Security Fix Blogger
Friday, October 26, 2007 11:00 AM
A transcript follows.
Brian Krebs: Happy Friday, dear Security Fix readers, and welcome once again to Security Fix Live. It helps me a great deal in answering questions about PC security problems if you can include as much information as possible about your system setup, what types of security software you have installed, any error messages, that sort of thing. Without further delay, I will jump right in...
Ann Arbor, Mich.: Hello Brian,
I am having difficulty getting my PC to automatically "sync" with an internet time server. I find I have to reset the clock each time I turn the PC on- it defaults to January 2000.
A few weeks ago while on vacation I completely shut down my PC, printer, etc. and disconnected the electricity. Prior to that the clock on this PC synched up automatically.
I have broadband, and the connection to this PC comes through a standard router (not wireless). We use Windows XP, McAfee's antivirus and firewall, and I also use Windows Defender and the update service. McAfee support says it's not their firewall that's the problem. I can't find any useful info in the labyrinthine Windows support online either.
I've tried several different time servers, including time-a.nist.gov and time.windows.com. They work fine but I have to manually synchronize them each day.
Thanks for any recommendations you can provide, and thank you for your great service! Horatio
Brian Krebs: Hello Horatio. I had a similar problem with a PC I built nearly 4 years ago. After much troubleshooting, I found that it had to do with the small battery that is included on the computer's motherboard. This watch-sized battery is what powers the system's BIOS, which keeps track of all kinds of system settings even when the PC is turned off. Among the things that it keeps track of is system time. If the battery starts to fail, so will your PC's ability to keep track of the current time.
One thing to check before replacing the battery is to ensure that the Windows service that manages time on your system is enabled. Go to "Start," and then click "Run." In the box that pops up, type "services.msc" without the quotes. Scroll down the list that pops up to "Windows Time" and make sure that it is set to start automatically. If it's not, you can enable it by right-clicking on the entry, selecting Properties, and then changing the "startup type" entry to Automatic.
If it was already enabled, you might try this: Shut down the machine. Unplug everything. Ground yourself by touching something metallic, or use a grounding strap if you have one. Open up the machine and gently remove the battery from the motherboard (these can sometimes be difficult to remove, so be careful that you don't force it or touch other parts of the motherboard.) Examine the markings on the battery and write them down. Go buy yourself another identical battery, replace it and see if that fixes your problem.
If that doesn't fix it, I'd recommend a simple program called Atom Time, which will sit in your system tray and periodically sync your system's time with an atomic clock server. It works very well. Good luck.
Portland, Ore.: There's a freeware program called Daemon Tools rootkit that is supposed to mount an ISO file as a virtual drive, thereby allowing its ripped and decoded movie contents to be played as if it were a movie on the original DVD.
Is this the sort of rootkit that might make a computer vulnerable to third party malware, similar to the Sony rootkit problem of a couple of years ago?
Brian Krebs: I don't have personal experience with or knowledge of the tool you're asking about, but I for one would be hesitant about any program that includes the word "rootkit" in its title. I am not aware of specific security issues introduced by this program.
But if I understand the thrust of your question, it would appear this program operates similarly to Alcohol, a commercial program that operates at a very low level of the operating system to subvert copy protection technologies on DVDs and games. Alcohol, for example, does its work by loading a driver into Windows when the system is initially booting up.
It's important to understand that any application that loads itself at that level -- including anti-virus programs and other security software -- has the potential to be an attack vector if attackers know how to exploit a vulnerability in the drivers to load other software at boot-up.
I'd be more concerned if I were you about what happens when you try to remove such a program. I had experience with a system once that had Alcohol installed, and the machine would not get past the initial stages of boot up, even in Windows Safe Mode. Turns out, the guy had just uninstalled Alcohol, but there were some registry entries that were still trying to load the Alcohol driver. The fix was to manually remove the driver, but it took a bit of work and probably would not have been obvious to the average user (I also had to do some extensive Googling on another machine to find the fix).
New Albany, Ohio: The "used" IBM computer I just bought from IBM has Norton Anti-virus pre-installed. But I am happy with a free copy of AVG software. I can't seem to erase enough of the Norton to stop it from continuing to check my e-mails ahead of AVG and I don't like the continuing requests to purchase an upgrade from Norton.
