Disable Your Antivirus Software (Except Microsoft's)

KIA

Man of Honour
Joined
14 Nov 2004
Posts
13,783
To be fair it is possible. I shared this capture a while back of a 'test' of various ransomwares (in Win 7). Note that some are caught by UAC, but some are not. Maybe the ones that were caught didn't do as much damage though, I do not know.

Privilege elevation through the use of an exploit and asking the user to elevate are two separate things. I think he's talking about the former because he said "regardless of UAC".
 
Associate
Joined
30 Dec 2013
Posts
542
Location
England
It makes me laugh when I read that someone has not had an antivirus and has never had a virus, how would you know?

I think you need to make the distinction between real-time and on demand. I have not run a real-time AV for years. However, periodically I do run an on-demand scan from an AV that isn't installed. So you can effectively run without an AV but check that there is no malware.
 
Soldato
Joined
30 Sep 2003
Posts
10,916
Location
London
Digging into the tracker notes it required a specially crafted SVG animation, but would then run arbitrary code. The browser would then crash. This is pretty typical for a browser exploit - it requires a specific, crafted element on a site, i.e. a dodgy site.

Or a legit site which gets hacked and the specially crafted SVG animation inserted into the page.

Otherwise, the hassle with all the prompts, running stuff elevated, etc, is far greater, than restoring an image or cleaning a piece of malware in a few years if something gets through. I hate the fact that Microsoft is shoving all that security crap down our throats.

Screw updates, screw using crappy user accounts without rights, screw all those unnecessary prompts and extra user actions.

(1) Using something like UAC to prevent privilege elevation attacks is a bread and butter security measure. I don't really understand the issue... what are you doing that means you see UAC prompts often enough for them to become an inconvenience?

(2) Restoring an image won't help you if your personal info is compromised because you've been running a keylogger.

(3) "Screw updates"? Really?
 
Joined
5 Oct 2008
Posts
8,978
Location
Kent
I think you need to make the distinction between real-time and on demand. I have not run a real-time AV for years. However, periodically I do run an on-demand scan from an AV that isn't installed. So you can effectively run without an AV but check that there is no malware.

That is a little different, but it's still much safer to run real-time protection at all times.
 
Soldato
Joined
1 Mar 2010
Posts
21,901
just installed Avast as a change from the (resource hungry) Avira scanner
was intrigued to see T&C's say

8. Privacy; Processing of Personal Information. The Software collects certain information, which may include personally identifiable information, from the computer on which it is installed, including:
8.1 URLs of any websites you have visited;

Avast has many pathetically documented components. I went for the below selection, which should hopefully give a scanner without any intrusion on the FF browser (already using FF+NoScript); I am also using the MS firewall.
I may also disable Real Site, which could be needlessly intercepting browser traffic.

Does anyone have counter opinions on what is useful in Avast?

 
Associate
Joined
1 Sep 2009
Posts
1,084
I absolutely loathe the whole rights things, and UAC, I always used the hidden administrator account in win7, the only reason I don't in 10, is because Metro apps (which I use to watch tv for example from my cable provider), don't allow running with UAC disabled or using the hidden admin account.

Otherwise, the hassle with all the prompts, running stuff elevated, etc, is far greater, than restoring an image or cleaning a piece of malware in a few years if something gets through. I hate the fact that Microsoft is shoving all that security crap down our throats.

Screw updates, screw using crappy user accounts without rights, screw all those unnecessary prompts and extra user actions.

Hilarious. You're just asking to be owned, regardless of how careful you think you're being.

The Australian Signals Directorate (their version of the NSA) has some great advice, what they call the Essential Eight:

1. Application Whitelisting
2. Patch Applications
3. Restrict Admin Privileges
4. Patch Operating Systems
5. Disable untrusted MS Office macros
6. User application hardening (i.e. block Flash, web ads and Java in the browser)
7. Multi-factor authentication
8. Daily backup

Of those, whitelisting is by far the most effective method for preventing malware attacks but there isn't really a good solution for that for home users that I know of.

AV is dangerous because it typically runs with elevated rights - if there's a vulnerability in your AV solution, an attacker can potentially leverage it to run code with the highest possible rights. There was an exploit with Symantec AV that a researcher found, when he emailed the sample code to Symantec to alert them it actually brought down their email servers because they were protected by their own AV: https://www.wired.com/2016/06/symantecs-woes-expose-antivirus-software-security-gaps/
 

KIA

Man of Honour
Joined
14 Nov 2004
Posts
13,783
The Security Impact of HTTPS Interception

As HTTPS deployment grows, [corporate] middlebox and antivirus products are increasingly intercepting TLS connections to retain visibility into network traffic. In this work, we present a comprehensive study on the prevalence and impact of HTTPS interception. First, we show that web servers can detect interception by identifying a mismatch between the HTTP User-Agent header and TLS client behavior. [In other words, current TLS interceptors are not bothering to mask their presence... though they certainly could.] We characterize the TLS handshakes of major browsers and popular interception products, which we use to build a set of heuristics to detect interception and identify the responsible product. We deploy these heuristics at three large network providers: (1) Mozilla Firefox update servers, (2) a set of popular e-commerce sites, and (3) the Cloudflare content distribution network. We find more than an order of magnitude more interception than previously estimated and with dramatic impact on connection security. To understand why security suffers, we investigate popular middleboxes and clientside security software, finding that nearly all reduce connection security and many introduce severe vulnerabilities. Drawing on our measurements, we conclude with a discussion on recent proposals to safely monitor HTTPS and recommendations for the security community.

https://jhalderm.com/pub/papers/interception-ndss17.pdf
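The detection idea in the abstract above, as an added example (not code from the paper or from anyone in the thread): a server-side classifier that maps the HTTP User-Agent to the TLS ClientHello fingerprint it expects from that browser, treats any mismatch as interception, and tries to attribute it to a known product. Every fingerprint, product name and User-Agent string below is a constructed placeholder, not a measured value.

```python
"""User-Agent vs. TLS ClientHello mismatch as an interception signal.

Added example illustrating the heuristic in the NDSS'17 abstract; not the
paper's code. Every fingerprint here is a CONSTRUCTED placeholder.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ClientHello:
    """The parts of a ClientHello a server can fingerprint without decrypting anything."""
    cipher_suites: Tuple[int, ...]   # IANA suite IDs in the order the client offered them
    extensions: Tuple[int, ...]      # extension type IDs in the order they appeared


# Constructed "expected" fingerprints, keyed by browser family.
EXPECTED = {
    "Firefox": ClientHello((0x1301, 0x1303, 0x1302, 0xC02B, 0xC02F), (0, 23, 65281, 10, 11, 16)),
    "Chrome": ClientHello((0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F), (0, 23, 65281, 10, 11, 16, 5)),
}

# Constructed fingerprints of hypothetical interception products.
KNOWN_INTERCEPTORS = {
    "ExampleAV-WebShield": ClientHello((0xC02F, 0xC030, 0x009C, 0x002F, 0x000A), (0, 10, 11)),
    "ExampleCorp-Middlebox": ClientHello((0xC030, 0xC02F, 0x0035, 0x002F), (0, 10, 11, 23)),
}

# Legacy suites (3DES, RC4) that a current browser never offers; their presence is a downgrade.
WEAK_SUITES = {0x000A, 0x0004, 0x0005, 0xC012}


def browser_family(user_agent: str) -> Optional[str]:
    """Coarse UA parsing: just enough to pick the expected fingerprint."""
    if "Firefox/" in user_agent:
        return "Firefox"
    if "Chrome/" in user_agent and "Edg/" not in user_agent:
        return "Chrome"
    return None


def classify(user_agent: str, hello: ClientHello) -> Tuple[str, Optional[str]]:
    """Return (verdict, product); verdict is 'direct', 'intercepted' or 'unknown-ua'."""
    family = browser_family(user_agent)
    if family is None:
        return ("unknown-ua", None)
    if hello == EXPECTED[family]:
        return ("direct", None)
    # The claimed browser cannot have produced this handshake: something else terminated TLS.
    for product, fingerprint in KNOWN_INTERCEPTORS.items():
        if hello == fingerprint:
            return ("intercepted", product)
    return ("intercepted", "unattributed")


def security_downgraded(hello: ClientHello) -> bool:
    """True if the handshake offers legacy suites, i.e. the interceptor weakened the connection."""
    return bool(WEAK_SUITES.intersection(hello.cipher_suites))


if __name__ == "__main__":
    ua = "Mozilla/5.0 (Windows NT 10.0; rv:52.0) Gecko/20100101 Firefox/52.0"  # constructed
    print(classify(ua, EXPECTED["Firefox"]))                               # ('direct', None)
    print(classify(ua, KNOWN_INTERCEPTORS["ExampleAV-WebShield"]))         # ('intercepted', 'ExampleAV-WebShield')
    print(security_downgraded(KNOWN_INTERCEPTORS["ExampleAV-WebShield"]))  # True
```

Exact matching is the simplest form of the heuristic; a production version keys fingerprints on browser version and tolerates drift between releases, but the signal is the same one the paper relies on: a handshake the claimed browser cannot have produced. The second function covers the paper's other finding, that the interceptor's own TLS stack is often weaker than the browser it replaced.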
 
Soldato
Joined
1 Mar 2010
Posts
21,901
The Australian Signals Directorate (their version of the NSA) has some great advice, what they call the Essential Eight:

1. Application Whitelisting
2. Patch Applications
3. Restrict Admin Privileges
4. Patch Operating Systems
5. Disable untrusted MS Office macros
6. User application hardening (i.e. block Flash, web ads and Java in the browser)
7. Multi-factor authentication
8. Daily backup

Of those, whitelisting is by far the most effective method for preventing malware attacks but there isn't really a good solution for that for home users that I know of.
..

Do you have a reference for 'application whitelisting' - for home users do you mean only installing software for which you have checked provenance and validated checksums? (If you have satisfied 4/5/6 it should not be easy for undesired applications to be introduced in other manners.)
 
Associate
Joined
1 Sep 2009
Posts
1,084
Do you have a reference for 'application whitelisting' - for home users do you mean only installing software for which you have checked provenance and validated checksums? (If you have satisfied 4/5/6 it should not be easy for undesired applications to be introduced in other manners.)
What do you mean by 'reference'?

Application whitelisting typically requires a piece of software, an agent of some kind, that runs on the desktop. The idea is that it stops any piece of software running that hasn't been pre-approved - so you could whitelist Word, Excel, Chrome etc, or maybe whitelist any app signed by Microsoft or Google to give you a broader range of usable apps. So when "ACME Ransomware" tries to run, it's not on the whitelist, so the whitelisting agent blocks it.

It's more effective than AV because you don't need to know what the malware looks like in advance using signatures or whatever, you just stop anything running that isn't explicitly trusted.
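The default-deny model described in the post above, as an added example (not AppLocker's or any vendor's code): a policy made of publisher rules ("anything signed by Microsoft or Google may run") and hash rules for specific unsigned binaries, with everything else denied. Signer names, file contents and hashes are constructed; a real agent would take the signer from a verified Authenticode signature and the hash from the file on disk.

```python
"""Default-deny application allow-listing, as described in the post above.

Added example; not AppLocker's or any vendor's code. Signer names, file
contents and hashes are CONSTRUCTED. A real agent gets the signer from a
verified Authenticode signature and the hash from the file on disk.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Executable:
    name: str
    content: bytes
    signer: Optional[str]   # verified signer CN, or None if unsigned / signature invalid


@dataclass(frozen=True)
class AllowListPolicy:
    trusted_publishers: FrozenSet[str]   # publisher rules: anything they sign may run
    allowed_hashes: FrozenSet[str]       # hash rules: specific approved unsigned binaries

    def evaluate(self, exe: Executable) -> Tuple[str, str]:
        """Return ('allow' | 'deny', reason). Anything matching no rule is denied."""
        if exe.signer is not None and exe.signer in self.trusted_publishers:
            return ("allow", "publisher rule: " + exe.signer)
        digest = hashlib.sha256(exe.content).hexdigest()
        if digest in self.allowed_hashes:
            return ("allow", "hash rule: " + digest[:16])
        return ("deny", "no matching rule")


def build_policy(approved_unsigned: Tuple[Executable, ...]) -> AllowListPolicy:
    """Publisher rules for the big vendors, hash rules for approved unsigned tools."""
    return AllowListPolicy(
        trusted_publishers=frozenset({"Microsoft Corporation", "Google LLC"}),
        allowed_hashes=frozenset(hashlib.sha256(e.content).hexdigest() for e in approved_unsigned),
    )


# Constructed sample binaries (contents are placeholders standing in for PE files).
WORD = Executable("WINWORD.EXE", b"word-binary", "Microsoft Corporation")
CHROME = Executable("chrome.exe", b"chrome-binary", "Google LLC")
INHOUSE = Executable("reporttool.exe", b"inhouse-v1", None)
INHOUSE_MODIFIED = Executable("reporttool.exe", b"inhouse-v1-trojaned", None)
RANSOMWARE = Executable("ACME Ransomware.exe", b"acme-binary", None)
RANSOMWARE_SIGNED = Executable("ACME Ransomware.exe", b"acme-binary", "ACME Ltd")

POLICY = build_policy((INHOUSE,))


def decisions() -> Dict[str, Tuple[str, str]]:
    """Evaluate every sample so the outcome can be inspected or tested."""
    return {
        "word": POLICY.evaluate(WORD),
        "chrome": POLICY.evaluate(CHROME),
        "inhouse": POLICY.evaluate(INHOUSE),
        "inhouse_modified": POLICY.evaluate(INHOUSE_MODIFIED),   # hash changed: blocked
        "ransomware": POLICY.evaluate(RANSOMWARE),               # unknown: blocked
        "ransomware_signed": POLICY.evaluate(RANSOMWARE_SIGNED), # signed, but not by a trusted publisher
    }


if __name__ == "__main__":
    for label, (verdict, reason) in decisions().items():
        print(f"{label:18} {verdict:5} ({reason})")
```

No signature database is involved: the ransomware is blocked because nothing vouches for it, not because anyone has seen it before. The two rule types trade off against each other, which is the practical difficulty the post hints at: publisher rules are convenient but broad, while hash rules are precise but have to be refreshed every time the approved binary is updated.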
 
Soldato
Joined
1 Mar 2010
Posts
21,901
Thanks, the word 'reference' was vague - I meant the document that showed relative merits of application whitelisting,
and maybe addressed its relevance/practicality for home use.

I see here, for example, that MS has an AppLocker product exclusively for servers.
In the 'chip' development business we are not using a whitelister afaik; rather, app security relies on strict rules for having any apps validated by IT, plus records of what individuals are accessing/downloading.
I think such engineers are disciplined versus, say, a general commercial office (albeit the Stuxnet virus found its way into an engineering environment).
 
Associate
Joined
1 Sep 2009
Posts
1,084
Thanks, the word 'reference' was vague - I meant the document that showed relative merits of application whitelisting,
and maybe addressed its relevance/practicality for home use.

I see here, for example, that MS has an AppLocker product exclusively for servers.

AppLocker is a good example in the server space. There are some good enterprise desktop solutions as well, but nothing really available for home users as of yet that I know of.

In the 'chip' development business we are not using a whitelister afaik; rather, app security relies on strict rules for having any apps validated by IT, plus records of what individuals are accessing/downloading.
I think such engineers are disciplined versus, say, a general commercial office (albeit the Stuxnet virus found its way into an engineering environment).

I think you're giving your engineers too much credit! :) Also, sometimes it's not about how careful your users are, there are a number of attacks that can be executed without the user's knowledge - I think someone already mentioned the examples of malware embedded in advertisements on big-name sites like the NYT. You can also be subject to a cross-site scripting attack which again might affect a 'trusted' site. If you have a compliance requirement, telling the regulator that your users are more disciplined probably isn't going to wash.
 
Soldato
Joined
14 Mar 2011
Posts
5,421
Interesting discussion... I use Sophos AV because my work provide me it for free and it seems pretty good...

It has flagged things a few times - as discussed above I've navigated to what I'd have considered "trusted" pages such as news sites, or even on one occasion this very forum and had it flag that it had detected some sort of unexpected/illegal instruction being issued by the page. I think Sophos uses some sort of "on-access" method, which I was initially worried would be a performance hog but however it's doing it seems to have little to no impact (that I can tell anyway)
 
Soldato
Joined
9 Dec 2006
Posts
9,246
Location
@ManCave
I'm pretty confident in my surfing abilities tbh.

Rule 1. Don't download anything stupid.
Rule 2. If you are going to download something stupid read reviews and from a decent source.
Rule 3. Don't give access to other users to be able to install software.
Rule 4. Get a legit looking but suspicious email with a zip file. Delete it.

You have to be a moron to install a virus on your computer tbh, especially if you're on a forum like this with more technically advanced users.

I don't even run a firewall on my home router, who would want to hack me and for what gain?

Same goes for virus software. I don't run any. Only had 1 virus in about 20 years and that was because I ordered a package and got an email about a package from Parcelforce. It looked legit and it was only until I had downloaded the attachment and clicked on it that I realised Parcelforce would never send an attachment unless it was a PDF, and not the dodgy one I had been sent. They would send you a link to their site where you input your tracking number to then deal with said parcel. It's common sense; however, I was in a rush and never thought about it. If I had, it would have stared me in the face that it was a bogus email. That was a long, long time ago.

After that 1 mistake I formatted and learnt from it.

OK
  • You visit a site, it has a hijacked .png file that contains a keylogger (very easy to implement); Anandtech & many other reputable sites have had infected files on.
Rules 1, 2, 3 are void, now what?
 
Soldato
Joined
9 Dec 2006
Posts
9,246
Location
@ManCave
Will an antivirus stop that from infecting your computer?
Yes, nowadays. Google blocks sites with viruses injected into their pages, but they do not catch them all & it can take days to alert. Nowadays AV like Eset/Kaspersky have their reputation stats which are done by day/month/year & they all check files/images as they are downloading.
How does the "hijacked .Png" infect the machine?

It's possible to inject keyloggers/trojans and other malware into JPG/PNG files. Then once loaded or read they "can" execute the code. It was one of the ways people were infecting .PDF files with trojans: it was JPEGs inside the .PDF. But it can execute inside a browser.

This is why UAC is so important. It can block unauthorized access to areas a trojan may want to hide itself in.

And to make things more crazy, This means any site you visit could infect you. EVEN OCUK through signatures. Have a nice day!
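On the theme of image files being used to carry hidden payloads, a defender-side structural check, added here and not any poster's code: walk the PNG chunk list, verify each chunk's CRC, flag chunk types outside the standard set, and flag any bytes after IEND, which is where appended content usually lives. A stash like this still needs something else on the machine to extract and run it, which is why the thread's other points (UAC, allow-listing) matter; this check only finds the stash. The 1x1 sample image and the "appended payload" are constructed inline.

```python
"""Structural PNG check: CRCs, chunk types and data after IEND.

Added defensive example; not code from the thread. The 1x1 sample image
and the appended junk are CONSTRUCTED inline.
"""
import struct
import zlib
from typing import List

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Critical and common ancillary chunk types from the PNG specification.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND",
    b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT", b"sRGB",
    b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME",
}


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A valid 1x1, 8-bit greyscale PNG (constructed sample input)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")                     # filter byte 0 + one black pixel
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def inspect_png(blob: bytes) -> List[str]:
    """Walk the chunk list and return findings; an empty list means clean."""
    findings: List[str] = []
    if not blob.startswith(PNG_SIGNATURE):
        return ["missing PNG signature"]
    pos = len(PNG_SIGNATURE)
    while True:
        header = blob[pos:pos + 8]
        if len(header) < 8:
            findings.append("stream ended before IEND")
            return findings
        length, ctype = struct.unpack(">I4s", header)
        name = ctype.decode("ascii", "replace")
        end = pos + 12 + length            # 4 length + 4 type + data + 4 crc
        if end > len(blob):
            findings.append(f"truncated chunk {name}")
            return findings
        data = blob[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", blob[end - 4:end])
        if stored_crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            findings.append(f"CRC mismatch in chunk {name}")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({length} bytes)")
        if ctype == b"IEND":
            trailing = len(blob) - end     # a decoder stops here; anything after is not image
            if trailing:
                findings.append(f"{trailing} bytes of trailing data after IEND")
            return findings
        pos = end


def corrupt_byte(blob: bytes, offset: int) -> bytes:
    """Flip one byte, to simulate tampering with chunk data."""
    out = bytearray(blob)
    out[offset] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    clean = minimal_png()
    print(inspect_png(clean))                    # []
    print(inspect_png(clean + b"\x00" * 16))     # ['16 bytes of trailing data after IEND']
    print(inspect_png(corrupt_byte(clean, 41)))  # ['CRC mismatch in chunk IDAT'] (41 = first IDAT data byte)
```

The check is deliberately about structure rather than content: a decoder stops reading at IEND, so bytes after it never affect the picture, which is exactly why they are worth looking at. The same walk also surfaces private chunk types, which are legal in the format but unusual in files from a normal image editor.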
 
Soldato
Joined
14 Mar 2011
Posts
5,421
And to make things more crazy, This means any site you visit could infect you. EVEN OCUK through signatures. Have a nice day!

This is true - like I mentioned above I've had my A/V suddenly light up when loading certain threads on here before; I imagine it's more likely with sigs made via sig generators (like the steam ones some of us, myself included use) because you ultimately can't be totally sure that the site generating the sigs isn't compromised
 

KIA

Man of Honour
Joined
14 Nov 2004
Posts
13,783
And to make things more crazy, This means any site you visit could infect you. EVEN OCUK through signatures.

Browser 0days in the wild are incredibly rare, so this scenario is very unlikely to take place.

Attacks against browsers and plug-ins aren't as lucrative as they used to be because vulnerabilities can be patched in a matter of days. Java web plug-in & Silverlight are almost dead, with Flash not far behind.

In my opinion, the one to watch is ransomware.
 
Associate
Joined
17 Sep 2008
Posts
1,729
AppLocker is a good example in the server space. There are some good enterprise desktop solutions as well, but nothing really available for home users as of yet that I know of.
If only Microsoft would come up with a basic easy-to-use system for home users that stops untrusted executable code from running with admin privileges until it's been explicitly authorised to do so...
 
Soldato
Joined
18 May 2010
Posts
22,376
Location
London
If only Microsoft would come up with a basic easy-to-use system for home users that stops untrusted executable code from running with admin privileges until it's been explicitly authorised to do so...

Is this sarcasm? :cool:

UAC.

Also technically we should not be using user profiles that have admin privileges. (Including me)

We should need to use like a 'sudo' to gain admin privileges.
 