Security Fix Blogger
Friday, September 14, 2007 11:00 AM
The transcript follows.
Brian Krebs: Happy Friday, dear Security Fix readers. We've got a few questions already but could probably handle a few more with the hour that we have, so do your worst! But please try to be as specific as possible in describing the problem you're having, and include information about the security software you have in place, and wherever possible information about the operating system, any error messages, etc.
Mark, Columbus, Ohio: When my Norton Anti Virus subscription runs out early next year, I would like to download and install free AVG for my AV protection. My NAV is part of Norton System Works 2005, of which NAV is about the only program I still use.
Do I download and install the AVG first and then uninstall NSW? Does AVG have any "issues" with the free Zone Alarms firewall, Lavasoft's Ad-Aware or Sypbot Search-and-Destroy (I run all three)? How difficult is it to do a complete NSW uninstall, and should it be done with the Windows add/remove utility? If so, will the uninstall remove all traces of NSW, or at least everything that might clash with AVG? How do I do all this without temporarily exposing my system to infection? What's the safest, simplest, most effective way to accomplish all of the above?
Brian Krebs: You should never try to have two active anti-virus programs running on your machine at the same time. Most anti-virus programs don't play nice together, and can cause system instability and slowness if competing for supremacy on your Windows machines.
You should definitely uninstall Norton and its components via the add/remove programs feature (including Live Update), BEFORE installing AVG. You may need to run Norton's removal tool to fully get rid of all the Norton files that sometimes linger. That tool is available here. Reboot, of course, before installing AV or any other software. Good luck!
Raleigh, N.C.: Please help. I am trying to disable McAfee security Center Ver 8. I have a PC with Windows XP SP2. For some unexplained reasons McAfee has removed the option to right click on McAfee icon and just close the program temporarily. I tried to kill the processes using services.msc but I still couldn't do it. I also contacted their customer service but they were of no help. Do you have suggestion for me? Thanks.
Brian Krebs: Hrm. Curious as to why services.msc would not let you do that. Have you tried terminating the processes started by McAfee, via the Windows Task Manager (in Windows XP, hit Ctrl-Alt-Del keys all at once). It may not be obvious which running processes are associated with McAfee, so you might consider grabbing the free Process Explorer which should tell you which company is responsible for which process. You can use PE also to terminate running processes.
Barberton, Ohio: Brian, you supply extremely useful information and I enjoy reading your column and live chats. I'm using an IBM Thinkpad T43 running Windows XP Professional with SP2, Microsoft Office Enterprise 2007, Avast anti-spyware along with AdAware Plus.
I have taken your advice and created a limited user account. However I have encountered a couple of issues. The first is that I can not receive updates for the Firefox browser. I receive a pop up that indicates that it can not load the update and to check if this account has the necessary security to load updates.
The second question relates to Microsoft Outlook-I can not view any of my mail, I can send and receive, just not view the mail that is currently in my in and out boxes. Thanks!
Brian Krebs: Good on ya for going the limited user route, but I totally understand your frustration: unfortunately, even Microsoft doesn't make it easy to run its own software under a limited user account.
As I've covered in at least two previous chats, there is a Java component of Firefox that is not updating correctly with the latest version, but you should still be able to receive updates to the browser itself (and add-ons) while using Firefox under a limited user account. I've never had any problems updating Firefox under a LU account, with one exception and that was a major release. Version 220.127.116.11 is the latest (check yours by going to "Help" and then "About Firefox."
There appears to be a longish thread at Mozillazine about updating problems with Firefox. It seems sometimes various security software can interfere with updates. Check out this thread for some suggestions. If all else fails, you might try a reinstall of Firefox.
Question: Did you install Office 2007 using the "Run as" option while logged in under the limited user account, or did you install it from the admin account? If the former, you should uninstall and reinstall it using the admin account and see if that fixes things. If the latter, you mgiht try temporarily changing your limited account to an admin account, and then logging in and launching Office to see if it needs to install any additional components. If you can view mail using the admin account, switch it back to a limited user account and see if anything's changed.
If you have purchased Office 2007 -- which is not a cheap piece of software by any stretch -- I believe you're entitled to support from them. You should take your problem to Microsoft and get them to fix it. I'm sorry I don't have a better answer for you on that.
Northwest, D.C.: Hi Brian. I think todays computers are TOO high security settings. Straining mechanical device to temporary and eventual permanent failure.
Daily cleaning seems best solution for home user. Simplify to more tolerant security level selected for better performance.
Brian Krebs: Er...okay. Thanks for the comment, D.C.
