Anti-Virus help for all of us??????

Brian Bruns bruns at 2mbit.com
Mon Nov 24 22:28:56 UTC 2003


Being that I wasn't paying attention, here's the message I accidentally
responded to in private e-mail rather than the list...
---------


----- Original Message ----- 
From: "Jeff Shultz" <jeffshultz at wvi.com>
To: <nanog at merit.edu>
Sent: Monday, November 24, 2003 1:46 PM
Subject: Re: Anti-Virus help for all of us??????



> You know that the best AV program in the world isn't going to amount to
> a hill of beans if the user doesn't 1. download updates, 2. run the
> occasional scan [1], and 3. pay for more updates past the 1 year mark
> (for those for which this is a requirement).

That's how they make money off of the antivirus stuff - the yearly
subscriptions.  Many people just go out and buy a new version of Norton
whenever their defs expire (yeah, I've done that before for my personal
machines, as sometimes they improve the detection stuff between versions -
like Norton 2002 adds script protection and better e-mail virus filtering).

The only completely and utterly free, with no catches or nagware, antivirus
software I know of is clamav.  But it's only for UNIX/Linux (although people
have gotten it working in cygwin - I might just package it up for people and
make an installer for it).  It has an autoupdate script as well.  If someone
spent the time to play with it, who knows, it might be able to do realtime
scanning.  It's pretty fast too.


>
> Firewalls at least tend to be a bit more hands off... and I'd like to
> hear more about the "snake oil" parts. Doesn't the 1/2wall that XP
> ships with default to "disabled?"
>

Yep, though in SP2 for XP, it will be turned on by default, IIRC.

I actually like McAfee Personal Firewall Express (given away free by AOL to
all of their users); I have it installed on my mother's Win98SE desktop and it
works like a charm.  Not that many features or controls, so it's slightly
less confusing, but then again, you can't do very complicated stuff with it
either, so it's not good for everyone, but for someone like my mother, it's
more than enough.

I just can't stand personal firewalls on my machines though - they have this
nasty habit of either slowing down the machine, or causing issues with the
various tools I run.  Being that my primary machine is a PII 266MHz laptop,
I really can't handle a personal firewall dragging down my laptop.

> As for Malware... right now neither firewalls nor AV programs seem to
> stop its installation. Personally I wish that there was something that
> we could install on customer machines that would absolutely and totally
> block the installation of net.net stuff, to the point of deleting any
> installation files that have been downloaded.
>
> [1] When cleaning a customer's Nachi infected machine, I discovered
> that the installed copy of NAV was completely up to date - but a system
> scan hadn't been run since July 2002.

Spybot S&D is a nifty program; it installs some protection against malware that
gets delivered by IE, and is generally good at ripping it out if it does get
in.

One thing that many people don't realize (from my personal experience) is
that contrary to popular belief, Win98SE is a good all around desktop OS to
use.  It can run most things like productivity apps and games, and with
128-256MB of RAM, it's quite fast even on an old laptop like mine.  Unlike
XP, it doesn't have a million services running, nor does it have the nasty
UPnP stuff from WinME.  I've run my Win98SE laptop with Norton Antivirus
2002, Outlook Express, and K-Meleon 0.8 (even with its more annoying bugs)
as my primary browser and have never gotten infected by one of these mass
mailing worms, or the DCOM exploits, or IE exploits, etc.

The one thing I should mention though - I have a user, long time friend of
mine, I got her set up with WinXP last year, patched her, then installed
Norton Antivirus 2002, set it to autoupdate and do weekly scans (which, btw,
are on by default, but I check nonetheless), and turned on the XP firewall
and set it to block all inbound but RDP (so I could do remote management if
she needed it).  I also turned off auto-updating of Windows patches (since
I've had situations where my customer's machines have been trashed because
of bad/faulty patches).

The machine survived the RPC/DCOM exploit nightmares as well as rounds of
Outlook Express exploits with no problem.  I only recently fully updated her
machine with the latest patches (I didn't want to neglect her machine, but
my recent bout of health problems and personal issues left me with no
choice).

Even if users don't take advantage of the built in windows update because
it's risky, you can still make sure that you have (autoupdated) AV and the XP
firewall, and you *should* be ok for the most part.  All you need to do is
make sure it is turned on.


On a side note....

I've been developing a little GUI tool which automates the process of
securing a machine - run it, it turns on the XP firewall, turns off the Windows
Messenger service, asks for the antivirus CD and auto installs it quietly (only
works with Norton right now) with all the important options turned on, has
the option of downloading a list of the latest patches from our web server, and
then downloads them from Microsoft (regardless of whether it was installed
already, as I have found that sometimes Windows Update thinks a patch is
installed when it's really not), then quietly installs them without user
interaction, then forces the user to reboot.  It's got some 'issues' in its
current implementation, so I'm not comfortable with releasing it into the
wild for people yet.  That and the fact it only works on XP.

It isn't *that* hard to put something together for your less clueful
customers, as long as they agree to some sort of release of liability before
running it.  Not always possible, but who knows.



--------------------------
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org

The AHBL - http://www.ahbl.org
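The two hands-on procedures in Brian's message above, the XP firewall locked down to inbound RDP only, and the hardening tool that turns on the firewall, shuts off the Messenger service, installs patches quietly whether or not the box thinks it has them, and forces a reboot, as a batch file. This is an added example, not Brian's tool and not code from the original thread. It assumes Windows XP SP2 (the `netsh firewall` context did not exist before SP2, which is why the pre-SP2 firewall was a checkbox on each connection), an Administrator command prompt, hotfix packages already copied into a `patches` folder next to the script, and one management host `203.0.113.10` allowed to RDP in; the address, folder and log path are placeholders. The Norton silent install is left out because the post gives no installer switches for it.

```batch
@echo off
rem harden-xp.cmd -- ADDED EXAMPLE, not the tool described in the post.
rem Assumptions: Windows XP SP2, run as Administrator, hotfixes in
rem .\patches\, management host 203.0.113.10 (placeholder) may use RDP.
setlocal EnableDelayedExpansion
set LOG=%SystemRoot%\harden-xp.log
set PATCHDIR=%~dp0patches
echo ==== harden-xp run %DATE% %TIME% >> "%LOG%"

rem ---- 1. Windows Firewall: on for every profile, block all inbound,
rem      and open only Remote Desktop, and only to the management host.
rem      exceptions=ENABLE is required or the RDP exception is ignored.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL >> "%LOG%" 2>&1
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=203.0.113.10 profile=ALL >> "%LOG%" 2>&1
rem File/print sharing and UPnP are the other built-in service exceptions;
rem close them so "everything but RDP" is actually true.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL >> "%LOG%" 2>&1
netsh firewall set service type=UPNP mode=DISABLE profile=ALL >> "%LOG%" 2>&1

rem ---- 2. Windows Messenger service: stop it and keep it from starting.
rem      (sc.exe needs the space after "start=".)
sc stop Messenger >> "%LOG%" 2>&1
sc config Messenger start= disabled >> "%LOG%" 2>&1

rem ---- 3. Record what the box *claims* is installed, then install every
rem      package anyway, as the post does, because that view has been wrong.
rem      /quiet /norestart are the update.exe switches; the oldest XP
rem      packages take -q -z instead. Reboot is deferred to step 4.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix" >> "%LOG%" 2>&1
for %%P in ("%PATCHDIR%\WindowsXP-KB*.exe") do (
    echo Installing %%~nxP >> "%LOG%"
    "%%~fP" /quiet /norestart
    echo   exit code !ERRORLEVEL! >> "%LOG%"
)

rem ---- 4. Write the resulting firewall state to the log, then reboot.
netsh firewall show state >> "%LOG%" 2>&1
netsh firewall show service >> "%LOG%" 2>&1
shutdown -r -t 60 -c "Security updates installed - rebooting in 60 seconds"
endlocal
```

Burn the script and the `patches` folder to the same CD as the AV installer and run it from an Administrator prompt; everything it does is appended to `%SystemRoot%\harden-xp.log`, so you can check the `show state` / `show service` output afterwards to confirm that only REMOTEDESKTOP is enabled and scoped to the management address. Delayed expansion is turned on so the exit code logged inside the `for` loop is the one from the package that just ran, not the value `%ERRORLEVEL%` had when the loop was parsed.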