does
several of the following:
* Allocate huge blocks of memory, filling with nop slides and
shellcode in preparation for exploiting a buggy browser component.
The exploit corrupts the process or thread stack and the CPU
instruction pointer ends up in the prepared memory. The attackers
code is now in control. I believe Data Execution Prevention (DEP) is
supposed to prevent this happening.
* Attempt to exploit many different ActiveX controls which are known
to be vulnerable or unsafe. They can be standard Microsoft components
or so-called browser helper objects like toolbars and seach
assistants from other software vendors. Not usually an issue with
Mozilla browsers which don't understand ActiveX controls, although
I've heard of a plugin that can enable access to them.
* Load malformed PDF and SWF (Flash) documents which also contain
shellcode and exploits for buggy Adobe components. Sometimes these
are targetted at other document readers like FoxIt.
* Run Java applets which exploit buggy versions of Sun's JVM.
* Exploit other controls, components, plugins or DOM peculiarities
specific to FireFox or other browsers.
I think that just about covers the current range of possibilities for
browsers. Other than that, the user would have to deliberately run an
executable.
> The interesting thing is that I've seen several other computers,
> residential systems, compromised with what appears to be the same crap.
Bogus security/AV software is widespread.
So scripts aren't the only way to infect somebody's pc from a website.
Got any cool links for that type of thing?
--
Tommy
>> Sometimes the user's choice of client only changes the website's
>> choice of exploit(s).
>
> So scripts aren't the only way to infect somebody's pc from a website.
> Got any cool links for that type of thing?
excellent, thanks
--
Tommy
Because it's used for specific functions and the machine is setup for
access to sites that MIGHT compromise it.
You guys seem to miss that this is a sacrificial machine, just for
downloads on the net.
I use to run NoScript on that machine, was to much bother, and the
machine was specifically designed/purposed for this type of situation,
it was not a production/domain computer, it was setup for just this type
of reason, a just in case machine.
Yep, but as I mentioned, I didn't click on anything, it was a browser
redirect and nothing was downloaded/clicked.
No, I got that part.
What you seem to miss is that offering up your sacrifice of computing
power to possible nefarious activities affects us and not just you.
I assumed the poster only wanted information. The fact is that the
browser itself acts as a window for other programs that also consume
data from a webpage, so even if the browser itself isn't attacked (or
abused in the case of scripting or media extensions) it still
participates in the attack vector. Exploits on webpages aren't entirely
limited to scripting exploits - although that is probably the lion's
share.
> I wonder if there's any real danger out there to a hardened system?
> I'm still waiting on someone to put up a link that my system can't
> handle.
Probably not, but there's always new stuff coming all the time. I used
to be able to send a metarefresh to the con/con bug in an e-mail, just
because that is no longer possible does not mean something else like it
won't be possible in the future. Even security programs (parsing the
HTML prior to the browser getting it) could conceivably be attacked if
they mishandle the data.
I always had scripting disabled in earlier Windows versions (I
considered scripting to be extending programming rights on my machine to
unknown parties), now I just take my chances with the timeliness of
patches for zero-day exploits.
Then you did miss the information in the description - there was NO
OFFERING and it WASN'T ONLINE FOR MORE THAN 10 SECONDS once compromised.
Sheesh, are you trying to be confrontational or what?
Sorry, I must have misunderstood your reasoning for running the subject
computer in such a pants down bent over state on the internet.
We've had a computer in that role for years, this was the first time it
had been compromised in all that time, running under that same
methodology. If I had given it enough time the IDS in the firewall would
have locked it to the network it was in and not let it have Internet
access, so there was no real danger of spewing crap on the net for very
long.
This was a sacrificial computer, we keep a ghost image of it on a USB
drive so that we can restore it as needed - it's not like the machine is
used by people that can't spot the signs....
>Ant wrote:
>>* Load malformed PDF and SWF (Flash) documents which also contain
>>shellcode and exploits for buggy Adobe components. Sometimes these
>>are targetted at other document readers like FoxIt.
