Norton AV 2005 and Spyware ?

Al Dykes

A client of mine just bought Norton SystemWorks 2005 as an upgrade to
his 2003 version and was specifically looking for "spyware" protection.
He's not technical and assumed spyware was spyware. This was my first
hands-on with NAV spyware scanners.

I installed it for him and did a full system scan. It found NOTHING.
I know this guy does safe computing, but IME, there's always cookies,
if nothing else.

I installed spybot and it found 57 cookies, with some of them
being unquestionable crap; wwwsearch for one.

All spyware options in NAV are on. Is NAV oblivious to cookies ?

(I trust that NAV2005 is protecting against hostile code.)

Comments ?

Thanks

Vanguard

Al Dykes said:
A client of mine just bought Norton SystemWorks 2005 as an upgrade to
his 2003 version and was specifically looking for "spyware" protection.
He's not technical and assumed spyware was spyware. This was my first
hands-on with NAV spyware scanners.

I installed it for him and did a full system scan. It found NOTHING.
I know this guy does safe computing, but IME, there's always cookies,
if nothing else.

I installed spybot and it found 57 cookies, with some of them
being unquestionable crap; wwwsearch for one.

All spyware options in NAV are on. Is NAV oblivious to cookies ?

(I trust that NAV2005 is protecting against hostile code.)

Comments ?

Thanks


If you block cookies, sometimes a site won't behave correctly. But often
you don't need the cookies left around after you are done with your browsing
session. Scanning sometime later to eradicate unneeded cookies is reactive.
Also, I'm not paranoid about those that might be tracking my web visits
since I don't go anywhere that I'm ashamed of and I don't care about the
marketeers seeing if I'm hitting their sites. However, I do consider it
rude they leave their trash on my system. There are several cookie managers
around that will help eliminate cookies. I use PopUpCop not only to get rid
of popups, 3rd party Flash content, and AX controls, but also because it
provides for whitelisting of domains for cookies. Although I wouldn't
consider PopUpCop's action to be proactive, it is still reactive but it is
automatic. Also, PopUpCop only loads when you load IE; I think it runs as a
COM+ add-in to IE. There is no other time when its functions are
appropriate. Other cookie managers consume memory all the time because they
run all the time even when they would be superfluous.

There are some sites that I visit, like forums, whose cookies I do want to
keep because it makes logging in much easier (i.e., automatic). There are
some sites that won't behave correctly if you don't let them create a cookie
(mostly for navigating around their site). In Internet Explorer, I
configure cookie management to allow first party cookies, block third party
cookies, and accept per-session cookies (they are *supposed* to get deleted
when you exit IE). Since I allow first party (which hang around) and
per-session cookies (which should get deleted but sometimes do not), if
their domain is not in PopUpCop's whitelist, then their cookies will get
deleted when I exit IE. So all non-whitelisted cookies are forced to be
per-session cookies (and PopUpCop makes sure they DO get deleted). PopUpCop
can also clear the browser's temp file cache. There is an option in IE to
flush its cache on exit but it doesn't work 100% of the time. PopUpCop
makes sure that it does work 100% of the time. Because of whitelisting only
those domains that I want to keep their cookies, all others are forced to be
per-session cookies. That means I don't need any of those external
blacklists of cookies from Spybot, SpywareBlaster, or anywhere else, and
I don't need to have them pollute my system with a list of those blacklisted
cookie domains in IE's cookie management.

You can also configure Spybot to check if content on a web page is from a
domain on its blacklist. Its Immunize feature can be made resident (actually
it is a BHO to IE called SDhelper.dll). You can configure it to block
content delivered from those blacklisted domains (and can choose that the
block be invisible (no prompt), to prompt you, or to just show an alert
that it blocked it). I'm not quite sure about this feature. If I block it
invisibly then I won't know why a web page is misbehaving. If I have it
alert me then I'm bothered with a bunch of alerts that I might not care
about. If I have it ask me what to do, I get interrupted too often.
Currently I have it ask me but might switch to having it only alert me *if*
the alerts are out of the way instead of in the middle of the page (an alert
that I have to move or close is no different from me having it ask me for an
action because both require an action to get rid of the interfering
dialog).

I have Norton 2003 (its subscription ends in Nov 2005). While NAV 2005
might have added more coverage of spyware (assuming they are not included in
the signature updates), I wouldn't count on it for spyware detection. Get
Spybot *and* Ad-Aware *and* CWShredder. McAfee does better at spyware
detection (but I don't like McAfee due to other problems) as does Kaspersky.
I guess if I wanted better spyware detection then I'd be looking at TDS-3 or
Trojan Hunter. You can Google for some trojan scanner review sites, like
http://www.anti-trojan-software-reviews.com/index.htm (but they don't put
datestamps on their articles so their timeliness of content is unknown,
although there is some indication of when they reviewed a product based on
the datestamp of the trojan list they used which is noted at the end of
their articles). I hear Trojan Hunter is better at detecting root kit
infections (trojans that inject themselves into the OS) and is better at
removing them than TDS-3. Both Trojan Hunter and TDS-3 will scan alternate
data streams (ADS) of files which no anti-virus product does (the on-demand
scanner won't scan the ADS of files but their on-access scanner should
detect when something attempts to load it *if* the av product has a
signature for the nasty that was hidden in the ADS). Spybot doesn't scan
ADS, either, but Ad-Aware SE added that feature.

I've heard recommendations for Process Guard, an intrusion prevention
system, which is made by the same folks as TDS-3. However, for now, I'm
using Prevx Home which is free for personal use. Prevx, Abtrusion, and
System Safety Monitor are intrusion protection systems (IPS). Abtrusion
doesn't have the smarts of SSM regarding it checking if an authorized
program was started by an unauthorized program, I don't feel comfortable
with SSM regarding support and their severely slow servers, and Prevx seems
to have them beat. But if having to answer prompts from your firewall
wasn't enough, and having to answer prompts from Spybot's BHO wasn't enough,
and getting alerts from your anti-virus program regarding intrusions, now
you'll add more prompts from an IPS product asking if a program has
permission to run or access protected resources. Sometimes I end up
dragging the prompts off to the side because I'm right in the middle of
critical work and cannot be interrupted right then. I sure wish they would
learn to use balloon popups from their tray icon that would expire within a
couple seconds and then flash their tray icon to alert you of their status
and pend those operations (and pend whatever process was causing their
trigger) until *I* decided that I can be interrupted to handle whatever they
are bitching about. I'm about to the point where I'm not adding any more
anti-malware software because it is starting to interfere with the use of my
computer. For the typical user, I'd say the following would be sufficient:

- Firewall (NIS, Sygate, Outpost, ZA). Do NOT enable any automated
authorization (like in NIS) but instead require the user to get prompted
when an application wants to make a connection. If an option is available
(as in NAV and Sygate), have it check the process, if any, that might've
started an authorized process so the user knows all are permitted.
- Anti-virus (Kaspersky, NOD32, NAV, McAfee). Make damn sure the on-access
scanner is enabled. Schedule daily update checks or even at 4-hour
intervals.
- Monthly scans using Spybot, Ad-Aware, & CWShredder, or anytime peculiar
behavior is noticed.
- Data-only weekly backups (or more often depending on the user). Make damn
sure the verify option is enabled. Backups are worthless if their data
cannot be retrieved. This will double the time to perform the backup.
Without verification, it's like tossing a frisbee and hoping it comes back
to exactly where you were standing (i.e., without verification, you're
taking a big risk so why bother doing the backup at all?). If the user
doesn't do backups then they have declared that their data is unimportant.
- Drive images after initial setup and before any major change (do NOT rely
on System Restore). Mirroring only provides for hardware disaster recovery,
not to restore the system back to a working snapshot of the system. The
image from the initial setup and periodically should be on media that
doesn't rely on mechanicals, like CD-R[W] or DVD-R[W]. Images saved on hard
drives are susceptible to loss due to mechanical failure whereas removable
media can be inserted into a replacement same-type drive. Intermediate
images can be saved to a hard drive but preferably to a different physical
drive (i.e., not to a different partition on the same physical drive as the
partition getting imaged; if the drive dies, you lose your image).

You'll probably be hard pressed to get a customer to even do all of the
above safety measures. Getting them to then add IDS products and trojan
scanners is pushing it.
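The cookie policy described in the reply above (allow first-party cookies, block third-party cookies, always accept per-session cookies, and on browser exit delete every cookie whose domain is not on a whitelist) can be modelled in a few lines. The following is an added example, not code from the poster, from PopUpCop, or from Internet Explorer; the cookie records and the whitelist are constructed for the illustration, and the domain-matching rule is the usual suffix match on a dot boundary (so "example.com" covers "www.example.com" but not "notexample.com").

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Cookie:
    """A minimal cookie record (constructed for this example)."""
    domain: str      # Domain attribute the server set, e.g. ".example.com"
    page_host: str   # Host of the page being viewed when the cookie arrived
    session: bool    # True when no expiry was given (a per-session cookie)


def domain_matches(host: str, cookie_domain: str) -> bool:
    """True if `host` is `cookie_domain` or a subdomain of it.

    The leading dot is stripped and the suffix check insists on a dot
    boundary, so "evilexample.com" does not match "example.com".
    """
    host = host.lower().lstrip(".")
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def is_first_party(cookie: Cookie) -> bool:
    """A cookie is first-party when its domain covers the page that set it."""
    return domain_matches(cookie.page_host, cookie.domain)


def accept_on_arrival(cookie: Cookie) -> bool:
    """The IE-style setting from the post: first-party allowed, third-party
    blocked, per-session cookies always accepted."""
    if cookie.session:
        return True
    return is_first_party(cookie)


def purge_on_exit(jar: List[Cookie], whitelist: List[str]) -> List[Cookie]:
    """At browser exit keep only cookies whose domain is whitelisted; every
    other cookie is treated as per-session and dropped."""
    return [c for c in jar
            if any(domain_matches(c.domain, w) for w in whitelist)]


def demo() -> List[str]:
    """Run both stages over a constructed browsing session and return the
    domains that survive exit."""
    whitelist = ["forum.example.net"]        # sites whose logins I want kept
    arriving = [
        Cookie(".example.com", "www.example.com", session=False),   # first-party
        Cookie(".adnet.invalid", "www.example.com", session=False), # third-party
        Cookie(".adnet.invalid", "www.example.com", session=True),  # session
        Cookie(".forum.example.net", "forum.example.net", session=False),
    ]
    jar = [c for c in arriving if accept_on_arrival(c)]
    return [c.domain for c in purge_on_exit(jar, whitelist)]


if __name__ == "__main__":
    print(demo())  # ['.forum.example.net']
```

The two stages are deliberately separate: `accept_on_arrival` is what the browser's own cookie settings decide at the moment a cookie is set, while `purge_on_exit` is the add-on behaviour the post credits to PopUpCop, which is what makes external cookie blacklists unnecessary because anything not explicitly whitelisted is discarded regardless of its expiry.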