The equivalent thereof would be to have my installation medium infected; something rather uncommon.
Yes, we've had an original Win95 CD that was infected once - but the chance of an infection is kinda "low"; at that point a scanner hardly helps, and there is never a 100% guarantee.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
Eddy Vluggen wrote: there is never a 100% guarantee
This is the life we chose, the life we lead. And there is only one guarantee: none of us will see ~~heaven~~ their computer completely free of unwanted sh*t.
Spoiler alert:
"Inside Man"
Does the house even exist if you're not there though?
How do you know so much about swallows? Well, you have to know these things when you're a king, you know.
modified 31-Aug-21 21:01pm.
Eddy Vluggen wrote: And in ~~large~~ ALL companies there is always a manager that opens the executable.
FTFY
Eddy Vluggen wrote: No, haven't used a scanner in 10 years. Haven't had a virus either.
Yeah, I never crashed my car, but I will always use my seatbelt. Better safe than sorry.
To alcohol! The cause of, and solution to, all of life's problems - Homer Simpson
Our heads are round so our thoughts can change direction - Francis Picabia
AV is not a seatbelt, we already established that.
You wait until you are infected; your choice, your consequences. I prefer not to get infected at all.
This is where the thread ends, as it is useless to repeat the same statements.
--edit
I was not paying enough attention, I assumed I was replying to the car-thread.
Go ask your doctor; is it better to check for STDs once a week, or is it safer to not have unsafe sex? Neither is a guarantee; but which would feel as "safe", and which as "sorry"?
If you are already infected, then the AV results might not be very trustworthy.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
Eddy Vluggen wrote: AV is not a seatbelt, we already established that.
I never said it was, we're talking about an analogy.
Eddy Vluggen wrote: Go ask your doctor; is it better to check for STD's once a week, or is it safer to not have unsafe sex? Neither is a guarantee; but which would feel as "safe", and which as "sorry"?
Agree, but as in my analogy, it's not because you drive safe that you're free from suffering an accident, the same way as browsing safe does not free you from suffering an attack. The AV seatbelt acts like an antivirus, to save you from situations you cannot control. You can't possibly think you can control all scenarios. You can get infected even for browsing here on Code Project, which could have been targeted with a silent attack by hackers who exploit a 0-day flaw in the browser JavaScript engine.
As with the seatbelt, you have much better chances of survival if you use an AV.
Eddy Vluggen wrote: If you are already infected, then the AV results might not be very trustworthy.
That's why it's the first thing I do when I set up an OS. And the seatbelt is the first thing I take care of when I get in my car. It's not a guarantee but it surely makes it safer.
To alcohol! The cause of, and solution to, all of life's problems - Homer Simpson
Our heads are round so our thoughts can change direction - Francis Picabia
modified 2-Sep-15 13:05pm.
Fabio Franco wrote: I never said it was, we're talking about an analogy.
No, the seatbelt is not an analogy for an antivirus. The browser is merely one point of entry, and I do not consider a browser toolbar a virus. It may be malware, but it does not replicate and infect files; it will not propagate over the network.
Fabio Franco wrote: it's not because you drive safe that you're free from suffering an accident, the same way as browsing safe does not free you from suffering an attack.
The seatbelt is protection that only helps once things have already gone wrong; you could be dead and wearing the seatbelt.
Fabio Franco wrote: As with the seatbelt, you have much better chances of survival if use an AV.
Even more if you install five different products. Still, you're already in an accident. What you are proposing is damage control.
Fabio Franco wrote: You can't possibly think you can control all scenarios
I never claimed I did; nor can the AV claim the same thing. To be fair, I added the claim at the end of this post.
Fabio Franco wrote: could have been targeted with a silent attack by hackers which explores a 0day flaw
Most viruses are not based on new exploits. Don't need to, most machines aren't that up to date either, and the most commonly targeted is not the system, but the user - there is your prime vulnerability. The bluddy manager that simply has to open the "Pamela.exe" attachment.
As for the AV, most of them can be killed from code. Meaning that if you need to invoke your seatbelt, you will feel the Windows. Now try running the restore command on the infected and half-corrupted backup.
Fabio Franco wrote: with a silent attack by hackers
Most viruses operate autonomously, and are not specifically designed by a hacker for a single target. Hackers and virii are different things, with different attack vectors.
Now, I said that there is never a 100% guarantee; but in all arrogance, I don't need to think of every scenario, I can prevent some scenarios altogether. Protecting a network is quite different from writing an AV and catering for every possible version of Windows out there, with different service packs and various levels of patching. If you want the 100% guarantee it will become rather expensive though; it means checking a whole lotta code before we can compile a kernel, and means that all cables will be superglued to the system to prevent stuff from coming in or going out.
My first infection was BGS9, still have it on disk but I don't have any hardware that still supports it. What was yours?
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
Eddy Vluggen wrote: I do not consider a browser-toolbar a virus.
Remote execution from a JavaScript vulnerability in your browser can infect you with a virus. The JavaScript attack takes advantage of the browser privileges to inject a virus into an executable, therefore infecting the target machine.
Eddy Vluggen wrote: The seatbelt is protection that only helps once things have already gone wrong; you could be dead and wearing the seatbelt.
Yes, the same as if you navigated to a site that was target of an attack (and didn't know it) the damage is done, you already got screwed. If you have an AV it may and it may not prevent your infection. If you use a seatbelt it may or may not prevent your death. Odds are... I don't need to explain.
Eddy Vluggen wrote: Most virusses are not based on new exploits. Don't need to, most machines aren't that up to date either, and the most commonly targetted is not the system, but the user - there is your prime vulnerability. The bluddy manager that simply has to open the "Pamela.exe" attachment.
Of course, but are not limited to. That's where driving safe and browsing safe comes in.
Eddy Vluggen wrote: As for the AV, most of them can be killed from code. Meaning that if you need to invoke your seatbelt, you will feel the Windows. Now try running the restore-command on the infected and half-corrupted backup.
Not really, they require elevated privileges to be killed, which most attacks don't originally have. If it's from a browser, it does not have elevated privileges; if it's from an executable, it will require your permission. In this case, the Pamela.exe fits pretty well. But still, they are caught before they get to execute code, if their signature is identified.
My point is, those of us who are tech savvy are still vulnerable to non-trivial attacks, and even good drivers are vulnerable to accidents. We use protection to minimize the damage. I lost a couple of friends because they failed to acknowledge the importance of the seatbelt. And to me the AV is important to safeguard our digital property. Does it mean that all the friends I have will die for not using a seatbelt? No, but to me it's just plain negligent to not use one. As it is not to use an AV.
Eddy Vluggen wrote: Now, I said that there is never a 100% guarantee;
Nothing is 100%
Eddy Vluggen wrote: My first infection was BGS9, still have it on disk but I don't have any hardware that still supports it. What was yours?
I can't possibly remember the virus' name, I was too young (about 10 years old). I remember the sound it played when I executed the file from a 5 1/4 floppy disk on MS DOS. It played some watery sound (yes, I had a sound card on my 33MHz x286), output some joke text on the screen, then every time I would boot to DOS it would play again then return to the command line. All other executable files did the same. That was over 20 years ago.
To alcohol! The cause of, and solution to, all of life's problems - Homer Simpson
Our heads are round so our thoughts can change direction - Francis Picabia
Eddy Vluggen wrote: always a manager that opens the executable
Every browser has had 0-day vulnerabilities, where just browsing to a website with clever Javascript can compromise your computer. That script could be shown on almost any website, not just "bad" websites, as a lot of hackers use advertising networks to spread this script and it can show up on anyone's site that displays ads. The most clever viruses are ones that you will never notice you got and have low impact on your PC so you will never notice them running. Kinda like the HPV sexually transmitted disease of the computer world. That's why HPV is so prevalent.
How do you *know* you don't have a virus running right now with a keylogger that waits for sequences of keys that appear to look like a credit card and sends them off? You don't sit there monitoring WinPCap constantly, you don't actually believe that checking WinPCap once in a while means you don't have a virus do you?
Look in your running processes list right now. How many rundll processes are running right now? Do you have any idea what dll's each rundll is running? When is the last time you checked? Do you maintain a list of which ones are actual system processes and which one your newest piece of software installed? How do you know that clever browser script didn't replace a system DLL with one that works just as well but also contains the infected code?
As someone who may have dabbled in the black-hat side of things a long time ago, I promise you that without an integrated pre-emptive AV scanner installed, it is *impossible* to know what is being compromised on your PC right now. Even if you do a complete file scan once in a while, there are very easy ways to conceal a virus from static file scans that many viruses employ.
In the last 6 months or so, I've had my AV catch drive-by javascript exploit attempts twice. Before a browser runs any scripts, those are run through the AV. Just that right there is reason enough, even if you don't believe anything I just wrote.
Mike Marynowski wrote: Every browser has had 0-day vulnerabilities
You worry about your browser. I worry about Skype displaying their Flash ad in a little browser in the chat application. It is an open window, every friggin' WebBrowser component is a potential security risk, and when they run I wanna know what they load, and they will not load anything from a blacklisted domain.
Mike Marynowski wrote: The most clever viruses are ones that you will never notice you got and have low impact on your PC so you will never notice them running.
Yes; but unless their mere existence is an academic effort in propagation, they will have a purpose and attack one of the files, altering it (changing a fingerprint) or try to communicate (hello firewall).
Mike Marynowski wrote: You don't sit there monitoring WinPCap constantly, you don't actually believe that checking WinPCap once in a while means you don't have a virus do you?
No, nor do I monitor it manually. Still, WinPCap is there for the same reason as an AV, to monitor my success at not getting infected.
Mike Marynowski wrote: Look in your running processes list right now. How many rundll processes are running right now?
..aight, right click on the column names, add "startup path". Happy hunting. And yes, it is the kind of thing you do if you think it is important. Do you run any code you come across?
Mike Marynowski wrote: How do you know that clever browser script didn't replace a system DLL with one that works just as well but also contains the infected code?
A browser script does not have enough rights to do anything that requires admin privileges. That also happens to be the default on modern Windows machines. Since add-ins for the browser used to run under the user's credentials, that was a nice entry point too. Things like sandboxing have become the norm. ActiveX has to ask for certain privileges.
OTOH, it is rather a cheap distribution channel for malware, and there are enough people that will grant those rights to any add-in. They can do so, because the settings allow them to do so. In your case, I'd delete your browser and install the Lynx browser. Try and run some Silverlight in there.
Mike Marynowski wrote: As someone who may have dabbed in the black-hat side of things a long time ago, I promise you that without an integrated pre-emptive AV scanner installed, it is *impossible* to know what is being compromised on your PC right now.
I had to give that guarantee to professional software, and did.
As long as one is admin, one has complete control over what happens in the system. If it weren't so, we would have DRM. There is your other side of the coin - I can attach a debugger to any process.
Mike Marynowski wrote: In the last 6 months or so, I've had my AV catch drive-by javascript exploit attempts twice
The machine I guaranteed does not allow for JavaScript. You can't have safe elephanting without protection.
So no, not the setup for the average user, as those already freak out if a cookie cannot be set. Imagine that, browser games would refuse to run, without cookies, Silverlight and Flash. Ain't policies involving proxies great?
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
You have a very naive view of security if you think you are safe using the above practices you just outlined. You just aren't for all the reasons I mentioned that you haven't actually rebutted. I'm not saying you *ARE* infected, I'm saying there is a statistically significant probability that you are and you have no way of knowing given your current practices.
Sorry, I meant svchost not rundll - "command line" usually won't tell you anything of importance for svc-hosted processes running, especially concealed viruses. Tracking svchost processes is notoriously difficult.
With regards to Javascript not having admin rights - no, normally it doesn't, that's why they are called "0-day *VULNERABILITIES*" - i.e. bugs in the browsers that grant JS full admin privileges without requiring UAC or anything else to intervene. Have you not heard of 0-day vulnerabilities? You actually browse the web with no Javascript enabled all the time? That's pretty excessive these days. Half the sites on the net don't work without Javascript anymore. You will be safer with a good free virus scanner than all your practices combined, and avoid all this hassle you are putting yourself through.
Even if you *can* manually check, which you actually can't with a cleverly programmed virus, but let's pretend there is a way to do it, like checking task manager command line - do you? No, you don't.
Please explain how you use WinPCap to regularly check if you are infected. I fail to see how this will help you in any way. You know that clever viruses hide themselves when commonly used detection and analysis tools are executed by the user, right?
Mike Marynowski wrote: Tracking svchost processes is notoriously difficult.
If you look at the task manager without the startup command, and being able to identify it, yes. Not something from JavaScript.
Mike Marynowski wrote: You actually browse the web with no Javascript enabled all the time?
No, I have a dummy for browsing and playing, and a dev machine that is not connected. Still, the dummy is reasonably protected. From a security perspective it is an interesting experiment to run anything Windows attached to the internet.
Mike Marynowski wrote: That's pretty excessive these days
Is it?
With ads beyond my control being loaded into some add-in running in userspace, from some unknown low-paying source?
I have two browsers on the dummy; one for CP and Gmail, one for 'other stuff' like banking, keeping up with news, MSDN, the like - it does not even allow pictures to load that are hosted on another domain. It is too easy to generate a pixel from ASP.NET and to track someone. I did not consent to that pixel, I'm European. Parliament has still to decide on tracking pixels, they just did cookies.
Mike Marynowski wrote: Have you not heard of 0-day vulnerabilities?
Yes. Enjoy[^].
Mike Marynowski wrote: You know that clever viruses hide themselves when commonly used detection and analysis tools are executed by the user, right?
Yes, and that you cannot check on Windows whether a software keylogger has been installed. What, is your user an admin?
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
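The svchost question raised in the exchange above (which services does each svchost.exe host, and is that binary the one it claims to be) can be answered without guesswork from an elevated PowerShell. This is an added example, not code from either poster; it assumes a stock Windows layout where the genuine binary lives under System32 and carries a valid Authenticode (catalog) signature.

```powershell
# Added example (not from the thread): map every svchost.exe process to the
# services it hosts and flag anything running from an unexpected path or with
# an untrusted Authenticode signature. Read-only; run in an elevated PowerShell.
$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Services grouped by the PID that hosts them; shared-process services share a PID.
$servicesByPid = Get-CimInstance Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    Group-Object -Property ProcessId -AsHashTable -AsString

$report = foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    $path   = $proc.Path                          # $null when access is denied
    $hosted = $servicesByPid["$($proc.Id)"]       # services registered to this PID
    $sig    = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    [pscustomobject]@{
        PID         = $proc.Id
        Path        = $path
        PathOk      = [bool]($path -and ($path -ieq $expectedPath))
        SignatureOk = [bool]($sig -and $sig.Status -eq 'Valid')
        Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Services    = (@($hosted) | ForEach-Object { $_.Name }) -join ','
        # An svchost.exe that hosts no registered service deserves a closer look.
        Orphaned    = (-not $hosted)
    }
}

$report | Sort-Object PID | Format-Table -AutoSize
"`nEntries worth investigating:"
$report | Where-Object { -not $_.PathOk -or -not $_.SignatureOk -or $_.Orphaned } | Format-List
```

Task Manager's "command line" column shows only the `-k` group name; the service-to-PID mapping above is what lets you tell a legitimate shared host from an unknown binary reusing the name.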
Eddy Vluggen wrote: Especially large companies would come under fire if they lost all their data over an old and outdated virus.
Right, so they have to make sure that they have a good, up-to-date anti-virus program to blame it on when they lose all their data. Anti-virus companies mainly sell CYA to enterprises, they have to have it whether it does the job or not.
Eddy Vluggen wrote: there is always a manager that opens the executable.
Of course, it's right there in the policy manual. So nothing to worry about, the buck stops at middle management.
I don't use anti-virus at home, because I generally know what I'm doing, plus I mainly use those boxes for gaming and need the performance. I do keep my boxes updated and do ad-hoc scans once in a while, but no real-time scanning. I've gotten a couple of viruses in the past, but they weren't nearly as bad as having an anti-virus program running in the background.
My main concern at this point is what kind of data-collecting malware MS wants to install on my computer without my knowledge or consent. My Win7 machines aren't even safe from this anymore, I do not like where this is going.
I use AV because it works. Unless you have a totally left-field OS which is not targeted by hackers, spammers and phishers, you are a fool not to protect your data. Every popular OS - Apple, *nix, Win - is being targeted and not having a decent defense in place will result in a breach. If you're lucky you'll lose all your data, if you're not then it'll be all your money as well.
Go on, choose.
veni bibi saltavi
If you need to scan to see whether something is infected, you are already behind the curve and at risk.
Update your hosts file, check the startup folder, turn on UAC and DEP.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
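The four hygiene items in the post above can be checked in one pass. The script below is an added example, not the poster's own, and assumes a standard Windows install (hosts file under System32\drivers\etc, the usual Startup folders and Run keys, UAC policy under HKLM Policies\System); run it from an elevated PowerShell so every location is readable.

```powershell
# Added example (not from the thread): read-only audit of hosts file entries,
# autorun locations, UAC state and the DEP policy. Nothing is modified.

function Get-HostsEntries {
    # Every non-comment line; anything beyond localhost mappings redirects a
    # hostname to an address somebody chose for you, so it should be recognised.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts | Where-Object { $_ -match '^\s*[^#\s]' } |
        ForEach-Object { $_.Trim() -replace '\s+', ' ' }
}

function Get-StartupItems {
    # Per-user and all-users Startup folders, plus the classic Run keys.
    $folders = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
    foreach ($f in $folders) {
        Get-ChildItem -Path $f -File -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Source = $f; Name = $_.Name; Command = $_.FullName } }
    }
    $runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($props) {
            $props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |   # skip PowerShell's own metadata properties
                ForEach-Object { [pscustomobject]@{ Source = $k; Name = $_.Name; Command = $_.Value } }
        }
    }
}

function Test-UacEnabled {
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # EnableLUA=1 turns UAC on; ConsentPromptBehaviorAdmin=0 means "elevate silently",
    # which defeats the purpose even though UAC is nominally enabled.
    ($sys.EnableLUA -eq 1) -and ($sys.ConsentPromptBehaviorAdmin -ne 0)
}

function Get-DepPolicy {
    # 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (Windows components only), 3 OptOut (everything).
    $policy = (Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    @{0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut'}[[int]$policy]
}

'hosts file entries:';  Get-HostsEntries
"`nstartup items:";     Get-StartupItems | Format-Table -AutoSize
"`nUAC effective: $(Test-UacEnabled)"
"DEP policy:    $(Get-DepPolicy)"
```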
My AV is set to scan every morning at 2 am and it's set to automatically remove threats.
If it's not broken, fix it until it is
If there's software running as admin, then your AV might be gone in the morning.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
Wrong, the AV and firewall are there in addition to managing access into [and out of] the machine. With kids it is easier to have the AV nannying in the background than it is to keep cleaning the shyte off their machines.
veni bibi saltavi
Eddy Vluggen wrote: If you need to scan to see whether something is infected, you are already behind the curve and at risk.
Show me someone who claims they aren't behind the curve and I'll show you an up-and-coming victim.
There isn't one guy on the planet who can plan today against every current and future threat out there. We pass this responsibility onto other teams (anti-virus software companies) so that we can get on with our day-to-day jobs.
How do you know so much about swallows? Well, you have to know these things when you're a king, you know.
modified 31-Aug-21 21:01pm.
Brent Jenkins wrote: Show me someone who claims they aren't behind the curve and I'll show you an up and coming victim..
I am rather paranoid about my computer; the victim is the one that believes he is protected when he is not protected enough.
Brent Jenkins wrote: There isn't one guy on the planet who can plan today against every current and future threat out there.
I do not have to; I merely need to be able to control what is on my machine.
Brent Jenkins wrote: We pass this responsibility onto other teams
That is your choice. "We" don't - if you want something done well, you (learn to) do it yourself.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
Even though you think that you have your machine covered, you don't.
Companies like Kaspersky, McAfee, Symantec, and the like all have teams of hundreds (if not more) of guys working on dealing with security threats every hour of every day.
No matter how good you may be, you simply can't match that. And even with all of their resources, they slip up pretty often too.
Still, it's your machine, so your choice.
How do you know so much about swallows? Well, you have to know these things when you're a king, you know.
modified 31-Aug-21 21:01pm.
Brent Jenkins wrote: Even though you think that you have you machine covered, you don't.
Again, 100% coverage is not realistic. No AV claims that percentage.
Brent Jenkins wrote: Companies like Kaspersky, McAfee, Symantec, and the like all have teams of hundreds (if not more) of guys working on dealing with security threats every hour of every day.
No, not with security in general, but with detecting malicious code.
If you have malicious code on your machine, then who is going to guarantee the integrity of the scanner itself?
Brent Jenkins wrote: No matter how good you may be, you simply can't match that.
Learning to protect your machine is not the same as knowing every virus and making a living out of that. I'm preaching hygiene; not claiming to be better than the doctor - but with sufficient hygiene, you will visit your doctor somewhat less often.
Brent Jenkins wrote: And even with all of their resources, they slip up pretty often too.
So, no, I am not going to trust some application to clean up after me.
Sorry, I am not buying the idea that simply installing an AV suite is actually safer than thinking about your machine, consequences and risks. On the contrary; someone who relies on others tends to be less careful in other areas.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]