>
> Didn't Foxit fix that vulnerability back last summer
> with v3.0 b1817? http://tinyurl.com/yeseu8t
Yes, but people think that by using alternative software they are
immune from attack. Exploit writers are wise to this, so whatever
browser and associated applications are used as helpers to display
documents/multimedia, it's important to keep them up-to-date.
>n...@home.today says...
>> I think that just about covers the current range of possibilities for
>> browsers. Other than that, the user would have to deliberately run an
>> executable.
>
> Yep, but as I mentioned, I didn't click on anything, it was a browser
> redirect and nothing was downloaded/clicked.
However, executables were downloaded (or injected into memory) and
run, albeit automatically by the browser, thereby indicating a
problem with that software. At least, one presumes that was the case
and there wasn't some vulnerable MS service accepting malicious
requests on, say port 445 coincidentally at the same time.
--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
"Leythos" <spam9...@rrohio.com> wrote in message
news:MPG.257d77cb5...@us.news.astraweb.com...
| "ASCII" wrote:
Actually, there was another vendor independent PDF vulnerability the US CERT identified
(APSB09-15) in October that was patched by FoxIt v3.1.2.xxxx
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
"Leythos" <spam9...@rrohio.com> wrote in message
news:MPG.257d90f2f...@us.news.astraweb.com...
Looked in a mirror lately, dipshit?
Il mittente di questo messaggio|The sender address of this
non corrisponde ad un utente |message is not related to a real
reale ma all'indirizzo fittizio|person but to a fake address of an
di un sistema anonimizzatore |anonymous system
Per maggiori informazioni |For more info
https://www.mixmaster.it
There is no port 445 access on that network, only FTP, HTTP, HTTPS, DNS
on that network.
Actually, I run all major releases/products from all major vendors as
tests against malware on multiple machines (and no, not at the same
time). So I do know exactly what I'm talking about, unlike you.
We uninstall SEPP and run other products as well as MBAM and SAS on
select random machines every month - part of the basic security scan.
Seems you're not 1/100 as smart as you pretend.
You really are a dumbass - the User was me - that's why I know so much
about it. There was no hiding "WHO" the user was, that's your attempt to
hide that you don't know what the heck you're talking about.
I wrote the document without being personal, it's clear that it was an
analysis of what happened and the details - something you know nothing
about.
You have hosted Porn on your website, most of us remember it well - and
you posted links to it in MANY Usenet groups like the filthy pirate you
are.
Indeed! That's the problem.
>>Even security programs
>>(parsing the HTML prior to the browser getting it)
>>could conceivably be attacked if they mishandle the data.
>
> AFAIK the browser is the first app that sees anything online,
> after the innate windows firewall.
Remember "Proxomitron"? I'm thinking that some of these browse-safe
"security" programs work similarly.
> Is there anything that can overwhelm a simple allow/ignore IDS?
Overwhelm? No. Circumvent? Probably. It lies in what is allowed to be
consumed by what.
Murphy sez:
Updating to the latest and greatest wil add new and currently unknown
vulnerabilities.
Art :)
--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
"Leythos" <spam9...@rrohio.com> wrote in message
news:MPG.257e4fd16...@us.news.astraweb.com...
Considering you're a guy claiming to be a woman, it would appear you're
not sure what you are - maybe all that Pirate Juice has actually
impaired your cognitive abilities more than we thought.
> Murphy sez:
>
> Updating to the latest and greatest wil add new and currently unknown
> vulnerabilities.
The more complex systems become, the more bugs they have and the more
opportunities there are for exploits. That's why my browser is wget on
Windows 2000! Well, not all the time but a lot of malware will now
only run on later versions of XP and above. Some of it requires recent
versions of the VC++ runtime libraries, newer API functions in the
core OS and some uses dot-NET. I don't have that stuff on my internet-
connected PC.
My system wouldn't suit a modern-day web user; it's too minimalist and
doesn't have the latest gizmos. Apps I use most are a command prompt
and a text editor!
