Matrix Games Forums

Forums  Register  Login  Photo Gallery  Member List  Search  Calendars  FAQ 

My Profile  Inbox  Address Book  My Subscription  My Forums  Log Out

RE: Heads Up - Wargamer is Flagging Unsafe Again

 
View related threads: (in this forum | in all forums)

Logged in as: Guest
Users viewing this topic: none
  Printable Version
All Forums >> [General] >> General Discussion >> RE: Heads Up - Wargamer is Flagging Unsafe Again Page: <<   < prev  1 [2]
Login
Message << Older Topic   Newer Topic >>
RE: Heads Up - Wargamer is Flagging Unsafe Again - 9/12/2009 4:30:44 PM   
GoodGuy

 

Posts: 1506
Joined: 5/17/2006
From: Cologne, Germany
Status: offline
quote:

ORIGINAL: berndn

The problem is not which AV solution you prefer. It's about the security stuff itself. The adobe security hole was known for some time. You had to rename a dll until weeks later Adobe had fixed it for the major versions.
Still I see lot of people with Reader 5/6/7 which are not updated

The problem is, that the Acrobat Reader is being launched in the background (every user should check the task manager once in a while, to check for suspicious processes, the TM won't show each and every task though, so an external task monitor/scanner is quite useful) and then used to either execute code (e.g. change registry entries) or pull/inject malware from the net. Software firewalls may not detect the transfer as the reader needs an open http connection to read online documents, so it's easy to hide within its http traffic or a browser's http traffic, and - in addition - virus tunneling may fool anti-virus software.

In general, a good way to avoid risks is to replace standard/well-known tools with alternative software.

Examples:
  • Replace Acrobat/Adobe Reader with Foxit Reader.
    Foxit has a Java Script Console, so just make sure you disable java script in the preferences. Remove Adobe Reader from your system.
  • Replace tools like Quicktime or RealPlayer with alternative plugins or tools. The neat side effect here is that QT's/RP's update/monitor processes won't load with windows anymore. (You might want to make sure to rename or delete files like QT.exe and other remaining files manually though, as registry entries may try to reinstall update routines on next boot).


Just an example:
quote:

ORIGINAL: Microsoft Bulletin from May 2009
("Null Byte overwrite vulnerability")

"Microsoft is warning against a critical security hole in DirectShow which allows attackers to control the affected system in case the user opened a specially made Quicktime media file."


It's relatively easy to prepare quicktime and .ASX video (afaik) files to exploit security holes. Don't be fearful, but be suspicious/careful regarding the source of a given media file.

Use tools like VideoLAN or similar stuff to play video files. If Windows' media player asks you to download/install a new codec in order to view the video, be suspicious as there are malware codecs floating around.


Other ways to reduce potential risks:

  • Always use more than one AV program. Make your main AV your the active AV-Shield that scans on read/write, and disable the other programs' shields. Then use the several AVs to scan all your drives/memory regulary. Make sure you scan EVERY file, because many scanners just use scan filters, which exclude alledgedly unimportant/harmless files. You want to scan more than just the usual suspects (like exe- or dll files). If your AV-program put a suspicious file (say a game dll) in quarantine, you can try to verify if it's a false alarm or not.
    Go to one of those online file-scanners and upload the file, there are some scanners that will check the file with up to 20 different AV scanners. You get a good idea about the accuracy/integrity of your main AV program that way, too. I've had a file here that was flagged as Virus by Avira's AntiVir version 9, but none of the other scanners on the online-platform would report an infection. So, AntiVir's heuristics settings were just too aggressive, producing a number of false alarms.

  • Make sure you have a firewall that reports outgoing traffic (and the file- or process name that wants to contact external IPs) as well. There are still firewalls that don't display or document outbound traffic. If you have a good firewall, and if you know what you're doing, you can at least avoid that some malware injections (the malware/virus downloader or virus server - injected by visiting a website, or launched by the user, when executing unsafe/downloaded files) won't be able to contact external sources in order to download the actual main virus. Given, there are quite some cases where even the attempt to download the main virus may not be detected by the user, in case the virus code uses system processes and tunneling.

    Still, on XP, for example, in- and outbound traffic from/to Windows' "generic host process" should make you suspicious, even though the particular file (svchost.exe) is a legal component of windows, and even though the svchost process is needed; it may run in multiple instances (sometimes up to 5). There are viruses that pretend to be an instance of this legal process, but some viruses are able to just use such legitimate processes (as vehicle) to establish contact to external IPs to pull the main virus .... or, even worse, to grant remote access, acting as a server.
    I created a rule on my rig, that this process is not allowed to establish/accept UDP or TCP connections.

