Everything posted by herbalist
-
I never saw your last post. Sorry about the delay in responding. I can't say if this applies to all the online system scanners, but the last time I ran HouseCall, it updated the previously downloaded scanner, much like a conventional AV would. The main page of the scanner claimed that 2K or newer was required, but the scanner downloaded and worked fine. There were a few activities I questioned the need for and decided not to allow, like a specific component that tries to get your MAC address, but the scanner still worked. When I have the time, I'll try to go through the available online scanners and see which ones still work with 98. It will be a while before that happens.

Paranoid? I don't own a credit or debit card and have never used an ATM. There's nothing paranoid about it. It was just this year that I started using the online facilities of my bank with my checkbook. The problem is that you have to trust that both their end (the financial site) and the DNS system that took you there have not been compromised, in addition to knowing that your own system is secure. There are two separate problems here. The first is knowing that you're actually at the site you wanted to visit, and that you haven't been redirected to a spoofed site. The second problem is when the legitimate site gets hacked. The Bank of India was hacked badly a while ago and was serving up a lot of malware, including password thieves. Other than making your own system resistant to any malware a compromised site might serve up, there isn't much you can do about the integrity of their end, but there are some things you can do on your end to offset some of the problems.

Site spoofing is making an almost identical copy of a legitimate site for the purpose of stealing your log-in credentials, credit card info, etc. The site may look the same, but its IP address is different. Get the IP addresses of the financial sites you use and add the address and site name to your hosts file. That defeats attacks that use the DNS system. You can also use firewall rules that restrict the IPs you can make secure connections to. If the IP is wrong or changes (redirected), your firewall should alert you.

Part of the solution has to come from the financial site. On the initial login page of my bank, only your login name is entered, which can be anything you choose. The site may or may not challenge me with a security question. The site then has to display an image and a line of text that I selected when I set up the account. If I see those, I know it's the correct site. A spoofed site would have no way of knowing what those would be. If they're correct, I enter the password. If a financial site's login system does not have provisions for you to authenticate them as well as them authenticating you, don't use it. They're not facing the realities of today's internet.

Some browsers allow the same user to have several profiles. With those that do, setting up a profile that's strictly for financial or sensitive tasks can help. Any cookies or temp files created are in a different location than those used by the default profile. It's also a good idea to make any financial work the first thing done in a browser session, and to not visit any other sites during that session. Wiping the browser cache, history, cookies, temp files, etc. after a session would prevent a malicious site that's visited afterwards from collecting that data. I use the launcher component of Eraser for this, executed by a small batch file. One click wipes all the locations. Use version 5.7 on 9X systems, not the newer one.

I'm not particularly impressed with the extension system in Mozilla browsers either, especially NoScript. Any security/privacy tool that presumes to whitelist sites without my consent isn't wanted, especially when Google is in the list. I use the FlashBlock extension like a switch for flash content. The actual content filtering is done ahead of and independent from the browser by Proxomitron. This eliminates problems caused by vulnerabilities in security extensions. Firewall rules prevent the browser from accessing the internet without going through Proxomitron.

Regarding attacks on external hardware like routers, DSL modems, etc., I'm convinced that there are a lot of vulnerabilities and possibly even built-in backdoors that we don't know about. I've had several DSL modems that have an upper range port open that can't be closed with any of the configuration options. On every one of them, the port number has been different, but they've all had one open port. I can't determine if this is something my ISP has done or if it comes that way from the vendor. I've also disabled UPnP on everything and added blocking/logging rules to Kerio for the UPnP ports.

I've been working on some web pages that detail how to use SSM free on 9X systems to enforce a comprehensive default-deny security policy sufficient to offset the lack of AV support. It's taking much longer to finish than I expected. Too much else to do and not enough time in a day. Rick
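Worked example (added here by the editor; it is not part of Rick's post and not code from any product he names): a small Python script that does the two checks the post describes, pinning the addresses of financial sites in a hosts file and refusing outbound HTTPS to any address that is not pinned. The hosts-file text, the hostnames (.test domains) and the resolver answers are constructed for illustration, and the firewall decision function is a stand-in for whatever rule syntax your firewall actually uses.

```python
"""Pin financial-site addresses; check resolver answers and outbound HTTPS against them.

Added example; not code from the post or from any product it names. Hosts
text, hostnames (.test) and resolver answers below are constructed samples.
"""
import ipaddress

# Constructed hosts-file text in the shared Windows/Unix format:
# <address> <name> [<alias> ...]; '#' starts a comment.
HOSTS_TEXT = """
# pinned entries for financial sites (constructed sample)
127.0.0.1       localhost
198.51.100.20   online.examplebank.test   www.examplebank.test
203.0.113.7     secure.examplecu.test     # credit union
not-an-address  bogus.test
"""


def parse_hosts(text):
    """Return {hostname: address} from hosts-file text, skipping comments and bad lines."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address: skip it rather than pin garbage
        for name in fields[1:]:
            pins[name.lower()] = address
    return pins


def check_resolution(pins, hostname, resolved_address):
    """Compare what a resolver returned with the pinned address.

    'mismatch' is the DNS-redirection case the post warns about; 'unpinned'
    means the host was never pinned, so the check says nothing about it.
    """
    pinned = pins.get(hostname.lower())
    if pinned is None:
        return "unpinned"
    return "ok" if pinned == resolved_address else "mismatch"


def https_decision(pins, dst_address, dst_port=443):
    """Default-deny stand-in for a firewall rule: outbound 443 only to pinned addresses."""
    if dst_port != 443:
        return "not-covered"           # this rule only governs secure connections
    if dst_address in set(pins.values()):
        return "allow"
    return "block-and-alert"           # wrong or changed address: possible redirection


if __name__ == "__main__":
    pins = parse_hosts(HOSTS_TEXT)
    # constructed resolver answers: one honest, one redirected
    for host, answer in (("online.examplebank.test", "198.51.100.20"),
                         ("online.examplebank.test", "192.0.2.99")):
        print(host, answer, check_resolution(pins, host, answer))
    print("HTTPS to 192.0.2.99:", https_decision(pins, "192.0.2.99"))
```

Pinned addresses have to be maintained by hand: when a site legitimately moves its servers, both the hosts entry and the firewall rule go stale, and a "mismatch" or "block-and-alert" result then needs checking against the bank's announced addresses rather than being read straight off as an attack.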
-
My network is quite simple. ISP provided DSL modem>Smoothwall>PC. VOIP router on DMZ. Wired, static IPs throughout. PCs being serviced are connected to the VOIP router, not my LAN.
-
I'm not using XP. On this PC I'm running Win2000, 98FE, 98SE and 2 flavors of Linux. As far as comparing 2K and 98: 98 boots up and shuts down a lot faster. Applications start and run slightly faster on 98, but not as many are 98 compatible. Once they're both tuned up, internet speeds are about equal. Both will run for several days continuous. After a couple of days, 98 starts to lose stability. Out of the box, a 98 install is fast but unstable. It needs a lot of upgrading and tweaking to make it a stable and reliable system. IMO, the results are worth it. 2K is stable out of the box but sluggish. It needs tuning to reach its speed potential. When I do upgrade my hardware, I'll probably run the same operating systems I am now. IMO, an OS should be a platform that runs your software and interfaces with your hardware, nothing more. Beyond that, it should stay out of the way. AFAIC, the newer operating systems don't meet that requirement and are moving in the opposite direction. I don't need an OS that uses more disk space than all my software combined. That's not an upgrade. It's a big waste. If MS won't produce an OS that meets that simple requirement, I'll keep using their old ones. When that's no longer possible, I'll move to another OS like Linux. Rick
-
Why should I "upgrade" to a system that would force me to buy new hardware just to match the performance of what I have now? Rick
-
The PC I'm using does everything I need. Yes, I could use some more disk space and a little more speed would be nice, but I can't truly say that I need it. That said, I wouldn't mind something more powerful for recreational purposes. A friend has a game that I enjoy but it's far too demanding to ever run on my hardware. Being able to play it at home would be fun and would let the 2 of us work as a team on the game, but I can't say that I need to be able to play such games at home. It's probably the last thing I really need, an excuse to spend more time on the computer doing nothing useful. Rick
-
Unless the task at hand requires the use of a different OS, I'll boot up 98FE. For me, it's been very stable and reliable.
-
Both 95 and 98 do much better than that when you install a display driver. Check the vendor's site. If the vendor doesn't offer one, try a universal driver. This one has worked well for many people. Rick
-
I've only seen a couple of ME systems that behaved well. Most of the ones I've worked on ended up with either 98 or 2K on them. I've seen a WinME unit go from very well behaved to completely unstable when the AV updated, but that same AV update worked just fine on another WinME unit. On another one, I installed a firewall (Kerio 2.1.5), rebooted it, and had no keyboard when it restarted. Eidenk, either you've been fortunate with your copy or you know some trick that makes WinME behave that most of us don't know about.
-
When you said it came with Win95, I was expecting much lower specs than those. 98SE will run very well and quite fast on that system. If it were mine, I'd set it up as a dual or multi-boot with Win98(FE or SE) and Win2K, and maybe a lightweight linux version if it interests you. Both 98 and 2K will run well on those specs. Given the specs you listed, I'd have to assume that the USB hardware is 2.0 ready. 95 and 98FE would be slightly faster than 98SE or 2K, but the difference wouldn't be much. If the reason you were considering Win95 was the extreme lightness and the potential speed you could get from it, you might also consider using 98lite to strip it down. Even the free preview version can give a substantial performance increase. You might want to make a backup of the 95 system. 98lite can use the 95 shell if you want. On a PC with those specs, a 98lite system would fly. Rick
-
I've never used Clam or ClamWin. Others who are obsessed with test results claim that it fails to detect a lot of malicious code. Then again, they all have that problem to a growing degree.

I suppose that you could look at it that way, given the fact that most malicious code gets into a system from the internet. That said, unless you bought your AV from a store on a CD, chances are that your AV came from the same internet, as do its detection updates. AVs are not completely trustworthy by design. They're never completely up to date. None of them catch everything. I don't see any real difference between an online scanner and a locally installed one, save that you know when the locally installed one was last updated. Is using an online AV any different than using online data backups or online applications? Ideally, I'd choose a locally installed application every time, but 9X users aren't getting many to choose from.

Agreed. Then again, neophyte users shouldn't be running unsupported software and operating systems. Unless they know how to secure their system using their own resources, they're running on nothing but blind luck and random chance. Malicious code might not be targeting 9X systems much anymore, but it is targeting the applications that run on it.

It's been years since I tried Opera. Didn't like it, but it was long enough ago that I don't remember what it was I didn't like. For me SeaMonkey and its predecessor, the Mozilla Suite, have been very reliable. I can't remember the last time I had a non-beta version crash. Everybody has their preferences, but like everything else, there are fewer that work on 9X all the time. Eventually, 9X users will have to run the last compatible version and rely on good filtering and a default-deny policy to offset their weaknesses. Rick
-
Thanks. That's very much appreciated. I'm glad to hear that others are finding this thread useful. I'm pretty sure that AntiVir/Avira has already dropped support for 98/ME. There aren't many left for 98. I haven't tried the online system scanners in a while. Probably should, just to see which ones still work with 9X. Is it Opera itself crashing or the add-on that's causing it? SeaMonkey and K-Meleon are both good browsers for 98. Avoid the 2.0 versions of SeaMonkey unless you have KernelEX installed. Both browsers are fast, light, and very stable. Unlike Internet Explorer, which hasn't been patched on 98 in some time, these browsers are up to date. Both are available as installers or zip files. If you'd like, you can install both and see which one you like better. K-Meleon has flash blocking built in. The FlashBlock extension has a version (1.3.13) for SeaMonkey that works very well. Proxomitron can also block flash content for any browser. Flash is one of those problem formats that's more often used to deliver ads and junk than to deliver useful content. It can also be used maliciously. In one instance, Flash was used to alter the settings in routers via UPnP. When Adobe stops updating the 9X compatible versions of Flash Player, flash content could be a major vulnerability for 9X systems. Blocking it by default and allowing it on an as-needed basis is the best way to deal with a format that's not usually delivering anything useful. Rick
-
What are the specs for this PC, processor, RAM etc?
-
The problem with the "zone" concept in Internet Explorer is the complete lack of versatility more than it is "on the fly" usage. There are only three levels of permissions available at any one time. All sites not entered into the trusted or restricted zone run with "Internet zone" permissions. Proxomitron takes the idea much farther, letting you make an almost unlimited number of permission lists, whitelists, blacklists, etc. You can have separate site whitelists for flash, java, javascript, etc. That way, you can allow the site only the permissions it needs instead of selecting between 2 or 3 pre-defined groups or zones. You can allow the java applets on a site to run and still block the flash content.

Besides the lack of flexibility, one of the main problems with the "zone" concept is its default-permit basis. Its default zone should be what it calls the restricted zone, not the internet zone where sites have more permissions. Whoever came up with those default settings didn't think the process through. By the time you find a site should be in the restricted zone, you've already visited it in the internet zone. Internet Explorer users who don't want to use Proxomitron should completely change the "zone" settings. Since the "Internet Zone" is the default permissions for sites not listed in the other zones, it should have the least permissions. The "restricted zone" should be the next step up, where sites have more permissions than those in the default zone. The "Trusted zone" should be limited to sites that need the higher levels of permissions to work. Site trust and permissions should always start low and be raised if necessary, not the other way around.

That is becoming a bigger problem all the time: malicious code that's executed by the AV when it's unpacked and scanned. Fortunately for 9X users, that code most likely targets NT systems and probably won't run on a 9X system. There have also been several instances where a security suite is successfully attacked and used to take over the OS. If I remember right, that happened with Norton Internet Security, and those compromised PCs were used to launch some big DDOS attacks against anti-spyware vendors and websites. Malicious code that makes the AV part of the attack surface puts the AV vendors into a no-win situation. If the resident AV can't function at a kernel level, it won't be effective against malicious code that does. On the other hand, when an AV scanner is integrated with a resident AV, certain types of malware can exploit that by using the scanner to execute it. The only way to avoid that is for the resident AV and the AV scanner to be completely independent of each other. That would make them even more bloated than they are now. Most are already too bloated to run decently on a 9X system. A well configured HIPS like SSM can prevent the execution of malicious code by the AV, but it will require very tight control over the parent-child settings for the AV components. That problem is compounded by the fact that AVs need constant updating, which often includes new executables that will be unknown to the HIPS software. If the AV's updater isn't permitted to launch new executables, the AV can't automatically update. In order for HIPS to protect the system from malicious code that's executed by the AV, the AV can't be allowed to execute an unknown, which makes updating it a manually performed administrative task. It's simpler to set up a default-deny policy, drop the resident AV, and use online scanners to check files. Rick
-
In the last 5-6 years, I've seen several reputable companies join up with some very questionable partners. Shortly afterwards, their products and services start going downhill. I haven't used Comodo products, but I was considering trying out their software on a test unit. The incident with the ask.com toolbar pretty much made me decide against it. This latest incident has guaranteed that I will never install their products on any PC, mine or a client's. How good a piece of software might be doesn't matter if you don't feel that you can trust the vendor. I can forgive coding errors, missed detections, software conflicts, and similar problems, at least to a point. When a company starts compromising their integrity or lowering/violating their own standards for quick money, that I don't forgive. Software isn't like physical goods. We can't look at the box, the install CD, or the downloaded file for any indications of its quality. All we have is advertising, test results (possibly biased, often just more advertising), and feedback from other users that we've never met. On the internet, separating fact from fiction and truth from hype/advertising isn't easy. When a company's integrity and motives are repeatedly questioned, it's very difficult to trust their software, especially when it's a combined, standalone package. No matter how good Comodo software might be, they've already done serious, possibly irreparable damage to their image and reputation. With software, there's nothing that matters more. Rick
-
Jetico Personal Firewall problems
herbalist replied to Rjecina's topic in Malware Prevention and Security
If I remember correctly, some of the early betas for Jetico 2 still worked on 98. The present versions don't. It's possible that the beta version mistakenly detected a 9X system file as a trojan, not taking into account that the 9X files are different than their NT counterparts. The vendor may have felt that fixing it wasn't worth the trouble for an unsupported OS. Rick
-
Jetico Personal Firewall problems
herbalist replied to Rjecina's topic in Malware Prevention and Security
If "modern" firewall is referring to a security suite such as Comodo, that's the last thing 98 needs. Doesn't matter anyway, since no one is going to make their product 9X compatible, with the possible exception of some Open Source project. Besides, we have all the security-ware we need to make a 9X system nearly bulletproof. See [9x/Me] Surviving Without a Virus Scanner. The thread title is somewhat misleading because the thread covers much more. Rick
-
Jetico Personal Firewall problems
herbalist replied to Rjecina's topic in Malware Prevention and Security
You might want to keep a copy of WinSockFix handy. Some malware replaces WinSock components with their own. When that malware is removed, the altered files are gone but not replaced. WinSockFix is available at http://www.softpedia.com/get/Tweak/Network...inSockFix.shtml Rick
-
All of our security software can be considered as filtering tools. What they allow or filter out is dictated by the security policy that's being enforced. With the standard default-permit security policy, an AV is one of the core security apps, filtering out suspicious and known malicious code. With default-deny, the policy editor and/or HIPS effectively filters out all non-whitelisted executables. The firewall filters out all traffic that's not specifically permitted. This brings us to the problem of unwanted or malicious content delivered by the allowed traffic. This web content includes a wide variety of code, including:

- Media files, audio and video.
- Flash content, which ranges from useful and entertaining to annoying and potentially malicious.
- Java, same range as Flash.
- Javascript, a wide range of functions ranging from small webpage conveniences to the fetching of malicious pages.

A lot more sites use scripts, javascript, and other interactive content than you might think. On this thread for instance, the "fast reply" window uses javascript. On this weather radar page, several of the map functions use javascript. Sites might be displayed normally with scripts and active content disabled, but there's often a loss of function that makes the site less usable. Whether we like it or not, the web is using more active content all the time. Blocking all scripting and active content might be safer, but it also makes the internet less usable and enjoyable. Unlike executable files, dealing with web content isn't as black and white. The exact same code can serve a useful purpose or be used maliciously.

The default-deny security policy can be applied to web content. Active content and scripting can be treated as executables, with the sites containing them treated as parent processes. This requires software that can handle web content in the same manner that HIPS software handles applications, blocking active content by default while allowing certain sites to perform specific activities. The trusted, restricted, and internet "zones" in Internet Explorer attempted to do this to a very limited degree. With no ability to block or permit specific content on the fly, it's not sufficient. Various extensions like FlashBlock and NoScript make possible the whitelisting of specific activities and websites on FireFox, SeaMonkey, and other "gecko" based browsers. The problem with these is that they only work with the browser they're installed to. As extensions of the browser, they can be adversely affected or broken by browser updates. Some like NoScript have a few issues of their own, like a controversy over a premade whitelist.

Proxomitron is a much more flexible and powerful web filtering tool. It's available at PrxBx.com, along with filter sets, tutorials, archived websites, certificate tools, and a forum for Proxomitron and other web filtering tools. Proxomitron (version Naoko-4.5 recommended) works with all browsers. It can filter all web content, limited only by the filter set and the skill of those who write them. The better your knowledge of HTML and scripting languages, the more powerful it is. Proxomitron enables you to whitelist specific types of active content and websites along with filtering out or modifying most any other web content, including cookies, user agents, referrers, nosy scripts, i-frames, and much more. Proxomitron is small, 1.6MB extracted. No installation necessary. Unzip it, change your browser's proxy settings, adjust your firewall rules, and go. The default filters are a good place to start. Like all rule based software, Proxomitron takes some getting used to (especially its default color scheme), but the longer you use it, the easier it gets.

To other Proxomitron users: In case you haven't seen them, Andrew's Security Filter(s) v5.62, updated May 10, 2009, adds NoScript-like functions to Proxomitron for all browsers. It's an addition that merges with your existing filterset, giving the user the option to allow or block, one time or permanently, many individual scripts, objects, applets, etc. See the screenshot in the above link. Excellent work. Rick
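Worked example (added here by the editor; not Proxomitron's, NoScript's or Rick's code): a per-site, per-content-type default-deny policy of the kind this post and the earlier post on Internet Explorer's zones describe, applied to a page's HTML. The page URL, the HTML snippet and the site names (.test domains) are all constructed. It shows the case both posts make: java applets allowed on a site while that same site's flash content stays blocked, with nothing permitted unless the site is listed for that particular type.

```python
"""Per-site, per-type default-deny policy for active web content, applied to HTML.

Added example; not Proxomitron's, NoScript's or Rick's code. Page URL, HTML and
site names (.test) are constructed samples.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

ACTIVE_TYPES = ("script", "flash", "java", "iframe")


def classify(tag, attrs):
    """Map an element to the kind of active content it carries, or None for inert markup."""
    a = {k.lower(): (v or "").lower() for k, v in attrs}
    if tag == "script":
        return "script"
    if tag == "applet" or (tag == "object" and "java" in a.get("type", "")):
        return "java"
    if tag in ("object", "embed"):
        src = a.get("data", "") or a.get("src", "")
        if "shockwave-flash" in a.get("type", "") or src.endswith(".swf"):
            return "flash"
    if tag == "iframe":
        return "iframe"
    return None


class WebPolicy:
    """A separate site whitelist per content type; anything not listed is blocked."""

    def __init__(self, allow=None):
        self.allow = {t: set() for t in ACTIVE_TYPES}
        for ctype, sites in (allow or {}).items():
            self.allow[ctype].update(s.lower() for s in sites)

    def decide(self, ctype, page_url):
        host = (urlsplit(page_url).hostname or "").lower()
        for site in self.allow.get(ctype, ()):
            # a listed site covers its subdomains, but not lookalikes such as evil-site.test
            if host == site or host.endswith("." + site):
                return "allow"
        return "block"


class PageAudit(HTMLParser):
    """Walk a page's tags and record (tag, type, decision) for every active element."""

    def __init__(self, policy, page_url):
        super().__init__()
        self.policy, self.page_url, self.findings = policy, page_url, []

    def handle_starttag(self, tag, attrs):
        ctype = classify(tag, attrs)   # HTMLParser already lower-cases tag names
        if ctype is not None:
            self.findings.append((tag, ctype, self.policy.decide(ctype, self.page_url)))


def audit_page(policy, page_url, html):
    parser = PageAudit(policy, page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page: a news site whose scripts and radar applet are wanted,
# whose flash banner and clip are not, and which embeds a third-party iframe.
PAGE_URL = "http://www.examplenews.test/weather/radar"
SAMPLE_HTML = """<html><body>
<script src="/js/fastreply.js"></script>
<applet code="Radar.class" width="300" height="200"></applet>
<object type="application/x-shockwave-flash" data="/ads/banner.swf"></object>
<embed src="/media/clip.swf">
<iframe src="http://ads.tracker.test/frame"></iframe>
<img src="/img/logo.png">
</body></html>"""

# Only the permissions this site needs: scripts and java, no flash, no iframes.
POLICY = WebPolicy({"script": ["examplenews.test"], "java": ["examplenews.test"]})

if __name__ == "__main__":
    for tag, ctype, decision in audit_page(POLICY, PAGE_URL, SAMPLE_HTML):
        print(f"{tag:7} {ctype:7} {decision}")
```

The decision is made per element, not per page, which is what the three fixed IE zones cannot express: the same site gets "allow" for its applet and "block" for its flash banner in one pass, and the unlisted tracker iframe falls out blocked without ever being put on a blacklist.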
-
I haven't tried Tiny on anything but 98. I run Kerio 2.1.5 on 2K here and have installed it on XP with no problems. Some users have reported problems when "hibernate" is used on XP. I can't confirm or deny this. It is better to deactivate the XP firewall if installing Kerio. It does nothing that Kerio doesn't do as well. I'm not aware of it conflicting with Kerio, but it is unnecessary duplication. Kerio does create its own default rules when first started. The rules for XP include "permit" rules for services which are way too permissive.

If I'm understanding you correctly, you want to build the ruleset on 98 for use on XP? If the rules are limited to items such as DNS, DHCP, ICMP, networking rules, etc., that will work fine. Blitzenzeus did that at Castle Cops. If you try to include system executables and applications, you'll have problems. The rules in Kerio and Tiny include the path to the executable. Kerio checks the MD5 for the executable every time it connects. I believe Tiny does too. Those will be different. I'm pretty sure that Tiny can't import rulesets. I don't know if it would work if you shut Tiny down and replaced it manually. Kerio can import rulesets. I have edited XP rulesets on my 98 box. That's not a problem. The problem starts when something tries to establish a connection, because all the rules will be wrong for that OS. You'd have to manually edit all the paths, then have Kerio recheck all the paths and MD5's. IMO, that would be more work than making a new ruleset. The rule creation interface on Kerio and Tiny is very well designed. If you're familiar enough with internet protocol to write firewall rules, their interface design makes it easy. On these firewalls, you can write individual rules as needed on the fly. Once you get used to them, you can make a ruleset in very little time. Rick

For those not familiar with configuring Kerio or writing firewall rules, there's a forum thread at Wilders that covered Kerio in detail. The configuration described in the thread is for XP, but the principles apply to all versions of Windows. How to Optimize Security in Kerio 2.1.5.
-
True, but with alternate browsers, only a few of the vulnerabilities can be used for remote code execution. Many of them were denial of service and "data capture" problems. With IE6, remote code execution vulnerabilities were common.

Regarding the NETBIOS ports, 137-139, these ports are still probed regularly from the web. My Smoothwall logs show at least a dozen of them every day on these ports, coming from all over. Access to the ports can be blocked with a firewall, but if your setup doesn't require them to be open for file sharing on a local network, it's better to close them completely. Closing them by configuration is more secure than blocking them with a firewall. A firewall can fail. There's a fair amount of malware that attacks AVs and firewalls. There's always the possibility of a software conflict. There's code that attacks routers. I seem to remember one that used Flash and UPnP. Blocking an open port with a firewall is patching over a vulnerability. Closing the port is eliminating that vulnerability entirely. The method for closing those ports can be found at http://www.grc.com/su-bondage.htm. The site recommends installing the NetBEUI protocol before unbinding TCP from the network client to keep the client from disappearing from view. It's not necessary to do this unless you have a need for it. Even though the network client might not be visible, it's still there and is working properly. I've unbound TCP from the network clients on every 9X system I have. A port scan on any of them with the firewall shut off shows no open ports, and they all work fine.

Firewalls should be used to regulate traffic on ports opened by software or a service that you need. Ports are opened by applications and services that need to receive incoming connections. Trojans also open ports. If you have open ports, don't just patch them with a firewall. Find out what is opening them. Decide if this is something you need or if the application/service actually needs it to perform the tasks you want done. If you don't need it, shut it down, disable that service, etc. If it is necessary, configure the firewall to restrict the traffic on that port to the specific app/service that needs it, and only to the IP range that app/service needs to function. Do not allow unrestricted inbound access to an open port. If you have an open port but can't find the service or application that's listening on that port, chances are you have a trojan hiding on your system. Rick
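Worked example (added here by the editor; not part of Rick's post): parsing firewall log lines for probes against the NetBIOS ports 137-139 and counting them per source, which is the kind of tally his Smoothwall logs give him. The sample lines are constructed in the KEY=VALUE style that netfilter-based firewalls such as Smoothwall write; the "Denied-by-filter" prefix, the WAN interface name ppp0 and every address are assumptions for illustration.

```python
"""Count NetBIOS (137-139) probes per source in netfilter-style firewall log lines.

Added example, not from the post. The log lines are constructed in the KEY=VALUE
style that netfilter-based firewalls (Smoothwall among them) write; the log
prefix, the WAN interface name ppp0 and all addresses are assumptions.
"""
import re
from collections import Counter

NETBIOS_PORTS = {137, 138, 139}
WAN_INTERFACES = ("ppp0",)   # assumption: the interface facing the ISP

SAMPLE_LOG = """\
Jan 10 03:14:15 fw kernel: Denied-by-filter:INPUT IN=ppp0 OUT= SRC=198.51.100.5 DST=203.0.113.9 PROTO=UDP SPT=1026 DPT=137 LEN=58
Jan 10 03:14:16 fw kernel: Denied-by-filter:INPUT IN=ppp0 OUT= SRC=198.51.100.5 DST=203.0.113.9 PROTO=UDP SPT=1026 DPT=138 LEN=58
Jan 10 03:20:01 fw kernel: Denied-by-filter:INPUT IN=ppp0 OUT= SRC=192.0.2.77 DST=203.0.113.9 PROTO=TCP SPT=4431 DPT=139 WINDOW=65535
Jan 10 03:21:40 fw kernel: Denied-by-filter:INPUT IN=ppp0 OUT= SRC=192.0.2.77 DST=203.0.113.9 PROTO=TCP SPT=4432 DPT=445 WINDOW=65535
Jan 10 03:22:05 fw kernel: Denied-by-filter:INPUT IN=ppp0 OUT= SRC=192.0.2.77 DST=203.0.113.9 PROTO=ICMP TYPE=8 CODE=0
Jan 10 03:25:00 fw kernel: Denied-by-filter:INPUT IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=UDP SPT=137 DPT=137 LEN=78
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Pull the KEY=VALUE fields out of one log line; empty values (OUT=) stay empty."""
    return dict(FIELD_RE.findall(line))


def netbios_probes(log_text, wan_interfaces=WAN_INTERFACES):
    """Return (Counter of probes per source, list of (src, proto, dport)) for NetBIOS
    hits arriving on a WAN interface. LAN-side name-service chatter on eth0 is ignored."""
    per_source = Counter()
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("IN") not in wan_interfaces:
            continue
        try:
            dport = int(f["DPT"])
        except (KeyError, ValueError):
            continue                      # ICMP and malformed lines carry no port
        if dport in NETBIOS_PORTS:
            per_source[f["SRC"]] += 1
            hits.append((f["SRC"], f.get("PROTO"), dport))
    return per_source, hits


def noisy_sources(per_source, threshold=2):
    """Sources that probed at least `threshold` times, most active first."""
    return sorted(((s, n) for s, n in per_source.items() if n >= threshold),
                  key=lambda sn: (-sn[1], sn[0]))


if __name__ == "__main__":
    counts, hits = netbios_probes(SAMPLE_LOG)
    for src, proto, port in hits:
        print(f"{src:16} {proto:4} -> {port}")
    print("repeat probers:", noisy_sources(counts))
```

Filtering on the WAN interface matters: NetBIOS name-service traffic on the LAN side (the eth0 line above) is normal Windows chatter and would swamp the count if it were not excluded, while the 445 probe from the same external source is worth noting separately, since it is the NT-era file-sharing port and not one of the three the post is about.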
-
Internet Explorer has long held the title of the most attacked and exploited software for a few reasons. 1, It has long been the most common browser on the web. 2, Thanks primarily to its integration into the 9X operating system, successfully exploiting the browser usually gave the attacker the ability to execute their code on the OS. Unlike Internet Explorer, the alternate browsers (FireFox, SeaMonkey, Opera, K-Meleon) are not an integral part of the operating system. In addition to having fewer exploitable vulnerabilities, when they are found, they don't result in remote code execution nearly as often. When applications are integrated into the operating system, their vulnerabilities become the operating system's problems. In their quest for complete ease of use and user convenience, Microsoft integrated everything together. Yes, it made everything very convenient. It also made everything vulnerable to any weakness found in any component. Convenience for the user usually results in convenience for malicious code. Integrating web applications into the operating system effectively makes the operating system targetable from the web.

This problem is not limited to Microsoft applications being integrated into Windows. This integration also exists between the browser and other user software. For example, PDF files on websites are usually opened in a browser window. Likewise, a PDF file can contain a link to a website. When used with their "as installed" settings, the PDF software will be allowed to launch the browser and direct it to the specified site. Very convenient for both the user and the malicious code writer. On a PC using the most common software brands, malicious code in a PDF file can use that integration to gain control of the browser, and if that browser is part of the OS, the code in the PDF can run code on the operating system too. The convenience brought by the integration of user applications with each other or with the operating system lowers your system's overall resistance to attack. Vendors are constantly patching vulnerabilities in user software that allow these kinds of attacks, and malware writers keep finding more. It's an unending cycle of penetrate, patch, update, but not for the 9X user. During the constant patching process, 9X support gets dropped, forcing 9X users to either accept software with exploitable vulnerabilities or try to find replacements. The problem is that most of the replacements are doing the same thing. Quite often the 9X user has one choice: use an application with known vulnerabilities to open unknown and potentially malicious content. As bad as that sounds, it's actually normal usage for everyone. There are unknown and unpatched bugs in all software. No application that opens unknown content is truly attack proof. It's a simple fact that the user's security policy needs to acknowledge and address.

Since we can't prevent user software from being vulnerable to malicious code, the question becomes: "How do we prevent a compromised application from being used to compromise the operating system?" For this problem, any software that has internet access, that is directly started by software with internet access, opens web content, or opens files from outside or unknown/untrusted sources is considered the attackable surface. This includes the browser, media player, PDF reader, IM software, P2P applications, office software and others. A large part of the solution lies in dis-integrating or separating the exposed and vulnerable applications from each other and from the operating system itself. The attackable surface needs to be as isolated as possible from the operating system components and from applications that are not part of the attackable surface, in order to prevent the malicious code from gaining access to the more critical parts of the system.
Part of this is accomplished via configuration of the individual applications and of the OS. The rest of this isolation is achieved with the policy editor and security software. On NT systems, users have a wide selection of security software available, some of which is quite ingenious and very effective. One option I'm very impressed with is SandBoxie. Except for complete virtual systems, it's one of the best tools available for isolating the attackable surface. Host Intrusion Protection Systems (HIPS) are some of the most powerful tools made for enforcing a default-deny security policy and preventing malicious code from running in the first place. The problem facing 9X users is that the majority of these options don't run on a 9X system, with one powerful exception. The free version of System Safety Monitor (SSM) is the one Host Intrusion Protection System I know of that is completely compatible with 9X systems. It does require the installation of the Visual C++ 6.0 run-time components, which should have been installed on all updated 9X systems. Like Windows 98/ME and many of the applications 9X users have to run, SSM is no longer being supported and developed. It's sad when financial viability decides the fate of software and operating systems more than quality and performance. I'll also apologize now if some of this sounds like an advertisement or product promotion, but I know of no other 9X compatible software that gives the user this level of power and control over their system. I wish I did, and if anyone is aware of a similar 9X compatible program, I'd very much like to know about it and test its abilities. SSM can be viewed as a rule based firewall that controls applications/processes and their activities instead of internet traffic. Like the policy editor, it can build and enforce an application whitelist with some very important improvements: It verifies the MD5 of executables before allowing them to execute. 
The path to the executables is part of the rules. If an executable is moved or copied to another location, SSM will treat it as an unknown. SSM treats user applications, system executables, installers, and malware the same. System processes are not automatically whitelisted, save for kernel32.dll, internat.exe, and SSM's own processes. I'm not certain why internat.exe is whitelisted unless it's used by SSM for multiple language support.

When operating in its "paranoid" setting, SSM lets the user specify what other applications/processes each process is allowed to launch (parent) or be launched by (child). It's the equivalent of making a separate process whitelist for each executable. SSM makes it easy to define separate user and administrative modes with vastly different permissions, and makes it easy for the administrator to switch between the modes.

SSM modules monitor and protect the important registry keys, the important .ini files, the user's startup folders, and key Internet Explorer settings. All of these can be tailored to the user's specific needs. SSM also has a switchable "window filter" module that compares window titles or captions to a user defined blacklist. If the title bar containing the match is a user application, SSM will terminate it. If the match is a system folder or dialog such as the control panel or folder options dialog, SSM will close it. This "window filter" module is effective for controlling users' access to key areas of the system such as the system folder, control panel, or folders containing another user's name. It can prevent a user from accessing specific documents such as anything with "diary" or "budget" in the name. It also works with the browser, making it a useful parental tool when it's configured to filter words like "sex". The only limit is your imagination.

SSM can maintain separate rulesets and window filter sets for each user on multi-profile PCs. The correct ruleset is loaded when the user logs in. 
At 3.2MB, SSM is much smaller than any AV. It's also extremely light. At this moment, it's using 3.3MB of memory on my PC. Its processor usage is also light, under 1% most of the time with short, higher spikes when applications are launched or engaged in other monitored activity. Unlike the policy editor, SSM can be temporarily disabled, shut down, or prevented from automatically starting with Windows if the administrator chooses. Again, I apologize if this looks like an advertisement, but by empowering the user to this extent, SSM makes it possible to safely use 9X systems, even with no AV support and limited software choices.

That said, a couple of things need to be made absolutely clear. SSM does not differentiate between processes. It makes no decisions or recommendations. It will allow or block exactly what you tell it to, even if it's harmful to your system. It is solely up to you, the system administrator, to decide what should and should not be allowed. SSM is only as good as the ruleset it enforces. Writing secure rules requires that the user/administrator understands what the different processes are for, which ones are necessary for normal usermode operation, which ones should be available only to the administrator, and which ones each process should be allowed to start. Your knowledge and the security policy you build is what will ultimately protect your system, not SSM and your other security software. They are merely tools that enforce your policy.

It's also extremely important that the configuration of your operating system and user software matches the rules enforced by SSM, your firewall, and other security software you're running. I realize that this statement sounds incredibly obvious, but most users, including the more security conscious, don't start with a plan or security policy. They install what they consider to be the best security apps, then start trying to plug all the known holes and vulnerabilities. 
Even when they want to set up a default-deny policy, they concentrate on items to be blocked instead of specifying what is to be allowed. The result is a piecemeal approach that usually has gaps, overlooked applications and situations, and conflicts between the rules in the security apps and the configuration of the user software. A well thought out security policy covers a lot of details and situations that are part of normal operations. Without a policy or plan as a guide, it's almost guaranteed that details and applications will be overlooked. Rick
-
#3 works, as long as the worms don't bite.
-
Tea Timer can sort of be described as the spyware equivalent of a resident AV. It's primarily a signature based blacklisting tool. I used to run SpyBot many years ago, but strictly as a manual scanner. I had other resident "anti-" software at the time, too much in fact, and didn't want to risk its conflicting with the rest of the detection software.

There are many, many trojans that will run on 9X systems. They're no more difficult to write than their NT counterparts. There are toolkits available that can make custom trojans for most any OS that AVs won't detect. One of them is actually sold as commercial software, with updating and support. Check out MPack.

The deception techniques and software you're asking about would only be useful against sites that try to identify your OS, browser, state of patching, etc, and only against certain methods. Browser headers, JavaScript, Java, Flash, ActiveX, probably Silverlight, etc can all be used for those purposes to varying degrees. I'm not aware of any software that's specifically designed to deceive malicious sites. That said, there is software that does this to varying degrees. The K-Meleon browser can spoof the user agent and is very configurable in what it will allow (Flash, Java, JS, etc). The more I use this browser, the more I like it. There are extensions for Firefox and SeaMonkey that can do the same thing.

The best tool I know of would be Proxomitron. Using pattern matching, it can rewrite web pages on the fly, including JavaScript. Its only limitations are the user's knowledge of HTML and scripting languages, which are required for writing good, specific filters. That said, the default filters are pretty good. Sidki still maintains a set. If you can find them, the old JDList filters were very good. Anyone wanting to learn how to write good filters should examine that set. I still have a copy if anyone wants it. 
By far, the best way to defend against a custom trojan, or any malicious code that an AV doesn't detect, is the default-deny security policy. Custom made or "off the shelf", a trojan is a process. A rootkit installer is a process. Infecting a system requires code to be executed, aka a running process. It can be a free-standing process like keylogger.exe, install.exe, and similar. It can be a DLL that's executed by RUNDLL32.EXE or another system process. It can be malicious code that's injected into a legitimate process, an option which still requires a process to initiate it. Any method that can enforce a process whitelist will defeat the first group, as long as the user doesn't choose to allow it. The whitelist is also partially effective against the 3rd method, injection, provided a separate process is used to initiate it.

HIPS software can defeat malicious injection/hooking as well as the malicious use of system processes like RUNDLL32. I got a bit extreme on my system regarding RUNDLL32.EXE after it was used to defeat my defenses, which were more conventional at the time. When operating in what I've defined as "User Mode," RUNDLL32.EXE is not allowed to run at all. It's not needed for normal usage. Rick
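The process-whitelist rules Rick describes above, and in his earlier SSM post (path plus MD5 per executable, parent/child launch rules in "paranoid" mode, separate user and admin modes, RUNDLL32 blocked in user mode), as an added Python example. This is not SSM's code or anything posted in the thread; the executable names, the rule layout, the verdict strings and the fake binaries it writes to a temp directory are all constructed for the demonstration, and MD5 is used only because that is the hash the post says SSM checks.

```python
"""Added example: an SSM-style default-deny process whitelist.

Rules are keyed on the executable's full path AND its MD5 (MD5 because that is
what the post says SSM checks), carry the modes in which the program may run,
and, for "paranoid" mode, which parents may launch it and which children it
may launch.  Anything without a matching rule is denied.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


def norm(path):
    return os.path.normcase(os.path.abspath(path))


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass(frozen=True)
class Rule:
    md5: str                            # hash the file on disk must match
    modes: frozenset                    # subset of {"user", "admin"}
    parents: frozenset = frozenset()    # normalised parent paths, or {"*"} for any
    children: frozenset = frozenset()   # normalised child paths it may start


class Whitelist:
    def __init__(self, rules, mode="user"):
        self.rules = {norm(p): r for p, r in rules.items()}
        self.mode = mode

    def decide(self, parent, child):
        """parent=None means the launch comes from logon, not another process."""
        child = norm(child)
        rule = self.rules.get(child)
        if rule is None:                 # moved/copied/dropped binary: no rule
            return "deny: unknown executable (no rule for this path)"
        if not os.path.isfile(child):
            return "deny: file missing"
        if md5_of(child) != rule.md5:    # patched in place or replaced
            return "deny: MD5 mismatch"
        if self.mode not in rule.modes:
            return "deny: not permitted in %s mode" % self.mode
        if parent is not None:
            parent = norm(parent)
            if "*" not in rule.parents and parent not in rule.parents:
                return "deny: parent not allowed to launch this"
            prule = self.rules.get(parent)
            if prule is None or child not in prule.children:
                return "deny: parent has no child rule for this"
        return "allow"


def demo():
    """Build a throwaway 'system' of constructed fake binaries and exercise the rules."""
    d = tempfile.mkdtemp()

    def make(name, content):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(content)
        return p

    explorer = make("EXPLORER.EXE", b"shell v1")
    browser = make("browser.exe", b"browser v1")
    rundll = make("RUNDLL32.EXE", b"rundll32")
    copied = make("browser_copy.exe", b"browser v1")   # same bytes, new path

    both = frozenset({"user", "admin"})
    admin_only, any_parent = frozenset({"admin"}), frozenset({"*"})
    rules = {
        explorer: Rule(md5_of(explorer), both, any_parent,
                       frozenset({norm(browser), norm(rundll)})),
        browser: Rule(md5_of(browser), both, frozenset({norm(explorer)})),
        rundll: Rule(md5_of(rundll), admin_only, frozenset({norm(explorer)})),
    }
    user, admin = Whitelist(rules, "user"), Whitelist(rules, "admin")
    results = {
        "browser from shell": user.decide(explorer, browser),
        "copied binary": user.decide(explorer, copied),
        "rundll32 in user mode": user.decide(explorer, rundll),
        "rundll32 in admin mode": admin.decide(explorer, rundll),
        "browser spawning rundll32": admin.decide(browser, rundll),
    }
    with open(browser, "wb") as f:                    # tamper in place
        f.write(b"browser v1 + injected payload")
    results["tampered browser"] = user.decide(explorer, browser)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-28s %s" % (case, verdict))
```

Two things worth noting when adapting this: the rules table is itself the crown jewels, so it has to be writable only in admin mode and the enforcer has to start before anything it governs; and for anything built today a collision-resistant hash (SHA-256) should replace the MD5 kept here to mirror the post.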
-
Unless you need to share files over a local network, the NETBIOS ports can be closed. That's the first thing I do on a 9X system.
-
Another 9X thread relocated. I hope users of NT systems can see this is a thread for 9X users and refrain from adding the "upgrade your OS" posts.

The 98FE unit, my primary OS, changes very little. Except for little unzip and go apps, when I do install or update software, I make a full system backup first. If something goes wrong with the install, like finding they've removed 98 compatibility, I can get back to where I was very easily.

Contrary to the standard advice, I don't make an effort to stay current with the browsers. Right now, I'm using SeaMonkey 1.1.9, which is 7 versions behind. Most of my extensions are installed in the application folder and have to be re-installed when I update the browser. Every so often, one of the updates breaks an extension I use, forcing me to either find a replacement, find a way to fix it, or back up to an earlier version of the browser. With most of the browser's integration with other applications removed, disabled, or otherwise blocked, its traffic filtered through Proxomitron and SSM restricting the access the browser has to the OS components and other applications, I don't worry much about non-IE browser weaknesses.

I back up the entire OS at once except for the boot folder, which contains several bootable images including Knoppix. This I treat as a separate OS. I was using an older version of the Acronis rescue CD for all the backup and restoring tasks, which worked very well. I never had a problem with it except for one time when I was restoring from CDs. One of the CDs was damaged, not the fault of Acronis. I have backup images of this OS dating back to 2006. Don't ask me why I haven't pitched these. Last year I started experimenting with using 7zip for full OS backups. For the most part, it has worked well. It has enabled me to back up and restore any of the Windows OSes from any other, including the DOS image. The 7z backup images are 25-35% smaller than the Acronis images and take quite a bit longer to make. 
I can extract individual files from them from Windows and DOS. For me, that's a big plus. It seems I'm always having to open a backup image to get something I left on the desktop. Another advantage of using 7zip is that I can keep using Windows and doing other tasks while it's running, which makes the longer creation and extraction times a non-issue. The ability to run 7zip at a lower priority in the background is sweet.

Tiny and Kerio are excellent firewalls for 9X systems. Kerio 2 was developed from Tiny. Their engines are so similar that Kerio can import Tiny's rules. I'm pretty sure that Multibooter stays with 2.0.14 because it's pre 9/11. If you don't consider it necessary to use pre 9/11 software, there's version 2.0.15 of Tiny and Kerio 2.1.5, also very similar. The size difference between Tiny and Kerio (1.35MB vs 2.06MB) is due to help files contained in Kerio. If being "stealthed" is important to you in a firewall, Tiny doesn't stealth ports 0 (nul port) and 1 properly. The other major difference is that Kerio can export and import rulesets, a feature Tiny doesn't have. Other than that, they're almost the same firewall.

In that instance, definitely. The potential attacker has no way of knowing what OS the potential target is running. If he/she did know, they could just as easily pack a different trojan that did run on 98. On web pages, it's not that simple. Some of those who create malicious sites or attack supposedly safe sites use scripting, headers, and other tactics to determine the OS, browser type and version, and at times which patches have been applied. They use that information to select the best malware for compromising that system, or if the system is not vulnerable, the site delivers no payload at all. They can tell if the PC/IP address has been there before, which makes it hard for security app vendors to get samples. Some of these attackers have really put some work into these sites, with up to 40 pieces of malware or exploit code. 
It would be a simple matter to include something for a 9X system if they chose to. We're not dealing with script kiddies anymore. These are professional coders who know how to exploit vulnerabilities, defeat AV detection, and bury code so deep into a system that it's a nightmare to get it back out. The "security through obscurity" concept for 9X systems is of limited value that only helps in certain situations, P2P downloads being one of them. Don't rely on it.

I don't see this as a problem. Besides online AV scanners like HouseCall, local on-demand integrity checkers can be used to scan the file system for new, altered, and missing files. Anything new or altered can be uploaded to VirusTotal. There are several good free ones. There are also several apps that poll files and folders at user defined intervals. There is at least one that checks the root directory along with the "windows" and "system" folders at bootup, also free. I have quite a few of these on my FE system but rarely ever use them anymore. In some ways, running an integrity checker is superior to scanning with an AV. The AV is looking for known threats. It doesn't detect unknown malicious code, altered, corrupt, new, missing, or moved files. Integrity checkers can find all of these. I have a fair selection of these if anyone is interested. Rick
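The on-demand integrity checker Rick describes above (baseline the file system, then report new, altered and missing files, and feed anything new or altered to VirusTotal), as an added Python example. It is not one of the tools he mentions and not code from the thread; the directory tree, the file contents and the dropped "SVHOST.DLL" name are constructed for the demonstration, and SHA-256 is an assumption rather than any particular checker's hash.

```python
"""Added example: an on-demand file integrity checker.

A baseline records size + SHA-256 of every regular file under a root.  A later
scan is compared against it to list new, altered and missing files.  Hashing
(not size or timestamp) is what catches an in-place, same-length edit.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map root-relative path -> [size, sha256] for every regular file."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):          # skip sockets, broken links
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = [os.path.getsize(full), sha256_of(full)]
    return snap


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Classify differences between two snapshots."""
    old, new = set(baseline), set(current)
    return {
        "new": sorted(new - old),
        "missing": sorted(old - new),
        "altered": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Construct a fake install tree, baseline it, change it, and diff."""
    root = tempfile.mkdtemp()
    # Keep the baseline OFF the tree being scanned (ideally on read-only media).
    store = os.path.join(tempfile.mkdtemp(), "baseline.json")

    def write(rel, data):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        return full

    write("WINDOWS/SYSTEM/KERNEL32.DLL", b"kernel32 bytes")      # constructed content
    ini = write("WINDOWS/WIN.INI", b"[windows]\nload=\n")
    bat = write("AUTOEXEC.BAT", b"@echo off\n")
    save_baseline(snapshot(root), store)

    # Simulated changes: same-length edit, dropped file, deleted file.
    with open(ini, "wb") as f:
        f.write(b"[windows]\nload=X")                            # 16 bytes, like before
    write("WINDOWS/SYSTEM/SVHOST.DLL", b"dropped dll")            # constructed name
    os.remove(bat)
    return compare(load_baseline(store), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-8s %s" % (kind, ", ".join(paths) or "-"))
```

Where the baseline lives matters as much as the hash: if malware can rewrite baseline.json alongside the files it drops, the checker reports a clean system. A file that is moved shows up as one "missing" plus one "new" entry, which is exactly the case the post says an AV scan will not flag.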