Is there a risk with firewalls ctd.

on 22.06.2007 17:20:30 by OL

Dear Group,

Recently I wrote to this group under the title 'Is there a risk with
firewalls'. Unfortunately the following discussion consisted mostly of
rants and mutual verbal abuse and did not help much to clarify the
problem.

I am opening the subject again and hope that this time the answers, if
any, will be to the point and not mutual abuse.

The suggestion to use Kaspersky's free scan was of great value. It
identified a number of files and said that two viruses were on the
machine, without giving further info regarding these viruses.

I removed all the offending files. For one of them, call it *, I had to
go into DOS mode outside of Windows, because this file was in use by
Windows and could not be removed from within Windows.

A subsequent Kaspersky scan showed the system to be clean.

On startup however a window comes up, complaining that the file called *
above is missing. After closing this window the PC works normally. This
notice indicates that virus components are still residing in the registry.

Question: Is there any way to locate these components and to remove them?

Thank you

GR.
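
The startup complaint about a missing file is the usual sign of an autostart entry (for example a value under a Run key) that still points at the deleted path. The following Python script is an added example, not something any poster in this thread wrote: it parses the text that `reg export` writes and lists autostart values whose target executable no longer exists. The key list, the sample export (the `loader32`/`drvupd32.exe` entry and the others are made up) and the set of "present" paths are all constructed for the demonstration; on a real machine you would feed it an export of the Run keys and pass `os.path.exists`. Finding the remnant explains the error message; it does not, as the later replies stress, make the system trustworthy.

```python
"""Find autostart registry values whose target file no longer exists.

Added example for this thread (hypothetical helper, not from any poster).
Input is the text format written by `reg export` ("Windows Registry Editor
Version 5.00"); only REG_SZ values under the listed autostart keys are
considered.  Real exports are UTF-16 with a BOM: open with encoding="utf-16".
"""
from __future__ import annotations

import re
from typing import Callable, Iterable

# Autostart keys to inspect.  Assumption: this list is illustrative only;
# there are many more persistence locations than these.
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data"  or  @="data"   (REG_SZ only; dword:/hex: lines are ignored)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo the .reg escaping of backslash and double quote."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Return {key_path: {value_name: string_data}} for REG_SZ values."""
    tree: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            tree.setdefault(current, {})
            continue
        val = _VALUE_RE.match(line)
        if val and current is not None:
            name = "(Default)" if val.group(1) is None else _unescape(val.group(1))
            tree[current][name] = _unescape(val.group(2))
    return tree


def executable_from_command(cmd: str) -> str:
    """Program path from a Run-key command line: a quoted path may contain
    spaces and carry arguments; for an unquoted path everything after the
    first space is treated as arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(" ", 1)[0]


def find_orphaned_autostarts(reg_text: str, exists: Callable[[str], bool],
                             keys: Iterable[str] = AUTOSTART_KEYS) -> list[tuple[str, str, str]]:
    """Return (key, value_name, missing_path) for entries whose target is gone.
    `exists` is injected so the logic runs against a constructed file list;
    on a live system pass os.path.exists (expand %VAR% references first)."""
    wanted = {k.lower() for k in keys}
    orphans = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in wanted:
            continue
        for name, cmd in values.items():
            path = executable_from_command(cmd)
            if not exists(path):
                orphans.append((key, name, path))
    return orphans


# Constructed sample export: two entries whose files exist, one whose file
# was deleted, and one key that is not an autostart location at all.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe\" /tray"
"loader32"="C:\\WINDOWS\\system32\\drvupd32.exe -s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\NotAutostart]
"Path"="C:\\deleted\\ignored.exe"
'''

# Constructed view of the disk after the offending file was removed.
_PRESENT = {
    r"c:\program files\analog devices\soundmax\smax4pnp.exe",
    r"c:\windows\system32\ctfmon.exe",
}


def sample_exists(path: str) -> bool:
    """Case-insensitive lookup in the constructed file list."""
    return path.lower() in _PRESENT


if __name__ == "__main__":
    for key, name, path in find_orphaned_autostarts(SAMPLE_EXPORT, sample_exists):
        print(f"orphaned autostart: [{key}] {name!r} -> {path}")
```

Run as-is it reports the one constructed orphan; the value name and key tell you where the reference lives. Values stored as `hex(2):` (REG_EXPAND_SZ) are skipped by this parser, so an export containing those needs the extra decoding step.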

Re: Is there a risk with firewalls ctd.

on 22.06.2007 18:48:01 by Sebastian Gottschalk

NoSpam wrote:


> I removed all the offending files.


Why that? You should *back them up* for later analysis and possible evidence
collection.

> A subsequent Kaspersky scan showed the system to be clean.


So what? The system is still compromised, thus has to be flattened and rebuilt.

> Question: Is there any way to locate these components and to remove them?

No. This is why it's called a compromise!
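
Backing a suspect file up "for later analysis and possible evidence collection", as this reply recommends, means more than copying it: the copy should be verifiable later. The Python script below is an added example (a hypothetical helper, not code from any poster): it stores the file under its SHA-256 with a neutral `.bin` suffix, appends the original path, size, timestamp and hash to a manifest, and can re-verify every stored copy against that manifest. The `demo()` function builds a constructed stand-in file in a temporary directory; the bytes are made up and are not a real sample.

```python
"""Preserve a suspect file for analysis instead of deleting it.

Added example for this thread (hypothetical helper, not from any poster).
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large samples need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _utc(ts: float | None = None) -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def preserve_sample(src: Path, evidence_dir: Path) -> dict:
    """Copy `src` into `evidence_dir`, append a record to manifest.jsonl, return it."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    st = src.stat()
    digest = sha256_of(src)
    dest = evidence_dir / f"{digest}.bin"   # neutral suffix: not launched by a double-click
    shutil.copy2(src, dest)                  # copy2 keeps the original mtime on the copy
    if sha256_of(dest) != digest:
        raise RuntimeError(f"copy of {src} did not verify")
    record = {
        "original_path": str(src.resolve()),
        "size": st.st_size,
        "mtime_utc": _utc(st.st_mtime),
        "sha256": digest,
        "stored_as": dest.name,
        "collected_utc": _utc(),
    }
    with (evidence_dir / "manifest.jsonl").open("a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")
    return record


def verify_evidence(evidence_dir: Path) -> list[str]:
    """Re-hash every stored copy; return the names that no longer match the manifest."""
    bad = []
    with (evidence_dir / "manifest.jsonl").open(encoding="utf-8") as f:
        for line in f:
            rec = json.loads(line)
            stored = evidence_dir / rec["stored_as"]
            if not stored.exists() or sha256_of(stored) != rec["sha256"]:
                bad.append(rec["stored_as"])
    return bad


# Constructed stand-in for a file the scanner flagged (made-up bytes, not malware).
SAMPLE_BYTES = b"MZ\x90\x00constructed sample for the evidence example\n"


def demo() -> tuple[dict, list[str], list[str]]:
    """Preserve, verify, tamper with the copy, verify again; return all three results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        suspect = root / "windows" / "system32" / "suspect.exe"
        suspect.parent.mkdir(parents=True)
        suspect.write_bytes(SAMPLE_BYTES)
        record = preserve_sample(suspect, root / "evidence")
        clean = verify_evidence(root / "evidence")
        # Simulate a corrupted or modified copy; verification must catch it.
        (root / "evidence" / record["stored_as"]).write_bytes(b"altered")
        tampered = verify_evidence(root / "evidence")
    return record, clean, tampered


if __name__ == "__main__":
    rec, before, after = demo()
    print(json.dumps(rec, indent=2))
    print("mismatches before tampering:", before)
    print("mismatches after tampering:", after)
```

The manifest is the part that matters for "evidence": it ties the stored copy to where and when it was found, and the verification step shows whether anything changed since collection. Collected copies belong on separate media, not on the machine under investigation.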

Re: Is there a risk with firewalls ctd.

on 22.06.2007 19:30:35 by MR. Arnold

"NoSpam" wrote in message
news:2NRei.17$s%.6@trnddc02...
> Dear Group,
>
> Recently I wrote to this group under the title 'Is there a risk with
> firewalls'.
> Unfortunately the following discussion consisted mostly of rants and
> mutual
> verbal abuse and did not help much to clarify the problem
>
> I am opening the subject again and hope that this time the answers, if
> any,
> will
> be to the point and not mutual abuse.
>
> The suggestion to use Kaspersky's free scan was of great value. It
> identified
> a number of files and said that two viruses were on the machine, without
> giving
> further info regarding these viruses.
>
> I removed all the offending files. For one of them, call it *, I had to go
> into
> DOS mode outside of Windows, because this file was in use by windows and
> could not be removed from within Windows.
>
> A subsequent Kaspersky scan showed the system to be clean.
>
> On startup however a window comes up, complaining that the file called *
> above is missing. After closing this window the PC works normally. This
> notice indicates that virus components are still residing in the registry.
>
> Question: Is there any way to locate these components and to remove them?

I think that most here would say flatten the HD, format it, because of the
information in the link.

http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Just because you have had a virus on the machine does that mean you totally
wipe the machine out?

I can tell you that I have seen a virus or viruses compromise machines at
work. All that happened was the virus or viruses were removed, and no
machine had its HD flattened.

I guess that decision making process is going to be your decision to make.

Where you should also post is to alt.comp.anti-virus, to people that deal
with viruses. There are some good people there.

You should consider cutting the attack vector down on the machine by
practicing safe hex.

http://www.claymania.com/safe-hex.html

You should also try to harden the O/S to attack as much as possible. Some of
the tips I could still apply to Vista as well.

http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm

Re: Is there a risk with firewalls ctd.

on 22.06.2007 21:54:54 by OL

Dear Mr. Arnold.

I thank you for your measured response.

First off, you are correct that this discussion has a better home in
alt.comp.anti-virus, but since the thread started in comp.security.firewalls
I continued it here.

I have read the article you pointed me to at
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
and found it to be an extreme approach. What the author does not
address and what is of interest to many users is the probability that all
of the bad things he is describing, have happened at once to the infected
PC. That probability must be very remote and would be of concern for
a system's programmer taking care of a data fortress. He seems to indicate
that not only the OS but all the data on that machine need to be discarded.

This unwillingness to be practical by demanding the utmost of security
for every user seems to be widespread among the contributors to this
group. If one applied the same caution in everyday life one would never be
able to drive through a green light because accidents have occurred when
the controls malfunctioned and the other side was also green.

Thank you. I'll direct further questions to alt.comp.anti-virus.

GR.

"Mr. Arnold" wrote in message
news:%GTei.97$ub5.42@newsread2.news.pas.earthlink.net...
>
> "NoSpam" wrote in message
> news:2NRei.17$s%.6@trnddc02...
> > Dear Group,
> >
> > Recently I wrote to this group under the title 'Is there a risk with
> > firewalls'.
> > Unfortunately the following discussion consisted mostly of rants and
> > mutual
> > verbal abuse and did not help much to clarify the problem
> >
> > I am opening the subject again and hope that this time the answers, if
> > any,
> > will
> > be to the point and not mutual abuse.
> >
> > The suggestion to use Kaspersky's free scan was of great value. It
> > identified
> > a number of files and said that two viruses were on the machine, without
> > giving
> > further info regarding these viruses.
> >
> > I removed all the offending files. For one of them, call it *, I had to
> > go into
> > DOS mode outside of Windows, because this file was in use by windows and
> > could not be removed from within Windows.
> >
> > A subsequent Kaspersky scan showed the system to be clean.
> >
> > On startup however a window comes up, complaining that the file called *
> > above is missing. After closing this window the PC works normally. This
> > notice indicates that virus components are still residing in the
> > registry.
> >
> > Question: Is there any way to locate these components and to remove
> > them?
>
> I think that most here would say flatten the HD, format it, because of the
> information in the link.
>
> http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
>
> Just because you have had a virus on the machine does that mean you
> totally
> wipe the machine out?
>
> I can tell you that I have seen a virus or viruses compromise machines at
> work. All that happened was the virus or viruses were removed, and no
> machine had its HD flattened.
>
> I guess that decision making process is going to be your decision to make.
>
> Where you should also post is to alt.comp.anti-virus, to people that deal
> with viruses. There are some good people there.
>
> You should consider cutting the attack vector down on the machine by
> practicing safe hex.
>
> http://www.claymania.com/safe-hex.html
>
> You should also try to harden the O/S to attack as much as possible. Some
> of
> the tips I could still apply to Vista as well.
>
> http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
>
>

Re: Is there a risk with firewalls ctd.

on 23.06.2007 00:36:38 by Leythos

In article <2NRei.17$s%.6@trnddc02>, NoSpam@verizon.net says...
> A subsequent Kaspersky scan showed the system to be clean.
>
> On startup however a window comes up, complaining that the file called *
> above is missing. After closing this window the PC works normally. This
> notice indicates that virus components are still residing in the registry.
>
> Question: Is there any way to locate these components and to remove them?

Look, this is getting kind of old - we've told you how to remove them
and also that some malware removal tools will never get it all, that's
just the way it is.

Follow these directions and life will be good - MAKE SURE YOU READ THE
INSTRUCTIONS WITH EACH TOOL.

Only download software you can validate as uncompromised - in the case
of non-vendor site you have no guarantee that the files are unmodified
or uncompromised. Anyone providing a link to a non-vendors site with a
direct download should not be trusted, the vendors sites are the safest
place to download their application.

No person of sound mind would download files from a hack site that
requires a password to access the unknown files when they are available
directly from the vendors.

Always remember - only download files from Trusted Sites.

The following links will take you to vendors sites for Spy Ware / Ad
ware removal tools and also for Antivirus tools. After you install any
of these applications and update them, run them in SAFE MODE to allow
them to properly clean your system.

First, make sure that your Java is updated to the latest version:
http://www.java.com/en/download/index.jsp

These sites are for downloading Anti-Malware and Anti-Spyware tools, in
order that I would use them myself:

Dave Lipman's tools:
Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

AdAwareSE can be found here:
http://www.lavasoft.com/products/ad_aware_free.php

SpyBot Search and Destroy can be found here:
http://www.safer-networking.org/en/download/index.html

SmitRem.exe by Noahdfear's SmitFraud, SpyAxe, SpyFalcon, removal tool
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1


--

Leythos
- Therefore, whoever desires peace, let him prepare for war.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: Is there a risk with firewalls ctd.

on 23.06.2007 00:49:29 by Ansgar -59cobalt- Wiechers

NoSpam wrote:
> I have read the article you pointed me to at
> http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
> and found it to be an extreme approach.

Wrong.

> What the author does not address and what is of interest to many users
> is the probability that all of the bad things he is describing, have
> happened at once to the infected PC.

Doesn't matter as long as you can't guarantee that none of it had
happened. If you can't be sure, your ONLY way to a clean system is
format and reinstall. Period.

> That probability must be very remote and would be of concern for
> a system's programmer taking care of a data fortress.

What makes you believe that?

> He seems to indicate that not only the OS but all the data on that
> machine need to be discarded.

No. You can check and restore your data once your system is back in a
known-good state. However, as long as the system has been compromised
you cannot trust anything that system tells you, because there IS a
non-zero chance that it may be manipulated.

> This unwillingness to be practical by demanding the utmost of security
> for every user seems to be widespread among the contributors to this
> group.

The unwillingness to follow due diligence seems to be widespread among
your group. This group is about SECURITY. If you're not interested in
security: go somewhere else and don't waste the time of people who try
to give you reasonable advice.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: Is there a risk with firewalls ctd.

on 23.06.2007 08:49:43 by unknown

Post removed (X-No-Archive: yes)

Re: Is there a risk with firewalls ctd.

on 24.06.2007 11:19:10 by Volker Birk

NoSpam wrote:
> Recently I wrote to this group under the title 'Is there a risk with
> firewalls'.
> Unfortunately the following discussion consisted mostly of rants and mutual
> verbal abuse and did not help much to clarify the problem
> I am opening the subject again and hope that this time the answers, if any,
> will
> be to the point and not mutual abuse.

The answer is: "yes". Firewalling means adding extra code or even extra
devices, which can be attacked, too. So there is additional risk by
adding firewalls, one has to compare this risk with the improvements in
security those firewalls are bringing with them.

> The suggestion to use Kaspersky's free scan was of great value. It
> identified
> a number of files and said that two viruses were on the machine, without
> giving
> further info regarding these viruses.
> I removed all the offending files.

This is not enough. If your computer was infected, only flattening and
rebuilding will help you to get back a clean box.

Yours,
VB.
--
"Care must be taken that the Basic Law is not protected with methods
that are contrary to its aim and its spirit."

Gustav Heinemann, "Freimütige Kritik und demokratischer Rechtsstaat"

Re: Is there a risk with firewalls ctd.

on 25.06.2007 07:30:02 by DevilsPGD

In message "NoSpam" wrote:

>This unwillingness to be practical by demanding the utmost of security
>for every user seems to be widespread among the contributors to this
>group.

Indeed -- Many of us have seen systems so thoroughly infected that
simply saving data (DOC files) is sufficient to guarantee reinfection
immediately upon system restore.

Some of us have done it, either to prove we can, or for actual nefarious
purposes (I'm in both categories, although in the "actual nefarious
purposes" it was to annoy a friend, rather than attack an enemy)

If you want a secure answer, it's simple: Start from scratch. If you
want a practical real world example, find out when the system became
infected, figure out how (if you can), then restore back out to a
previous date, patch the problem and hope for the best.

--
If quitters never win, and winners never quit,
what fool came up with, "Quit while you're ahead"?
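
Two replies above touch the same practical step: 59cobalt's point that data can be checked and restored once the system is back in a known-good state, and the warning here that simply saving "data" (DOC files) can be enough to reinfect a rebuilt machine. The Python script below is an added example of such a check, a hypothetical helper and not code from any poster: it judges each saved file by its leading bytes rather than its name, blocks anything that is actually an executable (including one renamed to look like a picture), and routes container formats that can carry active content (legacy Office documents, ZIP-based packages) to manual review instead of copying them over blindly. The signature list is deliberately short, and `SAMPLE_FILES` is constructed for the demonstration.

```python
"""Screen files saved from an old disk before restoring them onto a rebuilt system.

Added example for this thread (hypothetical helper, not from any poster).
"""
from __future__ import annotations

from pathlib import Path

# Leading-byte signatures and what to do when one matches.  Assumption: this
# list is an illustration, not a complete catalogue of risky formats.
SIGNATURES: list[tuple[bytes, str, str]] = [
    (b"MZ", "block", "PE executable (EXE/DLL/SCR)"),
    (b"\x7fELF", "block", "ELF executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "review",
     "OLE compound document (DOC/XLS/PPT; may contain macros)"),
    (b"PK\x03\x04", "review", "ZIP container (DOCX/XLSX/JAR; inspect contents)"),
]

# Extensions Windows treats as directly executable or scriptable.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".cpl"}


def classify(name: str, head: bytes) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    ext = Path(name).suffix.lower()
    for magic, verdict, reason in SIGNATURES:
        if head.startswith(magic):
            if verdict == "block" and ext not in EXECUTABLE_EXTENSIONS:
                # Content says executable, name says otherwise: flag the mismatch.
                reason += f" disguised as {ext or 'no extension'}"
            return verdict, reason
    if ext in EXECUTABLE_EXTENSIONS:
        return "block", "executable/script extension"
    return "allow", "no executable signature"


def screen(files: dict[str, bytes]) -> dict[str, tuple[str, str]]:
    """Classify a mapping of name -> leading bytes (in-memory form, used by the sample)."""
    return {name: classify(name, head) for name, head in files.items()}


def screen_directory(root: Path, head_len: int = 16) -> dict[str, tuple[str, str]]:
    """Classify every regular file under `root`, reading only its first bytes."""
    result = {}
    for p in root.rglob("*"):
        if p.is_file():
            with p.open("rb") as f:
                result[str(p.relative_to(root))] = classify(p.name, f.read(head_len))
    return result


# Constructed sample of what a "just save my data" copy might contain.
SAMPLE_FILES = {
    "letters/notes.txt": b"Dear Group,\n",
    "photos/holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "photos/holiday2.jpg": b"MZ\x90\x00\x03\x00\x00\x00",   # PE file renamed to .jpg
    "docs/report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00",
    "docs/budget.xlsx": b"PK\x03\x04\x14\x00\x06\x00",
    "tools/update.exe": b"MZ\x90\x00",
    "docs/invoice.pdf.vbs": b'MsgBox "hello"',          # double extension, script
}


if __name__ == "__main__":
    for name, (verdict, reason) in sorted(screen(SAMPLE_FILES).items()):
        print(f"{verdict:6}  {name:24}  {reason}")
```

A "review" verdict is where the DOC-file problem from this reply lands: the screen cannot tell a harmless document from one carrying a macro, so those files are opened on the rebuilt system only after a current scanner has seen them, and never by double-clicking from the old copy. Anything marked "block" should not be restored at all; programs are reinstalled from their vendors' sites.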