<?xml version="1.0" ?>
<rss version="2.0">

	<channel>
		<title>Viruswarning Best Practices</title>
		<link>http://www.viruswarn.com/Forums/tabid/53/forumid/8/view/topics/Default.aspx</link>
		<description>This forum will provide users with some best practices for use when configuring or securing their systems.  They'll be posted only by moderators of the viruswarning listserv.</description>
		<language>en-US</language>
		<generator>ActiveForums  3.5</generator>
		<copyright>Copyright 2006 by OS-Cubed, Inc.</copyright>
		<webMaster>leedrake@gmail.com</webMaster>
		<item>
			<title>Viruswarning best practices 9/21/2002</title>
			<description>I've received a large number of new subscribes to the Virus warning list in the wake of SirCam and NIMDA.  I'd like to welcome all our new subscribers.  I also would like to send you out some information on securing your systems that David, Brett and I have sent out little by little over the last few months of operating Virus Warning.

Here are some frequently asked questions we get:

 
1) What can I do to secure my system?
 
First you have to look at what the threats are.  You have basically 5 ways that a virus or worm can get to your system:
 
1) Through your email - these days this is the most prevalent way for a virus to spread.  Most email viruses take advantage of a number of security holes in popular email products, as well as the naiveté of users.  Many users, when they see an attachment - just go for it.  They say "Ohh goody - someone sent me something" double click it and worry about what's in it later.  This is the MOST COMMON WAY that viruses get spread today.  It makes sense then to be sure that your Virus scanning software scans your email - preferably before it even hits your mailbox.  Norton Antivirus does a great job of this - McAfee a slightly less effective job.  (The reason I say Norton is that it scans both Outgoing and Incoming mail - McAfee only scans incoming mail at this time).
 
2) By being hacked from the internet - the spread of DSL and Cable Modem connections has meant that people frequently leave their computer on - even when it's not attended.  It also means that you typically have an open system just waiting on someone to try to infect or take it over.  There are a number of steps you can take to lock down a system, including unlinking NETBIOS from your internet connection, and using a product such as Zone Alarm Pro.
 
3) Through shares on your system - These days most computers are hooked to a server, or share data between each other - it's easy, it's fast - and it's dangerous.  Because now you can get infected both through your own email or hacking, but also if the computer you're plugged into is hacked or compromised.  If a domain server gets infected, it can spread that infection to literally thousands of computers in seconds.  Your main protection on this sort of vulnerability is keeping up to date on patches, and running server-side virus scanning software.
 
4) Through disks you share with others - you can still get a virus from someone else's floppy disk, or its contents.  The best protection from this is scanning all media before using them in your computer.
 
5) Through the web - The advent of NIMDA introduces another source for nasty viruses - the web server.  If someone else's IIS server gets infected it's possible in some cases, for that machine to push down onto other machines its infection.  Your best protection here is an up to date browser, and local internet based virus scanning.
 
What can I do to prevent myself from getting a virus?
 
Gone are the days when you can update your virus signatures every week or 2 weeks and hope to avoid the majority of viruses.  I'd strongly recommend DAILY updates - perhaps even 2x per day.  Not 5 hours after NIMDA was released on the net it had infected and damaged thousands of servers.  Almost every popular virus scanning software allows automatic updating of the virus signatures.  Be sure this is set up, is operating, and is downloading any new signatures 1x per day at least.  Also be sure you have a virus scanning software that is no more than one year old - the older virus scanning engines aren't nearly as fast or complete as the newer ones.  Finally be sure that your virus scanner is configured to protect your email, your internet connection, as well as your drives and files - most default installations leave all or some of these out.
 
I would set my explorer interface to SHOW ALL file extensions (not to hide them).  You do this from tools/folder options/view in most versions of Windows.  This way if someone sends you a virus its REAL extension is displayed.  A common way to spread viruses is to rename them something like:  myPicture.jpg.exe .  A file named something like that is ACTUALLY an executable program, but it will look like a picture at casual glance if you don't check carefully.
 
The next recommendation is that, if you're internet connected, and not behind a firewall, you unbind TCP/IP from the netbios interface.  This is a multi-step process, but well worth it: check www.grc.com for instructions.
 
