Re: Trojans and ADWARE / NORTON
From: Joseph V. Morris (jvmorris@erols.com) Date: 07/18/02
- Next message: : "Atguard 3.22 + BlackIce 21cn"
- Previous message: Kapp: "Re: confused: firewall & dialup ISP"
- In reply to: : "Re: Trojans and ADWARE / NORTON"
- Next in thread: : "Re: Trojans and ADWARE / NORTON"
- Reply: : "Re: Trojans and ADWARE / NORTON"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Joseph V. Morris" <jvmorris@erols.com> Date: Wed, 17 Jul 2002 18:41:42 -0400
Paula,
"Paula DeRoo" <pderoo1@nospam.comcast.net> wrote in message
news:7glZ8.152230$iX5.7457023@bin3.nnrp.aus1.giganews.com...
. . . .
| > Couple of other observations about configuring NIS/NPF of general
| > validity.
| > 1) Run on "High" Security setting unless you've got a defensible
| > reason not to.
|
| Okay, had that already...
|
| > 2) Disable "Automatic Firewall Rule Creation" (it's on that drop-down
| > list you used to get to the Trojan Block rule settings).
|
| That was on Enable, changed it...
Potential problem (above) is that you can unknowingly find a new
Internet-enabled application granted privileges without you being aware of
it. With this option DISABLED, you will be asked _explicitly_ (from the
Rules Assistant). And, even if you check "yes", always go back and review
the resulting rules added to the ruleset. There's a (technical) limit as
to how well Symantec's rules can be configured to your particular
requirements; you need to confirm the resulting 'defaults' personally and
(if necessary) modify them. (Still, they tend to be a bit better than
what you're likely to get from most other PSFs.)
|
| > 3) Ensure that "Stealth Blocked Ports" (on the Advanced Options | Other
| > tab) is ENABLED.
|
| That was already checked...
|
| > 4) Set Reporting to "Minimal" (primarily to cut down on confusing
| > clutter in your event logs).
|
| Had on High, changed that too.
Again, to re-emphasize, this is primarily to cut down on 'clutter' in the
various event logs. I've never seen anything (of consequence) resulting
from running in "High" Reporting status rather than "Minimal". All I've
seen is 'clutter' that makes it even harder to understand what you're
seeing. I suppose a novice might gain some insights from the overly
verbose logs during the first week or month, but that's about all I can
see to be gained from them.
. . . .
| Wow. I sure hope you're getting paid (rather well) for knowing all that
| because if you're not, you've definitely missed your calling.
Hah!! <g> I wish! <g> But then I wouldn't be able to raise hell when the
urge strikes me; no one would trust my objectivity. (I've got a couple of
guys at Symantec who will never speak to me again, I suspect; luckily,
Brendon Woirhaye is _not_ one of them.)
| So in translation, what you're trying to tell me is that my NPF Trojan
| Horse Settings are worth shit?
Well, I still run 'em, myself, so No; I'm not saying that (exactly). I'm
simply pointing out that I'm a lazy SOB who hates to have to go out and
track down what the hell that 'Unused Port Blocking' or 'Implicit Block
Rule' entry in the firewall event log would otherwise mean. If you're
willing to do this yourself (and a lot of people aren't), really all you
have to do is look them up at http://www.simovits.com/trojans/trojans.html
(or some similar website). Incidentally, there is no _definitive_ site of
default ports that various RATs may use, nor (apparently) is there _going_
to be one. And, indeed, as noted in my original post, there's absolutely
_nothing_ that prevents a sophisticated 'cracker' from using _other_
ports. I routinely see only about three or four of these. After about a
week or so, you can recognize them yourself. Still, if you're just a
casual user running a home PC or SOHO used by kids, spouse, and other
family members, these rules can come in handy. Otherwise, you can live
without them.
If you really want to do this yourself (and actually get a more
sophisticated idea of what's going on), then I have to recommend Sven
Schaefer's Log Viewer, which you can find at
http://home.debitel.net/user/svenschaef/logview/ . If you find an event
in Log Viewer that concerns you, Sven provides a lot of detail in his
"Event Details" (right-click) pop-up that you may find useful. You may
also want to take a look at the add-on utilities that Albert Janssen
provides at www.capimonitor.nl for both AG and NIS/NPF. Both of these
guys are well-known, reputable sources of add-on utilities for AG/NIS/NPF,
as anyone who joins this thread will attest.
|
| Other than NPF I have NAV2002 and this Anti-Trojan 5.5, but I have to
| run that periodically.
Then, you are effectively running NIS. (Not too sure what you're
referring to by Anti-Trojan 5.5, however.)
| It sure would be nice to have a small program running
| in memory. Do you recommend one of the ones you mentioned above "AV,
| AT, TTT, SSM, or BI 3.5"?
No, actually, I don't. I run NIS (NPF + NAV in various configurations and
releases) on my various machines, but I don't even recommend them; I
simply try to occasionally inform people how to use them, if they're
interested. I got over my "Ford vs Chevy" (and "Which firewall is best?"
or "Which AV is Best?" or "Which AT is best?") interests a long time ago.
Everyone has their own needs (or lack thereof) and their own inclinations
as to which product they are most comfortable with. Ultimately, as long
as you are _comfortable_ with and fully _understand_ the product(s) you're
using (both their features and limitations), that's the best that can be
accomplished. There are any number of independent sources of information,
e.g., www.wilders.org on the pros and cons of the various applications;
you just have to check them out for yourself, and then make your own
decision after playing with each possibility that _you_ find appealing.
| Also, can you point me to a site that will thoroughly scan my computer
| for security holes? There are so many, unless you know what you're doing
| it's a toss-up.
Well, I've got the same problem here.
If it's a completely _external_ scan (with no downloading of an
application, ActiveX control, or Java applet to your machine), the only
thing you're really checking is whether or not you've got some gaping hole
to _external_ intrusions into your machine. Any of the reputable port
scanning sites can do this. You want a quick and dirty? Try GRC's "Probe
My Ports" at www.grc.com . PC Flank ( www.pcflank.com) and DSLR
(http://www.dslreports.com/secureme ) are other sources, but they are
hardly unique (still, both can go well beyond the functionality available
from GRC).
If you want to check how well you have MSIE set up, then a visit to
http://www.gemal.dk/browserspy/ may be in order.
If you run Microsoft's Outlook or Outlook Express, then you want to take a
look at information available from http://www.slipstick.com/index.htm .
With regards to Microsoft applications, the important thing is to keep
your software updated. As far as your Windows operating system, Windows
Explorer, and MS Internet Explorer are concerned, you can get most of the
requisite updates from http://windowsupdate.microsoft.com/?IE . With
regards to MS end-user applications, you should check at
http://office.microsoft.com/productupdates/ .
Of course, Microsoft is not the only source of Internet-enabled
applications (indeed there are hundreds of others). You need to routinely
check the websites for other Internet-enabled applications that you have
installed on your machine to ensure that they are up to date. Don't like
taking the time? Well, then check BugTraq or NTBugTraq for vulnerability
and exploit warnings (and hopefully, a path to any 'fixes' that may be
available).
--
Regards,
Joseph V. Morris
jvmorris@erols.com
ICQ #29438199
This is a NEWSGROUP message; except for privacy reasons, please respond
therein; an e-mail COPY is always appreciated, of course.
Almost all electrons used in the creation of this message were recycled.
No electrons used in the production of this message were harmed or
mistreated in any manner.
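An added example of the "look them up yourself" approach the post describes (not code from the post, from Symantec, or from any of the sites mentioned): it parses constructed firewall log lines in an invented format, counts the blocked hits per port and source, and annotates them from a placeholder port table that the reader would fill from a trojan-port reference.

```python
"""Triage blocked-port entries from a firewall event log.

Added example, not from the original post. The log-line format is
constructed for illustration (NOT Norton's real event-log format) and the
port table is a placeholder to be filled from a trojan-port reference."""
import re
from collections import Counter

# Constructed sample lines: "<date> <time> <action> <port> <proto> <source IP>"
SAMPLE_LOG = """\
2002-07-17 18:01:02 Unused Port Blocking 5555 TCP 192.0.2.10
2002-07-17 18:03:15 Unused Port Blocking 1433 TCP 192.0.2.44
2002-07-17 18:04:40 Implicit Block Rule 5555 TCP 192.0.2.10
2002-07-17 18:09:01 Unused Port Blocking 5555 TCP 198.51.100.7
2002-07-17 18:11:30 Implicit Block Rule 6666 UDP 192.0.2.44
2002-07-17 18:12:00 Rule Allowed 80 TCP 203.0.113.5
"""
LINE_RE = re.compile(
    r"^(\S+ \S+) (Unused Port Blocking|Implicit Block Rule) (\d+) (TCP|UDP) (\S+)$")

# Placeholder lookup (port -> name). As the post notes, no such list is
# definitive and an attacker can use any other port, so "unlisted" is not a
# clean bill of health; it only means the port is not in your reference.
KNOWN_PORTS = {5555: "placeholder-RAT-A", 6666: "placeholder-RAT-B"}

def parse_blocked(log_text):
    """Return only the block events as dicts; other actions are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, action, port, proto, src = m.groups()
            events.append({"ts": ts, "action": action, "port": int(port),
                           "proto": proto, "src": src})
    return events

def summarize(events, min_hits=2):
    """Aggregate hits per (port, proto), most frequent first, and annotate."""
    counts = Counter((e["port"], e["proto"]) for e in events)
    report = []
    for (port, proto), n in counts.most_common():
        sources = sorted({e["src"] for e in events
                          if e["port"] == port and e["proto"] == proto})
        report.append({"port": port, "proto": proto, "hits": n,
                       "sources": sources,
                       "label": KNOWN_PORTS.get(port, "unlisted"),
                       "recurring": n >= min_hits})
    return report
```

Recurring hits on one port from several sources are the entries worth a closer look; a single hit on an unlisted port is usually the background noise the post calls clutter.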