Sunday 27 July 2008

Adventures with Windows security

Windows security really drives me nuts... The whole thing. It's not that it should be easier, only it shouldn't be impossible, and this unnerving.

I had to reinstall my Windows XP recently, due to a failed hard drive. I could use a back-up but it was pretty slow recently (but no other problems), so I thought, give it a fresh start. Of course Acer didn't supply any install CDs with my computer, so let's download one from the Web and use that shiny, holographic, temper proof Windows XP(TM) serial number, attached to my laptop case with superglue (i think). Yeah, right, of course the install CD told me that it is an invalid code... So here you go, I have a code but I'm a pirate, forced to use some knock off code again from the web, and we are not at security yet....

Where I was, is a fresh new install, pulling down all he necessary software updates, new Firefox, and let's get started with digging the trenches against the invading forces...

Firewall, I need one for sure... I ended up having COMODO Firewall Pro, which is free for personal use. I had two previous generations of this program (one still on Win98, and one on the previous install), and I was glad to see, that they made some effort and it loos much better now, more logical - even if the amount of possible settings could make your head spin...

One thing was different - included "Proactive Defence". What it does is checking every single operation that any and all running software does, against some malware blocking criteria, or such. In the end, it is just prompting you 10 times a minute, that:
"XYzw.dll" is trying to use "AbCD.com" for an unidentified purpose. If you thing it is a safe operation, click authorise.
Or:
"Blabla_Nice_Program.exe" is modifying the registry entry "HKLM/Software/Run/Currentrun/OMG/BBQ/WTF/", do you authorise? Well, we no longer say, instead we say affirmative...
How would ANYONE really know what to do with EVERY program? Is it alright if "system.exe" uses "explorer"? No, what ends up being is click, to "authorise", "authorise", "authorise".... So, does it protect?

I assume not. One day into the new setup, i was no longer search Google, Yahoo or Altavista. MSN was there (but no, I'm not using that for search). The answer was always "waiting for reply". No direct going to their sites, no using the searchbar in Firefox... Gmail was working and iGoogle was there, so it must be a problem with my machine not with the tubes. Fortunately there's a Terminal Server I can log in at the office, so I can look for info on this strange behaviour. Apparently there's a trojan called Qhost, which would do something similar. Download the Symantec removal tool for Qhost - nope, nothing. Look a little bit further, use carpet bombing instead of precision sniper attack, so let's get a Spyware removal. Yeah, which one? In the end again I settled for Spybot Search&Destroy. It's pretty minimalistic, and in many corners it looks as free software would look (yeah, free once more...), but apparently it does it's job...

After 20 minutes of crunching away, it came back with the diagnosis: you have Virtumonde. "Web access may also be negatively affected. Vundo may cause many websites to be unaccessible; these websites will just hang." Yeah, exactly.... Let's remove... Done.... Wow, everything works again! Great....

So, in the aftermath I just disabled the defence feature of the firewall, as it was proven pretty useless. Kept Spybot and "immunized" my system. It does a few clever-looking tricks that could cause problem sometimes later but might work: e.g. redirecting the DNS queries for known malware websites to 127.0.0.1, which makes them unable to function. We'll see how this would work in practice. And also, I'm looking for an anti-virus program. AVG Free Edition (been there, done that), Moon Secure Antivirus (it was pretty crappy when I tried, and slowed evvvvrrrryytthinng down), Avira Antivir Workstation (going to try this one now. I think I had some years ago, but let's see what it can do nowadays).

But the whole thing is just so annoying. The Windows Registry. The Windows services and system files - when the same file does a dozen different functions, and half a dozen copies are running in the same time. When there's no way to know what's a malicious attempt, and what's a legitimate request from a software.....
If this happens on my parents computer and I have to distance-diagnose it, I'd go nuts and they wouldn't have a working system for quite a while.

Anyway, my feeling is that probably I'm more lame that I thought (come on, getting infected on the first day!!!) and that even if Linux has tens and hundreds of annoying things (subject of many future posts, probably), those annoyances now feel more manageable, more transparent, and more familiar... I'm really looking forward to the day of my complete switch, when I don't have to worry about this many firewalls/spyware/virus/malware things. I'd rather fight software bugs.....

Now, just switching off the Internet, take a book that I wanted to read for a while, and let's go outside.... maybe a computer virus infection does have a positive side....
blog comments powered by Disqus