Security Fix Live
Friday, July 28, 2006; 11:00 AM
Security Fix blogger Brian Krebs was online to answer your questions about the latest computer security threats and offer ways to protect yourself and your personal information.
A transcript follows.
____________________
Brian Krebs: Happy Friday everyone, and thanks for joining us for Security Fix Live. We're relatively light on questions so far, so if you've been itching to ask a security-related question, now would be an excellent time to drop it in the queue. So, without further ado....
_______________________
Bedford, MA: Are we (the online) users taking an undue risk if we use a free online virus protection like Avast? What are the shortfalls of these programs?
Thank you.
Dan Oblas
Brian Krebs: Hi Dan, nice question. Free anti-virus tools are pretty good, although they are perhaps a little better at on-demand virus scanning than real-time protection. What I mean by that is that tests have repeatedly shown many of the free anti-virus tools to lag a bit behind AV products like Kaspersky and NOD32 in pushing out anti-virus definitions that allow them to spot brand new online threats.
A few months back I wrote about the
of the various anti-virus products to the latest threats. It showed that on average AVAST and AVG (another free anti-virus tool) took about 8-10 hours to ship new updates.
That said, these free AV products will usually alert you if you try to open an infected file or if a trojan somehow gets installed on your machine after visiting a site.
Aside from the response times, I actually use AVG and AVAST on different systems I own because they don't have a huge footprint on the system for the most part, but your mileage may vary.
_______________________
Silver Spring, MD: Brian - I tried to install the Flash Player 9 update from Adobe on Internet Explorer, but it doesn't work, even though Add/Remove Programs shows it installed. The Adobe "about flash" page won't show a proper install, nor does it show Flash 8. I've tried uninstalling Flash 9 several times, but Add/Remove won't let me remove it at all. So I'm stuck in limbo - any suggestions?
Brian Krebs: Adobe recently released a stand-alone uninstaller to help people get Flash off their machines or to help clean up a bad uninstall/install. According to Adobe, the problem in some cases was that the installer didn't have the proper permission from the operating system to muck with the files:
"If you have a Windows Flash Player uninstaller downloaded prior to May 11, 2006 on your desktop, please delete it and download the latest version. The uninstaller has been updated to address Windows permission issues."
Try downloading the uninstaller from
.
See if that works. If it succeeds, then go ahead and try re-installing Flash. Good luck.
_______________________
Greenbelt, MD: Brian, Thanks for your columns. I appreciate all the useful information. I have a couple of questions:
1. A few weeks back, almost every other time I powered on my computer, Norton firewall would warn that an attack has been blocked using the Bla Trojan rule (UDP traffic on port 1042). My computer sits behind 2 routers and I have run port scan tests and they all report that all the ports on my machine are in stealth mode. Adaware, Spyware Blaster, Spybot and Windows Defender never found any problems at any point. A few days after that, my graphics adapter card died and I went back to integrated graphics. And since then I haven't had this warning. Do you have any insight into the issue?
2. I have a task run every night that defrags both the disks on my machine. But lately, I get a report that windows.tmp file could not be defragged. What can I do about this?
Thanks.
Brian Krebs: Greenbelt, I believe the firewall is merely telling you that it blocked this attack, most likely when you visited a site that tried to use an exploit to upload a Trojan to your machine. You didn't mention whether you have anti-virus software installed (maybe you also have Norton antivirus or Norton Internet Security?) so doing a full anti-virus scan would be a good idea, but my guess is Norton was just warning you that it blocked an attempt to install malware, nothing more (incidentally, if you'd prefer that Norton blocked these attacks silently without throwing up warnings all the time, I believe you can configure it to do so).
On your defrag question, you want to make sure you're not running any other programs while you're defragging the hard drive. Assuming you don't have a browser window open while you were trying to defrag, you might try right clicking on the hard drive icon, selecting "properties," and then "Disk Cleanup." When that comes up, it should have a series of check boxes: check the ones next to Temporary Internet Files and Temporary Files and then proceed. A defrag should not throw up that error again.
_______________________
Raleigh, NC: Will you be attending Black Hat and Defcon next week?
Brian Krebs: Hi Raleigh, yes, I will be attending both Black Hat and Defcon, back to back hacker conferences held in Vegas each year. Come find me: I'll be the guy in the cargo shorts, black shirt and green baseball cap (I'm sure that narrows it down to about 5-10 percent of the attendees ;). Or drop me a line if you're going (I extend that invitation to anyone who's going) and maybe I will see you there.
