What's the best way to protect W2k/XP from trojans? Considering amount
of
IE
vulnerabilities, this question seems relevant to me.
Most viruses and trojans don't bother to use any IE vulnerabilities or
vulnerabilities at all, and I don't believe IE is the most common method for
them to enter the PC either.
The best way is to use antivirus software configured to download the latest
updates every week or so automatically, as well as personal firewall
software or other kind of firewall that monitors outbound connections and
tells you which executable is generating them.
www.kerio.com and
www.sygate.com are free firewalls,
www.grisoft.com is free antivirus.
Most trojans BTW fade out very quickly by themselves [unless they have the
ability to replicate, in which case they are really part of a virus or worm,
or unless someone is able to install the trojan as part of a web site or
software package].
In particular, is it practical to run Windows using low-privilege (Users
group) account?
It may be a good idea to do so for OTHER reasons. But my two cents, this
step would protected you from few if any of the trojans out there. User
permissions is not very effective anti-virus or anti-trojan. If you choose
to do this, do it for other reasons as well, such as if you want to control
what the USERS can do or install to their computers... and be prepared for a
possible increase in support help phone calls.
Do note two things: if the users are in the local Administrators group,
they can undo anything you can do to try to control them. And, no matter
what you do, it does make sense to try to control access to certain key
executables such as CMD.EXE and TFTP.EXE and FTP.EXE using permissions.
[Although you would also probably want to remove the System permission for
those executables as well... and if those files are replaced by a future
patch or service pack, the permissions might be reset.] These files are
accessible to ordinary users and Trojans by default [though a trojan could
theoretically contain its own TFTP functionality anyways]. A list of the
executable files you should consider protecting in this way can be found in
www.google.com or
www.microsoft.com/technet/security
It is true that running as a normal User prevents may prevent programs from
making themselve start up again when the computer reboots, by preventing
writes to the Run value in the registry and possibly the Startup folders
under \Documents and Settings\. It won't prevent the trojan from being
downloaded by, say, a web browser and being run in the first place, nor
would it prevent a combination trojan / worm or trojan / virus from then
attacking other computers. In this instance, a reboot would prevent the
trojan / worm / virus from reloading itself automatically when Windows
reboots, but in the case of something like Welchia, the computer gets
re-infected soon after reboot from the other infected computers on the
network, so in such a case you gained little.
Is it practical to disable write access to directories other than My
Documents for that user account?
Will it prevent trojans from being installed?
Will utilities, for example Norton Antivirus work under those
conditions?
Ditto. If the user can browse the internet, then a trojan can save itself
and run.
