"Two weeks to prepare for cyber-attack"

Unfortunately that's just not practical for most.

And email isn't the only infection method.

But I guess I haven't had a car accident for a few years, I guess I can stop using my seat belt. :)

For the most part, resident antivirus scanners are quite frankly crap. All I ever see them do, in the years (and it really is "years" now) I've worked in the helpdesk environment (and since before that, too), is miss all kinds of malware infections time after time; they create more problems than they solve, they randomly b****r things up and slow the whole show down. Then there's the whole fact that to do its job a resident AV has to run with elevated privileges; I shouldn't have to explain why that's a big problem if you know anything about the principle of least privilege.

There are all kinds of measures I take to secure a system - all based around the principle of least privilege - NONE of them involve installing a resident antivirus. IMO to install a resident AV into an otherwise secure system is to just pee all over the concept of security. I know that boggles a lot of people's minds here, but I don't have time to explain why having third party resident programs running with the highest privileges they can get is a fundamentally flawed concept.

Personally, I think KIPAX has the right idea, and furthermore, Windows 8 has enough of its own built-in protection measures that even average Joe can run it without AV.

Please note that throughout the last paragraphs I referred to RESIDENT scanners. I do advocate checking files regularly with things like HitmanPro and the various cloud scanners that are out there. But resident AV = no.

---

As for this whole hype thing, it's no different from all the other crap that's out there, and the only reason the media is hyping it is because it's connected to a Russian guy. Sorry to burst everyone's bubble but that's really it, there is nothing to see here.
 
"IMO to install a resident AV into an otherwise secure system is to just pee all over the concept of security."

Well I can agree with that except for one thing - no computer IS secure!

Once you connect to the Internet you are under attack!

Years ago I used to use Zone-Alarm (when it was just a firewall) and in any one month period it could stop several HUNDRED attempts to access my PC!

Nowadays my router stops all attempts from outside to access my PC (it is "stealthed") and using VMs along with MalwareBytes Pro and the free version of Avast seems, on test, to provide me with a pretty good defence:

http://www.talkphotography.co.uk/threads/i-put-cryptolocker-on-my-pc.545609/#post-6303576

 
Remind me later to come back and comment on this, I haven't had enough coffee to make sense yet.
 
Lol, I guess you don't work in an environment that requires decent security, do you? Did you convince yourself of this theory that endpoint resident security is not required? Needless to say, I don't agree at all, and I think it is very bad advice.
 
Well, I have been protecting my system for just such an attack for 20 yrs now... I don't use virus software or malware checks... I just use common sense... my email reader has always been text only and I never open attachments...

Not overly worried to be honest :)
That would worry me, Kipax! How you manage your own system is completely up to you; my main (paying) job is software developer (mobile, web, desktop, SQL backend, virus hunting support; I've been doing it for 30 years). Some of my work is quite sensitive so I won't bore you with what I do, but even USB sticks get infected. Have you ever gone to someone else's computer, plugged in your USB, copied something to their machine, taken it out and plugged the same USB stick into your own machine?

If you're connected to the internet, there's a good chance you're probably already infected. Even JPGs can hold viruses.

If you don't have AV or malware checks, you won't know you've been infected, unless you're OCD like me, checking Task Manager for unusual activity, high CPU usage, memory hogging on certain processes.

One of the best viruses I have found (and I admire how they did this) was one that took over the Recycle Bin. So when you delete something you didn't want or think is suspect, it puts an autorun.ini in the Recycle Bin.

The Recycle Bin is classed as an "active drive/device" by Windows (why they did this I don't know). Anyway, when you've put it in the Recycle Bin, if you have autorun switched on, it launches the virus. You can't empty the Recycle Bin properly either. It shows nothing in there, but the Recycle Bin icon looks like there's something in there. That's what gave me a clue I had an infection.
(My default is now to disable the Recycle Bin permanently.)

Of course if you're using a Mac, I can't comment, I don't use those OSes.
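As an added example (not code from the thread or from any poster), here is a small defender-side inspector for the Autorun trick the post above describes. The file Windows actually honours is autorun.inf, an INI-style file with an [autorun] section whose open=, shellexecute= and shell\<verb>\command= directives name a program to launch; the friendly label= and icon= lines are what the user sees. The sample file below is constructed for the example and the RECYCLER path in it is invented.

```python
"""Inspect an autorun.inf and report the directives that make Windows run a program.

Added example, not code from the thread. The sample file is constructed.
"""
import configparser
from typing import Dict, List, Tuple

# Keys that name a program to execute (documented AutoRun directives).
EXEC_KEYS = {"open", "shellexecute"}


def _parse(text: str) -> configparser.ConfigParser:
    # strict=False tolerates duplicate keys; interpolation=None stops '%' in
    # paths from being treated as a template; '=' is the only AutoRun delimiter.
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case so shell\Open\command is reported as written
    parser.read_string(text)
    return parser


def find_exec_directives(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) for every directive that causes code execution."""
    parser = _parse(text)
    hits = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            k = key.lower()
            # shell\<verb>\command=<program> runs when that verb is chosen or is the default
            if k in EXEC_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
                hits.append((key, value.strip()))
    return hits


def summarise(text: str) -> Dict[str, object]:
    """What the file advertises to the user versus what it would actually run."""
    parser = _parse(text)
    info: Dict[str, object] = {"label": None, "icon": None}
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            if key.lower() in info:
                info[key.lower()] = value.strip()
    info["executes"] = find_exec_directives(text)
    return info


# Constructed sample: a friendly label and icon, but the open= and
# shell\Open\command= lines would launch a binary hidden under a RECYCLER folder.
SAMPLE_AUTORUN = r"""[autorun]
label=Holiday photos
icon=photos.ico
open=RECYCLER\S-1-5-21-1234\svchost.exe
shell\Open\command=RECYCLER\S-1-5-21-1234\svchost.exe
shell=Open
UseAutoPlay=0
"""

if __name__ == "__main__":
    report = summarise(SAMPLE_AUTORUN)
    print("label:", report["label"], "| icon:", report["icon"])
    for key, program in report["executes"]:
        print(f"would execute via {key}: {program}")
```

Running it on the sample reports the two execution directives behind the "Holiday photos" label. The mitigation the post hints at ("if you have autorun switched on") is the NoDriveTypeAutoRun policy value under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer: setting it to 0xFF disables AutoRun for every drive type, so the file is never acted on regardless of where it is dropped.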
 
I'm not looking to cause an argument, and I'm aware my beliefs are very unorthodox. My intention is not to come across as a smart arse, but I know that even if I explain my reasoning to the nth degree, most people still wouldn't give it any credence as we're indoctrinated to believe "must use antivirus, must use antivirus" etc.

Back a good few years ago now I used to hang out online with a bunch of skilled and talented guys who knew more than I probably ever will about computer security, not just in design but in the psych behind it as well. There are of course polarised opinions all over the net when it comes to security and almost everyone you run into believes something different or has a variation on your own theory.

The fact that I came to learn and agree on is this - to a talented hacker a resident AV is nothing but a mere inconvenience, just one more attack vector, something that if taken over potentially puts the intruder in a very privileged position by virtue of the manner in which resident AV runs on a system. I've seen it with my own eyes, god knows how many systems infected with malware that had their AV totally buggered up in the process. How do you know that the malware didn't exploit a vulnerability in the AV and use it to gain elevated privileges? Privileges that wouldn't have been gained had the AV not been present. I've simply seen it too many times to ignore it.

And besides, my views aren't always as polar as they may seem to others: for the most part I still advocate that average Joe should use some kind of resident AV. It doesn't change the fact that there's an elephant in the room, but for what most home users do an AV will certainly keep them off my back for longer, though it by no means turns an otherwise vanilla Windows install into a secure vault.

Like it or not, my views on this will remain unchanged until there's a paradigm shift in the way resident AV programs operate.

Finally, to address Peter's concern about Zone Alarm: most of those intrusion notifications are red herrings. If the port scan doesn't reveal any running service at the other side that is exploitable (which it shouldn't), it's moot. Being stealthed is nice, but really it's security through obscurity.

*phone post, please excuse my brevity.
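The point in the post above is that a "stealthed" router only hides closed ports; what a scan can actually use is the set of sockets in LISTEN state. As an added example (not code from the thread), here is a parser for the Linux kernel's own socket table, /proc/net/tcp, which lists each socket's local address as little-endian hex and uses 0A in the state column for LISTEN. The table embedded below is a constructed sample, not output from a real host; live_exposed_listeners() runs the same check on the machine it is executed on.

```python
"""Which TCP services could a port scan actually reach on this host?

Added example, not code from the thread. The embedded table is constructed.
"""
import socket
import struct
from typing import List, Tuple

TCP_LISTEN = "0A"  # hex state value for LISTEN in /proc/net/tcp


def _decode_ipv4(hex_addr: str) -> str:
    # /proc/net/tcp prints the address in host byte order; on little-endian
    # hosts 127.0.0.1 appears as 0100007F.
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def parse_listeners(table: str) -> List[Tuple[str, int]]:
    """Return (address, port) for every socket in LISTEN state."""
    listeners = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "sl":  # skip blanks and the column header
            continue
        local_addr, state = fields[1], fields[3]
        if state != TCP_LISTEN:
            continue
        addr_hex, port_hex = local_addr.split(":")
        listeners.append((_decode_ipv4(addr_hex), int(port_hex, 16)))
    return listeners


def exposed_listeners(table: str) -> List[Tuple[str, int]]:
    """Listeners a scan from another machine could reach: anything not bound to loopback."""
    return [(addr, port) for addr, port in parse_listeners(table) if not addr.startswith("127.")]


def live_exposed_listeners(path: str = "/proc/net/tcp") -> List[Tuple[str, int]]:
    """Run the same check against the running host (Linux, IPv4 only)."""
    with open(path) as fh:
        return exposed_listeners(fh.read())


# Constructed sample: sshd on every interface, a printer daemon on loopback only,
# and one established outbound connection that a scanner could not reach anyway.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:B3E2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_PROC_NET_TCP):
        print(f"reachable from the network: {addr}:{port}")
```

On the sample only port 22 bound to 0.0.0.0 is reachable from outside; the loopback-only service on 631 is invisible to a scan whether or not the firewall drops probes. That is the check worth running: every entry this returns is a service that has to be patched and needed, and "stealth" adds nothing for the ones that are.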
 
I admire all of the 'it won't happen to me because' and the 'it's a non-issue' post people ... in the meantime there are thousands of unsuspecting Internet users who are just waiting to be zapped by the non-issue and I for one will remain 'up to the hilt' in Internet Security & Anti-Malware applications :D
 
Ok fair enough this is more moderate and I'm glad you join in the advice that it is good to have it installed.

Naturally any software can have a vulnerability, and endpoint protection is merely a layer in the onion.

Out of interest, which antivirus product had so many vulnerabilities that were exploited? It would be good to share that knowledge with others.

And naturally, just like endpoint protection is part of it, so is patch management :)
 
Given my position it'd be foolish of me to name names, but I've experienced several products and I felt most were lacklustre when it actually came to doing their jobs. We've had some that brought networks to their knees (this is a failure on the "accessibility" point of security!) and others that just seem to let any old rotten piece of malware sail right by it.

I was even reading an article last night where someone discovered the default nature of their AV was to let an infected file execute (and hence do the damage) before then deciding there was an attack happening. Gee, that's useful! (And it wasn't exactly a small, not well-known program either.)

Of course there's more to it than AV, and if I had more free rein I'd run a much tighter ship, but alas one does not want to bite the hand that feeds them.
 
??? So you know of exploited vulnerabilities but won't name them? Pardon my direct nature, but that is very strange..... There are lots of monetary rewards if it wasn't public, and then I can understand it. But it would be rectified in days.... Or perhaps, and more likely imo, it is just all a big piece of BS ;)
 
Like an ageing mercury vapour lamp, you seem to be going a bit dim. I'm not holding vital information on dangerous zero day exploits as you seem to think, I'm merely saying that I won't disclose precise information about what I have found due to the field I work in being somewhat sensitive.
 
Nope, I'm not thinking that at all; I wasn't talking about zero day exploits at all. Don't know why you turn it in that direction. You make a statement about antivirus software in general, then make a claim where you insinuate it is the antivirus software likely at fault on god knows how many systems you've witnessed. Yet now it is some conspiracy secret and you are suggesting I am dim for not getting it....

Yeah right, I'm dim for not buying into your little theories from mates who you'd 'hang out with online'.... Oh please.... And now the field you work in is somewhat sensitive.... Sorry, but I call a big fat BS on that.... Looking at the earlier posts in this thread you don't display the slightest bit of comprehension of a secure environment.... What is next, you are going to tell me that you are a CLAS consultant? A CAPS assessor? Or perhaps from across the pond and a FIPS accreditor? I'd be amazed, totally amazed... But hey, weirder things have happened online....
 
What a load of crap. When was the last time you heard of someone's bank account getting hacked? Exactly. If anything, most people have already got a small piece of code on their PC running away quite happily and don't even know it. It would more than likely be used purely as a collective bit of processing power, just like SETI or Maxcoin; on the golden hour it would be triggered to access whatever it was they were after, and that doesn't include my Halifax :D
 
Thank goodness that threat's over, can sleep again at nights now:rolleyes:
 
http://krebsonsecurity.com/2014/06/banks-credit-card-breach-at-p-f-changs/

Halifax?:

http://www.theguardian.com/money/2014/may/30/halifax-lloyds-banking-online-security-hacker

 
Most people end up infected by explicitly granting privileges to a nasty because they don't know better.

Having a resident AV flash up a big red warning and automatically clearing up this kind of thing before an unsuspecting user grants it admin privileges is invaluable.

I've never had a virus, but I do run NOD32 on all my machines because I don't know if the other half or a visiting friend might do something dumb if they use one for some browsing.
 
I had my router hacked just last week. They changed my DNS so every time I clicked a link a new window popped up with some damn advert.
 
I've had the Zeus virus, which is a gateway for Cryptolocker apparently, get through my Sophos AV on a filtered network at uni. I say apparently as I haven't actually seen the PC it's infected for a couple of days and was only sent an automatic email from our network admins saying it was detected.
 