Posted by cquirke (MVP Windows shell/user) on January 4, 2006, 5:19 pm
>cquirkenews@nospam.mvps.org says...
>> More to the point is the chicken-and-egg question: Were these PCs
>> infected because they were not updated, or could these PCs not be
>> updated because they were infected?
>Since the same systems with current AV definitions had already detected
>and Quarantined the same virus during the same date range, it appears to
>me that the lack of definition updates caused the AV product to miss the
>new virus, while the other machines were protected with their updated
>definitions.
Makes sense. Sometimes an earlier infection can nuke the
updateability; sometimes it's a Dial-Up Notworking thing, other times
it's user failure (of which the annual feeware death is one form)
>> Re-installing what - the av, or the OS?
>> A malware that knocks out an av's ability to update itself, is
>> unlikely to sit around allowing you to re-install the same av.
>I agree, in the case of machines that are compromised, we may take our
>personal time to clean them as a learning experience, but we never
>return them to the customer as "cleaned", we always wipe/reinstall from
>scratch (the OS and APPS).
That's exactly what I do not do. I have as little faith in "just" wipe
and rebuild as a fix as I do in cleaning (and 100% for either). Your
approach of performing both detection forensics and rebuilding is a
solid one, but has too much adverse impact for my sort of clients.
>> "Just re-install" is not a substitute for malware management :-/
>The only true way to ensure that malware has been removed is to
>wipe/reinstall the OS and APPS. While this is a hard line to take, it's
>the only true way to ensure that the system is clean at the time it's
>returned.
Meaningless, in that simply being clean at the time of resuming
productive use isn't enough - the system has to *stay* clean.
If simply rebuilt to duhfult fresh install status, this is far from
assured. If building to SP2 specs and then adding patches and
additional risk management, you should be OK, but then if that was how
the infected PC was originally set up, then clearly it wasn't enough.
The fact that the PC was infected suggests that whatever the
defenses were, they were not effective. So you'd want to know what
the infectors were, how they got in, etc. to be reasonably sure the
same attack methods will not succeed again.
The degree of "reasonably sure" is fairly similar to the confidence of
having really cleaned an infected system - a malware that can escape
formal detection and cleaning, may also escape detection and
assessment and be able to re-infect the rebuilt system. By
definition, an undetectable malware can't be excluded either way.
So I don't see one approach as being as much "better" as the other,
and I see the blind "wipe and rebuild" approach (i.e. without any
assessment of what the infectors were, and certainly if no further
post-install/post-patch hardening is done) as the weakest method.
>---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
>---------- ----- ---- --- -- - - - -
Posted by Leythos on January 4, 2006, 5:59 pm
cquirkenews@nospam.mvps.org says...
> So I don't see one approach as being as much "better" as the other,
> and I see the blind "wipe and rebuild" approach (i.e. without any
> assessment of what the infectors were, and certainly if no further
> post-install/post-patch hardening is done) as the weakest method.
I see it as two issues, one is assuring a clean machine - a wipe does
that. Second is how did it happen and how can we prevent it - in most
cases, by the time the person is compromised and then learns they are
compromised, the AV vendors already have a fix, so, as long as you can
educate the users, give them quality AV software, give them apps that
provide LESS exposure, you've solved both problems as much as possible.
--
spam999free@rrohio.com
remove 999 in order to email me
Posted by Charlie Tame on January 3, 2006, 11:08 pm
>>Where the user has been advised (by someone else) to try reinstalling
>
> Re-installing what - the av, or the OS?
>
> A malware that knocks out an av's ability to update itself, is
> unlikely to sit around allowing you to re-install the same av.
>
>>the usual result is all hell breaking loose with bits left over, bits
>>working
>>and absolutely nothing one can rely on.
>
> "Just re-install" is not a substitute for malware management :-/
Okay, I meant reinstall the AV to fix it, but this doesn't seem to work too
well if there are bits left over since things like settings tend to hang
around and thus it remains "Broken" if that is where the problem was.
However from what I have seen NAV and McAfee are often installed by OEMs,
Vendors, or included on ISP setup disks because they are "Famous" names and
it looks like you are getting a good deal... kinda like the TV ads that
proclaim "We'll also send you product "X", a $50 value" when in fact its
quoted value is purely arbitrary. To you it might be worth nothing :)
In such a case the user is generally ill informed and believes that the
original install is a lifetime thing, so they will believe paid for
"Updates" to be some new software, not an essential detection device. 2
years later the virus comes along and they can't understand how it got past
their system.
It is therefore my opinion that Leythos' observations are much more to do
with either the user base themselves or the fact that they are better
"Educated" as a result of his efforts. Either that or they are too damned
scared to admit problems due to getting their machines back "Wiped" a few
times :) (Sorry, couldn't resist that).
I also agree that the Corporate edition is vastly superior, in fact it
appears to be a different animal altogether, and that NAV on its own is far
more stable than the all things to all users packages.