_______________________
Fairfax, VA: Is the only recovery from a rootkit installation the re-installation of the operating system? I have software applications installed that, because of a messy divorce, I no longer have the installation disks to. Will someone eventually figure out a way to "cookie-cutter" out this mess? (In the meantime ... I'm using another computer.)
Brian Krebs: If you know that there is a rootkit on your machine, that's some serious bad news for the OS itself. Most security pros would consider that a total system compromise (meaning you can no longer trust even simple system management tools and commands to tell you the truth about what's really on your system). Most pros would probably tell you to just flatten the machine (back up important files) and re-install. In your case, you don't have the install discs so that could be problematic (unless you have a friend with a copy of the install disc and you have a valid license number....maybe stickered to the underside or side of the PC).
You might consider installing an open-source operating system that isn't so difficult for typical Windows users to manage. Ubuntu is a good start. They also have a "live cd" install, which allows you to run the entire OS off of the CD. If you need to save files, you can configure it to save to a USB drive or whatever media you'd like. There are tons of the live cd distros out there. Might be time to give them a spin. Good luck.
_______________________
Lake Ridge VA: A couple of weeks ago, Microsoft announced a security fix would be coming out very quickly for a major security problem with PowerPoint.
Have you heard anything more about it? I logged on to their Updates websites and came up with zip.
Bob Richardson
Brian Krebs: Hi Bob. Yes, Microsoft said it would issue a patch to fix a serious security hole in PowerPoint that we have seen being exploited in the wild. But this was first spotted the day after Microsoft released its patches this month. In all likelihood, the bad guys are waiting to exploit new flaws they find until directly after Microsoft issues updates, to give them more time to use these exploits before Microsoft puts out its next month's patches. While Microsoft could issue a patch for the PowerPoint flaw earlier, in all likelihood you will not see this update until Aug. 8, the next time it is scheduled to release patches.
In the meantime, you should just be vigilant about opening e-mail attachments. Scan any that you do want to open with up to date anti-virus, or better yet -- send it for a scan over to VirusTotal, which lets you upload suspicious files and will run them against nearly 30 different anti-virus engines. If you work with PowerPoint files a lot and typically receive them through e-mail, you might consider using Microsoft's Free Powerpoint viewer, which it claims is not vulnerable to this. Or, you might consider switching to
, a free alternative to Microsoft Office. You can open, view, edit, etc. all of the same files that you can in Office.
_______________________
Cody, Wyoming: Hi Brian -- thanks for your great columns. Your information has been a real lifesaver for me!
I use Webroot's Spysweeper software for my antispyware program. I'm pleased with it except for one baffling, albeit minor, problem. I have the automatic update option selected. But it doesn't work. I have to manually update the definitions.
Webroot told me my firewall was interfering with the updates. The answer, they said, was to disable my firewall.
That sounds absolutely insane to me. What do you think?
Brian Krebs: Does your PC sit behind a router, like a wireless router? If so, most of those come with built-in firewalls that do a great job of blocking in-bound unwanted traffic. If so, you should be fine turning off the software firewall (which helps block unwanted traffic going BOTH ways) just to test and see whether it is indeed the problem -- though I'm not sure there is a way to force it to auto-update itself aside from manually updating.
To your question, it IS a crazy response, but it's one that you'll find all too often from tech support people. Whenever possible, they like to blame the problem on somebody else's program, or the OS itself. Of course, sometimes they're correct, but I've heard and read that kind of advice all the time, where tech support tells people to turn off their firewalls without emphasizing that this should not be an end-all answer to resolving the problem (i.e., they typically don't remind people that this should be a temporary step, or to re-enable the firewall at some point). Companies should be able to make their SECURITY software play nice with other common security software, like firewalls, but this is a constant issue it seems.
That said, check which programs you have allowed in your firewall settings. You may need to monkey with the settings for SpySweeper's listing in the firewall config to get this to work.
_______________________
Seth Vienna, VA: Hi Brian,
I recently installed a Linksys wireless router, which contains a firewall. I therefore uninstalled Zone Alarm. But now I am wondering if I should reinstall it as a backup, or is that overkill? Thanks.
Brian Krebs: Hello Seth. I answer this question almost every time I do this chat. It's important to understand the distinction between hardware and software firewalls. Hardware firewalls -- the kind that come built-in to many wireless routers that you have there -- are good at blocking inbound traffic, but they typically don't do a lot by default to filter outgoing traffic, and as a result if something nasty does make it onto your machine, that program is free to "phone home" for updates, to send data out of your machine, etc. Software firewalls, like ZoneAlarm and others (you can find a number of free firewall tools listed here) allow you to choose which programs on your computer should be allowed to communicate with someone or something else online.
