
Thread: I have received a number of viruses recently and ZA's Ove...

  1. #1
    tough Guest

    I have received a number of viruses recently and ZA's Ove...

    I have received a number of viruses recently and ZA's Overview panel indicates "You are protected. No action is required."
    I had to have a Dell technician remotely clean up my system (not cheap) using a variety of programs; apparently ZISS did not do the job that was required.
    What is required to completely remove all malware short of reformatting the hard drive and/or reinstalling Windows?
    Note: I am extremely prudent about what email, websites, etc. I open, so is there a bulletproof solution to prevent malware from intruding, or should I just stay off the internet?

    Operating System:Windows XP Pro
    Software Version:8.0
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    Join Date
    Dec 2005
    Posts
    9,057

    Re: I have received a number of viruses recently and ZA's Ove...

    tough wrote:
    > I have received a number of viruses recently and ZA's Overview panel indicates "You are protected. No action is required."
    > I had to have a Dell technician remotely clean up my system (not cheap) using a variety of programs; apparently ZISS did not do the job that was required.
    > What is required to completely remove all malware short of reformatting the hard drive and/or reinstalling Windows?
    > Note: I am extremely prudent about what email, websites, etc. I open, so is there a bulletproof solution to prevent malware from intruding, or should I just stay off the internet?
    >
    > Operating System: Windows XP Pro
    > Software Version: 8.0
    > Product Name: ZoneAlarm Internet Security Suite

    "ZA's Overview panel indicates 'You are protected. No action is required.'" indicates that ZA is updated and running resident.
    Both are important for providing security. The firewall on and the antivirus updated and active are required for proper security.

    To personally believe that the security suite, or any security suite from any security vendor for that matter, or any antivirus of any kind will keep the Windows "fully protected and secure" really is an advertising pitch by all and almost any security vendor.
    The merit of the ZAISS is the ZoneAlarm firewall and the included Kaspersky antivirus scanner. Both are top notch in their field and highly respected for the firewalling and the antiviral solution. Combined together they create a formidable combination.
    But no antivirus is perfect - no matter how it is pitched to the consumer using scare tactics or ultimate reassurances of the complete protection of the product that the consumer must have to be completely secure.
    Almost all antivirus testing and grading is done with some large number of viruses, worms, trojans, malware, adware, spyware and such, all numbering in the hundreds of thousands in the testing labs. Truth be told - there are millions of possible malware in total that most antiviruses never even see or get used in the tests.
    The average to the most excellent antivirus all detect the most common or most seen malware - something exotic and off the edge from the usual detections will be missed by the antivirus scanner. This is nothing new and I seriously doubt this is ever going to change any time in the future.
    Plus some antiviruses purposely omit certain detections - infections from some malware which the computer user should never be attempting to install in the first place. The main reason being - the antivirus vendor deems users should not be installing cracks, using key gens, using cracked Windows, and other illegal activities. So often they omit these in the detections.
    Logic dictates that if the user will be doing something illegal, then why protect the user from their own illegal activities.

    Often is heard, "Oh, first I used antivirus A and got infected, and then antivirus B and got infected, and so forth, until using antivirus F keeps my Windows clean and secure."
    The user clearly believes that the antivirus F product is truly the superior antivirus over the preceding A-E antivirus scanners.
    Probably when the user first used antivirus A, the user was a complete new user and knew nothing, and as the user progressed until antivirus F, the user became more experienced and finally stopped making the erroneous mistakes. At last that user learnt not to infect the Windows any more.
    The actual exact quality of the antivirus scanner in its detections and removal abilities has little to do with its prevention/removal abilities if the user stopped acting irresponsibly and finally learnt not to infect any more through the user's own errors or with lapses in personal judgement and computer security.

    Three basic security tenets:
    1). Always use strong passwords.
    2). Always run and update the antivirus scanner.
    3). Always patch and fully update the software and the operating system.

    AND the three unspoken tenets of basic security:

    4). Always use the operating system in the limited or standard user account. Not the Administrative or full privileges user account!

    No changes or unwanted installs can be made to the Windows if the limited user account is used for the day to day uses and needs. This includes prevention or safety from toolbars, browser BHOs and .dlls, most rootkits, almost all adware and CWS, most trojans and spyware, changes to the regular search engine and home page, changes to the Windows files, attacks onto the supported programs and applications and so forth.
    Plus using the limited user accounts does not cost anything and does not require any updates or additional computer resources.
    In addition, most of the vulnerabilities of the Windows operating system are eliminated by using the limited user account. Whereas in contrast, using the Windows in the full administrative account leaves the operating system wide open to attacks of any kind and unwanted installs and changes.

    5). Always practise "safe hex".
    And this includes using some common sense!
    This requires an open mind to listen and learn new things and approaches to better security habits and practises when using the keyboard and mouse in front of the desktop.
    But it is really not that hard to understand or learn.
    It does improve with experience and practise.
    Some basic ideas for safe hex:
    Always NEVER open unsolicited emails and attachments.
    Always NEVER install programs and files from unsafe web sites and unknown media.
    Always first scan the newly downloaded files and any media files before opening or executing these new programs and files.
    Always have the guest or friend or spouse or children borrowing the computer set up in their own limited user account and never in an administrative account.
    Always set the email client to show only plain text and never open the emails by default - only show the listing and then decide if the email should be spammed/junked or opened.

    6). Always secure the browser that is preferred or most frequented.
    This includes using the security zones to allow and block scripts such as VBScript or JavaScript, ActiveX, iframes, Java, ads and banners and animated gifs, cookies, MIME type objects and so forth.
    These are all possible exploits when browsing the web.
    Simply disallowing these will prevent most online web browsing infections - either prevent properly in the ZoneAlarm's Privacy or in the browser itself.

    And never install directly from the web - and use some street smarts when browsing. There are far too many tricksters and hucksters on the web - both on the safe sites and on the risky sites.

    Do not click everything in sight and be very wary of installing some new activeX or CodeC or some "you got to have this toolbar" or some strange popup demanding/informing of some needed scanner, product, great site you got to see, must see video, etc. Be wary of such things at all times.


    Always use the mouse hover over the new link or video to be viewed and take a good look at the URL and if there is an included file extension - if the video ends with a .exe or the URL ends with a .exe, then what was promised is not what is going to happen. Instead you are being lured into executing a very possibly malicious file and self-infecting your own computer.
    Always obey the antivirus scanner's alerts when browsing - never ignore its warning of a malicious iframe or JavaScript in the browser cache or that the file is a possible exploit.
    Always obey the firewall alerts for component and program activities and of course the new network connections - this could be a sign of malware activity.

    End of sermon.

    Myself, I use Opera instead of the Internet Explorer for browsing.
    First of all, the Internet Explorer is directly tied into the operating system - this leads to serious possible online infections going directly into the bowels of the operating system.
    Whereas the alternative browsers such as Firefox and Opera are not part of the operating system in the same way as the Internet Explorer. They are added on to the operating system, not part of the Windows.
    All of the DCOM and OLE exploits and many of the operating system's vulnerabilities are not exposed in the alternative browsers - these exploits are all aimed directly at the Internet Explorer. Many of these browser leak tests and hypothetical vulnerability tests are aimed directly at the Internet Explorer - and these same tests or possible exploits fail when using the alternative browsers such as Firefox or Opera.
    Furthermore neither Firefox nor Opera use or allow any ActiveX or VBScript - this is strictly an Internet Explorer feature and by not using ActiveX and VBScript, there are two less security holes to be concerned about.

    Secondly, it is very simple to set up the preferred sites with the allowed/needed web content in the Site Preferences inside of the Opera and block all of the unwanted content globally for all other web browsing.
    Hence any iframes or Java or javascripts are easily blocked off and this alone greatly enhances security.
    Firefox does similar things with the security zones (similar to the Internet Explorer) and with additional addons and extensions.

    Use the ZoneAlarm's Privacy to your advantage - it does prevent downloading unwanted and possible malicious web content onto the hard drive. It is there to help - use this to your advantage - allow the needed content for the needed/wanted sites and then block everything else for the rest of the web and internet.

    Oldsod.

    Forgot to mention - I do not use any other antispyware or antitrojan or any antimalware scanners other than a basic and good antivirus scanner. Fully updated and running resident.
    Along with the ZA Pro 5.5 firewall for the software firewalling.
    I have not had any infection in many years - and the need for an antispyware scanner really does not exist if using the right approaches and methods. Plus most modern antiviruses detect most of the adware/spyware along with the usual viruses, worms and trojans.
    And of course a hardware firewall (three actually, but one will suffice) and Privoxy.
    But I should mention the ZA Pro is customized and fully configured well above what the average ZA user would set up for themselves.
    And I frequent many infected and malicious web sites on an almost daily basis, and do frequent the wild and dangerous web. The Windows has never got an infection in many years - it really comes down to some knowledge and precautions to prevent the web exploits.

    Oldsod.

    Message Edited by Oldsod on 02-11-2009 01:30 AM
    Best regards.
    oldsod

  3. #3
    findley Guest

    Re: I have received a number of viruses recently and ZA's Ove...

    Oldsod,
    First, I guess I need to say I'm not hijacking here - just want to complement you.
    This post is awesome - I'm a long-time reader of your posts and want to thank you for all the time, effort, and knowledge you always
    share with both the original poster and all of us "lurkers/readers."
    Best regards, Findley

  4. #4
    tough Guest

    Re: I have received a number of viruses recently and ZA's Ove...

    Thank you for your help on this and although I fairly understand what you say and try to adhere to the tenets mentioned, there are some finer technical aspects that I am not aware of.
    Is there any reading material you can recommend that will address setting up a system such as you outlined below?

  5. #5
    Join Date
    Dec 2005
    Posts
    9,057

    Firewalls

    FIREWALLS

    General advice for the firewall is simple - use a hardware firewall (router or NAT-able DSL modem or perhaps even a dedicated gateway) and use a software firewall on the desktop or workstation; for the general consumer or home user.
    Keep both the router firmware and software firewall updated at all times.

    Set the router and software firewall to the optimum security settings and always make sure these are running at all times.

    Some basic suggestions for securing the router:
    1). Lock in the assigned IP for the computer with the MAC (and then lock in the assigned IP and the gateway IP in the Properties of the network device in Windows and then disable the DHCP and DNS client services in Windows).
    2). Disable the UPnP and the Reply to Pings if these are not needed for network devices on the LAN and the latter for using certain server programs such as a VPN, P2P, Skype, etc.
    3). Use a dedicated computer in a DMZ on the router instead of opening ports globally for all of the local area networked devices and computers. This moves the risk to only one dedicated computer instead of allowing exposed or open ports to the entire LAN.
    4). Change the default password and logon account in the router. Using just several default passwords and account names to hack a router by dedicated war drivers or unwanted attackers at home is simple and easy - this is easily thwarted by changing the default password and login.
    5). Use the WEP and WAP features of the router and use the wireless encryption to deter unwanted listening and obtaining the transmitted packets and of course the private information contained in those packets.

    Some basic suggestions for the software firewall:
    1). Never allow internet server unless the Program is safe and recognized as secure. Always keep the operating system or the Program involved fully updated or patched and properly secured at all times. Server for the internet translates into an open port facing directly to the internet - fully updated programs and operating systems reduce the involved risks.
    2). Access to the network or internet from the usual Temp folders or Internet folder or even from the root of the drive can be innocent if installing or updating at that exact moment in time. But these network attempts occurring when doing some casual browsing or reading of emails are a definite sign of some malware attempt. Always respond properly to the firewall alerts at all times. The firewall logs have exact records of the preceding events for forgotten or missed details.
    Then immediately block the unwanted rogue connecting IP(s) or block the unusual port activity in the firewall - this is exactly what a software firewall was specifically designed for in the first place.
    3). Unusual program access and any unusual component network activity or system activity should be immediately investigated. Do not ignore these.
    Both the parent and child processes and the corresponding components are closely monitored by the Zone Alarm firewall.
    Any unusual or odd event is a possible sign of malware.
    By default the ZA will either Ask or Deny depending entirely on the Program Control settings determined by that individual user. Not a default allow all, but either deny or ask.
    4). Rogue DNS and DHCP connections can be easily defended by properly entering the correct DHCP and DNS into the Zones of the Firewall of the ZoneAlarm. Any new and unwanted DHCP or DNS connections will be immediately questioned by the ZoneAlarm - you will see a new network alert, or more than likely just an alert asking for a DHCP connection to the remote port 67 by UDP or a DNS connection to the remote port 53 by UDP of the possible rogue servers.
    Only the known and correct DNS and DHCP servers should be allowed and used at all times.
    5). Look at unusual or suspect port activity. The usual local email ports going to the remote HTTP and HTTPS ports is a sign of malware doing spam. So is any extra remote email port connection. Any unwanted connection attempts to the IRC ports are a sign of an IRC trojan or malware or "bots" with C & C (command and control). So are any unwanted server attempts for the IRC ports.
    Worms tend to use the usual DCOM and NetBIOS ports, but they will often use other ports as well - always be on the alert when perusing the firewall logs.
    Many specific trojans have very specific ports associated with themselves - both remote and local ports. This is nothing new and easily seen in the firewall Alerts and in the firewall Logs.

    The newer breed of bots' C and C and similar trojans will use some unusual or not normally used ports, but this is not always true.
    Instead they will use port 80, but these will not use the correct HTTP for port 80. Also these will use port 443, but again not obeying the correct HTTPS for port 443. In both cases the packets sent by the malware will be encrypted and thus unreadable by the firewall.
    But the firewall will log the actual port activity and the involved remote IPs. If the ports in question are used when they should not be operating and the remote IPs seem suspect, then follow these up.
    6). Rootkits, rootkits crossed or interbred with worms and viruses and trojans and other malware. All are the bane of all firewalls everywhere. Hidden and virtual files and drivers can easily avoid the protection of the software firewall.
    Certain viruses and malware in the past have been known to install their own TCP/IP stack - but these malware were easily seen by the antivirus and then promptly removed. But a hidden driver obtaining internet access or a hidden TCP/IP stack on the Windows system is even harder to detect and to remove. Even harder to be seen by either the Windows itself or by any firewall. The ZoneAlarm does have protection from rootkit install attempts or initial activity (so pay close attention to those firewall alerts) and its antivirus does have rootkit detections, but still these are no absolute against rootkits, as rootkits seem to evolve and change on an almost weekly basis, making rootkit detection harder not easier.
    7). Toolbars for browsers and browser helper objects (BHO) and browser addons will use the default allowed permissions for the browser to connect to unwanted sites and report details about your personal browsing habits and even report your keystrokes and personal information. General advice is to avoid installing these from the onset.
    8). A rogue .dll inserted into the TCP/IP stack or installed as its own winsock.dll will not be seen by a software firewall. It will then be able to make or allow any connection that is desired and avoid detection by the firewall. Good news is any garden variety type of antispyware scanner or any antivirus will easily detect these rogue .dlls and their associated files. Also these rogue .dlls are easily seen by inspecting the LSP through Windows itself.



    The techie or geekie reply for research and vast endless readings. Take a look at all of these following URLs as these cover a broad range of topics and details and information. These are some of my bookmarks in my browser - some are easy reads and some are in-depth coverage or specialities. Presented in no particular order or system, and some may actually be of genuine interest or have some value and merit.
    And a little of everything for everybody:

    http://www.linuxsecurity.com/resourc...wall-seen.html

    http://www.iks-jena.de/mitarb/lutz/u...all.en.html#PF

    http://www.interhack.net/pubs/fwfaq/firewalls-faq.html

    http://www.comptechdoc.org/independe...ide/index.html

    http://www.w3.org/Security/faq/www-security-faq.html

    http://www.geocities.com/uzipaz/eng/pfnt.html

    http://www.securityfocus.com/infocus/1701

    http://www.practicallynetworked.com/

    http://www.wlug.org/files/ipchains-f...l/siframes.htm

    http://www.wilyhacker.com/1e/

    http://www.aspdeveloper.net/tiki-ind...rosoftKB832017

    http://technet.microsoft.com/en-us/l.../cc772774.aspx

    http://support.microsoft.com/kb/825750

    http://support.microsoft.com/kb/170292/EN-US/

    http://www.microsoft.com/windowsxp/u.../stopspam.mspx

    http://technet.microsoft.com/en-us/l.../bb726983.aspx

    http://support.microsoft.com/kb/140859

    http://support.microsoft.com/kb/832017

    http://support.microsoft.com/default...;en-us;Q164015

    http://www.microsoft.com/windowsxp/u...g/default.mspx

    http://technet.microsoft.com/en-us/l.../bb491071.aspx
    (discover arp, netstat, nslookup, ping, tracert, netsh, ipconfig, etc)

    http://bdplaw.net/content/homesecurity.shtml

    http://technet.microsoft.com/en-us/l.../cc750828.aspx

    http://www.unwantedlinks.com/

    http://www.us-cert.gov/nav/nt01/

    http://www.spirit.com/Network/net0700.html

    http://www.spirit.com/Network/net0600.html

    http://labmice.techtarget.com/networking/wireless.htm

    http://www.markusjansson.net/exp.html

    http://www.grc.com/nat/nats.htm

    http://www.wardriving.com/

    http://www.windowsecurity.com/articl...ack-Part1.html

    http://ntcanuck.com/tq/TQ_Pg13.htm

    http://www.ipprimer.com/overview.cfm

    http://www.commontology.de/security/...lls/fire0.html

    http://www.ipdeny.com/

    http://www.eventhelix.com/RealtimeMantra/Networking/

    http://www.simovits.com/trojans/trojans.html

    http://www.privacyrights.org/index.htm

    http://malwaredomains.com/

    http://www.aircrack-ng.org/doku.php

    http://www.stumbler.net/

    http://insecure.org/

    http://security.getnetwise.org/

    http://www.microsoft.com/protect/default.mspx

    http://www.checkdomain.com/

    Oops forgot one - for the uber geek:

    http://www.ntkernel.com/w&p.php?id=14

    I have more links if still interested.
    See next post(s) for browsers and malware suggestions.
    Maybe tomorrow?

    Oldsod.

    Message Edited by Oldsod on 02-11-2009 03:13 PM
    Best regards.
    oldsod
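The port-activity checks from points 2, 4 and 5 above, written out as a small log triage script. This is example code added here, not ZoneAlarm's own log format or any vendor tool; the semicolon-separated log layout, the IP addresses and the trusted DNS/DHCP/SMTP server sets are constructed assumptions.

```python
"""Triage software-firewall log lines for the warning signs listed above:
rogue DNS/DHCP servers, SMTP to a non-relay host (spam bot), IRC ports
(bot C&C), DCOM/NetBIOS ports (worms), port 80/443 used by a non-browser,
and network access from a Temp folder or the drive root. Example code; the
log layout and all addresses are constructed, not ZoneAlarm's real format."""
from dataclasses import dataclass
import ipaddress

# Assumed home LAN (constructed): the router at 192.168.1.1 is the only
# legitimate DNS and DHCP server, and the ISP relay is the only host that
# should ever receive outbound SMTP from this machine.
TRUSTED_DNS = {"192.168.1.1"}
TRUSTED_DHCP = {"192.168.1.1"}
TRUSTED_SMTP = {"203.0.113.25"}
BROWSERS = {"firefox.exe", "opera.exe", "iexplore.exe"}

IRC_PORTS = set(range(6660, 6670)) | {7000}
WORM_PORTS = {135, 137, 138, 139, 445}      # DCOM and NetBIOS
MAIL_PORTS = {25, 465, 587}
WEB_PORTS = {80, 443}


@dataclass
class Event:
    direction: str      # "out" (program connecting out) or "in" (inbound)
    proto: str          # "TCP" or "UDP"
    local_port: int
    remote_ip: str
    remote_port: int
    program: str        # program path as the firewall logged it


def parse_line(line):
    """Parse one constructed log line of the form
    time;direction;proto;local_ip:port;remote_ip:port;program"""
    fields = line.strip().split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed log line: {line!r}")
    _, direction, proto, local, remote, program = fields
    lip, lport = local.rsplit(":", 1)
    rip, rport = remote.rsplit(":", 1)
    ipaddress.ip_address(lip)       # raises ValueError on garbage
    ipaddress.ip_address(rip)
    return Event(direction.lower(), proto.upper(), int(lport), rip, int(rport), program)


def exe_name(path):
    """Last component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def from_temp_or_root(path):
    """True for Temp folders, Temporary Internet Files, or a file sitting
    directly in the drive root (e.g. C:\\x.exe)."""
    p = path.lower()
    return "\\temp\\" in p or "temporary internet files" in p or p.count("\\") == 1


def triage(ev):
    """Return the list of findings (possibly empty) for one event."""
    rp, lp = ev.remote_port, ev.local_port
    findings = []
    if ev.proto == "UDP" and rp == 53 and ev.remote_ip not in TRUSTED_DNS:
        findings.append("rogue DNS: query to an untrusted server")
    if ev.proto == "UDP" and rp == 67 and ev.remote_ip not in TRUSTED_DHCP:
        findings.append("rogue DHCP: request to an untrusted server")
    if rp in MAIL_PORTS and ev.remote_ip not in TRUSTED_SMTP:
        findings.append("spam bot suspicion: SMTP to a non-relay host")
    if rp in IRC_PORTS or (ev.direction == "in" and lp in IRC_PORTS):
        findings.append("IRC C&C suspicion: IRC port activity")
    if rp in WORM_PORTS or (ev.direction == "in" and lp in WORM_PORTS):
        findings.append("worm-like activity: DCOM/NetBIOS port")
    if rp in WEB_PORTS and exe_name(ev.program) not in BROWSERS:
        # Heuristic only: legitimate updaters also use 80/443, so a real
        # deployment keeps an allowlist of known updaters as well.
        findings.append("non-browser program on port 80/443 (possible encrypted C&C)")
    if from_temp_or_root(ev.program):
        findings.append("network access from a Temp folder or the drive root")
    return findings


def triage_log(lines):
    """Return [(line_number, findings)] for every line that raised a finding."""
    flagged = []
    for n, line in enumerate(lines, 1):
        f = triage(parse_line(line))
        if f:
            flagged.append((n, f))
    return flagged


# Constructed sample log; only lines 1 and 2 are legitimate traffic.
SAMPLE_LOG = [
    r"12:00:01;out;TCP;192.168.1.10:1033;203.0.113.50:80;C:\Program Files\Opera\opera.exe",
    r"12:00:02;out;UDP;192.168.1.10:1034;192.168.1.1:53;C:\WINDOWS\system32\svchost.exe",
    r"12:00:05;out;UDP;192.168.1.10:1040;198.51.100.9:53;C:\WINDOWS\system32\svchost.exe",
    r"12:00:09;out;TCP;192.168.1.10:1041;198.51.100.77:6667;C:\DOCUME~1\user\LOCALS~1\Temp\update.exe",
    r"12:00:12;out;TCP;192.168.1.10:1042;198.51.100.80:25;C:\WINDOWS\system32\svchost.exe",
    r"12:00:15;out;TCP;192.168.1.10:1043;198.51.100.81:443;C:\WINDOWS\system32\rundll32.exe",
    r"12:00:20;in;TCP;192.168.1.10:445;198.51.100.5:3412;System",
]

if __name__ == "__main__":
    for n, findings in triage_log(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(findings))
```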

  6. #6
    Join Date
    Dec 2005
    Posts
    9,057

    Re: I have received a number of viruses recently and ZA's Ove...


    Findley wrote:
    > Oldsod,
    > First, I guess I need to say I'm not hijacking here - just want to complement you.
    > This post is awesome - I'm a long-time reader of your posts and want to thank you for all the time, effort, and knowledge you always share with both the original poster and all of us "lurkers/readers."
    > Best regards, Findley


    Thank you Findley!
    I always enjoy nice compliments and public acclaims.
    Oldsod.
    Best regards.
    oldsod

  7. #7
    Join Date
    Dec 2005
    Posts
    9,057

  8. #8
    tough Guest

    Re: Firewalls

    Thank you again for the in-depth reply... implementation underway.
    CC

  9. #9
    Join Date
    Dec 2005
    Posts
    9,057

    Malware Part Two

    Consider a special Windows computer that is never connected to the Local Area Network or to the internet, never gets any media inserted (CD, DVD, floppy, USB, etc.), never opens emails or uses the email client, never uses a messenger or a browser.
    And nothing was ever installed after the original setup.
    And only one user account using a strong password.
    Consider this Windows a perfectly clean and safe computer.

    In real life for the home user, this special computer probably does not exist.
    Home computers are meant and bought to be used to send messages, browse, enjoy the media and music and video, send and receive emails, and a few other things.
    Once the computer is 'opened' up to these variables, there is always a risk.

    The first six tenets listed previously should be closely followed and observed.

    http://forum.zonelabs.org/zonelabs/b...essage.id=5420

    But there may be some 'security holes' still not covered in this previous advice.

    I did a quick post for this some time ago:

    http://forum.zonelabs.org/zonelabs/b...ssage.id=17114

    But I suspect some of the links may not be valid anymore.

    Browser

    Scripts allowed in the browser are risks because they can be executed and run actively not just in the browser cache, but on the entire PC itself.
    If a malicious file was present, it could be dangerous and infect the PC.
    This does not really apply so much to the Firefox (or for the Opera browser for that matter), but for the Internet Explorer. The IE is very much part of the Windows kernel and tied directly into the Windows, whereas the Firefox is not. Another reason for the Firefox and Opera being "safer" browsers than the IE.

    MIME is used for introducing media content to the web page - but can be used maliciously to introduce malware files instead of the expected media.
    IFRAMES basically insert a frame within a block of text which can be not seen or entirely visible (see http://www.w3.org/TR/html401/present/frames.html).
    Both IFRAMES and JAVASCRIPTS are prone to cross-site scripting vulnerabilities - disabling JavaScript in the browser along with iframes will prevent most of the web threats from browsing.
    ActiveX can be a malicious CODEC or .DLL, in disguise of the expected media content or embedded in the media content.
    Banners, certain active ads and Flash (although using .swf and variants), and some popups all need JavaScript to be allowed in order to work. Hacked sites and "unknowingly" innocent sites will have malicious scripts in the banners, ads and Flash.

    Cookie:

    http://en.wikipedia.org/wiki/WWW_cookie


    Webbugs:

    http://en.wikipedia.org/wiki/Webbug

    Popup Ad Blocking and banner ads and Web banners:

    http://en.wikipedia.org/wiki/Pop-up_ads_blocking

    Javascripts>

    http://en.wikipedia.org/wiki/Javascript

    Embedded Objects:

    Java>

    http://en.wikipedia.org/wiki/Java_applet

    ActiveX>

    http://en.wikipedia.org/wiki/Activex_control

    Scripts:

    Vbs>

    http://en.wikipedia.org/wiki/VBScrip...mming_language

    Mime-type integrated objects:

    http://hixie.ch/advocacy/xhtml

    http://en.wikipedia.org/wiki/Cascading_Style_Sheets

    http://www.w3.org/People/mimasa/test...-types/results

    Private header:

    http://en.wikipedia.org/wiki/Referer

    My favorite for information about cookies, java, javascripts, hijacks, activeX, spoofs, users concerns about hackers and general internet security is this one>

    http://www.w3.org/Security/Faq/index.html#contents

    It is long, but it does cover any question(s) that any user may have.

    Also check out>

    http://en.wikipedia.org/wiki/WWW_browser

    http://en.wikipedia.org/wiki/Internet_Security




    Email

    General advice is always see the email in plain text not in code or html.
    This prevents the container language from hiding any possible exploits or evil code or bad scripts.
    Never have the email client set to open the first email - always have the new emails listed and unopened. An email opened by default could infect even before seeing the exact body or the sender of the email.
    Never open unsolicited emails and their attachments. Simply opening the unwanted email automatically executes a 'web bug' which promptly calls back to the home server of the unwanted sender and informs the sender that yes, this email address is valid and has now been verified. Once it is seen as valid, the spammer now adds the new email address to the lists, and then sells the list(s) to potential buyers for further spamming. In other words, open just one unwanted email and then be prepared to receive many unwanted emails in the near future.
    Email attachments with an executable file extension are a risk (unless you personally know the sender), but so are Word documents and PDFs (both can be exploited).
    Never open unwanted attachments with an executable file extension!

    Most of the email traffic is spam. Most of the internet traffic is spam.
    There are only a few servers responsible for sending spam along with only few infected computers/servers. Considering one home computer can send out millions of spam emails in just one day, these limited and few spamming computers do a lot of damage.
    An infected home user's computer sending out spam is not just a threat to the internet but to the home user themselves - a severe loss of bandwidth due to the high traffic spamming reducing the enjoyment of the home user's internet experience; loss of internet connection/access from the internet provider due to the illegal spamming; or even legal charges laid against the home user. The owner of the malware is free of any legal or moral issues as the owner of the malware is never held accountable - it is the home user left with the onus of being the criminal.
    Always keep the windows computer clean and rid of worms, viruses and troyans.

    Media

    All new or rewritten media should always be first scanned before executing or being opened.
    However once that media is determined to be safe, it should be regarded as always safe - unless the media has new files added to it (malicious or otherwise).

    Holding down the [Shift] key before entering the media will prevent it from automatically being opened, thus limiting any immediate opening of files.
    There are specific malware designed to 'jump' immediately from the media into the computer regardless of the user's actions or setup. Although the Windows can be set up not to immediately open the media when it is inserted, there are certain types of malware that will override this and infect anyway.
    Basically disabling the autorun in windows removes this possibility.
    A USB drive or external hard disk drive could be infected - disabling the autorun removes this threat and allows the drive to be first completely scanned removing any possible malware.
    Enabling and Disabling AutoRun gives a description and there is a correction recently issued by MS How to correct "disable Autorun registry key" enforcement in Windows.

    For CD/DVD media there is How to Disable the Feature That Allows CD-ROMs and Audio CDs to Run Automatically as it is possible for even video files to have hidden malicious code. This malicious code usually is designed to become active when the file is played and then either exploit any vulnerability in the player (buffer overflow or security hole in the player itself) or even attempt to send out an .exe into the Temp folder and then start to infect windows (I have seen this myself) or even require some unusual codec to be played.
    Always be careful about obtaining and installing unknown codecs and be careful of the source and server of the codec (it may be a disguise for an .exe or .dll file). Always handle or treat the new codec in the same manner as with ActiveX - with caution.

    Zone Alarm Privacy

    ... a little repeat of the above but some new stuff....

    Flash (or .swf), some banners and banner content, sounds, webbugs, site interactions, some of the ads, some of the site's presentations and so forth will all use javascripts.
    On the other hand, javascripts is very much needed for logins, signins, password verifications, site interactions (banks, buy/sell sites, etc), web mail, and for the "good" and needed sites.
    In many ways the html code of the web sites are just the basis, the .css files are just the adjustments and generalizations whereas it is the javascripts that give many sites the "glamour" and the neat tricks.

    Other common types of scripts used by some sites to give it the "glamour" and some neat tricks are MIME, VBS and the IFRAMES.

    The MIME, VBScript and IFRAMES are, of course, all known to be also exploited by malware writers and as such these can be a risk/danger at unsafe/risky sites.

    The MIME and the VBScript can be also blocked in the Privacy.

    The IFRAMES cannot be blocked by/in the Privacy - probably the only new filtering that the Privacy does miss, as iframes are now becoming more dangerous than ever before.
    However, the NoScript add-on for Firefox can be used to block/allow IFRAMES & MIME, and Firefox by default does not use any VBScript. I believe the Adblock for Firefox also has protections from evil iframes.
    I strongly suspect the 'about:config' of Firefox can disable IFRAMES globally. The IFRAMES can be disabled globally in IE's Internet Options, but I would advise against doing this and just leave this alone. (Scripts can be blocked off in IE, but again leave this alone because it is easier to leave this task to the ZA Privacy.)
    Iframes can be blocked globally inside of the Opera Browser, using the 'opera:config' and then adjusting the iframes to be allowed in the Opera's Site Preferences.

    The ZA states:

    " In the Mobile Code Control area, specify the types of mobile code to block.
    Block JavaScript Blocks JavaScript content, including that required for common uses such as Back and History links, rollover images, and opening and closing browser windows.
    Block scripts (vbscript, etc.) Blocks scripts that execute automatically, including those required for displaying banners, pop-up ads, and dynamic menus.
    Block embedded objects (java, ActiveX) Blocks objects embedded in Web pages, including sound and image files.
    Block mime-type integrated objects Blocks objects whose MIME-type indicates that they are applications.
    Note: This option also blocks legitimate executable files sent through the browser, including downloads that you may want to allow. When this occurs, you'll see the error "This object has been blocked" in the browser. For downloads initiated by you, it is safe to disable the Block mime-type integrated objects feature."

    Please, note the MIME referred by the ZA and myself is not actual SMTP/MIME, but it is actually properly known as MIME HTML.

    http://en.wikipedia.org/wiki/MHTML

    http://en.wikipedia.org/wiki/JavaScript

    http://en.wikipedia.org/wiki/VBScript

    http://en.wikipedia.org/wiki/IFrame

    The Privacy Advisor itself is a useful tool for determining what content has been blocked and possible content needed to be allowed for the proper site use.
    Or just to show you what has been blocked and any possible risks which have been avoided.
    I have long ago stopped using the Privacy of the ZA and use alternative methods. But when I used the Privacy, immediately after a "fresh" install or "clean" install, I went to all needed and usual sites with all allowed in the Privacy. Once the needed and usual sites were added to the Privacy listing, I then set the blocking to High for everything. This method let me enjoy my sites with the needed content and block content from any new or "foreign" or risky sites.

    Mistakenly blocked content can be determined by the Privacy Advisor, or by trial and error or even with an online service such as a "browser check", like this one:

    http://www.heise-online.co.uk/securi.../browsercheck/

    I specifically used the above site as a reference because it does have advice and securities for both IE and Firefox under the "Changing settings" and "Security Holes" links, since these are the two specific browsers that you are using.

    Java is another common threat, but the latest JAVA from SUN has improved, when considering security. What goes into the JAVA cache usually stays in the JAVA cache and does not spill over into Windows. Any trojans in the JAVA cache usually stay there and are deleted/removed by a file cleaner or a manual clean of the JAVA cache. Most antiviruses now detect JAVA trojans, and even the antiviruses that don't are still safe to use, since the JAVA is now relatively safe to use (as compared to a few years ago). Even something such as VUNDO (from emails or safe web browsing) will be removed from the JAVA cache by deletion or uninstalling/reinstalling the JAVA. NOTE: there are other variants of VUNDO, but these are not JAVA related and are only found from illegal media or "cracked" programs.

    Last but not least, ActiveX is the last "security" threat to be mentioned.
    While Firefox does not allow for any ActiveX installations (it will access applications which themselves use ActiveX), IE 7 in the default setting will prompt for the installation of any new ActiveX.

    http://en.wikipedia.org/wiki/ActiveX
    Private Headers (commonly known as "refer" or "referrer") in itself is not a security risk, but a privacy risk.

    http://en.wikipedia.org/wiki/Referer

    HTTP cookies are not a security risk, but considered to be a privacy issue.
    Tracking cookies or third party cookies traditionally have been the privacy issue cookies (although it may well be that first party and session cookies will soon be tracking - not just for the site directly involved, but for other parties).

    http://en.wikipedia.org/wiki/HTTP_cookie

    Web trackers and site counters can be using cookies (just disable third party cookies) or webbugs (just disable the javascripts or webbugs in the Privacy). But not always. Some are using the server's logs or javascripts of that server (or third party server).

    http://en.wikipedia.org/wiki/Web_bug

    http://en.wikipedia.org/wiki/Web_counter

    However, even certain ads and banners and embedded scripts can also act as web counters and trackers (with javascripts and others).
    The web counters and trackers are not security risks, but are often considered to be an invasion of privacy when these collect certain data of the user.
    Also see:

    http://www.geocities.com/yosponge/datacoll.html


    Further readings:

    http://www.junkbusters.com/cookies.html

    http://www.unwantedlinks.com/

    http://www.cknow.com/vtutor/VirusProtection.html

    http://bcheck.scanit.be/bcheck/

    http://cexx.org/

    http://msmvps.com/blogs/spywaresucks/Default.aspx

    http://www.us-cert.gov/cas/tips/

    Best regards.
    Oldsod.

    Message Edited by Oldsod on 02-16-2009 01:37 PM
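The AutoRun hardening that Oldsod describes above (disable AutoRun for every drive type, then scan removable media before trusting it) can be audited and applied from PowerShell. The block below is an added example written for this thread; it is not code from Oldsod's post, from Microsoft or from ZoneAlarm. It uses the documented `NoDriveTypeAutoRun` policy value under `HKLM\...\Policies\Explorer` (bit mask, `0xFF` = all drive types) and assumes an elevated PowerShell session on a Windows machine; the function names are my own. It only reports and sets the policy and lists any `autorun.inf` found on removable or optical drives, so a suspicious file can be scanned rather than executed.

```powershell
# Added example (not from the forum post): audit and harden Windows AutoRun.
# Assumes an elevated PowerShell session. Function names are hypothetical.

$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName  = 'NoDriveTypeAutoRun'
$AllDrives  = 0xFF   # every bit set: AutoRun disabled for all drive types

# Return the current NoDriveTypeAutoRun value, or $null when the policy is not set.
function Get-AutoRunPolicy {
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

# Set NoDriveTypeAutoRun to 0xFF (create the key if needed). Explorer reads the
# policy at logon, so a logoff/reboot is typically needed before it takes effect.
function Set-AutoRunDisabled {
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord `
                     -Value $AllDrives -Force | Out-Null
}

# List autorun.inf files on removable (DriveType 2) and CD/DVD (DriveType 5) drives.
# Such a file is not proof of infection, but it is what AutoRun would have acted on,
# so it is the first thing to hand to the antivirus scanner.
function Get-RemovableAutorunInf {
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=5' |
        ForEach-Object {
            $inf = Join-Path $_.DeviceID 'autorun.inf'
            if (Test-Path -LiteralPath $inf) {
                $attrs = (Get-Item -LiteralPath $inf -Force).Attributes
                New-Object PSObject -Property @{
                    Drive      = $_.DeviceID
                    AutorunInf = $inf
                    Hidden     = (($attrs -band [IO.FileAttributes]::Hidden) -ne 0)
                }
            }
        }
}

# --- usage ---
$current = Get-AutoRunPolicy
if ($null -eq $current) {
    'NoDriveTypeAutoRun is not set; AutoRun follows the Windows defaults. Setting 0xFF.'
    Set-AutoRunDisabled
} elseif (($current -band $AllDrives) -eq $AllDrives) {
    'AutoRun already disabled for all drive types (0x{0:X2}).' -f $current
} else {
    'AutoRun only partially disabled (0x{0:X2}); setting 0xFF.' -f $current
    Set-AutoRunDisabled
}

'autorun.inf files currently present on removable/optical media:'
Get-RemovableAutorunInf | Format-Table Drive, AutorunInf, Hidden -AutoSize
```

The audit half is the useful part for the situation in this thread: if `Get-AutoRunPolicy` returns `$null` or a value other than `0xFF`, AutoRun was still live for some drive types despite the firewall and antivirus reporting "protected", which is exactly the gap Oldsod is pointing at. A hidden `autorun.inf` on a freshly inserted stick is worth scanning before anything on that stick is opened.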

  10. #10
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Firewalls


    <blockquote><hr>tough wrote:
    Thank you again for the in-depth reply... implementation underway.
    CC
    <hr></blockquote>


    I very much appreciate your answer!
    Oldsod.