How do I completely erase Norton? Thanks.
Brian Krebs: Norton products are notorious for leaving system files and programs all over the place after removal. For the longest time, even if you Add/Removed/uninstalled Norton Anti-virus or Internet Security, it would leave behind update components (e.g., Live Update). I don't know whether that's still the case, but in any event it is quite annoying.
Symantec offers an uninstall utility that should be downloaded and run by anyone who wishes to completely remove a Norton product. Download it from this link here.
McKinney, Tex.: Hey Brian-
Thanks for all you do to keep us up-to-date on computer security issues. These discussions have helped me out numerous times.
My question: in addition to being the computer administrator for the 4 computers in our household, I am also the system administrator for my Mom and 3 of my sisters. So every time one of them has a computer problem, I have to get in my car and drive 20-30 miles to resolve the issue. Is there any software program you know of that I could SAFELY use to access their PCs from my house instead of going to their homes in person?
Brian Krebs: Great question, Texas, thanks. There are plenty of options.
There are several free programs you can use to remotely administer a machine. One is even built into Windows: Remote Assistance. Microsoft has a tutorial on how to use this program here. I recently had trouble getting this program to work on a family member's machine, but your mileage may vary.
You could also download and use something like RealVNC or TightVNC, both free tools, I believe. That involves setting up a server on the remote machine and connecting to it via a special username and password. There are also commercial services such as LogMeIn Free, which is probably the easiest to use for everyone concerned (easy to set up, and very easy to administer).
All of these tools allow you to administer a machine remotely from your PC, such that what you see on your screen is the other person's desktop. You can literally drive their PC from afar and do everything that they can do.
A couple of suggestions before you deploy any of these tools. Sometimes they don't play very nicely with installed security software, such as firewalls and the like. It's often tempting to disable security software to get these tools to work properly, but I'd advise against that if at all possible. Best bet for using these tools through a software firewall is -- if possible -- create custom rule sets that allow your PC and yours only to remotely access the target machine.
Also, make sure that whatever program you use is not set up to start automatically when the system starts up. In addition, for any remote control tools, be sure to set a strong password.
Boonsboro, Md.: I continually get nag notices from McAfee SpamKiller that my subscription has expired. I don't want this stuff, but there does not seem to be any uninstall for this software. Any idea on how to stop the pain?
Brian Krebs: Yep. Download the McAfee Spamkiller removal tool, available here.
Lorton, Va.: May I ask about Linux?
Brian Krebs: You may.
Honolulu, Hawaii: Aloha Brian,
I've installed Mozilla Firefox (126.96.36.199). However, in Control Panel, Add or Remove Programs, I see Mozilla Firefox (188.8.131.52) and (184.108.40.206).
Question: Can I remove these two extraneous programs and still have 220.127.116.11 operate? Thanks.
Brian Krebs: How odd. I see no reason why you shouldn't be able to remove these older versions without problems, but before you do that, you might want to back up your Firefox profile....just in case something goes wrong.
Ann Arbor, Mich.: Thanks for the suggestions Brian. On a related matter: So it's probably not a conflict caused by using both McAfee's Security Center (provided by Comcast) and also a Windows firewall/Defender setup?
I have seen you recommend just using one firewall but I'm not sure which one to turn off. Thanks again, Horatio
Brian Krebs: Yes, you really don't want two firewalls running at once. If you've got McAfee's firewall turned on, you can probably safely turn off Windows firewall.
Ft. Dix, N.J.: I am in the Army. I bought my first computer ever from Dell less than a year ago. This is the first time I've seen anything like this site and have a zillion questions. I guess the best thing for me is to ask where and/or how to start my computer education.
I didn't get wireless access as I feared security breaches. I visualize my signal floating around for anyone to reach out and access.
I've spoken to someone who said there's a way, with the stick-looking or card-type wireless access plug-in accessory, to put a padlock (idea) on my signal. He said he could show me. He also told me of ghosting but discouraged this for me. He explained how he did that and it took him 30 minutes to find his access door.
I do understand some computer characteristics such as there being doors and having to know how to find them and how to knock on them in order to be able to access what is on the other side, although I'm still trying to learn how to do these things.