Eastampton, N.J.: Secunia software inspector keeps reporting that I have older versions of Macromedia, and that I should update to Adobes latest version. I have the latest Adobe version,(for XP) but I cannot get rid of the older Macromedia versions via remove software in the control panel. Is this a problem? If so, how do I get rid of the older versions? Thanks
Brian Krebs: You might try Adobe's handy Flash Removal Tool. I've not played with this tool, so I can't tell you how to use it, but it may well remove all instances of Flash from your machine. You'll need to close out of any open browsers before running it.
Alternatively, you may be able to get rid of older versions of the Flash plugin for your browser by managing plug-ins. In IE7, go to "Tools", "Manage Add-ons" and then "Enable/Disable Add-ons" (this is slightly different in IE6).
Lagos, Nigeria: Great blog. Microsoft finally axed "Autopatcher". Such a good thing to have. Heise "Do it yourself service pack" is a more difficult thing to use. My operating system is Windows XP Home with SP2. Do you have an alternative? Any tips about using Heise for a computer newbie like myself? Hope Microsoft will spare Heise. Oluade
Brian Krebs: Thanks, Lagos. Nice to know I have readers there!
Yes, autopatcher was a very nice tool, and it's a shame Microsoft's lawyers perceived it as a threat or some kind of trademark infringement. The reader is talking about the Do-it-Yourself-Service Pack, from the security forum Heise-Security.co.uk.
Yes, autopatcher was pretty user-friendly. And there are alternatives, but they're not I don't think any more or less complicated than the Heise solution. But IMO, the Heise method isn't actually that hard if you read through the instructions once or twice before starting, kind of like you'd do with a recipe you've never made before. I was able to put together a nice update package on a CD with few problems using their method.
Ithaca, N.Y.: Brian, thanks for your great column and advice. Here is my question: I have a Win XP home computer setup with a limited user account for my elementary age kids, which they use for educational software, web browsing, etc. As you have noted previously, many programs will not run nicely under such an account. As I do not want them to be running the computer as an admin, I am looking for a way to have only certain program be run as the admin. Win XP has the 'Run As' option, but you must enter in the username and password each time you want to run the program, which is not what I want. I would prefer to be able to create a shortcut that would start the program under admin access. Previous user comments on your 'DropMyRights' entry pointed to Psexec from SysInternals, but I couldn't get that to work. Any other suggestions?
Brian Krebs: Hi Ithaca. Thanks for the praise. Drop My Rights is for people who want to run system for everyday use under an all-powerful administrator account but want to lower the rights of certain programs, such as the Web browser or instant messenger software.
You might consider a program/script called Make Me Admin which I believe accomplishes what you're seeking. This process is not as hard as it sounds, but you'd do well to read that entire post before proceeding. It's not as hard as it sounds to put into action, and you might learn best how to do it just by giving it a shot and following the directions. Best of luck!
Annapolis, Md.: Is Skype susceptible to an executable virus prompted by a message that appears when you are online? I use Skype to communicate by video and audio with my wife in Baghdad.
Brian Krebs: Well, not sure why you've be receiving messages if you were offline. Perhaps I misunderstood your question. At any rate, don't know if you saw my blog post from earlier this week, but there IS a Skype worm going around that arrives in an Skype instant message. See this post here for more information on that.
Washington: I've gotten involved in the demi-mond of bit torrent file sharing. Do I need to be concerned about various nasties coming over with the files? Does it matter that I have a Mac instead of a PC?
Brian Krebs: If you're downloading mp3s and movies, probably not too much of a risk, but there is enough risk in downloading files of completely unknown origin to make this practice one of eventual Russian roulette, IMHO.
My guess is that the risk goes up exponentially when you're talking about downloading executable files. The same is true for DMG (image) files on Mac, although your risk is probably far lower than those of Windows users, simply because there don't appear to be many malware writers attacking the Mac platform at the moment.
Hastings/UK: Why are Mac Computers less prone to security problems, is it just the operating system of the fact they cost more and hackers use Microsoft Computers and does this apply encryption hacking.
Brian Krebs: This is a tough question to answer definitively. The die-hard mac fanatics will tell you that of course it's because Macs are more secure that nobody attacks them, and that the old market share argument is just sour-grapes wishy-washy thinking from jealous Windows users. That line of thinking says virus, Trojan, worm writers don't attack Mac users because they simply aren't able to figure a way around Apple's superiorly-secure OS, and that in any event even if attackers somehow did manage to pierce Apple's rock-solid armor, that Steve Jobs himself would come down from the clouds and smite the miscreants into oblivion.