  • Create a rule in your firewall that your machine does not reply to incoming ping requests (ICMP -> echo requests), many firewalls establish these rules (no incoming/outgoing ICMP) as default rule on installation.
    Hackers who scan multiple IP ranges will then think that your rig is either stealth or that the machine behind your particular IP is not running. They will head to the next IP range, in most cases, and won't bother to find an open port or to attempt a DOS (denial of service) attack.

  • Disable Windows message system (used for admin messages), you can find a tool to disable it on the Shields Up page (link below).

    Google for tips regarding disabling services (start buttoon -> RUN -> "services.msc" on XP) that aren't needed but are in fact security risks. Disable services like the Taskplaner, the DHCP-Client (if you don't run a local PC-network), Universal Plug and Play. There are many tutorials on the net, delivering some insights regarding what services are really needed.

    The following URL is a translation (by google) of a German site, that contains a list of Windows services and tells you which services are really needed. Scroll down to view the chart containing Windows services. If you want a safe but fully functional (internet, printers, network) setup you can go for the "Recommended settings", but if you want to play it really safe (say you have a PC you use for your business only, or a rig you use for offline gaming ONLY), you can go for the "Tuner settings". You can even include some tuner settings if you go for the rec'ed settings, but should really know what a particular service does and what part of your system won't work IF you disable it.

    http://translate.google.com/translate?prev=hp&hl=de&js=y&u=http%3A%2F%2Fwww.windows-tweaks.info%2Fhtml%2Fdienste.html&sl=de&tl=en&history_state0=

    There are similar english webpages, but I found this German list to be the most complete one.

  • Review the processes in your task list, and get some infos about internal (legit) windows processes and external (3rd party) processes here:
    http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

    That page provides a list (alphabetically sorted) of all kinds of processes, and gives you a rough idea what a particular process might do, or which program had placed it in your batch of background processes. I am not sure how many VISTA processes made it into that list, but it's a decent source and some of the listed system processes might have been carried over to VISTA, too. If you can't find it here, just google a suspicious or unknown process. Again, you should check some reviews and get an external (freeware) process explorer, since the task manager won't show each and everything.

  • Check if you have open ports. This may happen even if you have a software firewall.
    You can use sites like "Shields Up" or "Leak test" to get an idea how vulnerable your machine is:
    http://www.grc.com/default.htm

    https://www.grc.com/x/ne.dll?bh0bkyd2 (Shields Up)
    Use the buttons ("common ports", etc) to have the page scan your computer's common ports (service ports), pretty much the first ports below port 1024 (IIRC). Port 135 may be open on some machines, depending on what service pack you have. The site offers advice on how to close such ports. In case you are using a firewall (which you should do, and not just Windows' firewall :P) all ports should be closed (at least), if rules are set up properly and if ICMP requests are being blocked, they should be "stealth". Play around with the several buttons on the shields page. You can enter particular ports too, or move your mouse pointer over the results image, each block displays a port, and provides you with an idea what particular port is needed for what job/traffic.
    Example, in theory your browser only needs port 80 for browsing and port 443 for SSL-connections (e.g. for secure connections to member areas or online-banking), and maybe port 21 for FTP-connections, all via TCP. Incoming or outgoing requests on say port 53 and via UDP isn't necessary at all, and most likely an attempt to exploit stuff from a remote location. Firewalls are only useful if the user knows what he's doing, or if the Firewall employs an intelligent automated rule system that caters for such events.

    http://www.grc.com/lt/leaktest.htm

  • Employ a custom "hosts"-file:

    http://www.mvps.org/winhelp2002/hosts.htm

    This host file will block tons of adware, ads on webpages, and sites that had been reported to contain malicious code/viruses.
    An additional (often underestimated) source of viruses/malware are innocent looking ads on webpages. The webmasters of the pages are often not able or not willing to inspect the content of the ads, especially if ads are handled by external trafficholders that keep rotating banners and ads. Injecting malicious code often happens through these ads, not just through bogus mainpages, and the original website may still be totally legitimate and trustworthy.

    EDIT: The HOSTS file is updated regularly, and if you're using it, it wouldn't just act like a banner-washer (as most advertizing networks can't be contacted anymore, since the hosts file re-routes the http-request to 127.0.0.1, a local IP on your machine, resulting in a message like "destination unreachable" in advertizing windows or frames), but it acts also as a security measure protecting you against well known and even new malicious websites.