As for judging a product by update frequency it is not really a good way to
do it. One could arrange for daily updates where little changes or weekly
ones that provide lots of new protection. With AVG the frequency of checks
is user defined AFAIK, how often the updates actually change I have not
studied but they seem pretty frequent.
Charlie
Posted by cquirke (MVP Windows shell/user) on January 4, 2006, 5:51 pm
On Tue, 3 Jan 2006 22:08:07 -0600, "Charlie Tame" wrote:
>"cquirke (MVP Windows shell/user)" wrote
>> Re-installing what - the av, or the OS?
>>>the usual result is all hell breaking loose with bits left over, bits
>>>working and absolutely nothing one can rely on.
That's one reason I don't like av that are messy and cluttered with
uninstallers that don't work properly, particularly where the vendor
has deliberately added DRM logic to deny service.
This alone is a very compelling reason to avoid Norton AV, IMO.
>However from what I have seen NAV and McAfee are often installed by OEMs,
>Vendors, or included on ISP setup disks because they are "Famous" names
Norton and McAfee are the knee-jerk choices due to the "famous brand"
effect, and are mainly spread through dumb retail. Dumb retailers
aren't going to talk about best-of-breed products that can be bought
directly via the 'net with no resale markup opportunity, nor are they
going to talk about free choices that also make no money. The same
goes for advertising-driven PC magazines, etc.
Because of this retail BS factor, our knee-jerk reaction tends the
other way, i.e. we may be biased against these products.
The use of the names "Norton" and "McAfee" as branding is interesting
retail BS in itself. Peter Norton was a utility guru in the DOS age,
but was on record as denying that viruses exist even as they had
started to spread, so he's an odd choice of figurehead for av cred; in
any case, he "left the building" long ago.
John McAfee was one of the early av pioneers, but his company was
merged into Network Associates long ago, along with Dr Solomons - in
fact it was the Dr Solomons engine that survived as the main product
line until further development left both legacy code bases behind.
The biggest problem with most OEM-bundled av is the value is poor
(30-days to 90-days is typical), so that effectively all you get is
feeware lock-in (especially when coupled with a bad uninstaller). An
exception used to be 12-month Trend PC-cillin that went with some
motherboards. As a system builder, my policy is to disregard and
discard any bundled av that runs for less than 12 months, if the user
can use a time-unlimited freeware av instead.
>It is therefore my opinion that Leythos' observations are much more to do
>with either the user base themselves or the fact that they are better
>"Educated" as a result of his efforts. Either that or they are too damned
>scared to admit problems due to getting their machines back "Wiped" a few
>times :) (Sorry, couldn't resist that).
That's what I call "punitive support", and it's one of several BS
approaches that pervade IT. It's a classic dumb-retail and/or big-OEM
thing that can be used in both 1-call and 0-call forms. The game is
rigged to entice sales on the promise of support, then limit the
actual support resource drain to one and none calls, respectively.
The 1-call version: PC is promptly serviced as promised, but is
returned with everything wiped and restored to factory defaults. The
traumatized client does not partake of "support" ever again.
The 0-call version: PC is shipped with a crappy OEM "restore" CD that
can do nothing except destroy the installation and replace it with
factory defaults. Support calls then go like this...
"My PC has problem XYZ..."
' Did you run our Restore CD? '
"No, that will wipe my system!"
' Well, if you won't follow our advice, we can't help you ' <click>
>As for judging a product by update frequency it is not really a good way to
>do it. One could arrange for daily updates where little changes or weekly
>ones that provide lots of new protection. With AVG the frequency of checks
>is user defined AFAIK, how often the updates actually change I have not
>studied but they seem pretty frequent.
Yes, I have to agree there - in any case, on that metric, NAV may be
rather poor, if they are still releasing updates once a week.
I find that most seldom-updated tools (e.g. Avast's free
general-purpose malware cleaner) are pretty useless, and that most
good av have regular updates, but some tools buck this trend - for
example, Stinger is limited in what it catches and is seldom updated,
yet it often finds things that other scanners have missed.
I've been watching the WMF debacle with interest, and neither AVG nor
F-Prot has been keeping up with things as well as many other av.
OTOH, I've seen some scanning results for slippery malware, and the
results have been interesting and varied, with little correlation
between fee/freeware status and quality.
The surprise product has been AntiVir, which has been doing quite well
across the board. My own experience with it backs this up; good
detection rates, and the product is admirably flexible in use - it can
be used purely as an on-demand scanner, or resident, it survives
"scrape-over" and works from Bart-boot CDR, and it updates easily.
>---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
>---------- ----- ---- --- -- - - - -
Posted by Sandy Mann on January 4, 2006, 6:08 pm
(amongst other things)
> ............................................................................
> Dumb retailers
> aren't going to talk about best-of-breed products that can be bought
> directly via the 'net with no resale markup opportunity, nor are they
> going to talk about free choices that also make no money.
If I may ask a Dumb question in this 'tennis match' discussion: How do you
get on the 'net' to download these 'best of breed' AV's without getting
infected because you have no av?
--
Regards
Sandy
sandymann2@mailinator.com
Replace@mailinator.com with @tiscali.co.uk