I've run into the problem of not being able to access things because of not having admin access or authority or something. Probably because of the military security?
Any help or direction is greatly appreciated. Thank you, SSG
Brian Krebs: Hi Ft. Dix, thanks for dropping by. I'm glad you found us.
Might I recommend that you spend a little time looking through some of the Security Fix Live chat archives? I think you'll find that I've addressed the issue of wireless security on a number of occasions. You will also find there discussion on a great number of other entry-level security topics that may interest you. If you have more specific questions, please don't hesitate to ask them here.
Lorton, Va.: I want to learn how to use Linux. Is a Live CD the best without committing to installing it?
Do you have a distro you personally find easier to learn from than others?
You have saved me so much grief by your security help that I feel I can rely on you for this more than other folk I know.
Brian Krebs: YES YES YES YES and YES. Anyone who is considering installing Linux should definitely get their feet wet with any one of hundreds of Live CD distributions. Burn them on to a CD, pop them in the drive, and off you go.
For beginners, I'd recommend plain old Knoppix, which is remarkably compatible with most system hardware, and now I believe even makes it much easier to use with wireless networks (although that may still be tricky). Ubuntu Live is also very nice, user-friendly, and pretty to look at.
Owings, Md.: Hi Brian,
I recently installed a Zone Alarm Wireless Router that comes with a firewall and Gateway Antivirus. It seems to be working great. I also have Zone Alarm Security Suite (ZASS) on my PC. Since the installation, ZASS does not have any firewall blocks (they must be stopped at the gateway). Do I still need the antivirus protection and firewall on my PC, or is the router sufficient? Also, if you know anything about the router as far as its effectiveness, I would like to hear or read about it.
Brian Krebs: This is among the most common questions I get, but it deserves answering now and again because it's pretty fundamental.
Zone Alarm isn't recording anything in its incoming logs because all the unwanted traffic is being blocked by the hardware firewall, which simply drops/ignores any external/incoming communication that was not initiated by you. Most hardware firewalls are exceptionally good at their jobs.
But the hardware firewall isn't likely to do much to stop an unwanted program that might make it onto your machine from being able to use your Internet connection to dial out, phone home, download other programs or transmit stolen data out of your machine. So, a software firewall is an essential part of the security defenses for any system, because it lets you control which programs should be allowed to use your internet connection, and they can often alert you to malicious activity on your machine.
Hope that clears things up for you.
Lorton, Va.: Is Clamwin as good a virus detector as commercial SW?
Brian Krebs: It's difficult to say, and I'm not terribly interested in doling out recommendations on anti-virus software. I use NOD32 on two PCs and am quite happy with it. Your mileage may vary.
Clamwin is free, and for the cost, it's probably pretty good. There are other free tools out there that probably perform about the same. As to whether free tools perform as well as commercial software, the tests so far are fairly inconclusive. Just having SOME KIND of anti-virus software installed and kept current is critical.
Bear in mind that antivirus software is no substitute for using common sense -- not opening e-mail attachments in messages you weren't expecting, scanning all files you download before opening them, and staying away from file-swapping sites.
PQ, D.C.: So this isn't quite a computer security question, hopefully you can still help.
For data archiving on DVD, is there a preferred format between DVD-R and DVD+R? The RW won't work for my purposes. Thanks.
Brian Krebs: It doesn't really matter. Depending on which model (how old) your DVD burner is, it may matter. Most semi-recent DVD burners are fairly agnostic on the +R or -R format, while older burners may require one over the other.
Columbus, Ohio: I have long followed reports of security concerns from Adobe Reader. I have also put up with the program's slow load because I knew of no alternative. Then, the other day, the program started downloading and installing its 8.1.1 version with no prompt to, nor permission from, me--something I did not know it could do. I don't recall setting any such default capability, and I wouldn't even if I knew how.
Last straw time? Maybe. Will I be happy installing Foxit to read pdfs? How do I thoroughly uninstall Adobe Reader with no program residue left? If I uninstall Adobe Reader, will that bollix up the Adobe flash players installed on my system? Will I still be able to "print" documents to Win2pdf (i.e. create pdfs) and have them readable on Foxit? Your guidance appreciated.
