Monday, December 28, 2009

Security Experts don’t like AntiVirus

It’s like saying don’t use condoms. They know, but believe it or not, they have never used anti-viruses and never got damaged by viruses. I prefer to take other kinds of protection elsewhere to prevent viruses from coming anywhere near my Ethernet card, instead of worrying about removing them with solutions and software packages costing dozens of dollars when the virus is already in. Ethical Hackers hate Anti-Virus.

So slow, so heavy for the system. You will be wondering if you still run a 486. No, I have a dual core with 2 GB of RAM; still, anti-viruses slow your system down.

So you may be wondering why I decided to write this post. Here is the explanation.
Yesterday I booted my laptop with XP, and I saw a wonderful error message saying “Generic Host Process for Win32” was shut down due to an error. After a few seconds the famous and familiar box of “NT AUTHORITY\SYSTEM” with a countdown appeared, saying the RPC service had been shut down and the system had to be rebooted.

This made me think of some worm or virus exploiting some new RPC-DCOM vulnerability.
Quite strange, but still possible in Windows. My laptop was unusable.

So I decided to try that McAfee 2006 that my good old friend fuder sent to me from the other side of the world.
Installation was smooth. After the reboot I was asked for a password for the McAfee Security Center. Every time I wanted to use the antivirus I had to type that password. I have not investigated the arcane reason for this choice, but it’s ok to type a password. A full scan of my hard drive took about 4 hours. I left my laptop working while I was studying.

When it finished checking everything I found out that it had deleted all (and only) my source code, saying it was viruses (they were C++ codes for networking tools, troubleshooting programs and a couple of POP3 crackers I wrote when I was a child, to which I am still attached). Now I don’t understand why it had to consider 100 lines of raw socket coding a virus. But above all I don’t understand why I couldn’t have the chance to decide what to do with the “viruses” on my system. I want to be free to keep them! Damn!

I had backup copies fortunately.

Being always skeptical about the use of an antivirus, I hadn’t used an AV for the last 5-6 years and I wanted to see how and if things had gotten better: McAfee ate about 80-100 MB of RAM in the background and about 160 MB while running a scan, and 40-100% of CPU if you are lucky.
I was not lucky. Indeed, I restarted my laptop, or at least I tried to, but all the services run at startup by this AV froze my PC because of background scans, update requests and attempts to protect my system. I still thought I had a bad virus even though I hadn’t noticed any suspicious activity in FileMon, nor in TcpView, nor in the Registry with RegMon. Until I uninstalled the AV and understood that it was causing the system to freeze, while my original problem was due to a Windows error that I was able to fix by installing a hotfix provided directly on Microsoft’s website.

I will never install an antivirus again, and I have never had a virus on my laptop. This may sound crazy. But the correct usage of a great firewall like 8Signs’s Firewall, the use of Ad-Aware for spyware and adware, and the correct and timely patching of your Windows machine can drastically decrease the chances of getting a virus (using Mozilla or Firefox is always a good choice).
Then I always keep handy little great programs like TcpView, to monitor which processes are accessing the net (useful against malicious programs sending your personal data over the internet, like Trojans), or RegMon to monitor registry activity at the API-call level, keeping track of all the processes reading or writing in the registry.

In the end, rootkits are real menaces to your server or home PC. They are so sophisticated that they can be 100% undetectable, injecting themselves into important system libraries and hiding suspicious files, processes and registry values, modifying APIs and so on. For this kind of rootkit I advise the use of Gmer, a nice little utility that lets you keep track of hidden services and processes that are most likely malicious rootkits. Gmer lets you kill the process and delete the exe/service.
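As an added example (my own script for this post, not code from TcpView or Gmer), here is what those two tools do, ported to a Linux box with /proc: the first part maps every TCP socket to the process that owns it, the way TcpView shows which process is talking to the net; the second part does the “cross-view” trick anti-rootkit tools rely on, asking the kernel directly with kill(pid, 0) whether each PID exists and diffing that against what /proc lists, so a process hidden from the normal listing shows up. The /proc/net/tcp text embedded at the top is constructed so the parser can be exercised offline; the live scan runs only when the script is executed directly.

```python
"""Cross-view process and socket inspection on Linux (added example).

Assumes a Linux host with /proc mounted. SAMPLE_PROC_NET_TCP is constructed
in the exact layout of /proc/net/tcp so the parser can run without a live box.
"""
import os
import re
import socket
import struct

# Constructed sample: one listener on 127.0.0.1:3306 and one outbound HTTPS session.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt"
    "   uid  timeout inode\n"
    "   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000"
    "  1000        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 0F02000A:B3E6 5E3A12C6:01BB 01 00000000:00000000 00:00000000 00000000"
    "  1000        0 67890 1 0000000000000000 20 4 30 10 -1\n"
)

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}


def decode_addr(field):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306). The kernel prints the IPv4 address
    as a host-order 32-bit word, so on little-endian hosts (x86, ARM) the bytes
    appear reversed; '<I' undoes that."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """One dict per socket row: local/remote endpoints, state name, socket inode."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "sl":          # blank line or header
            continue
        rows.append({"local": decode_addr(parts[1]),
                     "remote": decode_addr(parts[2]),
                     "state": TCP_STATES.get(parts[3], parts[3]),
                     "inode": int(parts[9])})
    return rows


def listed_pids():
    """PIDs the normal view shows: the numeric entries of /proc."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def listed_tasks():
    """PIDs plus every thread ID under /proc/<pid>/task. kill(tid, 0) succeeds
    for threads too, so they must count as 'seen' or every thread looks hidden."""
    tasks = set()
    for pid in listed_pids():
        tasks.add(pid)
        try:
            tasks.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:
            continue                                # exited while we looked
    return tasks


def socket_owners():
    """Map socket inode -> pid via /proc/<pid>/fd symlinks ('socket:[inode]').
    Without root, other users' processes are unreadable and skipped, so an
    unattributed socket is not by itself evidence of anything hiding."""
    owners = {}
    for pid in listed_pids():
        fd_dir = f"/proc/{pid}/fd"
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue
        for target in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners[int(m.group(1))] = pid
    return owners


def probed_pids(max_pid):
    """PIDs the kernel admits exist when asked directly: ESRCH means absent,
    EPERM means present but owned by someone else."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def hidden_pids(seen, probed):
    """Cross-view diff: whatever the kernel answers for but /proc never listed."""
    return sorted(probed - seen)


def scan_hidden():
    """Snapshot /proc before and after the probe so a process that merely started
    or exited mid-scan is not reported; repeat the scan to shake out the rest."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    except OSError:
        max_pid = 32768
    before = listed_tasks()
    probed = probed_pids(max_pid)
    after = listed_tasks()
    return hidden_pids(before | after, probed)


if __name__ == "__main__":
    owners = socket_owners()
    with open("/proc/net/tcp") as f:
        for row in parse_proc_net_tcp(f.read()):
            l, r = row["local"], row["remote"]
            print(f"{row['state']:<12} {l[0]}:{l[1]:<6} -> {r[0]}:{r[1]:<6} "
                  f"pid={owners.get(row['inode'], '-')}")
    hidden = scan_hidden()
    print("hidden pids:", hidden or "none")
```

Run it as root to get full attribution of sockets to processes. A PID that survives two or three consecutive scans as “hidden” is worth looking at closely; a PID that appears once and vanishes is almost always a short-lived process that was born and died inside the probe window.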

My “manual” approach versus the automatic approach of an antivirus should be relegated to advanced users with a deep knowledge of how viruses and worms work. Wear the condom if you are not sure who you are going with.
