Computer Security - Antivirus programs for XP - best ones?

 
Old 07-12-2009, 07:32 PM   #1
Default Antivirus programs for XP - best ones?


Here is a post by Stefan Kanthak - the content of which seems
particularly good to me (although it has upset folk elsewhere!)

What views do the experts in *this* group have about Stefan's comments?

Thanks.

"Stefan Kanthak" <postmaster@[127.0.0.1]> wrote in message
news:...

> ALL Anti-somethings are more or less useless, especially since
> they CAN'T protect against new and yet unknown malware. It just needs
> ONE failure and your system is toast. And all Anti-something software
> enlarges the attack surface.
>
> So: set up your OS properly and harden it!
>
> 1. DON'T create user accounts during setup as they will become
> administrative accounts.
> Create "restricted" or "standard" user account(s) after setup and
> use ONLY these accounts for everyday work.
>
> 2. Remove all optional components which installed automatically but
> you don't need.
>
> 3. Turn off all unused services: you won't need File and Printer
> Sharing when you don't have a LAN, and almost never DCOM or RPC.
> See <http://ntsvcfg.de/ntsvcfg_eng.html> for more.
>
> 4. Turn off possibly dangerous functions like AutoRun and AutoPlay!
>
> 5. Turn on Software Restriction Policies a.k.a. SAFER (unfortunately
> XP Home needs the registry to be edited directly) and set the
> default level to "Not allowed" except for the "Administrators"
> (and remove .LNK from the list of executables): this allows
> execution only in %SystemRoot% and below as well as %ProgramFiles%
> and below.
>
> Thus your standard user(s) can only run applications installed
> into paths where they don't have write access, and vice versa.
>
> Additionally consider
>
> <http://blogs.msdn.com/michael_howard/archive/2005/01/31/363985.aspx>
>
> 6. Use a safe(r) browser and MUA/NUA or at least configure both the
> Internet Explorer and Outlook Express/Windows Mail for safety:
> no HTML in mail/news, no ActiveX, no Active Scripting, no picture
> preview, ...
>
> 7. Don't use functions "Remember my password" or autocompletion of
> passwords.
> Turn off transmission of passwords and user credentials in clear
> text!
>
> 8. Don't open (email) attachments you didn't expect, don't open
> files (.PDF, .CHM, ...) from sources you don't or can't trust.
>
> Don't use (the full-featured) Word, Excel and PowerPoint to open
> files you get per mail/floppy/USB or downloaded from the net, but
> use the free-of-charge Word/Excel/PowerPoint viewers. These will
> not run VBA-Code and macros.
>
> 9. Keep your system and ALL installed applications up to date (Microsoft
> Update in automatic mode with "no reboot with users logged on" will
> do a good job for most of Microsoft's applications).
>
> Stefan





~BD~
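A read-only audit of the settings named in item 5 of the quoted list, as an added example that is not part of the original post or of Stefan Kanthak's own tooling. It assumes PowerShell is installed and that the policy is stored under the standard SAFER registry key; the key and value names come from Software Restriction Policies itself, not from the thread, and the function name is hypothetical.

```powershell
# Added example: report how Software Restriction Policies (SAFER) are configured.
# Reads the registry only; it changes nothing.
$Root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SaferAudit {
    param([string]$Path = $Root)

    if (-not (Test-Path $Path)) {
        return 'FAIL: no SAFER policy key; Software Restriction Policies are not configured'
    }
    $p   = Get-ItemProperty -Path $Path
    $out = @()

    # DefaultLevel: 0 = Disallowed ("Not allowed"), 0x40000 = Unrestricted
    if ($p.DefaultLevel -eq 0) { $out += 'OK:   default level is Disallowed' }
    else { $out += ('FAIL: default level is 0x{0:X}, not Disallowed' -f $p.DefaultLevel) }

    # PolicyScope: 0 = all users, 1 = all users except local Administrators
    if ($p.PolicyScope -eq 1) { $out += 'OK:   Administrators exempt, everyone else restricted' }
    else { $out += 'NOTE: policy scope is not "all users except Administrators"' }

    # TransparentEnabled: 0 = not enforced, 1 = all files except DLLs, 2 = all files
    if ($p.TransparentEnabled -eq 0) { $out += 'FAIL: enforcement is switched off' }
    else { $out += "OK:   enforcement level $($p.TransparentEnabled)" }

    # ExecutableTypes: REG_MULTI_SZ list of extensions treated as executable
    if ($p.ExecutableTypes -contains 'LNK') {
        $out += 'NOTE: LNK is still in the designated file types list'
    } else {
        $out += 'OK:   LNK is not treated as an executable type'
    }

    # Unrestricted path rules live under <key>\262144\Paths\{GUID}, value ItemData.
    # With a Disallowed default these are the only places code may run from.
    $rules = Join-Path $Path '262144\Paths'
    if (Test-Path $rules) {
        foreach ($r in Get-ChildItem $rules) {
            $item = (Get-ItemProperty -Path $r.PSPath).ItemData
            $out += "RULE: unrestricted path $item"
        }
    } else {
        $out += 'NOTE: no unrestricted path rules found'
    }
    return $out
}

Get-SaferAudit
```

Each RULE line is a location worth checking for write access by standard users, since the post's argument depends on users being unable to write where they can execute.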
Old 07-13-2009, 08:02 PM   #2
Todd H.
 
Default Re: Antivirus programs for XP - best ones?

I basically agree with everything he says except the first bit which
can be read as a categorical rejection of AV programs. They're
definitely part of a risk management approach, and will catch some
things. I wouldn't have a corporate desktop out there without one,
for instance.

Some AV programs have heuristic-based engines that do a "better than
nothing" job of detecting previously unknown malware doing malware-like
things, so there is a place for them, but it's no silver bullet.

You do have to operate knowing that AV is relatively easy to evade
(via repacking, slightly tweaking existing nastyware, writing custom
nastyware, etc), and that having it doesn't mean you can just go
downloading whatever the hell ya want, or having your [insert any
major login site] web page open while surfing pr0n sites and hoping
there's not a CSRF or XSS issue with the pr0n site that might try to
have some fun with it.

All the other things he mentioned are good practices.

NOD32 isn't a horrible anti-virus. Symantec's corporate product isn't
all that annoying. I haven't seen their Norton line stuff in some
years but boy it was annoying as hell last time I did. Symantec's
engine does a decent job it seems, though.

http://www.av-comparatives.org/ is a useful site. They split
testing into on-demand scanning and proactive protection.




--
Todd H.
http://www.toddh.net/


Todd H.
Old 07-13-2009, 08:14 PM   #3
~BD~
 
Default Re: Antivirus programs for XP - best ones?
Many thanks for your views, Todd.

FYI, I was 'loaned' a copy of the Corporate Symantec product which
seemed to work flawlessly. It was just after I'd mentioned this on the
Aumha forum that 'they' became all funny with me - and shortly after
decided to ban me from their forum.

What if? (No evidence!!) one were to visit their site to have one's
computer 'cleaned' - but, after downloading and running all manner of
software on instruction, one was pronounced 'clean' - but had, in fact,
been co-opted into a huge botnet. How would the average guy or gal know?

Always wondering! <smile>
--
Dave





~BD~
Old 07-13-2009, 10:29 PM   #4
Todd H.
 
Default Re: Antivirus programs for XP - best ones?
"~BD~" <> writes:

> Many thanks for your views, Todd.
>
> FYI, I was 'loaned' a copy of the Corporate Symantec product which
> seemed to work flawlessly. It was just after I'd mentioned this on the
> Aumha forum that 'they' became all funny with me - and shortly after
> decided to ban me from their forum.
>
> What if? (No evidence!!) one were to visit their site to have one's
> computer 'cleaned' - but, after downloading and running all manner of
> software on instruction, one was pronounced 'clean' - but had, in fact,
> been co-opted into a huge botnet. How would the average guy or gal know?
>
> Always wondering! <smile>


It's hard. You'd have to have a baseline of network traffic and
perhaps anomalous traffic would give you a hint. Essentially no one
has that.

When in doubt, fdisk, format, and reinstall from original read-only
media.







Todd H.
Old 07-13-2009, 10:53 PM   #5
~BD~
 
Default Re: Antivirus programs for XP - best ones?

"Todd H." <> wrote in message
news:...
> "~BD~" <> writes:
>
>> Many thanks for your views, Todd.
>>
>> FYI, I was 'loaned' a copy of the Corporate Symantec product which
>> seemed to work flawlessly. It was just after I'd mentioned this on
>> the Aumha forum that 'they' became all funny with me - and shortly
>> after decided to ban me from their forum.
>>
>> What if? (No evidence!!) one were to visit their site to have one's
>> computer 'cleaned' - but, after downloading and running all manner of
>> software on instruction, one was pronounced 'clean' - but had, in
>> fact, been co-opted into a huge botnet. How would the average guy or
>> gal know?
>>
>> Always wondering! <smile>

>
> It's hard. You'd have to have a baseline of network traffic and
> perhaps anomalous traffic would give you a hint. Essentially no one
> has that.
>
> When in doubt, fdisk, format, and reinstall from original read-only
> media.
>


Agreed. Totally!

Consider those who have no clue, Todd.

I once thought I was sharp about 'protection' - yet I got burnt.

Many people I speak to in the real world have no clue about security
matters relating to 'computing' but, even worse, don't seem to care at
all!

Most folk think I'm daft when I suggest that even swopping out a hard
disk for a brand new one might not 'clean' a compromised machine - I'm
still not certain about that! The Police advised me to scrap my PC after
it had been compromised. I did .......... eventually!

Thanks for discussing, Todd.

--
Dave




~BD~