In addition to the unbinding of TCP I'd recommend those with broadband connections get the program ZONEALARM (or some other equivalent software for blocking internet attacks).  I recommend this EVEN IF YOU ARE BEHIND A FIREWALL.  The reason being that if you do somehow get an attack through email - it won't be able to send information from your computer out onto the internet if zone alarm is installed.  You can get zonealarm, for free, at www.zonelabs.com
 
If you have more than one internet connected computer, or even if you don't, it's pretty cheap to purchase and install a hardware based firewall as well.  Linksys makes one that commonly retails for under $100 these days - and it's well worth it.
 
Finally, you should download and install Microsoft's "critical update notification option".  http://windowsupdate.microsoft.com is where you go for that one.  The critical update notifier will tell you, as soon as you login to the internet, if there are any security critical updates you need on your machine.  I'd also periodically run windowsupdate and be sure that you have the latest patches and service packs for Internet Explorer.  This should be done roughly once per week.
 
If you're an office user you should do the same thing with http://Officeupdate.microsoft.com and be sure that your office apps are up to snuff.
 
If you use Outlook or Outlook express for email, be sure that you have Tools/Options/Security tab/Zones set to "restricted zone" for both.  This effectively disables scripting in email messages.  You should (for outlook) be sure you've downloaded and applied all internet security patches for the tool.  Outlook express is updated by updating Internet Explorer.
 
What should I do if I DO get infected?
 
First off  - don't panic - in many cases it can be fixed IF you do so correctly.  The first thing to do is disconnect your machine from the internet - the vast majority of machines these days probe for other people on the internet, or send out emails to all your friends with the virus in them.  If you physically (by unplugging the cable) disconnect from the internet - you're much less likely to be a vector for the virus on other people's email, shares, etc.  Second - if you're not comfortable with computers - this is a good time to call an expert.  If you are you probably know what to do - Get the latest signatures, check for a "cleaner tool" on the virus vendor's site, boot from a known clean disk, and scrub your system good.  If it refuses to boot, call an expert.
 
What if I run a server that's available on the internet?
 
If you're in this category, and you're looking to me for answers, then you probably need to hire someone qualified to do this.  Running an internet based server is not for the faint of heart - it requires a significant investment in time and security issues.  If you don't feel comfortable in this role - GET SOMEONE WHO IS to do it for you.
 
What good is this list?  Will it keep me bug free?
 
Unfortunately worms and viruses spread too fast to make that sort of guarantee.  This list serves to let people know when a particularly virulent virus appears, or when a virus with a new mode of infection appears.  But just reading this list won't protect you from anything - you MUST take action for that to happen.  We don't provide any guarantee on the timeliness of our announcements - we do them as quickly as possible and have sometimes been before the major news agencies - but certainly not every time.
 
What about hoaxes?
 
There are any number of virus hoaxes - it's sometimes hard to tell the real warnings from the fake ones.  We've yet to announce a hoax on viruswarn - and we don't intend to.  We encourage you to check anything out before you pass it along as well.  All our announcements are based on confirmed observations of the bug and its confirmation from at least 2 sources.  If you want info about virus and worm hoaxes check out these links:
 
http://www.sarc.com/avcenter/hoax.html
http://www.sarc.com/avcenter/jokes.html
http://vil.mcafee.com/hoax.asp?
 
A typical hoax message will say - "Pass this along to all your friends" and will cite "sources at Microsoft" or "Sources at Norton" without giving you a specific link to check it out.  If you see any of these warning signs it's a darn good idea to check it out before spreading it.
 


Lee Drake, Moderator</description>
			<link>http://www.viruswarn.com/Forums/tabid/53/forumid/8/postid/172/view/topic/Default.aspx</link>
			<author>Lee Drake</author>
			<pubDate>Mon, 20 May 2002 13:32:15 GMT</pubDate>
		</item>
		<item>
			<title>Happy New Years 2002 - best practices</title>
			<description>David, Brett and I would like to take this time to thank you all for
participating in Viruswarning.  We've been able to get the news out on
potentially harmful viruses, worms and security threats in a timely and
accurate manner for over a year now, and in that time our list has grown
tremendously.  We are currently well over 200 subscribers and going
strong.  We have subscribers all over the world, individuals, small one
user shops, and huge multi-nationals.  We even have a subscriber or two
from well known AntiVirus product companies.  Lately we've had the
satisfying experience of having a number of our list subscribers email,
call or write to us telling us that we saved them from opening a harmful
attachment.  We're glad we can make a difference.

