Being that I wasn't paying attention, here's the message I accidentally responded to in private e-mail rather than the list...

---------
----- Original Message -----
From: "Jeff Shultz" <jeffshultz@wvi.com>
To: <nanog@merit.edu>
Sent: Monday, November 24, 2003 1:46 PM
Subject: Re: Anit-Virus help for all of us??????
> You know that the best AV program in the world isn't going to amount to a hill of beans if the user doesn't 1. download updates, 2. run the occasional scan [1], and 3. pay for more updates past the 1-year mark (for those for which this is a requirement).
That's how they make money off of the antivirus stuff - the yearly subscriptions. Many people just go out and buy a new version of Norton whenever their defs expire (yeah, I've done that before for my personal machines, as sometimes they improve the detection stuff between versions - like Norton 2002 adds script protection and better e-mail virus filtering). The only completely and utterly free, with no catches or nagware, antivirus software I know of is clamav. But it's only for UNIX/Linux (although people have gotten it working in cygwin - I might just package it up for people and make an installer for it). It has an autoupdate script as well. If someone spent the time to play with it, who knows, it might be able to do realtime scanning. It's pretty fast too.
> Firewalls at least tend to be a bit more hands off... and I'd like to hear more about the "snake oil" parts. Doesn't the 1/2wall that XP ships with default to "disabled?"
Yep, though in SP2 for XP it will be turned on by default, IIRC. I actually like McAfee Personal Firewall Express (given away free by AOL to all of their users); I have it installed on my mother's Win98SE desktop and it works like a charm. Not that many features or controls, so it's slightly less confusing, but then again you can't do very complicated stuff with it either, so it's not good for everyone, but for someone like my mother it's more than enough. I just can't stand personal firewalls on my machines though - they have this nasty habit of either slowing down the machine or causing issues with the various tools I run. Being that my primary machine is a PII 266MHz laptop, I really can't handle a personal firewall dragging down my laptop.
> As for Malware... right now neither firewalls nor AV programs seem to stop its installation. Personally I wish that there was something that we could install on customer machines that would absolutely and totally block the installation of net.net stuff, to the point of deleting any installation files that have been downloaded.
> [1] When cleaning a customer's Nachi-infected machine, I discovered that the installed copy of NAV was completely up to date - but a system scan hadn't been run since July 2002.
Spybot SD is a nifty program, installs some protection against malware that gets delivered by IE, and is generally good at ripping it out if it does get in.

One thing that many people don't realize (from my personal experience) is that, contrary to popular belief, Win98SE is a good all-around desktop OS to use. It can run most things like productivity apps and games, and with 128-256MB of RAM it's quite fast even on an old laptop like mine. Unlike XP, it doesn't have a million services running, nor does it have the nasty UPnP stuff from WinME. I've run my Win98SE laptop with Norton Antivirus 2002, Outlook Express, and K-Meleon 0.8 (even with its more annoying bugs) as my primary browser and have never gotten infected by one of these mass mailing worms, or the DCOM exploits, or IE exploits, etc.

The one thing I should mention though - I have a user, a long time friend of mine; I got her set up with WinXP last year, patched her, then installed Norton Antivirus 2002, set it to autoupdate and do weekly scans (which, btw, are on by default, but I check nonetheless), and turned on the XP firewall and set it to block all inbound but RDP (so I could do remote management if she needed it). I also turned off auto-updating of Windows patches (since I've had situations where my customers' machines have been trashed because of bad/faulty patches). The machine survived the RPC/DCOM exploit nightmares as well as rounds of Outlook Express exploits with no problem. I only recently fully updated her machine with the latest patches (I didn't want to neglect her machine, but my recent bout of health problems and personal issues left me with no choice). Even if users don't take advantage of the built-in Windows Update because it's risky, you can still make sure that you have (autoupdated) AV and the XP firewall, and you *should* be OK for the most part. All you need to do is make sure it is turned on.

On a side note....
I've been developing a little GUI tool which automates the process of securing a machine - run it, and it turns on the XP firewall, turns off the Windows Messenger service, asks for the antivirus CD and auto-installs it quietly (only works with Norton right now) with all the important options turned on, has the option of downloading a list of the latest patches from our web server, and then downloads them from Microsoft (regardless of whether they were installed already, as I have found that sometimes Windows Update thinks a patch is installed when it's really not), then quietly installs them without user interaction, then forces the user to reboot. It's got some 'issues' in its current implementation, so I'm not comfortable with releasing it into the wild for people yet. That and the fact it only works on XP. It isn't *that* hard to put something together for your less clueful customers, as long as they agree to some sort of release of liability before running it. Not always possible, but who knows.

--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The AHBL - http://www.ahbl.org
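As an added example (not the author's tool, which is not on the page), the same hardening steps translated to PowerShell on current Windows: firewall on with inbound denied except RDP, a listening service disabled, AV definitions and last scan checked by date rather than by whether auto-update is "on" (the footnote's NAV case), and a required-patch list verified against what is actually installed rather than what Windows Update reports. Assumptions: Windows 10/11 with Microsoft Defender, an elevated prompt, and a constructed placeholder KB list.

```powershell
#Requires -RunAsAdministrator
# Added example, not the tool described in the message. Assumes Windows 10/11 with
# Microsoft Defender, run from an elevated prompt. The KB list is a constructed sample.

# 1. Host firewall on for every profile, default-deny inbound.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 2. Re-open only RDP inbound so the box can still be managed remotely.
$ruleName = 'Allow RDP (managed)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -Action Allow -Profile Domain,Private | Out-Null
}

# 3. Stop and disable services that should not be listening. 'Messenger' only exists
# on old Windows; services that are not present are skipped.
foreach ($svc in @('Messenger', 'RemoteRegistry')) {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc -StartupType Disabled
    }
}

# 4. Check definitions and last scan by date, not by whether auto-update is "on"
# (the footnote's case: NAV current, last scan more than a year old).
$mp = Get-MpComputerStatus
$defDays = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays
if ($defDays -gt 7) { Write-Warning "Definitions $([int]$defDays) days old"; Update-MpSignature }
if (-not $mp.QuickScanEndTime -or ((Get-Date) - $mp.QuickScanEndTime).TotalDays -gt 14) {
    Write-Warning 'No recent quick scan; starting one'
    Start-MpScan -ScanType QuickScan
}

# 5. Compare a required patch list against what is actually installed (Get-HotFix reads
# the installed-updates record, not the Windows Update history).
$required  = @('KB0000001', 'KB0000002')   # constructed placeholders, not real KBs
$installed = (Get-HotFix).HotFixID
$missing   = $required | Where-Object { $_ -notin $installed }
if ($missing) {
    Write-Warning "Not installed: $($missing -join ', ')"
    # Hand the list to your patch tool (WSUS, wusa.exe); this script only reports.
} else {
    Write-Output 'All required patches present.'
}
```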