All posts by remotehelpexpert

Test Drive – Webroot SecureAnywhere Antivirus 2014

Avid readers of mine who have followed my articles over the last few years know that periodically I’ve been known to review Security Suites, i.e. antivirus programs. For those who didn’t know, well, now you do too.

Today I’m writing about Webroot SecureAnywhere Antivirus 2014. This program came to my attention a few months ago. I gave it a quick whirl and was impressed by its light footprint and by how many different functions it still manages to include. But I never put it through a formal test, as I usually do when evaluating security programs. Today, however, its turn finally came.

As many of you know, my basic test consists of installing the security program in question on my Windows 7 test computer and then visiting malicious websites and generally trying to infect the test computer, while keeping records of the security program’s behavior. The only passing grade is 100% success in thwarting the efforts to infect the computer. And in this case… Webroot kind of failed. Let me explain what I mean by “kind of”.

On the plus side, its very, very light footprint makes it ideal for old and basic computers, since the average antivirus program these days will take a good amount of memory and computer processing power to operate. Not Webroot though. The claim that it doesn’t slow down one’s computer is true.

On the negative side, I was, strictly speaking, able to infect the test computer after a few attempts. But it’s not black and white, so allow me to explain what happened. I visited a couple of malicious websites that started downloads of infected files onto the test computer. Initially Webroot caught and blocked the first attempts. But then came a particularly deceptive trojan.

I downloaded and opened the infected file without Webroot protesting or alerting me at all. Bad. But when the program tried to connect to the Internet to “call home”, Webroot did alert me that an untrusted program was trying to connect to the Internet (the antivirus has an outgoing firewall, meaning it monitors outgoing connections; more on that later). That was good. Webroot is designed to block any suspicious action by default while prompting the user to decide whether or not to let the program carry on with the suspicious action. That’s not so bad. The bad part is that, by default, if there is no response from the user one way or the other within 2 minutes, Webroot’s default action is to allow it (and I didn’t find anything in the program interface to change that behavior, i.e. a setting that would let one change the default action taken when the user does not respond).

So potentially, if the user could not or would not respond to the prompt, the malicious action would be carried out. That’s not good. Anyway, since I was evaluating, I allowed the action. Next I got an alert that this suspicious file was attempting a change to the registry. Again, good. And again, unfortunately, Webroot waited 2 minutes for a decision on what to do (allow or block the action) and, when there was no response from the user, it allowed the action.
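The timeout behavior described above is a fail-open default: silence from the user is taken as consent. As an added illustration (not code from the original review or from Webroot), here is a prompt routine that waits a bounded time for the user’s verdict and falls back to block when nothing arrives. The ask_user callables are hypothetical stand-ins for the antivirus’s GUI prompt, and the timeouts are shortened so the demo runs in a fraction of a second.

```python
import threading
import time

ALLOW, BLOCK = "allow", "block"

def decide_with_timeout(ask_user, timeout_s, default=BLOCK):
    """Ask the user for a verdict, but only wait timeout_s seconds for it.

    ask_user is a hypothetical stand-in for the antivirus's GUI prompt: it
    blocks until the user answers and returns "allow" or "block".  If no
    answer arrives in time, or the prompt fails, `default` is returned.
    With the default of BLOCK the prompt fails closed; passing default=ALLOW
    reproduces the allow-on-timeout behaviour described in the review.
    """
    answer = []
    done = threading.Event()

    def worker():
        try:
            answer.append(ask_user())
        except Exception:
            pass          # a broken prompt must not turn into an "allow"
        finally:
            done.set()

    # Daemon thread: an unanswered prompt must not keep the process alive.
    threading.Thread(target=worker, daemon=True).start()
    if not done.wait(timeout_s) or not answer:
        return default
    # Anything other than an explicit "allow" is treated as "block".
    return ALLOW if answer[0] == ALLOW else BLOCK

# Constructed stand-ins for the two situations in the review.
def user_clicks_allow():
    return ALLOW

def user_away_from_keyboard():
    time.sleep(0.5)       # nobody answers within the (shortened) timeout
    return ALLOW

if __name__ == "__main__":
    print("answered:", decide_with_timeout(user_clicks_allow, 1.0))                        # allow
    print("fail closed:", decide_with_timeout(user_away_from_keyboard, 0.1))               # block
    print("fail open:", decide_with_timeout(user_away_from_keyboard, 0.1, default=ALLOW))  # allow
```

The only difference between the safe and the unsafe variant is the value of `default`; everything that cannot be resolved within the window (no answer, an unexpected answer, a crashed prompt) collapses to that one value, which is why it should be the blocking one.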

I then asked Webroot to scan the downloaded file to see whether it would be recognized as malicious. Webroot failed to recognize the file as malicious. Then again, a percentage of these malicious files get missed by the antivirus because they’re too new to be recognized as malicious, a subject I’ve covered extensively in earlier articles.

Circling back to the firewall, it is a good thing to have Webroot’s firewall, and the fact that it’s an outgoing firewall makes it a perfect complement to the firewall built into your Windows computer, since that one is incoming only. Normally one is supposed to have only one active firewall to avoid conflicts in function, but in this case, not only is it possible to have both the Windows firewall and Webroot’s at the same time – it is advised.

So all in all the program performed very well and under normal circumstances probably provides good protection with ridiculously low resource consumption. But again, strictly speaking, it did not pass the test. If, for example, you’re the type of user who pays attention to all the pop-up windows and alerts from their antivirus program, this might be sufficient, and a plus if your computer resources are somewhat scarce. If you abide by my security model, the protection provided by Webroot as an antivirus would be sufficient as well.

Microsoft’s Support for Windows XP Ending Soon, Implications for You

So Microsoft’s support for Windows XP, at some point the most widely used operating system Microsoft has ever put out, is ending early next year – April 8, 2014 to be precise. But what exactly does that mean?

Well, let’s break it down. It means that after April 8, 2014, there will be no

New security updates: These are part of the typical monthly updates Microsoft releases to address known vulnerabilities in Windows XP that a hacker could exploit to take control of your computer or steal information from it. In fact, any Windows XP based computer that otherwise abides by the security model I laid out 4 years ago is well protected against these exploits. However, it’s always a good thing to plug the holes in the fence that might otherwise allow scoundrels to get in. It’s just an extra layer of protection that might make the difference between a computer that is more likely to be affected by malicious programs and one that is not.

Non-security hotfixes: These are also updates, but they normally fix a performance or stability problem in the operating system rather than a security issue. In other words, they fix “bugs” that have been uncovered, or that have developed.

Free or paid assisted support options: Not much to explain here. Microsoft provides support for issues related to Windows XP, some issues for free, some for a fee. This won’t be available as an option after the April 2014 deadline.

Online technical content updates: This refers to technical publications that Microsoft publishes online, mostly for computer types like me, who use them as a resource when looking for solutions to issues related to the operating system while providing support to end users.

The bottom line

If you’re still using Windows XP, it’s probably a good idea to upgrade to a newer operating system at some point in the near future, namely Windows 7. I don’t recommend Windows 8 (or 8.1 for that matter), but I do recommend Windows 7.


Philippines Typhoon Disaster Email Scams

As has been the practice with previous large-scale disasters, malicious/fraudulent email scams are being spread that exploit the recent Philippines typhoon disaster. These emails might contain malicious links or attachments. Beware of such social engineering attempts.

To help you distinguish whether the email is a scam or not, you can do the following:

1. Review the Federal Trade Commission’s Charity Checklist.

2. Verify the legitimacy of the email by contacting the organization directly through a trusted contact number. Trusted contact information can be found on the Better Business Bureau’s National Charity Report Index.

Social Engineering

It is a known fact that malware creators often appeal to users, trying to lure them into actions that aid the infection of the target computer. In computer security this is called social engineering. The user is presented with a scenario that looks legitimate and is then asked to click on something or install something in order to continue, avoid damage, correct what’s wrong, etc. All fake/rogue antivirus programs use this technique, trying to make the user install the rogue software or pay for the full version, lest an apocalypse of infections go unhandled on the user’s computer.

Two Reasons Why it’s a Bad Idea to Leave Your Backup Drive Always Connected to Your Computer

This applies mostly to those who have a USB external hard drive that is used for periodic backups of their data. I myself use that method for my daily computer data backups. However, I only plug it in at the time of the backup and otherwise keep it disconnected from my computer. Why, you might wonder?

1. In power-surge-prone areas, if a surge hits your computer while your external hard drive is connected to it, and the surge is powerful enough, it will fry your computer AND your external hard drive.

2. There are malware infections that will encrypt your files and then ask you for a ransom to decrypt them (aptly named ransomware). Recent versions of it will encrypt files on any drive connected to your computer, not just your internal hard drive. So your only hope for recovery from such an infection would be thwarted, since the backup data on your backup drive will also be encrypted.

So know your backup schedule and do what I do: put a reminder in your calendar that fires a few minutes before your scheduled backup, and only then connect your external hard drive to your computer. Unplug it from your computer (and from any power source, if it has its own power adapter) when done. Doing this might save the day if disaster strikes.

And if you don’t have a backup plan in place for your computer data, well, I suggest you get going on that. Don’t say I didn’t warn you. 🙂


Malware

Malware is a word coined from “malicious software”. It includes any program that can adversely affect your computer. Traditionally the word virus was used to describe such programs, but as time went by and the types of malicious software grew, a new, all-encompassing word was needed to cover other types of malware that were not necessarily viruses.

Not for Beginners – setting up a FREENAS 9.1.1 file server in a Windows workgroup

This is so I don’t forget what I did to set this up correctly, since I spent hours tweaking.

1. Install FREENAS on the designated computer. In my case I used a 4 GB flash drive as the target for the install.

2. Create a ZFS volume. This is important. Don’t create a UFS one; it will get in the way of changing permissions from the Windows side later on, due to some unknown bug. It took me hours to realize this.

3. Create a group for all the users in the LAN that will have equal access rights.

4. Create as many users as needed to match the users and their credentials in the LAN computers (workgroup style).

5. Configure CIFS service settings for workgroup so it matches your LAN workgroup. Set authentication model to local users.

6. Create a new volume, with the main LAN user as the owner (user) and the group created in step 3 above as the owner (group).

7. Change permissions to rwxrwxr-x. This is so you can allow certain shares to be accessed but not modified.

8. Set ACL to Windows.

9. Create a Windows CIFS share. Allow guest access. If prompted to start service, click yes.

10. From a Windows computer, create the main folders that will be public and private. Edit the security on the private one by removing Everyone from the permissions. That effectively makes the permissions for that folder rwxrwx---, i.e. if you’re not the owner and don’t belong to the group, you don’t have access at all.

11. If you wish to remove write permissions from subfolders of the publicly shared folder, edit advanced permissions for Everyone to allow only:

Traverse folder / execute file
List folder / read data
Read attributes
Read extended attributes
Read permissions

Apply to This folder, subfolders and files.

12. I ran into a problem deleting files and folders when logged in as the owner/a group member. To handle it, I granted full control on the first private folder of the share and set it to propagate to subfolders and files.

I suppose individual shares could be set up, as an alternative method, using ZFS datasets. As of this writing I have not tested that route, so I can’t say if it’s more convenient/configurable/flexible. I know the above works.
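To make the permission steps above concrete, here is an added example (not part of the original write-up, and not FreeNAS code) that models the POSIX mode bits the procedure sets: rwxrwxr-x on the share in step 7, rwxrwx--- on the private folder after Everyone is removed in step 10, and the read-only “Everyone” set in step 11, which corresponds to the r-x triplet for “other”. The users, the group and the memberships are constructed for illustration. This is a simplification: with the ACL type set to Windows, FreeNAS stores richer NFSv4 ACLs on ZFS, but the owner/group/other reasoning is the same one the steps rely on.

```python
# Model of the POSIX mode bits behind the permission steps.  Users, groups and
# memberships are constructed for illustration.
PERM_BITS = {"r": 4, "w": 2, "x": 1}
CLASS_SHIFT = {"owner": 6, "group": 3, "other": 0}
CLASSES = ("owner", "group", "other")

def parse_mode(text):
    """Turn a 9-character mode string such as 'rwxrwxr-x' into an int (0o775)."""
    if len(text) != 9:
        raise ValueError("mode string must be 9 characters, e.g. rwxrwxr-x")
    mode = 0
    for i, ch in enumerate(text):
        expected = "rwx"[i % 3]
        if ch == expected:
            mode |= PERM_BITS[ch] << CLASS_SHIFT[CLASSES[i // 3]]
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return mode

def format_mode(mode):
    """Inverse of parse_mode: 0o770 -> 'rwxrwx---'."""
    out = []
    for cls in CLASSES:
        bits = (mode >> CLASS_SHIFT[cls]) & 0o7
        out.append("".join(ch if bits & PERM_BITS[ch] else "-" for ch in "rwx"))
    return "".join(out)

def permission_class(user, owner, group, memberships):
    """Which of the three triplets applies to `user` on a file owned by owner:group."""
    if user == owner:
        return "owner"
    if group in memberships.get(user, ()):
        return "group"
    return "other"   # the class a CIFS guest / "Everyone" session lands in

def can(user, op, mode, owner, group, memberships):
    """True if `user` may perform op ('r', 'w' or 'x') under the given mode bits."""
    cls = permission_class(user, owner, group, memberships)
    return bool((mode >> CLASS_SHIFT[cls]) & PERM_BITS[op])

# Constructed LAN: 'alice' owns the share, 'alice' and 'bob' are in 'lanusers',
# 'guest' is a Windows guest session with no group membership.
OWNER, GROUP = "alice", "lanusers"
MEMBERS = {"alice": {"lanusers"}, "bob": {"lanusers"}, "guest": set()}
SHARE_MODE = parse_mode("rwxrwxr-x")    # step 7: others may read and traverse only
PRIVATE_MODE = parse_mode("rwxrwx---")  # step 10: Everyone removed from the private folder

def access_table(mode):
    """Summarise, per user, which of r/w/x are granted under `mode`."""
    return {u: "".join(op if can(u, op, mode, OWNER, GROUP, MEMBERS) else "-" for op in "rwx")
            for u in MEMBERS}

if __name__ == "__main__":
    for name, mode in (("public share", SHARE_MODE), ("private folder", PRIVATE_MODE)):
        print(f"{name} ({format_mode(mode)}): {access_table(mode)}")
```

Running it shows the guest session with r-x on the public share (it can browse and read but not write) and with nothing at all on the private folder, which is exactly the effect step 10 describes.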

Adobe Hacked, What to do

If you get an email message from Adobe with the text below, it is real and not a hoax:

Important Password Reset Information
To view this message in a language other than English, please click here. 

We recently discovered that an attacker illegally entered our network and may have obtained access to your Adobe ID and encrypted password. We currently have no indication that there has been unauthorized activity on your account. 

To prevent unauthorized access to your account, we have reset your password. Please visit www.adobe.com/go/passwordreset to create a new password. We recommend that you also change your password on any website where you use the same user ID or password. In addition, please be on the lookout for suspicious email or phone scams seeking your personal information. 

We deeply regret any inconvenience this may cause you. We value the trust of our customers and we will work aggressively to prevent these types of events from occurring in the future. If you have questions, you can learn more by visiting our Customer Alert page, which you will find here.

Adobe Customer Care

More details and exact instructions on what to do can be found here:

http://helpx.adobe.com/x-productkb/policy-pricing/customer-alert.html


Latest Windows Updates Break Some Versions of Microsoft Office

I confirmed this at least on Office Starter 2010. Other versions might be affected. The short story is that there were 3 updates for Office in the latest batch of Windows Updates released this week. After installing them, users trying to open a Word or Excel file might get prompted to enter a key or purchase Office.

If you are experiencing this, it can be corrected by repairing Office. Here’s the link with step-by-step instructions on how to repair it:

http://office.microsoft.com/en-us/starter-help/update-repair-or-uninstall-office-click-to-run-products-HA010382089.aspx#_Toc272139012

If you need help with the above, contact me.

This is What Scares Me About Traditional Antivirus Programs

So here I was, minding my own little business this morning, when I checked my email for the first time. As I went through the unread emails, I found one from “eFax Corporate [message@inbound.efax.com]”. I checked the detailed information about that email and it actually seemed legit. Kaspersky had labeled the email as probable spam, but that was it. Nothing else out of the ordinary. And of course, the email had a compressed attachment. So I decided to look into it.

I raised all my defense mechanisms to the highest level and proceeded to decompress the file that came attached to that email. It turned out to be a program, not a document. I scanned it with Kaspersky. It came out clean. Next, and this is the kicker, I submitted the file to a website that scans it against FORTY-SIX different antivirus engines. All the brands you might have heard of, and then some. How many of these antivirus engines identified the file as malicious? ZERO! NONE! Unbelievable. I’m not kidding. Look:

Last Scanned: 2013-08-29 16:24:27
MicroWorld-eScan Not Detected
nProtect Not Detected
CAT-QuickHeal Not Detected
McAfee Not Detected
Malwarebytes Not Detected
K7AntiVirus Not Detected
K7GW Not Detected
TheHacker Not Detected
NANO-Antivirus Not Detected
F-Prot Not Detected
Symantec Not Detected
Norman Not Detected
TotalDefense Not Detected
TrendMicro-HouseCall Not Detected
Avast Not Detected
ClamAV Not Detected
Kaspersky Not Detected
BitDefender Not Detected
Agnitum Not Detected
SUPERAntiSpyware Not Detected
Emsisoft Not Detected
Comodo Not Detected
F-Secure Not Detected
DrWeb Not Detected
VIPRE Not Detected
AntiVir Not Detected
TrendMicro Not Detected
McAfee-GW-Edition Not Detected
Sophos Not Detected
Jiangmin Not Detected
Antiy-AVL Not Detected
Kingsoft Not Detected
Microsoft Not Detected
ViRobot Not Detected
AhnLab-V3 Not Detected
GData Not Detected
Commtouch Not Detected
ByteHero Not Detected
VBA32 Not Detected
PCTools Not Detected
ESET-NOD32 Not Detected
Rising Not Detected
Ikarus Not Detected
Fortinet Not Detected
AVG Not Detected
Panda Not Detected

I started to think that maybe the file wasn’t malicious after all; then I laughed at myself for thinking that. Since I felt a little lazy, rather than firing up my test computer to analyze the program’s behavior when run, I submitted the file to a service that does that for me online and then emails me the complete analysis results. I got an email back and…

I’ll spare you the technical details, but that little file reminded me of that scene in the movie Transformers where a cell phone is irradiated with the special beam of energy that animates it, and the cell phone transforms into this destructive little machine inside a secure container; it goes berserk. That program did all kinds of things, from creating files, to deleting the original program, establishing network connections, modifying the registry, on and on. Definitely malicious.

This was the first time I’d seen a program that is obviously malicious get a 0% detection rate when scanned with those 46 antivirus engines. I had seen 6/46 or even 4/46, but never 0/46! I must have caught a really fresh one that no one has had the time to label as malicious and incorporate into the antivirus blacklists so it gets detected.
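The multi-engine report quoted above has a simple line format, and the lesson of the post is that a 0/46 result means “unknown”, not “clean”. As an added example (not code from the original post or from the scanning service), here is a parser for that “<engine> Not Detected” layout that computes the x/46-style ratio and routes a zero-hit sample to behavioural analysis instead of declaring it safe. The two sample reports are constructed: the engine names are taken from the report above, while “ExampleEngine” and its detection label are made up.

```python
import re
from datetime import datetime

# Two constructed reports in the "<engine> <verdict>" layout quoted in the post.
# Engine names come from that report; "ExampleEngine" and its label are made up.
REPORT_ALL_CLEAN = """\
Last Scanned: 2013-08-29 16:24:27
MicroWorld-eScan Not Detected
Kaspersky Not Detected
Microsoft Not Detected
ESET-NOD32 Not Detected
Sophos Not Detected
"""

REPORT_ONE_HIT = """\
Last Scanned: 2013-08-30 09:00:00
Kaspersky Not Detected
Microsoft Not Detected
Sophos Not Detected
ExampleEngine Trojan.Constructed.Sample
"""

LINE_RE = re.compile(r"^(\S+)\s+(.+)$")   # engine name, then the rest of the line

def parse_report(text):
    """Return (scanned_at, {engine: label}); label is None for 'Not Detected'."""
    scanned_at = None
    verdicts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Last Scanned:"):
            stamp = line[len("Last Scanned:"):].strip()
            scanned_at = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised report line: {raw!r}")
        engine, verdict = m.groups()
        verdicts[engine] = None if verdict == "Not Detected" else verdict
    return scanned_at, verdicts

def detection_ratio(verdicts):
    """(hits, engines), i.e. the 'x/46' form used in the post."""
    hits = sum(1 for label in verdicts.values() if label is not None)
    return hits, len(verdicts)

def triage(verdicts):
    """Decide the next step.  Key rule: 0/N signature hits is 'unknown', not 'clean'."""
    hits, total = detection_ratio(verdicts)
    if total == 0:
        return ("no-data", hits, total)
    if hits == 0:
        return ("unknown-run-behavioural-analysis", hits, total)
    return ("flagged", hits, total)

if __name__ == "__main__":
    for report in (REPORT_ALL_CLEAN, REPORT_ONE_HIT):
        when, verdicts = parse_report(report)
        status, hits, total = triage(verdicts)
        print(f"{when:%Y-%m-%d %H:%M}: {hits}/{total} engines -> {status}")
```

The triage step is the point: a signature scan can only say “recognised” or “not recognised”, so the all-clean report is routed to the same kind of behavioural analysis the post describes (file creation, self-deletion, network connections, registry changes) rather than being treated as a verdict of safety.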

But my point, and the moral of the story, is that, unfortunately, and as I’ve said on several occasions, traditional antivirus detection methods are just not enough to catch all malware anymore. It takes the full 4-prong security model laid out in my pivotal article, written a while back, to ensure the best chance of remaining immune to most attacks.