    I don't recommend using the "restricted zone" rules and filters for Internet Explorer listed on the URL above, as it's easy to confuse buttons and rules, so that you end up allowing dangerous sites to get in the trusted zone. You have to know what you're doing. With the hosts file, it's easy to add your own URLs, plus you can disable the hosts file with a short batch file, in case you want to view all contents (or popup windows) on trustworthy sites. You can also use the hosts file as your custom "parental"-filter that way, as kids will never figure how to ship around these entries.

    I wrote a tiny script for use on XP to execute the renaming of the hosts file, which has no file extension, in order to en/disable the filter. I rarely use the batch, but it may be useful for other people:

    ECHO OFF
    ECHO Starting batch file....
    ECHO **********************************************************
    ECHO *      Renaming hosts.bak to hosts.alt                   *
    ECHO *      Renaming hosts     to hosts.bak                   *
    ECHO *      Renaming hosts.alt to hosts                       *
    ECHO *                                                        *
    ECHO *                                                        *
    ECHO **********************************************************
    copy c:\Windows\system32\drivers\etc\hosts.bak c:\Windows\system32\drivers\etc\hosts.alt
    copy c:\Windows\system32\drivers\etc\hosts c:\Windows\system32\drivers\etc\hosts.bak
    copy c:\Windows\system32\drivers\etc\hosts.alt c:\Windows\system32\drivers\etc\hosts
    echo **********************************************************
    echo *                   Files have been renamed.             *
    echo **********************************************************


    In case someone knows a better/smarter way of doing that, then i'd be pleased to get a hint. In order to get this batch thing to work properly, you have to rename the original windows HOSTS file to hosts.bak first and then you just paste the hosts file from the website in the windows folder displayed in the code.

  • Use alternative browsers, like Firefox and/or Opera.

  • Use alternative Email-programs like Thunderbird.

  • Disable Java-Script in your browser, and enable it only if you really need it to view trustworthy content. You don't drive cross-country with your Luxury limo where you could employ your good old dirty 4-wheel pickup instead, right?

  • Only install the JAVA runtime environment if you really really need it. JAVA is starting to get really popular, as it's way more powerful than java script applets or flash-content. Many pages don't look like they'd be java pages, but they are in fact already packed with the stuff. Uninstall JAVA if you don't need it for a particular game or app.


My 2 cents.

< Message edited by GoodGuy -- 9/12/2009 6:43:14 PM >


_____________________________

"Aw Nuts"
General Anthony McAuliffe
December 22nd, 1944
Bastogne

---
"I've always felt that the AA (Alied Assault engine) had the potential to be [....] big."
Tim Stone
8th of August, 2006

(in reply to berndn)
Post #: 31
RE: Heads Up - Wargamer is Flagging Unsafe Again - 9/12/2009 4:45:25 PM   
junk2drive


Posts: 12907
Joined: 6/27/2002
From: Arizona West Coast
Status: offline
Good advice.

In the back of my memory was a problem with an Adobe Flash player update (before Adobe maybe) where a popup was a spoof. After that I only updated from the official website.
Last night my wife started up FF and the FF page advised her to update her Flash player. It took her to a page that looked like Adobe but FF blocked something at the top. When we tried to download our system warned that it might be malicious. I quit and went back to my computer. The official page looked just like hers and the last update was July 30 2009. I had to manually dl and install. Sometimes you just don't know what to do with all the real and false warnings.

I use ZoneAlarm so at least I get warned if something is trying to go outbound.

(in reply to GoodGuy)
Post #: 32
RE: Heads Up - Wargamer is Flagging Unsafe Again - 11/6/2009 2:23:24 AM   
LarryP


Posts: 3783
Joined: 5/15/2005
From: Carson City, NV
Status: offline
quote:

ORIGINAL: junk2drive

I use ZoneAlarm so at least I get warned if something is trying to go outbound.


I used ZoneAlarm for years off and on. After a few weeks of using it each time, it would start to lock up programs, especially games, but not only games. So I would disable it for a while, then go back to it. Every time I went back it would to the same lockups again. So I finally dumped it.

Have you had troubles like that at all?

(in reply to junk2drive)
Post #: 33
RE: Heads Up - Wargamer is Flagging Unsafe Again - 11/6/2009 3:34:54 AM   
junk2drive


Posts: 12907
Joined: 6/27/2002
From: Arizona West Coast
Status: offline
I don't play any online games or tcp/ip so no, no problems like that. When you update, you do need to click the allow box, but that doesn't bother me.

(in reply to LarryP)
Post #: 34
Page:   <<   < prev  1 [2]
All Forums >> [General] >> General Discussion >> RE: Heads Up - Wargamer is Flagging Unsafe Again Page: <<   < prev  1 [2]
Jump to:





New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts


Forum Software © ASPPlayground.NET Advanced Edition 2.4.5 ANSI

0.813