The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Been antivirus free for a little while now

    Discussion in 'Security and Anti-Virus Software' started by Hungry Man, Mar 17, 2011.

  1. Hungry Man

    Hungry Man Notebook Virtuoso

    Reputations:
    661
    Messages:
    2,348
    Likes Received:
    0
    Trophy Points:
    55
    My security consists of:
    1) Chrome Beta with built in XSS auditor turned on.
    2) DDWRT router with adblock script/ a malware black list.
    3) Windows 7

    That's it. No windows defender and no more MSE. Been virus free.



     
  2. ssssssssss

    ssssssssss Notebook Evangelist

    Reputations:
    234
    Messages:
    542
    Likes Received:
    0
    Trophy Points:
    30
    It must be ten years since I had a virus, I just have to eradicate them from other people's systems with depressing regularity...
     
  3. Hungry Man

    Hungry Man Notebook Virtuoso

    I haven't had a Virus on Windows 7 yet.

    I've definitely removed my fair share of them for people.

    Oh and UAC off. That thing is a useless pain. But UAC is more about protecting the users from themselves, it has very little to do with malware.
     
  4. Baserk

    Baserk Notebook user

    Reputations:
    2,503
    Messages:
    1,794
    Likes Received:
    1
    Trophy Points:
    56
    Do you really find UAC such a bother? How often do/did you have to deal with it?
     
  5. Hungry Man

    Hungry Man Notebook Virtuoso

    I dislike being asked whether I REALLY want to do things. Chances are, I really do. I tried just turning it down but I saw no real value in it so I turned it off completely.

    Now I don't deal with it at all and I really don't feel any less secure.

    Oh I also have javascript disabled on certain sites. It speeds them up and secures them even more. I honestly don't think that rogue javascript is something that Chrome has to worry about 99% of the time (outside of clever exploits that manage to stay in the sandbox and garner information) but it does stop some annoyances.
     
  6. ssssssssss

    ssssssssss Notebook Evangelist

    I sacked off NoScript etc cos I got bored with having to enable fifteen domains for every damn AJAX site, & moved over to running a VM for web surfing. Install as many damn viruses as you want, suckers, I'll burn the machine and set a new one up next time I go on the net.

    And agreed on UAC, it does my head in. Yes, I just clicked on the program to run it, so I'm sure I want to run it - I didn't change my mind in the 0.00000001 seconds it took you to pop the dialogue box up. Agreed it is probably useful for >95% the Windows userbase tho.

    (on a similar note: I just got a slimline Xbox. When I eject a disc, it makes an irritating 'ping' noise. Why? I'm right next to it - I just pushed the button, and my arms are only of average length. I pushed it because I wanted to eject the disc. I can see the tray ejecting with the disc in it. WHY DO YOU FEEL THE NEED TO MAKE A NOISE??)
     
  7. Hungry Man

    Hungry Man Notebook Virtuoso

    Yes, noscript was a bit of a pain although after a few days and after you've visited all of the most visited sites you pretty much forget it's there. I have javascript allowed globally but I've used Chrome to block javascript on a few sites (streaming sites etc) that I would simply prefer to not give the chance.

    This is one security measure I'd recommend to anyone since it speeds up that particular site while also keeping it more secure. You can't say that about most security measures, they almost always have some negative effect.

    The only problem with it is that I already KNOW those sites. But I also know they're often vulnerable. Keeping javascript globally enabled means I am subject to malicious code, but I'm not worried.

    And yeah, UAC is a paiiiiiiiin. I just didn't need it. I know a lot of people will benefit from having to second guess each click, but I'm not one of them.

    And yes, the xbox is a decent analogy lol
     
  8. ssssssssss

    ssssssssss Notebook Evangelist

    It's so difficult explaining things like Javascript & arbitrary code execution, XSS scripting etc to your average man on the street though...

    You obviously have knowledge behind what you're doing - same as me, you could probably name ten different ways of mitigating these attack vectors, with pros & cons for each.

    The difficulty comes with trying to explain to Grandma that websites have the ability to completely own your computer though. The whole model needs redesigning to account for security from the ground up, although I can't see that happening. Every web browser in default installed state is so vulnerable to malicious code (yes, even Chrome - there's wide speculation that Google bought out whoever was going to hack it at pwn2own, but that the vulnerabilities actually existed).
     
  9. Pitabred

    Pitabred Linux geek con rat flail!

    Reputations:
    3,300
    Messages:
    7,115
    Likes Received:
    3
    Trophy Points:
    206
    With all security of any sort turned off on your machine, how can you be sure you don't have a virus or your machine hasn't been rooted?

    All of the advice in this thread is horrible. Disabling UAC is just silly... it's not about protecting the user from themselves. It's about warning the user that "Hey, this program is trying to do something restricted... did you intend for that?" It's finally putting a Unix-style security model on Windows.

    As for antivirus... even with all your protections, there could be something that slips through. I'm guessing you've uninstalled Flash? Go ahead and turn off real-time scanning and all, but not using AV at all on a Windows machine? That's just playing with fire for no good reason.
     
  10. Hungry Man

    Hungry Man Notebook Virtuoso

    I'd be very surprised if Google bought out pwn2own. The fact is that Google has long encouraged people to show them bugs in Chrome so that they can fix them. There's even a 20,000 dollar reward for anyone who can successfully exploit Chrome and get out of the sandbox.

    Out of the box I'd say Chrome is still the most secure browser.

    I think it's more likely that whoever was signed up had planned on using a bug that had been patched the week before pwn2own (Google released a rather large security update the day before the cutoff that patched 14 exploits as well as updating the V8 and Webkit.)

    Simply by enabling XSS auditing in about:flags I feel that that is all the "tweaking" I need to do in Chrome. Obviously it's not all the tweaking I've done, but I'd still feel pretty safe. V8 + sandboxing makes malicious javascript feel pretty tame. I know of a few exploits myself and I personally have never run across them (it's possible they're patched by now but I'm fairly certain they aren't.) Even those exploits can only gain very limited information.

    I set up a LOT of computers for people (and I get paid to sometimes for it too! haha) and it's very very difficult to explain that the McAfee antivirus that they paid for is in fact not doing a great job and they can do much better with a free antivirus. They don't want to hear that and most of the time I just don't bother because they won't want to uninstall a program that they've paid for.

    Pitabred, I'm sure to scan once a month or so. I've dealt with dozens of infected computers and there's often at least some sign of infection.

    Yes, UAC is a great step towards the unix-style security model. I'm just not interested in it. It can stop viruses from doing things that take certain permissions but that's it. It's more of a pain than anything else.

    As for flash, it's not installed except for the one that comes in Chrome. As of Chrome 10 flash is sandboxed, which is a huge security feature considering how terrible flash can be in that area.

    As for no good reason, I just no longer see any reason to keep it on the computer. If I get a virus I'll remove it and go back to using an AV but I don't think I will.

    UAC will stop a virus from totally destroying the entire OS on the computer lol you won't have a virus messing around in a lot of folders. However it won't protect your personal data that's stored on your desktop and it won't prevent much of anything else.
     
  11. ssssssssss

    ssssssssss Notebook Evangelist

    Please don't confuse discussions of what people with knowledge are doing with their own machines, with advice being offered to everyone else.
     
  12. Hungry Man

    Hungry Man Notebook Virtuoso

    Oh, in case I need to clarify I would NEVER recommend someone stop using an antivirus. I'm personally doing this because
    a) I want to see how well the rest of my system's defenses work
    b) I was cleaning up my computer and I realized I probably didn't need one

    I wish more people knew about using and upkeeping an antivirus program (I see people with antiviruses that they never run and that are never updated) because I have probably spent the equivalent of a month just troubleshooting different people's problems, all of which could have been prevented by simply having kept their AV up to date.
     
  13. Pitabred

    Pitabred Linux geek con rat flail!

    The problem is that this is a public forum, and people will read this and say "Hey, that guy isn't using AV, so why do I need to?" and promptly become part of a botnet.

    Anything posted in this forum ends up being advice, which is why I posted that disabling UAC and AV is a silly thing to do. Even for very knowledgeable users it's bad practice. Take ownership of directories that need to be written to, or install programs that behave badly to somewhere other than Program Files, don't disable UAC.

    I'm glad you both think your machines are uncompromised. They even possibly are clean. But it's not an example that should be set for normal or even advanced users.

    Exactly. Thank you :)
     
  14. Hungry Man

    Hungry Man Notebook Virtuoso

    That's a good point. I'll quote myself and throw it in the first post.

    I was simply trying to show that other methods can be effective against viruses but I wouldn't want anyone to get the wrong idea.
     
  15. mujtaba

    mujtaba ZzzZzz Super Moderator

    Reputations:
    4,242
    Messages:
    3,088
    Likes Received:
    507
    Trophy Points:
    181
    @Hungry Man:
    Multiple consecutive posts clutter up the forum and are against the rules.

    UAC is another hurdle for attackers, always a welcome thing.

    Chrome's sandbox is not magic, basically the sandboxed code will be run at a reduced privilege. If you want real sandboxes, try one like Sandboxie, but a very very good attacker can break through even those because of the silly security model of Windows.

    Browser vulnerabilities always exist, and detecting viruses by using the "force" is not recommended, it is not exactly the Pentium age when too much HDD activity or serious slowdowns would be hallmarks of a malware infection, malware writers these days are pretty good at hiding you know...

    Flash is not the only troublesome component either. There is Adobe Reader, there is the Java runtime and other cool stuff. There was even this cute .ani vulnerability affecting a ton of computers when it came out and exploitable only if you happen to load a page with a problematic .ani.
     
  16. Thaenatos

    Thaenatos Zero Cool

    Reputations:
    1,581
    Messages:
    5,346
    Likes Received:
    126
    Trophy Points:
    231
    Windows 7 UAC is one of the best security tools in a personal PC arsenal and it's free!

    MSE and avast run lean and mean as does windows defender even on the slowest hardware. So there really is no excuse for removing good malware protection...
     
  17. ssssssssss

    ssssssssss Notebook Evangelist

    ....use a (proper) VM.

    Apologies if I wasn't entirely clear, but my first post in this thread about UAC does specify that I have disabled it myself, but would not recommend the same to '>95% of the Windows userbase'.
     
  18. mujtaba

    mujtaba ZzzZzz Super Moderator

    Albeit the default settings of Windows 7 UAC are not good if my memory serves me correctly, you have to tweak it a bit to make it as powerful as Vista's.

    Most users don't want to go through that trouble, but, yes, that can be also pretty effective (although you would also have to watch out for driver and virtual device exploits as well. I see a worrisome amount of exploits for Virtual Machine software.)
     
  19. Hungry Man

    Hungry Man Notebook Virtuoso

    Consecutive posts? I've posted twice in a row... twice o_o but I'll try to edit.

    UAC is another hurdle but it assumes malware has already gotten onto the computer. I honestly don't think it will get that far.

    As for "the force" perhaps you underestimate it ;D

    =p But I will be scanning once in a while. I keep a .exe of superantispyware on my RAM disk (I had extra space and I felt like it was being wasted >_> lol) so I can always run it at any time. I always have a USB that I used to repair others' computers and a Hiren's USB.

    I'm aware malware has gotten very good at hiding. A properly working rootkit is almost impossible to find.

    I don't have adobe reader. I use Chrome's .pdf viewer. Java is a pain though! Not much to do about that one except try to prevent as much as possible.

    Yes, sandboxing relies on the OS's security but it has a decent enough track record. Disabling javascript on sites that I don't trust (and that I KNOW have been infected before *cough*surfthechannel.com*cough*) is a big help. Same goes for XSS auditing, which is a huge security issue for even uninfected sites.

    My malware list and my regular adblocking are also very nice but of course they don't prevent anything when I'm not on that network.

    Mujtaba, I think you're right about having to tweak it. Vista got so much hate for UAC (people didn't understand it at all) that they toned it down in 7, which sacrificed security.

    I wouldn't bother with a VM. Too slow.


    edit: Didn't realize I was the post above this >_> sorry lol
     
  20. ssssssssss

    ssssssssss Notebook Evangelist

    True, although this is countered by the fact that that's usually saved for more targeted attacks where it is already known that the target is using a VM - i.e. they're not commonly found in your run-of-the-mill web drive-by attack.

    I just can't see why more people (particularly OEMs) aren't deploying web browsers as standalone VMs, like VMware ThinApp, or the Firefox for HP Virtual Solutions that comes on HP's business PCs but not the consumer ones.

    When it's presented like this (on a per app basis rather than virtualising a whole OS), it's not really any more complicated to the end user, and offers vastly more security.
     
  21. Thaenatos

    Thaenatos Zero Cool

    Been out of Windows for a while now so I'm not sure of the default setting, but I think it's medium. So yeah, to make it as powerful as Vista the slider needs to move up a notch, but still an indispensable tool for Windows users and I'll always click a box when running a binary/script/application if it means my box is clean and clear. :)
     
  22. Hungry Man

    Hungry Man Notebook Virtuoso

    ^I hate clicking boxes =p I'll take my chances.
     
  23. mujtaba

    mujtaba ZzzZzz Super Moderator

    @Hungry man,
    So far a double post and a triple post. I'll dock you brownie points for that.

    @ssssssssss
    I wonder how soon they will add VM exploits to the list though, malware writers so far have proven to be far more versatile than their targets.

    First things first, I think we better worry about having users migrate to an IE version higher than 6... Or just not disable Windows Update. Even many tech firms have terrible security, just take a look at the usual tech horror sites...

    EDIT: Albeit I would applaud the idea of OEM installed VM :)
     
  24. Hungry Man

    Hungry Man Notebook Virtuoso

  25. Ghost_AWP

    Ghost_AWP Notebook Evangelist

    Reputations:
    416
    Messages:
    595
    Likes Received:
    0
    Trophy Points:
    30
    Couldn't agree more. +1 and I would give you more if I could!

    I'm not going to bother reading all of the replies to this thread, since most of the people on here are smarter than me when it comes to coding and each of them is quite verbose in their explanations. But UAC is intended on notifying you of programs that are attempting to install, with or without your knowledge. The intent is to remind the user to use elevated privileges in order to complete a task. If you're logging in as an administrator and have UAC disabled, then I hope you know what you're doing.

    As for not having AV, well, if you're careful I guess you can get away with it. Have fun surfing the Internet reading text only webpages.

    I'm reminded of a quote from Full Metal Jacket when the drill sergeant finds an unlocked footlocker in Private Pyle's bunk: "If it wasn't for ***** like you, there wouldn't be any thievery in the world would there?"
     
  26. Hungry Man

    Hungry Man Notebook Virtuoso

    I'm not very careful at all when it comes to browsing. I consistently go to pages that I know have been infected before. Surfthechannel and megaupload are great examples of this. At one point I had to fix more than a dozen computers for a vundo virus that was infecting computers via these sites.

    I still use both of those sites. If I'm infected it's hiding well. I'm sure I'll find it when I scan if it's there, but I honestly don't think there will be anything.
     
  27. Ghost_AWP

    Ghost_AWP Notebook Evangelist

    Hey to each his own. Most of my contacts won't allow a computer on their network that isn't properly patched and has an AV solution. It's not something I would ever recommend. But I would recommend a good image restoration system.

    I like going to sites that I probably shouldn't go to. :eek: I take the necessary precautions, but I know that I run the risk too. Even with the highest security, you are still vulnerable. Hackers are always one step ahead.
     
  28. Hungry Man

    Hungry Man Notebook Virtuoso

    A direct attack from a hacker is virtually defenseless barring you shut the internet off. Generic malware created by pseudo-hackers is a different story and is much easier to defend against. Yes, if someone makes a virus that specifically targets Chrome Windows 7 using my defenses it'll get past them.

    If a hacker personally attacks me I can't defend against it outside of turning the internet off completely or implementing more tiresome techniques.

    Generic viruses/rogue scripts are meant to hit as many people as possible, and not many people use the defenses I do so they won't be too successful.
     
  29. hakira

    hakira <3 xkcd

    Reputations:
    957
    Messages:
    1,286
    Likes Received:
    0
    Trophy Points:
    55
    These kind of threads pop up every couple of months, they're sort of amusing :D

    You can run AV/firewall free with no problem, if you are a smart user. My AV (mse) alerted about my first virus in 8 years on a pc of my own, and it turns out that it was actually something I wrote myself years ago, so it was dormant/docile/sealed away, and it wasn't detected because I tend to not scan my externals :rolleyes: Other than that there hasn't been a single virus on my machines because I don't click on suspicious links, don't fall for the "you are infected click here to scan!" crap, etc.

    If people are looking for advice there really are 2 "set and forget" options: either get MSE and leave it be, or do your daily browsing and whatever under a linux environment. Plenty of distros are computer-newb friendly (had a couple friends ask me if I was using a Mac/OSX because it looked easy to use, it was ubuntu) and while they aren't completely secure on their own they really don't fall for most attacks out there, since an .exe won't work without WINE running!
     
  30. Hungry Man

    Hungry Man Notebook Virtuoso

    Well I'm not too careful when browsing lol but I'm not about to click on "Hey you've just won a million dollars!" pop-ups either =p

    MSE uses so little resources I would prefer to just leave it in the background than have to get used to using linux. Plus I play games and dual booting is just a waste if I'm going to be on windows anyway. Plus I use VS'08.

    Easier to just use MSE. But I also feel that all of my current defenses are enough.
     
  31. Koshinn

    Koshinn Notebook Deity

    Reputations:
    171
    Messages:
    1,146
    Likes Received:
    11
    Trophy Points:
    56
    I'm not sure what you mean by you can't defend against a hacker personally attacking you without turning off the internet.

    If you're patched, running a decent firewall (windows firewall will do), not using IE6, not using XP, and don't have any programs you don't need open, you should be fine. There are very few ways to actually defeat a firewall without having the user click something first. If you also cut out Microsoft Office (including Outlook) and Adobe Acrobat, you'll be REALLY safe.

    If you're running a fresh install of Win7 SP1, patch it, and run a patched Chrome, there's almost nothing a hacker can do unless he can trick you into visiting a malicious website... and even then, Chrome is damn secure. Basically, unless they're at a professional level and can develop 0-days or happen to have a bunch laying around unused and unknown, there's nothing they can do. 99% of "hackers" are just script kiddies that wouldn't even know where to begin with development.

    Now if someone malicious has access to your layer 1 stuff, then you're screwed anyway and you have much bigger problems. I recommend a Smith and Wesson M&P9.
     
  32. Hungry Man

    Hungry Man Notebook Virtuoso

    Patched/firewall/OS won't really matter.

    Hacking is not like infecting. Infecting someone with the things you mentioned is pretty much impossible (I don't use Office or acrobat =p) but actual hacking is different from all of that. It's not about getting a user to do anything, it's about exploiting the OS itself (Most people use telnet instead of SSH, makes it easy)

    I definitely agree that 99% of hackers are by name only and really don't know how to do much other than patch up older viruses. There are hackers who know enough that we just can't stop them, but they'd have to have some personal vendetta against you lol. My point was just that there's a big difference between protection from a legitimate hacker and protection from a generic malicious code.
     
  33. Koshinn

    Koshinn Notebook Deity

    No, most people don't use telnet. They don't have any way to console in because most people use windows. If you don't have any way in to your os or openings in your firewall, there is nothing any hacker can do without what I stated earlier: 0 days, the user voluntarily (but unknowingly) opening up ports, or layer 1 access.

    Patching helps with 0 days. Running a user account helps with accidentally running malware (but doesn't eliminate it). And a nice firearm deters people from messing with your router and computer.
     
  34. Hungry Man

    Hungry Man Notebook Virtuoso

    Telnet was one example, I'm told there are quite a few others that are exploitable. I'm not a hacker but I know a few. 0 days will obviously do it but it's not like everything is patched as soon as it's found. And it's not like everything is found anyways. There are exploits that the programmers aren't necessarily aware of.
     
  35. Pirx

    Pirx Notebook Virtuoso

    Reputations:
    3,001
    Messages:
    3,005
    Likes Received:
    416
    Trophy Points:
    151
    Nonsense. UAC has absolutely nothing to do with any of this. UAC is a convenience feature. See here for a bit of background.

    In my experience, it's a pain only for those people who don't know how to use a real computer, and are comfortable only with 1980s-style DOS.

    That's a popular fairytale, and I'll leave it at that. My money is on IE, if anybody wants to know.

    This discussion certainly doesn't sound like one that "people with knowledge" are having. Au contraire...

    No, you clearly are not. I have worked in (professional) computer security for a fair amount of time, and I'll tell you that you're just fantasizing. Hacking into an updated and properly maintained and configured Windows 7 box isn't easy at all.
     
  36. Hungry Man

    Hungry Man Notebook Virtuoso

    Pirx, I've never seen you post one thing I've agreed with! lol

    1) UAC doesn't let the user mess around with things without hitting "yes" which was my point.

    2) I can't see how this has anything to do with DOS. I know how to use a computer lol

    3) "I'll leave it at that" -- Please don't. I'd love to hear all about Chrome's lack of security features. No one's saying it's perfect, but its security is effective and non-invasive.

    4) More silly ad hominem statements. Yet another user on the internet who thinks that condescension somehow makes them look better.

    5) Hence the "I'm not." I know hackers. They seem confident. No one is saying it's easy, did I? Please show me where I said that lmao

    Read the entire topic. It's easy to pick at a single post but you're way off base.

    edit: And IE as the most secure? That's silly. It has the most widely known vulnerabilities, whether they're patched up or not. Its social engineering protection is great, but it has to be, because the (majority of the) people who use IE are the ones who are actually vulnerable to that. IE has plenty of protection features but if you exploit it you get full control. That's not the case with Chrome.

    edit2: agh and suddenly I realize I don't actually want to have that argument.
     
  37. Pirx

    Pirx Notebook Virtuoso

    You're quite the funny guy, eh?

    Uhmm, I have quoted from a half dozen posts there...

    Yep, we knew already that you have no clue of what you are talking about. I won't waste anymore of my time with this. Pearls before the swine...
     
  38. Hungry Man

    Hungry Man Notebook Virtuoso

    Golly what a big internet tough guy! My poor opinions have been torn to shreds by your unrelenting wit ;_; plz have mercy

    edit: I also love how you cleverly avoided responding to the majority of my post. Masterful, really.
     
  39. LaptopNut

    LaptopNut Notebook Virtuoso

    Reputations:
    1,610
    Messages:
    3,745
    Likes Received:
    92
    Trophy Points:
    116
    There are ways to add layers of protection against 0 day exploits. You can use generic behavior monitors. Regardless of which 0 day attacks are out there, all of them need to do something on your system that is suspicious whether it be accessing an area of the registry auto run areas, using trusted programs to spawn child processes to access the internet, opening ports, terminating a process etc. If you take a look at the steps needed for malware to gain control over a system you will see a pattern and even if there is not one, it will still need to do certain things each time to gain control over a system.
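
    The kind of generic behavior monitor described in the post above, sketched as an added example (not part of the original thread and not any product's code). It scores the four behaviors the post names over a constructed event stream; the event format, the trusted/protected process lists, the weights and the threshold are all assumptions.

```python
from collections import defaultdict

# Registry auto-run locations (real Windows keys), compared in lower case.
AUTORUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
# Assumptions for this example: which programs count as "trusted" document
# handlers, which processes are protected, and who may open listening ports.
TRUSTED_PARENTS = {"winword.exe", "acrord32.exe"}
PROTECTED = {"msmpeng.exe", "msseces.exe"}
LISTEN_ALLOWED = {"svchost.exe"}
WEIGHTS = {"autorun_write": 3, "trusted_child_net": 3,
           "new_listener": 2, "kill_protected": 4}
ALERT_THRESHOLD = 5  # one odd action is noise; a combination is a pattern


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


class BehaviorMonitor:
    def __init__(self):
        self.image = {}                   # pid -> executable name
        self.parent = {}                  # pid -> parent pid
        self.findings = defaultdict(set)  # root pid -> rule names that fired

    def _root(self, pid):
        # Oldest known ancestor, so a chain of children is scored together.
        seen = set()
        while pid not in seen and self.parent.get(pid) in self.image:
            seen.add(pid)
            pid = self.parent[pid]
        return pid

    def _trusted_ancestor(self, pid):
        seen, ppid = set(), self.parent.get(pid)
        while ppid in self.image and ppid not in seen:
            if self.image[ppid] in TRUSTED_PARENTS:
                return True
            seen.add(ppid)
            ppid = self.parent.get(ppid)
        return False

    def handle(self, ev):
        """Process one event; return the name of the rule it tripped, if any."""
        kind, pid, rule = ev["type"], ev["pid"], None
        if kind == "process_create":
            self.image[pid] = basename(ev["image"])
            self.parent[pid] = ev["ppid"]
        elif kind == "registry_set":
            if ev["key"].lower().endswith(AUTORUN_KEYS):
                rule = "autorun_write"
        elif kind == "net_connect":
            # A non-trusted child of a trusted program reaching the network.
            if (self.image.get(pid) not in TRUSTED_PARENTS
                    and self._trusted_ancestor(pid)):
                rule = "trusted_child_net"
        elif kind == "net_listen":
            if self.image.get(pid) not in LISTEN_ALLOWED:
                rule = "new_listener"
        elif kind == "process_terminate":
            if (basename(ev["target_image"]) in PROTECTED
                    and ev["target_pid"] != pid):
                rule = "kill_protected"
        if rule:
            self.findings[self._root(pid)].add(rule)
        return rule

    def verdicts(self):
        """Process trees whose combined behavior crosses the threshold."""
        out = {}
        for root, rules in self.findings.items():
            score = sum(WEIGHTS[r] for r in rules)
            if score >= ALERT_THRESHOLD:
                out[root] = (score, sorted(rules))
        return out


# Constructed telemetry: a document handler spawns a dropper (pid 1100) that
# calls out, persists and kills AV; an installer (pid 3000) only sets RunOnce.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1000, "ppid": 500,
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"type": "process_create", "pid": 1100, "ppid": 1000,
     "image": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"type": "net_connect", "pid": 1100, "dest": "203.0.113.7:443"},
    {"type": "registry_set", "pid": 1100, "value": "upd",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "process_terminate", "pid": 1100, "target_pid": 900,
     "target_image": "MsMpEng.exe"},
    {"type": "process_create", "pid": 3000, "ppid": 500,
     "image": r"C:\Downloads\setup.exe"},
    {"type": "registry_set", "pid": 3000, "value": "finish",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"},
]


def run_demo():
    mon = BehaviorMonitor()
    for ev in SAMPLE_EVENTS:
        mon.handle(ev)
    return mon.verdicts()


if __name__ == "__main__":
    print(run_demo())
```

    The installer's single RunOnce write stays below the threshold, while the three behaviors chained under the document handler are reported as one process tree.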
     
  40. Lithus

    Lithus NBR Janitor

    Reputations:
    5,504
    Messages:
    9,788
    Likes Received:
    0
    Trophy Points:
    205
    Haha, that's an awesome statement. My bulletproof vest is bulletproof unless you have a bullet that can penetrate it.

    Anyways, I'm with Pirx. A fully patched system is quite secure. Most firewalls by default block all incoming connections, so I'd have to find a program to exploit (hello separation of executable code and data) (hello randomized virtual memory). Then I'd most likely have to raise privileges (hello UAC). And only then can I maybe do something malicious as long as what I've been doing up to this point hasn't been detected (hello antivirus).

    The true "unprotectable" scenario is when the attacker has physical access to the machine. But at that point, you could just punch him in the face.
     
  41. Hungry Man

    Hungry Man Notebook Virtuoso

    Lithus, your analogy doesn't work. It's like if your suit only protected you from 90% of the bullets on the market and Chrome's suit protected you from 50%. You'd get hit by 10% and Chrome would get hit by 50%, but Chrome has an extra layer under there to protect you.

    Out of the box, IE does not.

    I'm not saying a fully patched system isn't secure, I'm saying that it isn't invulnerable. To try to make your system invulnerable to someone who knows what they're doing is a waste of time because that's never going to happen unless you go out of your way to a hacker off. And it's not like it'll be easy for them.
     
  42. Lithus

    Lithus NBR Janitor

    The analogy was a joke. I was poking fun at how you phrased your sentence.

    I think you greatly over-exaggerate what Chrome can do and under-emphasize what antivirus/UAC provides. I also think you're caught up on the sci-fi movie version of computer hacking. A hack is nothing more than a program attempting to do something in a circumspect way. Antivirus and UAC were created to secure your system against these types of attacks. It serves you no good to turn them off.
     
  43. Hungry Man

    Hungry Man Notebook Virtuoso

    If I thought Chrome was the perfect defense I wouldn't bother with the others. I think Chrome is the most secure browser (Since I'm hardly vulnerable to social engineering hacking) but it's hardly my one defense.

    And that's not what hacking is. Hacking does not necessarily mean you infect them with a virus or something.

    UAC protects you, but I don't feel like hitting a button every time I need to run something as an admin. It's a pain in my , and it's unnecessary if you take other precautions. Is it useless? No, I've said multiple times in this topic that UAC should be used on other computers.

    I don't use it because it serves as more of an inconvenience than anything else.

    As for sci-fi movies, not quite =p though I do enjoy them.
     
  44. Lithus

    Lithus NBR Janitor

    Everyone thinks that they're invulnerable. Just like how everyone thinks that they're a better than average driver. By flaunting your skills, you're just opening a vector for an attack.

    Check out this article on social engineering and hacking. You're more vulnerable than you think: http://goo.gl/VjNKl.

    Not at all what I said.
     
  45. Hungry Man

    Hungry Man Notebook Virtuoso

    Whaaaaaaat? I just said that I'm not invulnerable. But I don't click ads and send my personal info willy nilly.

    Also, I enjoyed that link. I've had that before =p expected.

    It also doesn't mean anything.

    edit: I'm on my CR-48, but on my other computer I have an extension that expands those to show the real link =p
     
  46. Koshinn

    Koshinn Notebook Deity

    Reputations:
    171
    Messages:
    1,146
    Likes Received:
    11
    Trophy Points:
    56
    Yeah, with Win7, the OS isn't the vulnerability anymore. It was fun playing with ms08_067 and surprising how many people actually still run XP SP3. But even with that, you had to get past a firewall.

    I really don't want to explain networking on a forum post, Hungry Man, but you should learn more about it before acting like an expert and handing out advice.

    You can't just brute force your way into a system. It has to be running a vulnerable application with a hole in the firewall. Contrary to popular belief, if you don't drop malware on their system and they have a firewall up, you aren't getting in unless they're running a vulnerable application or service.

    I mean yeah, running a telnet/ssh/vnc/rdp server is a misplaced/brute-forced/social engineered password away from losing root access, but 99.99999% of people at home don't run those services.
     
  47. Hungry Man

    Hungry Man Notebook Virtuoso

    Who's acting like an expert/handing out advice? o_O

    I've said a few times already that I wouldn't suggest anyone do these things.
     
  48. KnightZero

    KnightZero Notebook Consultant

    Reputations:
    93
    Messages:
    152
    Likes Received:
    0
    Trophy Points:
    30
    Hungry Man - I had been doing the same as you for a while on my gaming PC at home - since it is ONLY used for playing videogames and some highly paranoid web browsing. With MSE now low enough on resource consumption that I don't mind it running, it does run now, but I didn't feel unprotected without it. My "working" computers, at least any that aren't running Linux, all have AV of some sort, simply because they might need to handle data backup/shuttle duty at some point. Nasty things can be found in users' computers - thank God I can normally extract the data with a networked Linux box. :p

    Mind sharing that extension? I would certainly put it to good use if it's Chrome compatible.
     
  49. Hungry Man

    Hungry Man Notebook Virtuoso

  50. zakazak

    zakazak www.whymacsucks.com

    Reputations:
    106
    Messages:
    1,299
    Likes Received:
    24
    Trophy Points:
    56
    So much talk about UAC.. you realize that every random trojan/pw-stealer can disable UAC without problems? :S

    About being virus free without any security software.. how can you be sure if you don't use any software? Trojans are installing on your PC; as soon as they are detected they will update themselves to become undetected again.. so if you aren't going for a lucky scan and catch the trojan while it didn't update itself you will never find it.

    Also I have a trojan-builder (creates polymorphic server.exe with all those features.. remote webcam, password stealer, file explorer,...) here which I once bought for 10$ or something (like 6 months ago). It's still fully undetectable to any anti-virus (according to a priv. site which is like virustotal.com). So a random AV-Scan won't help you at all. You need a firewall to disallow random programs to send data from your PC (password stealer, keylogger, trojan,..) as well as proactive-security / HIPS which will detect such undetected trojans.

    Ever heard of java-drive-by? You pay 10$ and get a flash script which changes pictures every 5 seconds. At the same time it will silently download & execute a .exe file in the background. You won't notice it. A simple AV-Scan also won't detect it if the .exe file is undetectable.
     