• The malware wars: How you can fight it

    #488399

    TOP STORY

    The malware wars: How you can fight it

    By Michael Lasky

    A tip-filled conversation with Andrew Brandt, director of threat research at Solera Networks, reveals some of the ways hackers sneak malware into PCs. Malware most often embeds itself with our unwitting help, but even when we have our defenses fully up, malware can still climb aboard. Nevertheless, there are practical and effective ways to defeat it — or clean it out after the fact.


    The full text of this column is posted at WindowsSecrets.com/top-story/the-malware-wars-how-you-can-fight-it/ (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.


    • #1381986

      See my post here. 🙂

      • #1382009

        On Monday this week by coincidence, I was trying IE9 (I normally use Firefox but in an idle moment). Then I thought isn’t IE10 out soon and followed the links to the MS site.

        I downloaded and ran the installer and what an installer for just a browser update! It shut down everything including Security Essentials and even Windows Explorer so that my desktop vanished. Eventually it rebooted and almost immediately Security Essentials picked up Trojan:JS/Seedabutor.B in the IE temporary internet files folder.

        Obviously I let it delete the file and ran a full scan.

        Now I don’t use IE at all and only last week ran CCleaner and MyDefrag for a monthly clean up. That Trojan must have come from MS.

        Worst of all there seems to be no way to report this to MS. I tried for half an hour to find an email address, I even rang the switchboard, twice, but just ended up dumped in a circle of “press 2 for this, press 5 for that.” I gave up but maybe you guys have a back door to knock on?

        • #1382012

          I received 3 emails from “DHL”.
          Each email stated that there was some “Postal Code” error in attempting to deliver me a package.
          Each email was received from a different sender.
          Each email stated that if I did not respond to the email in a timely manner, they had the right to ownership of the delivery item.
          Each email also contained a ZIP file which was supposed to contain the details of the error.
          This ZIP file actually contained an executable, as shown below.
          Third email was from “DHL Manager” and I became interested in finding out about the attached ZIP file.
          My Windows8 protection for antimalware did not think there was anything wrong with the ZIP file attachment.
          I put the ZIP file on an old USB stick and unzipped it.
          The executable had the same name as the ZIP file, yet my system still did not think it was a threat.
          I did a brief Google search, to find out if I could post this *.exe somewhere that could tell me if it contained a malware.
          One of the Google results was a company called virscanDOTorg.
          I was not comfortable that this website itself was a reputable website.
          I did a search to find out about h**p://rDOTvirscanDOTorg and read the company’s “About VirScan” page and when I saw some Chinese characters at the site and that it was ‘translated to English’, I started getting concerned.
          But I needed to find out if any of the 37 listed anti-malware clients this website used could detect any sort of malware in the *.exe I was in possession of!
          All of the major big name anti-Malware programs appeared to be included in this list of 37.
          I finally relented and uploaded the file to dropbox and had VirScan do a scan on the *.exe.
          Of the 37 malware tests VirScan performed, only three (8%) of them detected a trojan in the *.exe package.

          h**p://r.virscanDOTorg
          File Name : **LABEL-ID-NY20**2013-GFK**.exe
          File Size : **56320 byte
          File Type : **PE32 executable for MS Windows (GUI) Intel 80386 32-bit
          MD5 : **65f**d2d3d8bb7fb3acfae94**8320e5
          SHA1 : **4f703854f**31c53cf8ccf2fa**55fd5e8186fd9

          Authentium >> W32/Trojan3.EYX (Exact)
          ClamAV >> PUA.Win32.Packer.Upx-53
          F-Prot >> W32/Trojan3.EYX (exact)

          I am now really puzzled if these emails were (or were not) a scam :confused:
          And I am really tempted to click on the *.exe, just in case my great great uncle left me a $million dollar booty :o:
          But I would not dare 😮
          Yet and in the interim, I hope that I was not jacked by this VirScan website 😡
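A structural check of the kind the post above describes, as an added example (it is not pseudoid's code or VirScan's): it inspects a ZIP attachment in memory for executable members by extension, by PE header and by the same-name-as-the-archive trick, without running anything. The archive and the member names are constructed placeholders.

```python
"""Triage a ZIP attachment for executable content without opening any of it.

Added example for this thread, not the original poster's code: the "DHL"
mails above carried a ZIP whose only member was an .exe named like the
archive, and the resident scanner passed it. This check looks only at
structure: member names, the first bytes of each member (the PE "MZ"
signature) and whether an executable member reuses the archive's own name.
"""
import io
import os
import zipfile

# Extensions Windows runs directly when double-clicked (non-exhaustive).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Extensions a lure imitates in a "details.pdf.exe" double extension.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def _stem(name: str) -> str:
    """Lower-cased file name without directory and without its final extension."""
    return os.path.splitext(os.path.basename(name))[0].lower()


def triage_zip(data: bytes, archive_name: str = "") -> list:
    """Return [(member_name, [reasons])] for members that warrant quarantine.

    data is the raw ZIP; archive_name is the attachment's file name, used to
    catch the same-name trick described in the thread."""
    archive_stem = _stem(archive_name) if archive_name else None
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(2)  # enough for the DOS 'MZ' signature
            lower = info.filename.lower()
            ext = os.path.splitext(lower)[1]
            inner_ext = os.path.splitext(os.path.splitext(lower)[0])[1]
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append("executable extension %s" % ext)
            if head == b"MZ":
                reasons.append("PE header (MZ) found")
                if ext not in EXEC_EXTENSIONS:
                    # Renamed executable: the extension says document, the bytes say PE.
                    reasons.append("PE content behind a non-executable extension")
            if ext in EXEC_EXTENSIONS and inner_ext in DOC_EXTENSIONS:
                reasons.append("double extension posing as %s" % inner_ext)
            if reasons and archive_stem and _stem(info.filename) == archive_stem:
                reasons.append("executable named like the archive itself")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip(stem: str, include_exe: bool = True) -> bytes:
    """Constructed sample modelled on the thread's attachment: a text note plus,
    optionally, an .exe carrying the archive's own name. The 'executable' is
    just an MZ signature followed by padding, not a runnable program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("delivery-notice.txt", b"Your parcel could not be delivered.")
        if include_exe:
            zf.writestr(stem + ".exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder name standing in for the redacted LABEL-ID-...exe in the post.
    archive = "LABEL-ID-PLACEHOLDER.zip"
    for name, reasons in triage_zip(build_sample_zip("LABEL-ID-PLACEHOLDER"), archive):
        print("%s -> %s" % (name, "; ".join(reasons)))
```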

    • #1382036

      For the dozen or so Windows boxes I tend to (Win XP through Win 7, accessed remotely using TeamViewer), I favor a “layered” approach: all have Avira Free A/V (with configurations including heuristics set to ‘high’ and hourly update checks), the Comodo Firewall (configured per the recommendations from Gizmo’s Freeware — https://www.techsupportalert.com/content/how-install-comodo-firewall.htm , WinPatrol, the Secunia PSI (I prefer v2.0), the Firefox browser (with NoScript, HTTPS-Everywhere and Force-TLS), the Web of Trust (some configured to exclude certain types of sites) and SpywareBlaster (which does occasionally need to be updated manually). Oracle’s Java is either not installed or not enabled in the browser.

      Some machines have Microsoft’s EMET deployed; all XP machines have DropMyRights. The DNS have been changed to Comodo SecureDNS, Norton DNS or OpenDNS.

      CCleaner (augmented with CCEnhancer) runs at start-up.

      Regular on-demand scans with Malwarebytes Anti-Malware and SUPERAntiSpyware (free versions), Kaspersky’s TDSSKiller and Trend Micro’s RootkitBuster have consistently shown no infections over several years; Malwarebytes Anti-Rootkit (in beta) also shows promise — http://www.malwarebytes.org/products/mbar/ (discussion: http://www.techrepublic.com/blog/security/rootkit-coders-beware-malwarebytes-is-in-hot-pursuit/9207).

    • #1382044

      Ya, I’m on the virtualization bandwagon also. I use almost nothing at all in the way of AV protection. Good router, I let Defender do its thing as long as it stays out of the way. I’m not at all curious like pseudoid is. That said, my computers have not caught so much as the sniffles in years so I may not be a typical example, but virtualization is still the way to go, not if one is interested in protecting confidential data, but if interested in easily recovering from any infection from any direction should it get onboard it certainly is. One can still feel free to layer up, so to speak, but the virtualization layer will bail one out regardless.

    • #1382046

      Virtualization is an excellent approach; unfortunately, it is not a practical solution for the technically challenged — which represents most of the machines in my care. Therefore, the trick is to harden these systems as much as possible in a way that requires an absolute minimum of operator interaction, or inconvenience (even having to work with NoScript and DropMyRights annoys several of the users…). The old acronym, KISS (Keep It Simple, Stupid) often comes into play, unfortunately.

    • #1382056

      I agree completely when it’s a separate process, but when it’s built right into the boot process, similar to what Steady State is for XP, it could not be more simple. There is still a challenge even there though: getting the user to recognize when and when not to have system virtualization active, so one can update programs and the operating system without removing those changes upon the next boot.
      It’s always a challenge in some respect no matter what we maintain, and as you mentioned, virtualization can be screwed up just as easily by an inept user…and hence we come upon the real common denominator. 🙂

    • #1382087

      Gr8 article! Mike. Most important for me was the heads up on XP and the method for discovering Abbreviated URLs for the different services providing them. THAT made my day. Thanks.

      • #1382089

        From his years of observing malware, Brandt believes that “the number one delivery method of a hack is a ZIP file. It might be disguised as a link or email attachment, but when opened, it will automatically unzip and execute the exploit that lodges malicious code in your computer.”

        Is something lost in translation here..? ZIP files do not unzip themselves. Self-extracting ZIP files unzip themselves, but technically those would be EXE files.

        “From my research, I’ve noticed that these files are usually deposited in temp-file locations. They show up as .exe or .dll files.” You don’t normally find executable files in a temp-file folder.

        And this is just paranoia. Executable files routinely end up in a temporary folder. It happens almost every time you run a perfectly legitimate installation program, or sometimes when you use a program’s auto-update feature, or if you run an application inside a ZIP file without unzipping it somewhere else first (depending on what app you’re using for ZIP files). Baffling.

        • #1382129

          kehander, Most archiving programs allow for integration directly into the FileManager/Explorer. When used in this manner, the ZIP files appear to look like folders and their content (normally) is shown in the right pane, as if they were data files within the ZIP ‘folder’. Think of it as a form of virtualization, but I would recommend against such integration, as it makes the content of a zip package too easy to execute. Cheers!

          • #1382142

            Most archiving programs allow for integration directly into the FileManager/Explorer. When used in this manner, the ZIP files appear to look like folders and their content (normally) is shown in the right pane, as if they were data files within the ZIP ‘folder’.

            “Most archiving programs”? The only one I know of that acts that way is the Zip-management built into Windows Explorer by default. Were you thinking of something in particular..?

            Even so, a ZIP file opened in such a fashion won’t “automatically unzip and execute the exploit” all by itself – you’d at least have to purposefully run whatever executable is in the ZIP.

            Pedantic? Perhaps, but we hardly need rumors about magical ZIP files that spontaneously infect computers, now do we?

            • #1382166

              kehander,
              I should probably not reply but just to kill any potential “rumors”; you are welcome to read the rest of this fresh piece of discussion:

              … Today, we benchmark three of the most well-known archiving and compression tools: 7-Zip, WinRAR, and WinZip. Not only do they support a massive number of formats, but they also integrate with Windows Explorer, making their functionality easy to access from where it’s actually needed.

              … as it makes the content of a zip package too easy to (click to) execute .

    • #1382163

      Generally good article, but I would appreciate a more thorough explanation of the statement “Stop using Windows XP.” To me, this sounds like it toes the Micro$oft line about the reason to upgrade. Yes, there was mention of UAC (User Access Control) built into Windows 7, but there was also a statement that indicated the typical Pavlovian dog response: “Most people just click Okay and continue”. So, they are not getting the benefit of UAC. What about running any operating system under restricted privileges for browsing, such that no software can be installed? Is Windows XP still in need of updating in that scenario?

      • #1382167

        This is just another scare-you-to-buy article. Grade: Poor

        • #1382172

          I cannot remember the last time I had a virus. In fact, I just warned two of my friends that their email accounts were hacked. I have common sense with downloads, links, and attachments, and many programs to defeat malware. When my old computer bit the dust (motherboard capacitors were swollen and leaking), I bought a new, fast, Windows 7 machine, and hated it so much that after a week I uninstalled 7, and went back to XP. All of my precious programs worked again. Right now, I am in the process of making backups, collecting components, like hard drives, and storing updates, because I will have Windows XP forever, even after support is gone. I will never have an iFad, tablet, Windows 8, and my unsmart cell phone only makes voice calls.

        • #1382173

          The second malware deterrent suggestion from Andrew Brandt includes using free AVG anti-virus software. Although this software may be effective, I consider it to be malware too in that it has a habit of forcing itself upon unsuspecting users. It does this through tying itself to downloading of other software from websites like CNet whose despicable practices “infect” PCs with programs that are very hard to delete. AVG forces itself as a default program which is time consuming to delete and almost impossible to delete by novice users.

          Microsoft Secrets would do well to distance itself from promoting software like AVG if for no other reason than to force such companies to shed themselves of clearly dishonest practices. From a security perspective I find it best to stay with an antivirus provider whose sole purpose is to keep their customers free from viruses, Trojans and the unscrupulous vermin that are pervasive on the internet. My choice is Trend-Micro whose annual cost is infinitesimal compared to the cost and inconvenience of recovering from an infection.

          • #1382204

            It seems that everything is getting ruined, especially when something is “improved”. I used to get my programs from C-Net and other free download places, not anymore. Even legitimate programs want to add toolbars and other crap. Gone are the days when I would just click the default or recommended installations. I choose Custom Installation and actually read the agreements now. Plus, I have completely uninstalled JAVA, and all remnants of JAVA left behind. It’s been many years since I have had an infection.

            32 bit Windows XP, 3.2 mHz dual-core, 2 GB RAM

            avast! free antivirus
            COMODO free firewall
            Advanced System Care Pro
            C Cleaner
            Malwarebytes
            Easeus Todo Backup
            X-Ray PC
            Smart Defrag 2
            Mouse Trap (Gibson Research Corp.)
            ShootTheMessenger (Gibson Research Corp.)
            Unpnp (Unplug and pray, Gibson Research Corp.)
            SocketLock (Gibson Research Corp)
            abine Do Not Track Me, and AVG Do Not Track (add-ons for Firefox)
            Trend Micro Online scanner
            PC Pitstop (online)
            Securnia (online)

            Let’s see some malware get through all that!

            • #1382753

              Don’t get too cocky, I’m sure there’s a kid in Russia that would roll their eyes and have root access with a few clicks. 😀

        • #1382740

          The article starts by almost encouraging clicks on things you were not expecting to get. Let’s start by placing a sign on mouse and keyboard saying “If you were not expecting to receive this, delete it without stupid experimentation no matter who it claims to be from ##$&#@$%%^&”.

          In many years of liberally following that rule, I’ve often heard people say that I will lose things that I should have received. The chances of that happening are low; in my case it’s been 1 or 2 since the beginning of the Internet. Disobey that rule and the chances are very high that you will find out there’s a reason for that rule. This covers malware in ZIP files, links to malware sites, shortened URLs, etc.!

          The second rule is effective anti-virus and firewall.

        • #1383624

          Tell Mr. Brandt to tell Micro$oft they should develop a UAC program to work with XP. One way to avoid malware, stop using XP? Mr. Brandt must be getting a hell of a stipend from Micro$oft for saying that. This just taints what he has to say. It’s about how much money he can make by speaking for Micro$oft.

          • #1383708

            Tell Mr. Brandt to tell Micro$oft they should develop a UAC program to work with XP. One way to avoid malware, stop using XP? Mr. Brandt must be getting a hell of a stipend from Micro$oft for saying that. This just taints what he has to say. It’s about how much money he can make by speaking for Micro$oft.

            A UAC module for Windows XP would pop up warnings every time you boot the OS. It really is that badly insecure!

            -- rc primak

      • #1382194

        Generally good article, but I would appreciate a more thorough explanation of the statement “Stop using Windows XP.” To me, this sounds like it toes the Micro$oft line about the reason to upgrade. Yes, there was mention of UAC (User Access Control) built into Windows 7, but there was also a statement that indicated the typical Pavlovian dog response: “Most people just click Okay and continue”. So, they are not getting the benefit of UAC. What about running any operating system under restricted privileges for browsing, such that no software can be installed? Is Windows XP still in need of updating in that scenario?

        Well said. Unfortunately, I won’t be able to stop using XP until I upgrade to it from the Win2K system that I’ve been using for the past dozen years through all its Windows Updates plus several hardware upgrades – a move which seems increasingly likely given that I significantly prefer XP (and Win2K) to the later offerings from Microsoft but would like to run a few things which no longer support Win2K.

        I’m glad to say that up-to-date anti-malware signatures from Avira still do support Win2K (running on its July, 2011, 10.0.0.650 release – which, incidentally, CAN detect threats even when they’re encapsulated within .zip files), as does a reasonably recent version (12.0 from April, 2012) of Firefox with NoScript and an older but still very effective version (3.1.0.26) of the Online Armor firewall which includes its ‘run safer’ sandboxing for use with browsers, email, and other applications which support things like Javascript that might, in the wrong hands, wreak havoc if not suitably constrained. Couple these with a router that includes its own hardware firewall that makes us effectively invisible to external probes and we haven’t activated (let alone been harmed by) a malware threat in many years despite occasional excursions into the murkier portions of the Internet. – so while I do have versions of Sandboxie (and DropMyRights) that support Win2K I haven’t seen any reason to make use of them nor even to create a non-Administrator account to use for day-to-day activity, let alone virtualize my Win2K system (I do, of course, make frequent image backups, but more to guard against catastrophic disk failure than against malware).

        XP, of course, is in a FAR better position to support current anti-malware products than Win2K is so I have no qualms whatsoever about choosing that as my eventual upgrade path, though I have paid some attention first to Win 7 and now Win 8 just in case I may eventually need them to run something that won’t run on XP. So I heartily agree with your observation that while the rest of the article seems reasonable, one should simply ignore its admonition to ditch XP ASAP unless one has other reasons for preferring a later Windows version.

    • #1382170

      You’re still talking about something different pseudoid, though it does indeed make it easier, I have mine integrated into the context menu; never happens without my call though.

      As far as UAC goes, first or second thing I disable, nothing but a nuisance to me. So backhauling that to XP, only reason to stop using it as far as malware is concerned is if you have a history of getting malware. It’s plenty secure behind a router otherwise. In other words, XP will sit there connected to the Internet for Eternity and not get infected; a user can continue that trend or hit it like the tidal wave that struck Japan. The user is the overwhelming deciding factor but I fear that will always fall on mostly deaf ears since we want to think in terms of security blanket, rather than a multitude of users of all different aptitudes.

    • #1382420

      There was definitely a Golden Age Geezer, we’re in a frenetic, what’s next, short attention span and getting shorter and more A.D.D. all the time now. Six second videos and 140 character limits are not my kind of world, but it’s a malware writer’s you-know-what dream. Notice again that I didn’t mention any Windows OS, for that makes very little real difference.

      • #1382503

        Sir Windows XP Geezer,
        If you have no use for that Win7 OS you bought, I’d be willing to take the Product Key off of your hands as a charitable contribution, which in turn I can install in a cohort’s PC, as he wants to migrate to Win7 but does not want to spend the $$. Free of charge! :rolleyes:

    • #1382551

      instead of fighting it
      i want a pc that is scumware proof

      I designed a DOS version in the 1980s
      nobody would buy it

      I can architect and design a win/grafx type pc now
      but only if someone will fund the effort in advance

      why doesn’t the govt do it?
      they know it can be done
      (at least they know that I can do it. not sure if they are smart enough)

      AVOID problems! Do NOT FIX them ever.

      the antispyware lobby will fight this project.
      so will billyg and microslop.
      probably NSA too
      they don’t want secure pcs.
      they have different agendae

      • #1382624

        Product keys and OS versions are the Great Mystery to me. I bought my computer from a computer shop, and I got no restore disks or OS disk. I know when I first bought my old computer in 2001, it had 5 restore disks that put a ton of mess on my computer, no true OS disk. When I took my new computer back to the builder, he removed Windows 7 and put Windows XP on it. My version of Windows XP is legitimate and I have all the critical updates. I have no disks, or product key for Windows 7. I rely on Easeus Todo Backup Home (Free). Before Easeus Todo Backup, I had no clue how to make a backup. Now I make regular weekly backup images of my entire C Drive, and it has saved me a dozen times so far (I play a lot of online games, plus I deleted some things I should not have). Windows XP System Restore is turned off. Soon I plan to get Windows 7 Professional, which can run in XP Mode. It will be on a separate hard drive and will be a dual-boot XP/7 system, but I will always have Windows XP. I will have to purchase Windows 7 Professional 32-bit, and I have no idea what version of it I should get: Branded, OEM, Retail? I have no clue. Sorry I cannot help.

        • #1382638

          Soon I plan to get Windows 7 Professional, which can run in XP Mode. It will be on a separate hard drive and will be a dual-boot XP/7 system, but I will always have Windows XP. I will have to purchase Windows 7 Professional 32-bit, and I have no idea what version of it I should get: Branded, OEM, Retail? have no clue. Sorry I cannot help.

          XP Mode runs as a “program” within Win7 Pro so you won’t be dual booting but even better, you can run both OSes at the same time. It’s a bit difficult to move XP Mode to another disk but it can be done, where it will perform better, especially if it’s on an SSD, either by itself or even with Win 7 on the same SSD. If you export XP Mode to VMware Player and use that virtual software instead of Virtual PC you get even more options, better integration and use of hardware resources, easier access, simple to move and back up, things like that.

    • #1382630

      It’s really discouraging to see self-styled “experts” writing columns that are so full of rubbish!

      ZIP files don’t execute themselves, as other posters pointed out. Even if you open a .ZIP with Explorer or any archive program, you still have to deliberately run the enclosed .exe file. How is this any different than mindlessly running a random .exe file?

      Any decent AV program will automatically open .ZIP archives and examine the contents. If you have one that doesn’t, get rid of it.

      Speaking of which, as an independent IT service professional, I routinely remove all (yes, ALL!) AV programs from my clients’ computers, and only install Microsoft Security Essentials. I’m no M$ fanboy, but MSE is as good an AV program as any (there are NO perfect AV’s, as I am sure you should already know), is very low overhead, supported by M$, and free! Plus, it is already baked into Win8, so get used to it.

      NEVER run two AV’s on the same computer, except for special circumstances, then remove the ones you are finished with. They will just interfere with each other and slow down the computer, at the very least.

      As far as I know, reading a .PDF file can’t cause any infection. If this is wrong, please explain the details, don’t just make a blanket statement like “Other popular methods for delivering malware include PDFs, EXE files”. PDF is waaay too useful and popular to start scaring people about reading them.

      In my opinion, one of the biggest threats to security are M$ patches that fail to install, then block any further updates from installing. I can’t tell you how many times I have had to fix Vista, Win7 and Win8 computers (including my own) by manually searching for and downloading individual patches that Windows Update quietly failed to install. Not only that, but I find that I have to “search for updates” from the control panel multiple times to get all the updates, not just once. Hint: there is an open source OS that knows how to do updates correctly. Exercise left to the user.

      • #1382636

        As far as I know, reading a .PDF file can’t cause any infection. If this is wrong, please explain the details, don’t just make a blanket statement like “Other popular methods for delivering malware include PDFs, EXE files”. PDF is waaay too useful and popular to start scaring people about reading them.

        PDFs can have macros embedded in them that can execute upon opening. I don’t know what Adobe does to curtail that potential vector but Foxit simply installs in “safe” mode unless otherwise directed to, wherein it does not allow macros to execute.

      • #1382655

        As far as I know, reading a .PDF file can’t cause any infection. If this is wrong, please explain the details, don’t just make a blanket statement like “Other popular methods for delivering malware include PDFs, EXE files”. PDF is waaay too useful and popular to start scaring people about reading them.

        It may not be common (now), but it’s far from impossible:

        Viruses and exploits

        PDF attachments carrying viruses were first discovered in 2001. The virus, named OUTLOOK.PDFWorm or Peachy, uses Microsoft Outlook to send itself as an attachment to an Adobe PDF file. It was activated with Adobe Acrobat, but not with Acrobat Reader.[68]

        From time to time, new vulnerabilities are discovered[69] in various versions of Adobe Reader, prompting the company to issue security fixes. Other PDF readers are also susceptible. One aggravating factor is that a PDF reader can be configured to start automatically if a web page has an embedded PDF file, providing a vector for attack. If a malicious web page contains an infected PDF file that takes advantage of a vulnerability in the PDF reader, the system may be compromised even if the browser is secure. Some of these vulnerabilities are a result of the PDF standard allowing PDF documents to be scripted with JavaScript. Disabling JavaScript execution in the PDF reader can help mitigate such future exploits, although it does not protect against exploits in other parts of the PDF viewing software. Security experts say that JavaScript is not essential for a PDF reader, and that the security benefit that comes from disabling JavaScript outweighs any compatibility issues caused.[70] One way of avoiding PDF file exploits is to have a local or web service convert files to another format before viewing.[71]

        On March 30, 2010 security researcher Didier Stevens reported an Adobe Reader and Foxit Reader exploit that runs a malicious executable if the user allows it to launch when asked.[72]

        http://en.wikipedia.org/wiki/PDF#Viruses_and_exploits

        Security

        The latest security bulletins from Adobe are published on their Security bulletins and advisories page.[46] There have been security updates for Adobe Reader and Acrobat on Jan. 10, Apr. 10, and Aug. 14 of 2012, as well as Jan. 8, 2013.[47]

        From Version 3.02 onwards, Acrobat Reader (now Adobe Reader) has included support for JavaScript. This functionality allows a PDF document creator to include code which executes when the document is read. Malicious PDF files that attempt to attack security vulnerabilities can be attached to links on web pages or distributed as email attachments. While JavaScript is designed without direct access to the file system to make it “safe”, vulnerabilities have been reported for abuses such as distributing malicious code by Acrobat programs.[48] McAfee predicted that Adobe software, especially Reader and Flash, would be the primary target for software attacks during 2010.[49] Adobe applications had already become the most popular client-software targets for attackers during the last quarter of 2009.[50]

        http://en.wikipedia.org/wiki/Adobe_Acrobat#Security

        Security Advisory for Adobe Reader and Acrobat
        Release date: February 13, 2013

        These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system.

        Adobe is aware of reports that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message.

        http://www.adobe.com/support/security/advisories/apsa13-02.html

        Bruce
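The risky PDF features these excerpts describe (embedded JavaScript, actions that fire on open, and the Launch action from the 2010 report) can be triaged before a file ever reaches a reader. The following is an added example, not code from the thread, Wikipedia or Adobe: a keyword heuristic over the document bytes that also looks inside Flate-compressed streams and undoes #xx-escaped names, two places where a plain text search would miss the markers. The sample document is constructed here; its names and the /F target are placeholders.

```python
"""Flag PDF features that make a document worth quarantining before viewing.

Added example for this thread. It is a triage heuristic in the spirit of
the advice quoted above (disable JavaScript, treat auto-run actions with
suspicion), not a full PDF parser: it looks for the name tokens that wire
active content into a document, in the raw bytes and inside streams that
zlib can inflate, after undoing the #xx escapes PDF allows in names.
"""
import re
import zlib

# Name tokens whose presence marks a document for a closer look.
RISKY_NAMES = {
    b"JavaScript": "JavaScript action (/JavaScript)",
    b"JS": "inline JavaScript code (/JS)",
    b"OpenAction": "action triggered when the document opens (/OpenAction)",
    b"AA": "additional actions bound to events (/AA)",
    b"Launch": "Launch action, runs an external program (/Launch)",
    b"EmbeddedFile": "embedded file (/EmbeddedFile)",
}

# A PDF name ends at the first non-regular character, so /JSON must not match /JS.
_NAME_RE = re.compile(rb"/(" + b"|".join(RISKY_NAMES) + rb")(?![0-9A-Za-z])")
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in names, so /Laun#63h is seen as /Launch."""
    return _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes):
    """Yield the decompressed body of every stream that zlib can inflate."""
    for m in _STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-encoded (image data, other filters): skip it


def scan_pdf(data: bytes) -> dict:
    """Return {description: count} of risky names found in the PDF bytes,
    including those only visible after inflating compressed streams."""
    hits = {}
    sources = [normalize_names(data)]
    sources.extend(normalize_names(body) for body in inflate_streams(data))
    for src in sources:
        for m in _NAME_RE.finditer(src):
            desc = RISKY_NAMES[m.group(1)]
            hits[desc] = hits.get(desc, 0) + 1
    return hits


def verdict(hits: dict) -> str:
    """Coarse triage decision from the counts returned by scan_pdf."""
    found = set(hits)
    script = {RISKY_NAMES[b"JavaScript"], RISKY_NAMES[b"JS"]}
    auto = {RISKY_NAMES[b"OpenAction"], RISKY_NAMES[b"AA"]}
    if RISKY_NAMES[b"Launch"] in found or (found & script and found & auto):
        return "quarantine"  # active content wired to run without a deliberate click
    if found:
        return "review"  # active content present; open only with JavaScript disabled
    return "clean"


def build_sample_pdf() -> bytes:
    """Constructed sample, not a document from the thread: an OpenAction that
    runs JavaScript in clear text, plus a Launch action hidden in a
    Flate-compressed stream under a hex-escaped name. /F is a placeholder."""
    hidden = b"5 0 obj << /Type /Action /S /Laun#63h /F (placeholder) >> endobj"
    compressed = zlib.compress(hidden)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n"
        b"4 0 obj << /Length " + str(len(compressed)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + compressed + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    found = scan_pdf(build_sample_pdf())
    for desc, count in sorted(found.items()):
        print("%dx %s" % (count, desc))
    print("verdict:", verdict(found))
```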

        • #1382699

          Well, F.U.N. downtown, I am clueless. I will indeed be dual booting, with Windows 7 on one SATA drive, and Windows XP on another SATA drive. I will get a few more SATA drives as spares, large ones over 500GB. I will never buy an expensive, smaller, Solid State drive, I don’t care how fast they are. I put Solid State drives in the same “Improvements List” of things I won’t get, like smaller touch screens and cloud computing. Paying more for a smaller hard drive is going backwards, as far as I am concerned.

      • #1382713

        As far as I know, reading a .PDF file can’t cause any infection. If this is wrong, please explain the details, don’t just make a blanket statement like “Other popular methods for delivering malware include PDFs, EXE files”. PDF is waaay too useful and popular to start scaring people about reading them.

        There are exploits that take advantage of vulnerabilities in PDF readers or that can use the PDF language to get some innocuous things such as executables to run. You better update your knowledge about this issue. A Google search may be of help.

    • #1382702

      Then you will have two separate installations Geezer, and will not be using XP Mode; that is virtual only so it requires a booted host (Win 7 Pro or Ultimate). Maybe you were thinking of Win 7’s XP SP2 compatibility mode for installation and running of some programs?

      • #1382788

        To F.U.N. downtown:
        I had a dual-boot system in the past. At boot up I could choose either Windows XP or Linux, which were on separate drives. I intend to put Windows XP Home and Windows 7 Professional on separate drives. Now, if I can have a computer, with just Windows 7 on it, and run it in Windows XP Mode (or have a part of that drive devoted to XP mode), then logically thinking, I should be able to put Windows 7 on one drive, with that XP Mode ... partition or whatever, and have Windows XP on another hard drive, and choose which one I want to use when I boot up. I only intend to get Windows 7 as a safeguard for the future, for my online activities. I have a whole bunch of pre-Windows 7 games, programs, music editors, USB Turntable, etc., to keep me entertained offline with Windows XP for the rest of my life. Isn’t this amazing? >.> Market Share: Windows XP = 38%, Windows Vista = 5%, Windows 7 = 44%, Windows 8 = 2%. It’s very strange that so many people are still using such an old OS, and that when I go to get my taxes done, to the auto parts store, and even in the operating room when I had minor surgery, that Windows XP Pro was the OS they use.

    • #1382754

      My mom accidentally clicked on an Adobe update a couple years ago and unleashed a real big Trojan that disabled everything, Win updater, firewall, etc. After going through and reinstalling everything, I changed her account to limited, along with using most of the same programs many have listed in this thread. Network security is like running around trying to keep plates spinning on poles, very stressful and nerve-racking!

    • #1382781

      Far too many people are “overly” concerned with AM/AV protection while seriously lacking any kind of decent backup regimen.
      This mentality of failing to recognize what is truly important is quite common amongst novices.

      Most if not all novice computer users should be on a limited account. And the advice for most people to ditch Windows XP is very sound.
      If you’re an advanced computer user who knows his/her own system and has a competent backup regimen, what OS you’re using will matter very little.

    • #1382789

      Sure, you can have both XP boot and XP Mode in Win 7 Pro, though I don’t know why. Once I tasted the power of VM/host with almost no performance issues, there was no going back for me, I haven’t set up a dual boot system now in several years. The only issue I have is whether to run XP as host or Win 7. If I use Win 7 64-bit as host, I can use and allocate more memory and use more than one vm at a time but measuring actual usage, I only run one vm 99% of the time. It’s about all a good multicore processor can handle when both systems are hard at work. At the moment I’m typing this in my XP vm with Format Factory converting about 19 videos headed for one location while the host is converting several more videos headed for a different location and I’m getting a good 90% constant CPU utilization without any performance slowdowns in either the host or the VM. I love that sort of efficiency and one can’t get that from dual booting. With the exception of the hard drive which really needs to be an SSD, most desktop systems these days are way overbuilt for everyday use with the exception of video editing/rendering and modern FPS games.

      My war is with the KPA and the Ceph, not malware, and yes, the VM is shut down during those times to provide my enemies with undivided attention!!

      I think unless you have some unique online activities that require I.E., we’ll be just fine for a long time to come as long as Chrome and Firefox keep thinking XP is worth their while. I love the fact that Chrome zipped right into the lead browser on the block, largely because MS decided XP wasn’t worth their time anymore. They might never get that prize back now.

      • #1382791

        Oh well, maybe I want to have a dual-boot system for nostalgia. Don’t mind me, because I am the last of a dying breed. I have no disposable income with my disability check. I get 20 GB a month usage with my USB broadband modem. I use a mouse and keyboard with PS/2 connections, because I have PS/2 connections on the back of my tower, and it frees up 2 USB ports. My monitor is an old 600 x 800 flat-front CRT with an 18 inch rear end. When it goes bad I will upgrade it, but so far the graphics and colors are outstanding. The big JBL Platinum Series speakers hanging on the sides of the monitor sound awesome. I have inputs on the front and back of the tower and I have my computer connected to a printer, joystick, webcam, USB turntable, stereo VCR/DVD recorder, FM tuner, home theater, and cassette deck. I can record and play music both ways to any component. I got a 32-bit machine to save on memory costs, and I will eventually raise my 2 GB memory to 4 GB (the max). I have two multi optical drives, and I may fill the empty floppy drive bay with a multicard reader. I bought a USB external hard drive enclosure and put my old 160 GB ATA hard drive in it. I have a 320 GB and a 250 GB SATA drives inside my huge tower. With my 20 GB slower broadband, I won’t be downloading many videos, but that is fine: I watch my movies on a big old-fashioned, 100 pound Stereo TV, with a converter box, and rabbit-ears antenna, for FREE. Why should I pay to watch my own TV? I get Acme Classics, and I watch good old, old shows. Most are black and white, but the shows were better back then. I still have a land line phone, and only use my pre-paid cell phone when I go out, for urgent business. I get my water out the faucet, and not in a bottle. So you kids, stay off my Windows XP yard!!! [Waves real-life cane] But seriously, thanks for the info.

    • #1382900

      I have just today joined, having read your column on avoiding malware. You mentioned Malwarebytes. I had been using it until I had trouble with my computer. The same tech that addressed the problem advised me about Windows Secrets and I have been reading it since. However, he advised me to get rid of either Malwarebytes or Norton Internet Security as there was likely a conflict which caused my problems. I decided to uninstall Malwarebytes as I had just renewed my Norton subscription. Does anyone have any comments regarding running both Norton Internet Security and Malwarebytes? I still have Norton Internet Security.

      • #1383050

        I have a friend in Jerusalem who is running Norton Internet Security (NIS) with Malwarebytes (I recently gave him a paid subscription to the Pro version of Malwarebytes). Everything is running fine on his Windows XP system, which is about 7 years old, and currently has 1 GB of RAM (maximum upgradable to 2 GB RAM). Malwarebytes did catch one piece of malware that slipped through NIS.

        On my ~6 year old laptop (Windows 7 Ultimate), Malwarebytes detected and removed a browser hijack malware that slipped past the guard of my TrendMicro AV software.

    • #1382919

      If not, why print it in Windows Secrets Newsletter?

      From the article:

      “From my research, I’ve noticed that these files are usually deposited in temp-file locations. They show up as .exe or .dll files.” You don’t normally find executable files in a temp-file folder.

      So why not just sandbox the browser cache, the Downloads Folder and the Temp Folder(s)? At least for Limited or Standard Users? Only those things you confirm through execution control dialogs should execute. Problem solved.

      In Linux, you can designate the Home and Root Directories as NoExec, with the same security advantage. Although a better analogy might be the Linux Swap Partition, which is by default NoExec.

      In Windows, Trusted Installer can override most sandboxing restrictions, so third-party sandboxing would have to be used, and it would have to be able to override some of the highest Permissions Levels known to Windows (for Trusted Installer). That’s Microsoft’s fault, and it may be unfixable.

      I find the claim in the article implausible. Otherwise, there wouldn’t be a cottage industry in Windows security programs.

      Other security topics raised in this thread:

      Most AV scanners are set by default to skip scanning inside of ZIP archives. It takes a LOT longer to do a File System Scan if this option is defeated. I know — I have Avast and MSE set to scan inside the ZIP archives — and I see with every Full System Scan why folks would choose to leave the default (no scan of ZIP archives) as-is.

      It’s not just novices who should run in Limited User mode most of the time. I do so in Windows 8 Pro. And everyone here knows I am no novice.

      As for someone being an XP die-hard because of the alleged expense of upgrading, I run Windows 8 Pro with almost all freeware. And without toolbars or ads, thank you. If I had actually upgraded from the OEM Windows 7 on my laptop, this would have cost me all of $40.00. Is this too much to pay? My point is, there are very cheap ways of staying up to date with Windows and most types of programs.

      I don’t use cable TV or Internet Services like Hulu or Netflix. Converter Boxes, antennas and VCRs — nothing else, except for the occasional free online site for a program I can’t get through the antennas. Now, speaking of security, those online free TV streaming sites are a prime example of why some folks need good firewalls and antivirus!

      If you want to run any Second Opinion anti-spyware program (which most of us in the Lounge do recommend) or any online scanner (which WS columnists recommend), both Norton and McAfee will not play well with your other AV/AS products or services. You will have to choose one or the other. MSE-4 and Avast 8 have been playing mostly nicely in my Windows 7 Home Premium installation for a few months now. Others have used Malwarebytes Pro with MSE-4 with few issues if any.

      -- rc primak
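rc primak’s post above asks whether Windows could simply refuse to execute anything from the browser cache, the Downloads folder and the Temp folders. The Pro/Business editions of Windows do have a built-in mechanism for that, Software Restriction Policies (SRP); this added PowerShell example (not from the thread or any of its participants) writes SRP path rules for those three locations straight into the local policy registry keys, assuming an elevated prompt, the Vista-and-later profile layout, and no existing SRP policy on the machine.

```powershell
# Added example (not from the thread): Software Restriction Policy path rules
# that disallow execution from the per-user Temp folder, the IE cache and the
# Downloads folder. Run from an elevated PowerShell prompt on a Pro/Business
# edition. Assumes the Vista/7/8 profile layout; adjust the paths for XP.

$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Initialize-SrpPolicy {
    # Create the policy key with a permissive default (0x40000 = Unrestricted)
    # so that only the explicit Disallowed path rules below take effect.
    if (-not (Test-Path $SrpRoot)) {
        New-Item -Path $SrpRoot -Force | Out-Null
    }
    Set-ItemProperty -Path $SrpRoot -Name 'DefaultLevel' -Value 0x40000 -Type DWord
    # TransparentEnabled: 1 = check executables but not DLLs (2 would also
    # check every DLL load, at a noticeable performance cost).
    Set-ItemProperty -Path $SrpRoot -Name 'TransparentEnabled' -Value 1 -Type DWord
    # PolicyScope: 0 = enforce for all users, including local administrators.
    Set-ItemProperty -Path $SrpRoot -Name 'PolicyScope' -Value 0 -Type DWord
    Set-ItemProperty -Path $SrpRoot -Name 'AuthenticodeEnabled' -Value 0 -Type DWord
    # The file types SRP treats as executable; this is the list the Local
    # Security Policy editor writes by default when a policy is first created.
    $types = @('ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP',
               'HTA','INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST',
               'OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')
    Set-ItemProperty -Path $SrpRoot -Name 'ExecutableTypes' -Value $types -Type MultiString
}

function New-SrpDisallowPathRule {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Description = ''
    )
    # Rules at security level 0 (Disallowed) live under 0\Paths\{GUID}.
    $ruleKey = Join-Path $SrpRoot ('0\Paths\{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    # ItemData is REG_EXPAND_SZ, so %USERPROFILE% is expanded for each user.
    Set-ItemProperty -Path $ruleKey -Name 'ItemData' -Value $Path -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name 'SaferFlags' -Value 0 -Type DWord
    Set-ItemProperty -Path $ruleKey -Name 'Description' -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name 'LastModified' `
        -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
    return $ruleKey
}

function Get-SrpDisallowPathRules {
    # List the current Disallowed path rules so they can be audited or, with
    # Remove-Item on the returned key, rolled back.
    $pathsKey = Join-Path $SrpRoot '0\Paths'
    if (-not (Test-Path $pathsKey)) { return @() }
    Get-ChildItem -Path $pathsKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Key         = $_.PSPath
            Path        = $props.ItemData
            Description = $props.Description
        }
    }
}

# The three locations the post names, expressed as SRP wildcard path rules.
$blockedLocations = @{
    '%USERPROFILE%\AppData\Local\Temp\*'                                       = 'Per-user Temp folder'
    '%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\*' = 'IE browser cache'
    '%USERPROFILE%\Downloads\*'                                                = 'Downloads folder'
}

Initialize-SrpPolicy
foreach ($location in $blockedLocations.Keys) {
    $key = New-SrpDisallowPathRule -Path $location -Description $blockedLocations[$location]
    Write-Host "Disallowed: $location ($key)"
}

# The rules apply to processes started from now on; check them with a harmless
# .exe copied into %TEMP% and launched from a fresh command prompt.
Get-SrpDisallowPathRules | Format-Table -AutoSize
```

The trade-off raised later in this thread applies: installers that unpack into Temp will be refused until their rule is removed with Remove-Item on the key returned by Get-SrpDisallowPathRules. The same rules can be created interactively in secpol.msc under Software Restriction Policies if writing to the registry directly is not wanted.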

      • #1382967

        I find the claim in the article implausible. Otherwise, there wouldn’t be a cottage industry in Windows security programs.

        I’m not clear what “claim” you’re referring to. This part of your comments doesn’t seem to relate to the small part of the article which you quoted.

        Did something in the article hint that Windows security products were ineffective or unnecessary?

        Bruce

        • #1383210

          I’m not clear what “claim” you’re referring to. This part of your comments doesn’t seem to relate to the small part of the article which you quoted.

          Did something in the article hint that Windows security products were ineffective or unnecessary?

          Bruce

          The quote was crystal clear. “…these files are usually deposited in temp-file locations. They show up as .exe or .dll files….”

          If this were true of malware and how it infects Windows, simply deleting these files, and sandboxing (or preventing execution from) these temp-file locations, would solve all our malware problems. This was allegedly a Windows security expert making this statement.

          This is what I said is implausible to me.

          But if this were indeed true of Windows malware, then cleaning the browser cache and other temp file locations before closing an online session should be a very effective Windows security practice. Yet, I never see this technique mentioned in Windows security articles. This I also find strange, if what was quoted in the article were indeed true of Windows malware.

          In any event, no well-disciplined Operating System should ever be allowing .exe or .dll files to be executed from temp-file locations. It isn’t necessary and it doesn’t make security sense.

          What part of this is not related to the article?

          The part about Linux and how it prevents .exe and .dll execution from vulnerable locations is also direct and to the point. Windows unfortunately has always lacked the structural discipline to allow whole Directories to be declared NoExec and solve a lot of security headaches in this way.

          -- rc primak

          • #1383250

            In any event, no well-disciplined Operating System should ever be allowing .exe or .dll files to be executed from temp-file locations. It isn’t necessary and it doesn’t make security sense.

            But you don’t think it happens much?

            Bruce

            • #1383552

              But you don’t think it happens much?

              Bruce

              I think it DOES happen much, and I am wondering if this is really necessary. If not, why can’t Windows programmers get together and set more secure standards for downloaded executables and the locations where they temporarily reside on PCs? Couldn’t these temp locations be sandboxed? That alone might prevent a large portion of auto-exec attacks through the browser, wouldn’t it?

              Then again, this is what Smart Screen Filtering in IE 9 and 10 (and the upcoming IE11) are supposed to do. Are these measures enough? I guess time will tell.

              -- rc primak

            • #1383626

              I think it DOES happen much, and I am wondering if this is really necessary. If not, why can’t Windows programmers get together and set more secure standards for downloaded executables and the locations where they temporarily reside on PCs? Couldn’t these temp locations be sandboxed? That alone might prevent a large portion of auto-exec attacks through the browser, wouldn’t it?

              This seems to reinforce the part of the article you found implausible earlier.

              You were surprised that a security expert would talk about infections often being found in temporary folders, and now you’re doing it.

              Bruce

            • #1383667

              This seems to reinforce the part of the article you found implausible earlier.

              You were surprised that a security expert would talk about infections often being found in temporary folders, and now you’re doing it.

              Bruce

              I am still surprised, not by finding files in temp locations which could be executed elsewhere, but by finding (as posted in this thread) that many executables actually can and do execute directly from their temp locations. This is insanely insecure! It does not need to occur, and is bad software writing at the OS level. And then folks wonder why Windows is so vulnerable to Internet-based malware attacks!

              It isn’t that there ever appear to be executables temporarily stored (such as downloads) which surprises me. It’s that under Windows, there is no native (built-in) safeguard against these executables executing without being moved elsewhere (which a good security program could monitor and if necessary warn about). The lack of this safeguard is what I find surprising and inexcusable in Windows design and function (if it is indeed the case).

              The quote from the security expert seemed to say or imply that the vast majority of Windows malware shows up in this way. While the expert does not say that the malware executes directly from these temp locations, there seems to be a reasonable inference that this is exactly what is happening in many Windows infection scenarios. There is no reason I can think of why such behaviors couldn’t be simply across the board disallowed. In which case, the vast majority of Windows security issues would vanish right then and there, if the quote is to be believed.

              Somewhere in here, some mention of the extremely elevated permissions status of Trusted Installer should be made, but I’m not sure how this may be interacting with the security flaw of (allegedly) allowing executables to execute directly from temp locations.

              I don’t believe that this is the way Windows malware infections work. Maybe sometimes, but I don’t believe it’s so simple all the time. If it is so, then we are spending a lot of time and effort putting together layers of security programs, when all we need is a good sandbox around the temp locations.

              Make these locations secure (if the statement is true) in the sense that nothing executes from these locations without user interaction, and all our security problems should go away.

              Again, I don’t believe the Real World of Windows malware is anywhere near this simple.

              So the quote is false and potentially dangerously misleading. And its inclusion in a Windows Secrets story is very irresponsible.

              That is, if my suspicions are correct, and if the quote says what I read it as saying.

              -- rc primak

            • #1383721

              I am still surprised, not by finding files in temp locations which could be executed elsewhere, but by finding (as posted in this thread) that many executables actually can and do execute directly from their temp locations. This is insanely insecure! It does not need to occur, and is bad software writing at the OS level. And then folks wonder why Windows is so vulnerable to Internet-based malware attacks!

              It isn’t that there ever appear to be executables temporarily stored (such as downloads) which surprises me. It’s that under Windows, there is no native (built-in) safeguard against these executables executing without being moved elsewhere (which a good security program could monitor and if necessary warn about). This is what I find surprising and inexcusable in Windows design and function.

              The quote from the security expert seemed to say or imply that the vast majority of Windows malware shows up in this way. While the expert does not say that the malware executes directly from these temp locations, there seems to be a reasonable inference that this is exactly what is happening in many Windows infection scenarios. There is no reason I can think of why such behaviors couldn’t be simply across the board disallowed. In which case, the vast majority of Windows security issues would vanish right then and there, if the quote is to be believed.

              Antivirus programs do prevent executables running from temp folders, e.g. Svchost.exe is trying to run from windows/Temp folder

              I don’t believe that this is the way Windows malware infections work. Maybe sometimes, but I don’t believe it’s so simple all the time. If it is so, then we are spending a lot of time and effort putting together layers of security programs, when all we need is a good sandbox around the temp locations.

              Make these locations secure (if the statement is true) in the sense that nothing executes from these locations without user interaction, and all our security problems should go away.

              The quote didn’t say always.

              Again, I don’t believe the Real World of Windows malware is anywhere near this simple.

              So the quote is false and potentially dangerously misleading. And its inclusion in a Windows Secrets story is very irresponsible.

              That is, if my suspicions are correct, and if the quote says what I read it as saying.

              So the quote is false because you believe it SHOULD not be possible, not because you believe it IS not possible?

              But why is publishing it dangerous or irresponsible?

              Bruce

            • #1384414

              Antivirus programs do prevent executables running from temp folders, e.g. Svchost.exe is trying to run from windows/Temp folder

              The quote didn’t say always.

              So the quote is false because you believe it SHOULD not be possible, not because you believe it IS not possible?

              But why is publishing it dangerous or irresponsible?

              Bruce

              “Antivirus programs do prevent…”

              Why should we need special third party programs to do what Windows doesn’t do? Why should Windows by default allow direct execution from temp locations?

              “The quote didn’t say always.”

              The quote was irresponsibly broad in making such a sweeping generalization. And Windows Secrets is irresponsible for not qualifying what the quote says.

              The quote is false and misleading, in that it does NOT say that there are other ways to infect Windows from the Internet.

              -- rc primak

            • #1384428

              Why should we need special third party programs to do what Windows doesn’t do? Why should Windows by default allow direct execution from temp locations?

              If you’re certain that Windows Defender doesn’t prevent that, then ask Microsoft.

              The quote was irresponsibly broad in making such a sweeping generalization. And Windows Secrets is irresponsible for not qualifying what the quote says.

              The quote is false and misleading, in that it does NOT say that there are other ways to infect Windows from the Internet.

              On what research do you base your opinion that this malware analysis expert was incorrect to say “usually”?

              And why was it dangerous or irresponsible, when he stressed the importance of antivirus and antimalware programs?

              Bruce

            • #1384933

              If you’re certain that Windows Defender doesn’t prevent that, then ask Microsoft.

              Bruce

              I have personally watched as downloaded malware (adware) evaded Windows Defender and executed from temp locations. But I still do not know whether this is the most common, or the “usual” path for Windows infections.

              On what research do you base your opinion that this malware analysis expert was incorrect to say “usually”?

              And why was it dangerous or irresponsible, when he stressed the importance of antivirus and antimalware programs?

              Bruce

              Your embedded link points to a press release which does not contain the quote used in the Windows Secrets article.

              The expert’s quote (in the Windows Secrets article) did not stress the importance of antimalware. That was later in the article, by the article’s author. And he never qualified the quote. The quote stressed the appearance of .exe and .dll files in temp locations. In fact, the expert spent a lot of time deprecating signature-based scanning for malware.

              I do not agree with the implication that the main emphasis of protecting Windows from malware should be on .exe or .dll files in temp locations. The quote clearly implied this emphasis.

              Also, the same expert seems unaware that ZIPped archives can be opened and scanned by antivirus scanners during a Full System Scan. I have to tell Avast and Super Antispyware not to skip compressed or packed files, but both scanners can and will open and scan them — at the cost of doubling scan times.

              -- rc primak

            • #1384944

              But I still do not know whether this is the most common, or the “usual” path for Windows infections.

              So why label the expert’s “usually” quote as “implausible”, “false” and “misleading” if you have no idea whether it’s true or not? :rolleyes:

              Your embedded link points to a press release which does not contain the quote used in the Windows Secrets article.

              I realize that. It was to show you the background of the guy whose opinion you’re disputing.

              The expert’s quote (in the Windows Secrets article) did not stress the importance of antimalware. That was later in the article, by the article’s author.

              Absolutely incorrect:

              When asked the top three ways to deter malware on a PC, Brandt’s suggestions are ones we should all know — and follow — by now.
              ◾Stop using Windows XP.
              ◾Install and keep updated security software such as the free AVG (site) and Malwarebytes (site).
              ◾Most important: Think before clicking any link and whenever Windows unexpectedly asks whether you want to proceed with a change to your PC settings

              You really should reread these articles before commenting on them, because your memory of what they actually said is frequently not as good as you think.

              I do not agree with the implication that the main emphasis of protecting Windows from malware should be on .exe or .dll files in temp locations. The quote clearly implied this emphasis.

              You’re guessing. Was he?

              Bruce

    • #1383281

      Don’t know about should be or not, but that is the standard convention when any downloaded program needs to be extracted before installation. In fact I often go into the temp files after extraction and make an install ISO of the extracted files, and there are several executables and an autorun or two quite commonly. After giving W8 potter’s field burial, I’ve just been setting up a W7 system to take me through the next 5+ years and I extracted over half a dozen programs and installed in this manner.

      • #1383336

        Frankly speaking (and not that my name is Frank), I just don’t get this whole paranoia thingy about using a firewall, as a must!
        Yes, yes! I already know all the cliches as to what a firewall is and how it works to ‘protect’ my network.
        I also know the history of firewalls, dating all the way back to Zone Alarm (circa 1996?) and how we all thought Zone Alarm’s founder was like a PC God!
        We were all his disciples then, and we believed and practiced everything he told us.
        We would endlessly test all our ports with his utilities and all that jazz!
        In the days of old, I have been known to ‘experiment’ with many warez sites and used to browse and prowl even some of the Chinese 0-day sites.
        Ooooooh, we also would preach to everyone, within ear-shot, that they’d be fools if they did not use ZoneAlarm or a firewall.
        We used to extol the virtues of a hardware firewall over a software firewall and we would also brag that we used both types in combination.
        But finally, about 4 years ago, I finally just stopped worrying about firewalling my system.

        I figured that I would let my ISP, and my DSL modem worry about network protection and just ignore this whole panacea at the OS level!
        I mean after all, how many of us can actually remember ever experiencing/getting nuked at our network connection?
        No really? Sure, firewalls are important in the servers and places of business.
        Yet, the responsibility of protecting the servers that I use really belong to my ISP and those who run the servers.
        Of course, all the latest WinOS by default have the firewall enabled and all ADSL modems also do the same!
        I don’t want to start a war here but am I really the only one that was blessed enough to have NEVER gotten nuked because of a weakness in my firewall?
        Argh!:cool:

    • #1383545

      A Software Firewall is a piece of software that is installed on your computer in order to protect it from unauthorized access. http://www.bleepingcomputer.com/glossary/definition51.html

      Most personal home networks do not have a dedicated Firewall Appliance to protect them from unwanted network intrusions, a few of which are malicious. This includes hackers and automated routines which “ping” to find vulnerabilities in the network’s security setup. The fewer such “pings” which can get through, and the fewer malicious attacks, the safer the end-user will be from network or Internet based attacks. While modern routers have security settings, most do not qualify as hardware firewalls.

      A software Firewall (Personal Firewall) is part of a Layered Approach to PC security. The more layers we can maintain without impairing network or computer performance too much, the better. Even with these layers, DNS Services and sandboxing (virtualization), hackers have been able to get into personal computers and take control for malicious purposes.

      The idea is to make my PC a less attractive target than my neighbors’ PCs, so that the malicious attacks will hit them first and harder, giving me enough warning to update my defenses or disconnect from the Internet until patches are issued by software and OS vendors. Anyway, that’s my logic. Let the other folks get the arrows in their backs.

      While it is possible to go overboard and make PC use too inconvenient, a well maintained Personal Firewall is a good, often cheap way of making up for the lack of a true Hardware Firewall in consumer-level routers and gateways. This applies just as much to wired (ethernet) networks as to Wireless Networks, although Wireless needs additional security measures.

      I know some guys who never use antivirus and claim they’ve never gotten a virus. I believe this may be true, depending on how the PC is used, and who is using it. But the restrictions these guys place on their computer use, especially on networking, media streaming and Internet use — it all seems to be more inconvenient than keeping my OS, software and security up to date and turned on. Not using a Personal Firewall even with a “security router” makes me feel half-naked in a public place (the Internet).

      BTW, my AT&T ADSL router (2-Wire) does NOT have security by today’s standards. A lot of older routers are still in use on DSL lines.

      Were I using Linux, I might feel differently, but with Windows, you need all the security help you can reasonably afford, in price and in inconvenience.

      -- rc primak

    • #1383658

      For most part of my business, data confidentiality is a prime concern. I have been looking for value-for-money software that can give me security against copying of data, alerts about unauthorized devices being plugged in and blocking of attachments as a part of email security software. I am pretty pleased with the software that I am using as of now.

    • #1385676

      Bruce, you and the security expert are simply wrong. That you can’t admit it and can’t seem to end your nitpicking over details in my posts seems to be a chronic character flaw with you.

      Just because someone is quoted in Windows Secrets and has given at least one interview with the tech press, does not make all his advice worth following. I would definitely recommend that folks follow your link to get the real story this expert was trying to convey, and on this point you were correct.

      But the article here in Windows Secrets placed too much emphasis on .exe and .dll files in temp locations (which by the way the average Windows user cannot do much to mitigate) and not enough emphasis on things we all can do to protect ourselves. The bit about something we can’t control (or most of us wouldn’t bother to control) is simply not appropriate advice in a Windows Security article. It may look to you like only one part of one quote, but the statement is a very noticeable part of what appeared in the article, and the statement implies that Windows security is beyond end-user control.

      It’s one thing to say, “use AV/AS apps” but quite another in the same list, to imply that these apps are useless.

      I agree with the finding (in another part), that many Windows infections are socially engineered, and user interactions are involved in a lot of Windows infections, as the article says. This we all can do something about. And using AV/AS apps is something we can all do something about. Updating programs and plugins, and keeping the OS and the browser up to date, are things we can do something about.

      But preventing executables from executing from within temp locations is NOT something most users can do much about. So why even mention it in a Windows Secrets article aimed at telling us how we can secure our PCs?

      I notice you did NOT challenge my comment on Windows Defender/MSE failing to prevent a malicious attack originating from an executable download. This bolsters my point about how inappropriate it is to discuss things end-users can’t do much about when making Windows security recommendations.

      -- rc primak

      • #1385904

        Bruce, you and the security expert are simply wrong.

        Unlikely. We didn’t agree on anything.

        That you can’t admit it and can’t seem to end your nitpicking over details in my posts seems to be a chronic character flaw with you.

        Admit what? At least when I tell you you’re wrong, I tell you what you’re wrong about. Thanks for resorting to character assassination.

        Just because someone is quoted in Windows Secrets and has given at least one interview with the tech press, does not make all his advice worth following.

        Which of his advice should we dismiss?

        I would definitely recommend that folks follow your link to get the real story this expert was trying to convey, and on this point you were correct.

        There was no advice in the press release.

        But the article here in Windows Secrets placed too much emphasis on .exe and .dll files in temp locations (which by the way the average Windows user cannot do much to mitigate) and not enough emphasis on things we all can do to protect ourselves. The bit about something we can’t control (or most of us wouldn’t bother to control) is simply not appropriate advice in a Windows Security article. It may look to you like only one part of one quote, but the statement is a very noticeable part of what appeared in the article, and the statement implies that Windows security is beyond end-user control.

        It didn’t imply anything like that. Otherwise, why recommend AVG and Malwarebytes?

        It’s one thing to say, “use AV/AS apps” but quite another in the same list, to imply that these apps are useless.

        List? Which words implied AV/AS was useless?

        I thought, “But then you have to know exactly what you’re looking for” implied that most of us need help from those specialized applications.

        But preventing executables from executing from within temp locations is NOT something most users can do much about. So why even mention it in a Windows Secrets article aimed at telling us how we can secure our PCs?

        I don’t believe AV applications ignore temporary locations.

        I notice you did NOT challenge my comment on Windows Defender/MSe failing to prevent a malicious attack originating from an executable download.

        I suppose I could have commented on how you were initially astonished that execution from temp folders was possible, yet now you claim to have witnessed it:

        “…these files are usually deposited in temp-file locations. They show up as .exe or .dll files….” This is what I said is implausible to me.

        I have personally watched as downloaded malware (adware) evaded Windows Defender and executed from temp locations.

        This bolsters my point about how inappropriate it is to discuss things end-users can’t do much about when making Windows security recommendations.

        I still can’t get you to explain why you think it’s dangerous or irresponsible to mention something that happens. Security by obscurity?

        Bruce
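The exchange above turns on whether "preventing executables from executing from within temp locations" is something an end user can do. On Windows it is, with Software Restriction Policies (SRP) path rules, and the following is an added example that is not from the Windows Secrets column or from any post in this thread. It writes the SRP keys directly to the registry so the Group Policy editor is not required, assumes PowerShell 3 or later on Windows 7 or newer run from an elevated prompt, and uses a hypothetical allowed-installer path to show how exceptions work. The caveat rc primak alludes to is real: any installer that unpacks itself into Temp will be refused until it is given an exception, which is why the block also sets up SRP logging and includes a rollback.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the column or this thread): deny execution from the
# per-user Temp and AppData folders via Software Restriction Policies path
# rules written straight to the registry. Assumes PowerShell 3+, Windows 7+.
# Rules apply at the next logon. Test in a VM first: installers that unpack
# into Temp will fail until they get a (narrower) Unrestricted rule.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 0x40000  # SRP security level "Unrestricted"

function Set-SaferPolicy {
    # Global switches. DefaultLevel = Unrestricted makes this a deny-list:
    # everything runs except what the Disallowed path rules match.
    New-Item -Path $Safer -Force | Out-Null
    New-ItemProperty -Path $Safer -Name DefaultLevel        -Value $Unrestricted -PropertyType DWord -Force | Out-Null
    # TransparentEnabled 1 = check executables only; 2 = also check DLLs (what
    # the ".exe or .dll" remark would need, but slower and more apt to break apps).
    New-ItemProperty -Path $Safer -Name TransparentEnabled  -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Safer -Name PolicyScope         -Value 0 -PropertyType DWord -Force | Out-Null  # 0 = all users, 1 = all but local admins
    New-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Value 0 -PropertyType DWord -Force | Out-Null
    # SRP has no audit-only mode; LogFileName makes it record each evaluation,
    # which is how a blocked installer gets identified and given an exception.
    # The file must be writable by every user whose programs are evaluated.
    New-ItemProperty -Path $Safer -Name LogFileName -Value "$env:PUBLIC\srp.log" -PropertyType String -Force | Out-Null
}

function New-SaferPathRule {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,   # %ENV% variables and * wildcards allowed
        [Parameter(Mandatory = $true)] [int]    $Level,  # $Disallowed or $Unrestricted
        [string] $Description = ''
    )
    # Each rule is a GUID-named subkey under <level>\Paths.
    $key = Join-Path $Safer ('{0}\Paths\{1}' -f $Level, [guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData    -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags  -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description -Value $Description -PropertyType String       -Force | Out-Null
    $key
}

function Add-TempDenyRules {
    Set-SaferPolicy
    # Where downloads, mail attachments and self-extracting archives land when
    # a user double-clicks them.
    $deny = @(
        '%LocalAppData%\Temp\*.exe',
        '%LocalAppData%\Temp\*\*.exe',      # one subfolder deep: Rar$*, 7z*, wz*
        '%LocalAppData%\Temp\*.zip\*.exe',  # Explorer's "run it from inside the zip" folder
        '%AppData%\*.exe',
        '%AppData%\*\*.exe'
    )
    foreach ($p in $deny) {
        New-SaferPathRule -Path $p -Level $Disallowed -Description 'Deny exec from user-writable temp' | Out-Null
    }
    # The most specific matching path rule wins, so a legitimate installer can
    # be allowed narrowly. Hypothetical path, for illustration only.
    New-SaferPathRule -Path '%LocalAppData%\Temp\ExampleVendorSetup\*.exe' -Level $Unrestricted -Description 'Hypothetical allowed installer' | Out-Null
}

function Get-SaferPathRules {
    # Review what is actually in the policy.
    foreach ($lvl in @($Disallowed, $Unrestricted)) {
        $paths = Join-Path $Safer "$lvl\Paths"
        if (-not (Test-Path $paths)) { continue }
        foreach ($rule in Get-ChildItem $paths) {
            $v = Get-ItemProperty $rule.PSPath
            [pscustomobject]@{
                Level       = $(if ($lvl -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' })
                Path        = $v.ItemData
                Description = $v.Description
            }
        }
    }
}

function Test-TempExecBlocked {
    # Run after logging on again: copy a known-good binary into Temp and try to
    # start it. SRP refuses with "This program is blocked by group policy".
    $probe = Join-Path $env:TEMP 'srp-probe.exe'
    Copy-Item "$env:SystemRoot\System32\notepad.exe" $probe -Force
    try {
        $proc = Start-Process $probe -PassThru -ErrorAction Stop
        Stop-Process -Id $proc.Id -Force
        $false
    } catch {
        $_.Exception.Message -match 'blocked'
    } finally {
        Remove-Item $probe -Force -ErrorAction SilentlyContinue
    }
}

function Remove-SaferPolicy {
    # Rollback: deleting the key puts SRP back to "not configured".
    if (Test-Path $Safer) { Remove-Item $Safer -Recurse -Force }
}

Add-TempDenyRules
Get-SaferPathRules | Format-Table -AutoSize
```

Run it, log off and on, then call Test-TempExecBlocked; it should return True. When a legitimate installer stops working, the srp.log entries name the exact path that was refused, which is what goes into a narrower Unrestricted rule. On Enterprise editions AppLocker does the same job with a proper audit mode and per-publisher rules; SRP is what is available everywhere else.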

    • #1389228

      Recently I found my processor (Intel i3 in ASUS A52F, Windows 7) running 100% for a considerable time, so went to Task Manager to find out what was running – zilch!
      I then tried to scan with Ad-Aware – would not run, and then with Malwarebytes – again would not run.
      Then a window opened telling me that System Care Antivirus had detected 38 threats, and the computer needed scanning to remove these.
      This raised very red flags as I had never knowingly installed System Care Antivirus.
      On another computer I googled this program and found it to be malware, and I found some descriptions of methods of removal – most referred to Spyhunter.
      My wife suggested that we try a restore point, and so I ran one from 4 days earlier in Safe Mode.
      Problem solved – much easier than removing dozens of files from Program Data and the Registry.
      As the infection seems to be a ‘Drive-by’ download I cannot discover from whence it came.
      I was surprised that Ad-Aware did not pick it up, nor Malwarebytes.
      Are there (I am sure there are) any further comments and/or advice out there? If System Restore had not worked it would have been a real pain.

      • #1389234

        Congratulations on reaching the bottom line, even if through a System Restore.

        Did you happen to come across “Removal instructions for System Care Antivirus,” from Malwarebytes — http://forums.malwarebytes.org/index.php?showtopic=125373 (dated 2013.04.20)?

        Also, there is the highly-regarded Emsisoft Free Emergency Kit (a portable app) — https://www.emsisoft.com/en/software/eek/ .

        Prevention, of course, is the best practice. As no security software (that I am aware of) protects against every possible exploit, two free apps that should add significant layers of protection that drive-by (or inadvertently downloaded) malware would have to penetrate are WinPatrol and the Comodo Firewall (with proper configuration; see https://www.techsupportalert.com/content/how-install-comodo-firewall.htm). Though it can be a tad annoying at times, utilizing a browser running NoScript will add a significant additional layer of protection.

        WinPatrol (free and Pro) is a very small utility that plays well with others. When anything attempts to alter various system files or set itself to start with Windows, it is blocked, subject to the user’s approval.

        Though the Win 7 firewall offers reasonable protection, when properly configured the Comodo Firewall (in addition to stealthing all ports) also monitors for anything that attempts to change various system files; it and WinPatrol complement each other.

        Finally, there is the Geek Uninstaller (http://www.softpedia.com/get/Tweak/Uninstallers/Geek-Uninstaller.shtml), which is similar to the Revo Uninstaller (it too searches for and removes remnant Registry entries), but is a portable app — and has additional features, such as a “Forced Removal” option (also, unlike the free version of Revo, it has full 64-bit compatibility). Even if it is not effective in removing “System Care Antivirus,” you may find it worthwhile for general use.

        I hope this is useful.

        • #1389274

          As AJNorth suggested, no WinOS should ever be booted without BillP WinPatrol.
          It is preferable to pay for the WinPatrol Pro version, since this utility is that good and worth the lifetime subscription that never expires.
          Looking at the bright side (of paying for WinPatrol Pro) is the fact that you get that pooch as a pet for free. 😉
          Learn to use WinPatrol and its intricacies and you will never regret it.
          It is a very lean startup and does not drain system resources or hog the memory.
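The "System Care Antivirus" post above (nothing visible in Task Manager, Ad-Aware and Malwarebytes refusing to start, the rogue program surviving reboots from Program Data and the Registry) and AJNorth's description of what WinPatrol watches for both come down to the same handful of autostart locations. The following is an added example, not from this thread, from the Windows Secrets column or from WinPatrol: a read-only audit that enumerates those locations, resolves each command line to its executable, flags entries that are unsigned, missing, or living in a user-writable folder, lists Image File Execution Options "Debugger" hijacks (the usual reason a security tool "will not run"), and diffs against a saved baseline so only changes show up. It assumes PowerShell 3 or later; the baseline file path is an arbitrary choice; run it elevated to read every HKLM value.

```powershell
# Added example (not from this thread, the column, or WinPatrol): read-only
# audit of the autostart points rogue "antivirus" programs use to survive a
# reboot. Assumes PowerShell 3+. Baseline path below is an assumed location.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$IfeoKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$PsNoise     = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-CommandPath {
    # "C:\Program Files\X\x.exe" /arg -> C:\Program Files\X\x.exe ; %AppData%\foo.exe -u -> expanded path
    param([string] $CommandLine)
    $c = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if     ($c -match '^"([^"]+)"')                                        { $exe = $Matches[1] }
    elseif ($c -match '^(.+?\.(exe|com|scr|pif|bat|cmd|vbs|js))(\s|$)')    { $exe = $Matches[1] }
    else                                                                    { $exe = ($c -split '\s+')[0] }
    if (-not [IO.Path]::IsPathRooted($exe)) {
        # Bare names such as explorer.exe resolve through PATH, as the loader would.
        $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($found) { $exe = $found.Path }
    }
    $exe
}

function Get-AutorunEntries {
    foreach ($k in $RunKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty $k).PSObject.Properties) {
            if ($PsNoise -contains $p.Name) { continue }
            [pscustomobject]@{ Source = $k; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    foreach ($d in $StartupDirs) {
        if (-not (Test-Path $d)) { continue }
        foreach ($f in (Get-ChildItem $d -File | Where-Object { $_.Name -ne 'desktop.ini' })) {
            [pscustomobject]@{ Source = $d; Name = $f.Name; Command = $f.FullName }
        }
    }
    # Shell and Userinit are classic hijack points: only explorer.exe and userinit.exe belong here.
    $wl = Get-ItemProperty $WinlogonKey
    foreach ($n in 'Shell', 'Userinit') {
        foreach ($cmd in (([string]$wl.$n) -split ',')) {
            if ($cmd.Trim()) { [pscustomobject]@{ Source = $WinlogonKey; Name = $n; Command = $cmd.Trim() } }
        }
    }
}

function Test-AutorunEntry {
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        $exe   = Resolve-CommandPath $Entry.Command
        $flags = @()
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
            $flags += 'file-missing'
        } else {
            # Note: catalog-signed OS binaries report NotSigned on Windows 7; treat as "look closer", not a verdict.
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
            if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
            # Folders a standard user can write to; the infection above lived in Program Data.
            if ($exe -match '\\(AppData|ProgramData|Temp|Users\\Public)\\') { $flags += 'user-writable-path' }
        }
        if ((@('Shell', 'Userinit') -contains $Entry.Name) -and ($exe -notmatch '\\(explorer|userinit)\.exe$')) { $flags += 'winlogon-hijack' }
        [pscustomobject]@{ Source = $Entry.Source; Name = $Entry.Name; Executable = $exe; Flags = ($flags -join ',') }
    }
}

function Get-IfeoHijacks {
    # A Debugger value under Image File Execution Options\<tool>.exe makes Windows
    # launch the "debugger" instead of the tool: how rogue AV keeps mbam.exe or
    # taskmgr.exe from ever starting.
    if (-not (Test-Path $IfeoKey)) { return }
    foreach ($k in Get-ChildItem $IfeoKey) {
        $dbg = (Get-ItemProperty $k.PSPath).Debugger
        if ($dbg) { [pscustomobject]@{ Image = $k.PSChildName; Debugger = $dbg } }
    }
}

function Compare-AutorunBaseline {
    param([string] $BaselinePath = "$env:USERPROFILE\autorun-baseline.xml")  # assumed location
    $now = @(Get-AutorunEntries)
    if (-not (Test-Path $BaselinePath)) {
        $now | Export-Clixml $BaselinePath
        return "Baseline written to $BaselinePath; rerun later to see what changed."
    }
    $old = @(Import-Clixml $BaselinePath)
    Compare-Object $old $now -Property Source, Name, Command |
        Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' } } }, Source, Name, Command
}

Get-AutorunEntries | Test-AutorunEntry | Where-Object { $_.Flags } | Format-Table -AutoSize
Get-IfeoHijacks | Format-Table -AutoSize
Compare-AutorunBaseline | Format-Table -AutoSize
```

Run it once on a clean machine to write the baseline, then again whenever something looks off: a new Run value pointing into ProgramData or AppData, a Winlogon Shell that is not explorer.exe, or an IFEO Debugger entry for mbam.exe is exactly the signature of the infection described above, and each line tells you the key or folder to clean. Scheduled tasks and services are further autostart points a fuller audit would add; they are left out here to keep the example short.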