So, I advise Windows users to avail themselves of both a hardware and software firewall. If you use both, chances are you will not notice anything if you look in the software firewall's incoming logs -- that's because the hardware firewall takes care of that for the most part. What you will see when you install a software firewall are pop up alerts asking you whether you want to allow a certain file to access the web. If you don't know what that certain file or program name does, google it before proceeding so that you can make an informed choice about what's being allowed to communicate over the Web using your connection.
I've long relied on
, a free tool from Sysinternals to help manage this process (it tries to list the maker of each program running on your machine). This company was recently purchased by Microsoft, so who knows how much longer these tools will be free. If Microsoft is smart they will replace their woefully inadequate and dated "Task Manager" tool with this incredibly useful program, but who knows. Go download it while you still can.
_______________________
Greenbelt, MD: Thanks for answering my question about the Bla Trojan warning. I do have AVG anti-virus software running on the machine. But the warning always happened when I power up! Does that mean the trojan could already be on my system and Norton blocks it from going out? Or could it be some legitimate traffic which Norton takes the safe approach of blocking?
Brian Krebs: When was the last time you updated AVG and ran a full system scan? You might consider doing a free online virus scan from either Microsoft and/or Panda antivirus (if you use Panda, make sure to give them an e-mail address that you don't mind getting lots of spam from).
Trojans are generally small programs that open the door on your machine to other malicious programs, and typically are programmed to fetch malicious files from some malware install site. It could be that you do have a trojan on your machine that's trying to contact a download site, and that is why you are receiving this alert.
Also...Have you looked at
before? It's a wonderful free tool that lets you have total control over what programs are allowed to start up when you boot the machine. You might do research on anything unfamiliar in that list, or visit any one of several online security help forums if you don't know how to use this tool.
a quick and dirty tutorial for using this powerful program.
_______________________
Baltimore, MD: I have a new Dell Windows XP Prof. It came installed with Mcafee. I tried to install Norton Security and when I do, it takes me off the internet and outlook mail. I am a new user so would I uninstall Mcafee and try again to install Norton Security if I can't have both on the computer?
Thanks for your help!
Brian Krebs: You definitely cannot have two anti-virus programs actively installed and running on the machine at one time. I mean, you may be able to, but you certainly would not be happy with the results (the two programs would be at constant war with each other).
You should be able to uninstall McAfee through the Add/Remove Programs list (in Win XP it's "Start, Settings, Control Panel, Add/Remove Programs"). Make sure it completely uninstalls before trying to install any other anti-virus product (check the Add/Remove list again: sometimes these security tools uninstalls take two tries to get all the programs).
_______________________
Reston, VA: Hello, is it spyware or a virus that may be causing my laptop to be excruciatingly slow on the uptake? I have a three-year old Sony Vaio, and I've diskcleaned and defragged, run Avast, Adaware and Spybot, practically emptied the hard drive and uninstalled unnecessary programs. I'm not very technically savvy, and I don't know what else to do to make it just run normally.
Thanks!
Shenshen
Brian Krebs: Hi Reston. Sometimes, Windows machines become sluggish because they're constantly trying to load old device drivers for devices no longer connected to the machine; other times remnants of programs get left behind and clutter up the system registry, causing slowness. I've found that after several years (even of super-cautious use), Windows machines tend to need a whole-PC tuneup, and by that I mean a general backing up of the data and reinstalling the operating system. It stinks, it's laborious and time-consuming, but it usually clears up any sluggishness (and potential malware) problems. I know this isn't the most elegant answer, but it's pretty effective.
_______________________
Rockville, Maryland: Sysinternals is great - but I got lost. What is the program name?
Thanks,
Gary
Brian Krebs: The program name I mentioned was Process Explorer. You can get it from here.
_______________________
Sacramento, CA: Brian, where can I find a list of IP address blocks by country. I want to block all contact with countries that seem to house most of the threats out there. Example: Russia, most of Eastern Europe, Brazil, etc... I have no need to surf or contact anyone in those nations so blocking them poses no problems for me.
Brian Krebs: Err..sure. Try these:
(kind of dated).
(not free)
and
Good luck.
_______________________
Brian Krebs: That's all we've got time for today, folks. Thanks to everyone who contributed to this discussion, and to all you loyal Security Fix readers who help make the blog a real community.
_______________________
Editor's Note: washingtonpost.com moderators retain editorial control over Live Online discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.