Re: Virus/adware/spyware -- is there all-in-one protection in one program?
From: Lionel Fourquaux (use.reply.to_at_no-spam.invalid)
Date: 06/22/04
- In reply to: taff: "Re: Virus/adware/spyware -- is there all-in-one protection in one program?"
- Next in thread: Alun Jones [MSFT]: "Re: Virus/adware/spyware -- is there all-in-one protection in one program?"
- Reply: Alun Jones [MSFT]: "Re: Virus/adware/spyware -- is there all-in-one protection in one program?"
Date: Tue, 22 Jun 2004 23:13:16 +0200
[Note: I'm discussing the possibility of securing Windows without an
antivirus, but not advocating it. To all readers: DO NOT TRY THIS IF YOU
DON'T KNOW *EXACTLY* WHAT YOU ARE DOING.]

taff wrote:
> True, but virtually anyone with that level of knowledge would know
> what problems a virus can cause and would install protection.
> It is a lot safer and quicker than downloading and checking each email
> before opening, especially if like me you get maybe 40 or 50 a day,
> all genuine, plus the virus mails.

You don't need to check them manually. Just make sure that any virus
will be unable to execute. One way to do this is to run your e-mail
client as a restricted account, with write permission only for the mail
files and a directory for temporary files, a deny ACL for execution on
these directories and for reading the scripting DLLs. You can also use a
software restriction policy. And of course, read e-mails as plain text.

It's slightly paranoid, but short of a huge vulnerability in the OS,
_and_ a vulnerability in the e-mail client, e-mail viruses are blocked.
Since even an antivirus program can have bugs, I'm not sure it would
even be less secure than the same configuration with an antivirus.

For an interesting page on using limited user accounts, see
http://blogs.gotdotnet.com/ptorr/commentview.aspx/4fc434fe-9295-496e-a528-9042b8f577bd
(Note that the author mentions firewalls, but not antivirus software...
My guess is that he does use an antivirus as an added security, anyway,
but with such a configuration, he doesn't really _need_ it).

> Also, without a firewall, it does not matter how careful you are,
> something like MsBlast will be in like a shot before you have time to
> download the patches.

Yes, vulnerabilities in the OS are more critical in such a
configuration. However, if you set it up so that whenever possible
programs are run in limited accounts, you can greatly limit the number
of exploitable vulnerabilities. Moreover, you get a warning in this
case, since the virus is very likely to crash the program.

Stopping unnecessary services is also useful in this case, to reduce
your exposure. In fact, if you suppress all listening services, you'll
be safe from blaster-like viruses (unless there is a vulnerability in
the network stack itself --- in this case, you're in big trouble anyway).

And, of course, you can set up some kind of filter on network
connections (a firewall, or an IPSec strategy, or even both) to protect
the listening programs you want to keep.

In the end, a human being with proper tools and knowledge can be a
pretty good antivirus.

From what I've read, the future antivirus from MS will not be based on
signatures, but on analyzing the behavior of the running programs. It's
closer to an automated version of "keeping an eye on what your computer
is doing". I like this.
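
The restricted-account setup described in the message above (write access only to the mail files and a temporary directory, execution denied there, scripting DLLs unreadable) can be audited mechanically. The following is an added example, not part of the original post: it uses a simplified ACL model in which any matching deny overrides an allow, and the account name, paths and DLL list are constructed assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath as P

@dataclass(frozen=True)
class Ace:
    kind: str          # "allow" or "deny"
    account: str
    path: str          # applies to this path and everything below it
    rights: frozenset  # subset of {"read", "write", "execute"}

def under(path, base):
    # True if path is base or lies below it (Windows paths compare case-insensitively).
    return P(path) == P(base) or P(base) in P(path).parents

def effective(aces, account, path):
    """Rights the account holds on path. Simplification: a matching deny always wins."""
    allowed, denied = set(), set()
    for a in aces:
        if a.account == account and under(path, a.path):
            (allowed if a.kind == "allow" else denied).update(a.rights)
    return allowed - denied

def audit(aces, account, writable_ok, script_dlls):
    """List every place where the policy departs from the setup the post describes."""
    findings = []
    for path in sorted({a.path for a in aces if a.account == account}):
        rights = effective(aces, account, path)
        if "write" in rights and not any(under(path, w) for w in writable_ok):
            findings.append(f"unexpected write access: {path}")
        if {"write", "execute"} <= rights:
            findings.append(f"writable and executable: {path}")
    for dll in script_dlls:
        if "read" in effective(aces, account, dll):
            findings.append(f"scripting DLL readable: {dll}")
    return findings

# Constructed sample policies; account, directories and DLL names are assumptions.
ACCT = "mailuser"
WRITABLE = [r"C:\Mail\Store", r"C:\Mail\Temp"]
DLLS = [r"C:\Windows\System32\vbscript.dll", r"C:\Windows\System32\jscript.dll"]
WEAK = [
    Ace("allow", ACCT, "C:\\", frozenset({"read", "execute"})),
    Ace("allow", ACCT, WRITABLE[0], frozenset({"read", "write"})),
    Ace("allow", ACCT, WRITABLE[1], frozenset({"read", "write"})),
    Ace("allow", ACCT, r"C:\Documents and Settings\mailuser", frozenset({"read", "write"})),
]
HARDENED = (WEAK[:3]
            + [Ace("deny", ACCT, d, frozenset({"execute"})) for d in WRITABLE]
            + [Ace("deny", ACCT, d, frozenset({"read"})) for d in DLLS])
print(audit(WEAK, ACCT, WRITABLE, DLLS), audit(HARDENED, ACCT, WRITABLE, DLLS))
```

The weak policy fails because execute rights inherited from the drive root combine with write access on the mail directories, which is the combination the explicit deny entries remove.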