Sunday, April 30, 2006

Bulletproof Windows Security


The bulletproof system is a multi-pronged approach that will make your system essentially invulnerable to the vast majority of spyware, adware, and malware.


I - ASSESS YOUR VULNERABILITY

Go to Steve Gibson's ShieldsUP! page and test how accessible
your computer's ports are to a hacker looking for a way in:
https://www.grc.com/x/ne.dll?bh0bkyd2

Click on Common Ports to test the ones most used.
Click on All Service Ports for a complete test.

The perfect firewall will show Stealth (invisible) status
for all ports. ZoneAlarm is one of the few software
firewalls that can provide this level of protection.
It used to be the ONLY one.



II - INSTALL PROTECTION


1 - FIREWALL

You have a choice of a hardware or software solution here.


SOFTWARE FIREWALL

The best software firewall is ZoneAlarm, and it has the
advantage of being free, as well. ZoneAlarm protects both
against incoming attacks and outgoing events, such as
a keylogger sending private information, by asking you
if you initiated the program which is attempting to access
the internet at that moment. If you recognize the program,
such as the Internet Explorer browser, you can give it
blanket permission to access at all times, without being
checked out. If you say no, it will be blocked. You can
also grant one-time access in order to observe the result,
for instance to check for error messages from a Windows
service that needs to run in order to give your browser access.

ZoneAlarm offers a Pro version which provides additional
features and support, but the free version is just fine:
http://www.zonelabs.com/store/content/home.jsp


HARDWARE FIREWALL

A hardware firewall is simply a router that sits
between your DSL or Cable modem and the network
card in your PC. It very effectively blocks all
incoming traffic which has not been initiated
from your PC. It will NOT block programs on your
PC from accessing the internet, so, while it may
prevent a trojan from being loaded onto your PC,
it will not prevent it from working once it has
been started. When combined with the other
protection here, that won't be a problem, but
you should know that blocking outgoing access
by programs without your permission is one of
the virtues of ZoneAlarm.

The biggest advantage of a router is that it
fields all the traffic sent to the IP address
given to you by your ISP, and assigns a separate
IP address to your computer, so your PC's IP
address is simply not reachable from outside.

Though they offer the possibility of being
configured, little or no configuration is
usually necessary.

One of the best routers for the money is Asante.
One of the most cost-effective solutions is the
FriendlyNET FR1004:
http://www.asante.com/products/productsLvl3/FR1004.asp


2 - ANTIVIRUS (AV)

Many of the commercial AV programs are notorious for failing
to detect bugs in a timely manner, and for causing conflicts
with other software (Norton is one of these). As a result,
users started looking for better solutions. I've tried any
number of the freeware solutions and finally settled on
AntiVir.

Here's a good list of possible programs:

Free online or downloadable virus scans:

AntiVir:
http://www.free-av.com/

BitDefender:
http://www.bitdefender.com/scan/licence.php

Computer Associates:
http://www3.ca.com/virusinfo/virusscan.aspx

Panda:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Trend Micro:
http://housecall.trendmicro.com/housecall/start_corp.asp

I like AntiVir for several reasons:

- It tends to find viruses missed by other AV programs.

- Detection files are updated frequently - often several
times a day. You can set the update component to update
as often as you like. I update once a day.

- It has a component called AntiVir Guard which monitors
file activity on your hard drive and scans on-the-fly.
This is especially valuable in the case of hidden
"drive-by" downloads from malicious sites - a common
source of trojans. The Guard component sees these
hidden downloads and scans the files, immediately
alerting you of malicious content, and offering you
the option of deleting, moving or renaming the file
or placing it in quarantine. Priceless.


3 - WINDOWS UPDATES

Microsoft is painfully aware of the many vulnerabilities
in its software, from Windows itself to Outlook Express
to Internet Explorer. They work hard to patch them as
quickly as possible after becoming aware of a problem.
Updating your system is vital to any comprehensive
effort to protect yourself:
http://www.windowsupdate.com/


4 - FREEWARE SOLUTIONS

Out of all the freeware solutions out there, the following
programs should be considered essential. They are tried and
true, contain no spyware or adware themselves, work well with
other programs, and are constantly being updated and improved
by some of the most creative and conscientious programmers in
the world.

Many of them overlap in their protective capabilities, but
there's no such thing as too much protection. At the same
time, they each contain some unique aspects which more
than make up for any overlap in function.


- AdAware

"Ad-Aware is designed to provide advanced protection from
known Data-mining, aggressive advertising, Parasites,
Scumware, selected traditional Trojans, Dialers, Malware,
Browser hijackers, and tracking components. With the
release of Ad-Aware SE Personal edition, Lavasoft takes
the fight against Spyware to the next level."
http://www.lavasoftusa.com/software/adaware/

The free version is essential. Plus and Professional
versions are also available.

Use it once a week, or more often if you browse aggressively.
Manually update before each use.


- Spybot Search & Destroy

A partial list of features:

Removal of adware and spyware
Removal of dialers
Removal of keyloggers
Removal of trojans and other baddies
Removal of usage tracks
Safe removal of threats by shredding them
Backups of every removed problem
Exclude option to ignore specific problems
Permanent blocking of threatening ActiveX downloads
Permanent blocking of known tracking cookies for IE
Permanent blocking of threatening downloads in IE
http://www.safer-networking.org/en/features/index.html

Overview:
http://www.safer-networking.org/en/spybotsd/index.html


- Javacool Software's Spyware Blaster

"Prevent the installation of ActiveX-based spyware, adware,
browser hijackers, dialers, and other potentially unwanted
software.

Block spyware/tracking cookies in Internet Explorer and
Mozilla/Firefox.

Restrict the actions of potentially unwanted sites in
Internet Explorer.

SpywareBlaster can help keep your system spyware-free and
secure, without interfering with the "good side" of the web.

And unlike other programs, SpywareBlaster does not have to
remain running in the background."
http://www.javacoolsoftware.com/spywareblaster.html

Run it once a week to update it, and enable all protection.
Then close the program. This program acts more like an
inoculation, preventing changes to the system. 4349 items
are currently in the database.


- WinPatrol

"WinPatrol uses a heuristic approach to detecting attacks
and violations of your computing environment. Traditional
security programs scan your hard drive searching for
previously identified threats. WinPatrol takes a snapshot
of your critical system resources and alerts you to any
changes that may occur without your knowledge."
http://www.winpatrol.com/

This program loads with Windows and sits in the system
tray, offering many features. The most noticeable are
when Scotty, the Scottish Terrier, barks to alert you
that a new program has been added to the Windows Startup
sequence, either in the registry or the Startup Folder.

Since one of the ways that viruses multiply themselves
is to add an entry to Windows Startup, this is a very
valuable program. You can immediately deny any program
from placing a startup entry.

You can also use the program by double-clicking on the
tray icon. Scotty will bark in response, and you'll
have access to several tabs of options, including
viewing Startup Programs, Active Tasks, IE Helpers,
Cookies, and much, much more.

Scotty can also be set to monitor any changes made to
your HOSTS file. Much more on this later.


- HijackThis (HJT)

HijackThis is a legendary program which is of immense
value if you've already been infected, or think you
might have been.

"HijackThis examines certain key areas of the Registry
and Hard Drive and lists their contents. These are areas
which are used by both legitimate programmers and hijackers."
http://www.tomcoyote.org/hjt/

HJT creates a log of what it finds which can then be
posted for analysis by experts such as those found here
on Google Answers, or in a forum dedicated to assisting
those who are infected, such as 'TomCoyote Forums',
'Geeks to Go Forums' and 'SpywareInfo Forums'.

Experts can tell you precisely what entries to check for
removal by HJT.

One of the latest enhancements to this program is the
addition of online HJT log analyzers, which can give
you a leg up in analyzing them yourself:

IamNotaGeek.com log parser:
http://hjt.iamnotageek.com/

HijackThis log analyzer (a more graphic version):
http://www.hijackthis.de/en

HJT has other very useful features, including one which
marks a file for deletion on reboot. This is very useful
when Windows prevents you from deleting a file because
it's currently in use, which happens a lot with viruses.


- Microsoft Windows Anti-Spyware (Beta)

I installed this and ran it for about a week. It didn't
give any indication of having found anything that wasn't
already protected against by the other software here, but
I'm including it because it's received very good reviews
in the geek community, and I'd certainly recommend it to
anyone who has limited knowledge of spyware and the other
programs I've outlined to prevent it.

Let this run in your system tray.
http://www.microsoft.com/athome/security/spyware/software/default.mspx


5 - HOSTS FILE

The HOSTS file is a little-known Windows file which normally
does nothing, since its default content is minimal, that
being:

127.0.0.1 localhost

That entry just points to your computer and identifies it
as localhost.

But additional entries can be made to this file that amount
to Windows wizardry!

The file is typically located here, in W2000 & XP:
C:\WINNT[or Windows]\system32\drivers\etc

It has no extension, but you can rename it HOSTS.txt
and open it with Notepad to see that it is a text file.

Entries can be added on a custom basis. Each added entry
maps a specified hostname to your own computer (127.0.0.1),
and Windows checks the HOSTS file before asking your DNS
server, so that, instead of looking for the files on the
web, your browser will look for them on your PC. Since they
don't exist there, they won't be found and loaded. In this
way, you can effectively block certain sites from ever
being loaded in your browser.

Many people use the file to prevent known advertising
servers and malicious sites from having access to your
browser. There are many sites which post replacement
HOSTS files to use in place of the default one.

Different sites focus on different content. You can find
sites that block porn sites, sites that block ads from
loading in your browser, sites that are known to be
malicious, and combinations of all of these.

Since there are hundreds of sites of each of these types,
the number of entries can make the HOSTS file very large.
A very large file slows down every name lookup, and with
it your browser's loading of pages, so some authors of
HOSTS files take this into account and use it to redirect
only the most malicious sites and the most ubiquitous
advertisers.

The following page on the MS Most Valuable Professionals
site offers the best compromise and supporting information
I've found for the HOSTS file:
http://www.mvps.org/winhelp2002/hosts.htm

You can download the one they provide and use it to
replace the default one (after renaming it). You can
then also lock the file, by right-clicking on it,
selecting Properties and checking Read-only. This will
prevent trojans and other hijackers from writing to
it, which can cause some major problems.

The MVPs page also offers a batch file utility which allows
you to temporarily turn off protection by renaming the file.
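After you install a replacement HOSTS file, or if you suspect something has written to yours, you will want a quick way to tell ordinary blocklist entries from hijacks. The following Python script is an added example, not code from this guide or from the MVPs page; it assumes the HOSTS file's text has been read into a string, and it uses a small, assumed watch list built from the update and AV sites named in this guide.

```python
import ipaddress
import re

# RFC 1123 label: 1-63 chars, letters/digits/hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)
# Sites named in this guide that a home PC's HOSTS file must never redirect:
# malware commonly maps AV and update sites to 127.0.0.1 to cut off updates.
# Assumed watch list for this example; add your own AV vendor's domains.
PROTECTED = ("windowsupdate.com", "microsoft.com", "free-av.com", "grc.com")

def valid_hostname(name):
    return 0 < len(name) <= 253 and all(LABEL_RE.match(p) for p in name.split("."))

def is_protected(name):
    return any(name == s or name.endswith("." + s) for s in PROTECTED)

def parse_hosts(text):
    """Yield (line_no, address, [names]) per mapping line; '#' starts a comment."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield no, fields[0], [n.lower() for n in fields[1:]]

def audit_hosts(text):
    """Sort each entry into: blocklist entry, suspected hijack, or malformed line."""
    report = {"blocked": 0, "hijacked": [], "malformed": []}
    for no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            addr = None
        if addr is None or not names or not all(map(valid_hostname, names)):
            report["malformed"].append(no)
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified  # 127.0.0.1, ::1, 0.0.0.0
        for name in names:
            if is_protected(name) or not sinkhole:
                report["hijacked"].append((no, name, ip))
            elif name != "localhost":
                report["blocked"] += 1
    return report

# Constructed sample, not a real HOSTS file; the report cites its line numbers.
SAMPLE = """\
127.0.0.1 localhost
127.0.0.1 ads.example.net      # ordinary blocklist entry
0.0.0.0   tracker.example.org  # some lists use 0.0.0.0 instead
127.0.0.1 www.free-av.com      # AV update site blocked: hijack
203.0.113.5 www.example.com    # sent off the PC entirely: hijack
this is not a hosts entry
"""
print(audit_hosts(SAMPLE))
```

Any entry listed under "hijacked" is worth comparing against the file you downloaded from the MVPs page before you trust the machine, and it is a sign the Read-only lock described above was missing or bypassed.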



III - RE-TEST YOUR SYSTEM

Once you've installed your firewall, go back to Steve Gibson's
ShieldsUP! page and test it out.

Then just update and run your AV program, Spyware Blaster,
Spybot S&D, and AdAware about once a week, and more often
if you have a period of aggressive browsing in unknown
territory, or you have reason to suspect there is a bug
on the loose.

Meanwhile, AntiVir Guard, WinPatrol's Scotty, and MS's
Anti-Spyware programs, as well as Spyware Blaster's
inoculations, are keeping your system safe, and looking
for any changes.

BULLETPROOF!

http://everest.googlepages.com/