The more rational explanation holds that malware writers have far more experience attacking Windows users, but more importantly that there are orders of magnitude greater numbers of Windows users out there.
If you're a virus writer or hacker who is making tens of thousands of dollars duping Windows users into installing software or by exploiting unpatched holes in Internet Exploder, why would you bother to devise exploits to go after a relatively tiny fraction of Mac users? The answer: you wouldn't.
Glastonbury, Conn.: Hi Brian, can you tell me which of the free antivirus software you noted in the recent AOL article you would choose first (Antivir Personal Edition Classic, AVAST Home Edition, BitDefender Free, Clamwin Free, and Grisoft's AVG Free were the ones you noted)? Also what about free firewall software. And are these free programs good enough vs spending the money on some of the name brands out there?
Brian Krebs: Anti-vir has consistently performed the best in anti-virus tests, even compared to many of its non-free rivals.
As for free firewalls, I mentioned some alternatives in this chat here.
I'd say these free alternatives are definitely "good enough" for the average user. If you want more full featured software -- which allows you write custom rule sets and things like that -- you may need to opt for non-free alternatives. But for most users, the free versions should do just fine.
Glastonbury, Conn.: Another question, When I run under my limited user account and am using Internet explorer, is it a sure thing that any MS security updates I've applied using the admin account are also applied to the limited user account such that IE in the limited user account is fully up to date too. I would think so, but the other day I somehow got a MS pop-up that appeared to want to run me thru the MS update with updates I've already done in the admin acct.
Brian Krebs: Yes, if you applied the Windows Updates logged in using the admin account, they will be also applied for your limited account as well. These are system-wide file changes, not user-level changes.
It may be that the prompt you saw was nothing more than the Microsoft Malicious Software Removal Tool wanting to install an update or something. There have been malware in the past that try to mimic those alerts in your system try to get you to buy some security software, etc. If you get such a pop-up while logged in under the limited user account, pop on over to the admin account and see if you receive the same prompt.
San Antonio, Tex.: Brian, Our website was hacked by a hacker calling him/herself the Jackal. Spygrup.org was left as the calling card. It seems they hacked through the flash application on the page? Should this be reported to Cyber crime unit of FBI and is there anything we can do to prevent this hacking? Thank you.
Brian Krebs: You can and should report it. You can file an incident report at the Internet crime Complaint Center. But I wouldn't expect anyone to do anything about it. Unless you can prove there were many thousands of dollars worth of damages, the feds aren't going to be able to help you.
As for what you can do to make sure your site doesn't get hacked again, there are a couple of good and free Web vulnerability scanners that you can use to make sure your site is not running on software that is outdated and full of security holes (PHP code is riddled with holes that malicious hackers will use to take over your site if you're running outdated code).
Check out Nessus, a comprehensive Web vulnerability scanner; there are downloads for Linux, Mac and Windows. Wikto, a Windows-based Web site vulnerability scanner. Nikto is another vulnerability scanner that works on Linux and Windows (although it has some dependencies and is maybe not as newbie-friendly). There is also a very slick Mac version of Nikto, called -- fittingly -- MacNikto.
They may seem overwhelming at first, but if you read the documentation, it's not that hard to use these tools, and you can harden your site pretty well with regular use.
Burke, Va.: Suddenly, when I send an email with a .pdf document attached (one I have scanned on my home scanner and which appears as a .pdf when I send the email), the recipient receives 8-10 copies of the email which is completely garbled and the attachment is in an indecipherable .dat format. This does not happen with plain emails or emails to which I attach .doc attachments. Any thoughts? Thank you (and thanks for all these chats).
Brian Krebs: You didn't say which e-mail client you're using, but I'm going to take a wild guess and say Outlook or Outlook Express. I doubt you will have this problem with a free mail client such as Mozilla's Thunderbird.
Have you tried sending the PDF in an e-mail with another e-mail account, such as Gmail or Hotmail or Yahoo! Mail, and see if that works? It may be the file is too big and your ISP has a limit on how big attachments can be, and so some of the file is getting stripped out, and the e-mail client doesn't know what to do with it, so it renames it a .dat file.
If all else fails, there is a free .dat file decoder you can download and use to re-claim files that get morphed into .dat files. Check it out here.
Brian Krebs: That's all the time I have today, dear readers. A big "Thanks!" to all who stopped by to read or contribute questions. Hope you'll join me again in two-week's time for another Security Fix Live. Until then, please stop by the Security Fix blog for your daily dose of security news and tips.
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.