
[9x/Me] Surviving Without a Virus Scanner


Queue


I never saw your last post. Sorry about the delay in responding.

Where I am in Oz we have limited bandwidth so downloading a scanner and database each time I want to check for a virus is out of the question, financially at least. Any significant amount of cloud computing stuff is not going to happen here for quite a while.

I can't say if this applies to all the online system scanners but the last time I ran HouseCall, it updated the previously downloaded scanner, much like a conventional AV would. The main page of the scanner claimed that 2K or newer was required but the scanner downloaded and worked fine. There were a few activities I questioned the need for and decided not to allow, like a specific component that tries to get your MAC address, but the scanner still worked. When I have the time, I'll try to go through the available online scanners and see which ones still work with 98. It will be a while before that happens.

Another question is "how do you protect yourself from site hijacking?" It happens to banking sites and such so an online virus scanner seems like a pretty inviting target for exploitation. Sure the connection would be SSL but certificates have been spoofed and the incentive for the bad guys to find a way in is in the mega-buck range. Can you imagine the damage if such a site was compromised for even a day? Personally, there is enough to be thinking/concerned about surfing the net. I _never_ do internet banking because of site spoofing and the like. That might be considered paranoid but I'm old (and proud of it) and I'm allowed! ;-)

Paranoid? I don't own a credit or debit card and have never used an ATM. There's nothing paranoid about it. It was just this year that I started using the online facilities of my bank with my checkbook. The problem is that you have to trust that both their end (the financial site) and the DNS system that took you there have not been compromised in addition to knowing that your own system is secure. There are two separate problems here. The first is knowing that you're actually at the site you wanted to visit, and that you haven't been redirected to a spoofed site. The second problem is when the legitimate site gets hacked. The Bank of India was hacked badly a while ago and was serving up a lot of malware, including password thieves.

Other than making your own system resistant to any malware a compromised site might serve up, there isn't much you can do about the integrity of their end, but there are some things you can do on your end to offset some of the problems.

Site spoofing: making an almost identical copy of a legitimate site for the purpose of stealing your log-in credentials, credit card info, etc. The site may look the same, but its IP address is different. Get the IP addresses of the financial sites you use and add the address and site name to your hosts file. That defeats attacks that use the DNS system. You can also use firewall rules that restrict the IPs you can make secure connections to. If the IP is wrong or changes (redirected), your firewall should alert you.

Part of the solution has to come from the financial site. On the initial login page of my bank, only your login name is entered, which can be anything you choose. The site may or may not challenge me with a security question. The site then has to display an image and a line of text that I selected when I set up the account. If I see those, I know it's the correct site. A spoofed site would have no way of knowing what those would be. If they're correct, I enter the password. If a financial site's login system does not have provisions for you to authenticate them as well as them authenticating you, don't use it. They're not facing the realities of today's internet.

Some browsers allow the same user to have several profiles. With those that do, setting up a profile that's strictly for financial or sensitive tasks can help. Any cookies or temp files created are in a different location than those used by the default profile. It's also a good idea to make any financial work the first thing done in a browser session, and to not visit any other sites during that session. Wiping the browser cache, history, cookies, temp files, etc. after a session would prevent a malicious site that's visited afterwards from collecting that data. I use the launcher component of Eraser for this, executed by a small batch file. One click wipes all the locations. Use version 5.7 on 9X systems, not the newer one.

I'm not particularly impressed with the extension system in Mozilla browsers either, especially NoScript. Any security/privacy tool that presumes to whitelist sites without my consent isn't wanted, especially when Google is in the list. I use the FlashBlock extension like a switch for flash content. The actual content filtering is done ahead of and independent from the browser by Proxomitron. This eliminates problems caused by vulnerabilities in security extensions. Firewall rules prevent the browser from accessing the internet without going through Proxomitron.

Regarding attacks on external hardware like routers, DSL modems, etc., I'm convinced that there are a lot of vulnerabilities and possibly even built-in backdoors that we don't know about. I've had several DSL modems that have an upper range port open that can't be closed with any of the configuration options. On every one of them, the port number has been different, but they've all had one open port. I can't determine if this is something my ISP has done or if it comes that way from the vendor. I've also disabled UPnP on everything and added blocking/logging rules to Kerio for the UPnP ports.

I've been working on some web pages that detail how to use SSM free on 9X systems to enforce a comprehensive default-deny security policy sufficient to offset the lack of AV support. It's taking much longer to finish than I expected. Too much else to do and not enough time in a day.

Rick
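The hosts-file pinning Rick describes above, as an added example that is not part of the original post: a small audit script that parses hosts-file text, asks a resolver for each pinned name, and reports any name whose DNS answer no longer matches the pin, which is the condition his firewall rule is meant to catch. The hosts entries, the hostnames and the resolver answers below are constructed sample data (documentation address ranges), not real bank addresses.

```python
"""
Added example (not from the original post): audit pinned hosts-file entries
against what a resolver currently returns for the same names. A 'mismatch'
is the redirection case; it can also mean the site legitimately changed
address, so treat it as "stop and verify", not as proof of an attack.
"""
import ipaddress
import re

# Constructed hosts-file text, in the same format as C:\WINDOWS\HOSTS on 9x.
SAMPLE_HOSTS = """
# pinned financial sites (constructed example)
192.0.2.10      online.examplebank.test
198.51.100.7    secure.examplecard.test   www.examplecard.test
# 203.0.113.5   old.examplebank.test   (commented out: retired address)
"""

# Constructed resolver answers standing in for live DNS. The answer for
# secure.examplecard.test deliberately disagrees with its pin.
SAMPLE_DNS = {
    "online.examplebank.test": ["192.0.2.10"],
    "secure.examplecard.test": ["203.0.113.99"],
    "www.examplecard.test": ["198.51.100.7"],
}


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, ignoring comments/blanks."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], parts[1:]
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        for name in names:
            pins[name.lower()] = ip
    return pins


def check_pins(pins, resolver):
    """Compare each pinned name against the resolver's answers.

    resolver: callable hostname -> list of IP strings.
    Returns {hostname: (status, pinned_ip, resolved_ips)} with status one of
    'ok' (pin is among the answers), 'mismatch' (answers exist but none match)
    or 'unresolved' (no answers at all).
    """
    results = {}
    for name, pinned in pins.items():
        answers = list(resolver(name))
        if not answers:
            status = "unresolved"
        elif pinned in answers:
            status = "ok"
        else:
            status = "mismatch"
        results[name] = (status, pinned, answers)
    return results


def sample_resolver(name):
    """Offline stand-in for DNS, backed by the constructed table above."""
    return SAMPLE_DNS.get(name.lower(), [])


def report(results):
    """Render results as one line per host, worst cases easy to spot."""
    lines = []
    for name in sorted(results):
        status, pinned, answers = results[name]
        lines.append(f"{status:10} {name:28} pinned={pinned} "
                     f"dns={','.join(answers) or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_pins(parse_hosts(SAMPLE_HOSTS), sample_resolver)))
```

For a live check, pass `lambda n: socket.gethostbyname_ex(n)[2]` as the resolver instead of `sample_resolver`; on a machine whose hosts file already contains the pins that call will simply echo them, so run it from a box without the pins (or against a resolver you query directly) to see what DNS actually says. The caveat a practitioner will hit: banks and card issuers do change addresses and often sit behind multi-address front ends, so pins need periodic maintenance and a mismatch is a prompt to verify out of band, not a verdict.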



For those who have at least 512 MiB or more RAM to spare, setting up a RAM disk and then pointing TEMP; TMP; Temporary Internet Files; Cookies; History and the Java temporary files to the RAM disk is a good and reliable way to get rid of the junk resulting from Internet navigation with every reboot. The only downside is if and when one decides to download files bigger than the RAM disk, because then IE will fail silently, pretending it finished the download, but, of course, yielding a truncated file. There are several workarounds for this problem, ranging from temporarily setting the Temporary Internet Files elsewhere, just for that download, and then setting it back to the RAM disk, to using FlashGet or some other download manager for the files bigger than the RAM disk. With plenty of RAM to spare, a 1.5 GiB RAM disk (my current option) makes even this small annoyance quite rare. It's painless, it's transparent and works like clockwork, provided one reboots regularly, as in shutting down the machine every day, at least during the time one'll be asleep. Of course, it's not as useful for a machine that will be running P2P all the time, but, even then, a reboot usually is required every 48h or less, and that will do fine. And anyone who is able to spend the money needed to get 1.5 GiB or more RAM needed to adopt this strategy should consider spending US$10 more to get the excellent RLoew's non-XMS RAM disk, which is invisible to Win 9x/ME and leads to the most stable possible configuration with a RAM disk (for more on problems arising from using very big RAM disks esp. with XMSDSK, refer to my > 1 GiB thread, for which there is a link in my signature).


I've been working on some web pages that detail how to use SSM free on 9X systems to enforce a comprehensive default-deny security policy sufficient to offset the lack of AV support. It's taking much longer to finish than I expected. Too much else to do and not enough time in a day.

Rick

Looking forward to this immensely Rick.

Your posts on security are always a very good and informative read.

I use 98SE and 98SE2ME on two boxes without any resident AV and with SSM Free.

I have been relying on both Eset and Symantec On-line AV Scanners for periodic checks while they are still supporting 9X (only time IE6 is used).

However I am sure that my use and that of many users of SSM needs a little guidance to become fully comprehensive default-deny.

TIA

Colin

Edited by lightning slinger

Can easily summarize how to secure Windows 98 without a virus scanner: Unplug/Disconnect access to router/Internet.

Realistically: format Windows 98 off and upgrade to a modern, supported OS.


herbalist - Rick

... some time back I tried SSM and really liked it with 98SE. Then I ran into the problem of opening Media Player Classic with SSM running ... the computer freezes up and has to be shut down. I think you were able to verify this on your end ... did you ever get any answers on that or figure anything out? I just put SSM back on one of my 98SE machines about a week ago ... had forgot about the Media Player Classic problem till today ... I could just try to remember to shut SSM down when I want to use Media Player Classic. There is certainly a problem there between the two programs. ... thanks ... that's the only program (MPC) that I found so far that has a conflict of some sort with SSM. I have many programs on my 98SE test machine.

I have another question ... on some programs you tell SSM to "always" run a certain program when it is opened but on some programs there might be a 2nd or 3rd permission asked using the term "allow global hooks". Is it OK to give future permission for the "Global Hooks" question? I don't quite understand that "Global Hooks" question when it pops up on a program.

Edited by duffy98

Global hooks can serve many functions. They're used to intercept system calls, keystrokes, and mouse clicks. They can be used to inject or add code contained in a DLL to one or more running processes. Windows Explorer for example needs to hook browseui.dll in order for the start menu and window menus to work. Applications written in Visual Basic (most of Karen's Power Tools for instance) often need to hook MSVBVM60.DLL in order to work. The zip file version of K-Meleon needs to hook rebarmenu.dll, one of its own files, in order for the menus to work.

There are also instances of applications and Windows components that ask for hooks but appear to work just fine without them. On 98FE, using "Find" results in an alert for Explorer wanting to hook shell32.dll. Find works normally whether you allow it or not. An older version of Yahoo Messenger I had asked to set hooks to idle.dll (part of Yahoo) for the keyboard and mouse. It worked whether I allowed it or not.

A fair amount of malware also uses global hooks or dll injection. It's a common method for keyloggers and trojans. Rootkits use certain types of hooks to hide their existence. Quite a few security apps also use them. On XP Pro, the pro version of SSM hooks well over 200 locations, which enables it to detect and intercept almost anything that takes place.

[Attachment: RKU_Report.txt]

When you get an alert for a global hook or DLL injection, the first things to check are "what application is asking" and "what is the app asking to hook". Applications asking to hook a DLL in their own folder are normally legitimate and necessary for that app to work. If the DLL has some random name, it's suspicious. The same applies to DLLs with normal names that are in the wrong location. I normally choose "block this action once" the first time such an alert appears. If everything in the app functions normally, I'll make it permanent. In instances where the hook has to be allowed, there's often a selection of responses in the drop-down box as shown in the screenshot below. [Attachment: post-118612-1246638055_thumb.png]

Whenever possible, limit the hook to the specific application that's asking for it and limit it to the specific DLL it's asking for. Except for browseui.dll, Windows 98 itself needs few if any hooks to function. 98FE asks for very few. 98SE and ME ask for a few more, some of which don't seem to be necessary. Beyond that, allow hooks only when it's necessary for the app to work, and if possible restrict them to the specific executable and DLL in the alert.

Rick
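The triage Rick lays out above (own folder: normally legitimate; random name: suspicious; familiar name in the wrong place: suspicious; otherwise block once and see whether the app still works), as an added example that is not part of the original post and is not SSM's own logic. The alerts, the program paths and the small table of "known DLL and where it normally lives" are constructed sample data; the random-name heuristic is deliberately crude and is consulted only after the own-folder and known-DLL rules.

```python
"""
Added example (not from the original post, not SSM code): classify
"global hook / DLL injection" alerts with the rules described in the post.
Verdicts: 'allow' (own-folder DLL), 'block' (wrong location or random name;
i.e. Rick's "block this action once"), 'review' (block once, then test).
"""
import math
import ntpath
from collections import Counter

# Constructed table: well-known DLL names and their normal 9x location.
# A real deployment would build this from its own clean install.
KNOWN_DLLS = {
    "browseui.dll": r"c:\windows\system",
    "shell32.dll": r"c:\windows\system",
    "msvbvm60.dll": r"c:\windows\system",
}

# Constructed alerts as (requesting program, DLL it wants to hook).
SAMPLE_ALERTS = [
    (r"C:\WINDOWS\EXPLORER.EXE", r"C:\WINDOWS\SYSTEM\BROWSEUI.DLL"),
    (r"C:\Program Files\K-Meleon\k-meleon.exe",
     r"C:\Program Files\K-Meleon\rebarmenu.dll"),
    (r"C:\WINDOWS\EXPLORER.EXE", r"C:\WINDOWS\TEMP\SHELL32.DLL"),
    (r"C:\Program Files\Messenger\msgr.exe", r"C:\WINDOWS\SYSTEM\qz8kx3tw.dll"),
]


def _shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(dll_name):
    """Crude 'random name' heuristic: a stem of 6+ characters that mixes in
    digits, has at most one vowel and high per-character entropy
    (e.g. 'qz8kx3tw'). Known names are handled before this is consulted."""
    stem = ntpath.splitext(ntpath.basename(dll_name))[0].lower()
    has_digit = any(ch.isdigit() for ch in stem)
    vowels = sum(ch in "aeiou" for ch in stem)
    return (len(stem) >= 6 and has_digit and vowels <= 1
            and _shannon_entropy(stem) >= 2.75)


def triage_hook_alert(requester_exe, target_dll, known=KNOWN_DLLS):
    """Return (verdict, reason) for one hook alert."""
    exe_dir = ntpath.dirname(requester_exe).lower()
    dll_dir = ntpath.dirname(target_dll).lower()
    dll_name = ntpath.basename(target_dll).lower()

    # Rule 1: a DLL in the requesting program's own folder is normally
    # legitimate; still restrict the permission to this exe and this DLL.
    if dll_dir == exe_dir:
        return "allow", "DLL is in the requesting program's own folder"

    # Rule 2: a familiar name must also be in its familiar place.
    if dll_name in known:
        if dll_dir == known[dll_name].lower():
            return "review", "known DLL in its normal location; block once and test"
        return "block", f"known DLL name in the wrong location (expected {known[dll_name]})"

    # Rule 3: random-looking names outside the program's folder.
    if looks_random(dll_name):
        return "block", "random-looking DLL name outside the program's folder"

    return "review", "unknown DLL outside the program's folder; block once and test"


def triage_all(alerts, known=KNOWN_DLLS):
    """Triage a list of (exe, dll) alerts; returns a list of (exe, dll, verdict, reason)."""
    return [(exe, dll) + triage_hook_alert(exe, dll, known) for exe, dll in alerts]


if __name__ == "__main__":
    for exe, dll, verdict, reason in triage_all(SAMPLE_ALERTS):
        print(f"{verdict:7} {ntpath.basename(exe):14} -> {dll}\n        {reason}")
```

The verdicts are a starting point for the manual step the post describes, not a substitute for it: a 'review' on Explorer hooking browseui.dll still needs the block-once-and-test pass to learn that the Start menu depends on it, while the same test on shell32.dll (for Find) shows the hook can stay blocked.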


Thanks Rick for the detailed explanation on the global hooks in SSM. I will put SSM back on one of my machines and check each global hook as they pop up. I do remember SpywareBlaster asking for one or two global hooks and also Microsoft Money 97 asking for global hooks permission. The term "global hooks" sounds a little sinister and I was wondering what the program might be hooking into or how far these "hooks" might go after connecting to the internet.

... I also will be looking forward to the web pages dealing with SSM and a 9x system.

Edited by duffy98

I do like this thread but it has to be said: You cannot secure an operating system which at its lowest level, the kernel, is inherently insecure. It's bad practice adding piles of add-ons on top of an insecure foundation and it is one which doesn't really result in computer security but an illusion of such (in actual fact, computer INsecurity).

The only Windows OSes which could be considered even partly secure are the NT based ones with a kernel that has security built in, instead of a single user kernel with no perception of ACLs or access control security of any kind - the 9x kernel. Good security can only be built on top of a good, secure kernel; if the kernel is not secure, the system can never be secure.

Windows 98 just cannot be realistically secured, it's turd polish, and while I *love* Windows 95 (or 98 with IE ripped out and the 95 shell on top) I won't ever lie and say that it can be made as secure as an NT, 2000, XP or Vista box, because it can't.


A secure kernel does not result in a secure OS. The opposite does not hold true either. Either way it's irrelevant as Microsoft has never made a secure kernel or operating system. The best they've managed is one that's not quite as insecure as its predecessors. Vista and Windows 7 are supposed to be Microsoft's most secure systems to date, and they get infected like any other. Any system containing data or performing a function critical enough to require a secure kernel shouldn't be running Windows. The only way any version of Windows can begin to be secured is by restricting what is allowed to execute and by restricting the amount of access the allowed processes have to the rest of the system. The more recent NT systems accomplished this with software restriction policies and limited user accounts, implemented with built-in tools. 9X systems don't have built-in tools that can implement such restrictions, but it can be done with installed security software. When done with built-in tools, it's called a more secure OS, but when it's done with installed software, it's "piles of addons." Interesting double standard, especially when much of Windows' "built-in security" tools began as installed applications. My entire "pile of addons" takes up about 18MB, half of which is log files and test configurations. Combined, it uses 5.5MB of memory. If that's a pile, the typical security suite used on XP must be a mountain.

Malicious code doesn't have to compromise the kernel or run at kernel level. It can be damaging or costly no matter what level it runs at. When properly implemented, a default-deny security policy will prevent that malicious code from executing. If it can't execute, it can't compromise the system whether the kernel is "secure" or not. That's one of the purposes of this thread, covering the details of implementing the policy on 9X systems. If you want to call that turd polishing, fine. As far as I'm concerned, the NT systems are the real turds.

A file system that can hide malicious files in alternate data streams.

Vulnerable services few users need opening ports by default.

An OS/kernel so secure that the term "rootkit" has become common language.

An OS with so many holes that a regular "patch day" was created for it.

No thanks. I've cleaned too much garbage out of NT systems, especially XP, to ever consider it to be a security improvement. I'll stay with my "insecure" 9X system that doesn't have those problems.

Rick


  • 2 weeks later...

I know this has been talked about on many forums, but Avast are very near to releasing their new Avast 5 and will eventually drop support for 95/98 and ME.

As there aren't many anti virus real time programs available now for those older operating systems I am now concerned for users that want to keep using their system as to what they will use in this instance once they can no longer use Avast that is.

I have been informed that they intend to keep Avast 4.8 running for this year anyway; beyond this they don't know, or perhaps they just don't want to say at this time.

Unless you have any other ideas I would be interested to hear them.

The time to be thinking about this is now, as we may not have that long come December.

I will start off by listing ClamWin which will apparently support 95/98/ME but unfortunately it is a resident program and not real time, but at this point in time beggars can't be choosers it would appear.

Also SAS superantispyware, again the free version not real-time, but a very good scanner for spyware cookies etc.

Please list as many types of programs, whether it be anti virus real time or resident, and spyware and Malware progs again real time or resident that you know will work and be supported for the older systems, this will help our community and hopefully keep those systems alive.

Many thanks in advance.



Hi! frogman!

I've had Avast on a 98se box of mine for awhile.

Then one day, I tried to scan a file, and it would not work.

It did produce a single message, telling me that the "key" they issue out, had expired.

I was not left with any working AV at all, even though it had been updated until the very day the key had expired.

I do not think I did anything wrong in the sense of not knowing how to get it to work, even though the key had expired---anyone else here, encountering this kind of thing?

So what good is it keeping up to date, when once they decide to discontinue support,

you no longer have a working AV (even with those Old, yet massive def's you have downloaded faithfully whilst the key was working?

Would I be discouraged not to use my 9x boxes once the day comes (hopefully not)

when all AV support is gone?

Not at all!

In fact, I would more VEHEMENTLY assert my right, and resolve--- to continue to use it!!!!

I would make sure I have the original Install CD, and others having all fixes, mod's, and updates; as well as the latest progs I've been using.

I would religiously make backups of any important files, that are Work, or Hobby related.

I would use my knowledge of where not to go, and hone in sharply to my "gut instincts" concerning such things as should I, or should I not---click on this suspect, or unknown download etc.

Then, should I be hit with something, that totally lays waste to my system,

all I've to do, is reformat! and reinstall!

It really does not take long at all to reinstall any of the 9x series of operating systems.

And all you need do then, is gather forth your CDs' having the programs you have always used---reinstall them---and you are a 9x user again!

Rising from the ashes of your previous experience, as new and as resolved as ever,

to continue to use and enjoy the OS you Will to use.

So with every little assault upon my 9x work and fun--due to this and that entity no longer supporting drivers, anti-virus progs, and what not,

the more so am I imbued with the strength, courage, and fortitude---to continue on.

The only thing that still concerns me, is the lack of built in IPV6 support; but a very knowledgeable computer wizard I know---assures me that there will always be a way,

to connect to the internet for those privileged enough to use 9x.

By the way, I am using Clam Win now. It's slow---slow....slow..!

Spy Bot Search and Destroy, seems to work more ploddingly too, as time goes on.

But nevertheless, where there is a will---there is always a way,

for those Strong Enough to Endure the Fight.