In that year we've also seen an incredible explosion in the number,
cleverness and fast spread of viruses and trojans that threaten our
computer resources with compromise or damage.  We hope we've helped some
of you with making your computer environment a safer and more secure
one, and that we've prevented grief for at least one or two of you who
might otherwise have been caught by one of these destructive missives.
This list will remain committed to attempting to give you early warning
on verified viruses that appear to be widespread or to have potentially
very damaging consequences.  Unlike similar services from virus vendors
we don't purport to announce EVERY virus - just the ones we've actually
seen causing problems in the "wild" based on reports from our many users
and verified by information from news and antivirus company sources.

Many of you may be purchasing computers for your year end, or getting
new systems as gifts for yourself or others.  Don't forget that from the
first email you receive or the first time you connect to the internet,
your box is vulnerable to infection or compromise.  Be sure that you've
followed some simple safety precautions:

1) Install antivirus software before bringing the machine online.
Preferably a well known, frequently updated, product such as Norton
Antivirus or McAfee.  Be sure email attachment scanning and heuristic
virus scanning is enabled.

www.mcafee.com
www.sarc.com


2) If your machine is going to be exposed on the internet through a
broadband connection consider a personal firewall product such as
ZoneAlarm.

www.zonealarm.com

3) If you have multiple machines on a broadband connection consider
adding a hardware firewall protection box at the connection to the
internet.  Both of the following make good inexpensive products:

www.linksys.com
www.dlink.com

4) Be sure that all your windows, internet explorer and media player
patches are up to date:

http://windowsupdate.microsoft.com

5) Be sure that your antivirus signatures are up to date by running
liveupdate or the McAfee update download program regularly (at least
once a day recommended).

6) Check your email (if using Outlook or Outlook Express) and be sure
that it's configured for the RESTRICTED security zone.

7) You can also visit the following sites for tips on security and your
system:

www.grc.com (port scanning and verification of firewall status)
www.microsoft.com/security (security checklists and a testing tool for
some platforms)
www.zonelabs.com (for information about Zonealarm)
www.sarc.com (for information about Norton antivirus configuration)
www.mcafee.com (for information about McAfee antivirus configuration)
http://www.leedrake.com/virus_notification.htm for instructions to
subscribe new users, or unsubscribe yourself from this list.

As most of you know, we don't use this list to solicit you for business
or to advertise our companies.  It's strictly been as a service to you
to help to share our knowledge and make your computing environment a
little bit better.  We intend to continue that tradition into the
future.  Aztek Computer Solutions, P6 Consulting and Periwinkle
Communications wish you a happy and safe holiday, and a productive and
profitable New Year.

www.azcomputer.net Aztek's Site
www.p6c.com P6 Consulting's Site
www.toto.com Periwinkle Communication's Site.

Lee Drake, Moderator</description>
			<link>http://www.viruswarn.com/Forums/tabid/53/forumid/8/postid/171/view/topic/Default.aspx</link>
			<author>Lee Drake</author>
			<pubDate>Mon, 20 May 2002 13:22:43 GMT</pubDate>
		</item>
		<item>
			<title>Securing Internet Explorer and Outlook</title>
			<description>The real key here is - if you have a properly configured browser you should ALWAYS be prompted before running any such install program, and you should - unless you're expecting the install, almost always answer NO to the question "Do you want to install xxx".  You may even find that they do things like pop-up a web page that LOOKS like a normal dialog box.  To double check your setting you should go to Tools/Internet Options, Security tab, choose the "internet" icon, and then choose custom settings.   Your settings SHOULD be as follows:

