#1
My laptop got hit with "Security Tool" last night. This is a nasty bit of work disguised as an anti-virus program. It was a real mess and it took my Dad 2 hours to get rid of it.
The disappointment was that F-PROT missed it entirely.
__________________
Rachel Posner
#2
hey rachel
#3
I've had infections that F-Prot has missed too. I mostly use just Spybot and Avira Antivir now--Avira (which gives its full antivirus protection for free and doesn't come bundled with anything other than advertisements for its professional version that costs money) seems to find a lot of things that F-Prot doesn't.
#4
Sorry to hear that. The antivirus industry (overall) is kind of a mess now, and the biggest issue is malicious software. Most recent evaluations show that the major and minor players are not doing a particularly good job in catching certain kinds of malicious applications. The "Zeus" trojan, for example, which is really aimed at stealing banking information, is really hard to detect.
There's also a recent trend to using the Windows IME functionality to infect machines. If we actually had people logging into their computers as standard users (requiring that you log in as an administrator to install software), there'd be less of a problem. I'm not sure how happy people would be if we did that across the board.

One thing to keep in mind - we use Zenworks to distribute F-prot updates. If ZCM breaks on a workstation, it's not going to get the updates.

F-Prot actually does reasonably well in tests. However, if something is delivered (for example) via a malicious PDF file, it starts getting very difficult to catch. Once something is running on a system and loads with the operating system, it can be impossible to detect without booting off of either a Linux or Windows PE boot environment and scanning the drive. Something that's loaded with the operating system can intercept attempts to detect it. And it can only detect things it knows about. So someone's got to see it and report it before it's detected.

Another point - the more comprehensive the security application is, the more of an impact it has on the computer. I've seen some security packages slow computers down well beyond what a lot of users would think was reasonable, especially slightly older machines.

The biggest up and coming issue over the past year or two has been third party applications like Adobe Flash and Acrobat and Apple Quicktime. They don't have the greatest update mechanisms (Adobe Flash used to only check on reboot - and you have two copies, one for IE and one for "other browsers", and Apple's standard installer defaults to installing additional applications which may have their own security issues). At the point that you can do things like tell a "data file" to execute code (for example, the PDF specification has a mechanism to do that), you've got a problem. The Sun (now Oracle) Java JVM has been problematic for similar reasons.

One place F-Prot doesn't do well is in central monitoring (reporting infections back). That would require buying a package that costs considerably more, and that money isn't available in the current IT budget. It would be handy, though, since we could warn people about infections or potentially quarantine computers on our campus network until the machine is disinfected (if it's combined with Network Access Control).

Even "legit" web sites have become a problem - Samsung (for example) had a small web server hacked in the last year or so and it was serving up malicious content. One thing that's helped somewhat is that I use a Firefox add-on called "NoScript". It can be annoying to set up, but it at least prevents javascript from executing by default if you land on a web site you don't mean to end up on. The biggest issue is that you often need to temporarily disable it just before completing an online purchase, since it can interfere with the redirection for the credit card authorization.
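The standard-user point in the post above is easy to check on a Windows workstation. The script below is an added example, not code from this thread or from any of the products it mentions: it reports whether the current session is elevated and lists who is in the local Administrators group, so a desktop team can see which day-to-day accounts could install software (and therefore let a fake anti-virus install itself). It assumes Windows PowerShell 5.1 or later, where Get-LocalGroupMember is available; the list of expected members is a placeholder to adjust per site.

```powershell
# Added example (not from the thread). Audits local-admin exposure on one workstation:
#   1) is this session running with administrator rights?
#   2) which accounts are members of the local Administrators group?
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

# Accounts you expect to see in Administrators; placeholder values, adjust per site.
$expectedAdmins = @('Administrator', 'Domain Admins')

$identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal  = New-Object Security.Principal.WindowsPrincipal($identity)
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

Write-Host ("Current user : {0}" -f $identity.Name)
Write-Host ("Elevated     : {0}" -f $isElevated)
if ($isElevated) {
    Write-Host "  Day-to-day work in an elevated session lets any program you run install software."
}

# Enumerate the local Administrators group by its well-known SID (S-1-5-32-544),
# which still works if the group has been renamed or the OS is localized.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

Write-Host "`nMembers of local Administrators:"
foreach ($m in $members) {
    # Name comes back as MACHINE\user or DOMAIN\group; compare on the part after the backslash.
    $shortName = ($m.Name -split '\\')[-1]
    $flag = if ($expectedAdmins -contains $shortName) { 'expected' } else { 'REVIEW' }
    Write-Host ("  [{0,-8}] {1,-30} {2,-6} {3}" -f $flag, $m.Name, $m.ObjectClass, $m.PrincipalSource)
}

$unexpected = @($members | Where-Object { $expectedAdmins -notcontains (($_.Name -split '\\')[-1]) })
Write-Host ("`n{0} member(s) not on the expected list; each is an account malware could install from." -f $unexpected.Count)
```

Run it from a normal (non-elevated) prompt to see what a typical login session looks like; every entry flagged REVIEW is a user who can install software without being asked for a separate administrator password, which is exactly the situation the post says makes these fake anti-virus infections easy.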
#5
Re: intensive A-V software slowing the machine down... Yes, I put F-Prot on my Vista laptop (Vista was what it came with) and it's bogged down quite a bit. I'm thinking of changing to a different A-V program at home, maybe finding one that works better for the kind of Internet use I do.
We had a rash of infections in our offices at the beginning of the year with fake security tool credit card capture software, and we never could figure out what the common factor was; nobody seemed to be going to specific websites or downloading specific PDFs or programs. Pain in the tuchus. Thank goodness we can get rid of this stuff just by re-imaging the machines!
__________________
--Jennifer Heise "Comment is free, but facts are on expenses." - Tom Stoppard
#6
Quote:
__________________
Rachel Posner