[9x/Me] Surviving Without a Virus Scanner


Queue


Do you mean JavaScript? Because that's definitely for the paranoid. But I will concede that some sites out there throw too much of it at you, which bogs everything down. Blocking ad scripts isn't enough.



All of our security software can be considered as filtering tools. What they allow or filter out is dictated by the security policy that's being enforced. With the standard default-permit security policy, an AV is one of the core security apps, filtering out suspicious and known malicious code. With default-deny, the policy editor and/or HIPS effectively filters out all non-whitelisted executables. The firewall filters out all traffic that's not specifically permitted. This brings us to the problem of unwanted or malicious content delivered by the allowed traffic. This web content includes a wide variety of code, including:

Media files, audio and video.

Flash content, which ranges from useful and entertaining to annoying and potentially malicious.

Java, same range as Flash.

JavaScript, a wide range of functions ranging from small webpage conveniences to the fetching of malicious pages.

A lot more sites use scripts, JavaScript, and other interactive content than you might think. On this thread for instance, the "fast reply" window uses JavaScript. On this weather radar page, several of the map functions use JavaScript. Sites might be displayed normally with scripts and active content disabled, but there's often a loss of function that makes the site less usable. Whether we like it or not, the web is using more active content all the time. Blocking all scripting and active content might be safer, but it also makes the internet less usable and enjoyable. Unlike executable files, dealing with web content isn't as black and white. The exact same code can serve a useful purpose or be used maliciously.

The default-deny security policy can be applied to web content. Active content and scripting can be treated as executables with the sites containing them treated as parent processes. This requires software that can handle web content in the same manner that HIPS software handles applications, blocking active content by default while allowing certain sites to perform specific activities. The trusted, restricted, and internet "zones" in Internet Explorer attempted to do this to a very limited degree. With no ability to block or permit specific content on the fly, it's not sufficient.

Various extensions like FlashBlock and NoScript make possible the whitelisting of specific activities and websites on Firefox, SeaMonkey, and other "Gecko" based browsers. The problem with these is that they only work with the browser they're installed to. As extensions of the browser, they can be adversely affected or broken by browser updates. Some, like NoScript, have a few issues of their own, like a controversy over a premade whitelist.

Proxomitron is a much more flexible and powerful web filtering tool. It's available at PrxBx.com, along with filter sets, tutorials, archived websites, certificate tools, and a forum for Proxomitron and other web filtering tools. Proxomitron (version Naoko-4.5 recommended) works with all browsers. It can filter all web content, limited only by the filter set and the skill of those who write them. The better your knowledge of HTML and scripting languages, the more powerful it is. Proxomitron enables you to whitelist specific types of active content and websites along with filtering out or modifying almost any other web content, including cookies, user agents, referrers, nosy scripts, iframes, and much more. Proxomitron is small, 1.6MB extracted. No installation necessary. Unzip it, change your browser's proxy settings, adjust your firewall rules, and go. The default filters are a good place to start. Like all rule based software, Proxomitron takes some getting used to (especially its default color scheme) but the longer you use it, the easier it gets.

To other Proxomitron users:

In case you haven't seen them, Andrew's Security Filter(s) v5.62, updated May 10, 2009, adds NoScript-like functions to Proxomitron for all browsers. It's an addition that merges with your existing filterset, giving the user the option to allow or block, one time or permanently, many individual scripts, objects, applets, etc. See the screenshot in the above link. Excellent work.

Rick

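The per-site, per-content-type default-deny policy described in the post above, as an added example: this is plain Python written for this page, not Proxomitron or any of its filter sets. The whitelist, host names and the sample page are constructed, and the MIME-type classification of `<object>`/`<embed>` is an assumption about how the Flash and Java plugins of that era identify themselves. Everything not explicitly whitelisted for the requesting site is stripped and logged, which is the list a Proxomitron-style "allow once / allow always" prompt would be built from.

```python
import html
from html.parser import HTMLParser

# Added example (not Proxomitron code): default-deny filter for active web content
# with a whitelist of {site: {permission, ...}}; sites and page below are constructed.

# Tags that always carry one kind of active content.
ACTIVE_TAGS = {"script": "javascript", "applet": "java", "iframe": "iframe"}


def content_type(tag, attrs):
    """Return the permission a tag needs, or None for passive markup.
    <object>/<embed> are classified by MIME type (assumption: Flash and Java
    plugins advertise application/x-shockwave-flash and application/x-java-*)."""
    if tag in ACTIVE_TAGS:
        return ACTIVE_TAGS[tag]
    if tag in ("object", "embed"):
        mime = (dict(attrs).get("type") or "").lower()
        if "shockwave-flash" in mime:
            return "flash"
        if "java" in mime:
            return "java"
        return "object"
    return None


def build_tag(tag, attrs, void=False):
    """Re-serialise a tag; HTMLParser hands us unescaped values, so escape again."""
    parts = [tag]
    for key, value in attrs:
        parts.append(key if value is None else f'{key}="{html.escape(value, quote=True)}"')
    return "<" + " ".join(parts) + (" />" if void else ">")


class DefaultDenyFilter(HTMLParser):
    """Rebuilds a page, dropping every active element the site is not allowed."""

    def __init__(self, host, whitelist):
        super().__init__(convert_charrefs=False)
        self.host = host
        self.whitelist = whitelist   # {site: {"javascript", "flash", "java", ...}}
        self.out = []
        self.skip = []               # open blocked tags whose inner content is dropped
        self.blocked = []            # (type, what) pairs, input for an allow/deny prompt

    def allowed(self, ctype):
        # A whitelist entry covers the site and its subdomains; unlisted = denied.
        return any(ctype in types and (self.host == site or self.host.endswith("." + site))
                   for site, types in self.whitelist.items())

    def clean_attrs(self, tag, attrs):
        # Inline handlers and javascript: URLs are scripts too; strip unless allowed.
        if self.allowed("javascript"):
            return attrs
        kept = []
        for key, value in attrs:
            if key.startswith("on") or (value or "").strip().lower().startswith("javascript:"):
                self.blocked.append(("javascript", f"{tag}@{key}"))
            else:
                kept.append((key, value))
        return kept

    def handle_starttag(self, tag, attrs, void=False):
        if self.skip:
            return                                   # inside a blocked element
        ctype = content_type(tag, attrs)
        if ctype and not self.allowed(ctype):
            self.blocked.append((ctype, tag))
            if not void and tag != "embed":          # <embed> is void: no end tag to skip to
                self.skip.append(tag)
            return
        self.out.append(build_tag(tag, self.clean_attrs(tag, attrs), void))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs, void=True)

    def handle_endtag(self, tag):
        if self.skip:
            if tag == self.skip[-1]:
                self.skip.pop()
            return
        self.out.append(f"</{tag}>")

    def _passthrough(self, text):
        if not self.skip:
            self.out.append(text)

    def handle_data(self, data):
        self._passthrough(data)

    def handle_entityref(self, name):
        self._passthrough(f"&{name};")

    def handle_charref(self, name):
        self._passthrough(f"&#{name};")

    def handle_comment(self, data):
        self._passthrough(f"<!--{data}-->")

    def handle_decl(self, decl):
        self._passthrough(f"<!{decl}>")


def filter_html(page, host, whitelist):
    """Filter one page fetched from `host`; returns (filtered_html, blocked_items)."""
    f = DefaultDenyFilter(host, whitelist)
    f.feed(page)
    f.close()
    return "".join(f.out), f.blocked


# Constructed whitelist: each site gets only the permissions it needs.
WHITELIST = {
    "forum.example": {"javascript"},          # quick-reply box needs scripting, nothing else
    "radar.example": {"javascript", "java"},  # map applet plus its script controls; no Flash
}

# Constructed sample page mixing useful and junk active content.
PAGE = (
    '<html><body><p>Hello</p>'
    '<script>document.write("tracker")</script>'
    '<a href="javascript:steal()" onclick="x()">link</a>'
    '<object type="application/x-shockwave-flash" data="ad.swf">'
    '<param name="quality" value="high"></object>'
    '<embed type="application/x-shockwave-flash" src="ad2.swf">'
    '<applet code="Map.class"></applet>'
    '<iframe src="http://ads.example/"></iframe>'
    '</body></html>'
)

if __name__ == "__main__":
    for host in ("unknown.example", "forum.example", "maps.radar.example"):
        cleaned, blocked = filter_html(PAGE, host, WHITELIST)
        print(host, "->", cleaned)
        print("   blocked:", blocked)
```

The point the post makes about zones versus per-type lists shows up in the whitelist: `radar.example` can run its Java applet and scripts while its Flash ad is still dropped, and an unknown host gets nothing at all. In a real proxy this function would sit between `http.server` and the upstream fetch and be fed the `Host` header; here it is called directly so the result can be inspected.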

Queue:

You forgot to mention that an antivirus scanner running in realtime can in itself cause a whole clusterf*** of security issues. Just look at it logically: any extra service running on the system with elevated privileges (as most AV products do) is bound to give opportunity for exploitation.

One of the key rules of computer security is to keep applications in the user area as much as possible without them straying into the privileged areas of the system - this is one rule that antivirus applications ritually break. Even a user running as a limited profile isn't protected against this because an attacker just needs to target the AV program and use its privileges to breach the security. This literally makes any antivirus application that is running in realtime a potential backdoor.

This is one of the main reasons I don't use any AV software at all, the other of course is the performance hit. My netbook with Vista would probably be killed even just by running NOD32, supposedly one of the most efficient AVs.

Strong browser settings and a hardened network configuration are a major step in preventing security issues, rather than just patching them when they occur.


The trusted, restricted, and internet "zones" in Internet Explorer attempted to do this to a very limited degree. With no ability to block or permit specific content on the fly, it's not sufficient.

Steve Gibson apparently has an app which can allow on-the-fly use of Internet Zones in IE.


The problem with the "zone" concept in Internet Explorer is the complete lack of versatility more than it is "on the fly" usage. There are only three levels of permissions available at any one time. All sites not entered into the trusted or restricted zone run with "Internet zone" permissions. Proxomitron takes the idea much farther, letting you make an almost unlimited number of permission lists, whitelists, blacklists, etc. You can have separate site whitelists for Flash, Java, JavaScript, etc. That way, you can allow the site only the permissions it needs instead of selecting between two or three pre-defined groups or zones. You can allow the Java applets on a site to run and still block the Flash content.

Besides the lack of flexibility, one of the main problems with the "zone" concept is its default-permit basis. Its default zone should be what it calls the restricted zone, not the internet zone where sites have more permissions. Whoever came up with those default settings didn't think the process through. By the time you find a site should be in the restricted zone, you've already visited it in the internet zone.

Internet Explorer users who don't want to use Proxomitron should completely change the "zone" settings. Since the "Internet Zone" is the default permissions for sites not listed in the other zones, it should have the least permissions. The "restricted zone" should be the next step up where sites have more permissions than those in the default zone. The "Trusted zone" should be limited to sites that need the higher levels of permissions to work. Site trust and permissions should always start low and be raised if necessary, not the other way around.

One of the key rules of computer security is to keep applications in the user area as much as possible without them straying into the privileged areas of the system - this is one rule that antivirus applications ritually break. Even a user running as a limited profile isn't protected against this because an attacker just needs to target the AV program and use its privileges to breach the security. This literally makes any antivirus application that is running in realtime a potential backdoor.

That is becoming a bigger problem all the time. Malicious code that's executed by the AV when it's unpacked and scanned. Fortunately for 9X users, that code most likely targets NT systems and probably won't run on a 9X system. There have also been several instances where a security suite is successfully attacked and used to take over the OS. If I remember right, that happened with Norton Internet Security and those compromised PCs were used to launch some big DDoS attacks against anti-spyware vendors and websites. Malicious code that makes the AV part of the attack surface puts the AV vendors into a no-win situation. If the resident AV can't function at a kernel level, it won't be effective against malicious code that does. On the other hand, when an AV scanner is integrated with a resident AV, certain types of malware can exploit that by using the scanner to execute it. The only way to avoid that is for the resident AV and the AV scanner to be completely independent of each other. That would make them even more bloated than they are now. Most are already too bloated to run decently on a 9X system.

A well configured HIPS like SSM can prevent the execution of malicious code by the AV, but it will require very tight control over the parent-child settings for the AV components. That problem is compounded by the fact that AVs need constant updating, which often includes new executables that will be unknown to the HIPS software. If the AV's updater isn't permitted to launch new executables, the AV can't automatically update. In order for HIPS to protect the system from malicious code that's executed by the AV, the AV can't be allowed to execute an unknown, which makes updating it a manually performed administrative task. It's simpler to set up a default-deny policy, drop the resident AV, and use online scanners to check files.

Rick


... Herbalist, Rick ... just a note of thanks for posting so much info in this thread. I always learn something new from your postings ... I use Proxomitron and never heard of Andrew's Security Filters ... have been using them for a few days now and I really like that addition to Proxomitron ... I use Sidiki's set of filters and Andrew's filters work just great with it ... took me a few hours before I figured out how to work with them and the A - B buttons in the upper right hand corner. Anyway, keep the info flowing ... Also, I was aware of WinSock but didn't have a copy in my software collection, thanks for posting the link.


_snip_

Internet Explorer users who don't want to use Proxomitron should completely change the "zone" settings. Since the "Internet Zone" is the default permissions for sites not listed in the other zones, it should have the least permissions. The "restricted zone" should be the next step up where sites have more permissions than those in the default zone. The "Trusted zone" should be limited to sites that need the higher levels of permissions to work. Site trust and permissions should always start low and be raised if necessary, not the other way around.

_snip_

Herbalist, you are right. I have been running IE 5.5SP2 with the zones rearranged as you suggest for a number of years now and it works. I also use "Microsoft Internet Explorer 5 PowerTweaks Web Accessory" which adds 2 options to the Tools menu to add the current domain to either trusted or restricted zones. That makes surfing pretty painless. I'd still be using the old IE but it does not handle a lot of web 2.0 sites and I was unable to find a way of controlling flash intrusions.

I now use Opera with a little add-on to control the Flash and it works when it doesn't crash! I also use a software firewall (Outpost 1.0) behind a NAT router. If anyone thinks that is belt and suspenders then I say "they're my pants". I don't run a virus scanner at the moment but I'm about to try out the free version of Avira.

Great thread; the best ever.


Thanks. That's very much appreciated. I'm glad to hear that others are finding this thread useful.

I'm pretty sure that AntiVir/Avira has already dropped support for 98/ME. There aren't many left for 98. I haven't tried the online system scanners in a while. Probably should just to see which ones still work with 9X.

I now use Opera with a little add-on to control the flash and it works when it doesn't crash!

Is it Opera itself crashing or the add-on that's causing it? SeaMonkey and K-Meleon are both good browsers for 98. Avoid the 2.0 versions of SeaMonkey unless you have KernelEx installed. Both browsers are fast, light, and very stable. Unlike Internet Explorer, which hasn't been patched on 98 in some time, these browsers are up to date. Both are available as installers or zip files. If you'd like, you can install both and see which one you like better.

K-Meleon has Flash blocking built in. The FlashBlock extension has a version (1.3.13) for SeaMonkey that works very well. Proxomitron can also block Flash content for any browser. Flash is one of those problem formats that's more often used to deliver ads and junk than to deliver useful content. It can also be used maliciously. In one instance, Flash was used to alter the settings in routers via UPnP. When Adobe stops updating the 9X compatible versions of Flash Player, Flash content could be a major vulnerability for 9X systems. Blocking it by default and allowing it on an as-needed basis is the best way to deal with a format that's not usually delivering anything useful.

Rick

Edited by herbalist

I think ClamAV works for 98, and since it's not resident, it could be a good one to consider.

The programs I run on my 98 are hit and miss though, since I use the Win95 shell, so in some ways I am actually limited to software that is designed for 95. Not that it bothers me :)


Herbalist,

this response has been prepared offline because Opera decided to have a page fault while I was writing a reply online. Rather than quoting I'll do this in point form.

Avira and anti-virus s/w:

You are right. Avira has dropped 9x support. I should have opened the manual before my mouth. I'll still use it on my XP machine.

I think ClamAV is likely to be the only option available to 9x users in the not too distant future. If they have a good project leader, there is no reason why that app should not continue to improve and become quite significant. The problems I had with ClamWin were unreliable updates.

Realtime virus scanning is necessary for neophytes but experienced users should not require it. Rootkits and trojans are of greater concern and require constant vigilance. Luckily for us, the 9x users, for the most part the creators of this malware are concentrating on XP/Vista vulnerabilities because that is where the money is and, ethics aside, these guys are professional in every sense of the word. Script kiddies are no longer the problem they once were although, I have no doubt, they are still there. That said, I would like to scan some (all) of the old software packages I download for my 98SE.

I don't like the idea of online virus scanning. Isn't that the ultimate example of an oxymoron?

When it's all said and done, if the web gets too dangerous for 9x then I'll do all my surfing with a Linux live cd. Let's see the b......s get that!

Opera and browsers:

Compared to the other browsers I've tried, warts and all, Opera is streets ahead of the rest. Repeated page faults are the most significant problem I have experienced. I'll put this one down to the compiler and libraries they use. At least it does not take the system down with the traditional BSOD.

The next most significant seems to come from their implementation of the DOM which manifests as a failure to display a page when scripting is _on_ and yet works fine when it is _off_. I can't believe they got the ECMA scripting engine wrong; it's too well documented. I think their slavish belief in defined standards (by W3C) is their undoing.

Despite the above, Opera is far, far faster and, for me and the way I like to work, the interface is far superior to IE, Firefox, or SeaMonkey. UI appreciation is purely subjective so I don't expect agreement. I'm happy to tolerate its self destructive tendencies.


I've never used Clam or ClamWin. Others who are obsessed with test results claim that it fails to detect a lot of malicious code. Then again, they all have that problem to a growing degree.

I don't like the idea of online virus scanning. Isn't that the ultimate example of an oxymoron?

I suppose that you could look at it that way, given the fact that most malicious code gets into a system from the internet. That said, unless you bought your AV from a store on a CD, chances are that your AV came from the same internet, as do its detection updates. AVs are not completely trustworthy by design. They're never completely up to date. None of them catch everything. I don't see any real difference between an online scanner and a locally installed one, save that you know when the locally installed one was last updated. Is using an online AV any different than using online data backups or online applications? Ideally, I'd choose a locally installed application every time but 9X users aren't getting many to choose from.

Realtime virus scanning is necessary for neophytes but experienced users should not require it. Rootkits and trojans are of greater concern and require constant vigilance. Luckily for us, the 9x users, for the most part the creators of this malware are concentrating on XP/Vista vulnerabilities because that is where the money is and, ethics aside, these guys are professional in every sense of the word.

Agreed. Then again, neophyte users shouldn't be running unsupported software and operating systems. Unless they know how to secure their system using their own resources, they're running on nothing but blind luck and random chance. Malicious code might not be targeting 9X systems much anymore, but it is targeting the applications that run on it.

It's been years since I tried Opera. Didn't like it, but it was long enough ago that I don't remember what it was I didn't like. For me SeaMonkey and its predecessor, the Mozilla Suite, have been very reliable. I can't remember the last time I had a non-beta version crash. Everybody has their preferences, but like everything else, there are fewer that work on 9X all the time. Eventually, 9X users will have to run the last compatible version and rely on good filtering and a default-deny policy to offset their weaknesses.

Rick


Hi Herbalist,

there are a number of things I don't like/trust about online virus scanning. Where I am in Oz we have limited bandwidth so downloading a scanner and database each time I want to check for a virus is out of the question, financially at least. Any significant amount of cloud computing stuff is not going to happen here for quite a while.

Another question is "how do you protect yourself from site hijacking?" It happens to banking sites and such so an online virus scanner seems like a pretty inviting target for exploitation. Sure the connection would be SSL but certificates have been spoofed and the incentive for the bad guys to find a way in is in the mega-buck range. Can you imagine the damage if such a site was compromised for even a day? Personally, there is enough to be thinking/concerned about surfing the net. I _never_ do internet banking because of site spoofing and the like. That might be considered paranoid but I'm old (and proud of it) and I'm allowed! ;-)

That attack on routers you mentioned is a serious threat but I don't think to me. I'm running a relatively obscure router (Siemens 4200), I turned off its PnP facility, and 98SE doesn't support the technology. I tested the system with UPnP from GRC.COM and got a clean bill of health, so here's hoping.

I've recently purchased an EEE PC901 with XP and I'm quite undecided about letting it anywhere near the internet, it is just so vulnerable.

On ClamWin, I just downloaded a new version, installed it, and deleted it. It went off into na-na land on its first run. OK, my system has become a bit flaky and is due for a rebuild, but I don't think it is that unstable yet. Probably another OSS project compiled with an M$ compiler. Combine all that with a UI that has not improved in the last 12 months. The project manager needs a swift kick. Scratch ClamWin for now.

On browsers, I'm probably being impatient with SeaMonkey's speed but it is noticeably slower than the current Opera and I don't like the way they run the project. Their bug fixing is spotty; they fix visible security bugs immediately, as they must or go under overnight, but other things like cookie management, which was broken in v1, ignored in v2, has only now been fixed in v3 or so I'm told. Basic Mozilla browsers seem pretty limited in functionality because if you want some necessary feature you have to install a plugin. NoScript as a plugin? Give me a break! And have you seen the code implementing these plugins? It's b....y pathetic. Talk about script kiddies.

The plugin system in Opera seems better conceived than in Mozilla stuff. Take the FlashBlock thingy. It consists of a piece of CSS and a piece of JScript that are injected into the web page when it loads and executed before control is passed to any embedded stuff. My understanding is that their whole plugin system is based on this concept. Seems to work OK. For me, their configuration management is better organised and accessible. It ain't perfect but, in an age of mediocrity, it ain't bad either.
