Antivirus realtime protection: case in point.

For years, I've been bemoaning people's ignorance toward computer viruses. There's this general misconception, one that has existed for as long as I can remember, that, hey, all you need to do is scan your computer from time to time and you'll be fine.

The reality of the situation, as I've been pointing out, is that by that time it may be too late. There have been viruses known to encrypt your entire hard drive in the background, destroy your motherboard BIOS without a chance of recovery, and, most importantly, a self-respecting virus, upon activation, will do whatever's necessary to one-up whatever antivirus programs you may have installed on your machine, as well as your future attempts to remove it, including changing local policies to cripple Task Manager or encrypting itself.

That's why realtime protection is _mandatory_. You get the virus before it is executed.

Two days ago this was demonstrated to me in crystal clarity. I've been running Kaspersky on my parents' machines; however, for performance reasons, I only set it to scan files on execution.

That was a big mistake.

Somehow, my father was emailed a dropper for the NTOS.EXE virus, which he executed. The dropper itself is a harmless program - all it does is secure NTOS in place, making sure it executes before anything else (from several places). The file also changes the virus's length randomly to fool your crappy Uncle Bob's Virus Signature Scanner.

Even after I cranked up Kaspersky to scan files on both write and read, and turned on heuristics, the virus was undetectable because it had secured the first spot in being executed, and because it had manipulated security permissions to be unreadable, yet still executable.

The only reason I was tipped off to the virus's presence is that my father's machine would hang every time I changed network settings. You see, NTOS.EXE hooks itself into your networking, captures the keyboard, and attempts to steal your login credentials to a few major online banks.

Once I recognized NTOS.EXE and the folder it created inside SYSTEM32, I blanked its security permissions and restarted the system - it failed to execute. Then I gave it back normal permissions. Kaspersky instantly perked up, notified me that its heuristics had detected a trojan, and deleted it.

...

Moral: use a background filesystem scanner. Enable heuristics as well. (I've had cases where I would run a freshly downloaded "greeting card" virus and the antivirus would ONLY stop it when heuristics allowed it to detect it as a variation of something it already knew; its default setting, which relies only on pattern matching, just let it execute.)

If you're concerned with performance... well, in the case of Kaspersky, I can set it to turn off realtime scan when I run Quake Wars or WoW, or just make it skip scanning the folders containing them. With today's disk access speeds and CPU speeds, realtime scan isn't that much of a bother compared to the risks you run otherwise.
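As an added illustration, not part of the original post, here is a PowerShell audit for the permission trick the story describes: a file whose ACL carries a Deny entry for reading its contents while an Allow entry still grants execute. That combination is what keeps an on-read scanner from ever inspecting the file, and it is abnormal for anything under System32, so it is a cheap thing to check when a machine is misbehaving. The default path and the output fields are my assumptions; the script only reports, it changes nothing.

```powershell
# Added example, not from the original post: list files whose ACL denies
# reading the file's data but still permits execution, the combination the
# OP describes for NTOS.EXE. The default path is an assumption; run the
# script elevated so that every security descriptor can be read.
param(
    [string]$Path = (Join-Path $env:SystemRoot 'System32')
)

$ReadBits = [System.Security.AccessControl.FileSystemRights]::ReadData
$ExecBits = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction SilentlyContinue
    if (-not $acl) {
        # A security descriptor we are not even allowed to read deserves a look of its own.
        Write-Warning "Could not read ACL: $($file.FullName)"
        return
    }

    # Deny entries that remove the right to read the file's contents
    $denyRead = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and (($_.FileSystemRights -band $ReadBits) -ne 0)
    }
    # Allow entries that still grant execute
    $allowExec = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $ExecBits) -ne 0)
    }

    if ($denyRead -and $allowExec) {
        [PSCustomObject]@{
            File     = $file.FullName
            Owner    = $acl.Owner
            DeniedTo = ($denyRead.IdentityReference | ForEach-Object { $_.Value }) -join ', '
            Modified = $file.LastWriteTime
        }
    }
}
```

Run it as `.\Find-UnreadableExecutables.ps1` (or with `-Path` pointing at another directory) from an elevated prompt. Anything it lists is worth treating the way the post does: strip the execute permission, reboot, then restore normal permissions so the scanner can read and classify the file.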

For people who want free protection, AVG Free provides background definition-based scanning, and the free version of PC Tools Threatfire provides heuristic scanning. The "Pro" version of Threatfire adds on-demand scanning, but as shiho says, the idea is to catch the virus/malware/etc in the act, not after the fact.

Their impact on performance is minimal; I don't ever bother turning them off before gaming. I've tried other tools (like Spyware Doctor) which do impact performance a bit more.

I've been using Avast lately, only because Consumer Reports ranked it over AVG in total correct detections in their battery of tests. They want you to register for a key, but it's free. I don't like their interface, but I've been happy with it. It's picked up some stuff that slips through since I installed it, plus the initial scan picked up some leftover files AVG had not cleaned.

Most tests that I've seen (av-test.org and others) give Avast a very slight edge in detection rate, but also a higher false positive rate. Both are head and shoulders above the lion's share of commercial apps, and either one is very good.

That's a good case example of why not opening unknown files is _mandatory_.

Nosferatu wrote:

That's a good case example of why not opening unknown files is _mandatory_.

It's always amazed me how hard that simple fact is for most people to understand. Hell I never open a file or attachment unless I specifically requested it and I'm running Kaspersky in realtime whenever I'm not actively in a game.

Another thing I recommend: don't browse the web without having NoScript running. If a site wants to run code on my system it can ask, thank you very much.

Nosferatu wrote:

That's a good case example of why not opening unknown files is _mandatory_.

That's clever and all, but ill-informed.

1) Until we have an insta-education system from The Matrix, people will keep opening unknown files and there's nothing you can do about it. Not everyone is a computer nerd like you and me, who always keeps up with the latest scams. Most of my relatives, for instance, aren't.

1a) User manipulation still has a long way to go. It's getting more clever, and presuming that you'll always be above it is an ego mistake that may cost you big one day.

2) There have been exploits that force execution of unknown files without your consent. There have been exploits that made email clients execute attachments without asking you. There have been exploits that executed embedded code inside PICTURE FILES. For all you know the next .OGG file you download may exploit a buffer overflow in Winamp or WMPlayer and allow a virus to execute.

3) Traditionally, computer viruses didn't come as separate files. They attached themselves to perfectly valid executables, allowing the legit code to run after they have. A lot of viruses still do that. So, when you run that program you know to be legit - you could be rolling the dice.

shihonage wrote:

1) Until we have an insta-education system from The Matrix, people will keep opening unknown files and there's nothing you can do about it. Not everyone is a computer nerd like you and me, who always keeps up with the latest scams. Most of my relatives, for instance, aren't.

We must have the same relatives. But really, this isn't something with a tech solution and, sadly, even recommending people run anti-virus often does little good unless they've got security-minded relatives to set it up for them. Not everyone does.

shihonage wrote:

There have been exploits that made Outlook execute attachments without asking you.

Chalk that up as one reason I've never bothered to install Outlook on any of my personal computers.

shihonage wrote:

4) Traditionally, computer viruses didn't come as separate files. They attached themselves to perfectly valid executables, allowing the legit code to run after they have. A lot of viruses still do that. So, when you run that program you know to be legit - you could be rolling the dice.

Has this been an issue with any files from vendor sources? I'll admit that you're obviously more of a security geek than I am (I say that in a good way!), but I always figured if I downloaded, say, the latest version of Publisher directly from Microsoft, the Steam client from Valve, or other vendor-supplied software I wouldn't have to worry. Thanks for making me paranoid, lol.

Raven wrote:

We must have the same relatives. But really, this isn't a something with a tech solution and, sadly, even recommending people run anti-virus often does little good unless they've got security-minded relatives to set it up for them. Not everyone does.

I said - use antiviruses. You say - you can't set them up for everyone.

(shrug) It's easier to install an antivirus than to constantly keep your relatives up to date. But I already said that, so if you decide to repeat this in the future, consider yourself redirected to previous sentence.

Raven wrote:

Chalk that up as one reason I've never bothered to install Outlook on any of my personal computers.

Outlook isn't the only program that could be targeted. It is just a narrow example of a larger picture - a program that deals with received data. Outlook has been known to be exploited, but so can any other program, via either buffer overflows, social engineering, or a combination of both.

Abstaining from using any of the mainstream programs may make you feel like an e-ninja, using Opera instead of Firefox/IE, OpenOffice instead of MS Office, and The Bat! instead of Outlook, but the road of an e-ninja is a strenuous one, as those programs are often popular for a reason. In addition, whatever replacements you choose, chances are they are even less secure, and, Moses forbid, should they one day gain a modicum of popularity, the exploits will take them for a ride they won't soon forget.

Raven wrote:

Has this been an issue with any files from vendor sources? I'll admit that you're obviously more of a security geek than I am (I say that in a good way!), but I always figured if I downloaded, say, the latest version of Publisher directly from Microsoft, the Steam client from Valve, or other vendor-supplied software I wouldn't have to worry. Thanks for making me paranoid, lol.

In my observation the choices of antivirus vendors by such companies are rather random, as they seem to settle for either price or base it on their existing relationships with the company.

In addition, I suspect that when dealing with tremendous volumes of information, such as scanning webmail, these companies don't use heuristics in their antivirus programs, because heuristics take down performance _considerably_ compared to simple pattern matching, as they involve running a virus inside a mini-virtual machine. In addition, the probability of false alarms becomes a real threat with such a massive email volume, and they don't want scandalous complaints from thousands of users.

Relying on pattern matching alone requires very frequent signature updates - an area in which most antivirus companies, including Symantec, critically lag behind.

Your computer is the last bastion of defense. Make it count.

shihonage wrote:

I said - use antiviruses. You say - you can't set them up for everyone.

(shrug) I guess I feel sorry for your relatives.

Not exactly what I said... but whatever.

Your advice is still sound; I was just pointing out that it's only really useful for those of us who know to look for it and our relatives (through us). Many people don't have that luxury and they are, in large part, unreachable. Just an observation of reality; don't take it as an attack.

Raven wrote:

Your advice is still sound; I was just pointing out that it's only really useful for those of us who know to look for it and our relatives (through us). Many people don't have that luxury and they are, in large part, unreachable. Just an observation of reality; don't take it as an attack.

I addressed this more accurately in the edit, but the main point stands. Your argument lacks logic.

shihonage wrote:
Raven wrote:

Your advice is still sound; I was just pointing out that it's only really useful for those of us who know to look for it and our relatives (through us). Many people don't have that luxury and they are, in large part, unreachable. Just an observation of reality; don't take it as an attack.

I addressed this more accurately in the edit, but the main point stands. Your argument lacks logic.

"Sweep the leg." "Put him in a body bag, Johnny!"

shihonage wrote:
Raven wrote:

Your advice is still sound; I was just pointing out that it's only really useful for those of us who know to look for it and our relatives (through us). Many people don't have that luxury and they are, in large part, unreachable. Just an observation of reality; don't take it as an attack.

I addressed this more accurately in the edit, but the main point stands. Your argument lacks logic.

Your edit doesn't really address it either. He says that you can recommend all you want, but unless you've got someone who has an idea of how to set it up, it's about as useful as BonziBuddy.

baggachipz wrote:
shihonage wrote:

I addressed this more accurately in the edit, but the main point stands. Your argument lacks logic.

"Sweep the leg." "Put him in a body bag, Johnny!"

Seriously. I agree with everything you said, shiho, but why does everything you post come with a combative tone?

nsmike wrote:

Your edit doesn't really address it either. He says that you can recommend all you want, but unless you've got someone who has an idea of how to set it up, it's about as useful as BonziBuddy.

Most antiviruses set up pretty ok if you click "Next" during the installation, and the end result is, again, far better than leaving your relatives without an antivirus and without knowledge that you can't give to them anyway.

If someone wants to keep saying "All is lost, all is lost!", it is neither accurate nor has anything to do with this thread, so I invite you to go back and re-read my reply.

baggachipz wrote:

"Sweep the leg." "Put him in a body bag, Johnny!"

IMAGE(http://www.willowtreeaudio.com/images/ShihoPwnin.jpg)

shihonage wrote:
Nosferatu wrote:

That's a good case example of why not opening unknown files is _mandatory_.

That's clever and all, but ill-informed.

1) Until we have an insta-education system from The Matrix, people will keep opening unknown files and there's nothing you can do about it. Not everyone is a computer nerd like you and me, who always keeps up with the latest scams. Most of my relatives, for instance, aren't.

1a) The user manipulation has yet long ways to go. It's getting more clever, and presuming that you'll always be above it is an ego mistake that may cost you big one day.

2) There have been exploits that force execution of unknown files without your consent. There have been exploits that made Email clients execute attachments without asking you. There have been exploits that executed embedded code inside PICTURE FILES. For all you know the next .OGG file you download may exploit a buffer overflow in Winamp or WMPlayer and allow a virus to execute.

3) Traditionally, computer viruses didn't come as separate files. They attached themselves to perfectly valid executables, allowing the legit code to run after they have. A lot of viruses still do that. So, when you run that program you know to be legit - you could be rolling the dice.

1/1a) assuming your realtime antivirus protection is above failure is a big ego mistake that will cost you big one day as well.
2) there have been viruses that specifically targeted certain antivirus software, exploiting it to run itself.
3) Don't buy your software from some guy selling it out of his trunk, or giving it away over the net when you should have to pay for it. Or any file sent to you over e-mail.

You argued against yourself: if your relative had scanned the file before he opened it, then presumably the virus would have been caught and eliminated. I don't open *anything* that isn't verified first.

Nosferatu wrote:

1/1a) assuming your realtime antivirus protection is above failure is a big ego mistake that will cost you big one day as well.

Yes, it would be a mistake to assume that. I don't see however what this has to do with this thread. I never said user discretion and antivirus use are exclusive to one another.

Nosferatu wrote:

2) there have been viruses that specifically targeted certain antivirus software, exploiting it to run itself.

Let's not get ridiculous, shall we?

Even if that is true, good antivirus software updates itself a lot faster than most other products, and I mean, the binaries are updated as well. The evidence of such viruses is anecdotal, and they're always very short-lived. I'd rather run an antivirus, a single program, that was _designed_ for combative behavior and has a very very slim chance of being exploited, than expose a whole plethora of "civilian" exploitable programs on my system by not running one.

Nosferatu wrote:

3) Don't buy your software from some guy selling it out of his trunk, or giving it away over the net when you should have to pay for it. Or any file sent to you over e-mail.

You argued against yourself: if your relative had scanned the file before he opened it, then presumably the virus would have been caught and eliminated. I don't open *anything* that isn't verified first.

I already addressed that in prior posts. If you insist on repeating what was already said, consider yourself redirected to them.

Podunk wrote:

IMAGE(http://www.willowtreeaudio.com/images/ShihoPwnin.jpg)

That was over the line... kind of.

shihonage wrote:
Podunk wrote:

IMAGE(http://www.willowtreeaudio.com/images/ShihoPwnin.jpg)

That was over the line... kind of.

I'm just funnin' you. I'll pull it if you want.

edit: and for the record, I think the video is cool, so don't take that the wrong way.

Well, I do appreciate the trouble you went through to find a shot that would fit with bagga's comment, so don't pull it.

Podunk wrote:
shihonage wrote:
Podunk wrote:

IMAGE(http://www.willowtreeaudio.com/images/ShihoPwnin.jpg)

That was over the line... kind of.

I'm just funnin' you. I'll pull it if you want.

edit: and for the record, I think the video is cool, so don't take that the wrong way.

By all means leave it up. shihonage's obviously an expert in software security - he knows what he's talking about here.

But you know shihonage... I spend far too much time dealing with real-life security and how it differs with idealistic security measures to think that discounting reality is in any way productive to the situation. It's nothing but letting ego obscure the facts. The fact is that you've offered sound advice. This is immediately followed by another fact that the vast majority of computer users neither have the knowledge to safeguard their system nor the proper fear of the consequences to know they need to look for that advice. Discounting that common ignorance does nothing but increase overall insecurity.

But what do I know, I just protect clients and/or their overseas assets for a living. You? You're the expert who dishes out computer security advice to an already knowledgeable audience on a popular gaming forum. Good job, you've accomplished a lot.

Raven wrote:

But you know shihonage... I spend far too much time dealing with real-life security and how it differs with idealistic security measures to think that discounting reality is in any way productive to the situation. It's nothing but letting ego obscure the facts. The fact is that you've offered sound advice. This is immediately followed by another fact that the vast majority of computer users neither have the knowledge to safeguard their system nor the proper fear of the consequences to know they need to look for that advice. Discounting that common ignorance does nothing but increase overall insecurity.

But what do I know, I just protect clients and/or their overseas assets for a living. You? You're the expert who dishes out computer security advice to an already knowledgeable audience on a popular gaming forum. Good job, you've accomplished a lot.

The purpose of this thread was very simple - to make an example as to why realtime file protection must be enabled at all times. The misconception that realtime file protection is optional is quite widespread, yes, even amongst "knowledgeable audiences".

In your first reply you said "Yeah, but even that doesn't guarantee absolute protection, because not everyone can install an antivirus". Then you seemingly said "Yeah, but even if you install an antivirus, it doesn't guarantee absolute protection".

The first was just pointless. The second was a strawman. So I point these out as nonsensical statements entirely irrelevant to this thread.

To make an example you can understand - if a person were to open a free law advice shop, you'd come up to them and tell them that there are people who can't reach their shop because they're too far away, there are people who are too stupid to utilize the advice, and there are people who are smart enough not to need it - such is reality, and so why bother opening the shop in the first place? The rather obvious answer, of course, is for those who can reach it and those who can make use of it.

I hope I made this sufficiently clear. Please, next time you post, I don't care if it's positive or negative, but don't strawman me, and don't make grandiose, inaccurate claims along the lines of "Woe is you, your puny advice accomplishes nothing!", without offering a better alternative. Seriously, dude - before you are tempted to do so yet again, I strongly encourage you to examine your motives.

shihonage wrote:

I hope I made this sufficiently clear. Please, next time you post, I don't care if it's positive or negative, but don't strawman me, and don't make grandiose, inaccurate claims along the lines of "Woe is you, your puny advice accomplishes nothing!", without offering a better alternative. Seriously, dude - before you are tempted to do so yet again, I strongly encourage you to examine your motives.

This is an unwarranted attitude. First off, no one said your advice "accomplishes nothing." You started a thread about security, and brought in a story about a relative's computer. Despite the fact that maybe you wanted to talk about how important it is to have real-time file protection activated, the most that can be said on the subject is, "Yep, that's a good idea." That's about as deep as the thread can go. To expect someone not to post about their own relatives and how it's a struggle to be able to expect them to understand this concept, and security in general, doesn't seem like a reasonable expectation as far as this topic goes.

You're being overly defensive and reading things that aren't there. Raven's posts were patient and diplomatic, while yours were consistently confrontational. You have only yourself to blame for any current backlash. I've got no sympathy for you, and you need an attitude adjustment.

Per usual.

Cough. Mac. Cough.

Anyway doesn't your email scan attachments and what not? Wouldn't that prevent something like this from happening? Would Yahoo be strong/current enough to detect this since they scan attachments for viruses?

I practice the don't-open-spam method. I tell that to my parents, but my Mom is always amazed at how she gets targeted (and untargeted) spam and still opens some of it anyway. Same with my Dad. They can't comprehend that some fat sweaty guy in his basement is just pulling thousands and millions of email addresses from the 'net and sending massloads of spam to them to make a few hundred thousand a year, and that it isn't all happening because they are popular.

I do admit it can get tempting once in a great while to open spam. It is human nature to think maybe this one email is legit and I'll win the lottery or the equivalent.

And yes most people don't understand security enough to properly use anti-virus or anything.

So my advice is get a Mac. Not necessarily security proof in and of itself, but the lower market share really helps in this case.

trip1eX wrote:

Cough Mac Cough.

Security by obscurity is not security.

Podunk: the genius!!

NERD FIGHT!

Anti-virus is a good idea. Real time scanning is a good idea. Most users are oblivious. Most users will kludge up their machine and help propel the service industry to greater heights. That sum it up? Can we move on?

doihaveto wrote:
trip1eX wrote:

Cough Mac Cough.

Security by obscurity is not security. ;)

Macs are gaining market share fast. The viruses and exploits will come. They will come down hard on a community that is completely unprepared for them.

Oddly apropos timing. I finally succeeded in getting our corporate offices to turn on the real time scan on our virus client. I spent all day yesterday getting the same phone call repeatedly, "My computer is slow."

nsmike wrote:

[...]

I'll give you a hint:

nsmike wrote:

This is an unwarranted attitude. First off, no one said your advice "accomplishes nothing."

Raven wrote:

You? You're the expert who dishes out computer security advice to an already knowledgeable audience on a popular gaming forum. Good job, you've accomplished a lot.

That's called sarcasm. If you could misread something that obvious, it's no wonder you would see passive-aggressive as patient and diplomatic.

I've got no sympathy for you, and you need an attitude adjustment.

If you've got a bone to pick with my personality I encourage you to send me a PM instead of gracing this thread with faulty accusations.

===

Although I really appreciate several posters' effort to actually remain on-topic, by its very nature this thread has been living on borrowed time. Hopefully by reading the OP more people will become aware of realtime protection. If your system already ran it, it may be too late.

Oh, and I've tried many antiviruses over the years. This is not a viral marketing campaign, but although, apparently, BitDefender and Kaspersky are considered the best, Kaspersky is the one that's actually the best. It is the most comprehensive, customizable, frequently-updated antivirus I've ever used. It's also got the best self-defense mechanisms I've seen in an antivirus, as it is resistant to most programmatic attempts to disable or remote control it.