
Does Win9x need Antivirus anymore?


ZortMcGort11


I'm willing to keep using F-Prot 3.16f for DOS which was released in 2009... (see the DOS Programs thread)

but is there any need to keep an up-to-date, bloated Anti-virus program on Win9x?

Clamwin is about as small and light as you can get, but I've been using ClamWin for like 4 years and it's never once detected a single virus...

So, I'm thinking either ClamWin is worthless, or else Win9x is just too old for viruses to infect?

I stopped having problems when I stopped using peer-2-peer file sharing networks and Internet Explorer. And that was like back in the days of Kazaa and IE 5. Since then, nothing. No more homepage getting hijacked to porn websites, no more blue screens of death, or freezes. In fact, as soon as I started using Netscape 9 I never had another problem. I've gone from using Netscape 9 to K-Meleon and Seamonkey and Opera. Never had any problems.

Does anybody get viruses anymore while using Win9x? What kind of virus was it? How did you get it? etc.

Which types of viruses are more able to infect Win9x in 2013?

-master boot record viruses

-exe/com file infectors

-trojans / malware

-worms

-macro viruses ?

Links to articles or websites, pro or con regarding the relevance of Win9x viruses, and the need (?) for Anti-Virus would be appreciated... and anybody's opinion or experiences.

Basically, is there any point at all to bother using Anti-Virus on Win9x systems? Would it be like worrying about viruses on Windows 3.1 at this point? All of the viruses for Windows 3.1 are basically "not in the wild" anymore. Only way you'd get them, is by finding an old floppy disk that's twenty years old and was never scanned.

I'm at the point where I believe there is 99% NO reason to scan for viruses anymore on Win9x. The only possibility I can think of is you might stumble upon an old floppy disk that might have an infected word document or DOS game that was infected.... possibly a floppy disk might also have an old MBR infector virus. That's it.

Most programs don't run on Win9x nowadays, so I don't think the chance of viruses being spread around is anything to worry about. You can't open new "word" documents anymore either, so there's little sense in worrying about that either.

Am I missing anything here?

Is there any possibility of getting viruses from USB flash drives? My Windows ME computer is incapable of booting from USB anyway... seems to be a feature of newer computers.

Edited by LostInSpace2012


http://www.washingtonpost.com/wp-dyn/content/article/2006/06/30/AR2006063001587.html

Washington Post article published in 2006 which says,

Johannes Ullrich, chief technology officer for the SANS Internet Storm Center, which monitors hacking trends, said Windows 98 and ME users already have a measure of security through obscurity, because most malicious code created today will not run properly on those systems.

So, if that was said 7 years ago, then we're in the clear, right?

Edited by LostInSpace2012

Win9x is such an easy system to manage with such a tiny footprint that I cannot imagine a need to lock it down using realtime CPU-killing AV when you can simply clone the whole thing periodically to another HDD, stick it on the shelf and grab it as a replacement if a virus should ever strike. Replacing a HDD only takes a moment so you can be right back online very quickly. This way, you can run your system bare naked ( behind a router of course ) with the full CPU and I/O power available and unimpacted by realtime AV.

Alternatively, even without cloning, if you have a separate offline computer available, it is really simple to take out an infected system HDD and install it as D: and clean it that way. It is really easy to clean a virus or malware from Win9x and FAT32 ( easier than NT under NTFS ). There are so few places for it to hide and fewer startup vectors.

This is just my opinion, but why punish yourself with realtime AV intercepting all traffic and peeking in every folder and flashdrive? Definitely get behind a router first though.


thanks for the reply, Charlotte.

well, I'm on dialup... do I need a router for that? Dial-up is never really mentioned when it comes to security, like it's forgotten or something. What should I do in my case?

Right now, I just have Tiny Firewall installed. It's the only firewall that doesn't slow down my already slow internet.

I just deleted ClamWin because to me it's nothing more than a drain on resources.

Good suggestion. I do have a second Windows ME computer, and a Windows 2000 computer (no modem, so I don't go online with it) that I hardly use. Swapping hard drives wouldn't be hard. But still, I haven't had any problems before with any of my 3 computers.


Back during the time-frame July 2000 through Dec 2005, we had about a dozen Win-98 machines (and about 6 other machines running NT4 and 2K) in a small organization sharing an ISDN connection to the internet. We had a net-block of 64 static IP addresses, and each of our PCs was assigned one of those addresses. No firewall running on any of the PCs (at least not the Win-98 PCs) and no NAT router.

All of the PC's ran some version of Norton Antivirus, and it caught most viral email attachments as incoming mail was spooled on our NT4 mail server.

Over that time frame, none of the win-98 machines got infected by anything. Our 2 NT4 servers were discovered to be hosting someone's private FTP site (or at least they were trying, but our slow connection was a problem I suppose). Our Win-2k machines were periodically hit with network worms and other stuff. I would argue that those years (2000 - 2005) were the prime years for win-9x to be targets, and we had a completely open network topology that would have facilitated it, but in the end our win-98 machines sailed through those years cleanly. In the years since then, our PC's shared a DSL connection behind a nat-router, and although I maintained NAV 2002 on about 6 machines until about 2008, they continued to be devoid of malware, trojans, virii, etc.

So for the past 5 or so years I've abandoned any AV protection on these win-98 machines.

On the other hand, I'm quite aggressive at adding entries to my hosts file, which is based on the MVPS hosts file. I examine my router's out-going logs periodically to see what domains or hosts are being accessed, and any that don't look right are added to my hosts file. There is a lot of web-metrics, click-tracking, ad-serving and god-knows-what servers out there that are hooked into the web-surfing experience that have no place being there, and I'll be damned if I'm going to expose my PC's to that crap. Especially when it's those servers that are likely to be hacked and serve up malware.

But it all comes down to this: Win-9x, either by design or dumb luck, is simply not vulnerable to even a fraction of the exploit vectors that have existed for the NT-based line of Windows.

The website Secunia.org lists all the known security issues for many many hardware and software products. As of July 2006 (when win-98 went EOL) Secunia was listing 33 advisories for Windows 98. That's for the entire life-span of the product. They were listing well over 200 advisories for Win 2k/XP at the same time. And as of Dec 2012, they were listing 408 advisories for Win-XP pro (44 of which were un-patched).

So that should put things into perspective.

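The hosts-file routine described above (review the router's outbound logs, add hosts that don't look right to an MVPS-style hosts file) can be turned into a small review helper. This is an added example, not code from the thread or from the MVPS project; the log line format, sample log lines, allowlist and the stand-in hosts file are all constructed for the example, and a real router writes something different, so parse_line() is the part to adapt. It produces a list of candidate 0.0.0.0 entries for a human to look over rather than editing the hosts file itself.

```python
"""Build candidate hosts-file block entries from outbound router log lines.

Added example, not code from the thread or from any router/firewall vendor.
The log line format is a constructed, hypothetical one; adapt parse_line()
to whatever your device actually writes.
"""
import re
from collections import Counter

# Constructed sample: outbound connections as a hypothetical router might log them.
SAMPLE_LOG = """\
Jan 05 10:01:02 OUT src=192.168.1.10 dst=93.184.216.34 dport=80 host=example.com
Jan 05 10:01:03 OUT src=192.168.1.10 dst=198.51.100.7 dport=80 host=tracker.example-metrics.net
Jan 05 10:01:05 OUT src=192.168.1.10 dst=198.51.100.7 dport=80 host=tracker.example-metrics.net
Jan 05 10:02:10 OUT src=192.168.1.10 dst=203.0.113.9 dport=443 host=ads.example-adserver.org
Jan 05 10:02:11 OUT src=192.168.1.11 dst=93.184.216.34 dport=443 host=example.com
"""

# Constructed stand-in for an existing MVPS-style hosts file (0.0.0.0 sinkhole entries).
EXISTING_HOSTS = """\
# start of entries
0.0.0.0 ads.example-adserver.org
127.0.0.1 localhost
"""

# Hosts the owner has reviewed and decided are legitimate (constructed allowlist).
ALLOWLIST = {"example.com"}

# Hypothetical "host=" field; real logs may only carry the destination IP.
LINE_RE = re.compile(r"host=(?P<host>[A-Za-z0-9.-]+)")


def parse_line(line):
    """Return the destination hostname from one log line, or None if absent."""
    m = LINE_RE.search(line)
    return m.group("host").lower() if m else None


def tally_hosts(log_text):
    """Count how often each destination host appears in the outbound log."""
    counts = Counter()
    for line in log_text.splitlines():
        host = parse_line(line)
        if host:
            counts[host] += 1
    return counts


def already_blocked(hosts_text):
    """Set of hostnames already sinkholed (0.0.0.0 or 127.0.0.1) in a hosts file."""
    blocked = set()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            blocked.update(h.lower() for h in parts[1:])
    return blocked


def candidate_entries(log_text, hosts_text, allowlist):
    """Hosts seen in outbound traffic that are neither allowlisted nor already blocked.

    Returns ready-to-paste hosts-file lines, most frequently contacted first,
    so the reviewer sees the noisiest unknown destinations at the top.
    """
    counts = tally_hosts(log_text)
    blocked = already_blocked(hosts_text)
    new = [h for h in counts if h not in allowlist and h not in blocked]
    new.sort(key=lambda h: (-counts[h], h))
    return ["0.0.0.0 " + h for h in new]


if __name__ == "__main__":
    for entry in candidate_entries(SAMPLE_LOG, EXISTING_HOSTS, ALLOWLIST):
        print(entry)
```

With the constructed input, only tracker.example-metrics.net comes back as a candidate: example.com is allowlisted and the ad server is already in the hosts file. Keeping the allowlist and the existing hosts file as inputs is what stops the list from growing with every legitimate site visited; on Win9x the file being maintained is C:\WINDOWS\HOSTS.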

well, I'm on dialup... do I need a router for that? Dial-up is never really mentioned when it comes to security, like it's forgotten or something. What should I do in my case?

Are you dial-up on POTS ( plain telephone wire )? I've actually never seen anything except that situation so my knowledge is limited here. If it is POTS, including ISDN, your computer is using a modem to create/decipher the actual analog "phone" signals which speak to the telephone company and they talk with the Internet from up there. I can't see a way that a router can be placed in between you and the Internet because that actual gateway is remote.

By contrast, for broadband users the jumping off/on point that has an IP address is physically in their house at the Cable/DSL/Fiber modem so a router is simply slipped in between there and the computer(s) via ethernet and it becomes a hardware firewall managing incoming and outgoing comm while NAT'ing the IP addresses.

In your Modem-POTS situation, the IP address is actually on a device far upstream, where they perform the Internet communication and then "Modem" it into telephone signals for the trip back to your modem. The security aspect of someone using your ( probably unchangeable ) IP address to probe your ports is primarily in the ISP's hands, and presumably a thoughtful ISP would notice such activity and thwart it upstream. For some added measure of protection a software firewall with inbound and outbound blocking might be useful, if for no other purpose than to popup with a prompt every time something knocks on your door or tries to phone home. But for all practical purposes they must have a router in place upstream that rejects many port probing and flooding attacks, check here.

In theory, slow dial-up is a less than optimal target for a hacker naturally. But realize that malware usually doesn't care what connection you have, particularly if executed locally, it just sees an active TCP/IP connection and does what it was told to do. In other words, if your web browser can successfully connect to webpage addresses that you type in, then any malware can do the same. So there is a threat level present, but careful computing is the primary defense. Executing all manner of dangerous programs locally on your computer is one way to still get into trouble.

Having said that, I never really used a local software firewall or realtime AV on Win9x over dial-up except out of curiosity for testing.

So in your situation, I would simply keep timely backups ( the best is a cloned separate HDD with incremental updates applied periodically ) left on a shelf. Then I would happily run without AV and just be careful. If the worst happens, I just swap in the spare HDD. Note, that spare HDD should NOT be left in all the time as a D: drive ( or whatever ) because that is NOT a reliable backup. In the case of a virus infection, all connected drives, should be considered suspect. So, incremental backup and then remove is the best practice.

If you have a 2nd computer which is normally kept offline, you can always do what I mentioned elsewhere: insert the infected drive and clean it like it's a floppy disk. That spare machine would need to have a decent on-demand AV scanner and its definitions would need to be updated from time to time.


Yes, my internet is on "plain telephone wire" I presume. I just plug my computer in the phone jack in the wall. If somebody tries calling, then they get a busy signal :-)

Thank you guys for the great responses.

Charlotte, regarding the GRC "Shields Up" Firewall test.... maybe you can decipher the results for me. After reading what you said, I don't believe my ISP (netzero) does any filtering "down stream" to my computer.

The reason why is because I have run the GRC test multiple times, and the PC Flank test from another website, with and without my firewall activated. When my firewall was activated it said my computer was secure and the ports were either closed or stealthed. When I retook the test without my firewall, everything was open and I completely failed the GRC test!

Needless to say, I turned Tiny Firewall back on!

I'm definitely no expert at all about this stuff. I'll just report what I do know:

I use Tiny Personal Firewall. Upon installation it prompts the user whether or not to share NetBIOS access. Every time I've installed it, I always check "NO. Don't share my files."

I then have proceeded to take the GRC test. Results are always the same: "File Sharing: unable to connect to NetBIOS on my computer. My computer is well hardened against internet attacks." Or something to that effect.

Next up, I do the simple port scan then the advanced port scan. The results are always the same, "All ports tested are stealthed." A curious thing though is that ports zero and 1 are merely closed, not stealthed. So in that regard my computer is visible, it always fails the "True Stealth" test. Because I have a couple ports that are closed instead of stealthed. No big deal I figure.

Anyways, sometimes, randomly while surfing the web I'll get a pop-up screen telling me that "Somebody at address xxx.x.x.xxx wants to Connect to SeaMonkey using port x.xx...x Permit or Deny." I always choose deny. Sometimes I also get pinged. I've looked at the internet address in my logs to see who pinged me. I then do a google search of that specific IP address and it's always from China.

So, if my ISP was protecting me before sending me data, then in theory I shouldn't get random people trying to connect to my ports or ping me, correct?

The only reason I think I never got hacked before I started using Tiny Firewall two years ago, is that Windows ME by default has file sharing turned off... contrary to Windows 98 which is on by default.

I still don't understand what file sharing has to do with having "open" and "closed" ports though, because back then I wasn't using a firewall at all but I still never had any visible signs of computer hijacking or mysterious glitches.

Which is why I think the entire concept of Dial-up security is completely neglected. I did research this issue a couple years ago, and after reading some articles by alleged "computer professionals" I came to the conclusion that I at least should have a "software firewall" installed.... even on dial-up.

Another thing is, if Netzero actually did filter or block or whatever the data going "downstream" to their customers, I wonder why they'd bundle the Norton Antivirus software free with their Netzero software.

Basically, the whole issue of 9x security is one giant foggy no-man's land to me. Who knows what works and what doesn't.

Again, I appreciate the replies.

Edited by LostInSpace2012

Yes, my internet is on "plain telephone wire" I presume. I just plug my computer in the phone jack in the wall. If somebody tries calling, then they get a busy signal :-)

So you are on 56K then, not ISDN?

After reading what you said, I don't believe my ISP (netzero) does any filtering "down stream" to my computer.

No data filtering for sure, but there should be some form of router up there providing some rudimentary port defense ( but I suppose they might just be cheap and be using some bare bridge type of device ). Testing with and without firewall should provide an answer. For a comparison, an example of running really bare would be on broadband, where you have the cable modem sitting near the computer, and rather than inserting a router between them you jack the computer NIC straight into the modem ethernet port. This is as bad as it gets since the IP is usually static at the modem and assuming no software firewall on the PC, you should get probed rather quickly and compromised soon thereafter all at Mbits speed ( hence the firewall added in WinXPsp2 ). I guess it is possible that NetZero has developed the same scenario by using something upstream that just mirrors all ports to your system, but they should have learned something by now and at least used routers with some kind of protection against DDoS and the like.

The reason why is because I have run the GRC test multiple times, and the PC Flank test from another website, with and without my firewall activated. When my firewall was activated it said my computer was secure and the ports were either closed or stealthed. When I retook the test without my firewall, everything was open and I completely failed the GRC test!

Well that is surprising to me. And I guess that is your answer. NetZero apparently provides your system with the ability to use any ports and be attacked via the same. Consequently, a software firewall would seem to be critical now. The one test control I would perform would be to try one or two non-firefox browsers ( Opera and MSIE with no plugins or widgets and no extras like "Sync" or whatever ). Reboot first, and immediately launch the Shields Up page. Don't visit any other sites or pages first to rule out some flash ad or something that might open a port somehow. Get results from all three the same way ( reboot, etc ) with and without firewall for a total of 6 different passes and then we can come to some conclusions about your default security status from NetZero ( but yes, it is not looking good so far ). I'm not sure if you can disable the firewall before reboot, but it is possible that the firewall software itself is using some port even, when disabled, for back-channel communication.

I use Tiny Personal Firewall. Upon installation it prompts the user whether or not to share NetBIOS access. Every time I've installed it, I always check "NO. Don't share my files."

I then have proceeded to take the GRC test. Results are always the same: "File Sharing: unable to connect to NetBIOS on my computer. My computer is well hardened against internet attacks." Or something to that effect.

That is the correct message, no NetBIOS. I can't think of a good reason for it ( maybe that photo sharing option that comes with every camera or webcam? ) and it dates back to DOS, maybe even before Netware. Windows has it for backward compatibility I guess, and this is fine as long as it can easily be disabled. I think in Win9x it is a service so that registry needs to be deleted if I remember correctly. Also, I believe it comes back from time to time piggybacking on some INF file that gets launched when you Add/Remove a network adapter or use that "Windows Setup" tab in Add/Remove ( the one that reinstalls everything "checked", instead of only the things you "just" checked at that moment ). But yes, it should be disabled. Your status is correct.

Next up, I do the simple port scan then the advanced port scan. The results are always the same, "All ports tested are stealthed." A curious thing though is that ports zero and 1 are merely closed, not stealthed. So in that regard my computer is visible, it always fails the "True Stealth" test. Because I have a couple ports that are closed instead of stealthed. No big deal I figure.

Like I said above, if possible do a more controlled test with 3 browsers and firewall on and off. A quick Google finds this thread with users of Comodo firewall, and one possible reason is that ICS ( Internet Connection Sharing ) changes those ports to "closed" when ICS is disabled. If ICS isn't present in WinME, then perhaps something similar is doing the same. From what I read, it is most likely not a problem, but since we cannot rule out something in Sea Monkey yet ( hence the multiple browser experiment ), it is still too soon to know why they are not "Stealth".

Anyways, sometimes, randomly while surfing the web I'll get a pop-up screen telling me that "Somebody at address xxx.x.x.xxx wants to Connect to SeaMonkey using port x.xx...x Permit or Deny." I always choose deny. Sometimes I also get pinged. I've looked at the internet address in my logs to see who pinged me. I then do a google search of that specific IP address and it's always from China.

So, if my ISP was protecting me before sending me data, then in theory I shouldn't get random people trying to connect to my ports or ping me, correct?

Yes, it is starting to look like NetZero is not blocking any ports. If your software firewall is catching pings they certainly are not preventing anything from swimming downstream to you. For all practical purposes there is no hardware firewall present. Does your software firewall show attempts on any port or just those not in "Stealth"? I'm not sure what is an appropriate or unusual level of pinging for you. I believe it directly correlates to the bank of IP addresses your ISP and you reside in. The bad guys will go for the low hanging fruit and they would know where that fruit is. It could be that NetZero IP's gets more or less than say another ISP so it simply comes with the territory. Or, there might be more war dialing port scanners in operation this week rather than last. Who knows.

The only reason I think I never got hacked before I started using Tiny Firewall two years ago, is that Windows ME by default has file sharing turned off... contrary to Windows 98 which is on by default.

Yep, that makes sense.

I still don't understand what file sharing has to do with having "open" and "closed" ports though, because back then I wasn't using a firewall at all but I still never had any visible signs of computer hijacking or mysterious glitches.

Open ports are a prerequisite for file sharing. When you have a router or software firewall you will almost always need to edit the configuration temporarily to use something like a torrent. As far as not getting hijacked, that is the result most people on dial-up report, including myself when I used it. The biggest security risk was never from remote invaders, but actually from executing an infected file or malware installer locally. The payload may be present already and is easily installed or it simply phones home knowing your exact defenses and comes back through whatever ports are open, with a payload ready to go.

Another thing is, if Netzero actually did filter or block or whatever the data going "downstream" to their customers, I wonder why they'd bundle the Norton Antivirus software free with their Netzero software.

I think we are now understanding why they bundle AV in there, their customers have the ( low speed ) equivalent of a naked broadband router modem and without some protection they will get compromised. A better question is why not include a firewall instead or in addition to it ( note, you said they include NAV not NIS ). Realtime AV, as I often state, is completely optional as long as the computer user is careful because IMHO the bad outweighs the good, but YMMV. Without a proper router though, a software firewall is clearly essential.

EDIT: modem, not router

Edited by CharlotteTheHarlot

Thanks, Charlotte. You've helped me better understand all this router stuff. And you've confirmed what I've suspected about my ISP.

Yes my connection is 56k.

I tried running the "GRC ShieldsUp" test using Opera and K-Meleon, the results were the same. Same ports were closed and everything.

As far as when I get attacked, it's never to the visibly closed ports (#0 and #1), but instead to port 1050 or some high number like that. Whenever I'm alerted to it, I immediately disconnect.

I used to get pinged more often, like once a day, but I created a preset rule in the firewall to automatically ignore them.

Tried other firewalls that are Win9x compatible (Sygate 5.x, Zone Alarm 3.7, Outpost 1.0), and while they completely 100% stealthed my system, they also slowed my internet down. The bigger the program, the slower my internet was.

Now getting back to the viruses.... I keep the final version of F-Prot for DOS around, just in case I need to scan a possible "payload" as you put it. It's old, but I figure whatever Win9x malware is out there, that program will detect it.

I might put ClamWin back on my machine... my paranoia may get the better of me.... I never bothered with the real-time ClamSentinel though. Don't have the RAM for that.


As far as when I get attacked, it's never to the visibly closed ports (#0 and #1), but instead to port 1050 or some high number like that. Whenever I'm alerted to it, I immediately disconnect.

Most likely these are not something to bother disconnecting for ( more links ). You say all the ports except 1-2 are "stealth" right? So on those higher ports the packets should just be harmlessly rejected anyway. If you have a rule to handle them, set it to just log it for future reference with no prompt and be done with it. I just double-checked what Gibson had to say about those definitions ... and with "closed" the best a real intruder can do is know that your computer port exists, but go no further. I suppose if he was really evil and intent on penetrating your 56K system ( probably 5 KB/s, not a lot of value for them ), he could ping it mercilessly 24/7/365 until that moment your firewall is off and, well, still do nothing :lol: Don't sweat it. Even if you were on broadband I wouldn't sweat it ( It kinda takes the fun out of it ).

But it is worth checking the port status periodically to make sure something doesn't get opened up behind your back and stay open. If you run all kinds of expert uber-utilities or dangerous programs they might change something.

I still would suggest just cloning the C: drive to a separate spare HDD on a shelf, and also keep a backup computer around for scanning and cleaning the C: drive if possible. With those two fallback plans in place nothing can really hurt you.


  • 2 weeks later...

I stopped having problems when I stopped using peer-2-peer file sharing networks and Internet Explorer. And that was like back in the days of Kazaa and IE 5. Since then, nothing. No more homepage getting hijacked to porn websites, no more blue screens of death, or freezes. In fact, as soon as I started using Netscape 9 I never had another problem. I've gone from using Netscape 9 to K-Meleon and Seamonkey and Opera. Never had any problems.

I would strongly suggest using NoScript !! And for stuff that you can't get rid of with NoScript - also AdBlockPlus !!

I am a movie buff and the German database OFDB is plagued with advertising, pop-ups, etc. but not with these two apps :thumbup


  • 1 month later...
So, in conclusion, we only need Firewall and AdBlock on a Windows 98 machine? AV is really not necessary?

No two people are the same, so it cannot be stated as simply as you did. I'm using no AV on WinXP, always on Admin, been doing that for years. The three main ingredients IMHO are ...

Use a Router. A hardware firewall has no equal. The built-in Windows software firewall is actually also running on mine but is pretty much obsolete in my case.

Don't use MSIE. Change the default browser to something else, I like Opera myself, so that any program that opens the system web browser does not get the expected MSIE with its well-known holes and exploits and myriad settings visible in the registry.

Be Smart. The obvious stuff like not running stuff in attachments, not using those stupid software downloader stubs, not installing toolbars and other freebies packed in distributions, extracting EXE's and examining the contents before running them, using local on-demand or online scanners for risky files, etc. Above all, don't execute possible malware locally, if you do you will regret it.

Running on Win9x is pretty much running as Administrator and it only takes a microsecond for something executed locally to plant itself in deep. Even though there are less autorun locations than on WinXP+, there are still very many places for malware to attach itself to in order to be a persistent pain. At least it is much much easier to clean up a malware mess.

Of course, the most important thing that should be said and is something that needs to be repeated for many threads here ... don't experiment on your one and only computer. Win9x is so simple to back up that it is criminal not to have a fallback. Having a second computer is another way. If the second computer is kept clean and offline, then whatever happens on the first computer will never be a big deal because you can just pop out the system disk drive and place it in the second one and clean it in isolation. Having this kind of fallback in place, and believe me this is something I do, means that I can afford to live somewhat dangerously. Anyone who cannot be troubled to take these precautions should not even be entertaining these thoughts.
