Anti-Malware Suggestions


Hello Noel,

Thank you for linking your domains compiler, and sharing the lists you use. The lists I mainly use can be found in the uBlock Origin repository under Third Party Filters, Malware Domains. I also use lists from here: http://iplists.firehol.org/

Proxy I use: http://www.squid-cache.org/


To those who do not want to maintain their own servers, or use the HOSTS file as a blacklist, uBlock Origin is a wonderful extension that not only blocks ads, but also blocks malware.

Link to uBlock Origin: https://addons.mozilla.org/en-US/seamonkey/addon/ublock-origin/?src=ss

Popup Blocker I use: https://addons.mozilla.org/en-US/firefox/addon/popup-blocker-ultimate/

SeaMonkey Addon Converter: http://addonconverter.fotokraina.com/



  • 2 weeks later...

@Flasche, as a long-time expert with Malwarebytes, I will admit that I have never used their Anti-Exploit software. I do, however, know that it, along with their Anti-Malware and Anti-Ransomware, is being merged into Malwarebytes 3.0.

Quote

Our engineers have spent the last year building this product from the ground up and have combined our Anti-Malware, Anti-Exploit, Anti-Ransomware, Website Protection, and Remediation technologies all into a single product which we simply call “Malwarebytes.” And it scans your computer 3-4 times faster!

The beta just went public not long ago and it runs extremely well. The license is very worth getting, too.

On the subject of uBlock Origin, I recently made the switch to it from Adblock Plus. It is indeed a wonderful addon. Thankfully, uBlock Origin has plenty of good lists that allow for great protection and ad filtering. Far more than Adblock Plus offered. I do hope that you whitelisted MSFN if you haven't already donated to the website. :)

Even in uBlock Origin I tend to avoid using any of the lists that use a hosts file. Hosts-file misuse has been discussed on many occasions, and it can even be problematic cross-platform as well!

  • 127.0.0.1 is localhost and opens a connection until it times out. On Windows 8 and up there is a noticeable delay.
  • 0.0.0.0 is a listen-all address on Linux, and that may very well be true for Mac as well, since both are Unix-based, though I may be incorrect about that.

Windows Defender also detects changes to the hosts file in case of malware tampering. It's detected as SettingsModifier:Win32/PossibleHostsFileHijack.

If you'd like to learn more, I have a comprehensive article written about Blocking Malware and Advertisements Safely that I continue to expand when good information comes to light about the common misuse of the hosts file.

Hope this is helpful!


By the way, on the subject of MBAM... There have been reports this week of Malwarebytes finding false positives in Microsoft's latest sets of updates. Note for example:

https://www.askwoody.com/2016/malwarebytes-stumbles-with-false-positive-on-kb-3197868-the-win7-november-monthly-rollup/

Blocking sites based on managed blacklists is an EXCELLENT way to keep yourself out of the vicinity of online malware.

However, if it makes you feel better, Tarun, a better solution (and with some advantages) to blacklisting via a hosts file is to run a local DNS proxy server. I have been using the open source Dual DHCP DNS Server software for some time, and it brings capabilities to do things like wildcarded blacklist entries. In my case, since I have a machine running Dual DHCP DNS Server 24/7, my entire LAN is protected by it. Ad-free, malware-free, wanted-content-only browsing is really nice.

-Noel

Edited by NoelC

I've read about that Raspberry Pi-based device.  It looks legit.  But because I have a somewhat uncommon situation here of having a high reliability server running 24/7 I opted for a software solution.  As you've seen, I develop and update my own blacklists from multiple sources, and so far that's been a completely effective strategy - I've not seen any of my systems come anywhere near malware literally in years.  I wouldn't even need an active AV package, TBH.

If you're interested in trying out the Dual DHCP DNS Server software solution, I've made modifications to the source to allow expanded list sizes...  You can find that source here (and I'm sorry if this is repeated from an earlier post; I kind of lose track of what I post where):

http://Noel.ProDigitalSoftware.com/temp/DualServerChangesForLargeWildcardList.zip

At another level, I've been working closely with the author of the Sphinx Windows Firewall Control product to beta test his latest builds...  With his upcoming 8.0 release, the package is becoming name-based, which GREATLY reduces configuration maintenance cost and deals very nicely with such things as CDNs and cloud server banks.  Changing from IP-based to name-based (integrating information from DNS lookups in real time) is no less than a quantum leap in maintainability, and changes keeping a detailed deny-by-default firewall config running from being a work-intensive task to almost set-it-and-forget-it.  Seriously.  The upcoming Windows Firewall Control 8.0.0.15 build will work with a locally-implemented DNS proxy package like Dual DHCP DNS Server perfectly.  I have this firewall on all my systems, and I can tell you that 8.0 is going to be a DYNAMITE firewall solution.

By the way, it's called "Windows 10 Firewall Control" but it is developed for Windows 7 and newer.  I think he includes 10 in the name so it will seem "modern", but he confided in me that the low-level functions he interfaces with are all essentially the same since 7.

Some screen grabs: WxFCApps.png, WxFCDomains.png, WxFCZoneConfig.png

-Noel

Edited by NoelC

  • 4 weeks later...

Hello, do you know which antiviruses offer a good protection against ransomware?
I've already added SRP whitelisting (Win7 Pro here), so I need some other kind of active protection.

Malwarebytes, Nod32 or others?

And what about a firewall to replace my free-but-clunky Zone Alarm?

Edited by phaolo

Where do you think you're more likely to get the ransomware from...

  • Do you download executables from the wild Internet and run them?
  • Or do you think you'll get the ransomware from web pages?

Nothing can really help you much with the former.  If you're going to download software and run it then it would be a good idea to vet it in a virtual machine before ever allowing it near your critical systems.

If I were looking for an active protection program I'd probably look into the MalwareBytes Antimalware product, then at least scan every executable before running it, and maybe consider installing the active protection components.  It's one of the better scanners, though I have no experience with the preventative side of the product.  I only scan with it myself.

For the second possibility I follow a very good strategy for having all my systems just avoid visiting sites that host malware.  It involves downloading various blacklists of host systems and domains and compiling those lists into input data for a DNS proxy program I run called "Dual DHCP/DNS Server", modified to handle large lists.  Another almost as effective strategy involves gathering the same info and putting it into your system's hosts file, though beware:  Some folks claim that's a bad approach in that it can introduce undue overhead into Windows networking.  I personally have not seen any problems.

You can read more on these approaches here:

http://win10epicfail.proboards.com/thread/105/build-own-hosts-file

The better way to do it, and the way I'm doing it now for my systems, is described in post 12 of the thread at the above link  - I now use the Dual DNS/DHCP Server package to blacklist sites.  If a site being resolved to an address survives a lookup in the blacklists, it's considered legit and is forwarded to an online OpenDNS server to be resolved.  I can't emphasize enough how effective this strategy is at not only reducing the chance you'll be infected by malware but also to improve the performance and pleasure of your browsing experience.

Beyond the above, all of what I mentioned in the original post of this thread still applies.  Disable ActiveX, don't run things in iFrames, remove all the Add-ons you don't know you need, etc.  Don't be afraid to take control of your security setup.  Not everything is configured to be as secure as it can be out of the box!

-Noel

Edited by NoelC
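The approach NoelC describes in the two posts above (compiling several blacklists into input for a local DNS proxy, with wildcard entries, and forwarding only the names that survive the lookup) and the hosts-file lists Tarun mentions earlier, as an added example. This is not Dual DHCP DNS Server's code or its list format, and nothing here comes from the posts; it assumes two common source formats (hosts-style "address name" lines and plain one-domain-per-line lists, with an optional "*." prefix), reduces the merged list to a minimal set (a name whose parent is already listed is dropped because the suffix match covers it), and uses 0.0.0.0 as the sink address by default. The two sample lists are constructed for the example.

```python
"""Compile domain blocklists from several source formats and answer
wildcard-aware blacklist lookups, the way a local DNS proxy would
before deciding whether to forward a query upstream."""
import ipaddress
import re

# Constructed sample inputs (not real list contents): one hosts-format
# list and one plain domain list, with comments, blanks, mixed case and
# a trailing dot to exercise the normalisation.
HOSTS_FORMAT_LIST = """\
# hosts-style list
127.0.0.1 localhost
0.0.0.0 ads.example.net   # inline comment
0.0.0.0 tracker.example.org
127.0.0.1 Malware.Example.COM
"""

DOMAIN_LIST = """\
# plain domain list, one name per line
cdn-bad.example.net.
*.evil.example
sub.evil.example
tracker.example.org
"""

LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

def normalise(name):
    """Lower-case, strip trailing dot and leading wildcard; return None
    if the result is not a syntactically valid hostname."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    if not name or len(name) > 253:
        return None
    if not all(LABEL_RE.match(label) for label in name.split(".")):
        return None
    return name

def parse_list(text):
    """Yield domains from hosts-format or plain-domain text. In hosts
    format the first field is the sink address and the rest are names;
    'localhost' is skipped so it never ends up in a blacklist."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])   # hosts-style line
            names = fields[1:]
        except ValueError:                    # plain domain line
            names = fields
        for n in names:
            if n == "localhost":
                continue
            d = normalise(n)
            if d:
                yield d

def is_blocked(qname, blacklist):
    """Wildcard-aware lookup: qname is blocked if it or any parent
    domain is in the blacklist."""
    d = normalise(qname)
    if d is None:
        return False
    labels = d.split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))

def compile_blacklist(*sources):
    """Merge sources into a minimal set: parents are inserted first
    (fewest labels), and any child already covered by one is dropped."""
    names = set()
    for src in sources:
        names.update(parse_list(src))
    minimal = set()
    for n in sorted(names, key=lambda s: s.count(".")):
        if not is_blocked(n, minimal):
            minimal.add(n)
    return minimal

def resolve_policy(qname, blacklist, sink="0.0.0.0"):
    """What the local proxy does with a query: answer with the sink
    address for blocked names, otherwise forward upstream."""
    if is_blocked(qname, blacklist):
        return ("sink", sink)
    return ("forward", normalise(qname))

def to_hosts_file(blacklist, sink="0.0.0.0"):
    """Render the compiled list in hosts-file syntax. A hosts file has
    no wildcards, so only the listed names themselves are covered."""
    return "\n".join(f"{sink} {d}" for d in sorted(blacklist)) + "\n"
```

The suffix walk in is_blocked is what gives the DNS-proxy approach its wildcard behaviour: "evil.example" in the compiled set blocks every name under it, whereas the hosts-file rendering of the same set covers only the exact names it lists.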

2 hours ago, phaolo said:

Hello, do you know which antiviruses offer a good protection against ransomware?
I've already added SRP whitelisting (Win7 Pro here), so I need some other kind of active protection.

Malwarebytes, Nod32 or others?

And what about a firewall to replace my free-but-clunky Zone Alarm?

Malwarebytes 3.0 is great for anti-ransomware and works alongside antivirus solutions. I've been looking into Avira as a recommended anti-virus.

As far as a firewall solution goes, I used to love Agnitum Outpost Pro. Unfortunately that's no longer available. GlassWire is a decent solution that offers a free version. I will say, I would never recommend or trust any Comodo products. They have so many problems past to present that they're blacklisted software in my books.


Oh yeah, thanks for noticing the firewall sub-question, Tarun... 

I forgot to mention: Sphinx Windows Firewall Control version 8 has just been released. Its breakthrough claim to fame is that you can manage the setup with names, rather than addresses. It takes care of the ongoing correlation between names and addresses by watching DNS traffic. VERY slick. It handles things like content delivery networks and banks of servers adeptly. You can take controlling things to a whole next level (e.g., describing just what sites a particular program can and cannot contact, or enabling/disabling Windows Update from contacting the several servers with mutable addresses that it normally talks to, etc.) and still not be overwhelmed with ongoing maintenance. I run a tight ship and often go weeks at a time without messing with my firewall configuration (I've been testing version 8 betas for a while).

I'm willing to share my Sphinx configs as examples/starting points.  PM or EMail me if interested.

-Noel

Edited by NoelC
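The mechanism NoelC describes above (a firewall that correlates names with addresses by watching DNS traffic, so rules can be written per program against names and still cope with CDNs and server banks) as an added example. This is not Sphinx Windows Firewall Control's code and says nothing about how that product is built; it assumes a hypothetical per-program rule table, expires a learned binding when the answer's TTL runs out, denies addresses that were never seen in a DNS answer, and parses DNS responses constructed inline with test addresses from 203.0.113.0/24 and 192.0.2.0/24.

```python
"""Model of a name-based outbound firewall: learn IP -> name bindings
by parsing DNS responses, then judge connections by name, not address."""
import struct
import time

def _encode_name(name):
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_a_response(qname, ips, txid=0x1234, ttl=60):
    """Constructed test data: a minimal DNS response with one question
    and one A record per IP, owner names as pointers to offset 12."""
    hdr = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(qname) + struct.pack(">HH", 1, 1)
    answers = b""
    for ip in ips:
        rdata = bytes(int(o) for o in ip.split("."))
        answers += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + rdata
    return hdr + question + answers

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            jumped, hops = True, hops + 1
            if hops > 32:                          # refuse pointer loops
                raise ValueError("compression loop")
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower(), (end if jumped else off)

def parse_a_records(msg):
    """Return [(owner_name, dotted_ip, ttl)] for each A answer."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip question section
        _, off = _read_name(msg, off)
        off += 4
    out = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            out.append((name, ".".join(str(b) for b in rdata), ttl))
    return out

class NameTable:
    """IP -> {name: expiry}; a binding is trusted only until its TTL runs out."""
    def __init__(self):
        self._map = {}

    def observe(self, response, now=None):
        now = time.time() if now is None else now
        for name, ip, ttl in parse_a_records(response):
            self._map.setdefault(ip, {})[name] = now + ttl

    def names_for(self, ip, now=None):
        now = time.time() if now is None else now
        return {n for n, exp in self._map.get(ip, {}).items() if exp > now}

# Hypothetical per-program allow rules (assumed, not Sphinx's syntax):
# '*.zone' covers the zone and its subdomains; anything else is denied.
RULES = {
    "updater.exe": ["*.update.example"],
    "browser.exe": ["*.msfn.org", "cdn.example.net"],
}

def name_matches(name, pattern):
    if pattern.startswith("*."):
        base = pattern[2:]
        return name == base or name.endswith("." + base)
    return name == pattern

def decide(table, program, dst_ip, now=None):
    """Allow only if dst_ip was learned under a name the program may
    contact; addresses never seen in DNS are denied by default."""
    names = table.names_for(dst_ip, now)
    if any(name_matches(n, p) for p in RULES.get(program, []) for n in names):
        return "allow"
    return "deny"
```

The CDN case is the interesting one: a single address learned under two names is allowed for a program permitted to reach either name, and once the TTL lapses the binding is forgotten, so a rule never silently keeps matching an address that has since been handed to another tenant.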

On 16/12/2016 at 3:14 AM, NoelC said:

Where do you think you're more likely to get the ransomware from...

[..] If you're going to download software and run it then it would be a good idea to vet it in a virtual machine before ever allowing it near your critical systems.

[..] If I were looking for an active protection program I'd probably look into the MalwareBytes Antimalware product

[..] downloading various blacklists of host systems and domains [..] and putting it into your system's hosts file

[..] Disable ActiveX, don't run things in iFrames [..]

Thanks for the replies.

- I'm likely to get ransomware from anything: programs, attachments, vulnerabilities, etc..
It's been 1+ year that I haven't had an antivirus, but now I'm paranoid (yes, I make backups).
I'd need some program that could act as a "watchdog", because mistakes can happen.

- I wanted to use a VM to test crap, but it seems that I'd need to buy a new key for a Win7 installed there.. or am I wrong?

- thanks. But I need to know if Malwarebytes can block & recognize new ransomware (and not just block executables in some known paths).
No love for Nod32, instead?

- I remember that the old Spybot on XP used blacklists for the hosts file too.
It was nice, BUT at a certain point started causing recurring slowdowns to my entire pc.
It took me forever to identify it as the source of the issues, so I'm a bit scared of touching hosts again.. O_o'

- I use Ublock and NoScript in Firefox x64, so I'm usually safe enough when browsing.

On 16/12/2016 at 3:51 AM, Tarun said:

Malwarebytes 3.0 is great for anti-ransomware and works alongside antivirus solutions. I've been looking into Avira as a recommended anti-virus.
As far as a firewall solution goes [..] GlassWire is a decent solution that offers a free version. I will say, I would never recommend or trust any Comodo products.[..]

Another point for MB then.
Avira didn't impress me much, instead.
Never heard of GlassWire. I'll check it, ty.

On 16/12/2016 at 4:00 AM, NoelC said:

Sphinx Windows Firewall Control version 8 has just been released.

Thanks.

Edited by phaolo

  • 4 weeks later...

My company got hit with ransomware just a few months after a local hospital forked over several hundred thousand dollars to get their data back. I'm glad I paid attention. After our ransomware hit, I just deployed our server and PC backups and kept it moving. 

