Windoze Security

The following originally appeared on the Club100 Mailing List. I obtained permission from its author to share it with others a short time later, so here it is for the benefit of all. Thanks, Merch!

Rumor has it that “VBJ” may have mentioned these words:
> …Anyway, there are no bad AV, as long as they’re updated on a
> regular basis: i.e. automatic, or daily.

A common misconception.
In my own not-so-humble opinion, they’re *all* bad in the form that they give a false sense of security – most people just assume they can’t get a virus if they have a regularly updated antivirus. All antivirus programs are fallible and there are many other measures computer users should take to make sure they don’t get infected in case the antivirus fails for some reason.

Here are some steps for extra security:
1) _Don’t_ use McAfee or Norton Antivirus. There’s a reason that McAfee is included free on a bazillion computers – it’s cheap for the OEM manufacturers to offer, and it sucks. I’ve heard a few rumors that Norton *Corporate* doesn’t completely suck, but I won’t take that chance. Corporate is also rather expensive. Ever since Norton removed the ability to immediately delete a virus & all viruses had to go thru the quarantine system, virus writers wrote their wormies to be able to survive & crawl out of the quarantine system.

When I owned my computer store, the breakdown of infected machines went something like this:
30% – latest updated McAfee AV,
25% – latest updated Norton AV (almost all of these were NAV Personal)
20% – any AV that wasn’t updated for 6+ months
20% – No AV whatsoever.
5% – Latest updated “Other” AV.

I used to steer people towards the free AVG antivirus, but the latest version (8.5) is becoming a resource hog just like the other “biggies” and unless you’ve got a CPU that supports Hyper-threading or a full dual-core CPU, I’d think twice about that option.

I’ve had “limited” good luck thus far with the free Avast antivirus. I’ve installed it on around 2 dozen machines and haven’t heard a peep, but that’s still a small sample from the (literally) thousands of computers I’ve worked with over the years. It does advertise that it works well with Pentium 3 series CPUs and still supports Windows 98+, IIRC. Very light with resources. I’ve only installed it on machines running W2K or XP, but about 1/3 of these machines were under 1 GHz and the machines still seemed pretty “snappy” after the install. I also tuned their machines quite a bit, which helps. I’ll detail what I do & why below.

Personally, I use the ClamWin antivirus. This AV works _very_ well, but it is not for beginners, as it doesn’t have any shield technology at all. It’s good at removing viruses (especially on external drives, which is why I like it – it cleans viruses from other peoples’ drives hooked to an IDE->USB dongle very well). It does not protect me from getting infected, however. It’s great for resource utilization (none!) but poor for people who don’t have good security on their machine already. I’ve run ClamWin exclusively for 2 years on 3 personal machines, 2 of which run Winders fulltime and sometimes 24×7 for months _on the internet_ at a stretch, and I’ve not been infected. I’ve had more false positives with this antivirus system, but nothing “important” – no system files or anything like that. It occasionally flags installer utilities that have self-modifying code as part of the install process.

Also, because ClamWin has no “shield” system, it will not fight other AV systems. If you want to use it for scanning USB keys & whatnot, you won’t hurt the OS or other AV program by installing it. I have both AVG (non-free) and ClamWin installed on my laptop at work with no issues. Most other AV systems will not co-exist due to their respective “shield” systems fighting for control, sometimes leaving the computer completely inoperable.

F-Secure used to be really good, but I have not used it since they went from $50 one-time (lifetime updates) to a $50/year cost model.

I also used to have good luck with the E-trust Personal and *great* luck with E-Trust Workstation/Server system, but Computer Associates as a company sucks beyond compare. The great thing about E-trust Workstation/Server is you could block any executable by extension, and there are a *lot* of files Winders considers executable. .PIF, .CHM, .HTA, if you got an email attachment with a virus with that extension, you could not get infected even if you didn’t have the latest definitions. Great security. You could also tell the system to leave certain system processes alone, like Nero for burning CDs. This was the first AV I could use that wouldn’t burn coasters while the “shield” was on. 😉 Haven’t used it in 2 years, however, so I don’t know current status.

I know friends that have had good luck with the Panda antivirus, but I have very little personal experience with them. Certainly better than McAfee or Norton, however.

Another common misconception:
> When are people going to understand that a computer virus that destroys
> the computer it has infected, can’t propagate. It’s like the ebola
> biological virus. If everybody (95%) dies, eventually there will be no
> hosts left to contaminate. If a virus only kills 1% of its hosts, but
> is very contagious – like the flu – it can propagate and cause much more
> damage. Same thing applies to computer viruses.

Except when those viruses can still propagate much faster through hosts than it takes to kill them. Look at the black plague back in ancient times. It killed over 25% of the population, and killed most everyone it touched, yet ran rampant so quickly as to decimate western Europe in about 3 years. That’s why time-delayed destructive viruses are still popular among virus writers, conficker being an example of this.

Wanna make your winders 2000 or XP computer faster, safer and last longer? Here’s some helpful tips:
1) Turn off anything in the startup file you don’t need. Dollars to doughnuts, there’s a lot more there than necessary, all taking up memory & resources.
a) Restart the machine, then without starting any program, click “Start” then click “Run” and type this command: taskmgr and hit “Enter”. This brings up a task manager system that shows you all programs that are running, and how much memory & CPU each are taking. Very handy critter. Click the “Performance” tab and look at the Physical Memory (K) parameters. This tells you how much RAM you’re using right on boot, and you might be surprised! This will give you a baseline to see how much improvement you’re getting after successive reboots after you start turning things off.
b) click “Start” then click “run” and type this command: msconfig and hit “Enter”. Click the “Startup” tab. Anything there that looks hinkey (yes, that’s a technical term) just uncheck the box. Go nuts, if you do turn off something you want you can just recheck the box later. Java updaters, Adobe updaters, itunes updaters, all unnecessary, yet they sit in memory full time & use up resources. When you’re done, reboot & see part (a) again and look at all that memory you have access to again! Yay!
c) How many of you have used System Restore successfully? (Looks around room, sees very few hands…) If you’ve never used it or it’s actually boned you in the past (read: nice safe secret virus storage vector) turn it off. It will speed up your machine by a fair margin. Right click on “My Computer” and click Properties. Click on the “System Restore” tab, and check the “Turn off system restore” box. Oh look at all that CPU and hard drive space you just got back! 😉
c1) Don’t be fooled, this is _not_ a full backup/restore facility. It only concerns itself with parts of the c:\windows directory, registry files, drivers & system files specifically. If you are concerned about not having a full “oh crap” restore facility, go purchase Acronis True Image Home version. It will allow you to create your own protected restore partition on your hard drive that you can update whenever you want. Very handy, I’ve used it on 3-4 machines for others thus far and love it. Me, I yank my hard drive every few months & use Linux to backup the partition – it’s free & geeky (just like me! 😉) but not for a Windows or Linux novice.
d) click “Start” then click “run” and type this command: services.msc and hit “Enter”. This is where you’ll have to be a little more careful, so don’t just go nuts, you _can_ break something in here. However, follow my instructions, and you’ll be fine. I already did all the breaking here. 😉

To turn off a service until the next reboot, double-click on the service itself & hit the “Stop” button. To make sure it never turns back on again, click the dropdown box that may say “Automatic” in it and change it to “Disabled.” If you’re not 100% sure you don’t need it, choose “Manual” and any program that needs it _should_ be able to start it, but it shouldn’t start on boot.

Trust the geek, and turn off & disable these services; they’re wholly unnecessary:
Distributed Link Tracking Client
Error Reporting Service
Google Updater Service (if you have it. Update google shizzle manually.)
IMAPI CD-Burning COM Service (This is what makes Winders burn coasters. Go get Nero, Alcohol 120, or any number of free CD/DVD burning utilities that don’t suck.)
Messenger (this is _not_ Winders Live Messenger.)
Network Provisioning Service (I think this is for web servers, but I’ve turned it off on thousands of desktop computers & had no issues.)
Remote Registry (security hole the size of a Mack Truck!)
Telnet (Why would you want others to telnet into your machine?)
Windows Time (I’ve never seen this work correctly… download a freeware time synchronization utility & sync to

Now, these can be turned off & disabled _if_ you’re not using them:
Alerter (turn this off if you don’t care about administrative alerts. I have this turned off.)
Fast User Switching Compatibility (Terminal services uses this, and I think Remote Desktop uses Terminal services. If you don’t use Remote Desktop (in or out), turn this off.)
Help and Support (turn this off if you never hit the F1 key. I don’t, it’s turned off. If you use the MS Help system, don’t turn this off. Why it’s a service, only BillG knows.)
HID Input Service (Turn this off if you _never_ plan on using a USB keyboard/mouse/credit card scanner/etc. Chances are, leave it on. 😉)
HTTP SSL (This is for the HTTP *Server* built into winders. However, it may be used if you use the Windows Media Network Sharing Service. I do not, I turned it off.)
Indexing Service (If you like slowing down your computer all the time to speed up file searches, leave this on. I do not, I turned it off.)
NetMeeting Remote Desktop Sharing (like the Fast User Switching above, if you don’t use Remote Desktop {in or out} turn this off.)
Network Location Awareness (NLA) (Not sure what this does, I always turn it off and never had a problem. I _suspect_ the Winders Media Sharing jazz might use it, I don’t use Winders Media anything.)
Network Provisioning Service (I think the HTTP server might use this; I turn it off and never had any heartburn.)
Remote Access Auto Connection Manager (If you have dialup Intarweb & like the popup to connect when you open a browser or your email program, leave this on. If you connect dialup manually, or your highspeed connects through the Ethernet port {DSL Modem, etc.} then turn this off.)
Remote Access Connection Manager (Only turn this off if your DSL/Cable access is “Always on.” Some DSL providers (CenturyTEL, possibly others) require this to be on, and all dialup shizzle does too. If you have DSL, turn this off & reboot. If your Intarweb stops, turn it back on & reboot, otherwise leave it off.)
Remote Desktop Help Session Manager (Again, if you _don’t_ use Remote Desktop, turn this off. Otherwise, leave it on.)
Routing and Remote Access (I have turned this off many times, but some corporate LANs might require it, and it’s possible some DSL shizzle may need it. I set it to “Manual” if I’m unsure.)
Security Center (Anything but. If you don’t want Winders telling you your firewall isn’t on or your AV is out of date (most AV’s do that for you anyway) turn this off. Huge resource hog.)
Smart Card (If you don’t read “Smart Cards” with your computer {most don’t} turn this off. If you do read smart cards with your system, you probably know it when you stick one in, or possibly have an RFID reader for it.)
SSDP Discovery Service (This may be used for the Winders Media Sharing stuff that I don’t use. I turn it off, but if you can’t find media on different computers, you might want to keep this on.)
System Restore Service (If you’ve already disabled the System Restore following instructions above, disable the service to take it fully out of RAM.)
Task Scheduler (If you don’t have the computer start tasks at a specific time, turn this off. Conficker & other viruses also use this as a vector to
a) keep the file in use so AV proggies can’t delete it, and
b) do bad things at specified times.
I use a freeware unix-like Cron utility myself for timed thingies, so I turn this off. If you’re not sure if you have any timed tasks, go to the Control Panel and double-click on Scheduled Tasks. If all you see is “Add new task” you don’t need the Task Scheduler service.)
TCP/IP NetBIOS Helper (This goes unused for most people but I *think* that the Remote Desktop Sharing might use this. Turn it off and see if RDS quits working if you use it. If it’s all good, leave it off.)
Telephony (Do _not_ turn this off if you have dialup, or use your computer to send faxes. Otherwise, disable it.)
Terminal Services (Turn this off if you don’t use Remote Desktop. I think disabling this also disables the Telnet function.)
Themes (If you {like me} _hate_ the kandy-koated big-button crap of XP, turn this off. Your computer will have the “ugly old Win9x/2k” look, but at least it’s a sensible ugly, IMHO. And you’ll save a lot of RAM to boot! I *think* you can’t use .jpg pix for your background either, export them to .bmp and use that. 😉 IE & Firefox automatically do that when right-clicking on a picture and clicking “Use as Desktop Background.”)
Uninterruptible Power Supply (if you don’t have one, turn off the service. Otherwise known as a “Battery Backup” and will have a USB or RS-232 connection on it for this service to work.)
Universal Plug and Play Device Host (This is *not* device-based Plug and Play. It’s “Network” based for Windows Media server schtuff, and I don’t use it, so I turn it off.)
Windows Audio (If you don’t have an audio card in your computer, turn this off. Most people do, but I have one that doesn’t!)
Windows Firewall/Internet Connection Sharing (ICS) (If you don’t use Winders Firewall {I don’t} then turn this off.)
Windows Image Acquisition (WIA) (If you don’t have a scanner or download digital pictures *directly* from the camera via USB/Firewire, turn this off. If you have a digital media reader (CF/MS/SC/etc.) this is not used and is safe to turn off.)
Windows Media Player Network Sharing Service (Remember me mentioning this? I don’t use it, I have it disabled. If you don’t share videos or music from your machine to other machines on the network, disable this & free up some RAM!)
Wired AutoConfig (This works on the 802.11x authentication on Ethernet ports. If you have ethernet you probably want to leave this on.)
Wireless Zero Configuration (If you have a desktop machine without any wireless hardware {most don’t} turn this off. If you have a laptop and use wireless, keep this on.)
Chances are, you may need these unless you’re geekier than me:
DHCP Client (only turn this off if you’re using Static IPs.)
DNS Client (If your router has a DNS cache builtin, turn this off. If not, your computer will still work fine, but web browsing may become a bit slower. If you’re having issues browsing certain websites, stopping then restarting this service {without rebooting the machine} may fix that.)

My Windows XP machines typically use less than 90Meg of RAM on boot and everything I need works. I could easily get Win2K down to 65Meg. Again, if you use the Media Server schtuff or Remote Desktop Sharing, this number may change a bit. If I didn’t mention a service, then either
1) I don’t have it on my machine,
2) I’ve never touched the default settings so I have no idea what disabling it might break, or
3) it is necessary for the daily operation of the computer.

Remember, I’ve not had an active “virus shield” system on my Winders computers for over 2 years and have not gotten infected. However, I have a much better firewall in my home router which helps protect me, and most systems on my home network (10+) run Linux. But also, a lot of the services above are active vectors for viruses to exploit, and outright disabling them stops not only past & current but also *future* viruses cold if a security-challenged service is just plain turned off.

A good analogy to the “Automatic”, “Manual”, “Disabled” settings would be a Steel Door on a building. Automatic means the door is wide open… come on in! Manual means it’s closed, and maybe has a manual deadbolt on the outside of the door. Flip the lever & turn the knob and you’re in, but many hackers (crackers, actually) would not check for that, they’ll just look for wide open doors. “Disabled” is welded shut. 😉

This is a distillation of almost 20 years of Dos & Windows experience from DOS 3.3 and Windows 2.0 386 to XP. I have precious little Vista experience and hope to keep it that way. 😉 There might be errors in the above and I don’t know everything about windows as I’m still much more a Linux engineer and I refuse to use Windows as a server platform at home & try to avoid it at work (and we use Server 2003, not XP for that also). But I’ve worked on literally thousands of XP machines both at my current employment & before with Iceberg Computers cleaning viruses & whatnot, and this is a compilation of my “If you remove it and it doesn’t break, don’t put it back in” engineering mantra. 😉

I apologize for the length of this missive, but remember: I wasted a whole lot more of my bandwidth than yours sending this! <snicker> 😉 Hopefully this helps people on the list improve the operation of their windows computers & keeps ’em running longer. Enough geek stuff, now I have to go unload DJ equipment & mow lawns. 😉
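The services.msc walkthrough above (step d and the “wholly unnecessary” list) is done one service at a time by hand. As an added example that is not part of Merch’s message, here is a script that does the same attack-surface reduction for the first list in bulk, in audit mode by default and with a backup so each change can be reversed. It assumes Windows PowerShell 2.0 through 5.1 run from an elevated prompt (Get-WmiObject is not available in PowerShell 7), and that the services carry the English display names shown in the post; the script and its parameter names are this example’s own, not a Windows or project tool.

```powershell
# Added example: audit, then optionally stop and disable, the services the post
# calls "wholly unnecessary". Not from the original mailing-list message.
# Assumes Windows PowerShell 2.0-5.1 running as Administrator on 2000/XP/2003.
param(
    [switch]$Apply,                                  # without -Apply, only report
    [string]$BackupPath = "$env:USERPROFILE\service-startup-backup.csv"
)

# Display names exactly as they appear in services.msc (from the post's list).
$Unnecessary = @(
    'Distributed Link Tracking Client',
    'Error Reporting Service',
    'IMAPI CD-Burning COM Service',
    'Messenger',
    'Network Provisioning Service',
    'Remote Registry',
    'Telnet',
    'Windows Time'
)

# Win32_Service exposes StartMode (Auto/Manual/Disabled); the old Get-Service does not.
function Get-ServiceState([string]$DisplayName) {
    $escaped = $DisplayName -replace "'", "''"      # keep a quote in a name from breaking the WQL filter
    Get-WmiObject -Class Win32_Service -Filter "DisplayName='$escaped'" |
        Select-Object Name, DisplayName, State, StartMode
}

# Reverse the change later using the CSV written by -Apply.
# WMI reports "Auto", but Set-Service wants "Automatic", so map it.
function Restore-ServiceStartup([string]$Path) {
    Import-Csv -Path $Path | ForEach-Object {
        $mode = if ($_.StartMode -eq 'Auto') { 'Automatic' } else { $_.StartMode }
        Set-Service -Name $_.Name -StartupType $mode
        Write-Host ("Restored {0} to {1}" -f $_.DisplayName, $mode)
    }
}

$found = @()
foreach ($dn in $Unnecessary) {
    $svc = Get-ServiceState $dn
    if ($svc -eq $null) {
        Write-Host ("{0,-35} not installed on this machine" -f $dn)
        continue
    }
    $found += $svc
    Write-Host ("{0,-35} {1,-8} {2,-10} ({3})" -f $svc.DisplayName, $svc.State, $svc.StartMode, $svc.Name)
}

if (-not $Apply) {
    Write-Host "`nAudit only. Re-run with -Apply to stop and disable the services present."
    return
}

# Record the current startup modes before touching anything.
$found | Export-Csv -Path $BackupPath -NoTypeInformation
Write-Host "Saved previous startup modes to $BackupPath"

foreach ($svc in $found) {
    if ($svc.State -eq 'Running') {
        # Same as the "Stop" button in services.msc; gone until next boot.
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    }
    # "Disabled" is the welded-shut door from the analogy: nothing can start it on boot or on demand.
    Set-Service -Name $svc.Name -StartupType Disabled
    Write-Host ("Disabled {0} ({1})" -f $svc.DisplayName, $svc.Name)
}

# Undo everything:   Restore-ServiceStartup -Path $BackupPath
```

Run it once without `-Apply` to see which of the listed services exist and whether they are Running and set to Auto; only the ones actually present are written to the backup and touched. The conditional list (Alerter, Task Scheduler, Remote Access Connection Manager and so on) is deliberately left out of `$Unnecessary`, since the post makes each of those depend on whether you use dialup, Remote Desktop or scheduled tasks; add a name to the array only after checking that condition, and set it to Manual rather than Disabled if you are unsure, as the post advises.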
