CIS 420 Personal Computer Security
Anti-Malware Solutions
April 8, 2008

Source: 2profs.net › steve › CIS420 › MalwareAndPatches.pdf (transcript of the slide deck)

Page 2: Overview

• It is generally recommended that most users install and use anti-malware software on their Microsoft Windows computers to help protect against malware
• Historically, anti-malware software falls into two broad categories
  – Anti-virus software
  – Anti-spyware software
• More recently, a number of commercial anti-virus software vendors have begun incorporating anti-spyware capabilities into their anti-virus software
• With regard to anti-malware software
  – Do not install more than one anti-virus program on a computer at a given time
    • the programs generally don’t “co-operate” with each other, which can lead to poor system performance, incorrect detection of malware, and possibly system instability
  – Most people recommend installing more than one anti-spyware program
    • their reasoning is that they will do a better job at detecting spyware
    • your instructor is not so convinced
  – Although viruses exist for other computer platforms, anti-malware software is almost always associated with Microsoft Windows platforms

Page 3: Anti-virus Software

• Anti-virus software is a computer program that attempts to identify, thwart and eliminate computer malware (and viruses)
• Anti-virus software typically uses two different techniques to accomplish this
  – Examining (scanning) files to look for known viruses matching definitions in a virus dictionary
    • this is the most common approach used by anti-virus software
      – and is the more reliable method
  – Identifying suspicious behavior from computer programs which might indicate malware
    • although advertised by anti-virus vendors as a “huge benefit”, the vast majority of these approaches in practice yield marginal results (with the potential of many false positives)
      – the basic problem is that it is not currently possible to recognize program “intent”
        • in other words, how do you differentiate between an evil act and a legitimate operation?

Page 4: Anti-virus Software (continued)

• For the virus dictionary approach, the anti-virus software will look at the contents of a file
  – By referring to a dictionary of known viruses that the anti-virus vendor has identified
  – If a portion of the file (program code) matches a virus identified in the dictionary, then the anti-virus software will usually take one of the following actions
    • attempt to repair the file by removing the virus from the file
    • quarantine the file
      – make the file inaccessible to other programs so that it cannot be executed
    • delete the file
  – The anti-virus software will typically examine the files when the computer's operating system creates, opens, or closes them
• In order for the dictionary approach to work consistently, it requires periodic (generally online) downloads of updated virus dictionary entries
  – Anti-virus software that is out-of-date is only marginally better than not having anti-virus software
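As an added example (not code from the course slides), here is a minimal dictionary-style scanner in Python that shows the three responses the slide lists for a dictionary hit (repair, quarantine, delete) and the definitions-freshness check the slide argues for. The signatures, sample files and dictionary date are all constructed for the demo; none of them is a real malware pattern.

```python
"""Toy virus-dictionary scanner (added example, not from the course slides).

Signatures, sample files and the dictionary date below are constructed for
the demo; none of them is a real malware pattern.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import date

# Constructed "virus dictionary": entry name -> byte pattern that identifies it.
SIGNATURES = {
    "Test.Appender": b"CONSTRUCTED-APPENDER-MARKER",
    "Test.Dropper": b"CONSTRUCTED-DROPPER-MARKER",
}
# Constructed publication date of the dictionary above.
DICTIONARY_DATE = date(2008, 4, 1)


def dictionary_is_stale(today=None, max_age_days=7):
    """Out-of-date definitions are only marginally better than none, so a
    scanner should warn when its dictionary is older than max_age_days."""
    today = today or date.today()
    return (today - DICTIONARY_DATE).days > max_age_days


def scan_file(path):
    """Return the name of the first dictionary entry whose pattern occurs in
    the file, or None when no portion of the file matches."""
    with open(path, "rb") as fh:
        data = fh.read()
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def repair_file(path, pattern):
    """Repair: cut the matched code out of the file. Only safe here because
    the constructed appender adds its marker after the original program."""
    with open(path, "rb") as fh:
        data = fh.read()
    idx = data.find(pattern)
    if idx < 0:
        return False
    with open(path, "wb") as fh:
        fh.write(data[:idx])
    return True


def quarantine_file(path, quarantine_dir):
    """Quarantine: move the file out of its original location, make it
    read-only so it cannot be executed, and record where it came from."""
    os.makedirs(quarantine_dir, exist_ok=True)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    dest = os.path.join(quarantine_dir, digest + ".quarantined")
    shutil.move(path, dest)
    os.chmod(dest, 0o400)
    with open(dest + ".meta", "w") as meta:
        meta.write(f"original={path}\nsha256={digest}\n")
    return dest


def delete_file(path):
    """Delete: the last resort when repair is impossible and quarantine is not wanted."""
    os.remove(path)
    return not os.path.exists(path)


def run_demo(base_dir=None):
    """Write three constructed sample files, scan them and apply one action
    per result. Returns {name: (detection, action taken, rescan result)}."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="scan-demo-")
    samples = {
        "clean.txt": b"just a document",
        "appended.exe": b"MZ-legit-program-bytes" + SIGNATURES["Test.Appender"],
        "dropper.exe": b"MZ" + SIGNATURES["Test.Dropper"] + b"-payload-bytes",
    }
    for name, content in samples.items():
        with open(os.path.join(base_dir, name), "wb") as fh:
            fh.write(content)

    results = {}
    for name in samples:
        path = os.path.join(base_dir, name)
        hit = scan_file(path)
        if hit is None:
            results[name] = (None, "left in place", None)
        elif hit == "Test.Appender" and repair_file(path, SIGNATURES[hit]):
            results[name] = (hit, "repaired", scan_file(path))
        else:
            dest = quarantine_file(path, os.path.join(base_dir, "quarantine"))
            results[name] = (hit, "quarantined", scan_file(dest))
    return results


if __name__ == "__main__":
    print("dictionary stale today?", dictionary_is_stale())
    for name, outcome in run_demo().items():
        print(name, outcome)
```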

Page 5: Anti-virus Software (continued)

• Malware authors have tried to stay a step ahead of the “dictionary” approach used by anti-virus vendors
  – By writing “polymorphic” and “metamorphic” viruses
    • they mutate (or change) the underlying code dynamically
    • they encrypt themselves, in an attempt to disguise the actual malware
    • they re-program themselves “on the fly”
  – These approaches are used to defeat the virus’s signature in the dictionary
    • thereby allowing the malware to go undetected by the anti-virus software

Page 6: Anti-virus Software Solutions

• The following is an incomplete list of common anti-virus vendors
  – avast! antivirus
    • http://www.avast.com/
  – AVG Anti-Malware
    • http://www.grisoft.com/
  – AVIRA AntiVir
    • http://www.avira.com/
  – BitDefender Antivirus
    • http://www.bitdefender.com/
  – Computer Associates Antivirus
    • http://shop.ca.com/
  – Dr. Web Anti-virus
    • http://www.drweb.com/
  – eScan Anti-Virus
    • http://www.mwti.com/

Page 7: Anti-virus Software Solutions (continued)

• The following is an incomplete list of common anti-virus vendors
  – ESET NOD32 Anti-Virus
    • http://www.eset.com/
  – Fortinet FortiClient
    • http://www.fortinet.com/
  – F-Prot antivirus
    • http://www.f-prot.com/
  – F-Secure Anti-Virus
    • http://www.f-secure.com/
  – G DATA AntiVirusKit (AVK)
    • http://www.gdata.de/portal/GB
  – Kaspersky Anti-Virus
    • http://www.kaspersky.com/
  – McAfee VirusScan
    • http://www.mcafee.com/

Page 8: Anti-virus Software Solutions (continued)

• The following is an incomplete list of common anti-virus vendors
  – Microsoft OneCare
    • http://onecare.live.com/standard/en-ca/default.htm?mkt=en-ca
  – Norman Virus Control
    • http://www.norman.com/
  – Symantec Norton Anti-Virus
    • http://www.symantec.com/
  – TrendMicro PC-cillin
    • http://us.trendmicro.com/us/home/index.html
  – TrustPort Antivirus
    • http://www.aec.cz/index.php?english
• Refer to the following resource for CNET’s review of anti-virus software
  – http://reviews.cnet.com/Antivirus/4502-3681_7-0.html?tag=dir.av

Page 9: Anti-spyware Software

• The distinction between viruses and spyware is becoming blurred, but in general
  – Spyware often attaches itself to web browsers
    • they are contained within ActiveX controls that were (usually) installed via Internet Explorer
    • they modify the behavior of a web browser
      – by modifying the user’s “home page” within the web browser
      – by adding web links to the web browser’s “Favorites List”
      – by redirecting the search engine results to another website
• Anti-spyware software works by using two basic methods of operation
  – They can provide real-time protection against the installation of spyware software on your computer
  – They can detect and remove spyware software that has already been installed onto your computer
    • this type of anti-spyware protection is usually easier to use and is more often used

Page 10: Anti-spyware Software Solutions

• The following is an incomplete list of common anti-spyware vendors
  – Lavasoft's Ad-Aware SE
    • http://www.lavasoft.com/
    – Ad-Aware is a privacy tool that scans your memory, registry, hard, removable and optical drives for known data-mining, aggressive advertising, and tracking components
    – It then lists the results and offers to remove or quarantine the components
  – SpywareBlaster
    • http://www.javacoolsoftware.com/spywareblaster.html
    – SpywareBlaster doesn’t scan and clean for so-called spyware
      • but prevents it from being installed in the first place
    – It achieves this by disabling the “Class IDs” (CLSID) of popular spyware ActiveX controls
      • and prevents the installation of any of them via a webpage
    – This allows you to run Internet Explorer with ActiveX controls enabled
      • but it will not prompt you (or download) for any of the known spyware ActiveX controls

Page 11: Anti-spyware Software Solutions (continued)

• The following is an incomplete list of common anti-spyware vendors
  – KL-Detector
    • http://dewasoft.com/privacy/kldetector.htm
    – KL-Detector is designed to find out whether your activity is being recorded with a keylogger application
      • it scans for any suspicious activity during a test period that you initiate
      • it asks you to type text into the keyboard for several minutes
      • it then monitors your system to detect any suspicious logging activity
  – Patrick Kolla's Spybot - Search & Destroy
    • http://www.safer-networking.org/en/index.html
    – SpyBot Search and Destroy is an adware and spyware detection and removal tool
      • this includes removal of certain advertising components that may gather statistics, as well as detection of various keylogging and other spy utilities
      • it also securely removes PC and Internet usage tracks, including browser history, temporary pages, and cookies

Page 12: Anti-spyware Software Solutions (continued)

• The following is an incomplete list of common anti-spyware vendors
  – PC Tools's Spyware Doctor
    • http://www.pctools.com/spyware-doctor/
  – Sunbelt Software's Counterspy
    • http://www.sunbelt-software.com/Home-Home-Office/CounterSpy/
  – Trend Micro's HijackThis
    • http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
  – Webroot Software's Spy Sweeper
    • http://www.webroot.com/
  – ParetoLogic Anti-Spyware
    • http://www.paretologic.com/products/paretologicas/index.aspx
  – ParetoLogic XoftSpy SE
    • http://www.xoftspy.com/

Page 13: Windows Defender

• Windows Defender is Microsoft’s real-time anti-spyware and pest detection and removal tool
  – It is included with Windows Vista
    • and is enabled by default
• Information on Windows Defender can be found here
  – http://www.microsoft.com/athome/security/spyware/software/default.mspx
• You can download (for free) a version of Windows Defender that will run on
  – Windows XP Service Pack 2 (or later)
  – Windows Server 2003 Service Pack 1 (or later)
• The download can be found here
  – http://www.microsoft.com/downloads/details.aspx?FamilyId=435BFCE7-DA2B-4A6A-AFA4-F7F14E605A0D&displaylang=en&mg_id=10134

Page 14: Malicious Software Removal Tool

• Microsoft released the “Malicious Software Removal Tool” (MSRT) in January 2005
  – It detects and removes the most popular malware (families)
  – Although not included with Windows, it is automatically downloaded and run monthly as part of
    • Automatic Updates
    • Windows Update
    • Microsoft Update
    • Windows Server Update Services (WSUS)
  – It can be run on the following versions of Windows
    • Windows Vista
    • Windows Server 2003
    • Windows XP
    • Windows 2000
• The latest version of MSRT can be manually downloaded from Microsoft here
  – http://www.microsoft.com/security/malwareremove/default.mspx
• MSRT is updated at regular intervals, and the updates are cumulative
  – which means you only need to run the current version

Page 15: Online Scan Tools

• There are a number of free anti-malware tools that can perform a real-time scan of your system through your web browser
  – They run as an ActiveX Control through Internet Explorer
  – They require Internet Explorer 6.0 or later
• The following are some of these web-browser-based anti-malware scanning tools
  – Kaspersky Online Scanner
    • http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
  – McAfee FreeScan
    • http://us.mcafee.com/root/mfs/default.asp?affid=294
  – Symantec Security Check
    • http://security.norton.com/sscv6/default.asp?langid=ie&venid=sym
  – Trend Micro HouseCall
    • http://housecall.trendmicro.com/
  – Windows Live OneCare safety scanner (Microsoft’s “solution”)
    • http://onecare.live.com/site/en-us/default.htm

Page 16: How Effective are Anti-Malware Solutions?

• Opinions on anti-malware programs are mixed
  – According to the anti-malware vendors
    • they are the panacea that will save the world from certain destruction
  – According to many security experts (including those working at Microsoft)
    • they are leading us to believe that we are far safer than we actually are
    • they cause us to fail to focus on the actual problems
      – protecting users from attacks that are increasingly
        • not signature based
        • targeting them
• The simple fact remains
  – Anti-malware is only able to contain exploits it is aware of
    • by its very nature, this is a reactive approach to security
    • it will likely become a panacea only when it is able to take a proactive approach to security
      – and the industry is not close to this goal
  – Even so-called behavior blocking is about detecting known bad stuff
    • if the bad guy can figure out something that is bad, but not known
      – then there is no protection

Page 17: How Effective are Anti-Malware Solutions? (continued)

• A recent global survey was conducted with large financial institutions
  – In this survey, 99% of the respondents said they use anti-virus software
  – 63% of the respondents said they had “external virus/worm breaches”
  – 31% of the respondents said they had “internal virus/worm breaches”
• So the question has to be asked
  – How effective is anti-virus software?
• Do not take your instructor’s word for it, read the results yourself
  – “Deloitte 2006 Global Security Survey (Assessing the state of information security)”
    • http://www.deloitte.com/dtt/research/0,1015,sid%253D2211%2526cid%253D121523,00.html

Page 18: Anti-Malware Solutions Are Not Perfect

• Anti-malware is software
  – And all software has bugs
• But anti-malware software often “hooks” itself into the Operating System
  – Which effectively makes it an extension of the Operating System
  – Therefore, if anti-malware has a “bug”, it can
    • cause the Operating System to become unstable
    • damage the file system
    • provide an “exploit” for malware
  – It is therefore critical that anti-malware software be well-written with high “code quality”
    • unfortunately, this is not always the case

Page 19: When Anti-Malware Goes Wrong

• Here are some unfortunate events with anti-malware solutions 1
  – “Anti-Virus Software Gone Wrong”
    • http://uninformed.org/?v=4&a=4&t=sumry
  – “eTrust Antivirus Bugs in Arclib Library Let Remote Users Deny Service”
    • http://securitytracker.com/alerts/2007/Jul/1018450.html
  – “Sophos Anti-Virus Bugs in Processing Petite Archives, RAR Archives, and CHM Files Let Remote Users Deny Service”
    • http://securitytracker.com/alerts/2006/Oct/1017132.html
  – “Symantec Anti Virus Products RAR and CAB Decomposition Bugs Let Remote Users Execute Arbitrary Code”
    • http://www.securitytracker.com/alerts/2007/Jul/1018383.html
  – “Symantec false positive cripples thousands of Chinese PCs” (Virus signature update mistakes critical Windows files for malware)
    • http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019958&intsrc=hm_list

1 These are relatively recent events, which unfortunately are not that uncommon

Page 20: Keeping Windows Current

• To minimize the spread of malware, it is critical that the Windows Operating System be current
  – The first step is to make sure the latest Service Pack is applied
• To determine what Service Pack (if any) is installed, do the following
  – Select “System” within the Control Panel applet
  – Alternately, you can right-click on “My Computer” or “Computer” (depending on the version of Windows), and select “Properties”
  – The Service Pack will show up beneath the version of Windows
• The following table lists the Service Packs, by versions of Windows 1

  Windows Operating System       Current Service Pack (SP)   Date Released
  Windows Vista                  SP1                         03/18/2008
  Windows Server 2003            SP2                         03/12/2007
  Windows XP                     SP3                         05/06/2008
  Windows 2000                   SP4                         06/26/2003
  Windows 2000 (Update Rollup)   SP4 - Rollup 1              09/13/2005

1 This table is current as of May 2008

Page 21: Keeping Windows Current (continued)

• The Service Packs can be downloaded directly from here 1
  Note that Service Packs are cumulative (you only need to install the latest one)
  – Windows Vista Service Pack 1 Five Language Standalone (KB936330)
    • http://www.microsoft.com/downloads/details.aspx?FamilyId=B0C7136D-5EBB-413B-89C9-CB3D06D12674&displaylang=en
  – Windows Server 2003 Service Pack 2 (32-bit x86)
    • http://www.microsoft.com/downloads/details.aspx?FamilyId=95AC1610-C232-4644-B828-C55EEC605D55&displaylang=en
  – Windows XP Service Pack 3 Network Installation Package for IT Professionals and Developers
    • http://www.microsoft.com/downloads/details.aspx?FamilyId=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en
  – Windows XP Service Pack 2 Network Installation Package for IT Professionals and Developers
    • http://www.microsoft.com/downloads/details.aspx?FamilyId=049C9DBE-3B8E-4F30-8245-9E368D3CDB5A&displaylang=en

1 Better have a high-speed Internet connection (otherwise it may take a while) ☺

Page 22: Keeping Windows Current (continued)

• The Service Packs can be downloaded directly from here 1
  Note that Service Packs are cumulative (you only need to install the latest one)
  – Windows 2000 Service Pack 4 Network Install for IT Professionals
    • http://www.microsoft.com/downloads/details.aspx?FamilyID=1001AAF1-749F-49F4-8010-297BD6CA33A0&displaylang=en
  – Update Rollup 1 for Windows 2000 SP4 (KB891861)
    • http://www.microsoft.com/downloads/details.aspx?familyid=B54730CF-8850-4531-B52B-BF28B324C662&displaylang=en

1 Better have a high-speed Internet connection (otherwise it may take a while) ☺

Page 23: Keeping Windows Current (continued)

• Microsoft makes Hotfixes, Security Updates, and Updates available for Windows on a periodic basis (usually the second Tuesday of every month)
  – These “updates” can be installed after (or on top of) a Service Pack
• There are a number of ways to obtain these updates
  – Automatically
    • from “Control Panel”, select “Automatic Updates” or “Windows Update”
      – depending upon the version of Windows
    • make sure “Automatic” or “Install updates automatically” is selected
  – Manually
    • from the Start Menu
      – Windows Update
    • from a command prompt
      – WUPDMGR   (Windows 2000, Windows XP, and Windows Server 2003)
      – WUAPP     (Windows Vista and Windows Server 2008)
    • from Internet Explorer (note that 3rd party web browsers are not supported)
      – enter the following URL in the Address bar/field:
        • http://windowsupdate.microsoft.com/

Page 24: Keeping Microsoft Office Current

• To minimize the spread of malware, it is critical that the Microsoft Office applications be current
  – The first step is to make sure the latest Service Pack is applied
• To determine what Service Pack (if any) is installed, do the following from within an Office application
  – For Office 2007
    • Click on the “Office Button”, select “<application> Options”, select “Resources”, then select “About”
  – For versions of Office before Office 2007
    • Select the “Help -> About” menu item
• The following table lists the Service Packs, by versions of Microsoft Office 1

  Microsoft Office Version   Current Service Pack (SP)   Date Released
  Office 2007                SP1                         12/08/2007
  Office 2003                SP3                         09/17/2007
  Office XP                  SP3                         03/30/2004
  Office 2000                SP3                         10/21/2002

1 This table is current as of April 2008

Page 25: Keeping Microsoft Office Current (continued)

• The Service Packs can be downloaded directly from here 1
  Note that Service Packs are cumulative (you only need to install the latest one)
  – The 2007 Microsoft Office Suite Service Pack 1 (SP1)
    • http://www.microsoft.com/downloads/details.aspx?FamilyId=9EC51594-992C-4165-A997-25DA01F388F5&displaylang=en
  – Office 2003 Service Pack 3 (SP3)
    • http://www.microsoft.com/downloads/details.aspx?FamilyID=E25B7049-3E13-433B-B9D2-5E3C1132F206&displaylang=en
  – Office XP Service Pack 3 (SP3)
    • http://www.microsoft.com/downloads/details.aspx?FamilyID=85af7bfd-6f69-4289-8bd1-eb966bcdfb5e&DisplayLang=en
  – Office 2000 Update: Service Pack 3 (SP3)
    • http://www.microsoft.com/downloads/details.aspx?FamilyID=5c011c70-47d0-4306-9fa4-8e92d36332fe&DisplayLang=en
• These Service Packs can also be used to update stand-alone Microsoft Office products
  – Such as Microsoft Word, Microsoft Excel, and Microsoft Access

1 Better have a high-speed Internet connection (otherwise it may take a while) ☺

Page 26: Keeping Microsoft Office Current (continued)

• Microsoft makes Hotfixes, Security Updates, and Updates available for Office on a periodic basis
  – These “updates” can be installed after (or on top of) a Service Pack
• There are a number of ways to obtain these updates
  – Automatically
    • from Internet Explorer (note that 3rd party web browsers are not supported)
      – enter the following URL in the Address bar/field:
        • http://office.microsoft.com/en-us/downloads/maincatalog.aspx
  – Manually
    • from a web browser
      – enter the following URL in the Address bar/field:
        • http://office.microsoft.com/productupdates
      – navigate to the version of Microsoft Office you want updates for
      – select the specific Office component or application

Page 27: Keeping Third Party Applications Current

• To minimize the spread of malware, it is critical that third party applications be kept current
  – Every one of the updates listed in the table below addresses critical or important security issues in the software
• The following table lists the most ubiquitous third party software 1
  – The likelihood of finding at least one of these software applications on any desktop version of Windows is virtually 100%

  Application Name      Vendor               Current Version   Date Released
  [Acrobat] Reader      Adobe                8.1.2             01/11/2008
  Firefox Web Browser   Mozilla              2.0.0.14          04/16/2008
  Flash Player          Adobe (Macromedia)   9.0.124.0         04/08/2008
  Itunes                Apple                7.6.2             04/02/2008
  Opera Web Browser     Opera Software       9.27              04/03/2008
  Quicktime             Apple                7.4.5             04/02/2008
  Safari Web Browser    Apple                3.1.1             04/16/2008

1 This table is current as of April 22, 2008

Page 28: Keeping Third Party Applications Current (continued)

• The third party software listed on the previous slide can be downloaded from here
  – Adobe [Acrobat] Reader
    • http://www.adobe.com/reader
  – Mozilla Firefox
    • http://www.mozilla.com
  – Adobe Flash Player
    • http://www.adobe.com/products/flashplayer/
  – Apple Itunes
    • http://www.apple.com/itunes/download/
  – Opera
    • http://www.opera.com/download/
  – Apple Quicktime
    • http://www.apple.com/quicktime/download/
  – Apple Safari
    • http://www.apple.com/safari/download/

Page 29: Autoruns

• Malware needs to be running (or executing) on the system in order for it to “perform whatever action it was designed to do” (or for it to “do damage”)
• Therefore, part of the goal of malware is to “hook” itself into the system in such a way that
  – It starts running (or executing) when you start the system
  – It starts running (or executing) when you logon to the system
• There is a tool from SysInternals (now part of Microsoft) that can be used to identify all software (both good and bad) that automatically starts on a Windows system
  – The tool is called “Autoruns”
• Autoruns can be downloaded from here:
  – http://www.microsoft.com/technet/sysinternals/Security/Autoruns.mspx
• When you run the tool
  – You will be surprised by how many things automatically start on a Windows system
  – There is an option to not show Microsoft “signed” entries (cuts down the clutter)
  – There is a way to disable an entry so it will not automatically start up

Page 30: AutoPlay

• Since Windows 95, Windows has had the ability to automatically start an application when media is inserted into a CD or DVD drive
  – If the media is a music disc, it will automatically play the music
    • by default through Media Player
  – If the media is a movie (DVD), it will automatically play the movie
    • assuming an appropriate MPEG codec is installed
    • assuming a movie playback application is installed
  – If the media is blank recordable media, then the appropriate authoring/recording software will start
    • assuming the appropriate software has been installed
  – If it is application install media, then an application may automatically start
    • usually an installer application
  – If there is mixed content media, then Windows may “suggest” an application to view the content
    • such as a picture viewer
    • note that Windows can easily get it wrong

Page 31: AutoPlay (continued)

• Microsoft views AutoPlay as a productivity enhancement
  – And as making it easier for non-technical users to “use” the media
• AutoPlay is enabled by default, and as a result
  – You may not always want this behavior
  – You may feel the behavior is annoying
  – It adds to the time to “mount” the drive
    • which can be significant if Windows decides the media contains mixed content
  – It can be exploited through malware
    • especially on versions of Windows prior to Windows Vista
• How can AutoPlay be exploited through malware?
  – Place your favorite malware application onto the root of the media
  – Include an “autorun.inf” file at the root of the media, with the following lines

    [autorun]
    open=Malware.exe

    (Malware.exe is the name of the malware application)
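The defender's counterpart to the slide above, as an added example that is not part of the course material: a small Python inspector that reads the autorun.inf on a piece of removable media and reports what AutoPlay would launch, which is what an analyst checks before trusting a disc or USB stick. The sample media layout is constructed inline; “Malware.exe” is the placeholder name the slide uses and is written here as an inert text file.

```python
"""Inspect an autorun.inf before trusting removable media (added example,
not from the course slides). The sample media built below is constructed
inline; "Malware.exe" is the slide's placeholder name and is an inert file."""
import configparser
import os
import tempfile

# [autorun] keys that name something to run or open when the media is inserted.
LAUNCH_KEYS = ("open", "shellexecute")
# Extensions Windows treats as directly executable.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}


def parse_autorun(text):
    """Parse autorun.inf (INI syntax; section and key names are case-insensitive
    on Windows) and return the [autorun] entries with lower-cased keys.
    Malformed files yield {} rather than an exception."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True,
        comment_prefixes=(";", "#"))
    parser.optionxform = str.lower
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    for section in parser.sections():
        if section.lower() == "autorun":
            return {k: (v or "") for k, v in parser.items(section)}
    return {}


def assess_media(media_root):
    """Report what AutoPlay would do with this media: the launch key used, the
    program it names, and whether that program actually exists at the root."""
    inf_path = os.path.join(media_root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return {"verdict": "no autorun.inf; AutoPlay falls back to content detection",
                "target": None}
    with open(inf_path, "r", encoding="utf-8", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    for key in LAUNCH_KEYS:
        value = entries.get(key, "").strip().strip('"')
        if not value:
            continue
        program = value.split()[0]  # drop any command-line arguments
        ext = os.path.splitext(program)[1].lower()
        present = os.path.isfile(os.path.join(media_root, program.replace("\\", "/")))
        if ext in EXECUTABLE_EXTENSIONS:
            verdict = "would run an executable from the media root"
        else:
            verdict = "would open a file with its registered handler"
        return {"verdict": verdict, "launch_key": key, "target": program, "present": present}
    return {"verdict": "autorun.inf has no launch entry", "target": None}


def build_sample_media(root):
    """Create the layout the slide describes: a program at the root plus an
    autorun.inf that names it. The "program" is a constructed text placeholder."""
    with open(os.path.join(root, "Malware.exe"), "wb") as fh:
        fh.write(b"constructed placeholder, not a program")
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write("[autorun]\nopen=Malware.exe\n")
    return root


def run_demo():
    """Assess a constructed removable-media image and return the assessment."""
    root = build_sample_media(tempfile.mkdtemp(prefix="autoplay-demo-"))
    return assess_media(root)


if __name__ == "__main__":
    print(run_demo())
```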

Page 32: CIS 420 Personal Computer Security - 2profs.net2profs.net › steve › CIS420 › MalwareAndPatches.pdf · – Do not install more than one anti-virus program on a computer at a

CIS-420 User Accounts

How to Configure AutoPlay

• The following methods can be used to configure (or disable) AutoPlay
  – From Windows Vista
    • Control Panel -> AutoPlay
  – From Windows XP and Windows Server 2003
    • install the Tweak UI tool from Microsoft, which can be found here
      – http://download.microsoft.com/download/f/c/a/fca6767b-9ed9-45a6-b352-839afb2a2679/TweakUiPowertoySetup.exe
    • from the Tweak UI utility, navigate to “My Computer -> AutoPlay”
  – From Windows 2000, Windows XP Professional, and Windows Vista (not the home versions)
    • from a command line, enter the following command
      – GPEDIT.MSC
    • Navigate on the left side of the display (console tree), to the following location
      – Local Computer Policy -> User Configuration -> Administrative Templates -> System
    • On the right side of the display, right click on “Turn off Autoplay”, and select “Properties”
      – select “Enabled” and either “All drives” or “CD-ROM drives”
    • Refer to the Resources slides on “Information on AutoPlay”

32
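The “Turn off Autoplay” policy and the Registry articles listed under the Resources slides both come down to one DWORD, NoDriveTypeAutoRun, in which each set bit disables AutoRun for one class of drive. The following is an added example (not from the slides, not Microsoft code) that decodes a value of that key, reports which drive types would still AutoRun, and writes out a .reg fragment for the “All drives” setting (0xFF). The bit meanings and the Policies\Explorer path are taken from Microsoft’s documentation of the key; 0x91 is the default Microsoft documents for Windows XP and Vista. The script only generates text; applying it to a machine is a separate, deliberate step with Registry Editor.

```python
"""Decode and generate NoDriveTypeAutoRun settings.

Added example, not from the CIS 420 slides.  Bit values follow Microsoft's
documentation of the NoDriveTypeAutoRun registry entry; the key path is the
documented per-user / per-machine policy location.
"""
from typing import Dict, List

# A set bit DISABLES AutoRun for that drive type.
DRIVE_TYPE_BITS: Dict[int, str] = {
    0x01: "DRIVE_UNKNOWN (type cannot be determined)",
    0x04: "DRIVE_REMOVABLE (floppy, USB flash drive)",
    0x08: "DRIVE_FIXED (hard disk)",
    0x10: "DRIVE_REMOTE (network drive)",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "reserved / unspecified drive types",
}
ALL_DRIVES = 0xFF          # what "Turn off Autoplay: All drives" sets
DEFAULT_XP_VISTA = 0x91    # documented default: unknown/reserved types and network drives only

POLICY_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def decode_no_drive_type_autorun(value: int) -> List[str]:
    """Drive types on which AutoRun is DISABLED by `value`."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if value & bit]


def still_enabled(value: int) -> List[str]:
    """Drive types on which AutoRun still runs -- the gaps a defender looks for."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]


def autorun_disabled_for(value: int, drive_bit: int) -> bool:
    return bool(value & drive_bit)


def disable_bits(value: int, *drive_bits: int) -> int:
    """Return `value` with the given drive-type bits additionally set."""
    for bit in drive_bits:
        value |= bit
    return value


def reg_file_for(value: int, per_user: bool = True) -> str:
    """Text of a .reg file that sets NoDriveTypeAutoRun to `value`."""
    hive = "HKEY_CURRENT_USER" if per_user else "HKEY_LOCAL_MACHINE"
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{hive}\\{POLICY_SUBKEY}]\r\n"
        f'"NoDriveTypeAutoRun"=dword:{value:08x}\r\n'
    )


if __name__ == "__main__":
    for v in (DEFAULT_XP_VISTA, ALL_DRIVES):
        print(f"NoDriveTypeAutoRun = 0x{v:02X}")
        for name in still_enabled(v):
            print(f"  AutoRun still enabled: {name}")
    print(reg_file_for(ALL_DRIVES))
```

With the documented default of 0x91, removable drives and CD-ROMs still AutoRun, which is exactly the exposure the previous slide describes; 0xFF closes all of them.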


CIS-420 User Accounts

How to Determine if You Have Malware Running

• The following are a few primary performance issues that could indicate that your computer might be infected with malware (1)
  – Your computer runs more slowly than normal
  – Your computer often stops responding to program or system commands
  – Your computer fails and requires you to restart it frequently
  – Your computer restarts on its own and then fails to run normally
  – You cannot correctly run applications on your computer
  – You cannot access disks or disk drives on your computer
  – You cannot print correctly
  – You receive unusual error messages or popup windows
  – You see distorted menus and dialog boxes
  – Your Internet browser’s home page unexpectedly changes
  – You cannot access administrator shares on the computer
  – You notice an unexplained loss of disk space

33

(1) This is not a complete list of symptoms (but these are generally the most common)


CIS-420 User Accounts

Windows Recovery Techniques

• The following information can assist in recovering a Windows system in the event that malware has been installed
  – “A description of the Safe Mode Boot options in Windows XP”
    • http://support.microsoft.com/kb/315222
  – “Advanced startup options (including safe mode)” (this is applicable with Windows Vista)
    • http://windowshelp.microsoft.com/Windows/en-US/Help/f9c50a72-04ec-4088-9fd4-a4f979eef5a71033.mspx
  – “How to restore the operating system to a previous state in Windows XP”
    • http://support.microsoft.com/kb/306084
  – “Windows Backup and Restore Center” (this is applicable with Windows Vista)
    • http://www.microsoft.com/windows/products/windowsvista/features/details/backup.mspx

34


CIS-420 User Accounts

Personal Computer Security Checklist

• The following step-by-step checklist can aid in securing your Personal Computer
  – “A Home User's Security Checklist for Windows”
    • http://securityfocus.com/columnists/220
• Be sure to complete the survey for at least one of your home or office computer systems

35


CIS-420 User Accounts

The Real Effect of Malware

• Self explanatory

[Image; only the caption text “$%^#*&( Internet Explorer” survives]

36


CIS-420 User Accounts

The Problem with Anti-Malware Software

• Self explanatory

37


CIS-420 User Accounts

Resources

• Anti-malware performance-related reports
  – From AV-comparatives.org
    • http://www.av-comparatives.org/
  – From AV-test.org
    • http://www.virusbtn.com/news/2008/03_13a.xml
  – From Okie Island Trading Company
    • http://winnow.oitc.com/malewarestats.php
  – From VirusTotal
    • http://www.virustotal.com/estadisticas.html

38


CIS-420 User Accounts

Resources (continued)

• Information from Microsoft
  – “Establishing End to End Trust”
    • http://download.microsoft.com/download/7/2/3/723a663c-652a-47ef-a2f5-91842417cab6/Establishing_End_to_End_Trust.pdf
  – “Help Wanted—Need ‘People’ People” (Security Watch)
    • http://www.microsoft.com/technet/technetmag/issues/2006/07/securitywatch/default.aspx
  – “Security at Home”
    • http://go.microsoft.com/fwlink/?LinkId=42641

39


CIS-420 User Accounts

Resources (continued)

• Information on AutoPlay (Articles dealing with how AutoPlay can be exploited)
  – “Defending against U3 & Switchblade”
    • http://www.edgeblog.net/2006/defending-against-u3-switchblade/
  – “Island Hopping: The Infectious Allure of Vendor Swag” (Security Watch)
    • http://technet.microsoft.com/en-us/magazine/cc137730.aspx
  – “Social Engineering, the USB Way”
    • http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
  – “Sony BMG CD copy prevention scandal”
    • http://en.wikipedia.org/wiki/2005_Sony_BMG_CD_copy_protection_scandal
  – “Sony Rootkits your computer”
    • http://www.theinquirer.net/en/inquirer/news/2005/11/01/sony-rootkits-your-computer
  – “Sony, Rootkits and Digital Rights Management Gone Too Far” (very technical)
    • http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx

40


CIS-420 User Accounts

Resources (continued)

• Information on AutoPlay (Configuring AutoPlay through the Registry - from Microsoft)
  – Detailed information on the “NoDriveAutoRun” Registry Key
    • http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93506.mspx?mfr=true
  – Detailed information on the “NoDriveTypeAutoRun” Registry Key
    • http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93502.mspx?mfr=true
  – “How to Enable or Disable Automatically Running CD-ROMs”
    • http://support.microsoft.com/kb/155217
  – “The AutoRun feature or the AutoPlay feature does not work when you insert a CD-ROM in the drive”
    • http://support.microsoft.com/KB/330135
  – “The NoDriveTypeAutoRun subkey value is reset to the original default value on a Windows Server 2003-based computer, on a Windows XP-based computer, or on a Windows 2000-based computer”
    • http://support.microsoft.com/kb/895108

41


CIS-420 User Accounts

Resources (continued)

• Internet Explorer Updates
  – “Internet Explorer 6 Service Pack 1” (posted 09/21/2005)
    • http://www.microsoft.com/downloads/details.aspx?FamilyID=1e1550cb-5e5d-48f5-b02b-20b602228de6&DisplayLang=en
  – “Windows Internet Explorer 7 for Windows XP SP2” (posted 10/04/2007)
    • http://www.microsoft.com/downloads/details.aspx?FamilyID=9ae91ebe-3385-447c-8a30-081805b2f90b&DisplayLang=en

42


CIS-420 User Accounts

Resources (continued)

• Tools from Microsoft
  – “AutoRuns for Windows”
    • http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
  – “Malware Removal Starter Kit”
    • http://www.microsoft.com/downloads/details.aspx?familyid=6CD853CE-F349-4A18-A14F-C99B64ADFBEA&displaylang=en
  – “Microsoft Windows Malicious Software Removal Tool (KB890830)”
    • http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
  – “RootkitRevealer”
    • http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
  – “Sigcheck” (Verify that images [program files] are digitally signed)
    • http://technet.microsoft.com/en-us/sysinternals/bb897441.aspx

43


CIS-420 User Accounts

Resources (continued)

• Tools from other vendors
  – “F-Secure BlackLight” (Rootkit Elimination Technology)
    • http://www.f-secure.com/blacklight
  – “McAfee AVERT Stinger” (This tool is available for offline use)
    • http://vil.nai.com/vil/stinger/

44