My current methodology for malware prevention


For non-techie type people, this is how I have been protecting their computers. I don't want to overly complicate their setup. Any comments are appreciated.

1) Advise them to use Firefox instead of IE.

2) Install Google Toolbar for IE.

3) Install Mike's Ad Block Host File, http://everythingisnt.com/hosts.html

4) Run IE, Firefox, & Outlook via DropMyRights. I was using psexec -l -d, but some AV scanners thought psexec was a hack tool and then it would get quarantined.

5) Configure DNS servers from http://www.opendns.com/

6) Uninstall their AV since they let it expire anyway and install AVG.

7) Run Adaware, Spybot, and Ewido

8) Run WindowsUpdate, set it to automatically download new updates (if they are on DSL/Cable)

Edit: 9) Run Autoruns from sysinternals.com (forgot to mention this)

For myself, I do all of these, plus disable Java in Firefox and use the NoScript Firefox plugin (which I think would be too complicated for regular folks).

What are some other things that I can do for non-technical people to help them from getting spyware or a virus? Is there a better free AV? I liked Avast! except for the fact that you had to keep registering it, even though it was free.

Thanks,

-John

Edited by jftuga


1. Configure and secure IE

2. HOSTS

3. Proxomitron

No AV for me, but I usually recommend NOD32 to anyone that absolutely *has to* have one (usually I give them a long talk about being cautious and tell them if they get infected it's their own fault :D )


Using a HOSTS file can slow down the connection; make sure you test it.

Lock down IE as much as possible if another browser is used instead of it.

I do not use any AntiApp, so I recommend what I consider to be "the best":

AV: Avira (you can also consider AVS; AVG is easy-to-use, but has low detection)

AS: Spyware Terminator (low detection, but much better than Windows Defender)

Firewall: Comodo, Kerio or Zone Alarm (depends on the user, GUI, functions, etc)

OnDemand: CureIt (downloadable, it does not install, so it will not conflict with AV)

Ewido is a great AntiTrojan, but too weak as an AntiSpyware, as are AdAware & Spybot.

I would pick SuperAntispyware instead of AA & S; it has good detection and a nice GUI.


I primarily use my Anti-Malware Professional package. It contains SpywareBlaster, CCleaner, CWShredder, Ad-Aware, Spybot S&D, AVG Anti-Spyware (formerly ewido), Firefox, Thunderbird, Firetune, and UPHClean setup.

Personal methods:

I have a number of tools I use to diagnose and repair systems. It generally takes an hour to two hours, depending on the speed of the machine and how critical the infections are.

From start to finish:

Peperfix, VX2Finder, TheNotifier (used to verify the results of VX2Finder), ADSSpy, SpywareBlaster, CCleaner, CWShredder, Ad-Aware (and I install the defs I pre-downloaded using my InstallDefs.bat file), Spybot S&D (and all three of the updates), Autoruns, HijackThis, Dial-a-fix, LSPFix, UPHClean and Windows Updates.

Peperfix is to of course remove any Peper files, VX2Finder finds and repairs any VX2 infections, and ADSSpy for malicious ADS-Stream data.

SpywareBlaster is a great asset as it protects both IE and Firefox; plus it stops any active malware on the system from properly functioning.

CCleaner is then used to clean out the system of junk files. Additionally when you use it to clean your system, it can also clean out temp directories and other locations where malware can hide and replicate.

CWShredder is used to remove any CWS infections that can bog down the system. I've not been seeing near as much CWS as I used to.

Ad-Aware and Spybot are run concurrently, both scanning at the same time. Prior to scanning with Spybot, I Immunize the system and also allow it to clean up File Sets. Then begin the scan and while scanning I look over the ActiveX and BHO's via Spybot's Tools. I also apply the Spybot S&D HOSTS file. When finished I remove all malicious findings after reviewing them and then I move on to my next tool, Autoruns.

Autoruns is used while Ad-Aware and Spybot are scanning. Under Options I apply a check beside Verify Code Signatures and Hide Signed Microsoft Entries. I check for File Missing entries and look for anything malicious which I then remove manually. I check every user listed as well.

HijackThis is used next and I inspect the entries, making whatever removals necessary.

I make use of LSPFix to check for any other issues to Winsock, etc.

Dial-a-fix gets used for good measure, hitting the green checkmark and clicking Go to tidy up and resolve any potential issues.

I'll also put IE7 on to increase security and get their system up to date.

UPHClean is installed last and I follow up by checking for Windows Updates, getting all of them. Or I'll make use of AutoPatcher if they're on a low-speed connection.

After rebooting and making sure the system is working good as new (or better); I'll use CCleaner to scan for Issues and remove anything found, always making backups as a precaution as I've seen CCleaner break a lot of systems when using the Issues scanning.

Should they need an Anti-Virus, it's always Avast with a minimal install and set up to update silently.

----

At work I use pretty much the same tools, though I do not install and use Firefox, Thunderbird, Firetune or AVG-AS on client machines (It's pretty much for visitors to my website only, as many of the tools I use should only be used by professionals). I do update Firefox/Thunderbird if it's already installed and add a few extensions that are lightweight and beneficial.

If a client doesn't want to buy an anti-virus, I was able to have my boss have us put Avast onto client machines.

I try to avoid using HOSTS files as they're not really meant to be used in that manner, though they can still protect a client machine.

I avoid toolbars and will always uninstall them when I encounter them. A properly configured system won't have to worry about popups.

With Firefox I use Firetune on it, then I go into about:config and manually change the browser.cache.memory.capacity and change the setting to 16384 (this keeps Firefox from becoming a load on the system). Always installed extensions are Cutemenus, AdBlock Plus, Filterset.G Updater, DownThemAll, and TabMixPlus.


Tarun,

Wonderful post, thank you for such a nice & detailed response. I have a few questions.

I had never heard of Peperfix. After doing some research, it now looks a bit outdated and unsupported. Are you still detecting any malware with it? Wouldn't Adaware and/or Spybot find the same malware during their scans?

I am surprised to hear that you run Adaware & Spybot concurrently. My intuition leads me to believe that this could not be that much faster than running them sequentially. Am I wrong? Also, if both programs find the same piece of malware, which program do you delete it with first, Adaware or Spybot? Now that that piece of malware is gone, what happens to the 2nd program when it is in its delete phase?

Thanks,

-John


To date, I have never detected any Peper files with Peperfix, but I use it as a precaution.

Yes, it is possible that Ad-Aware and Spybot will find the same malware, but as they are different programs with different heuristics for scanning; they can detect different traces and elements of malware. :)

I always let Ad-Aware remove first, as it is updated more and is maintained far better than Spybot. When Spybot goes to remove an item Ad-Aware has removed, it simply ignores the file(s) found that Ad-Aware detected and removed, because they are no longer present. But should there be traces of other malware that Ad-Aware didn't get; Spybot takes care of them.

Also, if Spybot asks me to run again on startup, I always say no because it's usually lying.

Hope this clarifies a few things. :)


My method works the best as I haven't had any malware or viruses in a few years now.

Use Brain.

Use Opera.

:thumbup

I used to rely on HOSTS religiously, but it does really slow things down. Maybe with any luck they have a more efficient implementation in Vista.

Edited by #rootworm

> My method works the best as I haven't had any malware or viruses in a few years now.
>
> Use Brain.
>
> Use Opera.
>
> :thumbup
>
> I used to rely on HOSTS religiously, but it does really slow things down. Maybe with any luck they have a more efficient implementation in Vista.

Disable the DNS Client service. Contrary to common sense, DNS names still get resolved properly, and the HOSTS file still works fine :wacko:

Just try it on your system if you don't believe me. What the service does is attempt to cache the whole HOSTS file, which is the source of the performance issue.


> I used to rely on HOSTS religiously, but it does really slow things down. Maybe with any luck they have a more efficient implementation in Vista.

Same here. It wasn't too obvious until I decided to combine what seemed like the best 3 or 4 hosts files one could find on the web, merging them together and removing duplicates. The final version was a little over 1MB. The network service would peak CPU usage to 99% for a few minutes. Opening the web browser and such things did the same. The only fix that actually worked was to get rid of the said hosts file. Disabling DNS client didn't help one bit.

Since then, I haven't used one at all, and still haven't caught anything regardless. The idea isn't so much to make it impossible for your computer to reach places that host bad things (as you can't make a complete list) as to make it not become infected if it ever does (you will come across some sites with crap eventually).

As long as someone uses common sense, doesn't use IE, uses reasonably patched software, has a firewall of some kind (router, nat/fw software, or personal firewall), and preferably has an antivirus, there shouldn't ever be a problem (be it spyware, viruses or otherwise).


> Disable the DNS Client service. Contrary to common sense, DNS names still get resolved properly, and the HOSTS file still works fine :wacko:
>
> Just try it on your system if you don't believe me. What the service does is attempt to cache the whole HOSTS file, which is the source of the performance issue.

There is unfortunately a lot of misinformation going on about the Hosts file and the DNS Client service. A while back I wrote a brief FAQ on the Hosts file and how to protect your computer properly. Here's the Hosts file snippet.

What is the Hosts file?

The Hosts file is used to look up the Internet Protocol address of a device connected to a computer network. The Hosts file describes a many-to-one mapping of device names to IP addresses. When accessing a device by name, the networking system will attempt to locate the name within the Hosts file if it exists. Typically, this is used as a first means of locating the address of a system, before accessing the Internet domain name system. The reason for this is that the Hosts file is stored on the computer itself and does not require any network access to be used, whereas DNS requires access to an external system, which is typically slower.

Where can I find the Hosts file?

It depends on what Operating System you are using that determines where you can find the Hosts file.

Locations of the Hosts file on many Operating Systems:

  • Windows NT/2000/XP/Vista: %SystemRoot%\system32\drivers\etc\ is the default location, which may be changed. The actual directory is determined by the Registry key \HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath .
  • Windows 95/98/Me: %WinDir%\
  • Linux and other Unix-like operating systems: /etc
  • Mac OS: System Folder: Preferences or System folder (format of the file may vary from Windows and Linux counterparts)
  • Mac OS X: /private/etc (uses BSD-style Hosts file)
  • OS/2 and eComStation: "bootdrive": \mptn\etc\

What should the Hosts file be used for?

The Hosts file should only be used for redirecting a website or a new IP address. This generally happens if your favorite website has relocated to a new host or their IP has changed. It sometimes takes a few days to update your DNS cache and sometimes it's also up to your ISP to refresh this information on their local cache. You also should only use it if you absolutely must block a website that you have no desire of ever going to.

What do you not use the Hosts file for?

Under no circumstance should you ever use your Hosts file to block malware or advertisements. It is not designed to be used in this manner despite what many websites falsely report. Coincidently those sites also offer their own malware and ad-blocking Hosts files. Some websites will also recommend disabling the DNS Client service or setting it to Manual. By default it is set to Automatic and should not be changed.

Note The overall performance of the client computer decreases and the network traffic for DNS queries increases if the DNS resolver cache is deactivated.

The DNS Client service optimizes the performance of DNS name resolution by storing previously resolved names in memory. If the DNS Client service is turned off, the computer can still resolve DNS names by using the network's DNS servers.

When the Windows resolver receives a positive or negative response to a query, it adds that positive or negative response to its cache, and as a result, creates a DNS resource record. The resolver always checks the cache before querying any DNS server. If a DNS resource record is in the cache, the resolver uses the record from the cache instead of querying a server. This behavior expedites queries and decreases network traffic for DNS queries.

You can use the Ipconfig tool to view and to flush the DNS resolver cache. To view the DNS resolver cache, type ipconfig /displaydns at a command prompt. Ipconfig displays the contents of the DNS resolver cache, including the DNS resource records that are preloaded from the Hosts file and any recently queried names that were resolved by the system. After a certain time period, the resolver discards the record from the cache. The time period is specified in the Time to Live (TTL) associated with the DNS resource record. You can also flush the cache manually. After you flush the cache, the computer must query DNS servers again for any DNS resource records previously resolved by the computer. To delete the entries in the DNS resolver cache, type ipconfig /flushdns at a command prompt.
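The lookup order the FAQ describes (Hosts file first, then the resolver cache holding positive and negative answers until their TTL expires, then the DNS server), as an added example that is not part of the original post. The sample hosts text, the `server` callback standing in for a network query, and the injectable `now` clock are constructed for illustration.

```python
"""Hosts-file parsing plus a TTL-bound resolver cache, modelled on the FAQ above.
Added example; sample hosts text and the DNS server stand-in are constructed."""
import time

# Constructed sample hosts file: comments, blank lines, several names per line.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# blocklist-style entries map unwanted names to loopback
127.0.0.1       ads.example.invalid banners.example.invalid  # trailing comment
10.0.0.5        intranet.example.invalid
"""

def parse_hosts(text):
    """Return {hostname: ip}; later lines win, comments and blanks are skipped."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping

class Resolver:
    """Hosts file, then resolver cache (positive and negative answers with TTL),
    then the DNS server callback.  `server(name)` is a constructed stand-in for
    a network query and returns (ip_or_None, ttl_seconds)."""
    def __init__(self, hosts, server, now=time.monotonic):
        self.hosts, self.server, self.now = hosts, server, now
        self.cache = {}          # name -> (answer_or_None, expiry_time)
        self.server_queries = 0  # how often the network was actually asked

    def resolve(self, name):
        name = name.lower()
        if name in self.hosts:                      # Hosts file is consulted first
            return self.hosts[name], "hosts"
        entry = self.cache.get(name)
        if entry and entry[1] > self.now():         # unexpired cached answer wins
            return entry[0], "cache"
        answer, ttl = self.server(name)
        self.server_queries += 1
        self.cache[name] = (answer, self.now() + ttl)   # negative answers cached too
        return answer, "server"

    def flush(self):
        """Equivalent of `ipconfig /flushdns`: drop cached answers, keep hosts."""
        self.cache.clear()
```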


Tarun: you're 100% right. And very good FAQ (lots of people disable services they shouldn't too, and just because their computer still runs, they think it must have been useless). Using the hosts file for such purposes is a kludge at best. And definitely not for ad-blocking. (Lots of good apps made for this, from filtering proxies to extensions like adblock).


> Tarun: you're 100% right. And very good FAQ (lots of people disable services they shouldn't too, and just because their computer still runs, they think it must have been useless). Using the hosts file for such purposes is a kludge at best. And definitely not for ad-blocking. (Lots of good apps made for this, from filtering proxies to extensions like adblock).

No need to run another program just to block ads when all you need is a static file that *always* works, and is basically nearly infallible... I just use Proxomitron to rewrite webpages further (e.g. remove all content coming from */ads/* or */banners/*). Both together are more effective. :)

> is not designed to be used in this manner despite what many websites falsely report

Thinking too narrow there. I really don't care what it was designed for, only what it can be used for.

As for disabling DNS Client I just use the 4.2.2.* DNS servers, those seem to have a better response time than the ones of my ISP. Also, no cache = less RAM usage.

Edited by LLXX