Re: How good is Comodo Internet Security?



Nik Gr <nikos1337@xxxxxxxxx> wrote:
"Ansgar -59cobalt- Wiechers" <usenet-2008@xxxxxxxxxxxxxxxx> wrote:
So if we are infected on LUA we just delete this user account for
good and create another one with the same name under our admin
account?

You don't even have to delete the account. Just delete the profile
(or rename it, so you can recover non-infected data from it, do
forensic examinations, etc.).

Currently I am logged in on Windows Vista as standard user "nik" but
I'm a member of admin groups. Where can I see my profile so to alter
it or delete it?

The profile is your user's directory in the "Documents and Settings"
folder. Open Explorer, click in the address bar, type %USERPROFILE% and
press <Enter>.

What is the difference between a user account and a user profile?

The profile is the directory where all of a user's configuration and
data is stored. The account is the information Windows maintains for
managing the user (username, password, location of the profile, etc.).

Where are profiles stored?

"%SystemDrive%\Documents and Settings"

Will I be safe if every time I get infected I delete my user profile?

Normally you will. Provided your account didn't have elevated
privileges.

However, since right now your account does have admin privileges, you
have to take something else into consideration. Until Windows 2000
objects created by members of the group "Administrators" were owned by
the group rather than the individual user. This was changed in XP and I
presume also in Vista. Since your user "nik" has admin privileges, this
user is the owner of all files/folders he created (e.g. when installing
a program). Because of this ownership, that user will still have full
access to those files/folders, even if you remove the user from the
group "Administrators". If you don't change this, malware run by the
user "nik" may still be able to compromise stuff outside the user's
profile because of that.

You can:
- delete that user entirely and create a new limited user from the
administrator account
- use that account as your admin account and create a new limited user
- change the ownership of files/folders under %Program Files% and
%SystemRoot% to the group "Administrators"

In any case you should change the default ownership of objects created
by members of the group "Administrators" to that group (there's a
security option for that, which you can change with gpedit.msc).

Also I'd strongly recommend changing the default permissions on
%SystemDrive% to full access for administrators and SYSTEM and read-only
access for normal users or authenticated users. See the link below for
an explanation of the reason why.

http://www.microsoft.com/technet/security/bulletin/MS02-064.mspx

a) Determine exactly when the infection occurred and what was
altered on the system afterwards (files and registry), and then
take back those alterations

How? You can get infected without knowing you are at the time, so it
would be even more difficult to actually find alterations to files
and registry?

Well, that's the tricky part. You need to have a baseline to compare
against, e.g. checksums for all files and dumps of the relevant parts
of the registry, so you can compare. You can't simply compare
checksums of the files the registry is stored in, because Windows
stores a lot of dynamic stuff in it, so it's constantly changing.

Isn't there some Windows application or console command that will
compare my current system files to clean ones on my dvd and
re-overwrite the tampered files with its initial clean versions?

No. Windows' system files are digitally signed, and you can verify the
signature with sigverif.exe, but you need to do that from a known-good
system, and it won't check the registry and any other file except for
Windows system files.

I leave alone the dump registry part, since the user installed
programs and there is no way the current registry size will be the same as
the after-format registry.

baseline = a measure of comparison?

baseline = a set of checksums

checksum = comparison of sizes between 2 files?

http://en.wikipedia.org/wiki/Checksum

Normally you'd use a cryptographic hash function for this kind of
checksum:

http://en.wikipedia.org/wiki/Cryptographic_hash_function

And last, I think I'll just leave my router's hardware firewall enabled
to filter (sort out) connections, but an application-level software
firewall with stateful packet inspection would help as well, yes?

If the router does stateful packet inspection, you don't need a software
firewall to do it again. Make sure, though, that you disable UPnP on
your router, and set a good password.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
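The baseline-and-compare idea from the reply above (a stored set of cryptographic checksums for the file tree, later rehashed and diffed to find what an infection added, removed or modified), as an added example that is not part of the original post. The directory layout, file names and contents are constructed for the demonstration; SHA-256 stands in for whatever hash you choose.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (path relative to root) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the stored baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: clean tree, saved baseline, then tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"clean binary")
        (root / "config.ini").write_text("[main]\nsafe=1\n")
        # Round-trip through JSON as you would when storing the baseline
        # on known-good media and reading it back later.
        saved = json.loads(json.dumps(build_baseline(root)))
        # Simulated post-infection changes (constructed, not real malware).
        (root / "bin" / "app.exe").write_bytes(b"clean binary" + b"\x90" * 8)
        (root / "bin" / "helper.dll").write_bytes(b"dropped file")
        (root / "config.ini").unlink()
        return compare(saved, build_baseline(root))
```

Keep the baseline itself off the machine being checked (a DVD or a file on another system), otherwise a compromise can rewrite the checksums along with the files.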