On Sun, 1 Jul 2007 08:15:04 -0400, "R. McCarty"
There are also A-Squared and AVG Antispyware, which used to be Ewido.
I would use online scanners ONLY to submit "unopened" files for
scrutiny. What I would NOT do, ever, is:
- take a suspected-infected PC online
- let it find an online scanning site via malware'd DNS
- drop my browser's security when I get to that site
- allow the site to drop and run code on my PC
- stay online while that code looks at all my files
Once malware has been able to run, it is positioned to pre-empt and
override anything you do from within the infected system. Most
malware won't make maximal use of this positioning, but what you're
really counting on is weakness of the attacker's capabilities.
If malware is "commercial", posing as legitimate (though unwanted)
software, it is constrained in what it can do. If it becomes too
aggressive, e.g. wiping your data, killing your av etc., then the
vendor loses "plausible deniability".
It is this distinction that distinguishes commercial malware that av
typically ignores and "antispyware" apps typically target, and
"traditional" malware such as viruses, etc.
From this distinction comes the idea that you can tackle active
commercial malware informally, e.g. by running AdAware, Spybot etc.
from Windows. Current trends blur the distinction, as the
"commercial" operators are either out of jurisdiction, or emboldened
by the weak legal response to their activities.
This is true, and I don't see anything in the poster's measures that
address by-design exploitability. I would:
- kill hidden admin shares
- kill all wireless I wasn't using
- if I had to use WiFi, I'd want WPA with 20-character random key
- stop the PC auto-restarting on errors
- stop the RPC service from restarting the computer when it fails
- show all files, and especially all file name extensions
- kill off Java unless I needed it (then keep only latest Sun JRE)
- delete unopened any attachments lacking specifically human text
- keep incoming material out of "My Documents"
- keep infectable material (e.g. code files) out of "My Documents"
- relocate "My Documents" to a HD volume off C:
- do not full-share any infectable locations
- do not full-share any integration point locations, e.g. StartUp
- use a NAT router if on broadband
- disallow auto-dialup if on dialup (even if phone calls are free)
- stop Windows opening files based on "content, not extension"
- use Spyware Blaster to passively block known-bad stuff
- disable Windows Scripting Host if not using it
- disable/block Remote Desktop / Assistance if not using it
Well, you get the idea.
What happens is:
- the UI doesn't show info needed to assess risk, e.g. file .ext
- the user lacks skills to assess this info even if it is visible
- the OS lets bad stuff spoof this risk indication anyway
This is aside from pure clickless attack, where a combination of bad
design (e.g. exposing RPC and LSASS services to unsolicited Internet
traffic) and defective code allows direct network attack.
NAT and firewall help those, as do patches.
Context:
What I've mentioned is legally free too, for home use at least
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
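Added example, not code from the post or its author: a read-only PowerShell audit of the registry values behind several items on the hardening list in the post (hidden admin shares, auto-restart on errors, visible file extensions and hidden files, Windows Script Host, Remote Desktop/Assistance), plus the RPC service recovery action. The registry paths, value names, OS defaults and the sc.exe output format are my assumptions about XP/Vista-era Windows; run it as Administrator and confirm each item against your own build before changing anything.

```powershell
# Added example (not from the original post). Read-only audit of the
# registry values backing several items on the hardening list. Paths,
# value names and defaults are assumptions about XP/Vista-era Windows.

$HardeningChecks = @(
    @{ Item = 'Hidden admin shares (C$, ADMIN$) disabled';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';
       Name = 'AutoShareWks'; Default = 1; Want = 0 }
    @{ Item = 'No auto-restart on system errors';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl';
       Name = 'AutoReboot'; Default = 1; Want = 0 }
    @{ Item = 'File name extensions shown';
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';
       Name = 'HideFileExt'; Default = 1; Want = 0 }
    @{ Item = 'Hidden files shown';
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';
       Name = 'Hidden'; Default = 2; Want = 1 }
    @{ Item = 'Protected OS files shown';
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';
       Name = 'ShowSuperHidden'; Default = 0; Want = 1 }
    @{ Item = 'Windows Script Host disabled';
       Path = 'HKLM:\Software\Microsoft\Windows Script Host\Settings';
       Name = 'Enabled'; Default = 1; Want = 0 }
    @{ Item = 'Remote Desktop disabled';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';
       Name = 'fDenyTSConnections'; Default = 1; Want = 1 }
    @{ Item = 'Remote Assistance disabled';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance';
       Name = 'fAllowToGetHelp'; Default = 1; Want = 0 }
)

function Get-RegistryValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    try {
        # -ErrorAction Stop turns a missing key or value into an exception,
        # so an unset value reports the assumed OS default rather than $null.
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $Default
    }
}

function Test-HardeningItems {
    # One result object per check; Hardened is true when the effective
    # value (set or defaulted) matches the value the list item calls for.
    foreach ($c in $HardeningChecks) {
        $actual = Get-RegistryValueOrDefault -Path $c.Path -Name $c.Name -Default $c.Default
        [PSCustomObject]@{
            Item     = $c.Item
            Value    = "$($c.Name)=$actual"
            Wanted   = $c.Want
            Hardened = ($actual -eq $c.Want)
        }
    }
}

function Test-RpcFailureAction {
    # "stop the RPC service from restarting the computer when it fails":
    # sc.exe qfailure prints the service recovery actions; a REBOOT entry
    # means a crash of RpcSs still reboots the machine (format assumed).
    $out  = & sc.exe qfailure RpcSs 2>&1 | Out-String
    $line = $out -split "`r?`n" | Where-Object { $_ -match 'FAILURE_ACTIONS' } | Select-Object -First 1
    [PSCustomObject]@{
        Item     = 'RPC service failure action does not reboot the PC'
        Value    = $(if ($line) { $line.Trim() } else { $out.Trim() })
        Wanted   = 'no REBOOT action'
        Hardened = ($out -notmatch 'REBOOT\s+--')
    }
}

# Report everything in one table; nothing here writes to the registry.
@(Test-HardeningItems) + @(Test-RpcFailureAction) |
    Format-Table Item, Hardened, Value -AutoSize
```

The script only reads; each row's Value column shows the effective setting so the operator can decide what to change by hand. Several of these values are per-user (the Explorer ones under HKCU), so run it under each account that is actually used on the machine, and treat the assumed defaults as the first thing to verify on a newer Windows release.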