basic port scan of your computer, which will give you a fast result.
The next logical step would be to start securing your machine by choosing a software firewall, a router or both.
For example, if you run a web server on your computer, the www service listens on port 80 for connections. When people enter your web address in their browsers, the browsers resolve your address and try to establish a connection to port 80 of your computer to fetch the pages you provide.
But here's the important part: if nothing on your computer is listening on port 80, your computer answers the connection attempt with a TCP reset (RST) packet, telling the browser that port 80 is closed, at which point the browser cannot connect and gives up.
A port scan is very similar to what your browser does: it is an attempt to reach a port in order to determine whether that port accepts a connection. The ports may differ, but the process is the same. Port scanners simply determine whether the port is listening for connections. In order to actually establish a connection and run commands on your computer, an attacker needs a listening service and additional tools to exploit it. What's important to know is that unless you are running a service on a port and your computer is listening on that port, it is not possible to connect to it, and the response to the port scan will always be "closed" (or no response at all if a firewall silently drops the probe, which scanners report as "filtered"). This means a single scan of a port or ports by itself can do no harm to you whatsoever, even if you don't have a firewall.
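To see the difference between an open and a closed port for yourself, here is a small connect scanner added to this FAQ entry (it is not part of the original text or of any product mentioned here). It starts a throw-away listener on your own machine to play the role of the web server, picks a second port on which nothing listens, and scans both: the first comes back open, the second closed, and a port that a firewall silently drops would come back as filtered. It assumes Python 3 and only ever talks to 127.0.0.1.

```python
import errno
import socket

# Codes that mean "no answer within the timeout" rather than a clean refusal
# (10035/10060 are the Windows WSAEWOULDBLOCK/WSAETIMEDOUT values).
_NO_ANSWER = {errno.EAGAIN, getattr(errno, "EWOULDBLOCK", errno.EAGAIN),
              errno.ETIMEDOUT, 10035, 10060}
# ECONNREFUSED on Unix; 10061 is WSAECONNREFUSED on Windows.
_REFUSED = {errno.ECONNREFUSED, 10061}


def classify(code: int) -> str:
    """Translate the errno from connect_ex() into the state a scanner reports."""
    if code == 0:
        return "open"        # three-way handshake completed: something is listening
    if code in _REFUSED:
        return "closed"      # the host answered with a TCP RST: nothing listening
    if code in _NO_ANSWER:
        return "filtered"    # no answer at all: a firewall silently dropped the probe
    return f"error({code})"


def scan_ports(host: str, ports, timeout: float = 0.5) -> dict:
    """Connect scan: one full TCP connect() per port, exactly as a browser would."""
    states = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                states[port] = classify(s.connect_ex((host, port)))
            except socket.timeout:
                states[port] = "filtered"
    return states


def demo_localhost() -> tuple:
    """Start a throw-away listener (the 'web server') and pick a port nothing
    listens on, then scan both from the same machine.  Returns their states."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                        # released again: nothing listens there now

    try:
        states = scan_ports("127.0.0.1", [open_port, closed_port])
        return states[open_port], states[closed_port]
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo_localhost())   # ('open', 'closed')
```

Point `scan_ports` at your own public address from another machine and you get the same picture an outsider gets; every "closed" answer is the RST described above, and nothing has happened to the computer.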
However, on a default Windows installation there are certain ports that listen for connections whether you use them or not. Some of them can be closed without a firewall, such as port 139 (NetBIOS, used by file and print sharing), but others can't be closed, such as port 135 (the RPC Endpoint Mapper), and the only way to keep outsiders away from those is a firewall.
You can find a comprehensive explanation of ports that are assigned to certain services here and on a lot of other sites on the Internet.
The dangers posed by a listening port could range anywhere from leaking certain information about your operating system to a malicious connection to your computer or a Denial of Service attack.
•Packet Filters:
Work at the network and transport layers and let you accept, reject or drop packets based on IP address, port or protocol. Packet filters perform these duties based on a set of configurable rules called policies. Packet filtering is the original and the most basic type of firewalling, and most routers provide it. Disadvantages of packet filtering, however, are:
a) Address information on a packet can potentially be spoofed or falsified.
b) The data contained in allowed packets can't be checked, so they ultimately may contain exploits.
c) Packet filters can't provide application level or user level authentication.
d) Once a particular protocol is allowed to pass, external hosts can establish a direct connection to hosts on the Internal Network using that protocol. It could, therefore, expose the private Network configuration to everyone outside of the Network and reduce Network security.
The advantage of Packet filters is that they are very fast and transparent to users.
•Circuit Relay (Circuit Level Gateways):
In this approach, the firewall validates connections before allowing data to be exchanged. In other words, the firewall doesn't simply allow or disallow packets; it also determines whether the connection between both ends is valid according to configurable rules. Once validated, the connection is allowed only from the valid source, and perhaps only for a limited time. It can be configured based on source and destination ports or IP addresses, time of day, protocol, user and password. In this method, each session is validated; however, once the session is established, the flow of data within it is not inspected.
Circuit level filtering is considered one step further than packet filtering. It partly makes up for the shortcomings of UDP, a protocol in which the source address is never verified, and it makes IP spoofing more difficult.
The disadvantage of Circuit relay is the lack of application protocol checking. For example, if two cooperating users use an approved port number to run an unauthorized application, a circuit relay will not detect the violation.
•Hybrids (i.e. Stateful Inspection):
Due to weaknesses in packet filtering, some firewall vendors have introduced hybrid solutions. One of the more successful Hybrids (Stateful Inspection) provides access control at the Network layer by inspecting the content of incoming packets based on complex filters. However, more sophisticated techniques such as user authentication are not possible. A "stateful" firewall remembers the context of connections and continuously updates this state information in dynamic connection tables.
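The difference between a plain packet filter and stateful inspection is easiest to see on a handful of packets. The example below is added here and is not from the original entry; it models both filter types in Python on constructed traffic with assumed addresses (LAN 192.168.1.0/24, outside hosts in 203.0.113.0/24). The stateless filter has no memory, so it must trust the ACK bit to let replies back in, and an outsider who simply sets ACK on a probe to port 139 gets through; the stateful filter consults its connection table and drops the same packet.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset            # TCP flags, e.g. frozenset({"SYN"})


def _from_lan(p: Packet) -> bool:
    return ipaddress.ip_address(p.src) in LAN


def _to_lan(p: Packet) -> bool:
    return ipaddress.ip_address(p.dst) in LAN


def stateless_filter(p: Packet) -> str:
    """Plain packet filter: each packet is judged on its own header.  Replies to
    connections the LAN opened are let back in by trusting the ACK bit, because a
    filter with no memory has nothing better to go on."""
    if _from_lan(p) and not _to_lan(p):
        return "accept"                  # anything outbound
    if _to_lan(p) and "ACK" in p.flags:
        return "accept"                  # looks like a reply ... but we cannot know
    return "drop"                        # inbound connection attempts (bare SYN)


class StatefulFilter:
    """Stateful inspection: a connection table remembers which sessions the LAN
    started, and inbound packets are accepted only if they belong to one."""

    def __init__(self) -> None:
        self.table: set = set()          # (lan_ip, lan_port, remote_ip, remote_port)

    def filter(self, p: Packet) -> str:
        if _from_lan(p) and not _to_lan(p):
            if p.flags == frozenset({"SYN"}):
                self.table.add((p.src, p.sport, p.dst, p.dport))   # new session
            return "accept"
        if _to_lan(p):
            key = (p.dst, p.dport, p.src, p.sport)                # reverse direction
            if key in self.table:
                if "RST" in p.flags or "FIN" in p.flags:
                    self.table.discard(key)                       # session torn down
                return "accept"
        return "drop"


def scenario() -> dict:
    """Constructed traffic: a legitimate web request and its reply, then an
    outside host sending a bare ACK, and a bare SYN, to port 139 on the LAN host."""
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    packets = {
        "web_request": Packet("192.168.1.10", 40000, "203.0.113.5", 80, syn),
        "web_reply":   Packet("203.0.113.5", 80, "192.168.1.10", 40000, synack),
        "ack_probe":   Packet("203.0.113.66", 1234, "192.168.1.10", 139, ack),
        "syn_probe":   Packet("203.0.113.66", 1234, "192.168.1.10", 139, syn),
    }
    stateful = StatefulFilter()
    # (stateless verdict, stateful verdict) per packet, in arrival order
    return {name: (stateless_filter(p), stateful.filter(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in scenario().items():
        print(f"{name:12} stateless={stateless:7} stateful={stateful}")
```

The one packet on which the two disagree is the ACK probe: a real firewall would log it as a blocked packet, which is exactly the kind of entry a "port 139" complaint in the forum usually turns out to be.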
•Application Gateways (Application Level Gateways / Proxies):
This method goes one step further. The Application Gateway acts as a proxy for all applications and performs the data exchange with remote systems on their behalf, which effectively makes the hosts behind the firewall invisible to the outside world. The advantages of this method are numerous. For example:
The firewall verifies that the application data is of a format that is expected and can filter out any known security holes.
The Application Gateway can allow certain commands to the server but not others, limit file access and authenticate users, as well as perform regular packet filtering duties.
Fine-grained control of connections is possible, including filtering based on the user who originated the connection and the commands or operations that will be executed. It can provide detailed logs of all traffic and monitor events on the Host system.
The firewall can be set up to trigger real time alarms when it detects events that are regarded as potentially suspicious or hostile.
Application level gateways are considered by far the most secure type of firewalls, especially when running services (www, FTP, Telnet, etc...) on your Network.
Disadvantages of Application Gateways are:
a) Loss of transparency to applications and slower response time.
b) Each application requires a unique program or proxy, making the process resource intensive.
What's important to know is that Intrusion Detection Systems rely heavily on their databases, and they are as effective as their databases allow them to be. This could serve as an advantage or a disadvantage, depending on how you look at it.
There are several good IDS on the market. Black Ice Defender is a good example, and it's popular among home users and business users alike. Intrusion Detection Systems are generally more concerned about incoming scans as opposed to outgoing communications.
One way to create a DMZ is with a machine that has three NICs in it -- one for the WAN connection, one for the DMZ network and one for the internal network. This is one method of creating a DMZ, but it is not the preferred method. This configuration allows the security of all three networks to lie in one system. If your machine containing all three NICs is compromised, so is your DMZ and your private network. Basically, you are allowing the Internet to "touch" the very same machine that determines how secure your internal LAN is, and this is not a good thing.
A better way to do this is with three separate networks. The way this is accomplished is with two "firewall" devices -- one on the border of your WAN and one on the border of your internal network. Let us say that you have a broadband router/switch and a Checkpoint firewall. You would put your router/switch on your border (right behind your modem). That becomes your DMZ switch. You use one of the ports to connect your bastion host/public server. This is the machine that is running the service that you want people to be able to connect to from the outside. This may be a website, an FTP server or a multi-player game. You want this machine to be hardened to some degree, meaning that it is all the way patched and is not running anything that is vulnerable (although the border device affords it some protection via NAT). As a general rule, though, you want anything put in the DMZ to be resistant to attacks from the Internet since public access is the reason that you are putting it out there in the first place.
Now, to that same switch, you are going to attach another network cable that goes to your Checkpoint firewall. Your firewall (this is going to be the better of the two firewalls that you have, so if you have a Checkpoint and a Netgear, you should use the Netgear on the border and the Checkpoint box on this one) is going to have two NICs in it -- one for the DMZ side and one for the private LAN side. Connect the cable to the DMZ side of the internal firewall, and on the other side of the firewall (the private LAN side), you connect a cable to another hub/switch that all of your LAN computers will connect to.
If that was confusing, think of it this way:
Internet to Modem
Modem to Router
Router to DMZ Hub/Switch
DMZ Switch to WEB/FTP/Game Server
DMZ Switch to Firewall External NIC
Firewall Internal NIC to Internal Hub/Switch
Internal Hub/Switch to Internal Systems
What this does is allow you to completely segment your network in terms of trust. You can initiate connections to the DMZ and to the Internet, but neither of those two networks can initiate connections to you. Essentially, you are saying that you don't trust those two networks, and they are considered completely separate from your internal LAN. This way, if your Host in DMZ is compromised, the intruder will not be able to compromise the other computers in your LAN.
The power is further extended by the fact that you can use NAT on your border device to pass only the ports needed into your DMZ. So, if you are only running a web server, then you only pass TCP 80 to your DMZ machine running that daemon; all other connection requests are refused at the border router/firewall.
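As an added illustration of the trust model above (not part of the original entry), the Python below encodes the two-device layout as rule tables: the border router passes only TCP 80 into the DMZ, the inner firewall lets the LAN out but lets nothing in, and a new connection is allowed only if every firewall on its path permits it. The addresses (LAN 192.168.1.0/24, DMZ 10.0.0.0/24, bastion host 10.0.0.80) and the choice to let the DMZ host reach the Internet are assumptions made for the example.

```python
import ipaddress

# Assumed addressing for the three networks in the diagram above.
ZONES = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),   # behind the inner (Checkpoint) firewall
    "dmz": ipaddress.ip_network("10.0.0.0/24"),      # the border router's switch
}
BASTION = "10.0.0.80"                                 # assumed DMZ web server
ANY = None                                            # wildcard for protocol / port

# Each device allows only what is listed; everything else is refused (default deny).
# Rule shape: (from_zone, to_zone, protocol, destination port)
BORDER_RULES = [
    ("lan", "internet", ANY, ANY),
    ("dmz", "internet", ANY, ANY),         # assumption: the bastion may call out
    ("internet", "dmz", "tcp", 80),        # the one NAT pass-through: web only
]
INNER_RULES = [
    ("lan", "dmz", ANY, ANY),
    ("lan", "internet", ANY, ANY),
    # nothing from dmz or internet into lan
]

# Which firewall(s) a new connection has to cross, in order.
CROSSINGS = {
    ("internet", "dmz"): [BORDER_RULES],
    ("dmz", "internet"): [BORDER_RULES],
    ("lan", "dmz"): [INNER_RULES],
    ("dmz", "lan"): [INNER_RULES],
    ("lan", "internet"): [INNER_RULES, BORDER_RULES],
    ("internet", "lan"): [BORDER_RULES, INNER_RULES],
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def _permits(rules, src_zone, dst_zone, proto, dport) -> bool:
    for r_src, r_dst, r_proto, r_port in rules:
        if (r_src, r_dst) == (src_zone, dst_zone) \
                and r_proto in (ANY, proto) and r_port in (ANY, dport):
            return True
    return False                         # default deny


def may_initiate(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Can a *new* connection from src_ip reach dst_ip:dport?  It must be
    permitted by every firewall on the path; same-zone traffic is not filtered."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return True
    return all(_permits(rules, src_zone, dst_zone, proto, dport)
               for rules in CROSSINGS[(src_zone, dst_zone)])


def evaluate() -> dict:
    """Constructed connection attempts, one per trust boundary."""
    cases = {
        "internet->bastion:80": ("203.0.113.9", BASTION, "tcp", 80),
        "internet->bastion:21": ("203.0.113.9", BASTION, "tcp", 21),
        "internet->lan:80":     ("203.0.113.9", "192.168.1.10", "tcp", 80),
        "dmz->lan:445":         (BASTION, "192.168.1.10", "tcp", 445),
        "lan->dmz:22":          ("192.168.1.10", BASTION, "tcp", 22),
        "lan->internet:443":    ("192.168.1.10", "203.0.113.9", "tcp", 443),
    }
    return {name: may_initiate(*args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, allowed in evaluate().items():
        print(f"{name:22} {'allowed' if allowed else 'refused'}")
```

The case worth staring at is "dmz->lan:445": even with the bastion host fully compromised, the inner firewall has no rule in that direction, so the intruder cannot reach your file shares.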
The important point is that you need to find out which one works best for you. Using a firewall that needs extensive configuration for a person who doesn't have the knowledge or desire to spend the time learning or configuring could be a disaster waiting to happen no matter how secure that firewall may be. By the same token, assuming a firewall is so simple to use that you can set it and forget it could have similar results.
You can take a look at our more recent Firewall polls (2009 and 2010) to find out what's available and what's popular. However, keep in mind, what works for others may not work for you, and what doesn't work for others could work like a charm for you. Popularity may or may not work to your advantage, and the price is no indication of how good a firewall is. The worst choice you could make is to pick up a firewall only because it's popular or fashionable.
So start simple and move up to more complicated firewalls if you wish or stay with the simple one if it works for you. It's up to you. However, if you decide to move to the more complicated, don't forget to protect yourself while you are learning. Using a firewall that you are comfortable with, alongside the one you're trying to learn, will ensure that you are secure while testing the waters. Remember, the time you spend thinking about which firewall to use is the time your computer stays wide open. Choose a simple firewall and protect yourself first, and you will have all the time to explore your other options.
These so-called "set it and forget it" firewalls, like Zone Alarm, provide very good inbound and outbound packet and application filtering, allowing only the traffic that you want/authorized. The drawback is that, in some cases, it is an all-or-nothing proposition. You either allow an application to access the Internet or your system, or you don't.
Rule-based firewalls, on the other hand, like Kerio or Norton Personal Firewall, offer you the ability to not only control what applications and services are granted access, but through which ports and what direction (in, out or both).
Another consideration is whether you want/need added functions such as ad, cookie, pop-up blocking and privacy measures. Many want a firewall to be just that, a firewall, no more, no less, while others prefer to have a more integrated security solution.
So, after weighing the options against your current needs and skills, you should choose the firewall that works for you. No matter your choice, there are many very skilled BBR members here to help you ensure that your system is as secure as it can be. All you have to do is ask!
Generally, a Trojan is not by definition a virus, and contrary to popular belief, they do not spread to other programs and other computers like a virus, either. However, they are one of the leading causes of computer break-ins. They can also contain a virus within them.
Trojans are generally programs that pose as a legitimate program on your computer and add a subversive function to it. That's when a program is said to be Trojaned. For example, a Trojaned login program can be written so it accepts a certain password for any user's account, giving the intruder access to your computer. A rootkit is a suite of several such Trojaned programs that an intruder can put on a Unix machine. It contains a password sniffer, a backdoor program to let the intruder back into the machine at any time, replacement binaries for common programs (modified so the intruder's files, processes and connections don't show up) and, finally, a log cleaner to cover its tracks.
Trojans can contain a virus or a password grabber, or they can be a RAT (Remote Access Trojan) designed to allow remote control over your system. Some Trojans contain built-in scanners that automatically scan the network from your computer, looking for other copies of themselves. One of the most commonly used Trojans is Sub7. What makes it common and dangerous is the fact that, unlike other Trojans that are written once and forgotten, Sub7's author provides constant improvements and new versions. This Trojan can be really destructive or just annoying.
Remote access Trojans such as Sub 7 consist of two parts: one part that resides on the victim's computer and the Control module that resides on the intruder's machine. Using the control interface, the intruder can take control of your computer, flip your background picture, speak out of your speakers, reboot your computer or do serious damage to your machine. Basically, they can pretty much do whatever they want. However, these days, most Trojans are being used to turn your computer into a zombie. In other words, the intruder will be able to turn your computer, and a bunch of other infected computers like yours, into an army of zombies to attack a more important target. This way, the intruder can hide his or her own trace and use your computer as a front. This means the victim's firewall will show your IP address in the log as the attacker's IP, and you may end up with several complaint letters to your ISP and even lose your account as a result.
So, just because you think you have nothing important on your computer doesn't mean your computer itself and your bandwidth are not valuable to hackers. In fact, they are quite valuable and worth the hacker's time.
However, it's important to understand that having an anti-virus/anti-Trojan program and a firewall does not give you a free license to click on just about any email attachment or file you download. The most important part of security is eternal vigilance.
Having anti-trojan software is a great help, too. You'll be able to find free and paid anti-trojan programs on the Internet; all of them will do the job in one way or another. Of course, you should always be looking for strange programs in your firewall that are asking permission to get out of your computer. If you don't know the program, always say no and seek further help from our members in the Security Forum before allowing the program to get out.
By identifying the class of the Trojan you are infected with and visiting the website of your favorite virus scanner, you can find step-by-step instructions on how to manually clean your registry entries and correct other configuration changes made to your machine.
However, once you are infected and depending on how long you've been infected, the intruder may have made even more modifications to your computer manually and that makes it hard to detect and even harder to be absolutely sure if you are completely clean. Because of this, sometimes you'll have to be prepared to do a clean format if your computer has valuable information or if it's a mission critical machine.
Remember to be proactive. Running a good virus scanner and firewall is always an easier task than cleaning a virus or Trojan.
This FAQ is long, but that is because the instructions are step-by-step. You will go through most of the steps quite quickly, although a couple of scans may take a half-hour to run.
Please note that if you're here because you're infected and you're planning to ask for help in our Security Cleanup forum, then this is the link you should go to. It's shorter and it is kept up to date more frequently.
You will have to close your web browser windows later, so it is recommended that you print out this checklist and check off each step as you complete it.
When you need to come back here to link to something, use this URL:
If you need time to think and plan, unplug your computer from the Internet.
If you have a question on the steps, or something interesting to pass on, feel free to post in the BBR Security Forum, one topic per infected computer. Please include the virus, symptom or filename as part of the subject line. BBR Security Forum
If you are unable to perform a step, make a note and move on to the next step.
Don't stop when you find the first piece of malware. It is not uncommon for a computer that has been exploited through a security flaw to have been penetrated more than once. Also, some malware opens backdoors that facilitate the installation of software that enables use of the infected computer by remote control.
This FAQ is organized to guide you through these steps:
1. Update and run the defensive tools already on your computer
2. Run tools that look for viruses, worms and well-known trojans
3. Run tools that look for well-known adware and search hijacks
4. Create a report that will allow forum experts to do a manual examination for less common adware and trojans
5. Submit any malware that appears to be new or modified to the anti-malware vendors
6. Run tools that allow for examination of some security and system settings that might be changed by a hacker to allow remote control of the system
7-10. Determine the steps to clean the computer, and clean the computer
11. Rescan to verify that the computer was successfully cleaned.
12. Re-secure the computer and any accounts that may be violated. If applicable, report identity theft, cancel credit cards and change passwords.
13. Check that the anti-virus monitor is working again.
14. Take steps to prevent a repeat incident.
15. Post about lessons learned.
16. Report the crime.
17. Reference links to product tutorials and additional information sources.
a) Your AV and AT vendors cannot reliably protect you from new malware until they receive a copy of it. If at all possible, copy (quarantine) suspected malware files to a password-protected compressed file (zip file) before deleting them. Do this in addition to any quarantine function that other products have. There is more on this in step 6. Be careful not to click (left-click), open or run suspect files. (How do I create a password protected zip file?)
Note the location of the file (the full path) because this is an important clue as to where the file is from and whether it has been activated yet. If only part of the path to the file is shown by the AV scanner, use the Windows search tool (Start button / Search) to locate the file and write down the full path to the file.
Compressed folders (also called archives, files with file extensions like .zip and .cab) are now decompressed to temporary files by many malware scanners. If the only sign of malware is in one of these temporary decompression folders it is unlikely that the malware has been activated. So be sure to mention the full path and file name when posting about any file found.
b) A file's properties may also give a reminder as to what the file is part of. Right-click on the file in Windows Explorer or Search and select Properties. Remember, properties can be faked by hackers, so consider them reminders not proof.
c) When in doubt about a suspicious file, submit it for analysis. Your iexplorer.exe may not be the same as someone else's iexplorer.exe.
d) When a step indicates running an update, activate the update function of the program. In general, once the update is complete, stop and start the program before running your scan. This will ensure your scan is done using the latest program and malware database versions.
e) Close all web browser (Internet Explorer) windows before having a tool actually fix a problem or remove a file.
f) Often, running in Safe Mode will solve problems removing files. Click here for instructions for running in Safe Mode.
g) If you are on a Windows system that has separate administrator accounts (Windows XP, 2000, NT), work using an account with administrator privileges.
Once complete, if you continue to have problems with a particular user account, repeat the scans in steps 2 and 3 using that user account. (On Windows XP, you will need to use the "Run As" function described here: HOW TO: Use the RUN AS Command to Start a Program as an Administrator in Windows XP.)
1. Update and run any anti-virus (AV), anti-trojan (AT) and anti-spyware (AS) products you already have installed on your computer. Do full scans of your computer.
Record exactly the malware names, and file names and locations, of any malware the scans turn up. Quarantine then cure (repair, rename or delete) any malware found.
If you can't access security web sites, check your "Hosts" file.
Your AV and AT vendors cannot reliably protect you from new malware until they receive a copy of it. So click here to submit the suspect file to the anti-virus product makers.
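A hijacked Hosts file is the usual reason security sites suddenly "don't exist". The checker below is added to this FAQ (it is not part of the original) and reads the file the way Windows does: comments stripped, one address followed by one or more names. It flags any name from a watchlist of security vendors that is pointed at this machine (blocked) or at some other address (redirected), plus a localhost entry that no longer points at 127.0.0.1. The watchlist and the sample Hosts content are constructed; add the vendors of the tools you actually use.

```python
import ipaddress

WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

# Domains a hijacked hosts file typically targets (assumed watchlist).
WATCHLIST = (
    "symantec.com", "mcafee.com", "trendmicro.com", "kaspersky.com",
    "windowsupdate.com", "update.microsoft.com", "safer-networking.org", "lavasoft.com",
)

# Constructed sample: the first two lines are normal, the last three are not.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com liveupdate.symantec.com   # blocked
0.0.0.0         update.microsoft.com
198.51.100.23   www.mcafee.com   # redirected to a stranger's server
"""


def _on_watchlist(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text: str) -> list:
    """Return (line_no, ip, hostname, reason) for every entry that would stop a
    security site from being reached or would send it somewhere else."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip, *hosts = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((n, ip, " ".join(hosts), "unparsable address"))
            continue
        for host in hosts:
            if _on_watchlist(host):
                if addr.is_loopback or addr.is_unspecified:
                    reason = "security site blocked (points at this machine)"
                else:
                    reason = "security site redirected to another host"
                findings.append((n, ip, host, reason))
            elif host.lower() == "localhost" and not addr.is_loopback:
                findings.append((n, ip, host, "localhost does not point at loopback"))
    return findings


def audit_hosts_file(path: str = WINDOWS_HOSTS) -> list:
    """Run the audit against the real file (read-only; nothing is changed)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return audit_hosts(f.read())


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Malware that edits the Hosts file often also sets it read-only or hidden, so if you fix an entry by hand and it comes back, the program that wrote it is still running and the scans in steps 2 and 3 are not finished.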
2. Run two or three free web-based AV scanners. (This scanning is the most time-consuming step in this checklist, but it is important.) Go to web-based AV scanners
Record the exact malware names, and file names and locations, of any malware the scans turn up. Quarantine then cure (repair, rename or delete) any malware found.
3. Download, install, update and run the following free anti-hijacking and anti-spyware (AS) products. Be sure to both download and install the latest version of the program, and then update each product's database.
When running the scan, record exactly the details of any problems turned up. (Tracking cookies are easily cleaned up by deleting them, so don't bother recording them.) Quarantine then cure the malware.
3.1 Spybot S&D (donationware):
Download it here:
a) Download and install Spybot S&D.
b) Click on "Update" in the left column.
c) Click on "Search for Updates."
d) Select a download location (usually one close to you).
e) Click "Download Updates" and wait for the updating process to finish.
f) Check that all Internet Explorer (web browser) windows are closed.
g) Click "Search and Destroy" in the left column.
h) Click "Check for Problems."
i) Have Spybot remove/fix all the problems it identifies in RED. The items not listed in red should not be touched at this time.
3.2 Ad-aware (free version available):
Download it here:
a) Download and install the latest version of Ad-Aware. If you previously had Ad-aware installed, grant the installer permission to uninstall it when it asks.
b) As the installation ends, leave these boxes checked: (i) Perform a full scan now, (ii) Update definition file now, (iii) Open the help file now. Click "finish."
c) Close all programs except Ad-Aware.
d) Wait for the scanning process to complete. (Optionally, glance through the Ad-aware Help window that has popped up.) Close Ad-aware Help when done.
e) Click "Next."
f) Click "Critical Objects" and select all the items found for removal. ("Removal" actually puts things in quarantine, so you can generally recover them if you need to.)
g) Click "Privacy Objects" tab. "MRU list" refers to history lists of "Most recently used" files for different programs. You can review this now and note anything that appears suspicious to post a question about later.
h) Reboot your computer.
i) From Start, All Programs, Lavasoft Ad-aware, rerun Ad-aware.
j) Repeat steps (c) through (i) until no more items are found
4. If the problem seems to be gone, skip this step. Otherwise, download and run HijackThis (HJT) (freeware):
Download it here: »www.trendsecure.com/portal/en-US···tall.exe
* Save HJTInstall.exe to your desktop.
* Doubleclick on the HJTInstall.exe icon on your desktop.
* By default it will install to C:\Program Files\Trend Micro\HijackThis .
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch Hijackthis.
* Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in notepad.
* When the scan is finished, the "Scan" button will change into a "Save Log" button. Click the "Save Log" button.
* DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
* Copy the contents of the log you just saved and get ready to post it in the »Security Cleanup Forum
- The format of your post must be exactly as follows with no deviation or your post will be locked or deleted. This is to ensure you have followed the steps correctly and thoroughly, and to provide our helpful members as much information as possible, so they can help you faster and more effectively.
Start your own thread. Do not interrupt other similar threads with your problem.
i) Start the title of your post with "HJT Log" followed by a short remark regarding your problem.
ii) The first paragraph of your post should explain exactly what the problem is. For example, is it a system slow down? Is it Pop ups or ads? Is your computer trying to call out or send emails? Etc...
iii) The second paragraph should tell us in detail, which one of the above steps you followed and what the results were. Which steps you had to skip and why, etc... Please note the phrase "in detail." "I've followed all the steps" may not be enough information for those who are here to help.
iv) The third paragraph should contain the HijackThis log you copied in step 4.
- Most of what HJT lists will be harmless or even essential; don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.
f) Carry on with the steps 5, 6 and 7 while you wait for feedback from HJT specialists in the forum.
Remember that file names suggest what a program file is, but files can be changed or renamed. It is file contents that determine what a file actually does. So it is important to run the scans in the earlier steps before creating the HJT log.
5. Submit the suspected malware to AV and AT vendors. This will probably be the one thing you can do to "get back at" the virus writer.
All anti-virus, anti-trojan and anti-spyware (AV, AT and AS) vendors are interested in samples of possible new or reemerging malware because viruses are often changed and adapted over time by hackers.
In particular, be sure to submit copies of suspect files that:
- Got on to your system undetected by an up-to-date AV monitor
- Are not consistently detected by some AV scans
- Are acting differently from what was described in the AV company's write-up
- The scanner says are generically or heuristically detected (have no specific signature)
- Are heuristically detected because heuristic methods are prone to false alarms
- That you have continuing doubts about
- If you don't submit a malware file, retain it in quarantine for at least 2 weeks in case later computer behavior indicates that the file may not be what it was initially identified as
File names suggest what is in a file, but files can be renamed. Also, friendly files can have extra functions added. Only an internal analysis of the file can reveal what it really does. Your AV and AT vendors cannot reliably protect you from new malware until they receive a copy of it.
a) Copy the suspected malware files to a compressed folder (a .zip file). This will prevent the file from accidentally being activated. It will also stop the suspected malware being disinfected by email servers when you submit it for analysis.
In Windows XP, right-click the file and select "send to compressed (zipped) folder." Then double-click the .zip file to open it and do File .. Add a password. Make the password "infected."
In earlier versions of Windows, you need some third party software. WinZip is very easy to use and comes with a free trial period. Simply install WinZip and follow the wizard. Be sure to add "infected" as the password. (How do I create a password protected zip file?)
b) Click here to submit the suspected malware file (Outlook, Outlook Express and most other email clients).
Some Outlook clients may have a problem with the link above, in that case, Click here.
c) Attach the password-protected zip file and send. You're done.
(The above method sends your file to 36 anti-malware vendors. However, if the above is too complex for you, Hispasec lab's free multi-engine single file scan and submission tool www.virustotal.com is much simpler to use. It will scan your file and submit it to 19 anti-malware vendors.)
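Added example (not from the original entry): a small Python helper for step (a) that packages a suspect file for submission. It records the full path, size and SHA-256 in a manifest, stores the file under a neutral .bin name so it cannot be started by double-clicking, and re-checks the hash afterwards. The standard zipfile module cannot encrypt, so apply the "infected" password with WinZip or 7-Zip after creating the archive; the sample file, its name and the archive location are constructed for the demo.

```python
import datetime
import hashlib
import json
import os
import tempfile
import zipfile

SUBMISSION_PASSWORD = "infected"   # vendors' convention; add it with WinZip/7-Zip afterwards


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(sample_path: str, archive_path: str) -> dict:
    """Copy a suspect file into a zip under a neutral name plus a manifest that
    records where it came from.  The file is read, never executed."""
    digest = sha256_of(sample_path)
    stat = os.stat(sample_path)
    manifest = {
        "original_path": os.path.abspath(sample_path),   # the clue to where it came from
        "size": stat.st_size,
        "sha256": digest,
        "modified": datetime.datetime.fromtimestamp(stat.st_mtime).isoformat(timespec="seconds"),
        "stored_as": digest[:16] + ".bin",               # no .exe/.scr: a double-click does nothing
        "collected": datetime.datetime.now().isoformat(timespec="seconds"),
    }
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(sample_path, manifest["stored_as"])
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))
    return manifest


def verify(archive_path: str) -> bool:
    """Re-hash the stored sample so a later submission can prove it is unchanged."""
    with zipfile.ZipFile(archive_path) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        return hashlib.sha256(zf.read(manifest["stored_as"])).hexdigest() == manifest["sha256"]


def demo() -> tuple:
    """Constructed sample: harmless bytes standing in for a suspect file."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "svchost32.exe")      # assumed suspicious name
        with open(sample, "wb") as f:
            f.write(b"MZ constructed placeholder, not a real program\n")
        archive = os.path.join(tmp, "quarantine.zip")
        manifest = quarantine(sample, archive)
        with zipfile.ZipFile(archive) as zf:
            names = sorted(zf.namelist())
        return manifest, names, verify(archive)


if __name__ == "__main__":
    manifest, names, ok = demo()
    print(json.dumps(manifest, indent=2), names, ok)
```

Keep the manifest's SHA-256 with your forum post: it lets a helper tell at a glance whether the file you submitted is the same one a scanner later names, without anyone having to handle the sample again.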
6. Even if the problem seems resolved, run security analysis products to check your settings and installed software. These analysis products are definitely not 100% thorough in the checks they do; they only check for common problems. Also, the messages produced are usually cautions to check that something is as you want it to be and are not definite instructions to change something.
6.1 Install and run Belarc Advisor (free): www.belarc.com
When you run Belarc Advisor, look for:
6.1.1 Users you didn't add. Check whether your computer maker or reseller added the users for support purposes before you bought the computer. Otherwise, an account you don't recognize is a strong sign that a hacker has accessed your system.
6.1.2 Microsoft Hotfixes with red Xs beside them, indicating they can be verified by the automated process but failed verification. The earlier the version of Windows, the more likely the fix came off "innocently" when new software was added or upgraded. Click on "details." This will take you to a Microsoft webpage explaining the fix and allowing you to reapply it.
6.1.3 Under software versions, software you didn't install. Many software packages include other third-party software. So installing one product can make 3 or 4 products show up in Belarc and this is not a problem. On the other hand, hackers often install legitimate FTP server or email server software, and because the server software is legitimate, it will not show up in a virus scan.
6.1.4 Save a copy of the Belarc Advisor results. In a few weeks, compare your saved scan with a new scan, looking for unexpected changes.
6.1.5 Ask in the BBR Security or Software Forums before making changes other than reapplying hotfixes. BBR Security Forum
6.2 Install and run Microsoft Baseline Security Analyzer (MBSA) (free):
6.2.1 Review the results to see that they correspond with how you have set your computer up.
- Changes might indicate that someone has altered settings, or the settings may have been altered when other software was added or updated.
- Security updates with reason "306460" simply cannot be verified by the automated process.
- "File version is greater than expected" just means your software has updates MBSA doesn't know about yet.
- You may notice invalid password attempts in your security log. MBSA causes them when it checks for weak passwords.
- The messages above are not normally problems.
6.2.2 Save a copy of the results. Compare them with the results in a few weeks, looking for unexpected changes.
6.2.3 Ask in the BBR Security or Software Forums before making changes, other than re-applying hotfixes.
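Steps 6.1.4 and 6.2.2 both come down to the same chore: keep a saved scan and compare it with a fresh one, looking for users and software you did not add. The following Python script is an added illustration of that comparison; it is not part of this FAQ and not Belarc or MBSA output. It assumes you have already reduced the two saved reports to the simple shape shown (a set of user names and a product-to-version map); the snapshot contents are constructed samples.

```python
"""Compare a saved inventory snapshot with a new one and flag unexpected changes.

Added example, not from the FAQ or from Belarc/MBSA. The snapshot layout is a
constructed simplification: {"users": set of account names,
                             "software": {product name: version string}}.
"""

BASELINE = {  # constructed sample: the scan you saved a few weeks ago
    "users": {"Administrator", "Guest", "alice"},
    "software": {
        "Belarc Advisor": "8.1",
        "Mozilla Firefox": "3.0.1",
        "Adobe Reader": "9.0",
    },
}

CURRENT = {  # constructed sample: today's scan
    "users": {"Administrator", "Guest", "alice", "support"},
    "software": {
        "Belarc Advisor": "8.1",
        "Mozilla Firefox": "3.0.3",
        "Acme FTP Server": "7.3",   # hypothetical product name
    },
}


def diff_inventory(baseline, current):
    """Return what was added, removed or changed between two snapshots."""
    base_sw, cur_sw = baseline["software"], current["software"]
    return {
        "new_users": sorted(current["users"] - baseline["users"]),
        "removed_users": sorted(baseline["users"] - current["users"]),
        "new_software": sorted(set(cur_sw) - set(base_sw)),
        "removed_software": sorted(set(base_sw) - set(cur_sw)),
        "version_changes": sorted(
            (name, base_sw[name], cur_sw[name])
            for name in set(base_sw) & set(cur_sw)
            if base_sw[name] != cur_sw[name]
        ),
    }


def review_notes(changes):
    """Turn the raw diff into review items, giving priority to the two things
    the FAQ says to look for: unknown user accounts and server software
    (FTP, mail) you did not install yourself."""
    notes = []
    for user in changes["new_users"]:
        notes.append(f"REVIEW: new user account '{user}' - did you or your vendor add it?")
    for name in changes["new_software"]:
        tag = "REVIEW" if "server" in name.lower() else "info"
        notes.append(f"{tag}: new software '{name}'")
    for name, old, new in changes["version_changes"]:
        notes.append(f"info: '{name}' version {old} -> {new} (expected after updates)")
    for name in changes["removed_software"]:
        notes.append(f"info: '{name}' is no longer installed")
    return notes


if __name__ == "__main__":
    for line in review_notes(diff_inventory(BASELINE, CURRENT)):
        print(line)
```

Version bumps on software you update yourself are expected and only listed as "info"; a new account or a new piece of server software is what deserves a question in the Security Forum before you change anything.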
7. Different vendors have different names and version identifiers for the same virus, so first look up the virus in the encyclopedia of the scanner's vendor for specific disinfection instructions:
Go to virus encyclopedias
8. To end a process (program) that won't terminate any other way, use Advanced Process Termination (freeware): www.diamondcs.com.au/index.php?page=products
9. Depending on the instructions in the virus encyclopedia for your scanner, it may be necessary to use auxiliary virus removal tools.
9.1 First, be sure to submit a copy of any malware that is not consistently detected or that doesn't behave as expected. Submit suspected malware.
9.2 If a removal tool is required, it is best to first try the tool of the scanner's vendor. If you need to use another AV maker's removal tool, use one of the multi-engine scanners here to find the name other vendors give the virus.
9.3 Read the complete write-up of the virus in the encyclopedia of the removal tool's vendor to find the disinfection instructions. In addition to running the scanner or removal tool, there may be a few manual steps required.
9.4 Generally, each removal tool will only detect and effectively remove the virus variants it says it will.
9.5 For very new virus versions, it may be advisable to wait half a day for the AV maker to update the removal tool.
Removal Tool Links
Microsoft Malicious Software Removal Tool
Panda & ActiveScan
PC-cillin & Housecall
10. In Windows XP and Me, to prevent important system files from being deleted accidentally, System Restore makes backups of them and restores the backups if the original file goes missing.
To prevent malware being restored by the operating system, it is often necessary to clear the backup files from System Restore after the malware is deleted. (This is called "clearing the System Restore points.") To do this, turn System Restore off, wait 30 seconds and then turn System Restore back on.
Waiting until after cleaning to clear the System Restore points means that if there is a problem during cleaning, System Restore can be used to try to correct it.
The instructions on turning System Restore off and on are here:
Microsoft System Restore Instructions (KB 842839) --OR --
Symantec System Restore Instructions
11. If you removed any malware, reboot and repeat the scans that revealed it earlier. This is to make sure that the malware has not managed to reinstall itself.
If the malware did come back, use this sequence of actions:
a) Turn off System Restore
b) Repeat the cleaning procedure used earlier
d) Only then turn on System Restore
If the malware comes back a second time, it is likely that the malware is in multiple files, each of which will replace the others if they go missing. In that case, additional research into your malware is required before cleaning can be successful. Post fully describing your problem here: BBR Security Forum.
12. Re-secure your computer and accounts. The ideas in the following step-by-step guide are useful for cleaning any version of Windows: CERT Guide to Recovering from System Compromises
12.1 In particular, if private information is kept on or entered into the computer, and if the description of the malware uses the words or phrases "backdoor," "allows arbitrary code to be run" or "remote access trojan," and if it is likely that a hacker may have used the backdoor, strong consideration should be given to backing up data to be retained and then reformatting and reinstalling programs on the computer from trusted sources.
This is because a backdoor allows a hacker to make other changes that may reduce your security settings, but that are not readily detectable with current tools.
- After what kinds of viruses and trojans should one reformat and reinstall?
- Security Program Manager Microsoft Corporation: Help: I Got Hacked. Now What Do I Do?
12.2 If a keystroke logger or backdoor was detected, then hackers may have access to what was typed into your computer, including passwords, credit card numbers and account numbers.
12.2.1 Immediately cancel any credit cards used on the computer while the keystroke logger or backdoor may have been active and ask for replacements with new account numbers.
12.2.2 Using an uninfected computer, change any website and server passwords that were entered on the infected computer.
12.2.3 Depending on what information you have typed into your computer in the past, you may need to report a possible "identity theft."
13. Check that your anti-virus software is working again.
14. Go to How to Secure (and Keep Secure) My (New) Computer(s): A Layered Approach for tips on preventing re-infection.
In addition to a firewall and anti-virus scanner, SpywareBlaster and SpywareGuard will help keep malware off of your computer. Weekly scans by your anti-virus scanner, Spybot S&D, Ad-aware and Belarc Advisor will help detect malware that gets on your computer.
Remember to keep your operating system, security software and Internet-capable software up to date.
15. Feel free to post a question, or something you learn and want to pass on, in the BBR Security Forum, one topic per infected computer. (Please include the virus, symptom or filename as part of the subject line.) BBR Security Forum
16. Report the crime.
Reports of individual incidents help law enforcement prioritize their actions. With computer crimes, the total damages officially reported by all victims influences the criminal's sentence.
* Victims can report companies that distribute malware or that use fraud to get software installed to the FTC here.
* Victims can report malware incidents to the US DHS Computer Emergency Readiness Team (US-CERT) here.
17. Additional reference:
* Tutorial on Spybot S&D
* Tutorial on Ad-aware
* User-friendly registry editing tool, Registrar Lite
* HostsXpert: User-friendly tool for editing the "Hosts" file
* Microsoft Security Center
* Microsoft Knowledge Base: Info on messages and symptoms from MS products.
* MS DLL Help Database: Info on MS DLL, EXE and COM file versions.
* Eric Howe's excellent "Rogue/Suspect Anti-Spyware Products & Web Sites"
* How to find out what is using a port
* One way of removing Browser Help Objects
* BBR Security Forum FAQ on HijackThis!
* BBR FAQ on Adware and Spyware
* Other BBR Security Forum FAQs
* Virus hoaxes
* Webopedia encyclopedia of computer terminology
* What is the most efficient way to find information about computer security?
* US Computer Emergency Readiness Team (US CERT): for security alerts and tips, and reporting vulnerabilities.
* Internet Storm Center
* Internet Traffic Report
* The Internet Health Report
* PC World: Bigger Threats, Better Defense
* Subtram's Removal Tool Links. Please use the tools there only on the advice of an expert.
* Subtram's Useful Tool Download Page
* For any "MSVBVM60.DLL not found" message, click here to download the VB6 runtime library.
* How to Secure (and Keep Secure) My (New) Computer(s): A Layered Approach
* Terminating Spyware With Extreme Prejudice/Re-formatting & Re-installing
* When should I re-format? How should I reinstall?
The advice in this FAQ is general in nature. If you are a business or organization that depends on its computers, we recommend you also obtain the services of an IT security specialist to assist you.
Most recent changes:
29 July 2010 by Wildcatboy: Added the link to the mandatory steps for requesting Assistance in SCU.
19 Nov 2008 by CalamityJane: Fixed broken link for HostsXpert
20 Oct 2008 by CalamityJane: Remove Virus@cai.com from Malware Submission list: Reported not working. Replaced with current new email submission for Computer Associates is: email@example.com (added to list)
30 July 2008 by Wildcatboy: Removed the reference to Malware Archive forum from the malware submission email form.
30 July 2008 by CalamityJane: Removed old/obsolete tools and references (CWShredder, AboutBuster, etc.); eliminated Step 4 re: AntiTrojan scanners (no longer needed) and renumbered steps accordingly; Updated URL & references for HostsXpert by FunkyToad.
04 July 2008 by CalamityJane: removed Mike@F-Prot.com from malware submission list - no longer valid
26 May 2008 by CalamityJane:
Changed Comodo submit email addy to: firstname.lastname@example.org
Removed F-Secure submit addy of: email@example.com due to emails bouncing reports
23 Nov 2007 by CalamityJane: Changed submit address for Comodo from firstname.lastname@example.org to: email@example.com
09 Oct 2007 by CalamityJane: Added to malware submit list: firstname.lastname@example.org
Revised download link and instructions for HijackThis (now owned by Trend-Micro)
04 Oct 2007 by CalamityJane:
Removed email@example.com from malware submit list due to bounces.
Removed AboutBuster from list of removal tools (obsolete and no longer supported)
03 April 2007 by CalamityJane:
Section 4 removed temporarily for revision. BOClean purchased by Comodo (to be re-released at a future date); Ewido purchased by AVG, now branded AVG Antispyware (instructions to be updated soon)
03 April 2007
by CalamityJane: Changed BOClean submissions email address from firstname.lastname@example.org to email@example.com
03 July 2006:
By CalamityJane: Added firstname.lastname@example.org to malware submission list
30 June 2006:
By CalamityJane: Added SpySweeper to malware submission list email@example.com
24 Jun 2006:
By CalamityJane: Added F-Prot to malware submission list; made changes for Ewido AntiSpyware v 4.0
By CalamityJane: Updated link for Trojan Hunter update and install
(thanks to amysheehan )
by Wildcatboy: Added firstname.lastname@example.org (Super Antispyware) to the Malware submission list
by CalamityJane: Added email@example.com (Microsoft Windows Defender) to the malware submit list
by Keith2468: For the Virus Submit list, added firstname.lastname@example.org
by CalamityJane: For the Virus Submit list, fixed two bad email addys:
email@example.com (changed to: firstname.lastname@example.org)
email@example.com (changed to: firstname.lastname@example.org)
by CalamityJane: Updated various URLs, programs, Security Cleanup Forum links
by Keith2468: Added a section on reporting the crime
by CalamityJane: Revised instructions for new AboutBuster v. 6.0
by CalamityJane: AboutBuster download URL updated (is now Malwarebytes.org)
by Wildcatboy: Removed TDS and a duplicate from the virus submission email list
by CalamityJane: Adjusted instructions for AboutBuster (new ver. 5.0); adjusted instructions for use of Ewido
Removed TDS discontinued
Added Ewido Security Suite
Updated Hoster URL in list of programs
Removed Tips on TDS
By Keith2468: Added table of contents links to improve navigation within this page. Updated various links to other sites
By Keith2468: Added link to Eric Howe's "Rogue/Suspect Anti-Spyware Products & Web Sites"
By Keith2468: Update to virus submission email list
By CalamityJane: Updated the URL for CWShredder (now owned by Trend-Micro)
Updated BOClean instructions; thanks, K McAleavey
Added VirusTotal.com as an alternative virus submission method.
Added link to "Terminating Spyware With Extreme Prejudice"
The original purpose of null sessions was to allow unauthenticated hosts to obtain browse lists from NT servers and participate in MS networking.
Null sessions are one of the most frequently used methods for network reconnaissance employed by "hackers." A null session connection allows you to connect to a remote machine without using a user name or password. Instead, you are given anonymous/guest access. Please note, even if you have disabled the Guest account, this will still work.
Using a null session connection to a remote machine and tools freely available on the Internet, "hackers" are able to export all manner of information from your machine, including password policy, user names on the machine, account lockout period, last logon time, blank password, etc. This will also inform the "hacker" if you have changed the name of the local administrator account, and it will neatly display the name of all accounts on the target machine, including the renamed Admin account.
Once a null session connection has been established, all that is needed is to type "Net view \\TargetComputerName" to be presented with a list of shared resources on the Target machine.
How do I stop this?
1. Get a Firewall.
a) Disable Netbios over TCP/IP, since Null Sessions are a "feature" of Netbios.
b) Add RestrictAnonymous=1 to HKLM\SYSTEM\CurrentControlSet\Control\LSA, even though there are tools which sidestep this measure.
How do I know if this is happening to me?
Certain utilities are available on the Net, Desktop Sentry for one, which enable you to see who is connected to your machine, giving user name and IP address and if the connection is a null session or not.
It is estimated that 80% of attacks on NT systems occur in this manner.
Submitted by JohnD76
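The entry above says the way to know whether this is happening is to watch who is connected to your machine and whether each connection is a null session. As an added illustration (not part of the FAQ entry and not Desktop Sentry's output), the Python below parses a constructed session list in which an empty user name marks an anonymous connection, flags the null sessions, and counts them per source address, since repeated anonymous connections to IPC$ from one address are the pattern enumeration tools leave behind. The tab-separated record format is an assumption; adapt the parser to whatever your monitor or event log actually produces.

```python
"""Flag null-session connections in a session listing.

Added example, not from the FAQ. Record format is constructed:
    timestamp<TAB>source_ip<TAB>user<TAB>share
An empty user field denotes an anonymous (null) session.
"""
from collections import Counter

SESSION_LOG = """\
2008-07-21 10:02:11\t192.168.1.23\talice\tIPC$
2008-07-21 10:03:40\t10.9.8.7\t\tIPC$
2008-07-21 10:03:41\t10.9.8.7\t\tIPC$
2008-07-21 10:05:02\t192.168.1.40\tbob\tdocs
2008-07-21 10:07:15\t172.16.5.5\t\tIPC$
"""  # constructed sample data


def parse_sessions(text):
    """Parse the constructed format into a list of dicts; 'null' is True
    when no user name accompanies the connection."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, share = line.split("\t")
        sessions.append(
            {"time": ts, "ip": ip, "user": user, "share": share, "null": user == ""}
        )
    return sessions


def null_sessions(sessions):
    """Only the anonymous connections."""
    return [s for s in sessions if s["null"]]


def null_session_sources(sessions, threshold=2):
    """Map source IP -> number of null sessions, keeping addresses that reach
    the threshold. One anonymous connection can be a browse-list request;
    several in quick succession from the same host deserve a look at the
    firewall log and at whether NetBIOS over TCP/IP is still enabled."""
    counts = Counter(s["ip"] for s in null_sessions(sessions))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = parse_sessions(SESSION_LOG)
    for s in null_sessions(found):
        print(f"{s['time']}  null session from {s['ip']} to {s['share']}")
    print("repeat sources:", null_session_sources(found))
```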
•Use random characters. The more random the sequence of characters, the more secure the password will be. You can use the first letters of words in a phrase.
•Don't make it obvious. For example, JohnDoe is too obvious; don't use your first and last name, company name, etc. Definitely do not use your children's names.
•Where money or confidential information is concerned, do not use the same password on sites for different companies.
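The three password rules above can be turned into code. The Python below is an added example, not part of this FAQ: it draws a password from a cryptographic random source, builds the phrase-initials mnemonic the first bullet mentions, estimates the strength of a uniformly random password, and checks a candidate against a list of "too obvious" personal tokens (names, company). The token list is a constructed sample.

```python
"""Generate random passwords and screen candidates for obvious content.

Added example, not from the FAQ. The personal-token list is constructed.
"""
import math
import secrets
import string

# 52 letters + 10 digits + 32 punctuation characters = 94 symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length=16, alphabet=ALPHABET):
    """Each character is chosen independently with secrets (a CSPRNG),
    never with random.choice, whose output is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def phrase_initials(phrase):
    """The FAQ's mnemonic: the first character of each word in a phrase,
    keeping case and digits."""
    return "".join(w[0] for w in phrase.split() if w)


def entropy_bits(password, alphabet=ALPHABET):
    """Strength in bits, valid only for a password drawn uniformly from
    alphabet (random_password). It is NOT a measure for phrase-initials
    passwords, which are far less random than their length suggests."""
    return len(password) * math.log2(len(alphabet))


def too_obvious(password, personal_tokens, min_len=3):
    """True when any personal token (first/last name, company, child's name)
    appears inside the password, ignoring case. Short tokens are skipped to
    avoid matching on noise."""
    lowered = password.lower()
    return any(t.lower() in lowered for t in personal_tokens if len(t) >= min_len)


if __name__ == "__main__":
    pw = random_password(16)
    print(pw, f"~{entropy_bits(pw):.0f} bits")
    print(phrase_initials("My dog Rex ate 3 socks in 2007!"))
    print(too_obvious("JohnDoe2008", ["John", "Doe", "Acme Widgets"]))
```

A 12-character password over these 94 symbols is about 79 bits; the same length made from the initials of an English phrase is much weaker than that figure, which is why the random version is the stronger of the two suggestions.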
Below is a list of some of the programs that constantly ask for permission.
Information obtained via PCMag.
If you've put sites into the Trusted Sites zone, set ActiveX items to Enable and you're still seeing the above warning, that likely indicates that the sites you're visiting are pulling content from multiple sources. In other words, you visit www.site.com, but that site is displaying banner ads, Flash ads or some other obnoxious bit of garbage from ads.scam-artists.com. You can put site.com in your Trusted sites zone, but any ActiveX controls being pulled from scam-artists.com will still fall in the Internet zone (or the Restricted zone, if you've put scam-artists.com in that zone). A "Mixed" zone icon in the bottom right-hand corner of the IE window is a good tip-off that this is happening.
Example: If the page you're receiving the warning from is loaded with Flash ads, it's undoubtedly macromedia.com that's causing your problem. If you've already got www.xxxx.com. in your Trusted sites zone, then the problem is this: either you've got macromedia.com in your Restricted sites zone, or you've got the Internet zone configured to disallow ActiveX controls.
Remedy? Enter macromedia.com and any other third party sites that the page uses into your Trusted Sites zone, if you want to go that far.
How can I tell which entry/website is causing the problem?
Web pages can draw content from multiple sources, including third-party sources. Thus, for example, you might visit www.cnn.com and encounter a widget on that page that doesn't work, but that widget isn't being drawn from cnn.com (which isn't even in IE-SPYAD). In this case, you'll have to identify the sources for the content on cnn.com's home page. It's likely that the widget is being pulled from some third-party source (say, doubleclick.net) that IS in IE-SPYAD's list of Restricted domains and servers. If you can identify the source for content that isn't working, you can then remove the entry which is causing the problem from the Restricted sites zone.
It can be a bit tricky to identify all the sources for a web page's content. One good tip-off that a web page is drawing content from multiple sources is the "Mixed" zone icon that you might see in the bottom right-hand corner of Internet Explorer. A "Mixed" zone means that a web page is drawing content from multiple sources which fall into different zones. One of those sources is likely in the Restricted sites zone.
There are several ways to identify all the sources for a web page's content:
1. Info on the page itself
Hover your mouse over images (esp. banner ads) and other links and watch the bottom band of Internet Explorer, which previews the sites which are linked to. You can also right-click on images and look at the "Properties" for those images. Either method will provide some indication as to where page content is being drawn from.
2. The IE6 Privacy Report
In Internet Explorer 6.0, go "View" >> "Privacy Report." The Privacy Report gives you a rundown of "websites with content on the page."
3. Personal firewall logs
Most personal firewalls provide logging of some sort, and you can look through your firewall's logs to get some indication of the sources for a page's content.
4. View the HTML source
Go "View" >> "Source" to open the HTML source for a page. Looking through HTML can be a pain, but it does reveal all the sources for page content. Note: if the site uses frames, you'll have to open the framed page separately (right click on the framed page, then "Open Frame in New Window"). Then you can "View" >> "Source."
It's not always difficult to track down the specific entry in the Restricted sites zone that's causing a website not to work, but sometimes it does require some patience.
See this thread for original content and information.
Thanks to Eric L. Howes (eburger68) for this information.
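Method 4 above (view the HTML source) is the one that can be automated. The Python script below is an added example, not part of this FAQ entry and not IE-SPYAD code: it walks a page's HTML, collects every host that content is pulled from (script, image, frame, object and stylesheet sources, but not plain links), splits them into first- and third-party, and reports which of the third-party domains are in a Restricted-sites list, i.e. the entries you would consider removing if something on the page stops working. The page HTML, the page's own host name and the Restricted list are all constructed samples.

```python
"""Find the hosts a page draws content from and which are in a Restricted list.

Added example, not from the FAQ or IE-SPYAD. HTML, page host and the
Restricted list below are constructed samples.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """\
<html><head>
<script src="http://www.example-news.test/js/site.js"></script>
<link rel="stylesheet" href="/css/main.css">
</head><body>
<img src="http://ads.example-ads.test/banner.gif">
<iframe src="http://widgets.example-widgets.test/weather"></iframe>
<object data="http://player.example-flash.test/player.swf"></object>
<a href="http://www.example-news.test/story">story</a>
</body></html>
"""

RESTRICTED = {"example-ads.test", "example-flash.test"}  # constructed zone list

# Attributes through which a page embeds remote content.
SRC_ATTRS = {"src", "href", "data"}


class SourceCollector(HTMLParser):
    """Collect host names from content-bearing attributes of every tag."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # hyperlinks are navigation, not embedded content
            return
        for name, value in attrs:
            if name in SRC_ATTRS and value:
                host = urlparse(value).hostname  # None for relative URLs
                if host:
                    self.hosts.add(host.lower())


def content_hosts(html):
    parser = SourceCollector()
    parser.feed(html)
    return parser.hosts


def registered_domain(host):
    """Last two labels of the host (naive; enough for .com/.net-style names,
    which is how Restricted-zone entries are usually written)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify(html, page_host, restricted):
    """Split content hosts into first/third party and pick out the
    Restricted entries that cover any third-party host."""
    hosts = content_hosts(html)
    page_domain = registered_domain(page_host)
    first = {h for h in hosts if registered_domain(h) == page_domain}
    third = hosts - first
    blocked = {h for h in third if registered_domain(h) in restricted}
    return {
        "first_party": sorted(first),
        "third_party": sorted(third),
        "restricted_hosts": sorted(blocked),
        "restricted_entries": sorted({registered_domain(h) for h in blocked}),
    }


if __name__ == "__main__":
    for key, value in classify(SAMPLE_HTML, "www.example-news.test", RESTRICTED).items():
        print(f"{key}: {value}")
```

The "restricted_entries" list is the answer to the question this entry asks: those are the zone entries standing between the page and the content it embeds. Frames are handled only if you feed the framed page's HTML separately, exactly as the entry says.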
To maximize your security when using a public wireless hotspot:
1. Use a software firewall (also called a "personal firewall") that runs on your computer.
Put the network in the "untrusted" or "Internet" zone.
Kerio, Sybase, Symantec and ZoneAlarm are well-known makers of software firewalls. The use of wireless hotspots is justification for getting a version of a firewall that supports the feature of control by remote IP address and port number.
A new feature to look for in your software firewall is the ability to automatically detect whether the network is the regular office LAN or an untrusted hotspot and to automatically adjust the security settings appropriately.
2. Have file and printer sharing disabled on your computer, or use strong passwords on all shares.
3. Use VPN to tunnel to your organization's internal network.
4. Encrypt all email that you want to remain confidential.
In other words, you can't trust the wireless protocols to do the encrypting for you, so you should encrypt confidential data before it is submitted for transmission to a public wireless hotspot.
* Continue to practice general security procedures, including: keeping the anti-virus, operating system and applications up-to-date with security and critical fixes; running software firewalls; having on-site and off-site backups; and periodically checking firewall logs for evidence of intrusion attempts.
Other wireless security resources:
BBR Wireless Forum: /forum/wlan
BBR VPN Forum: /forum/vpn
BBR Security Forum: /forum/security,1
BBR Security FAQs: /faq/security
BBR Hardware Support Forum Index: /forums/18
1. Using Windows Explorer, locate the first file you want to zip.
2. Right click on the file and select Send To and Compressed (zipped) Folder. This will create a new compressed folder with the same name as the file, except with the extension .zip.
3. Right click any other file you want to compress and select Copy.
4. Right click on the compressed folder you created in step 2 and select Paste. The copied file is pasted into the compressed folder. Repeat this until your compressed folder contains all the files you want.
5. Right click on the compressed folder and select Explore.
6. In File, select Add a Password. Enter the password and confirm the password.
B. If you have an earlier version of Windows:
1. Download a zip utility. WinZip is very popular, and an evaluation version is available free.
(Other zip utilities are here: »www.freedownloadscenter.com/Util···ilities/)
2. Using Windows Explorer, locate the first file you want to zip.
3. Right click on the file and select WinZip and Add to Zip File.
4. In Add to Archive, enter the path and name you want your zip file to have.
5. Click Password and enter the password you want the zip file to have.
6. Click Add.
7. On the WinZip window that appears, click Add and select any other files you would like to add to your zip file.
8. When you are done, select File and Close Archive.
If you are creating a password protected zip file for the purpose of sending a virus to an anti-virus company, use the password infected and state the password is infected in the email the zip file is being attached to. In this special case, the password protection is simply to prevent the virus from tripping alarms and being disinfected before it reaches the anti-virus company.
Some tools for making "password protected zip files" (compressed folders) may use the term "encryption" or "encryption key." Encryption key is technically the more accurate description. They are talking about the same thing, though.
(Don't worry if an unencrypted copy of the zip file is created in your TEMP directory when you enter the password. The work-file will be deleted by the zip utility when it terminates. If your zip utility fails to do that, contact the zip utility vendor. - Keith2468 2008-07-21)
Table of Contents:
Why Security Is Important.
- Costs To You.
- Costs To Others.
What To Do About It.
- System Log Notebook.
- BEFORE Connecting To The Internet.
- - Power Protection.
- - Secure Passwords.
- - Boot Disk.
- - Backup Regime.
- - Worms, Infections and You.
- - NAT Router.
- - Windows XP ICF.
- - Anti-Virus.
- - Modem Stand-by.
- Basic Security/Integrity (Continued) - Now Ready to Connect to the Internet.
- - Software Firewall.
- - "Windows Update".
- - Analyzer Tests and Tools.
- - Tighten Internet Explorer (IE).
- - Browser Alternatives.
- - Browser Filtering.
- - Email and Email Program Alternatives.
- - For AOL Users Only.
The Next Level.
- Free Software For Your Layered Security Arsenal.
- - Script Sentry.
- - RegistryProt.
- - Trust Setter.
- - Startup Control Panel.
- - SpyBot S & D.
- - MicroSoft Windows Defender.
- - AdAware.
- - SpywareBlaster.
- - Spyware Guard.
- Secure Your Operating System.
Security should be a risk assessment: balancing the overall risk magnitude (the full "cost", both to you and to others, if the event occurs, together with the probability of the event occurring) against the full "cost" of eliminating the possibility of the event occurring. In most cases, only a reduction of the probability of the occurrence can be accomplished. Fortunately, that is usually good enough.
COSTS TO YOU:
Computers (even the "home computer") have become enmeshed in almost every aspect of our daily lives. The amount and depth of detail of information directly related to a user's life that they contain, and that passes through them, is often large, and is increasing.
Identity Theft is a very real primary concern, and there are others, that vary from mere potential annoyances to financial, property, and even mental and physical health and safety. (Note: For possible Identity Theft, immediately follow »Security »How to report ID theft, fraud, drive-by installs, hijacking and malware? .)
Some examples of private, personal areas that a computer commonly is involved in, either directly through transactions, through communications (like "chat", Instant Messaging, email, or IRC), and/or the storage of the records/logs of these "conversations" (and of other documents and other data related to these areas), are:
•Personal Identifying Information (dates of birth, Social Security numbers, addresses, phone numbers, photographs)
•Financial information- Banking, Investments
•Health and Medical Information
•Home and personal security routines (when home, when not home, vacations, protection systems)
•Private, personal matters
•Business information (if used for this purpose)
It is possible for others to gain access to a machine and be able to "see", and even to "do", most everything that you can.
Anything, and everything that you, your family, and other users do with the machine, could be discovered, disseminated, altered, stolen and/or destroyed. This does not mean that any of these bad things will occur, only that the potential exists, and that it does happen.
COSTS TO OTHERS:
You may have information concerning other people on your machine that could cause damage to them, if it was to be compromised. You may be legally responsible for such damages in some situations.
Even if you keep absolutely no information of any private or personal nature on an Internet connected machine, the machine could still be used by others for their own purposes. This could range from harmless pranks, to facilitating spam (theft of services, and often of a fraudulent nature) and file sharing (perhaps illegal, perhaps child pornography), attacks, and other illegal activities, thus imposing harm ("costs") onto other people. While it may not matter to you if someone else gains access and control of your machine, this may aid in causing injury to others, for which you may be legally liable.
"Computer security risks to home users" , How Computer Viruses Work and Understanding Spyware, Browser Hijackers, and Dialers are three sources of more detailed information. See also the Security FAQ: »Security »What questions should I ask when doing a security assessment?.
In sum, while it's not a pretty thought, it is very important to take relatively simple steps to "secure" your machine, and to practice "Safe Computing" (Safe-Hex).
** It is well worth the small effort to greatly reduce your exposure to exploitation and abuse, which in turn reduces the exposure of others as well.**
The following are suggestions that serve as a starting point for basic security, presented in approximately the order in which they should be implemented. All items listed in "Before Connecting To The Internet" are to be implemented prior to establishing any Internet connection. It is a walk down a path that begins with the simplest essentials, and adds additional areas and layers.
Tightening up your Operating System (OS) and Internet Explorer (IE) really should be accomplished much earlier than their position below suggests. The reason they are listed as later steps, is to allow people to become increasingly familiar with how their machine, its OS and programs operate, and familiar with making changes to less critical configurations. If you are already comfortable with this, then there is no reason not to carefully proceed.
Knowledge, abilities, and habits should also be considered. The most experienced user may feel, and be, quite secure with fewer layers of software protection, as they will have taken the steps to secure their OS, be far less prone to click on malware, and have the proper backup available to quickly recover even if they do (in theory, at least).
The user who keeps data of a very important, valuable, private nature to them, and/or their business, or relies heavily on this information, or is exposed to greater threats by their particular usage (surfing, email and/or file-sharing habits), is a prime candidate for additional protection, no matter what their level of expertise.
Before proceeding, please read two excellent posts in recent (2/2007) Security Forum discussion threads concerning the correct approach to basic Security: ( Wildcatboy 's »Re: Beginner in Security (understand how infections occur!) and EGeezer 's »Security implementation - a process, not a product ).
If a computer is to be "usable", no amount of programs, or hardware, will provide complete protection from all possible risks, especially from its user's own dangerous actions.
System Log Notebook (Good Practices Side Note) -
Computers are a complex amalgamation of numerous complex applications and pieces of hardware. You may save much time and trouble by starting a hardcopy "System Logbook" now, and making a habit of noting down the date, time and effects of changes you make to your machine (and router), including software updates, upgrades, and new software installations. A three-ring notebook or binder works well for this. (Consider the security implications of noting passwords in such a log.) The level of detail is user dependent.
Use this as a trail-map, hopefully to arrive at, what is for you, a secure destination.
•Above all, as the operator of a powerful machine, in the end, it is up to YOU TO ALWAYS PRACTICE SAFE CYBER - It's the most crucial layer.
POWER PROTECTION - Before connecting to anything, a UPS (Uninterruptible Power Supply, which usually has surge protection built in) for your CPU/Monitor/Modem/Router will protect your investment in many ways, including security (See EGeezer's summary: »UPS Good For Security? ). This is probably the most expensive item in this FAQ, most of whose items are free. While the UPS can be postponed, the sooner it is in place, the better.
If you do not live in a Severe Weather region, and do not have your machine on that much, and are lucky enough to have reliable, stable, clean a/c power (very rare), and the economic choice is between a UPS (basic models run from $30-$200 US) and a NAT router, postpone the UPS and get the NAT router now.
At a minimum, properly ground and Surge Protect your system before you plug it in.
SECURE PASSWORDS -Utilize strong Passwords at all sensitive points (i.e. Administrative Accounts, email, password protection applications, financial accounts, Router) and keep them secure (Password Safe, which is free). For a more automated program, check out KeePass: "a free/open-source password manager or safe which helps you to manage your passwords in a secure way". RoboForm "is a free password manager and one-click web form filler with some serious Artificial Intelligence". Try the Password Security Test.
BOOT DISK -In case of serious problems, having a boot disk on a floppy disk may enable you to get going again.
BACKUP REGIME -Establish and follow a backup regime of critical data, which includes physical security of the backups, and is appropriate to your usage.
What would the total "cost" (time, effort, money) be to you personally (financial, contact and other information, family pictures...), or to your business, if you lost all of the data on a machine? What would all of these costs be at the end of a few days, or a week, or even longer? What would the cost be in hours and time to recreate what was lost, if it was even possible?
While these questions apply to security in general, here it should be most obvious. Establish and follow back-up regime of critical data and other important items. This includes physical security of the backups. Tailor it so it is appropriate to what you are protecting. Do this right, and potential disasters can be efficiently mitigated. Do it poorly, and the financial and/or personal costs could be extremely severe. (See keith2468 's FAQ »Security »What should I do about backups? / How do I back up my hard drive? for more information, and links.)
WORMS, INFECTIONS AND YOU:
Connect to the internet for less than one minute, even with a dial-up modem account, and infections from worms can, and do, occur. One can no longer safely log-on "just for a quick-patch", without very real exposure to infection.
PLEASE NOTE: Brand new systems, and freshly installed Operating Systems are particularly vulnerable to exploitations, as they most often require "Critical Security Patches" and other updates to eliminate newly "discovered" vulnerabilities.
The simplest, strongest, most reliable and easiest to use solution to this problem is the NAT Router.
NAT ROUTER -If connecting via Cable/DSL, make the very important and relatively small investment in a Router (How Routers Work) with NAT (How NAT or Network Address Translation Works). In today's hostile Internet environment, no system should be without this protection ( »Security »When is an NAT router inadequate protection? ).
One example is the LinkSys Etherfast Cable/DSL BEFSR41. The price has dropped way down (05-2004: $40-$60US), and it will serve well in protecting against the hordes of INBOUND nasties.
It is very easy to set up, and operation is, for the most part, "set and forget". Relevant DSL resources are: The DSL Linksys Forum FAQ: Tricks, Tips and Firmware , and the DSL Linksys Forum itself. There are other good routers.
Make sure the Router is properly configured (at a minimum, change its password, block WAN requests, disable "remote management", enable Stateful Packet Inspection or SPI, if applicable).
If you do not have a router or Windows XP, install one of the other software firewalls (see Software Firewalls below) to protect your computer.
Make sure your computer is protected before connection to the Internet even for one second.
*** Wireless Set-ups *** Wireless components introduce one more point of vulnerability, and this area is beyond the scope of this basic security FAQ. If you must use wireless, first ensure that you are comfortable securing, and keeping secure, your hard-wired system and/or network. Please see keith2468 's FAQ »Security »How do I secure a wireless network (wireless router)? , as well as DSLR's »Wireless Security Forum, and its »Wireless Security FAQ , for more information.
WINDOWS XP "ICF" - For a Broadband connection, without a properly configured NAT router, and for a dial-up connection without a properly configured Software Firewall (SWF- see below) providing protection, Microsoft XP's software firewall (ICF), must be enabled.
By turning on ICF, you can temporarily utilize its limited protection against inbound threats to enable you to get MS Updates and patches (see below), update or upgrade your Anti-virus software, and to download a SWF.
To confirm that ICF is enabled, go to Start--> Control Panel ---> Network and Internet Connections--> Network Connections--> Local Area Connection Properties --> Advanced. Select "Protect my computer and network by limiting or preventing access to this computer from the Internet". Click OK. (Tutorial.)
ANTI-VIRUS -It's time to get a current version of a reputable Anti-Virus program installed, running, and properly configured. Once behind a NAT Router or SWF, the next step will be to make sure the Anti-Virus program is fully up-to-date with its latest Virus definition file.
When installing a program, upgrade, or update, or installing Windows Updates, if the instructions specify turning off (or disabling) your Anti-Virus before installation, always remember to:
1) Download the file to your hard drive, if possible, and scan it with your AV's on-demand scanner.
2) Turn your AV's resident system scanning back on, making sure it is fully enabled, as soon as the installation process is complete.
If your AV has an "Auto-Restart when disabled" feature, enable it in case you forget to restart it yourself.
For the general user, remember this rule: Always run one, but only one, full time resident Anti-Virus application. Running less, or more, can cause serious problems.
If you are having problems with your AV, see the Security FAQ Why won't my new anti-virus package work right?
Modem Stand-by - If your Broadband modem has a "Standby" switch, consider using it to keep your machine disconnected from the Internet:
1) During Start-up, at least until your SWF and AV are fully loaded and running.
2) When you are not actively using the connection, especially if unattended.
3) During Shut-down.
4) When applying program Updates to the SWF or related Suite.
Networked Users Note: Unless your router has the capability to firewall your system from other systems on your LAN, and unless you are utilizing this capability, disconnect at the Ethernet card(s), instead of at the modem, during periods of potential SWF vulnerability.
*** Once all of above have been implemented, then, and only then, are you ready to connect to the Internet!
SOFTWARE FIREWALL -Download and properly configure a software Firewall (How Firewalls Work), like ZoneAlarm-FREE (ZAF), to help protect against OUTBOUND nasties, and to provide a further layer of inbound protection.
Should your Router be bypassed by you, or a guest, by using a dial-up connection or misconfiguration, or should it fail or be successfully exploited, the software firewall will be there to protect you against attempts at both inbound and outbound connections.
Even with the formidable inbound threat protection that a NAT router provides, exploits can still wind up on your machine in a number of ways, primarily by your "letting it in" (by your own, or a guest's, surfing, software installations, file sharing, removable media...). However a "marauder" succeeds in gaining entrance, once in, NAT will afford no protection from the marauder attempting to establish an _outbound_ connection to scurry away with data, or possibly worse, to allow further intrusions and exploitation.
The outbound application protection control that only a SWF provides is why it is so important to your security. The second layer of inbound protection is an added bonus.
The "One and Only One Rule" applies to SWFs:
For the general user, run one, and only one SWF. For the general user, when changing SWFs (other than XP's native ICF), completely uninstall the present SWF before installing its replacement (following safe practices).
If you decide to network multiple boxes, a software firewall on each machine will help keep potential unfortunate infections isolated from the other machines.
ZAF comes with a basic easy to digest tutorial. Reviewing it a few times will get you going. Markus Jansson's Firewalls and ZoneAlarm Guide and Tips is an additional source.
***Once you have downloaded ZoneAlarm, you can disconnect from the Internet. After disconnecting from the Internet, turn off XP's ICF. After turning ICF off, install, and configure ZAF. ***
WINDOWS UPDATE & UPDATE & UPDATE..........
Use Windows Update (Start---> Windows Update) to bring the OS, and other MS programs like Office, current by downloading and installing Service Packs, Critical Updates, Updates and patches that probably will be needed.
NEW MACHINE/FRESH OPERATING SYSTEM INSTALL? Though already mentioned, this can not be overemphasized: If you have a new machine, or a fresh OS installation, unfortunately, it will most probably NOT be up-to-date. Even if the builder tried to ship fully updated machines, patches are sometimes released on a weekly basis as the need arises.
Keeping your OS updated is very important in keeping it secured from exploitation, and so should never be overlooked.
To help make sure your OS is always kept up-to-date, consider setting Windows Update to "Notify" you when Updates are released.
See The Elder Geek on Automatic Update for Windows XP. In win2kp, this is under Start---> Settings---> Control Panel---> Automatic Updates.
Selecting "Notify me before downloading any updates...." is less intrusive and keeps you in control of what happens, when it happens, and what else is occurring while it happens.
No matter what setting you select, it is still a good idea to regularly perform manual checks.
Make sure you always keep your other applications up-to-date, especially Anti-Virus, Browser, and Anti-Mal/Spyware. For Anti-Virus, also consider setting it to regularly check (at least once a day!) for updates.
Note on Updates: The DSL/Broadband Reports Security Software Updates Posse works tirelessly and nimbly at close to lightning-speed to keep the DSL Security Software Daily Updates Thread up-to-the-minute, with notification and details of Security Software detection database updates. Their bailiwick currently includes MS, well over a dozen Anti-Virus, and many Anti-Trojan and "Privacy Related" applications. The thread can be found as a "sticky" at the top of the DSL Security Forum. This is just another good reason to stop by the Security Forum every morning.
Note on the installation, upgrading, or updating of any software: It is always strongly recommended to make sure your AV is fully up-to-date, then download the file (or copy it from removable media), and then scan that file, which is new to your machine, with your AV prior to running it.
This applies to files from "trusted" Vendors as well as trusted friends and co-workers. Even Microsoft has shipped infected files. While there definitely are varying discernable degrees of what should be "clean" files and "trusted" sources, no file and no source is completely immune to such threats.
SECURITY ANALYZER TESTS and TOOLS (free)
Check to see if MS Updates and patches were successfully applied and more:
The Belarc Advisor
Microsoft Baseline Security Analyzer
SECURITY PORT SCANS -Have your system scanned to determine how well you are protected, at the time of the scan, by the combined "filtering" of your ISP, your Router, your software firewall, and your operating system. One such test is Steve Gibson's Port Authority Edition - Internet Vulnerability Profiling.
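Before running an outside scan such as the one above, it helps to know which ports your own machine is listening on, since those are the only ones any scanner can ever find open. The short Python script below is an added example (not a tool from this FAQ): it parses the output of the built-in `netstat -an` command, lists the TCP ports in a LISTENING state, and separates the ones bound only to the loopback address (reachable only from your own box) from the ones a remote scanner could reach. The sample `netstat` output and the notes on ports 135, 139 and 445 are constructed assumptions about typical default Windows services, not output from any real system.

```python
"""Report which TCP ports a machine is listening on, from 'netstat -an' output.

Added example with constructed sample output; not a tool from the FAQ.
The port notes are an assumption about typical default Windows services.
"""
import re

# Services that commonly listen by default on older Windows systems (assumption).
PORT_NOTES = {
    135: "RPC endpoint mapper",
    139: "NetBIOS session service (file and print sharing)",
    445: "SMB over TCP (file and print sharing)",
}

# Matches both the Windows layout ("TCP  0.0.0.0:135  0.0.0.0:0  LISTENING")
# and the Linux layout ("tcp  0  0 0.0.0.0:22  0.0.0.0:*  LISTEN").
LISTEN_LINE = re.compile(
    r"^\s*tcp6?\s+(?:\d+\s+\d+\s+)?(\S+):(\d+)\s+\S+\s+LISTEN(?:ING)?\s*$", re.I
)


def _scope(address):
    """Classify the bound address: who can reach this port at all."""
    addr = address.strip("[]")
    if addr in ("0.0.0.0", "::"):
        return "all interfaces"
    if addr == "::1" or addr.startswith("127."):
        return "loopback only"
    return "one interface"


def listening_ports(netstat_output):
    """Every TCP listener in the output, sorted by port number."""
    found = []
    for line in netstat_output.splitlines():
        m = LISTEN_LINE.match(line)
        if not m:
            continue
        address, port = m.group(1), int(m.group(2))
        found.append({
            "port": port,
            "address": address,
            "scope": _scope(address),
            "note": PORT_NOTES.get(port, ""),
        })
    return sorted(found, key=lambda p: (p["port"], p["address"]))


def exposed_ports(netstat_output):
    """Only the listeners a remote port scanner could actually reach."""
    return [p for p in listening_ports(netstat_output) if p["scope"] != "loopback only"]


# Constructed sample of Windows 'netstat -an' output (not captured from a real machine).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3253      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    for p in listening_ports(SAMPLE_NETSTAT):
        print(f"port {p['port']:>5}  {p['scope']:<15}  {p['note']}")
```

To use it on your own machine, run `netstat -an` at a command prompt, save the output to a file, and pass the file's contents to `exposed_ports()`. Anything it lists that you do not recognise as a service you intentionally run is worth investigating, and is exactly what the external scan above should report as filtered or closed once your router and software firewall are in place.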
TIGHTEN INTERNET EXPLORER - (IE)
IE is highly integrated in the Windows OS. Unfortunately, it is regularly exploited by malicious websites during everyday surfing, and even by "trusted" web-sites, should they become infected. Browser Hijacking, Drive-by downloads of malicious payloads and other malicious exploitations are causing damage to countless systems (and so to users) every minute. (See US-CERT Vulnerability Note VU#713878.)
Fortunately, there are ways to reduce this risk, and it is very important to employ them before venturing out.
As long as Internet Explorer exists on your box (even if you do not use it), follow Archie Bell and The Drells' sage advice and "Tighten Up" its settings (click the link for Markus Jansson's page on decreasing IE's known vulnerabilities). Eric Howes' Internet Explorer Privacy & Security Settings tutorial, very thorough yet easy to follow, provides numerous screen shots of the procedure. See also Bubba 's excellent FAQ: »Microsoft Application Tips and Tweaks »Concerning Internet Options Security, what do some of the settings mean .
By following these recommendations, you will greatly reduce the risk of malware exploitation through IE.
BROWSER ALTERNATIVES - Better yet, also consider an alternative to IE for your primary browser, as one less likely to be targeted for exploitation. See US-CERT Vulnerability Note VU#713878, again.
Firefox (free, from Mozilla). See the Firefox Privacy & Security Settings tutorial. For Firefox and Mozilla information, help and links, also see DSLR's »Mozilla Software Forum and »Mozilla and Related Browsers FAQ , along with Cookie Recipes .
Opera is also a free, popular alternative. See its Privacy and Security tutorial.
BROWSER FILTERING - No matter which browser you primarily use, consider Browser filtering. WebWasher is free, and cleans away and gives control over megs of surfing scrud (Ads, Popups, Popunders, cookies, scripts, embedded objects/applets, frames, forms, links, backgrounds, animations, webbugs, referrers).
Proxomitron (also free) is far more configurable, possibly faster, but does have a much steeper learning curve. If you can 'get the hang of it', it provides almost limitless ability to filter and control exactly how web pages are downloaded and displayed.
-- Adblock Plus-
The free AdblockPlus extension for FireFox/Mozilla (also at Mozilla Addons), while less powerful than proxies like WebWasher and Proxomitron, is highly recommended to give you easy control over downloading and viewing ads while surfing. This good filtering also brings an increase in privacy and security.
You must first add Filters to Adblock Plus in order for it to start its filtering protection. While designed for the outdated 2nd Generation "Adblock" extension on which the revived 3rd Generation Adblock Plus version is based (as is »Ads BGone - Ad Free Surfing FireBird/AdBlock - ), this excellent beginners' Tutorial will, nonetheless, get you started on creating your own filters. Help is available here in DSLR's »Mozilla Software Forum, and at the developer's Adblock Plus Forum.
Once you get the hang of it, you might opt to employ reputable, proven 3rd party Filtersets. While you can certainly skip right to using such 3rd party Filtersets, it may be better in the long run to at least get a basic understanding of Adblock Plus and filtering, so you can deal with any False Positives that may block desired content, as well as any unfiltered ads that slip through, once you employ someone else's Filterset.
DSLR's own rick752 scrupulously maintains Filtersets that can be set to automatically update themselves, with no action required by the user once they are "subscribed". Here are instructions for how to very quickly install Rick752's Filtersets and set them to keep themselves up to date automatically. They are extremely effective, and constantly, automatically updated.
Help for Rick's Filtersets is also available here in DSLR's »Mozilla Software Forum (Rick's "third home"), and at the developer's own Adblock EasyList/EasyElement Forum, in the unlikely event that you will need it.
With this set-up, thanks to the great work of the developers of Adblock Plus and Rick's Filtersets, most folks can surf with an amazingly high percentage reduction in undesired advertising content, at little to no additional effort on their part. Warning: Surfing on a non Adblock Plus protected computer will soon become painful to endure!
Note: Adblock Plus is being actively, responsibly developed, NOT Adblock. See Developer Wladimir Palant's brief and fairly accurate history.
For FireFox, to move closer to having the filtering power of Proxies like WebWasher and Proxomitron, consider the NoScript extension: "Extra protection for your FireFox: NoScript allows Java, Flash, and Plugin execution only for trusted domains of your choice (e.g. your home-banking web site). This whitelist based pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality..."
NOTE: NoScript users (configured for "Global Ban") have been protected from a series of vulnerabilities discovered in Firefox. To be exploited, a user would have had to first whitelist the evil site(s). These vulnerabilities have been promptly corrected, but NoScript should be installed, and properly used, in Firefox nonetheless.
--Remove It Permanently (R.I.P.)
While not adding much Privacy or Security, RIP complements Adblock Plus and NoScript, by allowing each user to "Permanently hide content from web pages using the Context Menu. Simply, click and "Remove it Permanently". Now includes previewing of items before removal, support for IFrame as well as lots of advanced features to make it easy for anyone to remove annoying content from web pages."
EMAIL and EMAIL PROGRAM ALTERNATIVES -Consider an alternative email program that may be less subject to abuse than Outlook/Outlook Express like EUDORA (free, ads, or paid).
Regardless of which email client you use, tighten up its settings (disable: preview, html, retrieval of remote images, scripting), and always remember to follow safe email practices (see CERT Coordination Center's Use Care When Reading Email with Attachments, How do viruses and worms spread in e-mail? and novaflare 's Security Forum FAQ http://www.dslreports.com/faq/10692 ).
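The settings above (no preview, no HTML rendering, no remote images, no scripting) each correspond to something that can be found in a raw message before it is ever opened. The Python script below is an added example, not part of this FAQ or of any of the email programs it mentions: it parses a raw message with the standard library's `email` package and reports whether it carries an HTML body, remote image references or script content, and whether any attachment has a file type that is executable or can hide its real nature (EXE, SCR, PIF, VBS, HTA, REG, SHS and similar). The sample message and the list of risky extensions are constructed for the example.

```python
"""Flag the risky features of a raw e-mail message before it is previewed or opened.

Added example with a constructed sample message; not code from the FAQ or from
any mail client. The extension list is an assumption for this demonstration.
"""
import email
import re
from email import policy

# Attachment types that execute, or that hide their true extension (assumption).
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
    ".vbs", ".js", ".hta", ".reg", ".shs", ".shb",
}

# A remote image: an <img> whose src points at a web server rather than an inline part.
REMOTE_IMAGE = re.compile(r"<img[^>]+src\s*=\s*[\"']?(https?://|//)", re.I)
# Script content: <script> tags, inline event handlers, or javascript: URLs.
ACTIVE_CONTENT = re.compile(r"<script\b|\bon\w+\s*=\s*[\"']|javascript:", re.I)


def assess_message(raw_bytes):
    """Return a dict describing what the message would do if rendered or opened."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {
        "html": False,
        "remote_images": False,
        "active_content": False,
        "risky_attachments": [],
    }
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no content of their own
        filename = part.get_filename()
        if filename:
            # Check the final extension, so "invoice.pdf.scr" is caught as .scr.
            if any(filename.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
                findings["risky_attachments"].append(filename)
            continue
        if part.get_content_type() == "text/html":
            findings["html"] = True
            body = part.get_content()
            if REMOTE_IMAGE.search(body):
                findings["remote_images"] = True
            if ACTIVE_CONTENT.search(body):
                findings["active_content"] = True
    # Plain text with no risky attachments is the case the FAQ's settings aim for.
    findings["safe_to_preview"] = not (findings["html"] or findings["risky_attachments"])
    return findings


# Constructed sample message (not a real e-mail): HTML body with a tracking image,
# a script tag, and an attachment whose real extension is hidden behind ".pdf".
SAMPLE_MESSAGE = b"""From: sender@example.com
To: you@example.com
Subject: Your invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please see the attached invoice.</p>
<img src="http://tracker.example.net/beacon.gif" width="1" height="1">
<script src="http://tracker.example.net/t.js"></script>
</body></html>
--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.scr"
Content-Disposition: attachment; filename="invoice.pdf.scr"
Content-Transfer-Encoding: base64

Q29uc3RydWN0ZWQ=
--XYZ--
"""

if __name__ == "__main__":
    for key, value in assess_message(SAMPLE_MESSAGE).items():
        print(f"{key:>18}: {value}")
```

Most mail clients can save a message to disk as a `.eml` file; reading that file in binary mode and passing the bytes to `assess_message()` gives the same report for a real message. The check is deliberately conservative: any HTML body at all clears `safe_to_preview`, because the FAQ's advice is to have the client show plain text only.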
AOL USERS ONLY Check out AOL Privacy & Security Preferences tutorial for steps to tighten-up that service.
CONSIDER THESE EXCELLENT FREE SOFTWARE FOR YOUR LAYERED SECURITY ARSENAL:
You will increase your security by using one, or more, or all of these programs. They work well together, and consideration should be given to them, depending on each user's circumstances. Add one at a time to allow you to learn each one's effects.
*Since there are significant costs involved in the continued development and provision of these programs, Donations are accepted by many of their authors to help defray their expenses. We all really need these folks to be able to continue this important work!*
Malicious Script Protection - Script Sentry
--- Script Sentry, Jason Levine's very tiny and effective program: "Script Sentry allows safe scripts to run on your system while alerting you if a script might harm your system. In addition, Script Sentry prevents against malicious scripts hidden in ShellScrap (hidden SHS and SHB extensions) files, Word/Excel macro viruses, malicious HTA files, and accidentally run REG files."
Malicious Registry Modification Protection - RegistryProt
--- RegistryProt is a "...compact, low-level real-time registry monitor and protector, that adds another dimension to Windows security and intrusion detection. By monitoring important locations and keys in the Windows system registry, RegistryProt will alert whenever a key is added or changed, and then give the option of accepting the key change, reverting back to the original key setting, or deleting the key."
Malicious Website Protection - Trust Setter
--- Trust Setter, also by Jason Levine: "Allows you to quickly and easily move sites from IE's Trusted and Restricted Zones." If you use IE for more than Windows Updates, consider adding this important feature.
Malicious Program Protection - Startup Control Panel
--- Startup Control Panel by Mike Lin: "Startup Control Panel is a nifty control panel applet that allows you to easily configure which programs run when your computer starts. It's simple to use and, like all my programs, is very small and won't burden your system."
Adware, Spyware and other Malware Detection, Prevention, and Removal - SpyBot S & D
--- SpyBot S & D: "can detect and remove spyware of different kinds from your computer. ... new toolbars in your Internet Explorer that you didn't intentionally install, if your browser crashes, or if you browser start page has changed without your knowing, you most probably have spyware. But even if you don't see anything, you may be infected, because more and more spyware is emerging that is silently tracking your surfing behavior to create a marketing profile of you that will be sold to advertisement companies." Other features include "Immunizing" against known nasties. Tutorials: BleepingComputers.com, and the Author's, to get started.
Adware, Spyware and other Malware Detection and Removal - MicroSoft Windows Defender
--- ms's Windows Defender "detects and removes known spyware from your computer, which helps make your Internet browsing safer." Please see ms's "Getting Started..." for instructions.
Adware, Spyware and other Malware Detection and Removal - AdAware
--- AdAware: "With its ability to comprehensively scan your memory, registry, hard, removable and optical drives for known datamining, aggressive advertising, and tracking components, Ad-aware will provide the user with the confidence to surf the Internet knowing that their privacy will remain intact." See Tutorial at BleepingComputer.com and DSL's own CalamityJane 's Adaware Tutorial Updates & Scanning for excellent guides.
-Spybot, ms Windows Defender (msWD), and AdAware are similar, but not identical. Often one will catch malware that the other does not yet detect. A good routine is to update and run each one, once a week. If you follow good practices, including tightening up IE, employ the "Immunization" of SpywareBlaster (below), and/or use an alternative Browser, you will find that soon SpyBot, msWD and AdAware will have very little, if anything, to clean from your machine when you do run them.
-Unfortunately AdAware's reliability as a standalone malware detection and removal tool has been undermined by a history of questionable definition listing/delisting, prior notice and user/customer communication practices by its Vendor, LavaSoft, making it even more important to not rely solely on any one malware scanner, especially AdAware.
-Before downloading, let alone installing, ANY anti-malware application, it is vital to ensure that it is confirmed as being a safe, effective, and reputable application (for one evaluation, please see Eric Howes' The Spyware Warrior Guide to Anti-Spyware Programs: Recommended Programs). There are literally hundreds of Rogue/Suspect applications that range from merely ineffective (leaving you exposed to already existing threats) to actually being malware threats themselves.
Adware, Spyware and other Malware Prevention (and more) - SpywareBlaster
--- SpywareBlaster: "SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed." This expands on SpyBot's Immunization feature, and works well in concert with Spybot and SpywareGuard. See BleepingComputer.com Tutorial.
Adware, Spyware and other Malware Prevention - Spyware Guard
--- SpywareGuard: "SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware!" See BleepingComputer.com Tutorial.
--- The DSL Thread: Maximum security WITHOUT any $$$, for even more good suggestions.
FURTHER RECOMMENDATIONS & INFORMATION ON SAFE-CYBER PRACTICES, SETTINGS, & MORE SOFTWARE:
--- DSL Thread: Maximum security with minimal $$$
--- The BBR Security FAQ.
--- Markus Jansson's site for a wealth of security information (including Securing XP).
Securing the Operating System itself should be a priority, as has already been mentioned.
--- Major GEEKS' partial reproduction of "Black Viper's" Operating System Guides for more detailed information on how to "Tighten Up" your Operating System.
In order to efficiently determine what can be left disabled without breaking something you want or need, be sure to:
1) Shut down only one or two Services at a time.
2) Immediately after each change, restart and test your system thoroughly for effects in the potentially impacted areas (including connectivity, application functionality, printing...).
3) Keep a log, noting the date and time of any changes, what you test, and the results.
--- Steve Gibson's Internet Connection Security for Windows Users, is a great tutorial. Don't miss out on the thrills of his "Network Bondage: Discipline Your Network Bindings in the Privacy of Your Own Home". Windows98 users, be sure to check out his "Network Discipline for Windows 9x".
-Consider an Anti-Trojan program. While some Anti-Virus applications are including some level of Trojan detection, many here add the protection of a dedicated AT. The two most popular choices here are: TrojanHunter and BOClean, but there are others.
»Microsoft Application Tips and Tweaks »What is the difference between MSN Messenger and Windows Messenger ?
The Messenger Service is a service in Windows NT 4.0, 2000 and XP that allows messages to be sent from a server to a workstation or from workstation to workstation over a network via the "net send" command. Unfortunately, spammers figured out how to send spams via the service, and a recent flaw was discovered in the service that would allow a hacker to take control of the computer.
If you are one of the many people who has received pop-up spam via the messenger service, or you think you might be receiving it, there is another helpful faq entry here that will explain how it works and tell you how to stop it from happening again: »Stopping Spam »Why am I getting spammed with pop-up windows and how do I stop it?
In a corporate environment, network administrators may use the messenger service to alert employees that a server is going down for maintenance, or they may set up a server to automatically send them a message when a virus is detected on a computer. Most home users have no need for the service, which is why so many sites suggest that it be disabled. In fact, Microsoft is going to disable the service by default in XP Service Pack 2, due out in summer of 2004.
Many news sites equate the two. They are not the same thing! Hackers cannot hack you because you use MSN or Windows Messenger, nor will disabling the Messenger Service prevent you from chatting.
Keeping your systems relatively safe from the perils of the online world is not as difficult as it is often made out to be. In fact, following just a few basic rules will keep you safe from 99% of what a home user faces. Here are a few simple steps that cost nothing to implement and can greatly improve the security of your home network.
E-mail is the easiest way into your network!
First and foremost, don't ever open mail that looks suspicious in any way. If you aren't expecting it and/or it looks strange in some way, just delete it. Also, avoid using the preview function of your chosen e-mail client; you don't want a malicious e-mail payload to launch just because you highlighted a message. If possible, switch to a non-Microsoft e-mail client such as Mozilla Thunderbird. You are much safer using a non-Microsoft e-mail client at this time, mostly because the majority of people writing viruses and other bad stuff are targeting Microsoft software specifically. Also, ask your ISP about spam and virus filtering options; get them to help you configure your e-mail client to do these things if possible.
A web browser can run malicious applications on your machine without you knowing -- if you don't have it configured correctly.
The easiest way to secure your online browsing experience in one easy step is to switch from Microsoft's Internet Explorer to Mozilla Firebird. Internet Explorer has a horrible security track record, and it often makes things too easy for attackers by letting special and potentially malicious content (activex, java, scripting, etc) run on your machine without you knowing -- unless you have configured it to do otherwise. Running Firebird lets you avoid the majority of these issues altogether and still offers a very nice browsing experience.
Be aware of updates.
Subscribe to the Microsoft Security e-mail list (link below) so that you know when there are Security updates available that you should install. When you see one is available, just run Windows Update, and it will be installed for you. It's also a good idea to set up the critical update checking that is available to you in Windows. Pay attention when you see the little globe in the bottom right hand corner of your screen, and when you see that it has updates available, try to install them as soon as possible.
Passwords are the keys to your online world.
Come up with a password scheme that is sufficiently complex, yet easy to remember. For low to medium security sites, I suggest the use of a common scheme that involves using the first letter from each of a six to ten word phrase, and then changing some of the letters to numbers. For example, "There is a lot of money in the lottery" becomes T1AL0M1TL (plus you can vary it with lower case as well). The phrase is easy to remember, but guessing that password is really difficult. For higher security sites, you can either make your passwords much more complex and change them more often, or you can use a free program called Password Safe. It's available here:
Be ready if something bad does get through.
Run an updated anti-virus solution at all times. AVG, by Grisoft, is an excellent solution. Panda and Norton are more feature-rich solutions that are available for purchase. The key thing, however, regardless of which product you go with, is to remember to keep it updated.
Don't let people into your "house."
Block all inbound access to your network. If you have a dedicated NAT device to do this (or a firewall if you have money to buy it and the skill to set it up), that is fine, but if you don't, you can achieve excellent protection with a free software firewall like Zone Alarm Free Edition.
Watch for tricky software.
If you have multiple users, and/or are unsure of where all your computer has been online, run Ad-aware on a semi-regular basis (depending on how much it's used online) to ensure that your computer is not being littered with Spyware (small applications designed by companies to gather information about you for marketing purposes). A free version is available here:
Consider the source.
Do your best to stay on reputable sites when browsing the Internet, and be cautious of who you deal with. The odds of you receiving something nasty go up exponentially when dealing with obscure presences on the Internet.
Common sense is king.
This is perhaps the most important rule. Allow for a healthy dose of skepticism when conducting yourself online. If something sounds too good to be true, it probably is. If you ever doubt something, do not participate immediately. Consult with an Internet savvy friend or relative, or come to a forum like this one and ask someone what you should do.
Tips and Links
*Do not reply to or attempt to unsubscribe from spam. They use your responses to create lists of e-mail addresses to sell. If you want to do something about it, forward the spam to email@example.com and/or email your congressperson about it.
*Be cautious of who uses your computer systems at home and what they do when they are on them. Not only are you responsible for what is done on those systems, but you never know what they could be downloading and installing on your system that could hurt it. Consider implementing precautions such as password-based access control to reduce the risk from outside users, such as your kids' friends, etc.
*Make backups of anything you can't live without. Storage media is too cheap these days to lose valuable data to a power surge or theft. Things like images and letters often can't be replaced.
*Try to use plain text e-mail as much as possible. Set your outgoing e-mail to be plain text, and consider requesting that those who send you e-mail use plain text as well. HTML e-mail is a haven for malicious content and should generally be avoided. Pictures and attachments work just fine within plain text mail.
*Remember that you can have multiple web browsers on your system, and that you can use one for one thing and another for something else. Some banking sites, for example, are still built for Internet Explorer. Use it for those sites and then go back to Firebird for your regular browsing.
It's not impossible to defend yourself from online dangers. Follow the steps above on your own, come ask questions when you need help, and together we can make your life online a whole lot more secure.
Although this seems like a long list of instructions, if you print them off and go through them one at a time, they are not complicated. Some steps won't apply to a household situation; some won't apply to a mid-sized or larger office environment.
If you have unusual security requirements, a large network, or if you want more background information, please consult the linked articles.
If you are a high-value target or business that depends on its computers, we recommend periodic audits by an IT security professional to ensure that all vulnerabilities are protected against.
This article provides background explanations of most of the steps in this FAQ. »www.extremetech.com/article2/0,3···5,00.asp
You should upgrade your operating systems and firmware to use Wi-Fi Protected Access (WPA) or the newer Wi-Fi Protected Access 2(WPA2).
Wired Equivalent Privacy (WEP) no longer provides adequate security. Cracking tools have been distributed that exploit a serious flaw in WEP: After enough data has been monitored, the encryption key can be determined using available cracking software. In a busy office network, or if large files are being transmitted, the WEP key can often be determined in a few minutes. If one device cannot be updated to support WPA, you will have to replace it.
If you must use WEP, please consult this link: »www.arstechnica.com/paedia/w/wir···y-1.html
It contains additional detailed steps on how to add as much security as possible to WEP.
The following steps work incrementally to make it more difficult and time consuming for a hacker to enter your wireless network. You should implement as many steps as you can. Some of the steps below can be bypassed by script kiddies in minutes, but they still reduce the public visibility of your network in off-hours. Others would take a professional hacker months to bypass electronically, but could be quickly breached by social engineering or disabled by misconfiguration. The objective is to have multiple layers of protection.
Where a hard-to-guess password, key or identifier is suggested:
- Use a long hard-to-guess sequence that includes both letters and numbers
- Two words separated by 2 digits, or the first letters of words in a phrase with some digits added, are good sources of something hard-to-guess
- Don't use anything involving your company's name, children's names, birth dates or words in dictionaries of any language
Make sure that records of passwords, keys and identifiers are backed up and securely locked away.
Do not transmit keys and configuration passwords over any wireless connection (including WLANs and cordless phones).
Do not give keys or passwords by telephone to any caller whose voice you do not easily recognize (telephone caller ID info can be faked). Instead, offer to telephone them back and verify their number against your corporate directory before you do.
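As an added illustration of the "hard-to-guess" rules above (this is example code written for this page, not part of the original FAQ), the following Python generates a key in the FAQ's "words separated by digits" style from a random source, and checks a candidate key against the rules: no company or family names, no birth years, not a single dictionary word, and a mix of letters and digits. It also applies the WPA-PSK requirement that a passphrase be 8 to 63 printable ASCII characters. The word list and the forbidden terms are constructed samples; in practice use a word list of several thousand entries, and note that more words (the entropy_bits function shows why) give a stronger key than the two the FAQ suggests.

```python
import math
import re
import secrets
import string

# Constructed sample word list; a real one should be thousands of words long.
WORDS = ["granite", "harbor", "lantern", "meadow", "orbit", "pepper",
         "quartz", "saddle", "thistle", "velvet", "walnut", "zephyr"]


def generate_key(words=WORDS, n_words=2, n_digits=2):
    """The FAQ's recipe (two words separated by 2 digits), with the words and
    digits drawn from the OS random source instead of chosen by a person."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    digits = "".join(secrets.choice(string.digits) for _ in range(n_digits))
    return digits.join(chosen)


def entropy_bits(word_list_size, n_words, n_digits):
    """How many equally likely keys the recipe can produce, as bits."""
    return math.log2(word_list_size ** n_words * 10 ** n_digits)


def check_key(key, forbidden_terms=(), dictionary=WORDS):
    """Return a list of problems with a candidate key (empty list = acceptable).
    forbidden_terms is the caller's list of company, family and pet names."""
    problems = []
    # WPA-PSK passphrase rule: 8-63 printable ASCII characters.
    if not 8 <= len(key) <= 63 or not all(32 <= ord(c) <= 126 for c in key):
        problems.append("WPA-PSK passphrases must be 8-63 printable ASCII characters")
    lowered = key.lower()
    for term in forbidden_terms:
        if term.lower() in lowered:
            problems.append("contains forbidden term %r" % term)
    if re.search(r"(19|20)\d{2}", key):
        problems.append("contains a four-digit year (birth dates are guessable)")
    if lowered in dictionary:
        problems.append("is a single dictionary word")
    if not (re.search(r"[a-z]", lowered) and re.search(r"\d", key)):
        problems.append("should mix letters and digits")
    return problems


if __name__ == "__main__":
    forbidden = ["Acme", "Emily", "Rover"]          # constructed family/company names
    key = generate_key()
    print("generated:", key, "->", check_key(key, forbidden) or "ok")
    print("bits of entropy for 2 words from 12:", round(entropy_bits(len(WORDS), 2, 2), 1))
    for bad in ["password", "Acme42widgets", "emily1998", "granite"]:
        print(bad, "->", check_key(bad, forbidden))
```

The check is deliberately a blacklist on top of a length rule, which is what the FAQ's guidance amounts to; the generator is the part to rely on, because a key nobody chose cannot embed a name or date.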
1. Use a wired connection to change the security settings on your Access Point (AP or "wireless router").
2. If you can, use WPA2. Otherwise, use WPA. WEP is no longer adequate.
2.1 With Windows XP, you can get WPA2 and "WPS IE" support by following the link here: »support.microsoft.com/?id=893357 (update Q893357).
WPA support for Windows XP (Q826942) is available through Windows Update.
For machines running earlier versions of Windows, you'll need to obtain WPA client software. Sometimes this comes with the Access Point (AP or wireless router), sometimes with the Network Interface Card (NIC) or wireless adapter.
2.2 Update the firmware on your AP and drivers for wireless adapter cards to versions that support WPA2 or WPA.
2.3 In the router configuration, activate WPA2 or WPA. Use WPA2-PSK or WPA-PSK (Pre-shared key) and Advanced Encryption Standard (AES). Use Temporal Key Integrity Protocol (TKIP) if AES doesn't work with some devices.
2.4 Use a hard-to-guess key.
3. Change the default Service Set Identifier (SSID or network name) in your AP. Use a hard-to-guess SSID.
Attackers can still detect your SSID when your network is active, but you can make it hard for them to work out whose network they are seeing.
4. Turn off SSID beaconing if your AP supports this.
Turning off SSID beaconing isn't great protection, because although the SSID isn't being beaconed, it is still being broadcast as part of regular traffic. However, turning beaconing off will help prevent accidental connections by neighbors, and it may reduce the visibility of your network when it is not in active use.
Some devices may not connect with SSID beaconing turned off. If you have such devices, turn SSID beaconing back on and try increasing the SSID broadcast interval instead.
5. Change the administrator password on your AP. Use a hard-to-guess password.
6. Turn on the highest level of encryption your hardware supports.
7. The AP should be configured to drop any unencrypted network traffic so that unauthorized wireless stations or rogue access points cannot "associate with" (connect to) the AP since they do not know the pre-shared key.
8. Use Media Access Control address (MAC address) filtering on your AP, if you can. Specify which MAC addresses are allowed to access your AP. /faq/9763
9. If your router supports SNMP and you don't use it, disable it.
Otherwise, choose a hard-to-guess community name.
There may be separate SNMP read-only and update passwords. Both should be changed to hard-to-guess passwords.
10. In a large building, locate the routers centrally, away from the outside walls, to limit how much the signal radiates outside. In a smaller building, you could try locating the router in the basement. Directional antennas that focus the signal to one side are available. Reducing the range the signal travels only makes detection harder; it doesn't make it impossible. There are antennas available that can detect ordinary wireless signals at distances of several kilometers.
11. Make sure the APs are physically secure and that they can't be tampered with by disgruntled employees or visitors.
12. If an employee leaves the company, retrieve their wireless adapter card. Otherwise, you will have to change all the keys.
13. If you can, use static IP addresses on the computers and disable DHCP on the router.
Limit the number of IP addresses your router recognizes to the ones in use, if you can.
Consider starting the IP addresses at a non-standard point, such as 192.168.3.113, instead of 192.168.1.1 or 192.168.254.0.
14. Where it is not required, users should not be allowed to set up their wireless stations in "ad-hoc mode." This means they won't be able to communicate with each other or a rogue computer without going through the access point. Removing the configuration setup software will help prevent users re-enabling ad-hoc mode.
15. Power down the wireless stations when they are not being used for long periods of time (after office hours).
16. As with wired stations, wireless stations (workstations, desktops and laptops) should not have simultaneous direct connection to any untrusted network, such as a direct dial-up connection to the Internet, while they are on the WLAN.
17. In a company, consider isolating your WLAN from the rest of the company with a firewall, and then have the computers on the wireless network use Virtual Private Networking (VPN) to access your main network.
There are different implementations of VPNs from different vendors that may be incompatible with each other. Check the capabilities and requirements of hardware and software vendors to be sure all of the VPN clients are compatible.
With wireless connected computers, you want a VPN client on the computer itself tunneling through the wireless network and firewall to your wired internal network.
Properly configured, a VPN creates an encrypted and authenticated tunnel between 2 devices (computers or routers) on a network, but the computers at either end of the tunnel can still be reached by other machines without going through the VPN. This means an outsider could try to break into one of your computers, access its VPN client and pass through the tunnel into your main network -- which is why layers of security are needed.
18. Computers on a WLAN should be provided with software firewalls. File and Printer Sharing should be removed, or all disk, folder and printer shares should have hard-to-guess passwords. (More on securing laptops and roaming computers here.)
19. Restrict physical access to the routers/access points (APs) to prevent tampering and to prevent disclosure of keys and passwords.
20. WLANs are readily susceptible to intentional and unintentional Denial of Service (DOS) attacks. For example, nearby heavy construction equipment or large electric motors can disrupt wireless signals.
Therefore, for essential services, wired facilities should be provided as backup to wireless connections.
21. Consider implementing Internet Protocol Security (IPSEC) on all of the computers in the organization/family. IPSEC supports network-level peer computer authentication, data origin authentication, data integrity, data encryption and replay protection.
There is more on IPSEC for Windows computers here.
* Continue to practice general security procedures, including: keeping the anti-virus, operating system and applications up-to-date with security and critical fixes; running software firewalls; having on-site and off-site backups; and periodically checking firewall logs for evidence of intrusion attempts.
When installing Windows XP or XP SP1 on a computer equipped for wireless access, remove or shield the network card on the computer until you have had the opportunity to complete the initial install and activate the internet connection firewall (ICF). Do not turn ICF off until you have applied all the critical fixes and service packs for Windows and replaced ICF with another firewall. (Windows XP SP2 has Windows XP Firewall, so it is free of the ICF issue.)
Run Windows Update immediately after you connect to the internet the first time. Install all Critical Fixes and Service Packs (Express Install). If you don't have time to install all the Critical Fixes and Service Packs, physically disconnect from the Internet (by removing or shielding the wireless access card) until you do.
The advice contained in this FAQ is general. If you are a company that depends on its computers, we strongly recommend using the services of a security consultant to ensure that no gaps are left in your security protection.
Webopedia encyclopedia of computer terminology
How-to Windows XP VPN Server Configuration
How-to Windows XP VPN Client Configuration
BBR Wireless Security Forum: /forum/wsecurity
Other BBR Wireless Security FAQs: /faq/wifisecurity
BBR Wireless Forum: /forum/wlan
BBR VPN Forum: /forum/vpn
BBR Security Forum: /forum/security,1
BBR Security FAQs: /faq/security
BBR Hardware Support Forum Index: /forums/18
- Clarified caution on entering passwords and on ICF steps.
- Fixed broken links to MS VPN support pages.
- Added WPA2.
- Strengthened the recommendation to now avoid WEP.
- Added point 21 on IPSEC. Thank you Daniel and Zipp.
- Added references to the BBR Wireless Security Forum & FAQs.
- Added additional caution on giving out passwords by telephone, since caller ID info can be faked.
Feedback received on this FAQ entry:
www.google.com/) is the grandmaster of all search tools. While doing pretty much anything in Google will get you decent results, there are a few things you can do to make your experience even better.
Word order matters. Put the most pertinent search terms first.
Repetition matters. Entering a particular search term multiple times will, at the very least, change the order of your results. In general, the term with multiple instances (and therefore more weight) will be more prevalent in the search results.
Case does not matter. Don't spend extra effort on capitalizing -- it's ignored by Google completely.
Use quotes when looking for exact phrases; otherwise, use multiple separate words.
"opportunities multiply as they are seized"
The Google Toolbar (»toolbar.google.com/) is an invaluable tool that grants you Google's powers without having to go to the site each time you need to find something. Also, when Google toolbar is installed, highlight any text on a webpage (double-click it if it's a single word) and right click it. Select "Google Search," and Google will search for that text and return you the results.
Using the advanced features of the toolbar requires that you send information about the pages you are viewing to Google. Be sure to disable the advanced features if this is an issue for you.
Do not include words like "a," "to" and "the" in your queries; they are omitted by Google because of how common they are, and they don't help your search in any way. If you really want to use one, add a '+' (plus) to it, and it will force Google to include it in the query. Also, when using quotes to search for phrases, these words are not omitted; the entire phrase you entered within the quotes is searched for.
By default, Google uses the Boolean AND operator when performing searches when given multiple arguments. In other words, if you enter two words into Google and hit enter, it will search for pages that have both of the words in them, not one or the other.
You can use 'OR' to search instead of the default 'AND' by putting an 'OR' between search terms.
You can also use '|' (the pipe character) as OR.
house OR car
cat | dog
When you perform a query and get your results back, the blue bar located under the search tabs will say, "Searched _ pages for your_terms." If your_term was a word with a definition at dictionary.com, the word your_term will be a link to the definition of the word at dictionary.com.
You can group search terms using both the default 'AND' and the 'OR' operations together.
cats (pets OR wild)
plants green (ocean | land)
It is possible to remove results that contain certain words by using the '-' (minus) sign. This allows you to filter out results that you know don't pertain to what you are looking for.
ford mustang -horse
You can use an '*' (asterisk) as a full-word wildcard in a phrase lookup. This is helpful when you want to fill in gaps in a search phrase with any full word.
"rule of *"
Can use 'intitle:' to find things that exist only in the title of web pages.
Can use 'inurl:' to find things that exist only in the url of a web page.
Can use 'intext:' to find things that exist only in the body of a web page.
Can use 'inanchor:' to find things that exist only in the anchor of a web page. An anchor is the text associated with a link that helps to identify it.
inanchor:daycare OR babysitter
Can use 'site:' to isolate a search to just a certain website or domain. This, by the way, is a far better way to search the Microsoft site than using their built-in search feature.
site:microsoft.com "securing windows 98" (good luck)
Can use 'link:' to find all pages that link to a given site:
Can use 'cache:' to find the cached version of a certain site. A cache is a snapshot copy of the site that is helpful if the site is offline or changed from when you saw it last.
Can use 'filetype:' to find various file types that exist on the Internet. This is very powerful when combined with other search options.
filetype:ppt "nursing education"
Can use 'related:' to find pages that are related in type/classification to the input given. For example, 'related:www.slashdot.org' will yield hits like www.userfriendly.org because they are both "geek-oriented."
Can use 'info:' to get all Google-related information (cache, stocks, links, related, etc.) about a given site.
Can use 'phonebook:' to find phone number and address information about people and businesses. This very powerful feature will find phone numbers when given a name and state abbreviation. To get more specific, just add the city to the query as well. There are three different phonebook related searches available - phonebook, rphonebook and bphonebook. The first searches the whole phonebook directory, the second only residential entries and the third only businesses.
bphonebook:round table, fremont
Can use 'stocks:' to check stock and other company information for a given company.
Images - The largest image archive online. Allows you to search several hundred million images using the power and speed of Google.
News Headlines - Gathers news from over 4,000 sources and organizes it into categories for you.
News Groups - Allows you to search the entire Usenet archive reaching back over 20 years. You can also post to the various newsgroups using the Google interface.
Directory Search - Lets you search a more "Yahoo-oriented" type of system that is organized into categories.
Product Catalogs - This feature scans over 5,000 catalogs regularly and allows you to peruse them as if they were in front of you.
US Government - Narrows your search terms to US Government-related sites and resources.
GNU/Linux - Lets you search only Linux-related materials.
Microsoft - Lets you search only Microsoft-related materials. An excellent way to search the Microsoft site since their own search features are limited at best.
BSD Unix - Lets you search only BSD-related materials.
Apple Macintosh - Lets you search only Mac-related materials.
Much of this content has been gathered from other sources, namely »www.google.com/help/features.html. Always check the Google site for the most up to date information pertaining to features.
What would be the cost of data (accounts, documents, family photos) on your computers being unavailable for one or two days or one or two weeks -- or if the data were gone forever? What would be the cost of re-inputting the company's data and reentering its documents? What would be the impact of losing the only copy of family baby pictures?
What you should back up and what you need to back up depends on your individual needs, your business needs, how hard it would be to recreate and reenter the data and possibly other factors like customer service and legal concerns.
Backups are essential in case the hard drive in your computer malfunctions, your computer is stolen, the desk your computer sits on is overturned, a virus clears your computer's hard drive or the building your computer is in is destroyed by fire, flood, tornado or earthquake.
A backup from one computer to another in the same building, or to an external hard drive, will protect data against a disk drive malfunction or accidental file deletion, and it will do it in a way where the data can be very quickly searched and restored. However, such backups don't protect data from being destroyed if a virus gets in the network, or if there is a large voltage surge, the building burns down or there is a flood or earthquake.
Off-site backups protect data from a single disaster by storing the off-site backups in a building sufficiently separated from the computer and the on-site backups that it is not susceptible to damage by the same disaster.
1. You don't necessarily have to back up your entire computer, but you should back up critical, hard-to-replace data.
This might include:
- Address books
- Calendars and schedules
- Project work and project data
- Freeware installation programs that are no longer available
- Web browser favorites
- Digital photos
- Saved games
- Data on diskettes, CDs and DVDs (you may want off-site backup copies)
2. As well as backups of data from your system, you should have backup copies of the disks and CDs you need to re-install your system on a new computer. Don't forget copies of irreplaceable printed material, like special instructions and notes.
Write the license or registration numbers of your software in on-site and off-site notebooks, or use a fine soft-tip pen to write them on the product and backup CDs.
Belarc Advisor (free download here) will create an HTML file with an inventory of the programs on your system and their registration numbers. This file can be copied with the backups and also printed off.
3. At least one copy of your backups should be stored on-site and at least one copy of your backups should be stored off-site at all times.
The on-site copies facilitate rapid restoration in the event of accidental deletions.
The off-site copies facilitate recovery from disasters.
The off-site copies should be stored where they won't be subject to the same fire or flood damage as the on-site copy.
As a minimum for a home, you might use a son-father-grandfather system. Using this you always have at least one copy of the backup on-site, one copy off-site and the third copy is in transit or at either location.
Depending on individual circumstances, quite a few generations of backups may be necessary to meet business and legal needs.
4. Depending on needs, one might do daily incremental backups and weekly full backups.
A full backup is a backup of everything. An incremental backup is a backup of only those things that are new or have changed since the last backup.
5. The duration that you keep (retain) long-term backups may be dictated by legal or accounting guidelines. If you are a business or institution, it is best to check with both your accountant and your lawyer.
A common practice for mid-sized and large companies is to do daily backups that are retained for 1-2 weeks, weekly backups that are retained for a month, and monthly backups that are retained for 16 months (longer than a year in case year-end balancing problems turn up late).
Frequent short-term backups primarily protect against accidental corruption and deletion.
Long-term backups serve 2 purposes:
(a) in case seldom used files become corrupted and that corruption is not noticed for a long period of time,
(b) in case of legal or accounting difficulty, as an archive of short-lived files to later document discussions, transactions or work.
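As an added worked example of the retention schedule in point 5 (example code written for this page, not from the FAQ), the following Python classifies each backup by the day it was taken and decides whether it is still inside its retention window: dailies for 14 days, weeklies for a month (31 days here), monthlies for 16 months. The convention that the 1st of the month is the monthly copy and Sunday is the weekly copy is an assumption of the example; the sample series of one backup per day is constructed.

```python
from datetime import date, timedelta

# Retention windows from the FAQ's sample policy (days for the short tiers, months for the long one).
RETENTION_DAYS = {"daily": 14, "weekly": 31}
MONTHLY_MONTHS = 16


def tier(d):
    """Assumed convention: 1st of the month is the monthly copy, Sunday the weekly copy,
    every other day a daily.  The highest tier wins when a day qualifies for two."""
    if d.day == 1:
        return "monthly"
    if d.weekday() == 6:
        return "weekly"
    return "daily"


def months_between(older, newer):
    return (newer.year - older.year) * 12 + (newer.month - older.month)


def should_keep(backup_date, today):
    """Return (keep, tier) for one backup under the policy."""
    t = tier(backup_date)
    if t == "monthly":
        return months_between(backup_date, today) <= MONTHLY_MONTHS, t
    return (today - backup_date).days <= RETENTION_DAYS[t], t


def prune(backup_dates, today):
    """Split backup dates into those to keep and those whose media may be recycled."""
    keep, recycle = [], []
    for d in backup_dates:
        (keep if should_keep(d, today)[0] else recycle).append(d)
    return keep, recycle


def daily_series(first, last):
    """Constructed sample: one backup per day, inclusive of both ends."""
    return [first + timedelta(days=i) for i in range((last - first).days + 1)]


def summary(today=date(2004, 2, 23)):
    """Kept copies per tier, and the number recycled, for a series that began 2002-09-01."""
    keep, recycle = prune(daily_series(date(2002, 9, 1), today), today)
    counts = {"daily": 0, "weekly": 0, "monthly": 0}
    for d in keep:
        counts[tier(d)] += 1
    return counts, len(recycle)


if __name__ == "__main__":
    counts, recycled = summary()
    print("kept per tier:", counts, "recycled:", recycled)
    for d in [date(2004, 2, 20), date(2004, 2, 5), date(2004, 1, 25), date(2003, 1, 1), date(2002, 9, 1)]:
        print(d, should_keep(d, date(2004, 2, 23)))
```

Run against a year and a half of daily backups, the policy keeps 34 copies (13 dailies, 4 weeklies, 17 monthlies), which is what the FAQ means by "quite a few generations": the media budget is set by the long tier, not by the daily one.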
6. Backups can be kept on diskette, CD, DVD, tape, a second computer, external hard drive or off-site file server.
For tape backups to last longer than 12 months, the tapes have to be kept at a steady temperature and re-tensioned (run to the end and rewound) at intervals no greater than every 12 months.
A backup on an off-site fileserver should never be the only backup. There should also be an on-site backup.
A backup on another on-site computer or external hard drive should never be the only backup. There should also be an off-site backup.
Over the long term, magnetic media can be affected by the electro-magnetic fields of monitors, power supplies, speakers (shielded or not), cell phones, microwave ovens, telephones, TV, etc.
CDs, DVDs and magnetic media can be affected by being too close to heat sources, uneven temperatures, direct sunlight or extreme humidity.
Retaining data for periods longer than 16 months is beyond the scope of this document. Consult the manufacturer of the storage media you plan to use.
7. Backups of sensitive information should be secure. Backups can be encrypted, but backups should still be protected against theft and damage.
Backups for a small business might be stored in the owner's home, a relative's home, your accountant's office or a bank.
Backups for a home might be kept in the home owner's bottom drawer at work.
8. Backups can be made by these methods:
8.1 By inserting a CD or diskette into a drive, and using Windows Explorer to drag and drop files onto it
8.2 Using Start / All Programs / Accessories / System Tools / Backup
8.3 Using a .bat file such as the one below, which keeps the previous copy as "foldername backup 2" and then makes a fresh full copy:
rem Rotate: discard the older "backup 2", then demote the last copy to "backup 2"
rmdir /Q /S "x:\computername\foldername backup 2"
ren "x:\computername\foldername" "foldername backup 2"
echo Backup now starting
rem /e copies all subfolders (including empty ones), /h includes hidden and system files,
rem /i treats the destination as a folder so xcopy does not prompt when run unattended
xcopy /e /h /i "\\network machine\share\foldername" "x:\computername\foldername"
8.4 A utility such as Norton Ghost, Acronis True Image, or Symantec LiveState Recovery
The advantage to these utilities is that you can generally back up and restore an entire hard drive without having to individually re-install any programs. They can save you considerable time in getting back up and running after an emergency.
For Mac OS, Carbon Copy Cloner
For *ix, rsync-backup
Backup software comes included with many external hard drives. But keep in mind, if the building the computer and external hard drive are in is destroyed by fire, both the original copy of the data on the computer and the backup copy on the external hard drive will be destroyed at the same time. The loss of both the original copy and backup can also happen if a hard drive-destroying virus strikes while the external hard drive is connected or if there is a lightning strike or severe power surge.
9. Periodically test that your backups are working. Make sure the backups can be restored to the type of computer you plan to use for recovery in an emergency.
With file-by-file backups of documents in a folder, a mail database and address books, this just means checking that all the files are there and that the disks haven't worn out and are still readable.
However, if you are doing full volume (disk image) type backups, as a business would probably want to do in order to be able to do a speedy restore, these backups can quietly become unusable due to major operating system or major hardware upgrades.
- If you are saving an old computer for emergency use (for restoring the backups to), ensure that the old computer is kept sufficiently upgraded with compatible hardware.
- The only way to ensure this compatibility is to test that the backups will still restore to the intended computer initially and after each hardware upgrade.
- Test by restoring your backup to a computer that has a wiped or formatted hard drive. Do not restore your data to your original computer. Restore your data to a test computer of the type that you would actually use in the event of a disaster.
- Then make sure that all the programs still work and can still update the address books, files and so on.
- If you are a small company using a consultant, watch the backup and restoration process to see that it works -- and that it works in a timely manner that meets your business needs.
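The file-by-file check in point 9 ("all the files are there and still readable") can be made mechanical by recording a checksum of every file at backup time and comparing a test restore against that record. The following is an added example for this page (not FAQ code and not any backup product's format, though the manifest lines follow the familiar "hash  path" layout): build_manifest() hashes a tree with SHA-256, and verify_restore() reports files that are missing, changed, or unexpected in the restored copy. The demo() function builds a small constructed tree in a temporary directory, "restores" it, then damages it so that every failure class is exercised.

```python
import hashlib
import os
import shutil
import tempfile


def file_sha256(path):
    """SHA-256 of a file, read in chunks so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_sha256(full)
    return manifest


def write_manifest(manifest, path):
    """One 'hash  path' line per file; keep a copy of this file with the backup media."""
    with open(path, "w", encoding="utf-8") as f:
        for rel in sorted(manifest):
            f.write("%s  %s\n" % (manifest[rel], rel))


def read_manifest(path):
    manifest = {}
    with open(path, encoding="utf-8") as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify_restore(manifest, root):
    """Compare a restored tree against the manifest taken at backup time."""
    actual = build_manifest(root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    changed = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    return {"missing": missing, "changed": changed, "extra": extra,
            "ok": not (missing or changed)}


def demo():
    """Constructed scenario: back up a tree, restore it, then damage the restore."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "source")
        restore = os.path.join(work, "restore")
        sample = {                                  # constructed sample data, not real files
            "docs/budget.xls": b"constructed spreadsheet bytes",
            "photos/baby1.jpg": b"\xff\xd8 constructed jpeg bytes",
            "addressbook.csv": b"name,phone\nAlice,555-0100\n",
        }
        for rel, data in sample.items():
            full = os.path.join(src, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        manifest_path = os.path.join(work, "backup.sha256")
        write_manifest(build_manifest(src), manifest_path)

        shutil.copytree(src, restore)               # the "restore" of the backup
        clean = verify_restore(read_manifest(manifest_path), restore)

        # Now simulate what a worn disk and a sloppy restore look like.
        with open(os.path.join(restore, "docs", "budget.xls"), "ab") as f:
            f.write(b"\x00")                        # silent corruption
        os.remove(os.path.join(restore, "photos", "baby1.jpg"))   # file never restored
        open(os.path.join(restore, "Thumbs.db"), "wb").close()    # junk not in the backup
        damaged = verify_restore(read_manifest(manifest_path), restore)
        return {"clean": clean, "damaged": damaged}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    result = demo()
    print("clean restore ok:", result["clean"]["ok"])
    print("damaged restore:", result["damaged"])
```

An "extra" file is reported but does not fail the check, since a restore target often carries housekeeping files; missing or changed files do fail it, and that is the result to look at before trusting a backup set.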
10. RAID (Redundant Array of Independent Disks) may or may not enhance data security, depending on which type of RAID it is. Some types of RAID merely provide faster data access.
Those types of RAID that provide some enhanced data security only provide protection against the electrical or mechanical failure of a single disk drive. They don't protect against the failure of 2 or more disks, loss due to viruses, accidental deletion, large electrical surges, vandalism, theft or fire. RAID also doesn't guarantee protection against corruption due to RAID controller failure.
Click here for more information on RAID.
*** If you are a company that depends on computers for its continued operation, you should seek the assistance of an IT professional in evaluating your needs and seeing that they are met.
* Off-site backups: A critical tool for disaster recovery
* The Seven Golden Rules Of Data Backups
* The Tao of Backup
* Windows Backup for Windows XP and Windows 2000: here for your data, and here or here for your registry
* Installing Backup on Windows XP home edition
* Earlier versions of Windows Backup here or here
* Easy Backups With WinZip and Freeware
* Fred Langa: Fast, Easy Backups For Win98 / ME / NT / 2K / XP
* BBR Microsoft Application Tips and Tweaks
* BBR Windows XP FAQ
* NIST Care and Handling of CDs and DVDs
* Digital preservation: a time bomb for Digital Libraries
* Webopedia: Dictionary & Encyclopedia of Computer Terminology
* Click here to read the posts from those who helped me develop this FAQ
Once you decide how many days a month and which days you can do this, you'll be scheduled, and your name will be placed on the Hosting Calendar Schedule. If the days you want are taken, let us know because other hosts may be more flexible on dates.
Simple. The updates hosts start the daily thread according to their schedule, no sooner than 12:00 AM and no later than 9:00 AM Eastern Time. After they post the thread, they are required to check the thread about 3-4 times (or more if they want) for the next 12 hours to edit and update the list based on the new posts.
It takes approximately 5-10 minutes to start the thread and the updates take approximately a minute.
Knowledge of HTML coding is not required. If you can post and edit your post, you already know how to do this. You will also be invited to a members only forum which is mainly set up for the purpose of training and helping volunteers until they are ready.
If you would like to volunteer, PM any of the updates hosts listed at the bottom of the updates threads, and they'll get you started.
Example...this was today's first post to start the thread for 23 Feb 2004.
• Microsoft Security Bulletins last update: 10 Feb 2004
• AntiVir/AVPE - last update: 22 Feb 2004
• Avast - last update: 20 Feb 2004
• AVG 6 Free - last update: 20 Feb 2004 /AVG 6 Pro: 20 Feb 2004 /AVG 7: 20 Feb 2004
• Bit Defender (Web site) / FTP Site (daily.zip) - last update: 23 Feb 2004
• Dr. Web - last update: 22 Feb 2004
• eTrust EZ - Newly Detected list last update: 23 Feb 2004
• F-Prot (Web site) / FTP Site (fp-def.zip) - last update: 18 Feb 2004
• F-Secure - last update: 23 Feb 2004
• KAV - last update: 23 Feb 2004
• McAfee Weekly - last update: 18 Feb 2004 - Daily files: 23 Feb 2004
• NAV LU - last update: 18 Feb 2004 - IU / FTP (2003MMDD-00X-i32.exe): 20 Feb 2004
• Nod-32 - last update: 20 Feb 2004
• Norman Virus Control - last update: 18 Feb 2004
• Panda - last update: 23 Feb 2004
• RAV - last update: 23 Feb 2004
• Sophos - Release Dates - last update: 20 Feb 2004
• TrendMicro (PC-cillin) - last update: 22 Feb 2004 (#775) / Beta: 23 Feb 2004 (#776)
• a Free - last update: 13 Feb 2004 / a Personal - last update: 13 Feb 2004
• BOClean - last update: 23 Feb 2004
• PestPatrol - Version Info - last update: 15 Feb 2004
• Tauscan - last update: 20 Feb 2004
• TDS-3 - last update: 23 Feb 2004
• The Cleaner - last update: 22 Feb 2004
• TrojanHunter - last update: 20 Feb 2004
• Trojan Remover - last update: 22 Feb 2004
• AdAware - last update: 18 Feb 2004
• AGNIS - AGNIS for Outpost - AGNIS for AdShield - last update: 23 Feb 2004
• Hpguru's Hosts File - last update: 13 Feb 2004
• IE/SPYAD - last update: 23 Feb 2004
• MRUBlaster - last update: 19 Jul 2003
• MVPS HOSTS File - last update: 18 Feb 2004
• Spy Sweeper - last update: 15 Feb 2004
• Spybot S&D - last update: 02 Feb 2004 / last Beta update: 02 Feb 2004
• Spycop - last update: 21 Feb 2004
• SpywareBlaster - last update: 20 Feb 2004
• Spyware Block List File - last update: 06 Feb 2004
• SpywareGuard - last update: 22 Jan 2004
Green = Updated today or yesterday.
Grey = Updated in the past 2 - 7 days.
Red = No updates for more than a week.
Important Note: If you found this list through a search engine, do not bookmark it. The list is updated on a daily basis, and the link location changes daily. To see an up-to-date list, please visit »Security
Current posting rules: All application updates can be freely posted in the forum as usual and do not belong in this thread. Questions about individual definition updates, discussion of components of a definition file in detail, etc., can still be freely posted outside this thread and in the forum as usual, so long as they are not simple announcements. This thread is meant as a one-stop location for announcements of definition file updates and is not intended to limit discussions in the forum.
Submissions: If you wish to announce an update to one of the definition files covered in the above list, post a notice to this thread, and the master list will be edited accordingly. If you want your application to be added to this list, please post your suggestion in this thread along with the appropriate links to the software, its definition files and a brief explanation for our consideration.
•Go to the first post that started the previous day's thread on the sticky in the forum. Hit reply and then Auto Quote. Highlight and Copy all the text in the box to notepad or word pad. Then hit Upon Reflection I do not wish to post (because you don't want to really reply - you just want to get all the code out of the reply window :-)
•In the copy you saved, remove the first line that reads:*QUOTE=*user=YesterdaysHost** I put asterisks in place of the [ brackets ] so the board would not convert and you can see in these instructions.
Now your list begins with the line beginning *OL> in angle brackets.
•Next, go to the bottom and remove the end quote tag */QUOTE*
•Go back to the thread from yesterday.
»Security Software Updates 22 Feb 2004
•Write down any updates posted since the last time the list was updated either by Wildcatboy or, if he didn't get the chance to update, go back to the last signoff by the host from the day before.
•Edit the list you saved in notepad with the updated info. Change the button colors for them to green while you are at it (button color changes instruction will be included further down in this tutorial)
•Notes: Trend-Micro has a pattern number for its Official Pattern Release & Controlled Pattern Release (Daily Betas). You'll want to make note of those in addition to the date.
IESPYAD & AGNIS Lists are TWO separate entries on your list but usually listed in one post (by Eric Howes). Be sure to update both of them in Privacy Programs.
Some programs have more than one version but are all on one line (AVG, a2 are examples).
•There is a color codes key at the bottom of the daily sticky that tells you what the green, grey and red buttons represent. Hint: Red is always confusing. Red is only for updates MORE than a week (so 8 days). A good example for today was SpySweeper. It had been grey, changed today to red.
•You will see the code for each button color just in front of each program listed:
jgrn.gif = green (Updated today or yesterday)
jgrey.gif = gray (Updated in the past 2 - 7 days)
jred.gif = red (No updates for more than a week)
•Change your button colors to match the day you are posting.
•Special note regarding weekly vs daily updates for Trend, McAfee & Symantec: The daily updates for each of those is considered a *beta* update and not a true pattern release so even though you will change the date on the daily updates, the button for those products will not be changed to green until the weekly (or *Official*) update comes out. The weekly update is the first link in the listing and the daily is the second.
Trend-Micro: Weekly = Official Pattern Release
*Daily = Controlled Pattern Release (Beta)
McAfee: Weekly DAT
*Daily DAT (pre-release)
Symantec: Weekly (or official) = NAV LU (LiveUpdate)
*Daily = NAV IU (Intelligent Updater)
*Daily updates do not affect the button color for these products
During a virus outbreak, it is not uncommon for these programs to release an official update ahead of the usual weekly day (Wed). In that case, the release of an official update will turn the button green.
•Highlight your final edited Notepad/WordPad text, copy it and paste it into a new Topic in the Security Forum.
•Title your thread with this format: dd Mon yyyy, with the month abbreviated to 3 letters. That format is easily interpreted by anyone around the globe.
For example the above was titled:
Security Software Updates 23 Feb 2004
•Press Preview button to check your work, then Post Now!
•Copy the URL for the thread you just started.
•Go back to the end of yesterday's thread and ask everyone to post any further updates to the new thread for today and include the url (example).
Ask Mods to close and unsticky yesterday's thread
•Go to the first post of yesterday's thread (in this example that was Garbs' post for Sunday 22 Feb 2004) and press the Hey Mod button on his post that started the thread.
•Put a dot in *Other* for reason and request that the thread be closed and made unsticky because today's new thread has been posted.
They are usually expecting us as they are used to us by now ;)
•Go to your post for the new thread and press the Hey Mod. Choose *other* and ask them to make the new thread sticky for today.
•Note: Give them time to act on your *Hey Mods*. If someone doesn't get them attended to right away, it just means none of them are available. If your threads have not been stickied/unstickied as requested after about an hour, feel free to Hey Mod again and submit a second request.
This is not a "have to," but it is helpful, we think.
Reply to your new topic and let folks know what updates for the current day were posted to the end of yesterday's thread and posted in your new list (reference the URL to yesterday's thread).
•You need to verify updates, at least loosely, before you edit the list. Keep in mind that some folks get confused (or are behind on updating their own app) and rush in and post an *Update* for today's date, when in actuality it might be a program update (not new signature/pattern definitions) or it may even be an old update. For new programs or program upgrades, ask the poster to post a new topic in this forum.
Generally, the frequent posters and the hosts are the most reliable, and they need little checking and usually include some additional info or screen shots that verify they HAVE indeed checked the program or the website (you can PM them to ask, if needed; they'll be glad to help you out). For the relatively new to the Updates thread, those are very welcome too. Just be sure you go up in the List and check to be sure they are correct if they haven't given you anything definite to go on like a copy & paste of the update notice including the date or a screen shot of the program. Be aware that many times people's programs have an update, but the website has not included it yet. If your poster hasn't given you enough Info, you can ask in the thread for a little verification of it (very politely, of course). I would say something like, "Hi So-n-so, thanks for the info. The website still shows yesterday's date, could you provide us with a screen shot or other info to verify the date of that update?" Sometimes you have to ask for a little more information with programs that don't host their update info on a website.
•Watch those double dates on some programs, Trend, McAfee, NAV, AVG,a2 etc. Make sure you know which one you are updating. Sometimes folks don't state which update it is, they will just say "AVG Update".... (you can usually look it up on the website links and, in that example, look to see which versions that applies to). Same thing with Trend. If they don't specify a CPR(daily beta) vs an Official (or weekly), you can check the website to see which one you need to change.
•Note re: Microsoft Security Bulletins
We point the Microsoft Security Bulletins to the "Official Thread" posted in the Security forum by JmanB , our MS VIP. This is usually the 2nd Tuesday of each month. However, sometimes a special bulletin might come out (February 2004 was just such an exception).
If MS has posted the official Bulletin thread in the Security Forum, copy the URL of the thread JmanB started and insert into the link on our list for the MS bulletins and change the button color & date.
•When you change the date, also change the button color if there is a change. Sometimes the button is already green because the program updated yesterday.
•At the end of your shift, make your sign off announcement and let everyone know the list is up-to-date (or list any programs that might have snuck in just before your edit button expires). It is helpful to note who tomorrow's host will be. Check the schedule jfgnet keeps for us here:
We try to keep the Updates Calendar by the month. We try to let jfgnet know our picks usually a month ahead, but sometimes it goes by the week. Should you find that you need to reschedule a day you have picked, please PM another host and ask if they can substitute. You can also ask jfgnet to find someone for you -- he's really a great support to the Hosts.
•Relax and don't worry on your first day. There hasn't been a mistake made that we haven't made already ~grins~. There also isn't a mistake made that we haven't been able to help someone fix. Just PM someone on the list of Hosts for help -- we're always there for each other.
• Feel free to PM any of those on the hosts list to review your practice thread or answer any questions you have.
•When you are ready to Host a thread for a day, send a PM to jfgnet and let him know which day you would like to host and about what time you estimate you will be starting it. If one of the regulars has already scheduled that day, we will be happy to move aside for a new Host to try it out :)
(a) Open a command prompt window. From Start / Run enter: cmd
(b) From the command prompt enter: netstat -ano
(c) Note the PID (process identifier) associated with the ports you are concerned about. (Also note the Local Address, Foreign Address, Protocol and State.)
(d) Then press Ctrl-Alt-Del to bring up the Windows Task Manager.
(e) In Windows Task Manager, select the Processes tab.
(f) Look for the PID you noted when you did the netstat in step (c). Look to the left at the Image Name column; that tells you which process has that PID.
- If you don't see a PID column, click View / Select Columns, make sure PID is selected, and click OK.
- Make sure "Show processes from all users" is selected.
2. On Windows NT/2000/XP, the following products will provide the ability to locate which software is using which port:
- TCPView (free)
- Active Ports (free)
- OpenPorts (free)
- Foundstone Vision (free)
3. On Windows 95/98/NT/2000/XP, the following product will provide the ability to locate which software is using which port:
- Port Explorer (30-day free trial)
4. You can research the port using the links in this FAQ:
/faq/8226 (Why am I being probed on port XXX?)
or these sites:
5. You can research the IP address using this FAQ:
How do I look up an IP Address?
6. If you're stuck, feel free to post what information you have been able to gather in the BBR Security Forum and let us know your question. Be sure to give the full port description: port number and protocol (TCP or UDP).
7. If you are a business, organization or professional that depends on the security of your computer system, we strongly urge you to consider using the services of an IT security professional to review the security of your system.
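The netstat / Task Manager procedure in step 1 above, done in one pass: the script below parses the output of `netstat -ano` and `tasklist /FO CSV`, joins them on the PID, and flags which listeners are bound to all interfaces (reachable from the network) rather than to 127.0.0.1 only. This is an added example, not part of the original FAQ; both command outputs embedded in it are constructed samples in the XP output format, not captures from a real machine.

```python
"""Map listening ports to the process that owns them, from 'netstat -ano'
and 'tasklist /FO CSV' output.  Added example, not part of the original
FAQ; the sample outputs below are constructed, not captured."""
import csv
import io
import re

# Constructed sample of 'netstat -ano' output (Windows XP format).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1488
  TCP    192.168.1.10:1074      64.233.187.99:80       ESTABLISHED     2200
  UDP    0.0.0.0:137            *:*                                    4
  UDP    192.168.1.10:1900      *:*                                    1160
"""

# Constructed sample of 'tasklist /FO CSV' output.
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","912","Console","0","4,880 K"
"alg.exe","1488","Console","0","3,420 K"
"svchost.exe","1160","Console","0","5,120 K"
"iexplore.exe","2200","Console","0","21,040 K"
'''

# proto, local addr:port, foreign addr:port, optional state (absent for UDP), PID
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(?:(\S+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """One dict per connection/listener line; headers and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state, pid = m.groups()
        rows.append({"proto": proto, "local_addr": laddr, "local_port": lport,
                     "foreign_addr": faddr, "foreign_port": fport,
                     "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """{pid: image name} from 'tasklist /FO CSV' output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def listeners(netstat_text, tasklist_text):
    """Join the two outputs: one record per listening socket, with the owning
    process image and whether the socket is reachable from the network."""
    procs = parse_tasklist(tasklist_text)
    out = []
    for r in parse_netstat(netstat_text):
        # A TCP socket is a listener only in LISTENING state; every UDP socket
        # netstat shows is bound and will accept datagrams.
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue
        # Bound to loopback only: local processes can reach it, the network can't.
        exposed = r["local_addr"] not in ("127.0.0.1", "::1")
        out.append({**r, "image": procs.get(r["pid"], "<unknown>"), "exposed": exposed})
    return out


if __name__ == "__main__":
    for r in listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f'{r["proto"]:3} {r["local_addr"]}:{r["local_port"]:<6} '
              f'PID {r["pid"]:<5} {r["image"]:<14} {"EXPOSED" if r["exposed"] else "local only"}')
```

To use it on your own machine, save the two command outputs to files and feed their contents to `listeners()`; anything marked EXPOSED that you do not recognise is what to research in step 4 and, if still unclear, to post about in step 6.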
Other useful links on BBR:
Useful links elsewhere:
On Internet protocols:
On firewall forensics:
SANS Reading Room:
Packet analysis (note, you probably do not want to reduce firewall protection unless you have a test computer you can put outside your firewall):
The advice given here is general in nature and not adequate for high-value or highly attractive targets.
Feedback received on this FAQ entry:
a) Source IP addresses can be spoofed. That is, the real source IP address is not necessarily the source IP address reported.
However, if the source IP address is spoofed, replies go back to the computer at the spoofed source IP address instead of the real source, so spoofing is only useful to an attacker who does not need a reply. This often happens with Denial of Service (DoS) attacks.
b) The computer at the source IP is often a zombie. That is, it is owned by another victim and is under remote control by a hacker. Or, the computer at the source IP may be a victim of a virus.
c) The computer at the source IP address may simply be misconfigured or may be attempting to reconnect with the computer that used to have your IP address.
In any of these cases, the computer at the reported IP address is owned by another innocent person. That said, they will generally appreciate being politely notified if research shows that they seem to have a security problem.
2. Some IP addresses are reserved for special use and are non-routable on the Internet (they have bogon prefixes). You cannot look up these IP addresses because they have no meaning on the Internet, just on LANs or individual computers.
However, some ISPs, notably Hughes Satellite, protect their customers by placing them behind NAT routers, so customers will see other customers as having non-routable IP addresses.
If your ISP does this, a non-routable IP address can be originating with another customer of your ISP. While you won't be able to directly determine which of their other customers had a given non-routable IP address at a given point in time, your ISP should be able to.
The main ranges of these non-routable IP addresses are:
10.0.0.0 - 10.255.255.255 (LAN)
172.16.0.0 - 172.31.255.255 (LAN)
192.168.0.0 - 192.168.255.255 (LAN)
127.0.0.0 - 127.255.255.255 (loopback: lets one process on a computer talk to another process on the same computer)
More bogons are here:
Some IP address ranges have special uses, which are noted here:
3. You can look up routable IP addresses at any of these whois sites:
www.centralops.net/co/ Domain Dossier
www.samspade.org IP whois
You can check to see if myNetWatchman and DShield participants are seeing events from the same source IP address here:
www.MyNetWatchman.com see Look Up Incidents by IP Address.
www.DShield.com see Submit.
4. Often the email addresses in the whois are out-of-date. You can generally reach the administrator of the domain by emailing abuse@, wanabuse@, cirt@, cert@, antispam@, postmaster@ or admin@ at xxxxxx.yyy, where xxxxxx is the domain and yyy is the top level domain (tld: .com, .org, .co.uk, whatever).
5. You can research the associated ports from the links here:
/faq/8226 (Why am I being probed on port XXX?)
6. If you're stuck, feel free to post what information you have been able to gather in the BBR Security Forum and let us know your question. Be sure to give the full port description: port number and protocol (TCP or UDP) and both IP addresses. For security, it is a good idea to disguise the last 2 parts of your own IP address (123.123.xxx.xxx).
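Steps 2 to 6 above as a small triage script. It is an added example, not part of the original FAQ: it sorts firewall-log source addresses into non-routable ones (which cannot be looked up; only your own ISP can say who was behind one) and routable ones, ranks the routable ones by how many of your local ports they touched (the "more than one local port" criterion that the NAT router FAQ on this page recommends for log analysis), and masks your own address the way step 6 recommends. The log line format and every address in it are constructed; the remote addresses come from the RFC 5737 documentation ranges, which a complete bogon list would also flag, so the table below deliberately lists only the ranges this FAQ names plus a few other well-known special-use blocks.

```python
"""Triage firewall-log source addresses before looking them up.  Added
example, not part of the original FAQ; log lines and addresses are constructed."""
import ipaddress
import re
from collections import defaultdict

# Ranges named in this FAQ plus a few other special-use blocks.  A full bogon
# list is longer; see the links above.
NON_ROUTABLE = [(ipaddress.ip_network(n), label) for n, label in (
    ("10.0.0.0/8", "LAN"), ("172.16.0.0/12", "LAN"), ("192.168.0.0/16", "LAN"),
    ("127.0.0.0/8", "loopback"), ("169.254.0.0/16", "link-local"),
    ("0.0.0.0/8", "this network"), ("224.0.0.0/4", "multicast"),
    ("240.0.0.0/4", "reserved"),
)]


def classify(ip_str):
    """'routable', or the label of the special-use range the address is in."""
    ip = ipaddress.ip_address(ip_str)
    for net, label in NON_ROUTABLE:
        if ip in net:
            return label
    return "routable"


def mask_own_ip(ip_str):
    """123.123.xxx.xxx form for posting your own address in the forum."""
    first, second, _, _ = ip_str.split(".")
    return f"{first}.{second}.xxx.xxx"


# Constructed log format: date time proto src:port -> dst:port action
LOG_RE = re.compile(r"^(\S+) (\S+) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")

LOG_SAMPLE = [  # constructed; 203.0.113.200 plays the part of "your" address
    "2004-02-23 10:15:01 TCP 203.0.113.45:4321 -> 203.0.113.200:135 DROP",
    "2004-02-23 10:15:02 TCP 203.0.113.45:4322 -> 203.0.113.200:445 DROP",
    "2004-02-23 10:20:11 UDP 198.51.100.7:1434 -> 203.0.113.200:1434 DROP",
    "2004-02-23 10:21:00 UDP 10.1.2.3:137 -> 203.0.113.200:137 DROP",
    "2004-02-23 10:22:30 TCP 198.51.100.7:3000 -> 203.0.113.200:135 DROP",
    "this line is not a log entry and is skipped",
]


def triage(log_lines):
    """Return (lookup, skip): routable sources worth researching, most local
    ports hit first, and non-routable sources that cannot be looked up."""
    per_src = defaultdict(lambda: {"events": 0, "local_ports": set()})
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _, _, proto, src, _, _, dport, _ = m.groups()
        per_src[src]["events"] += 1
        per_src[src]["local_ports"].add(f"{dport}/{proto}")
    lookup, skip = [], []
    for src, rec in per_src.items():
        kind = classify(src)
        entry = {"src": src, "kind": kind, "events": rec["events"],
                 "local_ports": sorted(rec["local_ports"])}
        (lookup if kind == "routable" else skip).append(entry)
    lookup.sort(key=lambda e: (-len(e["local_ports"]), -e["events"], e["src"]))
    return lookup, skip


if __name__ == "__main__":
    lookup, skip = triage(LOG_SAMPLE)
    print("Look up (whois, DShield, myNetWatchman):")
    for e in lookup:
        print(f'  {e["src"]:<16} {e["events"]} events on {", ".join(e["local_ports"])}')
    print("Skip (non-routable):")
    for e in skip:
        print(f'  {e["src"]:<16} {e["kind"]}')
    print("Post your own address as:", mask_own_ip("203.0.113.200"))
```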
- Removed dead link to bankes.com.
- Added links to mynetwatchman.com and dshield.com to part 3.
1. Make hidden files visible. In "Windows Explorer," in View / Folder Options / View, make sure these items are selected:
- Display the contents of system folders (XP)
- Show hidden files and folders (XP)
- Show all files (W98)
Make sure these items are not selected:
- Hide extensions for known file types
- Hide protected operating system files (XP)
2. Use File Search advanced functions to list files changed in the last day or two (going back to before the problem was first seen).
3. Run the Disk Cleanup wizard (from Programs / Accessories / System Tools).
4. Scan for disk corruption. From Windows Explorer, right-click on the disk drive, select properties, select tools and check for errors. (Do not normally select recover damaged sectors.)
5. Empty the Norton Recycle bin, if you have one.
Disk space can seemingly mysteriously disappear when the Norton Recycle bin is in use. Do not panic; just right-click on it and select to empty it.
If you want to adjust the Norton Protected Recycle Bin, right-click the Norton Protected Recycle Bin in the tray and choose Properties. Click the Norton Protection tab.
If you have or had a Norton product (NSW, NAV Pro, NIS Pro, etc.) that installs the Norton Protected Recycle Bin, and you still have a problem, refer to these links.
How to remove the Norton Protected Recycle Bin and/or the Windows Recycle Bin:
Symantec (Norton) support search:
Debugging problems with the Norton Recycle Bin:
Removing Norton System Works:
Removing Norton Anti-virus:
Removing Norton Internet Security:
Computer showing 8 GB less free space than there is
6. Chart disk space use using one of these utilities:
DiskSpace Explorer Home Edition:
Showman (under disk utilities):
Jam Software's TreeSize:
7. Check for "alternate data streams":
Frank Heyne's Lads.exe
8. For NTFS drives, check the Master File Table. You are identifying where the space is going. You must not delete files and folders in these locations.
How NTFS Reserves Space for its Master File Table (MFT):
How to Gain Access to the System Volume Information Folder:
9. Try these commands from a command prompt to view hidden and system files:
cd \
dir /ah/as/s | more
The first command makes the root directory of the current drive the current directory. The second displays all the files that have the hidden or system attributes, giving a "more" prompt at the end of each screen. (Press Ctrl-C to stop the display.)
10. Check for hackers creating and using hidden disk space:
11. Checklist for problems deleting files and folders:
From the Microsoft Knowledge Base on problems deleting files and folders (KB320081 - You Cannot Delete a File or a Folder):
From Diamond Computer Systems: Advanced Process Termination:
12. Additional information:
a) How to Locate and Correct Disk Space Problems on NTFS Volumes in Windows XP:
b) Chkdsk in Read-Only Mode Does Not Detect Corruption on NTFS Volume, This behavior can occur if the $logfile data region in the Master File Table is damaged:
c) How to: Create a Boot Disk for an NTFS or FAT Partition in Windows XP:
d) How to calculate space lost to clustering in Windows 95, 98 and Me:
e) PC Guide debug guide on missing disk space:
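Steps 2 and 6 above, as a script: it walks a directory tree counting every file, hidden and system files included (the ones Explorer hides by default, which is why step 1 matters), rolls the sizes up per directory the way TreeSize-style tools chart them, and lists the files changed in the last few days. This is an added example, not part of the original FAQ. The hidden/system check uses the Windows file attributes where Python exposes them and falls back to the dot-file convention elsewhere; `demo()` builds a small constructed tree in a temporary directory so the script can be run as-is.

```python
"""Where did the disk space go?  Sizes per directory (hidden and system files
included) and recently changed files.  Added example, not part of the original
FAQ; demo() builds a constructed tree in a temporary directory."""
import os
import stat
import tempfile
import time


def is_hidden_or_system(path, st):
    attrs = getattr(st, "st_file_attributes", 0)        # Windows only
    mask = (getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
            | getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0))
    return bool(attrs & mask) or os.path.basename(path).startswith(".")


def scan(root, recent_days=2, now=None):
    """Return {'root', 'dir_bytes', 'recent', 'hidden'} for the tree under root.
    dir_bytes[d] counts everything under d, subdirectories included."""
    root = os.path.normpath(root)
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    own_bytes, recent, hidden = {}, [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        total = 0
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                  # vanished or unreadable; skip it
            if stat.S_ISLNK(st.st_mode):
                continue                  # don't charge a link target's size here
            total += st.st_size
            if st.st_mtime >= cutoff:
                recent.append((path, st.st_mtime))
            if is_hidden_or_system(path, st):
                hidden.append((path, st.st_size))
        own_bytes[dirpath] = total
    # Roll up: deepest directories first, so a parent is only added to after
    # every one of its children has been folded into it.
    total_bytes = dict(own_bytes)
    for d in sorted(own_bytes, key=lambda p: p.count(os.sep), reverse=True):
        if d != root:
            total_bytes[os.path.dirname(d)] += total_bytes[d]
    return {"root": root, "dir_bytes": total_bytes,
            "recent": sorted(recent, key=lambda r: -r[1]), "hidden": hidden}


def demo():
    """Build a constructed tree (1000-byte file, a 500-byte dot-file and a
    100-byte file last written ten days ago) and scan it."""
    root = tempfile.mkdtemp(prefix="diskscan-")
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "big.bin"), "wb") as f:
        f.write(b"\0" * 1000)
    with open(os.path.join(root, "sub", ".hidden.bin"), "wb") as f:
        f.write(b"\0" * 500)
    old = os.path.join(root, "sub", "old.txt")
    with open(old, "wb") as f:
        f.write(b"\0" * 100)
    ten_days_ago = time.time() - 10 * 86400
    os.utime(old, (ten_days_ago, ten_days_ago))
    return scan(root, recent_days=2)


if __name__ == "__main__":
    res = demo()
    for d, n in sorted(res["dir_bytes"].items(), key=lambda kv: -kv[1]):
        print(f"{n:>10} {d}")
    print("changed in the last 2 days:", [p for p, _ in res["recent"]])
    print("hidden/system files:", [p for p, _ in res["hidden"]])
```

Point `scan()` at a drive root (for example `scan("C:\\")`) and sort `dir_bytes` descending to see which directory is eating the space; compare its figure with what Explorer shows for the same folder, and a large gap points at hidden/system files, alternate data streams, or reserved MFT space (steps 7 and 8).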
- You can give the site the first part of the MAC address (the MAC prefix), and it will return the make of the equipment.
- Or you can give the make of the equipment, and it will return the MAC prefixes of that manufacturer.
Keep in mind that the maker of the internal equipment (e.g. network interface card) may be different than the maker of the overall device.
Also, remember that MAC addresses can be spoofed.
2. Given a local piece of equipment, you can determine the MAC address as follows:
2.1 Windows 95/98/Me:
2.1.1 Click Start, click Run and enter the command: winipcfg
2.1.2 Use the pull-down menu to select the network interface for the cable modem (rather than any PPP dial-up). Look for the line "Adapter Address."
2.2 Windows NT/2000/XP:
2.2.1 Click Start, click Run and enter the command: cmd
2.2.2 In the command prompt windows, enter the command: ipconfig /all
2.2.3 Look for the output section related to the network interface for the cable modem, and look for the line "Physical Address."
2.3 Alternate procedure for WinXP:
2.3.1 Open control panel Network Connections.
2.3.2 Select the icon for the cable interface, right-click it and select Status.
2.3.3 Click tab Support.
2.3.4 Click button Details.
2.3.5 Look for the line "Physical Address."
2.4 Cable modems: Cable modems have multiple MAC addresses, one for the HFC side (Hybrid Fibre-Coax/cable TV coax socket) and one for the CPE side (Customer Premises Equipment, the ethernet socket). USB-capable cable modems also have two further MAC addresses: one for the cable modem USB socket and another for the emulated network interface in the USB driver in the PC. Although it is possible to discover the CPE MAC address(es) of the cable modem, there is no application or procedure that requires them.
Some cable ISPs require you to register the HFC MAC address of your cable modem with them.
2.4.1 The HFC MAC address of a cable modem is stamped on the manufacturer's label on the cable modem or on the label of the shipping box.
2.4.2 Sometimes cable modem MAC addresses are visible from their diagnostics. To see if your cable modem supports web based diagnostics, visit here:
2.5 Finding the MAC address of any other PC or device on the LAN. This procedure only works for PCs/devices in the same "IP sub-net" as the PC doing the discovery.
2.5.1 Click Start, click Run and enter the command: cmd
2.5.2 Type the command: ping xxx.xxx.xxx.xxx
(where xxx.xxx.xxx.xxx is the IP address of the PC/device for which you want to know the MAC address)
Make sure that you get at least one reply.
2.5.3 Type the command: arp -a
2.5.4 In the column "Internet Address," look for the sought IP address, and then in the same line, read the corresponding MAC address from the column "Physical Address."
2.6 To discover the MAC address of the WAN port of your router, please consult the documentation for your router. It may be on the manufacturer's label, or it may be viewed from a configuration panel.
*** Additional instructions on MAC address lookups are here: »homepage.ntlworld.com/robin.d.h.···ddr.html
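The procedures in 2.2 and 2.5 above, with the manufacturer lookup from section 1 and the spoofing caveat folded in. This is an added example, not part of the original FAQ: it parses the Windows-format output of `arp -a` and `ipconfig /all`, extracts the MAC addresses, looks the first three octets up in a vendor table, and flags two bits of the first octet that are worth knowing about: the I/G bit (set on multicast and broadcast addresses) and the U/L bit, which is set when the address was not burned in by the manufacturer but assigned by software, so a set U/L bit on a "device" in your ARP table means a virtual interface, a randomised address, or a spoofed one. The command outputs are constructed samples, and the vendor table is illustrative rather than a copy of the IEEE list; use the lookup site linked in section 1 for real prefixes.

```python
"""MAC addresses from 'arp -a' and 'ipconfig /all' output, with OUI lookup
and I/G and U/L bit flags.  Added example, not part of the original FAQ; the
command outputs and the vendor table are constructed."""
import re

# Constructed 'arp -a' output (Windows format).
ARP_SAMPLE = """
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          02-aa-bb-cc-dd-ee     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed fragment of 'ipconfig /all' output.
IPCONFIG_SAMPLE = """
Ethernet adapter Local Area Connection:
        Description . . . . . . . . . . . : Sample Ethernet Adapter
        Physical Address. . . . . . . . . : 00-11-22-AA-BB-CC
        IP Address. . . . . . . . . . . . : 192.168.1.10
"""

# Illustrative table keyed by OUI (first three octets).  "00:11:22" is a
# made-up entry for the demo; a real table comes from the IEEE OUI list.
OUI_TABLE = {"00:11:22": "Example Router Co.", "00:50:56": "VMware, Inc."}

MAC = r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})"
ARP_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+" + MAC + r"\s+(\w+)\s*$")
PHYS_RE = re.compile(r"Physical Address[ .]*:\s*" + MAC)


def normalize(mac):
    """'00-11-22-AA-BB-CC' or '00:11:22:aa:bb:cc' -> '00:11:22:aa:bb:cc'."""
    return ":".join(o.lower() for o in re.split(r"[-:]", mac))


def oui(mac):
    return normalize(mac)[:8]


def describe(mac):
    """Vendor (if the OUI is in the table) and the first-octet flag bits."""
    first = int(normalize(mac)[:2], 16)
    flags = []
    if first & 0x01:
        flags.append("multicast/broadcast")    # I/G bit
    if first & 0x02:
        flags.append("locally administered")   # U/L bit: not burned in
    return {"mac": normalize(mac), "oui": oui(mac),
            "vendor": OUI_TABLE.get(oui(mac)), "flags": flags}


def arp_table(text):
    """One dict per entry in 'arp -a' output (section 2.5)."""
    rows = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            rows.append({"ip": ip, "type": kind, **describe(mac)})
    return rows


def own_macs(ipconfig_text):
    """Physical Address lines from 'ipconfig /all' output (section 2.2)."""
    return [normalize(m) for m in PHYS_RE.findall(ipconfig_text)]


if __name__ == "__main__":
    print("this PC:", own_macs(IPCONFIG_SAMPLE))
    for r in arp_table(ARP_SAMPLE):
        print(f'{r["ip"]:<16} {r["mac"]}  {r["type"]:<8} '
              f'{r["vendor"] or "unknown OUI":<20} {", ".join(r["flags"])}')
```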
Feedback received on this FAQ entry:
In their default configuration, common NAT routers do effectively handle the particular problem of unsolicited inbound packets reaching a computer on an internal network.
But sometimes networks have requirements that make NAT boxes inadequate, and that is what this FAQ explores.
NAT routers are sometimes called Broadband routers, DSL routers, or "networks in a box". NAT routers are devices that let you build a network with multiple local computers sharing a single IP address on the Internet. Technically these devices are called "many:1 NAT routers" (abbreviated "M:1 NAT routers") or NAPT routers, to differentiate them from other sorts of special purpose NAT routers that exist.
Switches and hubs are different devices that do not have the same security features.
NAT routers provide very good protection for normal homes, and small offices and home offices (SOHOs), against unsolicited inbound events from outside the network. So a NAT router is normally adequate for homes and SOHOs for protection against incoming events.
However, you will want to consider additional protection for these reasons:
1.1 You should definitely run a software firewall on any computer that connects to AOL using a different Internet Service Provider (AOL's Bring-Your-Own-Access plan or AOL MAX using an ISP), no matter what kind of hardware firewall or NAT router you have.
AOL BYOA connects to your computer by creating a "tunnel" through the Internet. With AOL BYOA, tunneling uses your real IP address to connect you to AOL's network where you have a second IP address. Traffic using that second IP address is inside the tunnel.
With AOL, the far end of the tunnel is other AOL customers and the Internet, so it is untrusted. »www.mynetwatchman.com/kb/securit···ndex.htm
The solution is to use a software firewall. A software firewall will effectively filter the traffic after it leaves AOL's tunnel and before it gets into the rest of your computer. In some countries AOL9 Max includes the free option of installing the McAfee Firewall Express software firewall.
Somewhat similarly, if you connect to an untrusted network using Virtual Private Networking (VPN), you should either use a software firewall or an external VPN firewall.
VPN uses encrypted "tunnels" for privacy. Traffic is only decrypted when it leaves the tunnel. Each end of the tunnel looks somewhat like an extension of the LAN at the other end: one end of the tunnel may have LAN IP addresses such as 192.168.1.xxx and the other end may have LAN IP addresses such as 192.168.10.xxx. Network Address Translation is not used for traffic when it leaves the VPN tunnel, so there is no NAT protection for traffic through the tunnel.
With VPN, you can use software firewalls. Alternatively you can use an external VPN capable firewall. With an external VPN firewall, the VPN tunnel can be configured to end on the external VPN firewall. This means the external firewall is decrypting the VPN traffic, and it can then examine the traffic and protect your computers.
Be sure to test that your external firewall is configured correctly to protect against unauthorized traffic from outside and inside the tunnel.
1.2 If you have to turn on port forwarding or the DMZ to run servers or other applications you should consider either a software firewall or a more expensive SPI firewall.
Turning on port forwarding means traffic for the forwarded ports is forwarded to the specified computer automatically, without the protection of NAT. (Most NAT routers do at least basic packet filtering, in addition to NAT. So there is some protection, but not specifically against unsolicited traffic.)
In this circumstance you can add a software firewall, or run a more complex and expensive hardware firewall or firewall appliance.
The safer methods of "port triggering" or UPnP can be used instead of port forwarding or the DMZ, which avoids this exposure. (See below.)
However, if you are running a publicly available server you will probably have to use port forwarding.
1.3 Generally software firewalls provide valuable additional protection that supplements the protection provided by NAT routers and SPI firewalls.
They can inexpensively provide good protection for individual computers on your network in the event that one of the computers gets infected.
Software firewalls can also watch for trojans, viruses, or unauthorized legitimate software, trying to connect out. Software firewalls have the advantage that they know what is going on inside your computer, they can see which program is trying to get out, and whether that program has changed since the last time it tried to get out. External firewalls and NAT routers can't do that.
The downside of software firewalls is that they can be shut down by users, stalled or terminated by other malfunctioning software on the PC, and disabled or shut down by certain viruses and trojans.
On the other hand, while external firewalls and NAT routers don't know exactly what is going on inside your computer, they are simple devices that are much less likely to have problems that cause them to fail dangerously.
Ideally a software firewall should be an additional layer of protection behind a NAT router or external firewall. For homes a free version of a software firewall is normally adequate for this additional layer of protection.
- ZoneAlarm Free
Look for the free version / free download, and continue to ask for it rather than the Pro version.
- Sygate Personal Firewall
- Kerio Personal Firewall Limited Free Version (Sunbelt Kerio Personal Firewall)
Look for the "limited free" version.
For businesses, computers running public servers, and computers on wireless networks, a paid-for version of a software firewall provides more protection by allowing more customization and more precise control.
2. In selecting a NAT router, software firewall, or hardware firewall, consider its logging and alert capabilities.
A good protective system lets you know if there is a determined attack against you.
- Does it let you see what events have occurred recently, including the date and time, local port and IP address, remote port and IP address, and protocol?
- Is it supported by the free firewall log analysis and reporting organizations myNetWatchman and DShield? ( »www.mynetwatchman.com »www.dshield.org )
- Is there a good log analysis tool available from the manufacturer, or are third party log analysis tools available?
Ideally you want tools that will let you see the one month history of those IP remote addresses that have caused firewall events in the past 24, 48 or 72 hours. Also they should have the ability to show events from only those remote IP addresses that have caused events on more than one local port.
For some products, third party log analysis tools are available that will provide this capability.
There is more on this topic here: /faq/8226
3. If the router or firewall is wireless, secure the wireless interface.
These days many routers and firewalls include both wired and wireless capabilities. And there is not always a visible antenna.
Be sure to check the router's manual to see if it has a wireless capability. If it does, either disable the wireless interface, or configure the wireless interface so it is properly secured.
4. Firewalls are not a replacement for adequate backups of data. (Firewalls don't protect against real fires, or burglars.) /faq/10194
5. Other security precautions still need to be taken. For example, operating systems and anti-virus software need to be properly installed, configured and updated.
6. There is no hardware or software you can install that will protect against massive amounts of traffic jamming your communications lines. "SPI firewalls" only protect against certain types of denial of service (DoS) attacks involving malformed packets, or protocol sequence violations and vulnerable software.
7. Historically, the original network firewalls did not do packet inspection. They were rule based, using tables of permitted IP addresses and ports. Packet inspection is not historically in the definition of firewalls.
8. The NAT firewall was a major advance. It limited inbound traffic based on the basic state of communications with the external IP address: outbound traffic triggered permission for the corresponding inbound traffic.
Internal packet inspection was the next advance, checking for malformed packets. SPI firewalls sometimes also incorporate a more detailed examination of the state of communications, often checking outbound traffic as well as inbound traffic.
However, currently (1Q2005) a common SPI firewall is usually little better at providing inbound firewall protection than a $60 NAT router. The "SPI" label is basically there for marketing purposes. To get materially better protection than a NAT router, one needs a high-end SPI firewall, typically costing over $150.
The next advance is firewall appliances. These add extensive virus scanning of network traffic to the features of SPI firewalls. Currently these cost over $700 and are aimed at offices and institutions.
Some NAT routers and SPI firewalls include parental and employee controls, limiting access times, and restricting certain sites. This FAQ is not considering that kind of protection.
9. This is basically how a pure many:1 NAT router works. M:1 is the kind of router commonly used for home and SOHO users to provide a connection for many local computers using one public IP address.
First, packet filtering is applied to eliminate malformed packets and selected other packets based on fixed rules. With ordinary NAT routers this is fairly basic filtering compared with purpose-built firewalls.
With outgoing packets, the NAT router substitutes its own IP address and one of its currently unused ephemeral ports (that is, ports > 1023) for the source IP address and ephemeral port the local computer used.
All this information is then recorded in a state table with a timestamp. Additional traffic will update the timestamp.
For an incoming packet, the router looks up the packet's source IP address and the router port it arrived on in the state table.
- If no match is found, the packet has nowhere to go and is discarded.
- If a match is found, the state table entry is used to translate the router's IP address and port back to the local computer's IP address and port, and the packet is routed to that local computer.
Both the local computer's local IP address and its source port are mapped, which allows multiple local computers to connect to the same remote server and have independent conversations.
The state table is only filled by outgoing traffic, which means inbound traffic cannot make it overflow.
Of course, as with any program, there can be a bug in the implementation, but you can't get much simpler or more failsafe than the M:1 NAT algorithm.
Simplicity and failsafe-ness are good features. The more lines of code, the greater the chance of a bug.
10. Port forwarding bypasses the state table and that source of protection provided by the NAT router. Port forwarding (on a pure NAT router) causes almost all traffic that arrives at a particular port to go to a particular local IP address. (Basic packet filtering is the only protection for the port.)
Trigger ports or UPnP should be used in preference to port forwarding when possible. For example use port triggering for UDP replies for Windows Media Player so the port forwarding is limited to the source IP that was contacted on the trigger port. The forwarding will time-out (terminate when it isn't being used) rather than being always-on.
You need to configure both the software's own options and the router's setup so that the ports used correspond. After you make the changes, use the software to make a connection, and then check your firewall/router logs to see that the UDP traffic is not being blocked.
Typically the trigger port is a TCP port used to establish and control communications. The triggered port is normally UDP and is used to receive large amounts of data with minimum overhead (with no overhead from "receipt verified" packets).
These port triggering settings are possible:
Real Player 7070 TCP is trigger for 6980-7000 UDP
Real Player 6970 TCP is trigger for 6980-7000 UDP
QuickTime 554 TCP is trigger for 6970-7000 UDP
BitTorrent 6969 TCP is trigger for 6881-6889 UDP
Windows Media Player 1755 TCP is trigger for 6980-7000 UDP
Remember, the settings in the router and the software must correspond. For example, you have to update your router, and you have to update your QuickTime options. If you cannot find the ports in the software's options, check the software maker's website for which ports it is set to use.
UPnP is also an alternative to port forwarding, but not all NAT routers and not all software are UPnP capable. The software uses UPnP to ask the router to open ports for its use. When the software shuts down, it asks the router to close those ports. This saves you having to configure the router and software with specific ports. A small downside of UPnP in its current form is that, if the program that opened the port crashes, the port is left open until you re-boot.
If you need instructions on UPnP, check your manuals and FAQs, and consult a search engine using UPnP and the program name, or UPnP and the router make, as search terms.
Trigger ports and UPnP are safer than port forwarding.
11. The DMZ should be totally avoided on most NAT routers.
A DMZ is not normally required, provided you know your software. Check the software vendor's website, or email their support area, or search here in BBR, to find out what ports you need to set as trigger ports for which ports, or which ports to forward.
If you really do need a DMZ, use a device that treats the computer in the DMZ as though it was an untrusted computer outside your local network. Ordinary NAT routers do not normally provide this type of DMZ; they normally just forward all unsolicited traffic to the machine in the DMZ, leaving it with no NAT protection.
(You can create the desired level of separation with 2 ordinary NAT routers, or with 1 NAT router and 1 hub, or 1 high-end NAT router or firewall.)
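The state-table algorithm of section 9 and the three holes of sections 10 and 11, as a runnable model. This is an added example, not part of the original FAQ, and not the code of any router: the addresses, ports and idle timeout are constructed, packet filtering is left out so the state-table behaviour stands alone, and the matching rule (reply must come from the same remote IP and port the LAN computer contacted) is one common choice among several real routers make. `demo()` walks through the cases the text describes: a reply to an outbound connection gets through, the same port probed from another host or after the entry times out does not, a port trigger opens its range only for the host that was contacted on the trigger port, and port forwarding and the DMZ accept traffic from anyone.

```python
"""Model of a pure many:1 NAT (NAPT) state table with port forwarding, port
triggering and a DMZ host layered on top.  Added example, not part of the
original FAQ; addresses, ports and timeout are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    def __init__(self, wan_ip, idle_timeout=300):
        self.wan_ip = wan_ip
        self.idle_timeout = idle_timeout
        # (proto, wan_port) -> [lan_ip, lan_port, remote_ip, remote_port, last_seen]
        self.table = {}
        self.next_port = 1024          # ephemeral ports are > 1023
        self.forwards = {}             # (proto, wan_port) -> lan_ip, always on
        self.triggers = {}             # (proto, trigger_port) -> (proto, lo, hi)
        self.open_triggers = []        # temporary forwards opened by triggers
        self.dmz_host = None

    def forward_port(self, proto, wan_port, lan_ip):
        self.forwards[(proto, wan_port)] = lan_ip

    def add_trigger(self, trig_proto, trig_port, open_proto, lo, hi):
        self.triggers[(trig_proto, trig_port)] = (open_proto, lo, hi)

    def _free_port(self, proto):
        for _ in range(65535 - 1023):
            p = self.next_port
            self.next_port = 1024 if p >= 65535 else p + 1
            if (proto, p) not in self.table and (proto, p) not in self.forwards:
                return p
        raise RuntimeError("no free ephemeral port")

    def _expire(self, now):
        self.table = {k: e for k, e in self.table.items() if now - e[4] <= self.idle_timeout}
        self.open_triggers = [t for t in self.open_triggers
                              if now - t["last_seen"] <= self.idle_timeout]

    def outbound(self, pkt, now):
        """LAN -> WAN: record or refresh the state-table entry; return the
        packet as it leaves, with the router's address and port substituted."""
        self._expire(now)
        for (proto, wan_port), e in self.table.items():
            if proto == pkt.proto and e[:4] == [pkt.src, pkt.sport, pkt.dst, pkt.dport]:
                e[4] = now
                break
        else:
            wan_port = self._free_port(pkt.proto)
            self.table[(pkt.proto, wan_port)] = [pkt.src, pkt.sport, pkt.dst, pkt.dport, now]
        trig = self.triggers.get((pkt.proto, pkt.dport))
        if trig:   # open the triggered range, but only for this remote host
            open_proto, lo, hi = trig
            self.open_triggers.append({"lan_ip": pkt.src, "remote_ip": pkt.dst,
                                       "proto": open_proto, "lo": lo, "hi": hi,
                                       "last_seen": now})
        return Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst, pkt.dport)

    def inbound(self, pkt, now):
        """WAN -> LAN: the translated packet, or None when the router has
        nowhere to send it (the normal fate of unsolicited traffic)."""
        self._expire(now)
        key = (pkt.proto, pkt.dport)
        e = self.table.get(key)
        if e and e[2] == pkt.src and e[3] == pkt.sport:          # state table
            e[4] = now
            return Packet(pkt.proto, pkt.src, pkt.sport, e[0], e[1])
        for t in self.open_triggers:                             # port triggering
            if (t["proto"] == pkt.proto and t["lo"] <= pkt.dport <= t["hi"]
                    and t["remote_ip"] == pkt.src):
                t["last_seen"] = now
                return Packet(pkt.proto, pkt.src, pkt.sport, t["lan_ip"], pkt.dport)
        if key in self.forwards:                                 # port forwarding
            return Packet(pkt.proto, pkt.src, pkt.sport, self.forwards[key], pkt.dport)
        if self.dmz_host:                                        # DMZ host
            return Packet(pkt.proto, pkt.src, pkt.sport, self.dmz_host, pkt.dport)
        return None


def demo():
    """The cases described in sections 9 to 11; returns a dict of outcomes."""
    r, wan, out = NatRouter("203.0.113.10"), "203.0.113.10", {}
    out["outbound"] = r.outbound(Packet("TCP", "192.168.1.10", 1500, "198.51.100.5", 80), now=0)
    out["reply"] = r.inbound(Packet("TCP", "198.51.100.5", 80, wan, 1024), now=1)
    out["wrong_host"] = r.inbound(Packet("TCP", "198.51.100.99", 80, wan, 1024), now=1)
    out["probe"] = r.inbound(Packet("TCP", "198.51.100.99", 4444, wan, 135), now=1)
    out["stale"] = r.inbound(Packet("TCP", "198.51.100.5", 80, wan, 1024), now=400)
    r.add_trigger("TCP", 554, "UDP", 6970, 7000)    # QuickTime row from the table above
    r.outbound(Packet("TCP", "192.168.1.10", 1600, "198.51.100.20", 554), now=500)
    out["triggered"] = r.inbound(Packet("UDP", "198.51.100.20", 5000, wan, 6980), now=501)
    out["triggered_other"] = r.inbound(Packet("UDP", "198.51.100.99", 5000, wan, 6980), now=501)
    r.forward_port("TCP", 80, "192.168.1.20")
    out["forwarded"] = r.inbound(Packet("TCP", "198.51.100.99", 4444, wan, 80), now=600)
    r.dmz_host = "192.168.1.30"
    out["dmz"] = r.inbound(Packet("TCP", "198.51.100.99", 4444, wan, 135), now=600)
    return out


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:<16} {'dropped' if pkt is None else f'-> {pkt.dst}:{pkt.dport}'}")
```

The same probe to port 135 is dropped in the `probe` case and delivered to the DMZ host in the `dmz` case, which is the whole of section 11 in two lines of output; the `triggered_other` case is why section 10 prefers triggering over forwarding.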
Here are some security testing sites: /faq/5503
Here is more on securing your home computer: /faq/8463
Here is more on securing a wireless router: /faq/8698
For discussion about your individual circumstances you can post a message in the BBR Security Forum here: /forum/security
Be sure to mention if you have unusual requirements, like offering "public servers", confidential client data, etc., how many computers you have, which operating systems, and so on.
If your network is high-value or a particularly attractive target, or if you are a business that depends on its computers, we recommend you also obtain the services of an IT professional to help plan and maintain your security.
* Here is the thread where the proposal for this FAQ was researched, discussed and refined. My thanks to all those who participated with me in developing this FAQ.
- Removed dead link to UPnP configuration instructions.
- Improved opinion of UPnP.
01 Jan 2006
- Kerio PFW is to be Sunbelt Kerio PFW.
- Clarified trigger port setup.
- MS Messenger can now easily do file transmission through an NAT router, so the old instructions have been removed.
01 May 2005
- Added caution to check that if the router is wireless, and to secure the wireless interface.
- Added NATP as a technical term for the kind of router being talked about.
(Thanks Doc Olds.)
(If you get an e-mail complaining you sent someone a virus, you can follow these same steps.)
Usually there is an infected computer somewhere that contains both your e-mail address and the destination e-mail address. (For example, the infected computer might belong to a mutual friend or to a company you both deal with.)
The malware (virus or trojan) on the infected computer scanned that computer for e-mail addresses. It picked one e-mail address to be the fake sender and sent copies of itself to the other e-mail addresses.
The malware didn't use the real e-mail address of the computer's owner because any undeliverable e-mail that bounced back would tip off the infected computer's owner that he had a problem.
The other common possibility is that a spammer sent spam and, accidentally or intentionally, used your e-mail address in the "sent from" field. Normally this is a one-time occurrence, although you might see bounces for a couple of days.
Either way, it is unlikely your computer sent the e-mail.
Just to be sure you don't have a problem, follow these 2 steps:
1.1 Make sure the anti-virus software on your computer is up-to-date and run a full scan of your computer.
1.2 For a second opinion, run one or two of the web-based anti-virus scans listed here:
1.3 If your ISP abuse department contacts you, which rarely ever happens, telephone them back (look up their number in a phone book or on a bill, so you know you aren't being set up for a scam). Ask them to e-mail you the e-mail headers that prove you sent the e-mail. You can post those headers in the anti-spam forum, asking for advice:
(If you want help, only disguise the actual e-mail addresses, not the IP addresses, times or website addresses (URLs).)
2.0 If you get e-mail that is infected with a virus, it is highly unlikely that it was sent by the e-mail address indicated as the sent-by address. The reasons are the same as described above.
You might be able to determine the ISP or the mail server of the infected computer by examining the internal e-mail headers. You would forward the e-mail, including all of the headers, to that ISP asking them to let the owner of the infected computer know they are infected.
3.0 Recommended steps you can take to secure your computer.
There is more on disinfecting computers here:
There is more on e-mail safety and security here:
There is more on securing computers here:
If you have a computer security question, a question about disinfection or would like to make an observation, feel free to post here:
Symantec's bulletin on this.
4. How to analyze e-mail headers.
You can try to locate the Internet Service Provider of the source of the original e-mail, if you have the headers of the original e-mail. How to find the source of e-mail.
How to get your e-mail program to reveal the full e-mail headers. You will need the headers from the original e-mail, not the bounced e-mail.
Click here for a tool for finding the source of e-mail. Note: If you believe the e-mail is from a virus, you can give Spamcop.net the e-mail headers to decode ("process spam"), but do not proceed to the second step of "submitting" a complaint through spamcop.
If you believe the e-mail is from a virus, instead submit the complaint in a polite personal e-mail to the contact address spamcop.net provided in its analysis. State that their customer seems to have an infected computer. Paste the original e-mail with all of the headers and the spamcop analysis near the bottom of the e-mail.
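The header walk that the tools above automate, as an added example that is not part of the original FAQ: the script below reads the Received: headers of a constructed sample message, lists the hops in transit order, and separates the origin the sender claims from the source you can actually vouch for given which mail servers are yours. All hostnames, addresses and the `my_servers` set are assumptions made up for this example.

```python
"""Walk the Received: headers of an e-mail to find where it came from.
Added example, not part of the original FAQ."""
import email
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample message.  Hostnames use example.* and the addresses
# are from the RFC 5737 documentation ranges; none of this is a real sender.
RAW_MESSAGE = b"""\
Received: from mx2.example.net (mx2.example.net [192.0.2.25])
\tby mail.example.org with ESMTP id 0001; Tue, 01 Mar 2005 10:00:05 +0000
Received: from relay.isp.example.net (relay.isp.example.net [198.51.100.7])
\tby mx2.example.net with ESMTP id 0002; Tue, 01 Mar 2005 10:00:03 +0000
Received: from pc-home (unknown [203.0.113.42])
\tby relay.isp.example.net with SMTP id 0003; Tue, 01 Mar 2005 10:00:01 +0000
Received: from localhost (localhost [127.0.0.1])
\tby pc-home with SMTP id 0004; Tue, 01 Mar 2005 09:59:59 +0000
From: friend@example.com
To: you@example.org
Subject: wedding pictures

see attached
"""

# "from <helo-name> (<reverse-dns> [<ip>]) ... by <receiving-server>"
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?P<paren>\s*\([^)]*\))?.*?\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# Addresses that cannot be the public source: loopback, RFC 1918, link-local.
# ipaddress.is_private is deliberately not used, because it also covers the
# documentation ranges that the constructed sample relies on.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_local(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable, treat as unusable
    return any(addr in net for net in LOCAL_NETS)


def parse_received(value: str) -> Optional[Dict]:
    """Pull helo name, reverse-DNS name, IP and receiving server out of one header."""
    text = " ".join(value.split())  # unfold continuation lines
    m = HOP_RE.search(text)
    if not m:
        return None
    paren = (m.group("paren") or "").strip(" ()")
    ipm = IP_RE.search(paren)
    rdns = paren.split()[0] if paren and not paren.startswith("[") else None
    return {"helo": m.group("helo"), "rdns": rdns,
            "ip": ipm.group(1) if ipm else None, "by": m.group("by").rstrip(";")}


def hops(raw: bytes) -> List[Dict]:
    """Hops in the order the message travelled (earliest first)."""
    msg = email.message_from_bytes(raw)
    received = msg.get_all("Received") or []
    # Each relay prepends its own header, so the top one is the last hop.
    parsed = [parse_received(v) for v in reversed(received)]
    return [h for h in parsed if h]


def claimed_origin(raw: bytes) -> Optional[str]:
    """Earliest non-local address in the chain.  This is only what the lower
    headers claim: anything below the headers your own servers wrote could
    have been forged by the sender."""
    for hop in hops(raw):
        if hop["ip"] and not is_local(hop["ip"]):
            return hop["ip"]
    return None


def verified_source(raw: bytes, my_servers) -> Optional[str]:
    """Walk newest-first through the relays you operate; the first connection
    into them from a host that is not yours is the source you can vouch for,
    and the one whose ISP you would contact."""
    mine = {s.lower() for s in my_servers}
    for hop in reversed(hops(raw)):
        if hop["by"].lower() not in mine:
            return None  # chain of custody broken before a foreign host appears
        if (hop["rdns"] or "").lower() not in mine:
            return hop["ip"]
    return None


def hop_path(raw: bytes) -> List[str]:
    return [f'{h["helo"]} -> {h["by"]}' for h in hops(raw)]


if __name__ == "__main__":
    for step in hop_path(RAW_MESSAGE):
        print(step)
    print("claimed origin:", claimed_origin(RAW_MESSAGE))
    print("verified source:", verified_source(RAW_MESSAGE, {"mail.example.org", "mx2.example.net"}))
```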
Security Cleanup FAQ
You can follow it here:
»Security Cleanup FAQ »How do I prevent Browser Hijacks and Spyware?
A. The use of the computer is the primary factor in the decision whether to re-format and re-install, or just disinfect.
B. How the variety of malware influences the decision on whether to re-format and re-install, or just disinfect.
C. Tips on Re-installation.
D. Useful links.
When deciding whether a re-format and re-install is needed after an infection, the most important factor is generally what the computer is used for, and what information can be accessed via the computer.
The kind of malware and how it got on the computer are only the second and third most important factors.
One major intention of this FAQ is to urge techie friends, forum regulars, technicians, consultants, and service representatives to ask more questions of the computer's users (and administrators) about how the computer is used before making any kind of recommendation on re-formatting and re-installing.
If you are both the computer's owner and only user, and you are removing malware from it, you have two hats to wear. Remember to stop, and switch from technician to business person thought-mode before making the decision on whether or not to re-format and re-install.
Remember to consult the other users on what they use the computer for. (The computer you use for music may be the same one your parents use to manage your future inheritance.)
It is dangerous and incorrect to assume that simply because one backdoor trojan has been removed from a computer, the computer is now secure.
When posting questions on this topic, mention if the computer is used for more than games and music.
All of the cautions about backdoors also apply if the hacker or cracker was able to actually physically sit at the computer while it was logged on.
A re-format and re-install should always be considered.
The question is, "Should a re-format and re-install be strongly considered, or merely considered?" The decision is the computer user's and computer owner's, based on their knowledge of their computer's use, and their informed acceptance of the risk.
The experts at CERT and SANS don't think an on-site team of certified trained and experienced professionals can reliably clean a system that has had a backdoor installed, up to the standards of everyday commercial and institutional use. So how can one expect to do that long distance?
We can't and shouldn't force people to do re-installs, but we should:
1. Ask what the computer is used for.
2. Ask if there is any confidential information about patients, customers or clients on the computer, or accessible through the computer (say through an employer's network that the computer connects to via dialup or VPN).
3. Ask if their own banking or personal information is on the computer.
4. Based on those answers, and the nature of all the malware found, and whether the hacker had direct access to the computer, either recommend or strongly recommend they consider a re-format and re-install.
Give them enough information about the risks to make their own informed decision.
5. Let them decide based on what they use their computers for, their assessment of the risks, and their financial and technical resources, whether the re-format and re-install is actually done.
6. Then assist them in securing their computer following the method they choose.
A lot of the people who need help with their computers are in other professions. Some people who come here use their computers for work, and the computers may contain the patient records of a physician, the financial records of an accountant's clients, or credit card and bank account information of their employer's customers.
1. There may be tremendous risks and legal liability for such users in not fully securing the computer. We won't know this unless we ask. We don't want to be accidentally putting those we help in vulnerable positions for law suits.
2. Here is an example of why business factors outweigh technical factors in making the re-format and re-install decision.
Sometimes techie friends give missing CDs or lack of expertise as a reason for not doing a re-format and re-install.
The cost of replacing missing Windows XP and MS Office CDs, and getting an MCSE to come in for 3 hours to do the re-install and apply all the critical updates, is trivial compared with the potential cost of a multi-million dollar lawsuit for breach of trust if confidential client or patient information is disclosed.
3. In specific situations where highly confidential information about others is on the computer, and a backdoor virus or trojan is found, we are helping people more by identifying that they have a backdoor and are in a particularly vulnerable situation, and sending them to seek local professional help from an MCSE, CISSP, GIAC CSE, CCP or ISP, than we would be by trying to fully resolve their problems long distance.
Look up the malware using the virus encyclopedia of the scanner that detected the virus. Click here for virus encyclopedias. If you can't find the virus in the correct encyclopedia, click here to scan with a different scanner and then try that scanner's encyclopedia.
The words to look for in the description of the virus, worm or trojan are "root kit", "backdoor", "allows arbitrary code to be executed", or "remote access trojan".
If the computer was connected to the Internet for a long time with the backdoor installed, or if the malware used ICQ to actively contact hackers, then it is more likely the backdoor was used. Therefore there is a high risk if re-formatting and re-installing is not done.
If the backdoor merely opens a port to listen the risk is slightly lower.
If the backdoor merely opens a port to listen and the computer was behind a working firewall or NAT router, then the risk of the backdoor being used is greatly reduced. Therefore there is probably a much lower risk if re-formatting and re-installing is not done.
Most search hijackers and pop-up producing adware contain a capability for the maker to automatically update them and to add additional adware. In other words, most of them install backdoors of some sort.
In a case where only search hijackers and pop-up producing adware are found we should not automatically recommend re-formatting provided the malware can be removed another way, and providing the computer requires only normal levels of security. Hijackers and adware are written for advertising money, and their authors are not normally interested in anything more malicious than getting click-through payments from advertisers. Seldom is a backdoor in adware used by the maker to install anything other than more hijackers and ad-ware.
However, there is the potential for any backdoor to be used by others, not just the original author, so the situation with adware and search hijackers is generally one of much lower risk, not no risk. The use of the computer has to be considered, as well as the nature of the specific adware found.
The MBSA and Belarc steps in here /faq/8428 (step 7) will spot-check whether certain common security settings have been changed.
From the May 5, 2004 Handler's Diary on SANS's ISC:
And from CERT, the other main source of professional advice on handling viruses and trojans:
And if this precaution applies to on-site professional security experts on UNIX, LINUX and Windows NT systems, you can bet it applies doubly to home systems with Windows being supported long distance.
The one mitigating factor is that many home users will accept more risk than will businesses, depending on the use of their computers and their own personal circumstances. And this is usually reasonable.
Anti-virus vendors, because they are in competition, and because they charge money for their products, are highly reluctant to recommend re-formatting and re-installing. Vendor A is afraid to recommend re-formatting if vendor B claims just running his tool will clean the system. We don't have that issue because we are not selling anything.
We may be leaving people open to serious financial and liability hazards if we don't make them aware of the potential hazards of not doing a clean reinstall after their system has been infected with a back door.
This is not to say that we shouldn't walk them through the process of identifying and reporting the malware. To prevent further infections, it is important that suspected new malware be copied and submitted to the anti-malware vendors before systems are cleaned.
* Be sure to back-up all data before re-formatting the computer's hard drive. This includes address books, documents, music, settings, saved games, and anything else not obsolete.
The re-format process will wipe the computer's hard drive clean, destroying all data and programs.
* PCs are made so they can be reformatted. But sometimes, especially with major brand-name computers, there are special procedures that require reading the manual, visiting the manufacturer's website, or, if the manufacturer has gone out of business, searching on www.google.com.
Some computers have the BIOS or re-installation software in small partitions on the hard drive.
- Do not re-partition the hard drive without carefully consulting the maker's manual and website.
- Check on the use of any partition, other than C:, before re-formatting it.
* Some computers require special drivers which are downloadable from the computer manufacturer's or vendor's website or device manufacturer's website. Use an uninfected computer to download these files to diskettes or a CD, and print out the installation instructions, in advance.
* Gather together the CDs, diskettes, and Internet addresses required to re-install the software.
* Since you should avoid searching the web until your computer is fully secured, it is a good idea to download any programs you will need to secure your computer prior to re-formatting. Use an uninfected computer to do this.
* Physically unplug the computer from the Internet before re-formatting.
* Leave the computer physically disconnected (unplugged) from the Internet until it is protected by a firewall (ICF, an NAT router, or other hardware or software firewall).
(If the computer has a wireless card, remove or shield the card so that the computer cannot connect to any access points.)
* An unpatched computer without proper firewall protection can be infected within seconds of being connected to the Internet.
The computer must be protected by a hardware firewall, NAT router, or a software firewall before plugging it back in to the internet or you can be infected in a few seconds.
* When installing from a Windows XP SP2 CD, the installation will default to having the Windows XP SP2 Firewall activated, so the hazard is greatly reduced. With earlier service packs of Windows XP and earlier versions of Windows, you must manually turn on a firewall.
* Assistance on re-installing operating systems is available from the FAQs on the "Links" pull-down menu here: BBR Microsoft Forum
* Be sure to run Windows Update to install all service packs and critical updates, and to update your anti-virus and other security products, before using your computer to do anything else.
Terminating Spyware With Extreme Prejudice
»Security »What questions should I ask when doing a security assessment?
»Security »I think my computer is infected or hijacked. What should I do?
»Security »How to report ID theft, fraud, drive-by installs, hijacking and malware?
»Security »When is an NAT router inadequate protection?
Microsoft Security at Home
Microsoft Security Guidance Center
Search Microsoft Knowledge Base
BlackViper's Operating System Guides (including installation tips)
All BBR Security Forum FAQs
2008-07-21 by Keith2468: Fixed some broken links.
1. What are your needs?
2. What do you use the Internet for?
3. Do you run any public servers? What type?
4. Do you run any local servers? What type?
5. What new uses of the Internet does the company anticipate making in the next 12 months?
6. How many employees does the company have? How many people access the computer network?
7. What is the rate of personnel turnover?
8. What is the potential business impact of an outage?
9. What is the potential business impact of infiltration?
10. Are you an "attractive target," a "high value target" or a regular non-high tech, non-financial, low-profile business?
11. Are there any other security factors that you are concerned about?
The first 7 questions narrow in on the exposures needing protection.
The second 4 questions give an indication of how secure the protection needs to be.
The answers to these questions will lead to new questions customized for your client's situation.
The report should include a comparison of the costs of not having security versus the costs of acquiring security.
It is best to produce a range of alternate solutions with different costs and protection levels. This lets the client make the choice (and take more of the responsibility) for the business decision of which level is most appropriate.
- It could be a network problem. The Internet Traffic Report will give an indication of widespread problems. Call your Internet Service Provider's (ISP's) support desk for information on local problems.
- The website you are trying to reach may be out-of-service.
- Another computer user may have altered the computer's settings.
- Click here if you suspect you have a virus or trojan.
This FAQ will only look at security-related causes. For non-security causes, start by checking part 5 of the BBR Main FAQ
1.0 If you are unable to access some Internet sites, or requests to one Internet site are redirected elsewhere, but you can access other Internet sites, your problem may be "Hosts File Hijacking."
Click here to recover from Hosts file hijacking.
This is the simplest problem you can have, unless whatever did the hijacking is still on your system. So once you have fixed the Hosts file, it is important to follow the steps here: Click here if you suspect you have a virus or trojan.
2.0 If you are unable to access some Internet sites, or mistyped URLs take you to an unusual site, but you can access other Internet sites, your problem may be "search or browser hijacking."
Click here to recover from search or browser hijacking.
3.0 If you are unable to access any Internet sites, it is possible that the computer's winsock has been corrupted or damaged.
This can happen when spyware and trackingware is removed, or it can happen when buggy software is installed.
The type of software involved is called Layered Service Provider (LSP). Different layers (modules) are connected together like links in a chain to provide services for Windows' TCP/IP processor. Each link leads to the next link. If one link is removed and the remaining links are not reconnected, the chain is broken.
Here are utilities that try to repair that.
Important Note: These utilities are ONLY for Windows versions XP SP1 and below. Do NOT use on XP SP2 or above
After running these utilities, and testing that your connection is again working, you should reapply any tweaks that you made to your connection (for example, tweaks made with DrTCP).
Winsock XP Fix for Windows XP.
Winsock 2 Fix (w2fix.exe): only use on Windows 98, 98SE and Windows Millennium.
LSPfix Repairs Winsock 2 settings, caused by buggy or improperly-removed Internet software, that result in loss of Internet access. (Windows XP SP1 or below)
XP SP2, SP3 and Vista: refer to the following MS KB knowledgebase articles
How to determine and to recover from Winsock2 corruption in Windows Server 2003, in Windows XP, and in Windows Vista
How to reset Internet Protocol (TCP/IP) in Windows XP
For more on troubleshooting the Winsock and LSP, please check the BBR Microsoft Application FAQ: Winsock Troubleshooting and Repair.
4. Other possible causes and their cures:
- Your current security settings prohibit running ActiveX controls.
Edit 30 July 2008 by CalamityJane: Removed references and links to Lavasoft LSP explorer (no longer available). Added warning to not use these utilities on XP SP2 or above (includes Vista). Added links to KB articles for winsock repair on XP SP2 and above.
What the Hosts file is:
On the Internet, people usually talk about Internet sites using domain names, like microsoft.com, dshield.org, whitehouse.gov or gc.ca, but computer networks function using IP addresses.
Data to be sent on the Internet is broken up into chunks called packets (also called datagrams or "messages"). The destination IP address is put in the header of each packet and is used by each machine along the path to route the packet to the destination computer.
Before packets can be sent through the Internet, the sending computer must look up the destination domain name, find out its IP address and put that IP address in the header of each packet.
The "Hosts" file is a special file in which your computer first tries to look up domain names. If it doesn't find the domain name there, it looks it up using your Internet Service Provider's (ISP's) domain name server (DNS).
Thus, altering the Hosts file can make Internet sites unreachable by misdirecting packets intended for one Internet site to the wrong place (the wrong IP address).
The steps for investigating and cleaning the Hosts file:
1. Backup the Hosts file. Here are the standard Hosts file locations:
Windows XP & Vista: C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K: C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME: C:\WINDOWS
First, locate the Hosts file; it is a file named "Hosts" with no extension. Right-click on it and select Copy. Now, right-click in the clear space to the right of the Hosts file and select paste. At the bottom of the file list, there should now be a file named "Copy of Hosts" (or "Copy (2) of Hosts" if this is the second time you are doing this).
The backup is no danger to your computer because the name is changed. Keep it on your computer for at least one month, just in case you need to refer back to it.
2. Examine your Hosts file.
Download HostsXpert (free easy tool for viewing and editing the HOSTS file)
* Extract (that is, decompress or unzip) all the contents of HostsXpert.zip to your desktop. This will create a folder called HostsXpert. To run the program, open the HostsXpert folder and double-click on the file HostsXpert.exe
Click the "BackUp Hosts File" button.
The contents of the Hosts file appear in the window on the left. You will be able to edit, remove unwanted lines and save the Hosts file with HostsXpert. But don't change anything until you get to step 6. First, you have to analyze what is there now.
3. Analyze the Hosts file.
The Hosts file consists of lines with up to 3 parts:
a) The IP address to direct messages for a domain to
b) The domain name
c) Anything after "#" on a line is a comment for people, and the computer will ignore it.
Here is a sample Hosts file:
3.1 "127.0.0.1 localhost" is in every Hosts file. It merely tells the computer to send messages for other parts of the same computer (the local host) to the "loop back" address 127.0.0.1. In a new default installation of Windows, this is the only line in the Hosts file that is not a comment.
3.2 The line that reads "127.0.0.1 abcsearch.com" was added by anti-spyware or anti-tracking software. Since the anti-spyware mentioned in the comment is installed on the computer, this is not unexpected.
Before sending messages to abcsearch.com, the computer would check the Hosts file and see that it should send the messages to IP address 127.0.0.1, which loops back to the computer itself, which, in turn, will ignore the messages. In this way, messages to abcsearch.com are blocked from ever getting there.
3.3 The line that reads "188.8.131.52 aardvark.com" was added to make access to aardvark.com faster. The computer won't have to look up the IP address of aardvark.com on a DNS because when it first checks the Hosts file, it sees it should send messages for aardvark.com to 184.108.40.206.
The Hosts file is rarely used to speed access anymore, because of the problems with keeping it up to date as domains move from one IP address to another and because DNS servers are usually very fast now. DNS servers are updated automatically. The host file has to be updated manually.
3.4 The line that reads "220.127.116.11 emeraldcs.com" was added when Emerald's clock software was added, so that customer computers enter their site using a different IP address than non-customer computers.
This is invisible to Emerald's customers unless they check the Hosts file. To determine that the entry was put there legitimately, one would have to ask someone else who also ran Emerald's software and had a clean machine to check their Hosts file; or check the FAQs and forums on Emerald's website; or email Emerald's technical support. (Because your email goes to an email server first, and not directly to Emerald, you can still contact Emerald using your ISP's email or a web-based email like Hotmail.)
3.5 The lines that read "127.0.0.1 kaspersky.com," "127.0.0.1 mcafee.com" and "127.0.0.1 symantec.com" were added by malware in an attempt to prevent the computer from communicating with anti-virus companies and getting anti-virus information and database updates from them.
When the program that updates Symantec's anti-virus database tries to contact the Symantec Internet site, the computer will read the Hosts file and find the line saying to use IP address 127.0.0.1 to reach Symantec. Therefore communications with Symantec and the other anti-virus companies listed will fail.
If there are lines for many anti-virus, anti-trojan and firewall companies in your Hosts file, it is a pretty safe guess that they were put there by malware or a hacker. To solve the immediate problem, you will delete the unwanted lines and save the Hosts file.
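The step 3 analysis applied by a script, as an added example that is not part of the original FAQ: it splits each Hosts line into the three parts described above, sorts entries into the categories 3.1 to 3.5 discuss (the localhost line, domains nulled by anti-spyware, security-vendor domains nulled by malware, names pinned to some other address), and implements the step 5 fallback of keeping only comments and the localhost line. The sample Hosts file, the vendor watch-list and the 192.0.2.x addresses are constructed for this example.

```python
"""Classify Hosts file entries the way step 3 above does, and apply the
step 5 fallback clean-up.  Added example, not part of the original FAQ."""
import ipaddress
from typing import Dict, List, Optional

# Constructed watch-list for this example: update domains of the security
# products named in 3.5.  Extend it with the vendors whose products you run.
SECURITY_VENDOR_DOMAINS = {"kaspersky.com", "mcafee.com", "symantec.com"}

# Constructed sample Hosts file modelled on the lines described in 3.1-3.5.
# The 192.0.2.x addresses are from the documentation range, not real servers.
SAMPLE_HOSTS = """\
# constructed sample Hosts file, not copied from any real machine
127.0.0.1       localhost
127.0.0.1       abcsearch.com        # added by anti-spyware to block tracking
192.0.2.10      aardvark.com         # pinned to skip the DNS lookup (3.3)
192.0.2.20      emeraldcs.com        # customer entry point (3.4)
127.0.0.1       kaspersky.com
127.0.0.1       mcafee.com
127.0.0.1       symantec.com
0.0.0.0         liveupdate.symantec.com
"""


def parse_line(raw: str, lineno: int) -> Optional[Dict]:
    """Split one Hosts line into ip, host names and comment; None if empty."""
    body, _, comment = raw.partition("#")
    fields = body.split()
    if not fields:
        return None  # blank or comment-only line, ignored by the resolver
    return {"line": lineno, "ip": fields[0], "names": fields[1:],
            "comment": comment.strip()}


def parse_hosts(text: str) -> List[Dict]:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = parse_line(raw, lineno)
        if entry:
            entries.append(entry)
    return entries


def is_vendor(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)


def classify(entry: Dict) -> str:
    """Return one of: localhost, blocked, suspicious, custom, malformed."""
    names = [n.lower().rstrip(".") for n in entry["names"]]
    try:
        addr = ipaddress.ip_address(entry["ip"])
    except ValueError:
        return "malformed"  # first field is not an IP address at all
    # 127.0.0.1 and 0.0.0.0 both make the name unreachable (3.1, 3.2, 3.5)
    if addr.is_loopback or addr.is_unspecified:
        if names == ["localhost"]:
            return "localhost"    # the one line every Hosts file needs
        if any(is_vendor(n) for n in names):
            return "suspicious"   # update servers nulled out: the malware pattern
        return "blocked"          # tracking/ad domain nulled by anti-spyware
    return "custom"               # name pinned to some other address (3.3, 3.4)


def report(text: str) -> Dict[str, List[str]]:
    """Group host names by classification, in file order."""
    grouped: Dict[str, List[str]] = {}
    for entry in parse_hosts(text):
        grouped.setdefault(classify(entry), []).extend(entry["names"])
    return grouped


def suspicious_lines(text: str) -> List[int]:
    """Line numbers of the entries that 3.5 says to delete."""
    return [e["line"] for e in parse_hosts(text) if classify(e) == "suspicious"]


def conservative_clean(text: str) -> str:
    """Step 5 fallback: keep only comment lines and the localhost line."""
    kept = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = parse_line(raw, lineno)
        if entry is None or classify(entry) == "localhost":
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for category, names in report(SAMPLE_HOSTS).items():
        print(f"{category:10s} {', '.join(names)}")
    print("lines to delete:", suspicious_lines(SAMPLE_HOSTS))
```

The "custom" entries are the ones step 3.4 says you have to check by other means; the script can only tell you they are there, not whether they are legitimate.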
If your Hosts file looks okay, then you are done here. The problem has a different cause. Try following the investigation steps here instead: Click here.
4. If you need help cleaning your Hosts file, post the Hosts file in a new topic in the BBR Security Forum.
5. Make the desired changes to the Hosts file using the HostsXpert utility and save the changed file.
(Caution: Only use HostsXpert utility or notepad.exe to edit the Hosts file. The file has to be in text format, not word processor format.)
If you aren't sure what to do, after you have done "Backup Hosts File," remove all the lines that do not begin with a "#" except for the line "127.0.0.1 localhost." If it makes things worse, click "Restore Backup Hosts File."
Once the Hosts file is saved, you can optionally go into Windows Explorer and navigate to the file again, right-click on it, select Properties, select the "Read Only" attribute and click OK (or click the "Make Hosts File ReadOnly" button in HostsXpert).
If you have problems, you can go to the Hosts file with Windows Explorer, delete the Hosts file and rename "Copy of Hosts" to "Hosts."
(Few computers actually make any use of the Hosts file and almost all will work perfectly fine without one. The extra steps in here are in case your computer is one of the few that needs one.)
6. Check your computer for the cause of the Hosts file hijacking.
Hosts file hijacking is the simplest problem you can have, unless whatever did the hijacking is still on your system. So, once you have fixed the hosts file, it is important to follow the steps here: Click here since you may have a virus or trojan.
7. Take action to secure your computer so it doesn't happen again: click here.
For more on using the Hosts file, please check the BBR Security FAQ: What is a HOSTS file and where can I get one?
Edit 19 Nov 2008 by CalamityJane: Updated HostsXpert link.
Edit 30 July 2008 by CalamityJane: Hoster is now HostsXpert. Updated links and directions.
Edit 11 Jul 2005 by CalamityJane: Updated download link for Hoster program
1. Be suspicious of the browser window used to enter payment information.
- Most, if not all, legitimate businesses use SSL encryption and have a "lock" symbol either in the browser address or on the bottom of the browser.
- A URL for a secure website will begin https:// instead of http://.
2. Be informed: research the company's background history at Resellerratings.com or at Bizrate.com
- It is better to find out beforehand that a company is bad than to order and never receive the item or have it arrive very late.
3. What about credit or debit cards?
- Most, if not all, credit cards offer fraud protection from unauthorized charges in the form of fraud "chargeback" protection.
(A chargeback is where the card issuer, such as a bank, will take the money back from that company in addition to a fee for processing the chargeback.)
4. Protection for debit cards (check cards)
- It depends on the card issuer.
Some banks, such as Citibank »www.citibank.com/us/cards/tour/c···_van.htm, offer the ability to generate a one-time use number for purchases.
Visa cards: debit (check cards) & others
- Most banks/credit unions issue these and usually offer some protection.
- Please inquire with your card issuer for additional information.
Visa has a "zero liability" policy available here: »www.usa.visa.com/personal/securi···ity.html
It applies to both credit and debit cards.
Most credit/debit card issuers may call you in case of "suspicious" activity, such as making several expensive purchases or if the expensive item is to be shipped to a third world country such as Nigeria.
Author's note: This FAQ originated from this thread »purchasing online
LQfix (free tool) is used for the latest variants of EliteBar, including the pokapoka strains.
You can download it here: users.pandora.be/bluepatchy/miekiemoes/tools/LQfix.exe
1. Download it to your desktop.
2. Double-click LQfix.exe and click install.
3. Leave the default settings. If you change them, the fix will fail.
4. Make sure "Launch LQfix" is checked. After clicking finish in the install, the fix will start.
Follow the prompts on the screen. Your system will reboot afterwards.
Your system may take longer than usual to start up this one time; please be patient.
The free version of Ewido Security Suite can also safely remove most of the variants of pokapoka and EliteBar: »www.ewido.net/en/download/
»Security Cleanup FAQ »Trojan Vundo/Virtumonde/Winfixer Removal
Edit 22 Dec 2007 by CalamityJane: referral to link in SecurityCleanup Forum with updated links.
Edit 27 Jan 2006 by CalamityJane: Added Important note about updating Sun Java and removing older vulnerable versions
Edit 18 Jan 2006 by CalamityJane: Updated for new v.4 VundoFix by Atribune
»Security Cleanup FAQ »Screenshots of Desktop Hijack
Removal instructions can be found here:
»Security Cleanup FAQ »Zlob/Smitfraud Removal
Common sense will go a long way in protecting yourself.
But there's more to common sense than not opening an email attachment from an unknown person or email address.
What about your friends who email you every week and sometimes include picture or zip file attachments? Do you just open the attachment, or do you scan it first? If you just open it, then you could easily be infected by a mass mailing worm. Do you scan it?
Saving and scanning email attachments before opening them is a great habit to get into, but sometimes the virus is new, or the program is a custom Trojan, and the scanner passes it.
What happens then is that your anti-virus scanner fails to see the attachment as a virus, Trojan or keylogger. You open it, and you infect yourself with a keylogger named something like wedding.scr, for example.
Why would you not open wedding.scr if one of your friends recently had a wedding? So you click it, and instead of a screen saver you get an infection.
So how do you protect yourself against such things?
The answer is very simple: You set up a rule for your friends and family on sending attachments.
You will not open any email attachment unless one of the following happens first:
1. They send you a separate email without an attachment stating that they just sent you a file and giving you the file's name. No email and you don't open that file no matter how legitimate it sounds.
2. Same as above, but by phone call.
Even with this precaution in place, you should still save and scan attached files before opening them.
This question is commonly asked because of concerns about privacy or communicating anonymously. Armed with your IP address, a remote server can match it with a geographic location, or a person or organization can ask your ISP (Internet service provider) for information about which subscriber was assigned that address at the time of your activity.
Before answering the question, let's consider the role of IP addresses. An Internet Protocol address is a number that uniquely identifies any device on the Internet. When you contact a remote server, by clicking on a link on a web page for example, you're making your computer request some data from the server. Just as your computer knows where to send your request by the server's IP address, similarly, the server must use your IP address to send an answer back to you.
In this respect, IP addresses are like addresses on postal mail. If you don't include any return address on a letter, or when ordering from a mail-order merchant, the correspondent or merchant will have no way to get an answer back to you or send you your item. Or, if you use a false return address, the reply will go there instead of to you. Thus, while it is possible to falsify the IP address on your packets, you're unlikely to have any use for such a hack.
You can hide your IP address. In the physical world, you can have a package sent to a friend and then pick it up from him/her, concealing your address from the sender. Likewise, on the Internet, you can use a proxy, i.e. relay your communications through another device. Then, from the remote computer's point of view, the request comes from the IP address of the proxy, and it sends the response there and does not "see" your computer's IP address, but the proxy relays the responses to you.
You can find a proxy server available for use, either free or by subscription, by using your favorite web search page. To use a proxy server for web surfing, you would enter its address in the appropriate box in your browser's settings. Then, any remote computers you connect to will see the proxy's IP address instead of yours.
The problem with this from a privacy point of view is whether you can "trust" the proxy. Your ISP will be recording the fact that you connect to the proxy's address, and the proxy server itself can log your activities. Also note that free proxies are usually not intended for use with high-bandwidth traffic such as video or music.
Another way to be untraceable online is to use an open wireless access point where you don't have to log in. These are rarely offered intentionally, however. To stay within the law, and ethics, you must not make use of someone else's Internet connection without their permission.
If your purpose is to participate in file sharing without getting in trouble for copyright infringement, concealing your IP address is unlikely to be a realistic approach. You will have to look at file sharing sites for more information on that topic.
If you want to hide your IP address to evade a ban at a forum, or to do something illegal, please reconsider your activities instead of seeking help here. If your purpose is to communicate without being subjected to political persecution, look into Tor, which amounts to a trustworthy proxy for this purpose. If your concern is to avoid being tracked from site to site by advertisers, you can counter such tricks by refusing cookies, scripts and images from certain sites.
For example, your computer may be:
(a) Hijacked by hackers, a hidden file server is installed without your permission, and then illegal content is downloaded onto this server. You are then in a position of "hosting" seriously illegal content.
(b) Hijacked by hackers and hidden chat/chatroom server software is installed. You could then be in a position of having a computer that is aiding the commission of seriously illegal activities and conspiracies to commit serious crimes.
(c) Infected by a spam relay trojan/worm. You are then in a position where it appears that spam promoting child pornography is originating from your computer.
Whether the situation results from negligence on your part in failing to adequately secure your computer, or from very skillful hacking, you have a serious concern.
In situations (a) and (b) above, you or your organization will probably want to contact your local police before taking any action to clean the computer. Cleaning the computer would likely destroy any evidence that points to the actual criminals.
Situation (c) is more common. When ISPs discover your computer is a source of spam they will blacklist it, and then it will no longer be of any use to spammers. The spammers will move on. There is generally very little likelihood that your computer will contain any useful evidence for police. So you may decide to simply clean your computer of the worm or trojan. The decision is yours.
2. You may have received e-mail or accidentally stumbled across a website, chat room, forum or file server site where child abuse or child pornography is occurring or being organized, and you want to know what to do about it.
Online child abuse includes: (a) searching for, sharing and downloading images of children being physically and sexually abused and (b) grooming children in chat rooms, for example, with the intention of committing sexual abuse both online and off.
Because these crimes usually cross international borders, the solution is international cooperation by law enforcement agencies.
A single point of contact website has been set up here for this purpose for all participating countries:
Look for the link to file a report. Then look for the link for your country.
In the USA, you can report child pornography and child abuse through the National Center for Missing and Exploited Children here: »www.missingkids.com/
You can also report child pornography websites to the Association of Sites Advocating Child Protection (ASACP) here: »asacp.org/report.php
To report fraud or attempted fraud of any kind, follow the instructions here:
2006-11-11 Added links to the NCMEC and ASACP. Thanks EGeezer and Cundi for the suggestion.
A. How do I respond to possible identity theft, or to someone stealing my credit card or bank account number?
B. How do I report Internet fraud, drive-by installs, hijacking, viruses, malware, theft of computer services or theft of telecommunications services?
C. How do I prevent identity theft and Internet fraud?
D. Other links
E. Phishing email (a type of scam email) is covered in the FAQ here »Security »Scam Email: What is Phishing? What do I do about it?
A. How do I respond to possible identity theft, or to someone stealing my credit card or bank account number?
Immediate action is important.
1. If a criminal may have your credit card number, use the credit card issuing company's 24/7 phone number to report the card "stolen" right now, day or night. Once that is done, return here to follow the other reporting steps.
In most jurisdictions, by reporting a credit card or card number as stolen as soon as you realize it has been stolen, you limit your liability for charges made on it.
2. Minimize the time the criminal has to work, so that the damage to your credit and the effort to restore your credit are minimized. Follow the other reporting steps promptly, no later than the morning of the next business day.
Different countries have different reporting steps, and these are given at the websites below. Generally, they involve:
(a) Contacting all of your country's central credit bureaus to place a "fraud alert" on your credit file.
(b) Closing any account that you know has been tampered with. This includes confirming that the credit cards or card numbers reported stolen in step 1 have been canceled and new cards with new numbers issued.
(c) If your checks or checking account numbers have been stolen, close the account and ask your bank to notify the appropriate check verification service.
(d) Filing a written report with your local police.
(e) Filing a report with central/federal agencies.
USA: FTC ID Theft Input Form
Do NOT wait for credit companies to phone you.
Do NOT wait for your monthly statements.
(f) If/when you later receive monthly statements for accounts you did not open, promptly follow the instructions for your country to notify those companies that you did not open the account. Print out and complete an Identity Theft Affidavit for each company using these forms:
US 'ID Theft' and 'Fraudulent Account Statement' Affidavits
Canada 'ID Theft' and 'Statement of Unauthorized Account Activity' Affidavits
These affidavits can be adapted for use in many other countries.
3. For possible identity theft, immediately follow the instructions on the web page for the country you reside in:
USA: FTC www.consumer.gov/idtheft/
B. How do I report Internet fraud, drive-by installs, hijacking, viruses, malware, theft of computer services or theft of telecommunications services?
1. If you are certain of the country the criminals reside in, use the website for that country. Otherwise, use the website for your own country.
For economic crimes, like computer crime, the total amount of damage caused to victims is used to prioritize investigations and to determine sentencing. Be certain to mention any damages (economic loss, time wasted, etc.) due to the crime.
USA: DHS (virus, malware and hijacking type crimes) »forms.us-cert.gov/report/index.php
USA: FBI (fraud and theft type crimes) »www.ic3.gov/
You can also use those links to report websites that you strongly suspect are being used to commit these sorts of crime.
There are more reporting links here:
2. If you have lost money, or suffered possible identity theft, make a report to your local police.
When you file a police report, to later complete the ID Theft Affidavits you will need the Officer's name, badge number, phone number, police force name, report number and report date. Ask if you can have a copy of the report to attach to the ID Theft Affidavits for your creditors and others.
Do not use any compromised or hacked computers, especially not to check on your accounts, until you are certain they have been cleaned of any trojans and keystroke loggers.
C. How do I prevent identity theft and Internet fraud?
* At merchant sites, pay by credit card only.
- There is legislation limiting your liability in the event your credit card number is stolen.
- This legislation does not limit your liability for debit cards, bank accounts or other payment accounts and methods.
- However, you can safely use your bank's website to pay bills.
* Sign all credit cards when you receive them.
* Never loan your credit cards to anyone.
* Cancel credit cards you do not use.
* Immediately report lost or stolen credit cards, and any discrepancies in your monthly statements, to the credit card issuing company.
* Never leave receipts at bank machines, on counters or at unattended gasoline pumps; ensure you destroy paperwork you no longer need.
* Never provide personal information such as Social Security Number (Social Insurance Number in Canada), date of birth, credit card numbers or PIN over the telephone unless you initiate the call.
* Promptly remove mail from your mailbox. Do not leave mail lying around your residence or work.
* Shred or destroy pre-approved credit card applications, credit card receipts, bills and similar papers when no longer needed.
* Avoid keeping a written record of your bank PIN(s) and computer passwords, and never keep this information in your wallet or hand bag.
* Memorize your SSN. Take your SSN card out of your wallet and store it in a safe place at home.
* Avoid mail or telephone solicitations disguised as promotions or surveys offering instant prizes or awards. Sometimes these are designed merely to obtain your personal details.
* Be aware that telephone caller-id information can be faked/spoofed.
* Follow the steps to resist the Internet identity theft technique "phishing": What is Phishing? What do I do about it? In particular, expect that any legitimate email about your accounts will include your name, account number and other details.
D. Other links:
* What is Phishing? What do I do about it?
* I think my computer is infected or hijacked. What should I do?
* How do I avoid online Credit/Debit card fraud?
* Anti-Phishing Working Group
* Cyber Criminals Most Wanted LLC
* Department of Justice Computer Crime and Intellectual Property Section (US)
* Privacy Rights Clearing House (US, but fact sheet 17A is useful for anyone anywhere)
* Privacy Rights Clearing House: How to prevent identity theft (US, but useful for anyone anywhere)
* ID Theft: When Bad Things Happen to Your Good Name (US FTC)
* Identity Theft Q&A Government of Canada
* Identity Theft Consumer Advice Government of Australia
* ScamWatch New Zealand
(If you know the URL for a central website for identity theft or Internet fraud complaints in other countries where BBR members live, please let Keith2468 know by Instant Message.)
2006-01-02 by Keith2468
Updated US government reporting links.
01 July 2005
Added UK links.
28 May 2005
Added link to Crimes-of-Persuasion.com.
25 Apr 2005
Be aware that telephone caller-id information can be faked.
25 Feb 2005
Added "C. How do I prevent identity theft and Internet fraud?"
A. What is Phishing?
B. How You Can Protect Yourself From Phishing.
C. What To Do If You Gave Information To A Phishing Site.
D. What Can You Do About Phishmail? Report it!
E. Examples of Actual Phishing Emails and Websites.
A. What is Phishing?
Phishing involves using email and websites that impersonate the email and websites of organizations the target victim already deals with. The goal is to gather information in order to impersonate the target victim while committing a crime.
The impersonating email ("phishing email" or "phish-mail") lures target victims to the impersonating website ("phishing site" or "phish-site").
At the phishing site, target victims are asked to divulge confidential information such as their account name or number, password, mailing address, credit card number, social security number, mother's maiden name and so on.
The information obtained may be used to impersonate the victim while committing fraud, identity theft, theft of services, spamming, corporate espionage and other crimes.
1. Conventional phishing involves sending mass amounts of unpersonalized phishing email. The small percentage of phishing email recipients who already deal with the impersonated organization are the target victims.
2. Targeted phishing ("spear-phishing") involves sending the target victim a personalized email. At the phishing site, the target may be greeted by name.
The inclusion of a few personal details in a targeted phishing email, and on the targeted phishing site, greatly increases the likelihood that the target can be lured into divulging additional confidential information.
B. How You Can Protect Yourself From Phishing
No web browser or email tool provides total protection against phishing because phishing relies on fooling people.
1. Be suspicious of any urgent requests.
Phishing email will try to convey a sense of urgency so that you will act before you think. Common techniques are to say that your account will be frozen, terminated or billed unless you take immediate action.
2. Be suspicious of unpersonalized email concerning an existing account.
However, personalization does not guarantee email is legitimate. Targeted phishing uses personalized email.
3. Avoid filling out forms in emails. The security of email is low.
4. If an email or postal letter asks you to visit your account, visit your account the way you normally would. Open your web browser and click on the "Favorite" or "Bookmark" that you normally use to access your account.
Do not click on or type a URL (web address) in an email or postal letter.
5. Only enter confidential information on web pages that appear secure.
(a) If a pop-up appears saying that the certificate for a website was issued by an untrusted authority, click "no" to the question asking if you want to trust the certificate or the site. Do not trust untrusted authorities.
(b) In the URL box, it will say https instead of http.
(c) With the Firefox browser, the URL will change color.
(d) Make sure the domain name in the URL is what you expect.
Even though these domain names look similar, they are all different domain names that could be owned by different phishers:
www.worthybankllc .com (a non-displayable character follows the "llc")
www.vvorthybankllc.com ("vv" replaces "w")
www.w0rthybankllc.com (the digit "0" replaces the second letter "O")
www.worthbank11c.com (the digit "1" replaces the letter "l")
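As an added example (not part of the original FAQ), here is a small Python check that applies the lookalike tests above to a link before it is trusted: it strips hidden characters, undoes the "vv", "0" and "1" substitutions, and also catches a near-miss such as a dropped letter. The expected bank domain, the confusable table and the sample links are assumptions chosen for illustration.

```python
# Added example (not from the original FAQ): flag links whose host merely looks like
# the domain you expect. The expected host and the confusable table are assumptions.
import re
import unicodedata

# Substitutions phishers use for look-alike letters, mapped to the letter imitated:
# "vv" for "w", "0" for "o", "1" for "l" (from the FAQ list); "rn" for "m" is a common extra.
CONFUSABLES = {"vv": "w", "rn": "m", "0": "o", "1": "l"}

# Optional scheme, then the host up to the first ":", "/", "?" or "#".
HOST_RE = re.compile(r"^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://)?(?P<host>[^/?#:]+)", re.IGNORECASE)


def normalize_host(host: str) -> str:
    """Fold a host name to the form a human would read it as.

    Compatibility characters are mapped to ASCII, hidden/non-ASCII characters are
    dropped (this removes the "non-displayable character" trick), and the
    confusable substitutions are undone.
    """
    folded = unicodedata.normalize("NFKC", host).lower()
    folded = "".join(c for c in folded if c.isascii() and (c.isalnum() or c in ".-"))
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-misses such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[len(b)]


def check_link(url: str, expected_host: str) -> dict:
    """Classify a link as 'ok', 'insecure', 'lookalike' or 'mismatch' for expected_host.

    Only 'ok' (the exact host over https) should be trusted; every other verdict
    carries reasons a user can read back.
    """
    match = HOST_RE.match(url.strip())
    if not match:
        return {"verdict": "mismatch", "host": "", "reasons": ["no host name found"]}
    scheme = (match.group("scheme") or "").lower()
    host = match.group("host")
    expected = expected_host.lower()
    reasons = []
    if any(not (c.isascii() and c.isprintable()) for c in host):
        reasons.append("host contains hidden or non-ASCII characters")
    if scheme != "https":
        reasons.append("link is not https")
    if host.lower() == expected:
        verdict = "ok" if not reasons else "insecure"
    else:
        seen, wanted = normalize_host(host), normalize_host(expected)
        if seen == wanted or edit_distance(seen, wanted) <= 2:
            reasons.append(f"looks like {expected} but is a different domain")
            verdict = "lookalike"
        else:
            reasons.append(f"host is not {expected}")
            verdict = "mismatch"
    return {"verdict": verdict, "host": host, "reasons": reasons}


if __name__ == "__main__":
    EXPECTED = "www.worthybankllc.com"  # the bank you actually deal with (constructed)
    for link in ["https://www.worthybankllc.com/login",
                 "http://www.worthybankllc.com/login",
                 "https://www.worthybankllc\u200b.com/",  # zero-width space after "llc"
                 "https://www.vvorthybankllc.com/",
                 "https://www.w0rthybankllc.com/",
                 "https://www.worthbank11c.com/",
                 "https://www.example.org/"]:
        result = check_link(link, EXPECTED)
        print(f"{result['verdict']:9} {link}  {'; '.join(result['reasons'])}")
```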
(e) At the bottom of the window frame you would be entering your information on, look for a padlock (lock). You are looking for a padlock in the window frame itself. Padlocks and security seals on the web page mean nothing.
Double-click the padlock icon in the browser window frame. A security certificate will pop up. On the "General" tab of the certificate, verify that the domain and company name are what you expect.
* In MSIE (MS Internet Explorer), right-click on the web page you would enter your information on, and select "Properties." Or, from the "File" pull-down menu (at the top of the page), select "Properties." On the Properties pop-up, you can examine the domain name and the security certificate.
* In Firefox, right-click on the web page you would enter your information on and select "View Page Info." Here you can examine the domain name and the security certificate.
6. Do not depend on spelling mistakes or grammar to spot phishing websites.
The phisher may flawlessly copy the wording, styles, graphics, animation and favicon (the icon to the left of the URL in the URL box of your web browser) from the organization's real site.
7. After the victim has entered the information requested, the victim may be smoothly linked from the phishing site to the impersonated organization's real site.
If an account name and password were entered on the phishing site, the phishing site may even sign the victim onto the impersonated organization's real site.
Even if the victim is suspicious at this point, all they see is the organization's real site. There is no clue that confidential information was just stolen.
8. If something doesn't quite appear correct, telephone the organization using the phone number on a recent account statement or the phone number in the telephone book. (Directory assistance for the 800 area code is 1-800-555-1212.)
Then, click here for instructions on how to report phishing email.
9. Add one of these anti-phishing tools to your web browser:
Click to download Netcraft Toolbar.
Be sure to read the tutorial on how to recognize a phishing site using the tool.
Click to download EarthLink Toolbar.
Click to download SpoofStick
10. Only use credit cards to make online purchases. Most jurisdictions have legislation to limit consumer liability from fraudulent credit card use. Similar protective legislation does not exist for checking accounts or debit cards.
11. Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate. If anything is suspicious, contact your bank and all card issuers immediately.
Some companies offer an option to send an email or cell phone text message within a few minutes of account activity occurring. Check with your bank and credit card company to see if they offer this service.
The more time crooks have to use your personal information, the longer it will take you to clean up the mess they create.
12. If you work for a company that has a website that may be phished, register with PhishRegistry.org. This free service of CipherTrust will email your company a report if it detects elements of your logon pages elsewhere on the Internet.
13. Keep your personal information personal. Phishers may seek personal information for targeted phishing by:
a) Searching the Internet for the target's name and email address.
b) Searching the target's garbage for discarded credit card slips, financial statements, pay slips, magazines and paperwork.
c) Searching a garbage dump, looking for papers containing personal information, and selecting a target based on what they find.
14. To further reduce your exposure to targeted phishing:
(a) Use a different form of your name for business than you use casually. For example, if you normally go by "Keith Smith," use "Keith A. Smith" or "Keith Adam Smith" for business.
(b) Only use nicknames when posting in forums and newsgroups.
(c) Use at least 3 separate email addresses: a different address for work, for personal business and for casual use.
(d) Shred old bills, credit card statements and other paper work, before you discard them.
15. Before disclosing personal information on the telephone, make sure that it is you who dialed the telephone call.
Telephone Caller ID information can be faked.
If they phoned you, take down the caller's name and phone number and extension. Use the phone number on a recent statement or in the phone book to call the company back and then ask for that person.
There are illustrated and explained examples of actual phishing pages and emails in the links in Part E below.
C. What To Do If You Gave Information To A Phishing Site:
1. If you have disclosed personal information to a phishing site you may become a victim of identity theft.
The more time crooks have to play with your personal information, the longer it will take you to clean up the mess.
Reporting identity theft early reduces the amount of work you'll have to do later to restore your credit. Do not wait for credit companies to contact you. Do not wait for monthly statements.
If you gave out a credit card number, call the issuing company's 24/7 phone number to report the card number as stolen right now. Do this now, before reading further. (If you gave out a debit card number or checking account number, contact your bank.)
Carry out the remaining credit protection steps no later than the next business day. The credit protection steps are here: What Do I Do About Possible Identity Theft?
2. Immediately change the passwords of any accounts whose passwords you disclosed.
Notify the organizations concerned that the earlier passwords had been disclosed on a phishing site, and ask if there has been any abnormal account activity.
3. If you merely visited a phishing site, you should scan your computer for malware that may have been downloaded through your web browser ("drive-by downloading").
a) Update your anti-virus software and run a virus scan of your computer.
b) Run the Ad-aware step here.
D. What Can You Do About Phishing? Report it!
Promptly report attempted and suspected phishing. It only takes a minute to report suspected phishing email.
Trained investigators will determine if the email or website is an actual attempt at crime. Merely visiting a phishing website can lead to malware being loaded onto your computer without your permission. Leave the investigation to the experts.
1. Report the suspected phishing email by simply forwarding the email as an attachment.
Forwarding the phishing email as an attachment allows semi-automated processing to eliminate duplicate reports, and it preserves the internal email headers needed to trace back the actual source of the email.
Do not add a subject line or comments; just forward the email as an attachment.
- For Outlook Express: Go to the inbox, right-click on the phishing email in the email selection list and select "Forward as Attachment."
- For Outlook or Netscape: Create a new email. Drag and drop the phishing email on the new email (with Netscape, drop it in the attachment area).
- Instructions for revealing the full header information of an email in other email tools are here: Spamcop.net: How do I get my email program to reveal the full, unmodified email? Follow the instructions for "web submission", but paste the full unmodified email into a new email instead.
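As an added example (not part of the original FAQ), the following Python script shows why forwarding as an attachment matters: it builds both kinds of forward from a constructed phishing message and then shows what a report handler can recover from each. The message, addresses and hosts are constructed placeholders; the reporting address is a stand-in for the addresses the FAQ lists.

```python
# Added example (not from the original FAQ): inline forward vs. forward as attachment.
# PHISH_RAW is a constructed sample; hosts and addresses are documentation placeholders.
from email import message_from_string, policy
from email.message import EmailMessage

PHISH_RAW = """\
Received: from mail.relay.example (mail.relay.example [192.0.2.10])
    by mx.isp.example (Postfix) with ESMTP id ABC123
    for <victim@example.com>; Mon, 30 Jan 2006 10:00:00 -0500
Received: from [198.51.100.23] (unknown [198.51.100.23])
    by mail.relay.example with SMTP; Mon, 30 Jan 2006 09:59:50 -0500
From: "Worthy Bank Security" <security@worthybankllc.example>
To: victim@example.com
Subject: Urgent: your account will be frozen
Message-ID: <20060130.1234@worthybankllc.example>
Content-Type: text/plain; charset="us-ascii"

Verify your account within 24 hours at http://www.vvorthybankllc.com/verify
"""

REPORT_TO = "phishing-reports@example.net"  # placeholder for the reporting addresses


def forward_inline(raw: str, sender: str) -> EmailMessage:
    """An ordinary forward: only the visible text is copied, so the Received
    chain that shows where the mail really came from is lost."""
    original = message_from_string(raw, policy=policy.default)
    fwd = EmailMessage()
    fwd["From"] = sender
    fwd["To"] = REPORT_TO
    fwd["Subject"] = "Fwd: " + original["Subject"]
    fwd.set_content(
        "-----Original Message-----\n"
        f"From: {original['From']}\nSubject: {original['Subject']}\n\n"
        + original.get_content()
    )
    return fwd


def forward_as_attachment(raw: str, sender: str) -> EmailMessage:
    """Forward as attachment: the original message, headers included, travels
    as a message/rfc822 part. No subject line or comment is added."""
    original = message_from_string(raw, policy=policy.default)
    fwd = EmailMessage()
    fwd["From"] = sender
    fwd["To"] = REPORT_TO
    fwd.add_attachment(original)  # a Message object becomes a message/rfc822 attachment
    return fwd


def received_chain(report_raw: str) -> list:
    """What a report handler can recover: the Received headers of every attached
    original message, in header order (the hop nearest the victim comes first)."""
    report = message_from_string(report_raw, policy=policy.default)
    chain = []
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)
            chain.extend(str(h) for h in original.get_all("Received", []))
    return chain


if __name__ == "__main__":
    me = "victim@example.com"
    print("inline forward  :", received_chain(forward_inline(PHISH_RAW, me).as_string()))
    print("attached forward:", received_chain(forward_as_attachment(PHISH_RAW, me).as_string()))
```

The inline forward yields nothing usable, while the attached copy still carries both Received hops, including the submitting address in the bottom hop.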
2. Cut and paste this set of email addresses into the TO: box of your email.
- or, with commas -
3. Send the email.
4. Forward the email to the DSLR PhishTracker. Your personal DSLR PhishTracker contact email address is at the top of this page (at the end of the line that begins "Got Phish??")
E. Examples of Actual Phishing Emails and Websites
Illustrated examples of phishing are here:
Note that many examples display fluent business English, flawless graphics and professional layouts.
BBR ScamBusters Forum
Why Phishing Works
How to Secure (and Keep Secure) My (New) Computer(s): A Layered Approach
I think my computer is infected or hijacked. What should I do?
Webopedia Encyclopedia of Computer Terminology
2006-06-07 by Keith2468
2006-03-31 by Keith2468
- Added link to CipherTrust's free service "PhishRegistry.org."
2006-03-18 by Keith2468
- Added suggestions on avoiding targeted phishing.
2006-03-12 by Keith2468
- Added link to millersmiles.co.uk for examples.
2006-01-30 by Keith2468
- Added link to the DSLR PhishTracker.
2006-01-02 by Keith2468
- Replaced email@example.com with firstname.lastname@example.org in the mailing list.
Apr 28, 2005
- Added note that telephone caller ID information can be faked.
Feb 5, 2005
- Added instructions on site certificates.
Dec 30, 2004:
- Added Netcraft anti-phishing tool links.
- Clarified that no browser or email tool provides total protection against phishing.