Download Signed ActiveX Controls: Prompt (note that just because something is SIGNED doesn't mean it doesn't violate privacy) 
Download unSigned ActiveX Controls: Disable 
Initialize and script ActiveX  Controls not marked as safe: Disable 
Run ActiveX Controls or plug-ins:  I'd mark this as Enabled, or Prompt.  I use prompt - it's annoying in that almost every page pops up a warning, but at least I always have the option of opting OUT of scripts being run. 
Script ActiveX Controls marked safe for scripting:  See comment above, set as Enabled or Prompt depending on your paranoia level and search habits 
File download: Enable - you'll still be prompted, but you may need to download files... 
Font download: Your choice, enabling means you have more risk that a file can get on your computer, disabling may affect how some websites look. 
MicrosoftVM - Java permissions: High Safety 
Miscellaneous: 
Allow access to data sources across domains: Disable 
Allow meta refresh: Enable 
Display mixed content: Prompt 
Don't prompt for client certificate: Disable 
Drag and drop or copy and paste files: Prompt 
Installation of desktop items: For most users this should be disable, or at the most prompt 
Launch programs and files in an iframe: Prompt 
Navigate subframes across different domains: Prompt 
Software channel permissions: Medium safety 
Submit non-encrypted form data: Enable, but be aware of the security id in the lower right corner before hitting submit... 
Userdata persistence: Enable 
Active scripting: Enable or prompt - your choice for ease of use/paranoia :) 
Allow paste operations via script: Prompt or disable 
Scripting of Java applets: Enable 
User authentication: LOGON only in intranet zone - this prevents your login credentials from being passed out on the internet and forces a login prompt to appear for you to login.
You may find that after doing this you get more prompts- but remember the prompts allow YOU to decide if you want scripting or controls to run - if the site looks ok without them - you didn't need them now did you :).  If the site looks bad without them you can either decide not to browse further, or hit the refresh key and choose "allow scripting" or "allow activex controls" and see how it looks then - but YOU'VE made the choice.

If you don't have all these choices, you may have an earlier version of Internet Explorer.  David and I highly recommend moving to IE 6.0.  The reason is that 6.0 also allows you to control who may place cookies on your machine, and gives a more detailed set of security settings.  You should have your cookie settings as follows:

Under Internet Options/Privacy tab click the ADVANCED option and set: 
Override automatic cookie handling: Checked 
First party cookies: Prompt 
Third party cookies: Prompt or disable 
Session cookies: Always allow (These are necessary for most sites to maintain "state" when you're in the site)
Then as you browse to a site, the first time, it will ask if you want to use the cookie (possibly for SEVERAL cookies if there is advertising on the site).  Be sure to look at WHO the website is you're going to, and WHO the cookie is actually for.  When it does prompt YOU can decide whether to permit it or not.  You'll be surprised to find that even spam email tries to put cookies on your machine to track whether you saw the email or not.  For anything that doesn't require a login or the ability to track WHO you are (for instance weather.com might put a cookie with your zip on it so it can show you your local weather, that's a "good cookie" the ads they run though also try to put cookies on your system to track your browsing and clickthrough habits - that's a "bad cookie").  When you decide about a cookie you can either BLOCK or ALLOW the cookie.  When you do this, be sure to select the checkbox that says "Apply these setting to ALL cookies from this site", and you'll never be prompted about it again - it will track your personal selections as you go along.   If you change your mind you can always click the EDIT button to the tab and change the settings for a particular cookie.

And finally, as we've mentioned a number of times, in both Outlook and Outlook Express you should set your software so that browsed messages are considered to be in the "Restricted zone".

In OE: Tools/Options/Security/Restricted zone, and be sure that both warn me when other applications try to send mail as me and do not allow attachments to be saved or opened that could potentially be a virus are checked. 
In Outlook: Tools/Options/Security/Zone set to "Restricted".
Take a few minutes today and double check your settings.  If you're not on IE 6.0, get there, and after you install it BE SURE to run windows update to get all the security patches up to date.  You want the best protection you can get from mal-ware and ad-ware.  Be sure you have it.



Lee Drake, Moderator</description>
			<link>http://www.viruswarn.com/Forums/tabid/53/forumid/8/postid/170/view/topic/Default.aspx</link>
			<author>Lee Drake</author>
			<pubDate>Mon, 20 May 2002 13:14:40 GMT</pubDate>
		</item>
	</channel></rss>