> FromTheRafters wrote:
>>"tommy" <tommyle...@removeyahoo.dropcom> wrote in message
>>news:hf0pff$42s$1...@news.eternal-september.org...
>>
>>>> Sometimes the user's choice of client only changes the website's
>>>> choice of exploit(s).
>>>
>>> So scripts aren't the only way to infect somebody's pc from a
>>> website. Got any cool links for that type of thing?
>>
>>http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_
>>web_based_attacks_03-2009.en-us.pdf
>>
>
> That link merely describes the theoretical nature of browsing dangers.
> affecting grossly under-protected systems or extremely careless users.
> I wonder if there's any real danger out there to a hardened system?
> I'm still waiting on someone to put up a link that my system can't
> handle.
It would be at the least, irresponsible for anybody in antimalware to place
any link that could harm your computer intentionally. Some things, you will
have to locate on your own; if thats really your wish.
--
Dustin Cook [Malware Researcher]
MalwareBytes - http://www.malwarebytes.org
BugHunter - http://bughunter.it-mate.co.uk
> I'm not looking to harm my system, but merely offering a bluff for
> someone so
> inclined to call it, and I suspect you well understand the sarcastic
> smart ass
> nature of such.
> To be simplistic, I could do more damage with readily available hand
> tools
> than any set of code could ever hope to. I'm a retired electronic tech
> that
> has spent enough time online to adopt the arrogance of today's youth.
> ;-)
I just had an image of you sitting there all smug with a text-only
browser - just daring anyone to post a malicious link. :oD
There was a site some time ago that hosted every exploit they knew to
crash the visitor's machine - a test site that explained what was being
tested for and allowed the user to decline if so desired. Also, another
site on that domain that did the same thing only not so nicely. Having
never used a text only browser, I wouldn't know how affected it would be
by the malformed or oversized font file exploits.
Still, your computer consumes data, and that data can be maliciously
crafted.
The trick is whats done with the data. Is it treated as data only, or
can specific instructions be included? That's where it gets
interesting...
>>Still, your computer consumes data, and that data can be maliciously
>>crafted.
>
> Maybe a better or more accurately defined 'consumption' would be in
> order.
Data destined by the consumer program's design to be translated and
interpreted as program code (a browser extension that runs scripts for
example), is the most obvious consumption. Such code can do something
undesired by using or abusing functions. Data destined by design to be
consumed as data only can influence program flow in undesired ways as
well, especially if there are flaws in the consuming program that allows
the data to be interpreted as code. Even if the data isn't interpreted
as code, it can be used by the consuming program as input (for address
arithmetic for example) which can result in DoS conditions like hanging
or crashing the program or the OS by memory corruption.
Data crafted as a simple DoS attack, while unsophisticated, would still
be exploit based malware.
> Just utilizing such data doesn't necessarily have to be destructive
> regardless
> of how it's crafted.
No, it doesn't have to be. The thing is that data coming in often gets
consumed by more than just the program that the user thinks is consuming
it. There are often many opportunities to mishandle data.
Like when it is assumed that the data will only be treated as data (as
designed) but vulnerabilities exists (malicious font files) or it is
misunderstood that an assumed data filetype has the ability to execute
code by design.(WMF).
Sites that host exploit based malware could have a detrimental effect on
a system where the user thinks he can go anywhere and click on anything
because he uses a "secure" browser. Exploits such as the one discussed
here http://seclists.org/bugtraq/2009/Jul/91 could still ruin your day.
Someone as described above.
> Went and checked,
> yep,
> sure enough,
> they're talking about MSIE.
They mention that IE often uses that dll. It is a system file that other
applications than IE can also use. The browser is providing a path
(vector) to the vulnerability - but is not insecure (in this context) in
and of itself. I'm just saying that it is not always obvious what takes
place when clicking a link. Bad things can happen even if the browser
itself is secure.
> Now, kindly show me the way to an actual threat to
> a 'secure' browser. I'm not saying none exist,
> just would like to know the limits to my system
> so I can tweak my config if needed.
I don't know of any off hand, I'm only saying that they can (and
probably do) exist.