Brian Krebs: Will you be happy with Foxit? I can't answer that for you. Was I? You betcha. It being free and all...you'd be silly not to give it a try, given your expressed fatigue with Adobe.
I received feedback from some readers about a year ago when I first started recommending Foxit that they had trouble printing documents, but I don't think that's a problem in the current version. But, as I said, give it a try.
Uninstalling Adobe Reader should not interfere with your ability to view Flash programs or videos. Two separate applications there.
Minneapolis: What is your favorite offline backup software for Windows? (I have been considering Norton Ghost 12, and similar programs.)
Brian Krebs: I use Acronis and have been quite happy with it (aside from the very first version I bought, 8.x, which had some issues with the boot disk). But Norton Ghost is an excellent tool, really probably Symantec's best product, as far as I'm concerned.
What matters more than the brand of software you use is that you in fact do use some kind of backup solution, and create reminders for yourself to create periodic backups (or set it up to do it automatically).
Southwest, Va.: It is time for renewal of ZoneAlarm firewall. I have Norton Corp AV. Would it benefit me to go to Zonelabs or Norton's combined product? I am partial to Zonelabs because I have seen Norton's combined product drag a computer down. Any experience with any really decent products that don't eat CPU time when using a laptop?
Thanks for the informative chats.
Brian Krebs: I am not a huge fan of software security suites, as they all tend to noticeably slow down machines, even quite powerful/fast ones. Many times this is because they include everything but the kitchen sink, when often times the user just wants one or two of the suite's functionalities. So I wouldn't want to recommend one over the other.
I use stand-alone antivirus and firewall products on most of my machines, mainly because I believe in diversity but also because basically every software suite I've tried has caused slowness issues, or included unwanted features that were difficult to disable.
Palm City, Fla.: Brian:
I recently purchased a new iMac 24/2.4/2x1G/500, Model MA878LL.
Over the past year I've heard comments and references made about Mac computers being relatively free of viruses. Is my iMac inherently secure from invasion or do I have to have the same Firewall, Anti-virus protection that you need for PC's running Windows? Thanks.
Brian Krebs: Good on ya, Palm City. A couple of thoughts. All software has security holes, and just looking at the sheer number of holes that Apple plugs each year, its operating system is no exception.
That said, it might be overkill to buy anti-virus software for the Mac. A free anti-virus solution for the Mac is here. Other than that, enable the Mac's built-in firewall, ignore phishing/scam emails, and take care with the software you install on the system and you should be fine.
Cody, Wyo.: Hi Brian,
Just a quick comment on FoxIt. I took your advice and installed it a few days ago. Then I got rid of Reader. Best move I ever made!
Thanks for your great columns and advice!
Brian Krebs: Glad to know my advice was helpful, thanks.
Arlington, Va.: I can't seem to run a complete Norton Antivirus system check anymore. It always reaches a certain point, then either freezes my machine totally or slows down to a total crawl. I do the LiveUpdate pretty regularly, and the only other security program on my machine is Webroot Anti-spy (for the record, there's never been a compatibility issue between the two).
Any ideas on why my Norton doesn't function as well, and/or how to correct the problem?
Brian Krebs: Have you tried looking to see which files trip up the scan? That might be a clue. Does it make any difference whether it's a manual scan or an automated one? Same deal?
If you have multiple hard drives or partitions, have you tried limiting the scan to the system memory and the programs on the C drive?
I hate to say this, but Norton is likely to tell you that the answer is to uninstall and reinstall the program (pain in the #@#!, I know). If you do decide to reinstall, make sure you have the installation file (setup.exe, probably) handy, as well as your license key.
Brooklyn, N.Y.: Can you have both Adobe Acrobat Reader and FoxIt on the same system? Thanks.
Brian Krebs: Sure, but only one will be the default reader for PDF files, and Adobe's browser plug-ins will make it so that Adobe launches when you click a PDF link. You can change this behavior, of course, but since you asked...
Brian Krebs: I'm out of time, people. Thanks for the questions and for stopping by. Until our next Security Fix Live (in two weeks), please make a habit of dropping by the Security Fix Blog once a day or so to stay up to date on the latest security news and tips.
Be safe out there!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.