How To Avoid Viruses At Windows Install Time?
reallocate writes "Can a home user install and update Windows without being attacked by a virus or worm? I'm a Linux user; have been since 1995. Recently, I needed to install Windows XP Pro on a home desktop machine with a Roadrunner cable connection. I tried twice. Both times, the machine was attacked and rendered unusable before I was able to pull down the first update from Windows Update." Read on for more details of what went wrong and when.
Here's a synopsis of my install method:
- Put the Windows XP CD in the drive;
- Disconnect the cable modem from the network card;
- Reboot and install Windows;
- The box remains off the net during the entire install: no registering, no setting up an ISP, no activation, no network configuration, no nothing. (BTW, the only networking component that I install is tcp/ip. All the other MS stuff never gets on the machine.)
- Reboot; Windows runs and all is well;
- Install the current version of Norton Internet Security Professional from a shrinkwrapped CD (firewall, anti-virus, etc.);
- Configure the Roadrunner net connection and reboot to pick up a DHCP lease;
- Launch the Norton update facility (per Norton's recommendation, the built-in XP firewall is turned off);
- Complete the Norton update and reboot;
- Launch Windows Update;
- Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off.
That's as far as I got. During the first attempt, I acquired a virus or worm before I could finish the Norton update (machine powered down). On the second attempt, I got as far as Windows Update and SP1 (continual rebooting).
So...how would you do it?"
You can get a CD from Microsoft (more info here) that would have a lot of the updates you are looking for. You could also download it from your Linux machine, and then do the whole installation offline.
When I install Windows it is behind a NAT firewall which helps (no open ports from the outside). The first thing I do is install SP1 from CD, next I update from Windows Update.
I recommend downloading SP1 and burning it in Linux, then using that CD to patch up the Windows box before connecting it to the network.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
Do the installation behind a personal NAT/firewall device.
(Or, read all the posts about how you can put together some huge, convoluted update CD that's never completely up-to-date instead of just spending $35 on a little hardware firewall.)
Leave the software firewall turned on if you can, if not, get a cheap Linksys Cable/DSL router, it will block all of those viruses.
:P
I have to reinstall most of my family's computers when I go home, I made all of them have routers.
-Bill
Keep the firewalling on, no matter what Microsoft says. I've never had an instance where having a firewall turned on kept windowsupdate from working properly.
We do this all the time where I work.
Use another machine to burn a copy of the latest service pack, and the Sasser worm fix, and whatever other updates you want to include.
After installing, install the updates from the CD, then check windows update for anything else.
With LOVE.
Learn it, love it. Free for non-commercial use, KPF rules me.
Bla bla bla long post extra padding blapsux.
Yes, a firewall and/or NAT is all you really need. Evidently Norton Internet Security did not live up to its promise, which comes as little surprise to me, I must admit.
I've had success installing Windows XP and upgrading it with only Microsoft's Internet Connection Firewall enabled.
What about a router/firewall?
How do you get these worms? This sounds incredulous...
Small potatoes make the steak look bigger.
format
Why don't people pay ~30$ for a router with built in firewall? Even if one got only one PC connected to it it's worth it. No worries about worms or hacks.
Well, a good way of going about this would be to download the updates from Microsoft. They do provide them in binary format which you can install without having to go to the Windows Update site. I got an XP box as well and I do not even try to connect it to any network before I have patched all I can. Plus a firewall between you and your connection would help as well while at it :) Try running a gateway using FreeBSD or your fav *nix OS and that would get you well on your way.
Havin' it large, livin' the life, Welcome to the land of the rising sun.
Set up a firewall box (even something as simple as a linksys). Install like normal, but you're going through the firewall, so there's no direct exposure to the world. Update, patch, reboot ad nauseam without fear.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Turn up the firewall settings? Turn on the Windows Firewall?
I did an out-of-box startup of a new XP machine for my mom a month or so ago no problems with just the XP firewall.
Are you sure it's not a hardware problem?
Other than the obligatory, 'Windoze drools Linux roxxors' kind of statement, I'd advise you to download the updates separately, burn them to a CD/DVD from another previously patched machine (or a Linux box) and use THAT medium to apply the updates to your new install.
Don't park drunk, accidents cause people.
You can download the SP1 and save it to disc if I remember. Then install it from there. How about going through a server, like don't directly connect it to the internet.
...all firewalls are turned off.
Why don't you try turning the firewall on? It will block the RPC calls that are necessary to infect your machine with the most recent series of worms and allow you to install whatever patches are necessary worry free.
Plus, it just makes your PC safer in general.
Duh.
Perhaps also turning on the firewall just actually might work. Windows is targeted for the average Joe. Microsoft doesn't want to have to incur the support costs of explaining to average Joe how firewalls work, so they suggest you keep it off.
If you've really been using Linux that long, you'd have a clue. Really, this submission just sounds like a troll...
It seems more likely you have a dodgy connection or overheat problem than a virus there. Did you detect a virus with Norton or are the shutdowns/reboots all you base this on?
Comment removed based on user account deletion
Elisa is a Finnish ISP.
:/
If Elisa detects a lot of packets coming from someone's computer, they give a warning to the web browser (making Windows Update unusable) and later close the connection. Needless to say, this makes updating the system really hard, since as soon as Lovsan or another worm infects the system (takes about five minutes) and starts sending itself to other IPs, you're unable to update your system.
Yeah, you can use firewall (Windows update works with them, I think), but there are people who get one from the net.
Ridiculous, and I'm sure Elisa has heard some complaints about that system a couple of times
I use a little four port router I got from Wal-mart for $50. I logged onto it using the instructions that came with it and configured it to be connected as needed and used its firewall. I have installed winXP on 6 machines and none of them have gotten a virus. None of the machines I networked on the job have gotten viruses either and all have been behind the exact same $50 wal-mart purchased brand named router with DHCP and firewall enabled.
"He's a real midnight golfer"
XP really doesn't have any services running while it installs, so it's reasonably safe. If it detects a network connection it will download an updated set of installation files that include all of the latest critical updates.
If it's the rpc exploit, telling you windows will shut down in 59 seconds, then you go to the command prompt, and type shutdown -a (abort the shutdown) and all will be well until you can finish downloading the updates.
Barring the fact that I don't believe you when you say that you get viruses over the 20 minutes that it takes to download and install the patches, the fix is simple: get some sort of router/firewall combo, or install a soft firewall before doing the update.
Alternatively, shut down all the services so that you have nothing listening, but if you're too lazy to do that, go out and spend $40 on a Netgear router and voila, you're safe from that crap.
I usually use the built in firewall on XP. Even though it's a MS product, I haven't had a single virus / worm get in while doing updates using the built in firewall. I guess that will keep working until there's a bug found in it...
Turn on the firewall that comes with Windows XP. It at least protects you from worms infecting your system while you download updates.
properties of the network connection -> TCP/IP -> properties -> advanced -> options -> tcp/ip filtering -> properties -> enable -> permit only the tcp ports you need for the updates ...
:(
you can figure that out at least, can't you ?
Use logic and common sense: unplug the machine, install a firewall, then get it online and download the updates. XP even has some sort of built in firewall. Also lots of cable modems have a lock button on them; when you press it traffic is suppressed.
This account has been seized by the GNAA. That is all.
First, boot into linux. Download all the patches you need. Save them to the win32 partition. Disconnect the network and reboot into win. Read the patches from the win32 partition and install. Restore the network.
Was that really so hard to think of? Are you some kind of idiot? Sheeez.
You can always burn some of the updates to CD on a different machine so that you can go straight to SP1 and whatever norton updates before it's plugged in.
I'm not sure where you are, but it shouldn't be /that/ bad... you can always try to install from behind a NAT (linksys/dlink/whatever router), too, that might help.
I'd suggest turning on XP firewall, skipping norton (which isn't that great anyway), and trying from there.
When done, head to housecall.antivirus.com and do a free virus scan.
Where exactly are these viruses you're getting coming from? Without an email client installed, and without navigating to any shady websites between install and patch, I don't understand how your computer could have been infected. It's not like Viruses just appear on unpatched computers, they have to be let in somehow. -- M
So the WORST case scenario is that you don't actually succeed in getting Windows installed? Man, talk about a win-win situation!
I have a cd-rw with avg antivirus and kerio personal firewall. I load windows with the ethernet unplugged. Then I load up the firewall. then I plug the ethernet back in and do the windows update. I have no problems doing the update through the firewall.
Jack Valenti and Orrin Hatch will be first up against the wall when the revolution comes.
before connecting the ethernet cable or connecting to an AP, enable the built in firewall
control panel
network connections
right click the connection
advanced tab
check the box
Seems like you have a good start and the only thing I can think of is putting your computer behind NAT (Cheap router) or a hardware firewall as this will not allow any software bugs to be exploited.
AC: Too lazy to get an account
how fitting
For a home system, I usually do the following:
1) Install with the network/modem cable unplugged.
2) Once on the desktop, go into network properties and enable the built in firewall on all applicable devices.
3) Connect to internet and obtain patches.
4) Profit!!
It's much simpler with a hardware firewall/router protecting you.
liqbase
Put a "buffer" between the windows computer and the cable modem, either a hardware firewall/router or a linux/*BSD gateway server with iptables or pf running.
But before you go (re)install windows, download the "network install" of the service pack with another computer and copy it to a CD for use when you reinstall windows. Load up the firewall, AV, and SP before giving it the network connection. I personally haven't dealt with win XP-SP1, but just leave the software firewall on.....or doesn't matter if it's behind the buffer.
$cat
I've always turned the Windows software firewall on before running the windows update. It's kept me clean so far and I've never run into the problem. It's the simplest solution considering it's already there. No hardware/software setup or difficult CDs!
Even better, I would get a hardware firewall, so that none of the ports that worms travel through are even open.
Basic security from automated attacks isn't particularly hard, you know. Why is this even on slashdot?
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Download the SP1 Network install before beginning your XP installation. Stick it on a CD or a Samba share and install it prior to connecting to the Internet.
"We can't solve problems by using the same kind of thinking we used when we created them."
This solution seems so obvious to me that I wonder why you even bothered to ask. With your apparent technical knowledge, surely you must've thought of this. I'm inclined to think this question was just a veiled way to start an article bashing Microsoft about all the worms affecting their system.
"11. Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off."
Has MS ever been right? Leave them on, the download will work fine.
Of course you will get a worm if you turn them all off... Geez.
1. Install behind hardware firewall.
2. Submit article to Slashdot that amounts to a backhanded slam against XP disguised as a question from somebody who is a novice.
3. Watch the flames on a wasted sunday night.
It's pretty sad that it's almost kind of comical that this kind of stuff goes on with the #1 operating system. What does the everyday user (like our grandparents) do when they have to install XP... they don't have slashdot to come to for help. It's really sick that they can even charge for a product as poorly protected as Windows. There's a lot of responsibility with being Microsoft and honestly, I don't think they have what it takes to handle it.
Whoever dies with the most toys wins.
DON'T DO AS MS SUGGESTS! if you do everything as they tell you, you will get burnt.. that's kinda sad when you think about it.
have the fw up.
However, the last time I installed win2k pro at my parents' place I couldn't find a way to turn the (built in, filter thingy) fw on for an isdn dialup - and had no CDs or things like that with any fw at hand, didn't get infected in the few minutes it took to get external fw program downloaded (I opted for kerio). And downloading the updates when paying per minute.. no chance jose, better just lock it up, purge ie and outlook with xplite and install firefox as the browser.
world was created 5 seconds before this post as it is.
All you need for a home installation is a NAT firewall connected to your cable modem/dsl. As long as your firewall is properly configured and no other computer on your NAT network is infected, you should be okay.
Simply put... an out of the box installation of Windows XP is NOT safe to put on the Internet. When you are first booting it, you have to patch it before letting it touch the Internet. You need to get the Windows Update patches onto the computer before it's allowed online.
The way to do this is with another computer that's already online... Go to Windows Update and under the "Other Options" category select the checkbox for "Display the link to the Windows Update Catalog Under See Also" and then click "Save Settings". Under the "See Also" heading "Windows Update Catalog" will appear, click on it. This will lead you to a place where you can download all of the security updates and/or service patches you need in a way that'll allow you to burn them to CD and take them to the new computer. The most critical package to obtain is Service Pack 1 (shorthanded as "SP1" on the site), because that will be a cumulative patch that'll save you several one-off packages.
Get all of the service packs, hotfixes and critical updates and put them on a CD. Install windows with no net connection. Install all the hotfixes and updates. Install a firewall program like sygate or zonealarm. Better yet, be behind some network level security like a real firewall or a proxy or something. THEN connect the net connection.
:)
All of those norton/symantec anti-virus programs are bullshit. Up until last week I was a dual-booter. I ran completely standard windows XP but I had every windows update in existence. I didn't use Outlook or IE. Actually I used IE for one purpose, Windows Update. I set the windows update to notify me when there were changes, but not install them automatically. My computer is at a college. A LAN with hundreds and hundreds of machines directly connected by ethernet. Possibly the most dangerous place it can possibly be. I only got a virus once when I installed with the net connection on and tried to race the clock to windows update.
There's a reason that I stopped using windows altogether last week
The GeekNights podcast is going strong. Listen!
Too much security with Linux, it lulls you into a false sense of safety. With Windows you have to be on your toes. Linux users would get eaten alive if the virus writers turned their full attention on them, they wouldn't know what to do!!!
Just turn on the internal XP firewall (Network Properties -> -> Properties -> Advanced) before you connect to the net. You'll be safe long enough to get SP1/Kerio/etc all downloaded and installed.
When I'm forced to build an XP box on an unsecured network, I leave it offline until the install is done, enable the integrated windows firewall, plug the CAT 5 in, and fetch the updates. The built in firewall is typically good enough to fend off blaster, nachi, etc. After that, I install antivirus then Zone Alarm and disable the integrated firewall. Whenever possible, run behind a hardware firewall and you won't have this problem.
If you have another windows XP box, you can use the corporate windows update to download all the patches and service packs to CD and update the system offline.
FYI, if you do get infected, running "shutdown -a" from the command dialog (windows+R) will abort the 1-minute shutdown timer.
Urgo: "I want to live. I want to experience the universe and I want to eat pie!"
Jack: "Who doesn't??"
Probably not the most efficient way, but if you have to reinstall often, you could invest the time setting up a bootable slipstreamed disk with sp1 already in the OS, you can dl the updates from MS and set those to install as well. In addition to this, you can create a full unattended install, allowing you to not be present at the time. A simple googling of "unattended windows" should hook you up.
As of now I have performed only a couple reinstalls in the past couple years but never have had an incident of getting "owned" before installing my patches. I have a Netgear MR314 router that I make sure to turn all port forwarding off before putting a "naked" box on the network. Sure, it isn't fool proof and I would not consider it a firewall, but the nature of NAT does a sufficient job of blocking unrequested packets from coming in. After Windows installs I turn off superfluous services (such as messenger), install anti virus software from cd, plug in the network connection and then update that and Windows.
Of course if your problem is most hardware routers will not work with your ISP, then this tactic is not going to work well.
Are you implying that no one ever does anything illegal with Microsoft software?
"We can't solve problems by using the same kind of thinking we used when we created them."
Comment removed based on user account deletion
I can't believe nobody's posted this yet!
Autopatcher
AutoPatcher was started in October of 2003. It was started by Jason Kelley and was a simple batch program that would install many updates silently. Upon reaching version 2.65, Jason was contacted by Antonis Kaladis, who offered to help make a VB front-end for the program. And thus, the current incarnation of AutoPatcher was born.
Not only does it install all your Windows updates with just one reboot, it can also (optionally) install many other programs such as the Windows XP Powertoys, IESpell, etc. There's even some registry config options such as increasing the max connections per server (IE) to something greater than 2.
One way I can think of off the top of my head is to get the updates through a source other than Windows Update (I just d/l'd XP's SP2 RC2 on Bit Torrent) via Linux, or a patched Win box. While you're at it, download Norton's latest virus definitions. Then just burn them to a CD, or use a USB drive. This could work if the problem occurs while going online unpatched.
You should probably also talk to your provider. They should be blocking certain ports that are known to be used by worms and trojans.
Just keep trying the same method. how many times can a 1000-1 shot happen to the same guy?
I'm putting XP on my laptop next to me right now actually. I think it is pretty safe because a) it is connected to the net using NAT, not directly to the modem and b) I slipstreamed SP1 into my XP CD, so that when I install it I'm already at SP1 level. See here for instructions (that's win2k, but same for winxp of course). And I dunno why you'd bother with Norton Anything quite frankly. Maybe you can just buy a cheap router doing NAT and put it between the modem and computer while you get updates.
Like others have mentioned, use a Router (eg. from Linksys, DLink, Netgear) as firewall or get FREE Zonealarm firewall or just turn WinXP's firewall on. You need a firewall or use another box (e.g Linux) as proxy to connect to web.
Windows XP: Surviving the First Day
Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
Here is a fairly comprehensive guide, aptly named: Windows XP: Surviving the First Day
Comment removed based on user account deletion
Step 7a) With the builtin firewall on, download the network install of WinXP SP1.
Sure it's a big download but once it's downloaded, disconnect your cable and apply the service pack. Once everything is set and secured, reconnect the cable and check Windows Update for additional patches.
If you're still getting bitten even doing this, spend the $40 and buy a cheapo Linksys 4 port router. You can even use it as a switch after.
Just click on "NO" and install Linux instead.
seriously, i never post here really, but this deserves a reply.... you should know how these machines are getting infected.... infected machines are scanning ip ranges and infecting vulnerable machines that have the required ports open (135 is one i know off hand) all you need to do is install windows xp with network connection unplugged, then enable the built in firewall on your network connection after installation... connect to windows update and download away. then, if you wish, can disable the firewall. tho i do recommend a hardware based solution.
You're not that smart, are you? I refuse to believe you have been using Linux since 1995. Why don't you do some research on which patches would fix the worms first, download them from Microsoft using your (duh) Linux machine, burn them on a CD, then install them on the Windows PCs before you hook them up to the Net.
These days, using Linux means shit anymore.
sasser exploits a vulnerability in lsass.exe, which listens on 445. Some software firewalls leave this open, as it is required for Active Directory logins under some circumstances. If you do that and then go straight to windows update you should be fine.
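A check that can be run while the cable is still unplugged, as an added example that is not part of the thread: it parses saved `netstat -an` output and lists sockets bound to non-loopback addresses, flagging ports 135 and 445, which the comments above name as worm targets. The sample output, the addresses in it and all function names are constructed for illustration.

```python
import re
from typing import NamedTuple

# Ports named in the thread: 135 (the RPC port scanned by worms) and
# 445 (where lsass.exe, the service Sasser exploits, listens).
THREAD_PORTS = {135: "RPC worms (per the thread)",
                445: "lsass.exe / Sasser (per the thread)"}


class Listener(NamedTuple):
    proto: str
    address: str
    port: int


# Matches data rows of Windows `netstat -an`:
#   Proto  Local Address  Foreign Address  [State]
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Constructed sample: an unpatched box with default services bound to all interfaces.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    198.51.100.23:139      0.0.0.0:0              LISTENING
  TCP    198.51.100.23:1040     203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:123          *:*
"""

# Constructed sample: services stopped, only loopback sockets remain.
LOOPBACK_ONLY = """
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  UDP    127.0.0.1:123          *:*
"""


def parse_listeners(netstat_text):
    """Return every listening TCP socket and every bound UDP socket."""
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not listeners
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"


def exposed_listeners(netstat_text):
    """Listeners bound to an address other hosts could reach.

    netstat only shows what is bound; it does not know whether a firewall
    or NAT device in front of the machine filters the port.
    """
    return [l for l in parse_listeners(netstat_text) if not is_loopback(l.address)]


def thread_ports_exposed(netstat_text):
    """Sorted list of the thread's named ports that are bound off-loopback."""
    return sorted({l.port for l in exposed_listeners(netstat_text)
                   if l.port in THREAD_PORTS})


if __name__ == "__main__":
    for l in exposed_listeners(SAMPLE):
        note = THREAD_PORTS.get(l.port, "")
        print(f"{l.proto:3} {l.address}:{l.port:<6} {note}")
    print("Named worm ports exposed:", thread_ports_exposed(SAMPLE))
```

Any port it reports still needs the firewall or NAT device the commenters recommend before the cable goes back in, since the script sees bound sockets, not filtering.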
Steps to protect yourself on the internet
1. Firewall on at all times
2. Up to date antivirus software
3. Never turn 1 + 2 off for any reason unless you determine through failure it is absolutely necessary and never remain connected to the internet during this time.
4. Never install, run or click on anything that looks suspicious or offers to enlarge any part of your anatomy.
On a side note, Windows XP requires an insane amount of tweaking till you get a stable, virus-free, annoyance-free operating environment. Also it requires that you develop smart computing habits. I have no idea how most people survive on windows computers without firewalls, up-to-date virus software, and no windows update patches.
A Fatal OE Exception has occurred, Sig will now reboot.
And the BSOD award for the only person in the world able to fuck up a simple Windows install goes to... (Just kidding!)
Can't you download the updates you need on another machine, and move them over? Failing that, use a knoppix CD or something and download them into a folder until you can boot up XP?
Pop a Slackware CD-ROM in the tray instead of that gawd-awful Windoze shit. Trust me on this - you don't really need Windoze. I've been Windoze-free at home and on all the computers in my business since October 4, 2000. I got the shits of all the Windoze crashes and viruses and worms and vulnerabilities and just said "enough." I ain't no rocket scientist or IT guru, if I could do it anyone can. For once in your life, take a stand and tell Bill Gates & Co. to stick their buggy, vulnerable, high-priced OS up their asses.
If your computer has Norton antivirus installed before you update your computer, Norton will detect if another application is acting like a virus. Since you are losing power to the machine, I would check to see if your computer is overheating or if you have a faulty power supply. You may not have a virus after all!
A site cowboyneal will like http://www.freewebs.com/atpa/
I have people do this all the time without any problems. I have the WinXP firewall enabled then connect and go to windows update. No one has an issue doing it this way.
Admittedly, the last time I had to reinstall XP was at least 6 mo. ago, so maybe some new ass-kicking virus is out, but I never have trouble like this.
Are you sure your hardware is good? Update your bios. And whenever I start having mystery problems with a machine I start eyeing its power supply. Maybe check your RAM as well.
I know many have already said this but, dude, it already isn't working, it can't not work any more, so leave the firewall on. It can't hurt to try.
http://www.popularculturegaming.com -- my blog about the culture of videogame players
Evidently Norton Internet Security did not live up to its promise...
If you read the blurb, he turned off all firewalls as per instructions from MS. Thanks for playing.
Download the service pack on some other computer, burn it to a cd, apply it to your XP setup before connecting to the Internet.
Good luck!
I had to deal with this a while ago. I reinstalled WindowsXP during a massive worm epidemic.
Luckily for me, I had a free installer for ZoneAlarm (a firewall) backed up on a CD. So... I just kept the network cable disconnected, and installed WindowsXP. After finishing the install, I installed ZoneAlarm from the CD. THEN, I connected the network cable and connected to Windows Update. I had no problems.
I like the NAT/firewall idea. But since he states he's on cable already, I would much rather get some of the downloadable security patches straight from microsoft's website.
Automation isn't all it's cracked up to be. And this is exactly the reason. Why bother hosting / distributing a patch to something if it *WILL NOT WORK* when you install it? To apply them manually, then install it, of course! Microsoft Update Rollup
Something like this should be easily digested. Hope this helps. You may need something different, but check around on microsoft's website for that, if you can endure it. oh, the pain! the pain!
A paper with step by step instructions on how to update a virgin Windows XP system can be found here: SANS Reading Room: Windows XP, surviving the first day (PDF)
---- join dshield.org Distributed Intrusion Detec
1 - Hardware Firewall Only. Software firewalls are for pikers and people waiting to be hacked.
2 - Download SP1 to a CD.
3 - STOP USING NORTON for ANYTHING OTHER THAN ANTIVIRUS
4 - Read 3 again
This
If you are still getting a worm after you install Norton's firewall, then it sounds like it's not working.. (you wouldn't be getting a virus, yet)
I'd go ahead and turn on M$'s firewall initially as well before you even plug it into the modem, just to get past the updates.. which you should have on CDROM anyway and not need to connect to RR until they are complete.....
---- Booth was a patriot ----
First, you know how some programs tell you "CLOSE ALL OPEN PROGRAMS BEFORE INSTALLING" just in CASE it needs to overwrite something, 99.99% of the time what you have open, it doesn't need to overwrite.
Same thing with microsoft telling you to turn off your firewall, they don't want 10,000 extra people calling them saying, "WTF?!?" because of some random firewall problems with windows update, leave it on.
Excuse me, I don't mean to impose, but I am the ocean
I would definitely follow the advice of everyone else -- ditch the Norton crap and concentrate on getting your Windows setup first -- leaving Windows firewall on, and get all the patches/updates... THEN install your norton software. If you have an extra $30-50 definitely get a cheap Linksys or D-Link router (especially if you have a DSL connection, because the router will make sure your connection never gets cut off by the provider (*cough* Ameritech/SBC *cough*))...
Buy a LinkSys cable/dsl router for $50, which includes a firewall (if you can't afford a Cisco Pix). I've never had anything get through to any Windows box I was installing up to the point I got it completely updated.
No one should have any Windows box directly on a cable/dsl line anyway.
Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
Since you're a Linux user, you probably have a good grasp of most computing concepts. I'm a little surprised that you don't know about slipstreaming. Google it. Simply put, slipstreaming will add all of the current service packs/patches into the main install, so you're essentially installing XP up to date.
You can do this on an old Windows machine, within WINE, just about anything that'll run an XP executable. At work, we create a new install CD every month (when the latest patches come out). Think of it as compiling from a CSV without the source (getting the very latest install).
Buy a god damned firewall..oh wait, you say you're a 9 year user of Linux - set it up as a firewall to block all the incoming crap...You're stupid if you can't protect yourself.
I don't really understand all the talk of windows being oh so incredibly bad. Norton has detected up about a total of 5 viruses getting anywhere near my PC, all in email attachments I'd never have opened anyway.
All I do is not be a total idiot when it comes to opening email or clicking links in IRC, run Zonealarm firewall (free and piss-easy to use), head to windowsupdate occasionally and OK, OK, disable a few services that were blatantly unnecessary.
I've never had an infection in about 7/8 years of using windows. TBH, if Linux was the monopolising OS things wouldn't be so much better, there'd be the same ignorant users on an OS even harder to use, and the same people writing viruses for it.
... then install windows.
2) start->control panel->network connections. Right click properties on the adapter used for the internet connection.
3) Go to the Advanced tab and turn on the firewall.
4) Reconnect the machine to the network and start downloading the patches.
Put the service pack and all critical updates on a CD or DVD, then install them all before putting it on the net.
I see people saying to use a hardware firewall instead of software but they are just as vulnerable, especially with the recent news of them having wide open web interfaces. If a software-based windows firewall isn't doing the trick, set your old 486 up with OpenBSD.
Congratulations, even Linux users can figure out Windows now.
scott
Launch the Norton update facility (per Norton's recommendation, the built-in XP firewall is turned off);
...
Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off.
reallocate was just following the instructions that Microsoft and Symantec gave him/her.
A wifi router can be had for $20 if you shop around. Once the drive is reformatted reinstall XP. Disable File and Printer Sharing. Enable the Firewall. The router firewall will protect you while you update windows and norton.
What about using Tiny Personal Firewall? It fits on a floppy (last time I checked at least)
Take that piece of crap Norton and toss it out the window.
Turn on the XP Firewall. Leave it on. Grab the updates.
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
Wow how ironic, just an hour ago I reinstalled Windows XP Home for a friend, and it was attacked 5 minutes into a connection to the internet. That's quite sad. Well for a solution, I just enabled the built-in firewall to deny all incoming connections... I assume that would do it.
At work we're NATed, at home I've got XP's Internet connection sharing plus an ADSL NAT router WiFi access point four port switch just waiting for the time I can finally find a decent ADSL service. I'd never give an unpatched PC a live IP address, Windows or Linux.
All you need is a NAT ... probably should have one anyway, since they are a very effective means of being the first line of defense for the worm du jour anyway.
-G
It's not my fault! It was this way when I got here.
I've installed a few new windows machines this way. Insert the network card into your existing linux box, activate the routing, and go!
get a NAT router
Step one: Obtain discount priced grill lighter.
Step two: Locate your windows Xp Home cd.
Step three: Burn.
Step four: http://www.linuxiso.org/
I would like to see a switch between every networked PC. As I have been led to believe that _SHOULD_ stamp out packet sniffing.
Not to mention the HUGE TRACKS of bandwidth that could be gained.
"He's a real midnight golfer"
Install 98 and upgrade? I have never had this problem before when installing XP and I use roadrunner. You could download the sp1 net install with linux and burn it if you had to.
I always keep Autopatcher on a cd nearby when I am doing this. Autopatcher is just the windowsupdate site on a cd with some goodies as well. Check it out at autopatcher.org
Admittedly I haven't done an update in ages,
but I don't recall ever turning off my firewall..
It's a recommendation, not a necessity.
You have 5 Moderator Points!
Which Helpless Linux zealot/MS basher do you want to mod down today?
Enjoy!
The answer is simple: get hold of a copy of Tiny Software's Personal Firewall (or any other good free firewall) and install it PRIOR to connecting to the Internet! That's much easier (and safer) than waiting around for an update CD from Microsoft that will still not prevent you from getting cracked.
The higher the technology, the sharper that two-edged sword.
i've installed so many xp home and pro instances on a lot of people's computers (home users). they had no antivirus OR firewall, and never once got a virus before i got all the windows updates. once i had all of them, i THEN installed norton and zone alarm pro. updated those definitions, and ran them. had a perfectly clean machine. from the looks of this article, it's a troll waiting for loads of microsoft bashing from /.
Dufus. Not that most don't make the same mistake, but for a long-time Linux user NOT to have a physically separate stateful firewall between a PC and the Internet...sorry, "dufus" is mild.
If you even have a "Kirkland" (i.e., sold at Costco; could be Linksys, DLink or Netgear, etc.) Broadband Router/Gateway with WiFi for sharing your home connection, you'd solve most of your troubles.
However, on a Windows LAN I would recommend having an isolated subnet with its own Internet connection (at least one without routing of traffic to/from the main LAN) until all current patches and SPs are installed. This is keeping in principle of not sharing a network connection with unfiltered Windows boxes.
-- @rjamestaylor on Ello
http://www.autopatcher.com/index.html I have used this great windows patch tool. It is around a 500mb zip file. It also contains the latest JRE
You could download the network install of XP SP1 or even SP2 RC2 using Linux, then burn it. That way when you need to install XP SP1/2 on Windows you won't need the net, just pop in the cd and let it install
... or any brand name for that matter. My windows box is behind one of these and I've never had any problems. You can choose to forward any ports you DO care about (it blocks by default), and you can also set up some cool net policy stuff on the later models.
Seriously -- you can pick one of these puppies up for about $50... and they're incredibly functional if you ever decide to start your own little home network (5 ports is the norm for the price).
Why do people even put up with this shit, it's Microsoft's f*cking duty to provide a working operating system, we pay for it!
To solve the need-to-windows-update-and-install-antivirus-before-being-wormed problem, follow the aforementioned steps for the windows install (offline),
then have your 'autopatcher' cd ready: autopatcher
This neat utility lets you download an iso that has pretty up-to-date windows updates/patches -- and it has its own version of 'windows update' for XP/2000 as well. It works nicely to get your machine pretty up to date, before you go live on the internet.
" Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off."
Firewall is on before I connect to my cable modem if you're going to be DUMB enough to connect it without a hardware firewall protecting the machine. Get an intermediary device like a Linksys or Netgear router, and now you don't have to worry about it. And seriously. Don't install your AV until AFTER you've installed all your updates. You're only complicating the registry before it needs to be.
Seriously, is Slashdot a "News for Nerds", or "HOWTOs for N00bs"? Some of these questions would be better handled by Google and half a brain about networking.
Can you ping me now? Gooood! | Manhappenin.Net - Things to do
I've installed at last count close to 30 xp (home and pro) boxes, all from scratch in the last year (and not a single virus from any of them) ... and I fail to see how you can get a virus/cracked in the matter of an hour (or three, or however long the install takes). I install/update, install FW, and then AV. I'll admit I'm no guru, but where are these coming from? Are you checking email w/outlook before installing patches, or downloading pr0n or something?
I've installed and configured over 60 brand new Dell systems (wipe, then install XP Pro) in the last 3 weeks and I have not had 1 one make it through WU. I didn't even burn everything to a CD to distribute. To me, this shows that yes, I am an idiot for not making it easier on myself, but as well, that it just depends where you are on the net, I guess.
--- nick
step 1:
do not connect the pc to any phone or network and no wireless connections either.
step 2: install winxp
step 3: admin password
--at least 8 chars long
--letters numbers AND other characters
--not a dictionary word
--not easily guessed
step 3: networking setup
choose custom
unselect client for msft networks
unselect file and printer sharing
(you can enable after it's all patched up)
on the 'will this computer connect to the internet directly...' dialog, select the proper settings as they will be, but it still should not be plugged into the network
don't activate, remind every few days
step 4: user accounts
set up whatever user accounts you need, same rules apply to passwords. also, if your account has no password, it will not be accessible through the network.
step 5: verify network settings
in the network connections dialog, for each connection,
-- make sure client for msft networks and file & printer sharing are STILL off
-- turn on the windows based firewall
reboot now
step 6: windows update pass 1
-- you can now get online, because you should be safe enough with the firewalling set up
step 7: run windowsupdate/reboot as needed until the system is FULLY patched.
step 8: install other software, such as virus checking.
(it's still a bad idea to disable the firewall, but it's much safer now than before)
for the pdf guide that I basically copied here, check
http://isc.sans.org
Go to grc.com and get DCOMbobulate, click DCOMbobulate me! and you are safe from those worms.
While you are at it, get also the UPNP disabler and Shoot the Messenger! to avoid getting popups offering U N I V E R S I T Y D I P L O M A S (yuck)
Dear aunt, let's set so double the killer delete select all
There's a guide called "Surviving the First Day of Windows XP". Google it; I'll abstain. You should do this:
Basically, do this:
1. Install your hardware firewall. Configure it using the guidelines at Gibson Research. If your time's not worth the $30 for an on-sale router, don't bother installing anything and stop reading, since you're not worth my time.
2. Get your fresh install completed. Bring a book.
3. Disable messenger, server, and enable the XP firewall. Check with black viper to see what's safe to disable. (Hint: almost everything!)
4. Install an antivirus program.
5. Update your virus program.
6. Download your critical patches. DO NOT INSTALL ANYTHING BUT CRITICAL PATCHES.
7. Update your hosts file using Mike Skalla's ad blocking file. (Google for Mike's ad blocking)
8. Download Spybot-search and destroy. It has an immunize feature to stop a lot of processes from running.
9. Now you can update your non-critical files. This includes things like driver updates, DirectX, etc. If you're keen, Spybot will check for registry changes so you can keep your eye out for spyware.
10. Check with Gibson Research again, and see if you've got a full green spread on the scan.
That's it. You can now enjoy a year or so of XP use before you have to go through this again.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
Burn a CD with the latest norton defs, windows service pack 1, all those little updates for the trojans, and a firewall (I personally like Kerio Personal Firewall), and install that before you even put the network cable back in.
(Score:0, Interesting)
oops! Did I really mean to do that!
Engineering is the art of compromise.
I've read the unending Slashdot commentary berating Windows and have always assumed that most people that used Windows just didn't care enough to let the bad things bother them. But this is insane- not even being able to install your OS before your computer is infected with a virus?!! I can't believe anybody would put up with this. It would take me 10 seconds to ditch the thing never to be tried again. I'm a Mac user so maybe my ease of use expectations are high but how stupid do you have to be to choose a product that does that to you?
Unbelievable. Is this really what windows people have to deal with for a common vanilla install? With Microsoft's recommended and most current product? Does Microsoft not sell a version on CD which is actually secure enough to install out of the box?
How about instead switching to an operating system you can put faith in?
-b
myselfmusic
>> Autopatcher XP is for Windows XP with Service Pack 1 or 1a.
;-)
>> It won't help you if you don't have these installed yet
>> (i.e. new installation from original XP disk).
Download WinXP SP1 and Autopatcher.
In fact, they'll both fit on one CD
Enjoy,
Helevius
I can't find any instructions for Microsoft saying to turn off firewalls during SP1 installation (using google).
Does anyone know where it says that?
Even if it does say that, why on earth, after two virus attacks, wouldn't you try leaving it switched on while downloading the service pack to see what happens? (unless you just want to get an article posted on Slashdot).
sig's not here
Do the following before you put your machine on the net.
Start -> Programs -> Administrative tools -> Services - > Find the service called Remote procedure call (RPC) - Right Click and Select Properties -> Click the recovery Tab - Set all the drop downs to "Take no Action". Now reboot (of course). Now put the machine back on the net to do the windows update and you should be right.
* This is not a fix it just buys you some more time to get the updates down before your machine is overwhelmed by worms.
I suggest getting the smallest most critical updates before the larger service packs as they will take longer to download.
Between steps 3 and 4:
Make sure the firewall is active before you plug in the network cable.
I recently installed XP from a running copy of Win2k. It had an option to go download from automatic update and install with those changes in place. Sadly, this rules out the "wipe the drive" sort of install, plus it assumes that you already have a patched Windows install running. However, if you're doing a 'clean up the registry' sort of reinstall as opposed to a new machine install, this is viable.
I really wish Microsoft would allow one to create an 'Automatic Update' cd that you can download from a secured source. Pop that in before Windows goes online and run all that stuff. That'd be useful for any OS, really. Oh well, guess MS won't innovate there until somebody else does.
"Derp de derp."
Assuming you dont have separate firewall or CD with some tools on it:
1) Connect to net.
2) Launch IE, goto google as quickly as you can
3) Search for "xxx", "hardcore horse fuck", or "warez cracks serials"
4) Open as many sites as you can in a new window
5) These will sporn pop-up windows and slow your net connection down enough so that you might be free from incomming attacks (if you can download videos even better).
6) Download your updates and gradually close excess windows to divert bandwidth to your update downloading.
7) Disconnect
As a side-effect you will certainly catch some ad-ware/spy-ware but its better then getting a worm, and you can think of it as a metaphore - with IE, unprotected browsing is the same as unprotected sex with 300 annoying people that keep offering to sell you wireless spy cams. But unlike your dick, you never have to use IE again, so close it down and install Firefox.
This comment does not represent the views or opinions of the user.
There are several ways to accomplish what you're doing. Note that instead of specific instructions (install patch X, Y, Z) that will be out of date very quickly, these instructions are meant to be general and apply to Win2000/WinXP/Win2003 now and in the future.
First thing I would recommend is slipstreaming the latest service pack. At the time of writing, Service Pack 1 is the latest available for Windows XP. Service Pack 2 is not yet here but two release candidates have been published. Expect the final to be out in a month or so. (Note: despite the marketing brouhaha about how much "more secure" SP2 will be, it looks like they've got a lot of things right. I would definitely download it and re-slipstream when it comes out.) Slipstreaming is the process of combining newer patched files with your original install files such that when you run your install, the update is already applied. There are plenty of instructions on the net, google for "slipstream windows service pack" or something similar. This one process (that boils down to mostly getting the files in the right place and running one command line) will save you hours of waiting, download, and patching later. Invest the time to do it now.
Second thing is to download the latest patches. This is much more difficult as you're never sure which patches apply, which ones have been superseded, which ones are relevant or have to be installed separately, etc etc etc. For Windows XP, start with Rollup 1 for Windows XP and work your way up from there. The Microsoft Technet Security Bulletin Search is a good reference point. At a minimum, you'll want to locate the latest IE patch (these are usually cumulative) and the latest patch dealing with RPC (this is the vulnerable component exploited by Blaster/Welchia), and the latest patch dealing with LSASS (this is the vulnerable component exploited by Sasser).
Third, prepare yourself. Burn relevant patches to CD. Physically disconnect your workstation from the network. Only now should you initiate your install.
Post-install, apply all the service packs/patches you've accumulated FROM CD. Notice we have not connected to the network yet. Some patches have optional reboots (ie, they require a reboot to take effect but do not force a reboot as part of the patching process). Make sure you have rebooted after applying the last patch. If you're on Windows XP or 2003, enable the firewall for your network connection. Look in the properties of your Internet connection - the procedure varies slightly for Windows XP, XP SP1, XP SP2, and Server 2003.
NOW you can plug in your net connection. Hit Windows Update first. I'm not sure which guidelines recommend turning off your firewall, but ignore those unless you experience problems. Windows Update will operate just fine with only HTTP (80) and HTTPS (443) access. Get all the latest patches, and reboot. When installing applications, make sure to patch those along the way as well and you should be protected. Depending on who will be using the computer and how proactively you will be admin'ing, I would turn on the Automatic Updates feature now - download AND install automatically.
An excellent tool to help you along the way is the Microsoft Baseline Security Analyzer. It's meant to scan for not only patches but security misconfigurations and other potential vulnerabilities as well. It's packaged as a .msi but once it's installed you'll find mbsacli.exe in the install directory, which you can burn to CD (along with supporting .dll files) to serve as an offline, command-line scanner. I make it a point to grab the latest
Thanks Mr. Gates, only you could describe the Xbox as a "bitching game machine".
I ran into this problem about a year ago. Figuring the attacks were using the RPC exploit that was making the news about that time, I disabled RPC over TCP/IP and was able to patch with no further trouble. Accepting RPCs over TCP probably has a purpose in some enterprise environment, but not for me, so I left it off.
I don't know if the current attacks are using the same route, but if you want to try, just find HKEY_CURRENT_MACHINE/SOFTWARE/Microsoft/Rpc/DCOM Protocols in the registry and take ncacn_tcpip out of the string. Probably have to reboot.
For great justice.
1. Log on to slashdot
2. Pretend I make enough money to actually afford a copy of windows XP pro and norton
3. Play on collective community fears about internet worms
4. Make bogus claims on alleged damage caused
5. Revel in kudos received from embittered slashdot community
6. ???
7. Profit
I've installed windows thousands of times (literally) in the most unsecure environment and have never had it rendered unusable before even installing. I suggest you stay away from those ropey sites offering downloads of free XXX pron if I were you.
I have discovered a truly remarkable sig which this post is too small to contain.
If you uncheck both Client for Microsoft Networks and File and Printer Sharing, in your network adapter properties.. you'll be able to surf pretty safe from infection.
That'll turn off all the NetBIOS stuff.. the only thing you should have checked in your network settings before you go online, should be TCP/IP
-=-Ze End-=-
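Added example, not part of the thread: one way to check from a second machine on the same isolated segment (the Linux box, say) whether the fresh install still answers on the RPC and NetBIOS/SMB ports before the Internet link is attached. The port list, function names and state labels are assumptions of this example.

```python
#!/usr/bin/env python3
"""Pre-connection exposure check for a freshly installed Windows host.

Run it from ANOTHER machine on the same isolated segment. A check run on
the Windows box itself proves nothing, because a host firewall does not
filter loopback traffic.
"""
import socket
import sys

# Assumption of this example (not taken from the thread): the well-known
# TCP ports behind the services the thread discusses.
WORM_PORTS = {
    135: "RPC endpoint mapper (DCOM)",
    139: "NetBIOS session service",
    445: "SMB over TCP (file and printer sharing)",
}


def probe(host, port, timeout=2.0):
    """Classify one TCP port with a full connect attempt.

    'open'     - the handshake completed: a service is reachable.
    'closed'   - the host answered with a reset: nothing is listening,
                 but nothing is silently dropping the packet either.
    'filtered' - no usable answer (timeout, unreachable): a firewall is
                 dropping the packet, or the host is down.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.gaierror:
        raise  # a bad host name is an operator error, not a port state
    except OSError:  # includes socket.timeout
        return "filtered"


def exposure_report(host, ports=WORM_PORTS, timeout=2.0):
    """Probe every port in `ports` and return {port: state}."""
    return {port: probe(host, port, timeout) for port in sorted(ports)}


def safe_to_connect(report):
    """True only when none of the probed ports accepted a connection."""
    return all(state != "open" for state in report.values())


def main(argv):
    if len(argv) != 2:
        print("usage: %s <windows-host-ip>" % argv[0], file=sys.stderr)
        return 2
    report = exposure_report(argv[1])
    for port, state in report.items():
        print("%5d  %-9s %s" % (port, state, WORM_PORTS[port]))
    if safe_to_connect(report):
        print("None of the listed services is reachable from this machine.")
        return 0
    print("At least one service answers: do not attach the Internet link yet.")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If every port reads "filtered" and the host does not answer anything else either, confirm it is actually powered on and addressed before trusting the result.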
Even when its updating, the Norton Firewall is active.
You can abort a system shutdown by issuing the command
shutdown /a
if you want something a little more permanent, type
services.msc
in the command line, then find "RPC Service" (or whatever), right-click, choose properties, find where it says "after failures" and set them all to "no action". Reboot and patch, and virus-scan and patch and rinse and repeat...
1) download Autopatcher XP (full) here: http://www.autopatcher.com/ ;)
This program has all the recent updates needed and wanted, plus a ton of extra features such as the uxtheme.dll patch, tweak ui, directx 9, wmp 9, and a whole lot more.
2) Burn Autopatcher to CD or copy to any appropriate internal network source
3) unplug machine from any external network connection
4) install Windows XP
5) run autopatcher XP and select the updates you want
6) wait...
7) Voila! Done
Note: You will need to install the latest service pack to Windows XP before you can run this. Download SP1a Here: http://www.microsoft.com/windowsxp/downloads/updates/sp1/network.mspx
Simply burn it to the same CD and you have your own windows xp install solution... virus/"problem" free as well
A) Leave the firewalls on. Yes, I know MS says otherwise. I always have both a hardware and software firewall on, no problems what so ever.
B) Get a router with a firewall. I currently happen to be on a Linksys wireless router which is attached to cable broadband. It works very well, and contains its own firewall.
C) To repeat something that others have said, get a copy of SP1 and burn it to disk, install that before trying to log onto MS for your other updates.
"It takes a very long time to count to 2 in binary." ~'Fourlegged'
Don't install Windows! Use Linux!
It doesn't take an Uber-geek to get Linux running. If you can't load a simple windows XP install and patched up. I recommend you stick with Linux. Or Better yet take your pc into circuit city or best buy for repair.
Install from a hacked/pirated copy of Windows, and you won't have to wait to become infected! No network connection even needed during the install.
I don't know, but it works for me.
Why spend money on a cheap router when you can use an old PC as a router/firewall. IPCOP is a free linux firewall distro that turns an old PC into a stateful firewall and more. Plus, these distros find a good use for an old PC that is just collecting dust!
Microsoft has many security holes, it's very very true. However, the way you get worms that just install themselves, there has to be an infected machine that scans and finds you have a vulnerability, and then exploits it. I just don't buy that this happened TWICE. Even once would be very rare. This feels like anti MS propaganda to me (believe me my anti MS qualifications are in order, but some but don't stick to the facts, which are in linux's favor anyway). If by some remarkably bad luck this actually did happen, I would advise you to just try again, the chances of it happening a 3rd time are very very slim.
"It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
It is not active during startup or shutdown. This window of vulnerability will be fixed in SP2. That said, I wouldn't trust a "firewall" written by people clueless enough not to enable it before the network stack goes up.
Of course, you need broadband in order to use a router. If you live some place where there is no broadband you either have to get satellite or use a linux box. A hardware firewall/router that supports dialup does not exist at all.
(Posting anonymously to preserve my precious karma.)
Have you ever heard of a firewall or a virus scanner? Come on millions of people do this every week, and they don't have problems. Why does a supposedly advanced computer user (Linux Guy) have trouble understanding the basics of security, such as a firewall and a virus scanner.
I don't even install my e-mail client or plug in my ethernet cord before I have a virus scanner, and I always have my router blocking all incoming ports.
This guy just sounds like a moron, or he is just trying to spread FUD. I wish /. had a better story screening process.
There is a brief period of time when booting up between when networking is loaded and when the firewall kicks in. It is possible to be infected during those few seconds you are connected to the internet unprotected.
I don't quite understand what the poster is trying to do exactly, but it's pretty bizarre. Let me paraphrase:
"Hi. I'm putting a completely unpatched Windows box directly on the internet and I'm deliberately turning off the Windows firewall *and* the third party firewall I installed. But I get virused! Whyy??? Windows sucks."
That's just like people who build their houses on floodplains crying and moaning because God took their houses away when it rained. Then they build their new houses on the floodplain again. Some people just, well, they're just not smart. And so bad things happen to them.
But back to the security issue - what would happen if you put a Linux box, unpatched, directly on the internet with no firewall? How long would it take to get rooted? How about if you had an insecure root password? It would take longer than Windows, but it would still happen.
This isn't a windows problem, it's an end user problem. If you do stupid things, bad things happen to you.
I am government man, come from the government. The government has sent me. -- G.I.R.
When you get the shutdown warning, simply run shutdown -a at the command line to abort it. Then do your updates. The RPC service will already be dead, so you won't see another one till your reboot and restart the service.
Go back and read the FULL POST.
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
Well, the first problem is installing anything before the updates. You must do service pack 1, if it is not included, as well as all IE updates.
Also, I assume that you have a network there. Go to http://www.microsoft.com/windowsxp/downloads/updates/sp1/network.mspx and download the full SP1a file.
Immediately before connecting to Internet, install SP1a, then do all other Microsoft updates. Then, and only then, should you install any 3rd party software.
Hope this helps.
DISCLAIMER:
I don't believe what I write, and neither should you.
Also, see these security forum folks.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Or place a NAT device (such as a cheap broadband router/firewall) out in front of your computer. Since all of the worms attack via open TCP/IP ports, the NAT device will block them all while allowing you to update your computer. Works every time for me.
I don't know what kind of crack I was on, but I suspect it was decaf.
- Copy the entire "I386" to a local directory
- download the updates via this link
Network Install
- "Slipstream" the service pack to your local copy
- Dump it onto a CD with a bootable image that you make so the XP install will boot right
OR
Get a copy of the 911 CD compiler (Linux based!!) to make an image and will even start you off with install scripts that will give you hands off operation!
PS The 911 CD will ask you for your info (Computer name, Key, etc) before the install, all you have to do is type it in and you're ready to go!
A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
You didn't mention if you were sitting behind a hardware firewall. Will cost you 50 bucks, but if you can buy XP, you can also afford :-) a Linksys, Netgear, D-Link, or whatever cable-router.
Keep the firewall/router completely closed for external access and you should be fine. I've had unprotected Windows boxes behind a firewall running for years without a single virus.
I'm not saying you should keep your systems unprotected (!!), but you should be fine during the time between installing and having your Anti-Virus software installed.
Browsers shouldn't have a back button!! It's all about going forward...
Give it up, troll. Go back to Kuro5hin.
As my part time high school job I am a computer consultant. I have been using linux since it came out (it's what my dad used so I started to use it). I fix win machines but this does include rebuilding them sometimes as well. I have that win CD with all the updates from feb but you do not need it. I start the same way you do, disconnecting the machine and then formatting the drive and installing. I then have Win XP Service Pack 1 on a disc (you can find it for free to download somewhere on their site). I then put that patch on (it can take a while), then I would set up norton antivirus and firewall. Put it on the net (don't use the software the isp gives you, they always suck, just use the default win way). Once you have fully updated norton, then you can finish all the updates on the win site. KEEP THE FIREWALL ON!!! I have no idea why you turned it off but you don't need to. Also a router can help with extra security (because of NAT) so if you're real worried get a router (you can get an 802.11b router for $50 at staples).
just install zonealarm as the first thing you do
That is what I have always done, never had a problem.
And if you make the mistake of waiting and get that old virus that makes the computer restart in 30 seconds. Just change the date to a month back and you have 30 days to fix up your computer.
I recently installed XP myself. I took my PC to work to install it since there is a solid system of firewalls there. Not to mention an under-utilized T1 line.
I honestly don't believe that your comp was rendered unusable that fast. I install XP all the time and it's NEVER that bad. My suggestion is to DL zonealarm or some other firewall and put the install file on a CD. (on your linux box)
Maybe learning how to setup boxen from the Honeynet Project wasn't such a good idea...
http://www.microsoft.com/downloads/search.aspx?displaylang=en
If you visit the Windows Update site in anything other than IE, you'll get redirected to there-but it works in Firefox. Also easier(because of the non-ActiveX packaging) to just download and burn.
The role of the writer is not to say what we can all say, but what we are unable to say. -Anais Nin
Whenever I have to do a fresh Windows install, I keep a cd with Zone Alarm (along with AVG, Adaware and a few other useful tools) handy. I just install Windows, pop in the Zone Alarm cd, install, setup my internet connection and start the updates. I've never had problems updating with my ZA turned on, and it keeps my computer squeaky clean from worms. This has been my standard practice since blaster came out and has never failed me.
There are also modems that you can attach to a network for dialup. A friend of mine uses one of them.
Not a Twitter sockpuppet... but I wish I was.
MSFN's Unattended XP CD might be worth looking into. It allows you to automatically install programs as well as updates. I've messed around with it a little bit and it's definitely a timesaver.
If at all possible, no system, whether Windows or *nix should ever be connected directly to the internet, whether through broadband or dialup. A cheap NAT box, properly configured, will protect a broadband connection. There are NAT solutions which will work with a dialup connection. At a minimum, a software firewall should be employed when connecting a system with dialup. Windows XP has a built in firewall which can be enabled for a dialup connection. Any *nix distribution will have one as well.
I follow the following steps :
1) Plug of internet cable.
2) After install turn on windows firewall.
3) connect to internet. update windows..
this works
this problem is fixed in sp2, where firewall is turned on by default.
A bit off-topic, but you don't have to reboot to pick up a DHCP address. Unless you're installing some weird software that requires a reboot (like Roadrunner Medic that they (used to?) bundle), you can just open up a command window and enter
or click the Repair button in the Connection Properties -> Support tab.
But you're a moron. Of course, you're getting viruses on your system. You are explicitly disabling your firewall.
Re-install XP off the net, as you started, but once you've completed the install, turn on the built-in Internet Connection Firewall and leave it on. Install whatever RoadRunner gives you, connect to the Internet, and start your updates. I'm not aware of any flaws in ICF, but if you're really paranoid, buy (or build) a stand-alone firewall and put your nascent Windows box behind it.
I'm proud of my Northern Tibetian Heritage
Show me a hardware firewall/NAT solution for dialup that doesn't cost over $1000. The only thing I have seen is this, http://nct.symantecstore.com/0001/appliance_sfvpn200r.html. I have not seen anything comparable to a linksys NAT box that supports dialup connections. The only solution is an old (power hungry) linux or *BSD box, which is a royal pain to set up.
Get either a dumb hub or a crossover cable, and connect the Windows box by that.
turn on NAT via iptables:
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 --out-interface eth0 -j MASQUERADE
# Turn on packet forwarding
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD --in-interface eth1 --out-interface eth0 -j ACCEPT
# turn off most packet forwarding (other than outgoing connections above)
iptables --policy FORWARD DROP
( echo 1 >
This, of course, presumes that ETH1 is facing your windows box with an IP address in 192.168.1.{1-254}.
You can then either set your Windows box IP address manually, or learn how to turn on dhcpd (i'm not going to go there, but it's not too hard.). In any case, this should be enough NAT protection to allow you to get out on the net from your Windows box without opening it up to inbound virus connections. You can then get to places like Microsoft and Norton's without being pre-emptively infected.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
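The gateway built by the iptables comment above is only safe while a few properties hold: FORWARD defaults to DROP, new connections are accepted only from the LAN side, and nothing is port-forwarded to the unpatched PC. As an added example (not part of the original thread), this shell function audits `iptables-save` output for those properties; eth0 (WAN) and eth1 (LAN) follow the comment, while both sample dumps and the address 192.168.1.10 are constructed.

```shell
#!/bin/sh
# Audit `iptables-save` output for a patch-staging NAT gateway.
# usage: iptables-save | audit_gateway WAN_IF LAN_IF   (exit 0 = all checks pass)
audit_gateway() {
    awk -v wan="$1" -v lan="$2" '
    function finding(msg) { print "FINDING: " msg; n++ }

    /^\*/ { table = substr($1, 2); next }          # "*nat", "*filter", ...

    # Chain header, e.g. ":FORWARD DROP [0:0]" -> default policy
    table == "filter" && $1 == ":FORWARD" { policy = $2 }

    # Any DNAT/REDIRECT exposes an inside port to the Internet side.
    table == "nat" && $1 == "-A" && $2 == "PREROUTING" && /-j (DNAT|REDIRECT)/ {
        finding("port forward in nat PREROUTING: " $0)
    }

    # Outbound address translation on the WAN interface.
    table == "nat" && $1 == "-A" && $2 == "POSTROUTING" && /-j (MASQUERADE|SNAT)/ {
        for (i = 3; i < NF; i++) if ($i == "-o" && $(i + 1) == wan) masq = 1
    }

    table == "filter" && $1 == "-A" && $2 == "FORWARD" && /-j ACCEPT/ {
        inif = ""; states = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-i") inif = $(i + 1)
            if ($i == "--state" || $i == "--ctstate") states = $(i + 1)
        }
        # A rule is replies-only when it matches connection state without NEW.
        replies_only = (states != "" && states !~ /NEW/)
        if (replies_only && states ~ /ESTABLISHED/) est = 1
        # New connections may only be accepted when they enter from the LAN.
        if (!replies_only && inif != lan)
            finding("FORWARD accepts new connections not from " lan ": " $0)
    }

    END {
        if (policy == "") policy = "missing"
        if (policy != "DROP") finding("FORWARD policy is " policy ", expected DROP")
        if (!est)  finding("no RELATED,ESTABLISHED accept rule, replies to updates are dropped")
        if (!masq) finding("no MASQUERADE/SNAT rule out of " wan)
        exit (n > 0)
    }'
}

# Constructed dump: the ruleset from the comment above, as iptables-save prints it.
sample_good() { cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Constructed dump: permissive policy, no state rule, and a port forward
# that would put the unpatched PC's port 445 back on the Internet side.
sample_bad() { cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 445 -j DNAT --to-destination 192.168.1.10:445
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
EOF
}

# Demo on the constructed dumps; on a real gateway pipe iptables-save in instead.
for dump in sample_good sample_bad; do
    echo "== $dump =="
    if $dump | audit_gateway eth0 eth1; then echo "PASS"; else echo "FAIL"; fi
done
```

Run it on the gateway before plugging the fresh Windows box into eth1; a non-zero exit status means at least one of the properties above does not hold.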
I also had installed Windows XP Pro and Norton Anti Virus/Internet Security and updated them via Internet. I didn't have any NATs nor other hardware firewalls. I didn't have any update CDs at hand either. However, I did not get infected with worms/viruses. Here is what I did.
1. Installed Windows XP on the PC, the cable modem disconnected from the network card.
2. Turned on the Internet Connection Firewall and then connected the cable modem.
3. Launched Windows Update and installed all security patches.
4. Installed Norton Anti Virus and Norton Internet Security
5. Launched the Norton update facility and got them updated.
6. Turned off the ICF.
By the way, I did not notice any recommendation about turning off firewalls while doing Windows Update. Where can I see the info?
A cheap 486 and a couple of NICs... go download yourself the free smoothwall express install and have yourself a rockhard firewall with the heart of linux protecting your Windows machine.
Smoothwall
use another machine (linux) as a firewall and allow the XP box to connect only to microsoft.com and norton.com so that it can get the updates and do nothing else.
Question
http://www.ironfroggy.com/
It is simple but not necessarily obvious how to install Windows without catching something. I'm sorry if this is redundant, but I felt the need to counter the many posts that implied you need 3rd-party hardware/software.
1. Disconnect your network and install Windows from CD. Decline the offers to register or install updates.
2. Enable the firewall. Block everything.
3. Run windows update and install everything it suggests.
4. Configure windows to download updates automatically.
5. Punch holes in your firewall if you must.
That's it! An external router/firewall might be a good idea to protect you from future worms, but it is not essential for safe installation of Windows.
1. Disconnect machine from net
2. Install XP
3. Before connecting to net, enable XP firewall. (Right click on network connection, properties, advanced, "Protect my computer..")
4. Turn on Automatic Updates (Right click on My Computer, properties, then click tick box on automatic updates).
5. Connect to net.
6. Let it patch itself, or if you want, do it manually via Windows Update.
Really, why this simple simple process seems so difficult to Linux users is beyond me. You wouldn't connect a Linux system running say, an old version of Samba or Apache to the net without IP Tables now would you?
How does this work from the other side? "That XP install took 10 minutes! I could EASILY have 0wned him by then! I just need to attack him in mid-install, and flash his BIOS before each new install starts."
Don't thank God, thank a doctor!
Admittedly, this is not a perfect solution, and others have suggested solutions to help. However, the following actually works quite well for me: I'm running IPCop, and have Squid enabled with a 2GB cache size. Not a huge cache, but big enough to pick up Windows Update stuff (and small enough to deliver maximal performance on a 128MB machine with RAM to spare).
When I install a new XP machine at home, all the updates are still in cache from my last install, so are downloaded at full wire speed.
I just installed my second XP machine, which is when I saw that all updates pulled from cache. (I think MS is wisely very cache-friendly on Windows Update.) I know, you have to have patched a machine already on your network, but it's nice because it doesn't require any specialized tools, and it doesn't require relying on an independent site like AutoPatcher that may go away (or charge) in the future.
1. Unplug network
2. Install
3. Enable xp firewall
4. Plug network
5. Update windows
Always works.
What about getting a worm in the process of installing windows which nukes your BIOS, thus preventing you from installing Linux?
Say, this is an idea for MS. A worm which attaches itself to the BIOS, notices Grub or Lilo and refuses to boot them?
How about the reverse? Every boot that detects an NTFS partition delivers an error message of "Sorry, Windows not supported. Try Linux."
Don't thank God, thank a doctor!
likewise samething. my last reinstall of xp (cos my 20gb hdd crashed last week). I did: a) install winxp from cd. b) hook on the net (Dlink router/bridge to ethernet modem with NAT) c) run windows update (v5) so everything here was fine. -- after that it went totally wrong when I went to one of THOSE sites.. 8) got infected immediately by the secure.html hijacker and , had to install norton/spybot to clean it up in safe mode etc. and no, I didn't have to turn off any firewalls to update norton (not that I installed any besides NAT)
Problem solved by intelligent application of basic networking. Any other questions?
Get DCOM exploit/Blaster fix here: http://tinyurl.com/khuz
Get LSASS/Sasser fix here: http://tinyurl.com/2vj4h
(Optional) Get SP1 here: http://tinyurl.com/6lab
Burn to CD, install updates, then run Windows Updates after that.
OR...
Just turn on the firewall, like everyone is suggesting.
http://www.fsckin.com/
backwards, you can hear satanic messages. But even worse, if you play it forward, it installs their software!
Thanks, I'll be here all week... try the veal...
1. unplug network cable
2. install windows
3. install windows sp1 from a cd i burned
4. install autopatcher xp
5. reboot and plug in network cable
6. goats
Use a frekin firewall.
You're a linux user, but you're pretty stupid.
It is the almost homogeneous nature of the Operating systems on the internet that permit the infectiveness of the viruses. The best answer is to disperse as much as possible the fundamental languages spoken on the net. I've used PAL8, DOS, Assembler code, various flavors of Windows, Unix. My answer has been Macs. No viruses / worms / etc. ever for as long as I've been a user (1984). My Macs just work....
The Internet Connection Firewall offers a basic way to block inbound connections until you've got all your updates in place. Then switch to something more robust, like ZoneAlarm (www.zonelabs.com). To turn on ICF, do Properties on the NIC that's connected to the Internet. Then click the Advanced tab and check "Protect my computer and network by limiting or preventing access to this computer from the Internet". To be on the safe side, leave the network cable COMPLETELY disconnected until setup is complete and the firewall is turned on.
No computer should be directly connected to a cable or dsl modem. A 40 dollar router can do an amazing job at blocking the majority of worms. Port forwarding only the needed services or servers will give any user anything he needs. Anyway if you get hit by one of the worms that forces continual reboots, either end process trees or tell which-ever service that is crashing not to reboot on failure. Usually it is the LSASS service that is failing.
Could Jesus microwave a burrito so hot that he himself could not eat it?
...because obviously you're too stupid to do it yourself.
You say you've been using Linux since 95, yet the obvious solution of using a firewall escapes you! If you're such a linux expert then where's your iptables firewall machine? Or even your $50 router/firewall. I have one for sale for $40 if you want. That's Cdn $$ too! Man, even installing sygate, zonealarm, or any other personal firewall right after winxp is installed would prevent the shit out there from getting onto your machine.
I've been using Linux since 95 too, but I know better than to put any machine, Linux or Windows, directly on the net or in the DMZ unless that's my intention. Windows is much worse than other OS's, but I wouldn't even put a fresh linux install of any distribution on the net without doing some work on it first.
"Show me a hardware firewall/NAT solution for dialup that doesn't cost over $1000..." Off the top of my head, I can name one for you. The SMC Barricade 700x series (7004ABR, 7004AWBR, etc.) includes a serial port that you can connect to an external analog or ISDN modem. Can be used as dial backup (if your broadband goes down), or can be used as the primary internet connection. You can buy the SMC7004ABR for around $80 American. E.
Simple enough, at least if you have norton or zonealarm installed, the XP firewall will kill windowsupdate (don't really know why), but neither norton nor zone will. So long as you allow the update connections quickly enough, windows update will time out if you don't allow the connections through pretty quickly.
Follow the instructions here to download windows update files and save them to disk. Write them to CD, and then install them on your new machine. Finally, connect to the network...
Unfortunately, this doesn't work if you don't have another windows box around, but it can be very useful.
You probably want to install the latest service pack first, if you've got that on CD somewhere, and then only download updates from that service pack onwards.
I would use a storebought "websafe" router from Linksys or Netgear or a couple others. Mine cost $80, I think you can get them for $50 or less now. They are all set up to ignore requests from the "Internet" port out of the box. If you make your initial requests from inside, and requests from outside are ignored for you, you should be able to complete the updates in peace.
The likelihood of getting nailed behind a Linksys while you're patching the system is pretty slim.
I would respectfully disagree with this statement. Please see this article regarding Linksys routers or this article concerning Netgear routers.
Just set up a VPN and start patching. It's a more realistic approach than all the other singing and dancing.
Is it really? This idea of "I have a firewall and I am OK" is very problematic. There are several layers of defense that must be employed to provide a reasonable amount of protection. Simply relying on one firewall with somewhat limited capabilities is folly.
If VISTA is the answer, you didn't understand the question
Let's not mince words -- Windows sucks. It sucks so bad it's able to completely crash on its own, without any external aid.
Knowing this, what makes you so sure you got a virus and/or worm? Just because Windows locks up, or something else goes wrong doesn't mean your system has been infected with malicious code (well, other than Windows itself ;) ).
This sounds like the "newbie reason for anything going wrong". Anytime a newbie sees something go wrong on their computer, they automatically presume they have a virus. Have you done a scan to verify that you have an infection, or are you just assuming there must be an infection because you had an unexpected result?
When you get a headache after bumping your head, do you automatically assume you have an inoperable brain tumor? ;)
Yaz.
Before connecting to the internet:
You should first disable any unnecessary services (say IIS).
For Windows XP
You can enable the firewall that comes with Windows XP. (Easy and provides the best protection.)
For Windows 2000
You can use IPSEC. (May be complicated and time consuming.)
Set any IP which connects to your vulnerable ports (say, 80, 139, 445... etc) to use IPSEC.
For Windows NT (and beyond)
You can use the TCP/IP filtering in the network interface (not IPSEC). (Not a perfect solution, but that's the only method that I know for NT).
The IPCOP Linux Firewall distro has built in support for dial-up using an external or ISA modem. Plus, I have a D-Link 604 router that has a serial port for a modem built in to it. That only cost me $90 2 years ago.
Download the updates to the booted external drive. Make sure the internal drive is physically disconnected. Disconnect from the net. Reboot with the internal drive. Start with the external disconnected. Once fully booted connect the external drive. Virus check it. Don't execute any programs on it. Copy the update. Verify the size and signature match. Virus check it again, and just to be sure the whole boot disk. Dismount the external drive. Maybe do the virus check at this point, or do another one. Install the update.
Alternately install an active virus scanner/firewall from a third party. Then connect to the net.
NAT is not always effective as it depends on the provider not routing NAT range packets. When I was on RoadRunner in KC a few years back, we were portscanned about once an hour from another customer on the net. It looked like they were forcing the DHCP server to give up new addresses as well as they seemed to increment across the address space (for the originating IP) in our NAT'ed address space range.
On our ISP we get around 256K bits per second of port scan / viral payload constantly, added to that another 256-512K bps of incoming SPAM mail. That is per T1 circuit.
http://www.microsoft.com/security/protect/cd/order.asp
Free CD from Microsoft with the latest at time of pressing security updates. Throw that in immediately after install, and update the whole shebang. Then, you can put on your Norton and plug in the Internet connection. And never disable that. I rarely disable anti-virus or firewall even when an install tells me to, and I'm no worse for the wear. A nice hardware firewall (say, a Linksys router with the latest firmware) might not be so bad either.
I recognize people by their sigs. Is that a bad thing?
A "funny only" filter is something I've dreamed about! Probably because I don't know much about technology except for what I've learned from computers crashing/breaking and having to fix them on my own. Amazing what you can learn in such a situation.
I definitely agree that it does seem MS products have problems from the outset. I mean, am I the only one who realizes that this Ask Slashdot is basically saying - "Um, I can't even get windows to START. Can anyone give me some tips on how to make it START? Because it's NOT EVEN REALLY STARTING." It's so odd of a situation that it's laughable.
When I bought my powerbook, I plugged in the charger and pressed the on button - and it booted up. I literally said to my cat, "Did you see that?" As usual, he just licked his balls and ignored me - but I'll be damned if the computer did actually start. I suffered through similar problems as the question poster with being attacked under windows before even getting the system operational. Hence, my PC now has Fedora and I do most of my work on a powerbook.
Question: Did you hear how Windows plans to fix this issue?
Answer: Neither have I.
Thanks for the compliment too!
I've had no trouble doing a fresh install of Windows XP. I visit Windows Update first, before installing any other software. Of course, my router's firewall protects me from most worm traffic.
Here is a Microsoft article on the subject, with links to KBs on slipstreaming. Googling the words "Slipstream" and "Windows" will get you lots of advice on the issue.
Of course, you could just stick with Linux. Nothing wrong with that ;-) [/karmawhoring]
There is nothing inherently safe about liberty. That's why so many people died protecting it.
Don't use norton, use mcafee, plain and simple, I've been using both for 10+ years and to tell you the truth (this is not opinion) norton has never caught a damn thing, those pc's always get infected, mcafee on the other hand when up to date catches every little sneeze the system makes, annoying but safe.
Get a small cheap router with firewall. With the popularity of wireless the wired routers are getting cheaper and cheaper. $35 and you can have a firewall that will help you avoid all those nasty worms and viruses until windows is all cosy with all the updates. I myself would NEVER connect a windows box to the internet directly, yes even with a normal telecom modem.
sparkeyjames
I usually disable remote DCOM using dcomcfg.exe or something like that found in the system directories (just search for dcom*.exe and it should come up). There's also a bunch of documents out there on hardening Windows that let you know what services you can turn off and still have a functional machine.
linuxiso.org
bsdmall.com
apple.com
...then kiss your security problems goodbye!
Turn the windows firewall on before you connect to the internet, it only stops incoming connections unfortunately so it will stop you from getting infected whilst you get the updates from the microsoft site. Turn the firewall off afterwards if you want to install another one.
Other than allowing all programs outgoing access the firewall that comes with windows is really simple and easy to use
This is a waste of time. It's obvious what needs to be done. How about getting the patches for blaster and sasser worms ahead of time. Download the manual updates for norton, download SP1a. Maybe even download a few other things that are handy to have around such as adaware.
Burn to CD, and load your system.
And now we know of one more person that doesn't use common sense.
So...how would you do it?"
Leave network cable plugged in.
Install WinXP from a CD that has been streamlined with SP1.
Install Norton AV.
Live Update.
Windows Update.
Oh, did I forget to tell you that all of my machines are behind a firewall?
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
Those were my first thoughts too. XP has a built in firewall, once the network adapter is installed you can activate it. You don't have to get on the net first.
..after reviewing your link that's mostly what the SANS people are telling people. Enable firewall. This slashdot article sounds like more MS bitching (I've done my fair share to be sure) than anything else.
What I do is keep the patches for blaster, et al on a usb keydrive. No need to even get the stock firewall up during the upgrade process.
Also, correct me if I'm wrong but I believe XP has a mandrake-like 'check for updates now.'
This is a bigger problem in 2K, but you activate IP filtering, which is essentially XP's firewall.
The client-side firewall product that you were using, Symantec's Norton Internet Security, contains well-known vulnerabilities. During the time that your XP box was connected and downloading NIS updates, your computer was vulnerable via that hole that I am aware of, and most likely others as well.
It is extremely difficult to connect a Windows computer to the Internet using a public IP address without exposing several known vulnerabilities, unless you know all about disabling MS networking and how to configure NIS to shut off all the netbios stuff that it should shut off by default but doesn't so that things work in network neighborhood situations.
Unless you're a person with IT admin skills and experience setting up and maintaining Internet-facing windows servers in a DMZ or with no external firewall protection, you'll stand little chance with an internet-facing windows consumer box. Spammers don't relay a hundred million spams a day through DSL-connected windows boxes by accident. Life becomes much easier with a $40 NAT box (linksys, dlink, old 486 running slackware and ipchains, whatever) between a windows PC and public IP space.
Go to Best Buy and get a Linksys BEFSR41 router / firewall device.
Plug your computer into the LAN side.
Clone the MAC address of your computer.
Change the password on the router to something other than 'admin'.
Plug in your cablemodem into the WAN side.
Enjoy your new worm/virus/trojan free existence.
How many times do we need to spell it out??
Glonoinha the MebiByte Slayer
Windows is a fine system as long as you follow one basic rule. Never connect it, even by sneakernet, to any untrusted machine. If you plug Windows into the Internet then it can, and probably will, be compromised. Windows is fine for running Office or playing games but it can never be secure. This is my experience of years as a programmer, hacker, admin, and security guy.
:)
But then.. any system can be penetrated. It just depends how far those trying are willing to go and risk as to if they can do so. Windows is just easier than most systems.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
You can get a residential broadband router with NAT for less than $50. These do some limited firewall-like filtering as well. Or put a second NIC in and set up your Linux box to do the same (or just use your Linux box as a proxy). All you really need to start with is a NAT boundary with no inbound routing or port forwarding to the new PC. This will keep out the worms until you finish patching. Without a firewall or NAT, a fresh PC is typically compromised within 15 minutes.
Go to WindowsUpdate FIRST and nowhere else until all your Windows and Internet Explorer service packs and patches are installed. Then install and update your antivirus. Follow this with a personal firewall (at least the free version of ZoneAlarm). Proceed from there. Just be very careful to not mistype the URL for any of these trusted websites, or you might get an unpleasant surprise.
As noted elsewhere, Microsoft has an update CD but it's not up-to-date, and it seems to take forever to arrive. Ordered mine in Feb, received it in April, and it was only updated through Oct of last year. Since then there's been more than 30MB of new patches. There are about a dozen projects on the web to help you make your own complete and up-to-date patch CD, or even Windows install CD. I don't know how good/reliable/trustworthy these projects are because I use network-based commercial tools at my shop, but they seem to be making some people happy.
Microsoft recommends you disable so-called "personal firewall" software on the PC you are updating. I find that with the right settings, this is unnecessary. But in any event, a hardware-based firewall or simple residential router/NAT device will not interfere in any way with WindowsUpdate (unless you want it to).
As silly as it might sound, I keep a cheap router in the back of my car at all times. I can't tell you how often I've had family, friends and clients with completely-trashed machines that need rebuilding and don't have a firewall. I used to try to maintain a CD of all the service packs and patches for Win98 through XP, but it took too much effort to maintain. The router is easier and cheaper in the long-run. It also looks nice sitting back there next to my propeller-beanie.
A man with a briefcase can steal more money, than any man with a gun. [Don Henley]
Ok honestly, is it really that bad installing windows that you get hit that quick?
I run Slackware mainly on my laptop, but on my desktop I have Windows XP. I have never had any problems installing windows, nor have I had any issue with doing it on anyone else's computer. I've gotten full installs, with updates and never had any kind of virus. I also use AntiVir, which is a free windows antivirus. That's usually one of the first things that goes on.
Am I lucky, or is it seriously that large of a problem? If it was, I'd imagine Microsoft would have quite the issue with new users installing windows. Not everyone is a techie that knows how to install it without getting hit by virii.
The greatest experience we can have is the mysterious.
- Albert Einstein
I have a linksys wireless router between my DSL modem and my computers. I've gotten malware and spyware on my main computer (I found out later when I ran a checking program) but never got a virus or a worm. When I later installed Apache locally on a Win 98 machine and put in a .hosts file with a list of all the adware companies and their servers routed back to localhost, (which causes the local copy of Apache to try to serve them and report no such page) it also stopped almost all popups and a lot of in-line ads.
The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.
1. Buy and use an internet router. 2. Go into your network settings for your network card, find TCP/IP and open up its properties. Once there, select "Advanced" then "Options" then select TCP/IP filtering. Then set port 80 as the only allowed port. Then connect to the internet and update your computer. Rinse, repeat... etc. until fully up to date, then remove or adjust your filters accordingly.
do the install from behind a linux firewall. Windows is very insecure in every fashion you can come up with.
Linux is not, so count on linux for your security if you really have to do an XP install.
Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off.
Microsoft says that as a CYA. I doubt MS's firewall or Norton's would block windows update. Do NOT turn the firewalls off.
shutdown -a do that every time
Sig:
Your best bet is to install as normal connected. After the installation stabilizes download ZA, AVAST and Spybot.
Install ZA then install and RUN Avast and Spybot. If you have problems during these steps you can disconnect from the cable modem. If you have already been attacked these tools will find them.
Configure both Avast and Spybot with all the real time blocker tools you need and set Avast resident scanners to HIGH or, Custom, depending on your circumstances. Set both resident Spybot scanners to ON.
Hookup your cable modem. Reboot, reacquire your IP address and you are done.
I have done this numerous times w/o problems. If the machine gets infected during this time then the tools find it and remove it.
The easiest way I have done it is to do an install of windows on a network that is firewalled by a linux box. Never had a problem of viruses on install.
Leave the firewall turned ON, perhaps? Norton's stuff sucks, better to not install it at all if you want your machine to run well. Their stuff is bloated...VERY bloated. Use AVG for antivirus if you want one that small and free. Leave the XP firewall on and have fun! It's really not that difficult.
Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
http://www.workorspoon.com
"XP-Out-of-the-Box" http://www.ameritech.net/users/mpr_support/XP_Box.html
It works for me...
Get SP1 and Microsoft's RPC vulnerability patch ahead of time and have them ready on CD. My ISP does a poor job controlling recent RPC exploiting viruses, and I will get hit too unless I run the patch locally first.
This account has been seized by the GNAA. That is all.
"Dont install it to begin with"
Take it any way you want, but as a supporter of Free Software, I eat my own dogfood. I DON'T USE MS software, not even the OS.
You can use an unattended install with hotfixes. Qchain.exe is a file that automatically installs the hotfixes in the correct order. The article mentions where to download qchain.exe.
The answer to this question is obviously yes. I mean I cannot count the number of times I have installed and updated Windows from virus recoveries and from clean builds and never get a virus before securing the PC is complete. It sounds to me like you may be missing a critical step. I mean please tell me you are reformatting on the install too. Otherwise why bother to install the second time. The virus would still be sitting around there somewhere waiting.
There is really no excuse for you to have a virus/worm that quick unless you are an incompetent windows user. Of course you could be failing to mention the virus filled email you opened, or the pr0n site you were visiting during your updates. Seriously man, unless you blatantly go look for a virus/worm then you should not get one before you get patched and updated. BTW, windows firewall a la SP1 is crap and so is Symantec/Norton's. Seriously get yourself a Hardware firewall and then throw in Zone Alarm for good measure. Any good firewall should still let you successfully patch windows without having to turn it off.
I love linux and all, but dude it sounds like you should come and take a breath. Windows may be the devil, but Linux (at this point) can only take the geeks so far.
"Some days you just can't get rid of a bomb."
How about downloading updates and burning them to a CD?
I agree, it's a terrible situation. I'm a Windows fan but this is not one of the times to defend Microsoft's software - the XP installation problem stinks. You simply can't follow their instructions and install XP without getting hit by an RPC worm. What I'd recommend is to either leave the firewall on while installing the patch, or download the network install of SP1 (this is a full installer that you can use offline), the RPC fix, and the LSASS fix, and install them with the network unplugged.
Another option is to order the security update CD from Microsoft - they'll send this to any Windows user for free.
As many have suggested, you can install behind a router. Not an ideal solution but it does the job. I hate NAT, and I hate recommending that people use it for security. NAT is a step backwards.
IT professionals can slipstream SP2 onto an installation CD once that comes out. It's due within a month or two. SP2 includes all current security patches and the new firewall, which is on by default. The new firewall also loads before TCP/IP, so there's no window of vulnerability during startup.
Have copies of the following programs on CD.. htm
SafeXP
http://theorica.click-now.net/safexp
XP-Antispy
http://www.xp-antispy.org/
XPY
http://xpy.sourceforge.net/
With those three, you can disable most pesky services that XP runs that can put you at risk.
I used to swear by the 3 big GRC.COM utilities, but the above handle dcom, uPNP, and windows messenger already.
Also, have SP1, and the recent patches on CD ready to apply.
Sasser
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
Blaster
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx
And you need a good firewall. Don't think of using none. And a good free software one will do you good.
http://smb.sygate.com/products/spf_standard.htm
I had the same problem with XP two years ago with UPNP. I was hit with security problems before I could update the machine. Since Microsoft essentially requires network access to authorize the machine and get security patches, this seems like very bad design. Also, I think Microsoft charges for the security CDs.
Imagine buying a car, and once you get it home, being told that you need to patch it within a day, and the patch will either cost you money to send, or put you at risk.
1) acquire a simple p100 (most people have similar already)
2) install smoothwall on the p100
3) install xp behind the firewall
No other way.
On a different machine, go find the "redist" version of SP1 (SP1a actually) and burn the executable to CD.
Or better yet, go visit AutoPatcher.com and download the latest one of those, including all the newest post-SP1 patches.
Spontaneous power downs and reboots (if they are really spontaneous, i.e. no sign that Windows knows it is going to reboot) are my number 1 sign of hardware problems. Get a motherboard monitoring program to watch the heat and PS readings. Get a memory testing program and check your memory. See if you can get a HDD diagnostic program from your HDD manufacturer.
Tim
Omnia vestra castrorum habetur nobis.
I've run 98 and XP for about 4-5 years now, never updated anything except IE, and ran a firewall for about 6 months sometime in that period.
Other than that, nothing. I guess I've been vulnerable this entire time, through all these major news story worms and the like. And I can recall only ONCE that I've gotten a virus/worm that just totally screwed my system. WTH? This article makes it sound as though it will bring your computer to its knees in a matter of minutes, yet I've done nothing as far as security goes and I've been running great for YEARS. Am I just not a good target? Am I lucky? What gives? I don't keep anything on my system that is critical without backup, which explains why I don't really care about these things, but come on, I think some people are interpreting every single unexplained attempt at connecting as a death threat to their system.
Of course, I say all this and I'll get hit tomorrow, but the sad thing is, is that I want a reason to do a fresh install so I can ghost the drive with XP and my essentials installed (hell, why not even a SP or 2 :) and have a newly installed system at the mere thought of a virus. I back up my media anyway, and I put the most important stuff on external drives as it is (which stay unplugged while not in use). I don't see why more people don't do this; unless you're one of those types that upgrade every week, it seems the most logical way to do things.
Who in their right mind gives a shit about Windows? Windows isn't even an operating system, it is a toy, meant to teach children how to use computer peripherals. That is all it is worth.
Who cares about Windows? Piss on Windows... and Microsoft. I wish they would just die already and leave the rest of us to use Linux - a real operating system. I love Windows virii and worms... it shows how vulnerable that so-called OS is. I wish people would write more trouble making programs for Microsoft to deal with.
Go to http://www.microsoft.com/technet/security/CurrentDL.aspx
Select OS, get list of security updates, download, burn to CD, install patches before connecting new OS install to network.
Phillip
...that I have never installed a firewall on my system because I don't need it. Never had any problems getting updates before a virus hits, and never had any problems with viruses on my system ever. I also have Road Runner; the only difference is, I'm on a LAN. Hook the system up by the switch, have the cable modem hooked up to the router, router up to the hub or switch, and wow, a firewall that is nearly impossible to break through. If you are using Windows as the router, big mistake there. Most of these viruses/worms that you speak of are attacks on Windows machines. And yes, my webserver is always getting hits by worms, usually by other RR IP addresses. So, these worms do crawl RR, but if you are behind a router, there is nothing the worm can infect on the router. You are safe that way.
I need a sig.
I was installing XP Pro TODAY, and was infected in under 15 mins, blaster. So I figured ok, no problem, reformat/reinstall and this time without network connectivity until AFTER the install is done and I've enabled the software firewall on the interface.
GUESS WHAT? I was infected, even WITH THE MS FIREWALL ENABLED!! Not with blaster, I don't know what it was. But my browser went nuts, and started opening all sorts of porn. All I did was go to windows update, and install SP1. Shortly after rebooting and trying to DL the next thousand MS patches, I was infected with pr0n worm.. WTF?
Anyhow, the ONLY way I know of to do this without getting WORMED is using a natting HW Firewall. The MS firewall must drop its pants at some point.
Good luck.
Put the winbox on a non-routable IP (10/8, 192.168/16, etc...) with NO port forwarding. Simple enough to do in IPtables or FreeBSD's ipfw.
Do NOT count on stupid software firewalls (BlackICE, Norton Internet Firewall, etc...) as putting a firewall on the machine it's supposed to protect is like wearing a bulletproof vest on the inside.
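The private-address, no-port-forwarding gateway from the comment above, as an added example that is not part of the original post: a function that emits an `iptables-restore` ruleset for a two-NIC Linux box, plus a small lint that flags port forwards or permissive policies in any ruleset. The interface names, the subnet and the SSH-from-LAN rule are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: WAN on eth0, LAN on
# eth1, LAN subnet 192.168.0.0/24, SSH to the gateway allowed from the LAN.

# Emit an iptables-restore ruleset: NAT outbound, forward nothing inbound.
gateway_rules() {
    wan_if=$1; lan_if=$2; lan_net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# LAN traffic leaves with the gateway address. There is deliberately no
# DNAT or REDIRECT rule, so nothing on the LAN is reachable from outside.
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -j ACCEPT
# Replies to connections a LAN host opened are let back in ...
-A FORWARD -i $wan_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ... and new connections may only start from the LAN side.
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
COMMIT
EOF
}

# Lint a ruleset read from stdin (iptables-save format): print one line per
# finding and return non-zero if the box forwards ports or defaults to ACCEPT.
audit_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        /^#/  { next }
        table == "nat" && /-j (DNAT|REDIRECT)/ {
            print "port forward: " $0; bad = 1
        }
        table == "filter" && /^:(INPUT|FORWARD) / && $2 != "DROP" {
            print "filter " substr($1, 2) " policy is " $2; bad = 1
        }
        END { exit bad + 0 }
    '
}

# Enable routing and load the rules (needs root).
apply_gateway() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null &&
    gateway_rules "$1" "$2" "$3" | iptables-restore
}

# Nothing is applied unless asked for, e.g.:
#   sh gateway.sh --apply eth0 eth1 192.168.0.0/24
if [ "${1:-}" = "--apply" ]; then
    apply_gateway "$2" "$3" "$4"
fi
```

Running `iptables-save | audit_rules` on an existing gateway shows whether a forgotten port forward or an ACCEPT policy would expose a freshly installed machine behind it.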
...XP Pro often (sadly) on new machines. Did it on a new FTP machine the other day which was connected straight to our unprotected T1. I didn't have the problems this guy is reporting, lol.
In any case, you simply install XP while not connected to your broadband service, you install a software or hardware firewall (zonealarm for example) and then connect and update, how hard is that?
http://www.newegg.com/app/viewproductdesc.asp?description=33-122-008&DEPA=5
Start reading- http://unattended.msfn.org/
There's a link to a forum thread which lists EVERY required update patch from MS & the URL to download each one directly.
There are also some premade scripts in the forum for building quite up to date installations of XP, by burning your custom install cd with all the patch updates on it. The installation would autopatch without having to be connected to a network.
Problem pretty much solved.
If you want though, before you ever plug in the network cable, you can:
Craenor
Go to MS's site
Order the patch CD
When you get the patch CD, install the OS, sans connection
Update the system with the update CD
reboot.
reconnect.
I would wager you could probably get one from any mom and pop shop for just a couple of bucks.
If you deal with installing OSes, you should already have a copy.
It is not brain surgery.
The Kruger Dunning explains most post on
Download SP1 and as many critical updates as you can, then burn them to a CD. Do this on a Linux box or a Mac, or on a known-safe Windows PC. Install everything, including SP1 and all critical updates. THEN get online. Alternatively, you could also put the PC behind a hardware firewall, such as a router, and then try the updates. Then install BlackIce or Panda and let the script kiddies do their worst.
It's been said before, and I'll say it again because it bears repeating:
Use a hardware firewall!
There is no excuse not to. You've obviously got the know-how to operate a $10 Linksys router/firewall. Plug one in and with the default configuration you can install at your leisure. Honestly, whenever I hear someone complain "I can't install XP on a machine plugged directly into a cable modem without getting 0wnz0rd", it sounds like someone complaining that their wallet gets stolen every time they leave it on the roof of their car in the supermarket parking lot!
If a job's not worth doing, it's not worth doing right.
I have had exactly 1 virus, and it was on DOS 3.
I have a Linksys switch, no anti-virus protection. I don't run Outlook, and only run IE when I have to, which is hardly ever anymore.
I do scan my system every couple of weeks, but I can't stand anti-virus software that is always on. You can count on it to muck something up.
The Kruger Dunning explains most post on
Here is the perfect solution to the problem:
Step 1. Throw Windows OS in the trash,
Step 2. Install Linux,
Step 3. Learn how to use Linux,
Step 4. Kiss all your problems goodbye
At www.winhelpline.info you can download an installer for all the critical updates. It's great.
It's a two-step process:
- Get a hardware router/switch. Make sure it does not, I repeat not, support Universal Plug-and-Play. You do not want arbitrary applications able to manipulate your firewall.
- Install and update Windows as normal. The firewall will prevent anyone outside from initiating connections to your machine. All you have to worry about is websites you visit and e-mails you read before you finish the security-update process and get your anti-virus and anti-malware software and software firewall (to protect the rest of the world from you) up and running.
Hardware routers of this sort run for well under $100 and are a lot easier to deal with than the convolutions needed if they aren't there.
I would follow the recommendation of our friends at thebroken.org and burn your computer from the inside out.
Seems fairly straight-forward to me. Turn it on before you connect to the Internet...
Why did this make it to slashdot and furthermore, why hasn't anyone else suggested this?
I am not sure why he need to disable the firewalls he has installed anyway. Most give a way to open up the machine to specific sites when needed.
-- I ignore anonymous replies to my comments and postings.
I got Roadrunner and configured it myself with Linux; did not even need to touch Windows. After all, it is just a DHCP host at the modem. Throw in an el cheapo router (Linksys here), set up DHCP and firewall, and anything that touches the network can get on.
I have dial up, but if I don't turn on WinXP's firewall before I log on, I get hit too. I say use xp's firewall and forget Norton until you're safely online.
Ad Astra Per Asper
I have had this happen to myself one time as well. The computer was compromised before I was able to get the security updates from Windows Update.
What you need to do (if you want Windows XP to work) is to download the service packs and security updates in advance and install them before connecting your network. Install firewall/anti-virus software and then turn on your network. Windows XP SP2 will be out soon on CD-ROM which should make things easier (for a few days/weeks at least).
Turn on the XP firewall before going online or get a $20 NAT. Either will protect you, except the XP firewall against IPv6 traffic, but no worms I know of support IPv6.
And forget Norton/Symantec, at least for now. Their virus scanner is a big performance hit, so much that you'll feel the difference on any computer. It has historically been a cause of many problems, like system freezes scanning some compressed exes, though I haven't experienced any with recent versions. With good practices alone you will probably never get a worm or virus.
as simple as that
So I should reinstall my OS and depend on some third party tool to remove crap installed on it?
What you are saying is that it is impossible to install Windows cleanly?
Try using a firewall/router instead.
If you can't afford a hardware router you can't afford Windows. Add $50+ to the TCO of Windows.
Or if you can't afford that, use another free OS, such as any BSD or Linux.
If tyranny and oppression come to this land, it will be in the guise of fighting a foreign enemy. - James Madison
a broadband router. What's the big deal?
Hell, a Pentium 120 or 486 can act as a dialup router with no problem. I use mine as trot line weights, but if you have one laying around it will install a thin version of Slackware. Install Webmin and use it to set up your firewall and your dialup. It works fine; I have done it for businesses to run their whole office off of a dialup. Slow but it works.
I've actually been looking for something like this for my parents who don't have broadband available, but would like wireless access.
:)
Solution is a wireless access point / router that has a serial port to connect an external modem to. The router should support "dial-up on demand" over the serial connection.
The SMC7004AWBR was one I found that has this feature ($10.00 on ebay) with a cheap external serial modem ($15.00 on froogle), I can have them set up quite cheaply. Now I just have to convince my mother to actually purchase a computer!
Thanks for your comment, which led me to the right Google search terms to use!!
---John Holmes...
I work in tech support for a major manufacturer. We just have the user enable XP's firewall before the network cable is ever plugged in. This wasn't decided on a whim, but from experience.
Frankly, we don't care what Symantec or Microsoft say.
Oh, and let me assure you of how much I just love it when someone calls back because the previous agent neglected to mention the necessity of enabling the firewall immediately after a reinstall. Can you believe they tell me I can't strangle co-workers?
Install Linux :)
Actually, virii/worms/trojans/etc. aren't the problem. The problem is that too many stupid people are still using Windows - an OS that is really easy to screw up.
Cool solution!
Now that I know how to cover up the SYMPTOM of the infection, I can just ignore that I have a virus on my fresh new install of Windows!
I agree, get the router. It isn't optional these days.
If tyranny and oppression come to this land, it will be in the guise of fighting a foreign enemy. - James Madison
Oh yea, sure just use a linux firewall?
Or the suggestion that reads like a NASA space launch check list.
How about a solution that works.
1. Take Windows install disk out of package.
2. Grasp disk firmly.
3. With malicious forethought and intention strike disk against solid object.
4. Inspect bits, ensuring positively that no viruses will be present at install time.
5. Insert favorite *nix boot disk in infected computer, format drive and continue install.
"There are no Windows experts, they all signed NDAs."
While I do think that this whole story is a troll, I'll give some suggestions:
1. Firewall on. Yes. The Windows one. No matter what the directions say. It's not perfect, but it's better than nothing. (ZoneAlarm or BlackIce are better. McAfee or Norton are barely acceptable.)
2. Hardware firewall. Amazon.com has a wireless router for $16 after rebates. Buy two.
3. Download the various updates (SP1 'net install' and the various Knowledge Base downloads to patch against specific virus holes,) and burn them on a CD. Install these before you turn on the internet connection.
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
setup a private network.
Is it just me or does windows-help.net suck major donkey balls now that infini-source isn't managing it anymore?
I know this is off topic but I went there a couple weeks ago to find an article I viewed over 2 years before and it seems that someone took a well organized site with tons of information about most of the Windows products and turned it into a crap looking shill for Windows XP that doesn't appear to even have as much info about XP as I remember the regular site having.
I know this is off topic but your link pointed to it and it has me wondering if anyone else thinks as little about it now as I do. I guess you can't give me water and pass it off as wine unless you're a certain type of person.
Really.
Why?
When you guys update off the Windows Update do you install ALL of the updates or only some of them? I had the impression that having all of them sorta bogs down the computer but I was never sure. Tips for which ones to install and which not to are appreciated. THANKS!
http://seanism.com/
1. Pull machine off net
2. Install box
3. Configure TCP/IP and enable windows firewall
4. Plug in network cable
5. Windows update
6. Repeat windows update
Job done.
...is to turn on the firewall (excuse me, ICF.)
The average home user thinks NAT is a no-see-um.
The average user plugs the computer into the cable modem. Unless Sparky at Best Buy told them they needed a "Web Router" or a "Broadband Router" and they have the neighborhood geek kid come over and install it.
The average user doesn't know their IP address, gateway, or DNS server. They may have trouble figuring it out even when given instructions over the phone.
KISS!!!
-- Alive and kicking in a VM
A hardware firewall inspects packets and determines whether they should be routed from one physical (hardware) interface to another physical (hardware) interface.
A software firewall inspects packets and determines whether the packet should be passed between different layers of the TCP/IP stack (software) on a single machine.
This isn't simply a matter of semantics. Just because hardware firewalls run software doesn't make them software firewalls. duh.
1) Hide behind a NAT router - Install Windows disconnected from networks. Find someone with DSL and a NAT router. Install all the patches from the safety of their home network.
2) Before installing Windows, format the disk to have a FAT partition. Boot Knoppix Linux from a CD. Get on the internet and download the patches to the FAT partition. Boot Windows - install patches.
Religion is the main cause of atheism.
Use a hardware firewall, or a decent router with a firewall built in, instead of depending on something that's software-based. That way, the nasties are stopped before they even get to your computer.
I've not had personal experience with them, but others I've spoken with have had good luck with Linksys and D-Link. For my part, I've always depended on our Watchguard Firebox II to handle things.
Granted, such a unit is well beyond the cost range of most home setups (unless you get a phenomenal deal on it used, as I did). However, before I had the Firebox, I was part of the Beta testing team for the Zyxel 'Prestige 312' combo dual-Ethernet router/firewall. The 312 has been discontinued for some time now, but it performed like a champ for me.
If I were going to pick another unit today, I would look at Zyxel's ZyWall 100 series, or something similar. They're quite a bit less expensive than Watchguard's products, and I see no reason they shouldn't work just as well.
If the 100's a little too costly for you, the entire ZyWall series comes in a variety of sizes from 1 on up. The number usually designates the number of VPN connections the unit allows.
If you're a DIY'er, you can, of course, just get hold of a spare PC, stick a couple of NICs in it, load it up with FreeBSD or some such, and turn it into a router/firewall.
The bottom line is that I don't believe any purely software-based firewall can ever be as secure as one that's hardware-based, and dedicated to the purpose of just being a firewall. I certainly don't trust Uncle Bill or Symantec to do it right (witness the problems you've already had).
Happy hunting.
Bruce Lane, KC7GR,
Blue Feather Technologies
Just read the instructions for service pack one, and I cannot find any mention of the phrase: "turn off all firewalls"
A fine troll couldn't understand why someone would have so many problems with such a simple activity.
"If we hit that bullseye, the rest of the dominoes should fall like a house of cards. Checkmate." - Zapp Brannigan
trying zonealarm?
http://www.palmzone.net
Get a router, they're cheap. Run NAT.
Set up the computer behind it.
Install patches.
Seems a bit of a no-brainer to me...
did anyone think to download the norton av updates first, then install before you connect to the net???
Why, oh why are people who can't even think to use a firewall allowed to submit questions to "Ask Slashdot?"
It doesn't even have to be that fancy of a firewall. Shoot, even just being behind a NAT will protect you sufficiently from incoming attacks that you should be able to update the machine without being exploited - and that's not even a firewall, that's just routing!
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
Demand compensatory payments from your ISP for damages caused by a service they provide... ...like making lemons into Apple Cider
That is exactly what popped into my head the instant I read the article. I couldn't believe how stupid of question that moron asked... then I read the comments. People are suggesting shit like: "install the updates in WINE first" and other totally retarded stuff. Slashdot fucking blows man.
NAT is an evil abomination that breaks the Internet's end-to-end model, but for machines that will really never receive incoming connections (VOIP, games, IM, etc. as well as web servers), it's cheap insurance, and for machines that aren't ready to connect to the net, like unpatched Windows, it's pretty much essential. And once you've got your machine patched, you can then open up whatever ports you want on your firewall, if it's bright enough to do that.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
It's nice that the firewalls are on by default in SP2, once you've got SP2 installed. Plug the cheap hardware device in to your network connection before you try to use them. Once you've got everything really configured the way you want, _then_ you can _think_ about removing the hardware firewall.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I suggest you look into "slipstreaming" of Windows XP.
Basically, you copy the files to a folder on your hard drive. Then you download whatever service packs you want installed and extract them with the /x option.
Done correctly this gives you a directory with I386 pre-patched with whatever you want. Next, create an ISO image utilizing mkisofs from Cygwin (or linux) and finally burn it to a CDROM using Nero or whatever windows/linux app you want to use. PRESTO.. an install CD with all relevant patches!
WH
(For what it's worth, I just learned this trick the other day while trying to fix a laptop with a broken HD.)
fsgn
HOW THE HELL CAN YOU GET A VIRUS JUST UPDATING WINDOWS! I'm not being rhetorical. I really worry about you incompetent 'linux' users. I mean honestly, I've used Windows almost my entire life, and gotten 3 viruses total. The only security exploits that actively dog Windows are ones caused by egotistical bitter linux users who slashdot from their mother's basement.
Screw linux, Microsoft's 'incompetent tech support' has an 800 number. Why waste all your time trying to recreate Windows features in open source... just use Windows. Right after you have to reprogram keyboard drivers to boot.
For my own abysmal formatting!
Do you see what I did there?
That it is getting impossible for a normal Windows user to re-install his or her machine. The viruses will get to you before you can get up to date.
I notice that in my surroundings: 5 minutes online on a dialup connection on a not yet patched machine (downloading a 300MB patch over dialup takes pretty long) is good enough to catch Blaster and some others.
Well, the system is not usable anyway: spyware ruins IE every time, making re-installs of Windows necessary.
Is that most users are not capable of doing things like 'turn on firewall' or 'install this program to fix that vulnerability'. Most solutions that I have seen posted here involve some kind of tweaking to firewalls or installing some external firewall box and things like that. Please don't forget that most people don't even know what a firewall is, let alone know that they even need it. I wonder what solution there is for a non-techie home user who is just capable enough to install Windows but nothing more. Of course one could argue that that user should just have his OS installed at the shop. That might be the only solution perhaps.
Greetings,
Project Manager of Crystal Space (http://www.crystalspace3d.org). Support CS at http://tinyurl.com/cb3x4
I'm currently connecting to the internet through a Mandrake Linux box. It's got two NIC's (One to modem, one to switch). To initially get things working, I did the sinful thing and clicked the "Enable transparent network connection sharing" button from drakconf. So in short, it will act as a gateway to anyone on eth1.
To secure the box:
- I set security to "higher" to generally make the box a little more paranoid.
- It doesn't run any services it can live without, period.
- I installed Shorewall to block most of the crapflood coming from the Internet; It accepts local (over eth1) connections for http, https, ftp, ssh, and a couple others that don't immediately come to mind. Except for exactly two IPs belonging to my friend, it silently drops every incoming packet except for HTTP and FTP.
- For what it's worth, I wrote a primitive script that uses openssl dgst -md5 to watch for any changes in /etc, /usr/sbin, /usr/bin, and /var/log (beyond normal entries, of course).
Well, that's what I've done to secure my gateway. The whole reason we started using this box as a gateway is because its predecessor, a D-Link hardware gateway/router, wouldn't work with the new DSL modem. Thus, it's unfortunately directly connected to the internet for the moment. The IP changes constantly, so it isn't going to be pinned down. I have looked at
Anyone got suggestions for further securing the gateway? BTW, on my end, I ssh into it frequently and check for bandwidth use, users online, file changes, etc.
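A baseline-and-compare integrity check of the kind the comment above mentions, as an added example that is not the poster's script: it hashes every file under the given directories and reports files that were added, removed or changed since the baseline. It swaps MD5 for SHA-256 (MD5 collisions are practical), and the subcommand names and file paths are assumptions.

```shell
#!/bin/sh
# Added example, not the script from the comment. Uses SHA-256 rather than
# the MD5 mentioned there. File names containing newlines are not supported.

# Print the hex SHA-256 of one file (openssl if present, else sha256sum).
hash_file() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 -r "$1" 2>/dev/null | cut -d' ' -f1
    else
        sha256sum "$1" 2>/dev/null | cut -d' ' -f1
    fi
}

# Print "<digest>  <path>" for every regular file under the given dirs,
# sorted by path so two snapshots of the same tree are identical.
snapshot() {
    find "$@" -type f -print 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r f; do
        h=$(hash_file "$f")
        [ -n "$h" ] || continue        # unreadable file: skip it
        printf '%s  %s\n' "$h" "$f"
    done
}

# Compare a baseline snapshot ($1) with a current one ($2).
# Prints ADDED / CHANGED / REMOVED lines; returns 1 if anything differs.
compare() {
    awk '
        { h = $1; p = substr($0, length($1) + 3) }   # path may contain spaces
        FILENAME == ARGV[1] { base[p] = h; next }
        !(p in base)        { print "ADDED   " p; bad = 1; next }
        base[p] != h        { print "CHANGED " p; bad = 1 }
                            { seen[p] = 1 }
        END {
            for (p in base)
                if (!(p in seen)) { print "REMOVED " p; bad = 1 }
            exit bad + 0
        }
    ' "$1" "$2"
}

# Usage (assumed layout):
#   sh fim.sh init  /mnt/usb/baseline /etc /usr/sbin /usr/bin
#   sh fim.sh check /mnt/usb/baseline /etc /usr/sbin /usr/bin
case "${1:-}" in
    init)
        shift; out=$1; shift
        snapshot "$@" > "$out"
        ;;
    check)
        shift; base=$1; shift
        tmp=$(mktemp)
        snapshot "$@" > "$tmp"
        compare "$base" "$tmp" && rc=0 || rc=$?
        rm -f "$tmp"
        exit "$rc"
        ;;
esac
```

The baseline only proves something if an intruder cannot rewrite it, so keep it on read-only or removable media rather than on the gateway itself. Log files under /var/log grow in normal use and need a different check than a whole-file hash.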
I'm suggesting this because I am mainly a FreeBSD and Linux user, but I use Windows 98SE, the latest version of that stuff that I will touch, and I do not need to apply patches of any kind as these machines never connect to the 'net. In fact, my firewall rules do not allow any packets to or from the Windows machines, and they are used solely for running specific applications that have no alternative OS replacement. Yeah yeah, Wine and CrossOver Office, Bochs and VMware, yeah yeah yeah... :-)
But seriously, how come you can't download those patches using Linux, and avoid letting that Windows box touch the 'net until it's locked down (as much as possible)?
Finally, I highly recommend getting a hardware firewall like the firewall/NAT/hubs that Linksys sells... They're not foolproof, but they'll make your life much easier.
Simple suggestion: ignore Microsoft's INSANE suggestion to disable all firewalls. They don't know what they're talking about. (Even the built-in XP firewall would do...)
This is a 100% true story. Any time this year I tried to reinstall a machine at school (UC Santa Cruz) that was connected to the network, it would immediately be attacked by Blaster. No warning, the system would get the RPC death knell and die. This was with a copy of XP that I made that had SP1 slipstreamed into it. The answer, however, is very simple. 1) Download the SP2 network install ahead of time and burn it on a CD (throw on your chipset drivers too) 2) format and reinstall with the network unplugged 3) install chipset drivers (for DMA) 4) install SP2 5) plug into network and run Windows Update etc... voilà. If you can't get ahold of SP2 ahead of time, use any decent software firewall (Zone Alarm and Norton both work pretty well) or a hardware firewall preferably. They aren't really necessary though, SP2 will save your life.
After installing the OS and AV software (McAfee in my case) offline I activate the XP firewall and download the update for the AV software then the windows OS updates. What idiot uses software that tells you to turn OFF the stupid firewall??
I know, there are no stupid questions but only stupid people, but... How to avoid viruses at Windows install time? By avoiding the Windows install time maybe? Seriously, asking "how to avoid viruses at Windows install time" is equally smart as asking "how to avoid viruses at anal sex without a condom time." Maybe consider some alternatives: Debian, EROS, KeyKOS or maybe even OpenBSD would be a good place to start instead of asking loaded questions.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
You should always use a router between your PC and the cable modem. My PC is safely hidden behind the router and has never been hacked.
I tell every person I know who gets a broadband connection to buy a hardware firewall device. If they invest in a wifi router for about $80, then they not only get a built-in firewall but also wifi a hub/switch as a bonus. As far as I am concerned, this is an absolute requirement these days.
The NAT that is setup by default for all such routers is just the ticket to avoid viruses like blaster.
Dude, Linux for the PS2 is official stuff..
Sony provides it.
Tua consilia omnia nobis clariora sunt quam lux. Tu delenda est!
Cert/CC has an article called "Before You Connect a New Computer to the Internet"
I usually (I do this for a living) install Windows, install ZoneAlarm, then connect to network. I mostly have to use this on computers hooked up through MSN internet, or some of the other large Inet providers. As far as all the "this guy an idiot" remarks here, ignore them, they are idiots that don't think about the fact that most users aren't versed in internet security, and don't realize the threats that are out there. It was a good question, I just hope others aren't turned off from asking other questions of the like. Most people that own cars don't know how to service them either, that's why there are mechanics to go ask and webpages that deal with car maintenance.
Oh what a relief. I see all the good suggestions here. For a moment I thought the Windows platform had finally died out! What a relief it survived!
I like Windows - I really do, I really really do - and it would be a shame to see it go all for the sake of a nasty bug or two. Or parasite. Or whatever you call them.
OK, that's all I can write now. Me and the wife are going for a walk. We live in a bad neighborhood so it takes a while to get dressed. We wear body armor made out of kevlar and she and I both carry AK-47s and hand grenades and I wear a mortar on my back just in case and if things get really bad we've got a bazooka in the car.
It's a good neighborhood really - we feel really safe here.
Bye!
The Linux Version (Distribution would be Redhat 5.x iirc) for the PS2 was actually developed and published by Sony
http://www.linuxplay.com/
The only other Distribution for the Playstation I know of is blackrhino
http://blackrhino.xrhino.com/main.php?page=home
Also hardly illegal as it requires the original Linux Kit
run 'shutdown -a' once blaster or similar worm hit and system counting down to reboot, windows will stay crippled but should allow enough time and functionality to download the updates (probably not to install tho), and of course will need to remove whatever worm that got in after updates are installed.
Debian GNU/Linux, for example, doesn't initially listen to any services that could be cracked. If you have network connection available during installation you'll always install the latest versions of every software. A bug in the kernel TCP/IP stack could still do it, but even the installation medias are updated every now and then.
:-)
I agree that using stale install media and having services up before they're patched is inviting disaster.
Microsoft isn't completely oblivious to the update-hell: You can preinstall WinXP SP1 to the installation media (it's called slipstreaming). And you can add new drivers too (using the unattended installation mechanisms, I think.)
http://www.windows-help.net/WindowsXP/winxp-sp1-bootcd.html
Now, if you complain that linux is hard to install, can you imagine instructing your granny to slipstream her Windows installation media and add latest drivers?
The MasterCard way:
Installing 'doze unconnected to network - $189
Installing software Firewall - $69
Connecting to Linksys/D-Link/Netgear - $45
Having Windows boot without turning into the great whore of the internet - PRICELESS
For everything else, there's Macintosh.
(Don't you think this smiling gentleman agrees?)
Some days it's just not worth
chewing through my restraints.
The VERY FIRST THING you should do after installing XP is TURN ITS FIREWALL ON and LEAVE IT ON unless it causes problems with one of the software packages you're trying to use. At the very least you should leave it on until the system is completely patched. Then you should make sure the system is set to automatically download and install updates without any user intervention. You can do this via the group policy editor. If you leave the firewall on, set the system to auto-update, and use a good anti-virus program (which should also be set to auto-update) then the only thing you have left to worry about is spyware/malware and end-user stupidity.
I have to deal with haxored systems at work all the time and every time I do a rebuild I yank the ethernet connection and make sure that the firewall is turned ON before I reconnect it to the network.
I would think that this would be common knowledge if not common sense. I can understand that you don't do Windows support for a living, but how about doing a little research before you make a post to Slashdot asking how to tie your own shoelaces? I expect that the only reason this made it past the moderators is because it's inherently anti-MS.
When I first started to read your post I was worried that there was some worm that the XP firewall didn't block. I was shocked to learn that you hadn't even bothered to turn it on.
Maybe this will teach you rule number 1 when it comes to Windows security: You can never be too paranoid.
Lee
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
It doesn't suffer from such attacks.
In win2k you can try doing this (same should be applicable for winxp),
1) open the advanced TCP/IP settings
2) click on options,
3) Select TCP/IP filtering
4) click on properties
5) Enable the checkbox Enable TCP/IP filtering
6) Select Permit Only for all three options (i.e. TCP ports, UDP ports and IP protocols); do not add any ports, as this is for incoming connections only
7) say ok to save settings (on all the dialog boxes)
8) You will be asked to reboot for the changes to take effect.
9) Reboot and connect to the net and install the updates.
The solution is to install a firewall from CD before connecting to the Internet - unlike anti-virus software, firewalls don't really need updating, so the fact you are installing a CD version doesn't matter. A relative of mine runs an NT4 PC that doesn't have the latest security updates, but that doesn't matter since she has a firewall, so she has never been hit by a worm.
Then, install and update the anti-virus software, and run Windows Update, before using IE or Outlook for anything else.
And of course, using Mozilla Firefox and Thunderbird will avoid one class of future infections.
Firstly, it looks like he was using a firewall. The Norton one. He didn't connect until that one was up and running.
Secondly he says that the recommendations from MS were that firewalling software was turned off during updating.
Now to me that's not a good idea. And MS have got to have their head in the clouds to suggest it. Oh, that and sometimes ignoring Microsoft's recommendations is the best way to go...
...but having said MS updates don't always play well with other things.
Tiggs
"120 chars should be enough for everyone..."
the ICF isn't great, but what it does do is BLOCK INCOMING CONNECTIONS ON ALL PORTS VULNERABLE TO INFECTION. not OUTGOING, just INCOMING but that's good enough to get you patched safely unless you're dumb enough to go looking at dodgy sites. sheesh, this isn't rocket science.
also note that any decent firewall (kerio personal firewall's free and great) will also work. those who've installed norton and still got hit are just being plain dumb.
First of all, download SP1 and all other critical updates from another machine, or even through Linux (as many people have suggested). That way in the future, you should never have to connect to the Net to install SP1, and afterwards you should be fairly "safe".
If you have cable/xDSL, then get a router. Most have NAT firewalls, which blocks all desired ports from virii and attacks (and you'll get a lot, believe me).
However, many people haven't mentioned what to do if you're a dialup user after a fresh install, and that's a fairly big problem. Once I dialled into my backup ISP without patching, I got hit by Blaster and the likes within 20 seconds. Only thing I can suggest is a software firewall like ZoneAlarm, but I don't know how good it is at preventing infection. If you set it to asking you what to let through once you install it, you should be ok.
Fun fact; if you're connected via dialup or xDSL to AOL, you're automatically protected. Don't believe me? Try an unpatched machine connected via normal Windows dialup, then try an unpatched machine via AOL. You won't get hit by anything.
I think the main error here was using shrinkwrapped software "as is" on a machine you were trying to connect to the Internet. These days whenever I'm due to reinstall Win2K I make sure I know where my copy of the latest Service Pack is, and pull down a fresh copy if I have to.
Seeing that you work with other computers, I assume it's possible to download other software first. These days, I'd say that's essential.
My personal recommendations would be to firstly use a hardware firewall if possible. I know sometimes this isn't always possible, but it's a good idea to have something between the Internet and your newly-installed machine.
Secondly, pull down the full installation package for the Service Pack first, and burn it to CD. (Either that or slipstream it.) Then get the SP on before connecting. This means that any vulnerabilities that were closed in the latest Service Pack will be closed before you even go online.
On a similar tactic to the second point, download (if possible) the latest signature file for your anti-virus software. The problem with store-bought software here is that the virus definitions will be woefully out of date. So download the latest definitions and get them installed first.
With whatever your firewall-of-choice is, start off by closing off anything you don't need yet. Similarly go through Services and deactivate anything you don't need. (Same theory as in Linux, really. Don't leave any services running that you don't use)
Putting it all together, make sure that your system is as up-to-date as it can be, with an active firewall, recent anti-virus, and no unnecessary services running.
Now connect it to the Internet.
Tiggs
"120 chars should be enough for everyone..."
Install a damned hardware firewall (LinkSys, etc) and you won't even have this problem. Sheez...
If you have a CD-Burner, you can install the MS patches right into the i386 directory using a technique called slipstreaming.
:)
This will leave you with an up to date system before the network drivers are even activated. I've made several myself, and they're a godsend.
It's been a long time.
I'm glad someone posted this, I didn't think to, but just recently I had to reformat 3 times in a row because of this very problem before it even occurred to me to do it this way (I know, I'm lame) and it's funny, I did it exactly as you did, even the same programs :)
good work posting it :)
Magic087
I had this problem as well when I had an internal ADSL modem in my old Windows XP box.
The solution I came up with is to route everything through a Linux box. I used the internet connection on my Linux box and set a connection up with a network card and a crossover cable, effectively using the Linux box as a NAT box.
These days, I have a dedicated ADSL NAT (Binatone ADSL 2000) box which doesn't let through a great deal by default, so it's relatively safe unless a machine at the wrong side of the network is infected.
Graham
Like many others said: Get a cheap "internet router" that does NAT (Network Address Translation). If the attackers can't get to the fresh XP machine, they can't kill it. Easy, isn't it? Just turn OFF UPNP support and all DMZ / port forwarding stuff on the router.
If you still have a spare PC (minimum 486SX-25, 8 MB RAM, floppy, two ethernet cards), give fli4l (or any other small Linux router software) a try. Download size is a few MBytes (ask your friends / neighbors), and the complete boot floppy is created within a few minutes on any Windows system. No Linux knowledge required.
Keep the NAT router between the XP machine and your internet connection even after you have completed the XP setup. Though the router may not help against using IE and Outlook, it will help against all TCP and UDP based attacks. All viri and worms that spread by connecting to any TCP or UDP port on your machine will fail to infect your machine thanks to the NAT router.
Tux2000
Thinking helps.
Complete crap. Unless you install a Linux distro that opens 50 ports to the web by default (no modern ones I assume), then you will NOT get infected. Example: on install, Mandrake will warn you about services set to run that will listen on outside ports. At that point you can choose not to install those services. Also, you can disable any service during the installation.
With Red Hat/Fedora, you configure your firewall during the installation. You can block all incoming ports out of the box until you can hit Red Hat update, and grab the patches.
I'm sure other distributions are similar. Most Linux distributions these days don't do moronic things like install processes that open ports to the internet by default, and CAN'T BE SWITCHED OFF without crippling some essential functionality.
Sorry, I couldn't help it!
See my journal, I write things there
Just turn on ICF (Internet Connection Firewall) before you plug it back in, yesh, it's right there.
WTF was this even posted?
My email addy? should be easy enough.
Argh.. I've been a Linux user for a long time now without touching Windows for a while, but lately I've tried installing Windows 2000, and it's a pain in the ass, viruses, problems, instability etc... now I remember why I switched to Linux in the first place....
It isn't our fault this guy couldn't be bothered to toss a simple NAT device in between him and his ISP's externals.
And for you "Oh no, extra cost/hardware Windows sucks!!!!" people, remind me when the last time you spent ten or twenty bucks bothered you all that much.
And you won't be able to re-activate your Windows XP again
I found it the hard way.
Fair? Who said life was fair?
That is how I do it. My home network(s) are located behind not 1 but 2 stateful linux firewalls and each machine has its own firewall Linux(iptable), BSD(ipfirewall) and window boxes (Nortons, zonelabs). When building windows boxes behind my walls I have not had anything get to them when they are in their "virgin" state...
the last few times I installed WinXP... 1) got the SP1 and the latest drivers 2) got the update-pack from http://winboard.org which includes all patches until two months ago 3) got http://www.free-av.de (virus scanner) 4) burned all these things on a CD 5) unplug cable to internet, boot, install XP, SP1, update-pack, free-av, plug cable back in, go to windowsupdate.... 6) finish my 2 rappen scheuri
Just put it on a memory-key/usb drive and you are good to go.
Dear aunt, let's set so double the killer delete select all
It seems to me that the easiest way to cleanly avoid these problems would be to build a simple firewall into cable/DSL hardware.
The way I imagine it, the thing comes with all incoming ports blocked by default. The installation tech simply generates a random admin password for the modem and includes it with the literature along with instructions on how to access a web-based interface. The benefits here are immense:
(1) The ISP will probably make its money back on bandwidth consumed by the worms' random scanning, irate morons hogging tech-support lines and complaints from people being scanned by their network. Honestly, how much could a dinky little firewall add to the cost of a cable modem?
(2) Totally transparent to regular users. It just works.
(3) Anyone that *needs* open ports ought to be smart enough to figure out how to use a simple web-based interface to open the ports he needs.
Am i missing something? I mean, it won't protect dial-up users but it sure is a start.
I unplug the machine, install and everything... I set up the network and stuff... patch the computer for Blaster and its friends, reboot and then I connect it to the net... I agree it's pretty stupid because in order to get the patches you need to get infected at least once :) so what I did is mainly kept a copy somewhere and when I get a computer to install I do this and over the network I find the patch and install it... usually before going online I install two things... antivirus and firewall... this helps a lot. When I go online finally I update everything, OS, antivirus, firewall, etc. and then another nice reboot and everything should do fine :)
If I had half as many problems as people here seemed to have with windows, I would've stopped using it a long time ago. However, after many years of using 98 and XP:
1) I don't recall ever seeing BSOD
2) Never gotten a worm, much less one in 6 seconds after fresh install
3) Never had my computer hijacked
4) Usually when something does go wrong, I can pinpoint the source of the problem by looking in the mirror
Unfortunately the same can't be said for my friends or family. They seemed to be perpetually plagued with windows problems.
This makes me wonder, while windows is far from perfect, maybe the main problem is sitting in front of the monitor?
What I do (on Win2K, but XP should be similar) is:
1. Download the free ZoneAlarm, and save it.
2. Go offline.
3. Install Windows
4. Install ZoneAlarm
5. Re-boot, starting ZoneAlarm
6. Confirm that ZoneAlarm has blocked all unnecessary ports.
7. Go online, and surf to Windows Update (it works over Zone Alarm).
That would prevent an attack on the machine during installation, and for simple applications one can find cheap routers with firewall integrated.
The second benefit is that it helps transferring files from any older computer you may have. You do not plan to use floppies for this, right?
The way I'd do it (in fact, the way I did do it, before I got laid off due to the computer shop I worked at closing down) is to download the necessary patches beforehand on another computer and burn them to CD. Then you can install them on before connecting it to any type of network. Alternatively as someone suggested you can get an Update CD from Microsoft, which might be easier if you don't have access to broadband.
I have been trying all weekend to re-install Windows 2000 without getting a worm before I finish downloading the security updates. I have tried to do that three times so far but have failed each time. When I finish I always run the free ClamWin virus scanner and it says that I have the Lovgate.W-2 worm. I plan to try using a different virus scanner to see if perhaps it is just a false positive. I also had the same thing happen about a year ago, except that back then I was using the McAfee virus scanner and it was a different worm that got in before I was done.
On the last two attempts, I started by installing Windows 2000 with service pack 4 from the CD. I then installed the latest free Windows Security Update CD which is the Feb 2004 version. I then installed the free version of the Zone Alarm firewall which I had downloaded while running Linux. I also avoided turning on my old computer which is attached to it by ethernet cable. I had already become aware that my old Windows Me computer has both a virus and a worm on it.
I then connected to the Internet with my dial-up connection at 26.4K. The telephone lines in my neighborhood are only good for 26.4K so it takes several hours to download all the critical security updates. During those several hours the Zone Alarm firewall is always going crazy with warnings. Various messages would pop up asking me if this or that connection should be allowed. I had no idea which messages were for things that are part of the Windows update process and which were not.
There were also several attempts to connect to my NetBIOS. During one attempt to install Windows, Zone Alarm blocked about 50 minor intrusions and one serious attack. It was also disconcerting how the Windows update would say it was done downloading and then during the install phase the lights on my external modem would show continuous downloading. The install phase required almost as much downloading as the download phase did. When I was all done ClamWin said that I had a worm already. Maybe that was just a false positive. ClamWin 0.35 is still in an early beta version so maybe it is wrong about my having a worm. By the way, I also use the Linux version of the Clam virus scanner under Linux and it says (as expected) that I do not have any viruses on my Linux partitions.
I should also add that I use Linux most of the time and only check my e-mail when running Linux. I do not plan to enable the use of my POP e-mail account from within Windows. I like to have all of my old e-mail messages in one place and it is safer to open the messages from within Linux anyway.
With a slow 26.4K dial-up connection I felt like a sitting duck for the first several hours while I was online downloading the critical security patches. Cable and DSL are not available in my neighborhood in this part of Arizona. Not being an expert in security, I am totally confused on how to safely install Windows. I am thoroughly tired and fed up after a weekend of this.
This really was such a not useful contribution. Really, thank you for your thoughts. -NOT-
Perhaps, if you don't understand the problem behind the question, better withhold yourself from reacting.
OTOH the last part could be interesting, but that's an obvious 'solution'.
I wonder why you reacted like this to a question that addresses a serious problem.
Privacy is terrorism.
Can anyone link to any documentation on how to make a Linux firewall?
You say you've been using Linux for years? Okay, so then you know about IP
Masquerade, yes? Use it. Pull a spare Pentium-90 out of the closet, put an
extra $8 NIC in it, set it up with your favorite distro, and connect *that*
system directly to the net. Set it up with a second, local network on the
second NIC (I usually use 192.168.0.*), and have it masq that network onto
the internet. Hook your Windows system up to the local network and have it
use the IP-Masq box as the gateway. This protects you from anything that
relies on open ports to spread, which includes most worms. You still have
some vulnerabilities, mostly in clients, _especially_ Outlook Express, which
you should avoid entirely if at all possible and certainly at least until
you've got all the updates installed.
People with no Linux experience can buy a hardware NAT gateway or firewall
and accomplish basically the same thing.
When you finish getting Linux installed, you should still leave it behind
the NAT gateway. You can turn off all the software firewalls you want then;
although they do provide one additional piece of protection (namely, flagging
certain kinds of rogue outgoing traffic that can be caused e.g. by spyware),
that's more a form of detection than prevention, so switching it off for a
few minutes to install some updates is not a big deal. The NAT gateway will
cover the more important function of preventing rogue incoming traffic.
Cut that out, or I will ship you to Norilsk in a box.
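The two-NIC IP-masquerade gateway described in the comment above, written out as an added example that is not part of any post in this thread. The interface names (`eth0` facing the modem, `eth1` facing the Windows machine) are assumptions, and `-m conntrack` is the current spelling of the stateful match; the checker also rejects port forwards, which other comments here say to leave off.

```shell
#!/bin/sh
# Added example: ruleset for a Linux box that masquerades a private LAN onto
# the internet and accepts nothing unsolicited from the outside.
# Assumed names: WAN = NIC on the cable/DSL modem, LAN = NIC on the local
# network, NET = the local network (192.168.0.0/24 in the comment above).

# Print an iptables-restore ruleset. Usage: gateway_ruleset WAN LAN NET
gateway_ruleset() {
    gw_wan=$1 gw_lan=$2 gw_net=$3
    # Refuse empty or odd arguments so nothing unexpected lands in a rule.
    for gw_arg in "$gw_wan" "$gw_lan" "$gw_net"; do
        case $gw_arg in
            ''|*[!A-Za-z0-9./_-]*) echo "bad argument: '$gw_arg'" >&2; return 2 ;;
        esac
    done
    [ "$gw_wan" != "$gw_lan" ] || { echo "WAN and LAN must differ" >&2; return 2; }
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# LAN traffic leaving through the WAN NIC takes the gateway address.
-A POSTROUTING -s $gw_net -o $gw_wan -j MASQUERADE
COMMIT
*filter
# Default deny for traffic to the gateway and through it.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections that were opened from the inside.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New connections are accepted only when they start on the LAN side.
-A INPUT -i $gw_lan -s $gw_net -j ACCEPT
-A FORWARD -i $gw_lan -o $gw_wan -s $gw_net -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin and list what would let outside traffic in:
# a non-DROP policy, a port forward (DNAT/REDIRECT), or an ACCEPT for new
# connections arriving on the WAN NIC. Exit status 1 if anything is listed.
# Usage: ruleset_is_closed WAN < rules
ruleset_is_closed() {
    awk -v wan="$1" '
        /^:INPUT DROP/   { in_drop = 1 }
        /^:FORWARD DROP/ { fw_drop = 1 }
        /^-A / && / -j (DNAT|REDIRECT)( |$)/ { bad = bad "port forward: " $0 "\n" }
        /^-A (INPUT|FORWARD) / && / -j ACCEPT/ && index($0, " -i " wan " ") && !/ESTABLISHED/ {
            bad = bad "WAN accept: " $0 "\n"
        }
        END {
            if (!in_drop) bad = bad "INPUT policy is not DROP\n"
            if (!fw_drop) bad = bad "FORWARD policy is not DROP\n"
            if (bad != "") { printf "%s", bad; exit 1 }
        }'
}

# Load the ruleset and enable routing. Needs root, run on the gateway only.
# Usage: apply_gateway eth0 eth1 192.168.0.0/24
apply_gateway() {
    gw_rules=$(gateway_ruleset "$@") || return
    printf '%s\n' "$gw_rules" | ruleset_is_closed "$1" || return
    printf '%s\n' "$gw_rules" | iptables-restore && sysctl -w net.ipv4.ip_forward=1
}
```

The Windows machine then uses the gateway's LAN address as its default gateway, as the comment describes.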
It would have saved me a lot of work because I probably would have followed some of the suggestions presented here before doing a Windows XP reinstall this weekend. So 5 minutes after I completed the installation and connected to the internet to do the critical updates, the computer shuts down; the Sasser worm attacked. So an hour later and countless reboots I get rid of it and can complete the updates, only to find out that some spyware had already infected the computer before I could even install Firefox. Install a bunch of ad-awares and run them, and still one remains; surf the internet for removal instructions; find it in some forgotten forum, complete the clean-up. So, conclusion: part of the weekend wasted, and the next time someone asks me to install XP I'll tell them that I'm out of town this weekend. Well, at least Portugal beat Spain so the weekend wasn't a total loss.
...because the exact same thing happened to my Mom recently. She got a Toshiba notebook, installed the Earthlink Internet software, went out on the web, and picked up Sasser in record time. I fussed at her and told her to reinstall from scratch, then install Norton before going out on the web. She did; same thing happened. Obviously, she acquired the worm either
a) WHILE she was activating Norton over the Internet, or
b) BECAUSE Norton didn't automatically shut down ports once it was activated.
My question is, why is Norton not designed so that it closes all ports during the initial "registration" process, except of course for the port used to serve their registration process?
Human being (n.): A genetically human, genetically distinct, functioning organism.
I just install WinXP with my network card unplugged. When Windows installs, turn on the XP firewall, that thing isn't letting anything through... do updates, turn off crappy (yet almost too highly effective) Windows firewall. Or just install it behind a router with only port 80 forwarded.
Momma told me that sigs are for the devil
Get a firewall, and get behind it. That is #1 way to avoid viruses at install time. What was so hard about that?
That darn Slashdot is so cool... Hey did you pay the phone *(#(Q%$#$ NO CARRIER
For those of us with a slow dial-up connection we do not just simply "connect and update". The telephone lines in my neighborhood are only good for 26.4K and DSL and cable is not available. When re-installing Windows 2000, downloading the critical security patches was a several hour ordeal during which my Zone Alarm firewall was going crazy. The firewall kept giving me pop-up messages asking me if various types of connections should be allowed or not. I had no idea which were really part of the Windows update process. It also said that there were a couple of attempts to connect to my NetBIOS. Zone Alarm claimed that it had blocked over 50 minor incursions before the critical security updates were installed. It would probably have taken longer if it weren't for the fact that I had already installed the latest free Windows Security Update CD from Feb 2004.
Afterwards ClamWin 0.35 said that I already had the LovGate.W-2 worm. I plan to try a different virus scanner to see if perhaps that was a false positive. About a year ago I once installed Windows 2000 once before and was using the McAfee virus scanner back then. When running the McAfee virus scanner for the first time just after installing the critical security updates it found a worm. It was a different worm back then.
There is always the possibility that you've got bad memory, messed up hard disk, your CPU is frying itself, you've got some hardware that makes Windows crash... It's not necessarily a virus or an attack. I can always get my Windows machines patched before anything bad happens to them.
Pick up a router from SMC (I can recommend the 7008/4 ABR series). Even if you don't want to set up a home network, this is the best way to go, I think. Even with the Sygate firewall it could (in theory) happen that the software silently crashed, leaving the icon still in the system tray until you move the mouse cursor over it. Also I wouldn't rely on Windows Update to keep your computer safe. If your unpatched version can get infected, your updates will not prevent infection when someday an exploit gets released sooner than the patch. When using a router, all incoming connections will be refused by default since the router itself is only running the administration tool. Add a personal firewall for safe measure in case the router gets compromised and you are set to go. Also you can seamlessly add computers to your network, all sharing the same internet connection and printer. As a side note, the Norton firewall has crappy configuration options and it's all in baby talk. I didn't like it very much. ZoneAlarm doesn't work well with edonkey, overnet, emule; also, if you forbid all the notorious Windows applications (explorer.exe, alg.exe, svchost.exe) all access to the network, you are in for a very unstable Windows experience. Sygate is still the best of the three. ;)
I bought the router to finally rid me of the personal firewalls' tedious configuration (which btw, you have to do again on each install; with the router it stays with you forever).
Not associated with SMC, I just picked up the model mentioned above friday and I am very happy with it.
___
No power in the 'verse can stop me
Just put your computer behind a gateway, that's what I do at home, and none of those worms can reach my machine.
Programming is simply the application of logic to creativity
Most of the agreed advice seems to involve either using a 3rd party product (including routers) or burning the patches on another machine.
Can anyone answer how you could safely install Windows if you don't have another machine and only using Microsoft tools/products?
NOTE : Sending off for a patch CD is not allowed as an answer since you have to be connected to the Internet in order to be able to order one.
Bob
Listen to my latest album here
www.iptables.org
If I have been able to see further than others, it is because I bought a pair of binoculars.
First off you should recommend that the cable/DSL connection have a hardware-based firewall. These are cheap enough for even grandma to buy. Secondly, you can wrap all the hotfixes and service packs into the install of XP by creating an unattended CD and using cmdlines.txt to install the fixes.
Ignore Norton and just enable the built-in firewall, then download your patches. Leave the firewall on because it will protect you and still let you download the updates. That is how I did it after MSBlaster was released. I don't know about the new breed of worms though.
It's about the best way of protecting yourself from this crap.. hundreds have said it before me, and it all makes perfect sense. I've been using one ever since I got DSL, and never had any problems with internet worms attacking my machine directly.
You fool! You've given cheese to a lactose intolerant volcano god! Do you know what that means?
Why the heck are you connecting your machines directly to the internet? You should as a minimum have a router/switch in between your valuable systems and the outside world. Better yet, set up a firewall between your modem and the rest of your network.
There are several linux distributions that are dedicated firewalls - you can get an old P120 and a few NICs to do the trick.
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
...the microsoft instructions. They actually tell you to turn off all firewalls for the windows update?? What a heap of bull!
The update is, AFAIK, done by HTTP. No reason to turn off your firewall, which should, at this point, block *all* incoming TCP connections (and also *all* incoming UDP except DNS and DHCP ports). It should also definitely ALWAYS block at least the most vulnerable MS ports, i.e. 135-139 and 445, from anything outside your local LAN. ALWAYS! Use Kerio (downloaded it using a Linux box) for that, it gives you full control. Make sure you have "Microsoft Networking" disabled, and do not register the network card you use to connect to the cable modem as a "safe device".
But it would be much easier and safer to do this through a (linux or BSD) router. Oh, and BTW, the Norton stuff is by itself as bad as a virus: it messes with a lot of stuff, quite frequently screwing up your system, leading to things like, well, continuous reboots, hosed network devices, etc.
I have discovered a truly remarkable sig which this 120 chars is too small to contain.
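A way to see which listeners the firewall in the comment above has to cover, as an added example that is not part of any post in this thread. It reads saved `netstat -an` output from the Windows machine and flags the ports that comment names (135-139 and 445); the sample output is constructed, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: list the sockets a Windows box exposes to the network, from
# saved `netstat -an` output, and flag the ports named in the comment above.
# Run it on any machine with a POSIX shell, against a file saved while the
# Windows box is still unplugged:  exposed_sockets < netstat.txt

# Constructed sample in the layout Windows `netstat -an` prints.
sample_netstat() {
    cat <<'EOF'

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING
  TCP    192.168.0.2:139        0.0.0.0:0              LISTENING
  TCP    192.168.0.2:1041       192.0.2.10:80          ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    192.168.0.2:137        *:*
  UDP    192.168.0.2:138        *:*
  UDP    127.0.0.1:123          *:*
EOF
}

# Read `netstat -an` text on stdin. Print one line per socket that accepts
# traffic from the network: "<proto> <address> <port> <verdict>".
# verdict is MUST-BLOCK for ports 135-139 and 445, "review" for the rest.
# Loopback-only sockets and established connections are not listed.
# Exit status 1 if any MUST-BLOCK socket is present.
exposed_sockets() {
    awk '
        { sub(/\r$/, "") }                          # tolerate Windows line endings
        $1 != "TCP" && $1 != "UDP" { next }         # headers and blank lines
        $1 == "TCP" && $NF != "LISTENING" { next }  # TCP: listeners only
        {
            # The port is whatever follows the last colon of the local address.
            n = split($2, part, ":")
            port = part[n] + 0
            addr = substr($2, 1, length($2) - length(part[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next
            if ((port >= 135 && port <= 139) || port == 445) {
                verdict = "MUST-BLOCK"
                hit = 1
            } else {
                verdict = "review"
            }
            print $1, addr, port, verdict
        }
        END { exit (hit ? 1 : 0) }'
}
```

A host firewall does not remove these lines from `netstat`; the list shows what is reachable whenever the firewall is off and no NAT device sits in front of the machine.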
Don't turn off your firewalls, regardless of what MS says. I leave mine on while updating and have no problems whatsoever. I install Windows, AV, and firewall. Then plug in the NIC and get an IP address, then pull down updates. DONE! What I NEVER EVER EVER do is turn off my firewall.
If you mod me down, I shall become less powerful than you could possibly imagine.
DON'T run with the firewall disabled! PERIOD!
Dork...
Can a home user install and update Linux without being attacked?
Sure. Isn't that the point? These posts talk about using Linux to download the software, writing it to CD, then using the CD to update the Windows install without the network attachment. Simply put, practically any Linux distribution in the past five years is much less vulnerable to network-based attack. Perfect? No, but there have been "firewall-on-a-floppy" projects for a long time now; the kernel (thanks Linus) and network drivers (thanks Don) are solid; and services, in general, only run when you tell them to. This was all defined and working before W2K was ever released.
I understand the argument is that Linux has not been targeted as much as Windows by virus writers, so it's not clear how vulnerable it really is. But Linux has been the swiss-army knife of the IT industry since Windows '95 was released. Of course, there's been little, if any, recognition of that outside of IT. It's kind of like in the movie, Fight Club: we route your packets, we serve your websites, we guard you while you sleep. Perhaps it's time for a programmer or two (or maybe even a virus-writer?) to step up to the plate and give their opinion on Linux vs. Microsoft.
That's easy.
1. Install Windows XP.
2. When your network gets configured, make *sure* you customize the TCP/IP Connection to enable the built-in firewall of Windows XP.
3. Continue your install of Windows XP.
If your computer comes with an automagic install of Windows XP, leave your connection unplugged until you can enable the built-in firewall.
All you have to do is disconnect your cable modem during install. Once you are done installing and ready to connect through your ethernet you need to go into My Network Places, click on View Network Connections. Then right click your local area connection and click on properties. Once that window opens click on the advanced tab. Then you check the box that says "Protect my computer and network..." That only allows outgoing traffic and incoming traffic that was requested. Now you may connect to your cable modem.
before explaining them how to use this "ZoneAlarm thing" on their computer. Then I put them behind a NAT as well. Next time I come home, the computer is plugged straight into the cable modem, and zonealarm has been uninstalled. WTF!
That's when you shake your head and say, "Okay. You've removed software and hardware that I spent time installing. You've decided that you know more about networking and computers than I do. You don't need my help with your computer anymore." After that, simply refuse to help them with any computer problems ever again. I've cut off my father.
My father is familiar with Windows 98 and Outlook; it's what he had where he worked. I built a machine for him - Windows 2000 with Eudora. Of course, having to enter your name and password to log in was "too complicated". He couldn't handle Eudora (probably because he took a 10 hour employer-sponsored course explaining how to use Outlook).
Now, how difficult will it be to use Windows 2000 if you're already familiar with Windows 98? How difficult will it be to use an e-mail client you've never used before? I likened the whole thing to getting into a rental car. All cars have essentially the same controls, but you should spend the first few minutes in the parking lot, figuring out where the windshield wiper and headlight switches are.
I told him, very simply, to enter his username and password to log in. Using Eudora: click on the little icon of the envelope without the blue arrows to make a new message. Type the message. Send it. Even with a 10 hour training course, he still didn't know how to send attachments in Outlook, so I wasn't worried about him not being able to handle highly advanced features like signatures and spell-checkers.
Anyway, next time I was there, he asked me to check a problem with his computer. It was now running Windows 98, Outlook, and about 50 pieces of spyware and virii.
I shrugged, shook my head, and told him that I wouldn't support the machine if he would no longer trust my judgement in software.
So, he took it to a local electronics chain store which offers computer service. For $150, he lost all the data on his hard drive but got a fresh install of Windows 98 and Outlook. Which were promptly screwed again.
Fire and Meat. Yummy.
HAW HAW HAW...
No such thing dufus...
A Cisco PIX is an i486sx box with a disk on chip running Cisco IOS (a BSD derivative) with some firewall um... SOFTWARE on it.
If Cisco happened to distribute Cisco for installation in any PC, it would make it a "software" firewall and it could run on a HECK of a better hardware than the shitty i486 it does (for 4000 bucks, no less).
So think about what you post once in a while. No such thing as a "hardware" ANYTHING. Hardware is iron, all intelligence is software.
Jerk
NO SIG
My guess is that step 7 is the culprit. You need to be sure that File and Print sharing *never* gets turned on at any interface connected to the outside world. But I wouldn't be at all surprised to find that the automagical network connection setter-upper doesn't bother checking this and doesn't give you the option either.
Any Roadrunner customers know for sure?
Here is my method for updating an XP box, which hasn't failed yet (though it has plenty of opportunity for failure; people just haven't taken the time to make their worms pierce the XP firewall).
1) Shut down computer
2) Unplug net cable
3) Boot the install cd
4) complete install process
5) enable the XP firewall
5a) (optional) correctly configure an external firewall to put the XP pc behind
6) Plug in net cable
7) Download all updates
I've done this many times and never gotten a worm before the update was complete. If I don't enable the firewall I can guarantee a worm in the first minute.
"You can now flame me, I am full of love,"
I had a similar experience installing XP Pro on my sister's PC.
1. Install XP (reformatted entire drive in process)
2. Install fresh AVG downloaded via my Mac
3. Install SP1a also downloaded via my Mac
4. Install MSN from a disk - the version that came with XP Pro didn't recognize her logon!
4. Sister says - can I check my email now???
5. I say - Heck ya sis - and fire up MSN
6. 2 minutes later - AVG says "XYZ worm found". Don't remember the exact one.
7. Computer crashes
8. Restart, run AVG, worm is purged.
9. Try MSN again - another worm installs itself, computer crashes.
10. Purge worm again.
11. Download Zonealarm via Mac
12. Install on XP Pro machine
13. Try MSN again - all seems well now.....
14. Scratch head - MSN is worm ridden???
I thought it was a good idea
the safest way is to download the updates for administrators who distribute updates from their server. burn that to a CD, etc. barring that
I'd say try updating windows first, with the firewall on.. once you've fully patched windows, then move on to installing/configuring norton with the firewall off. you won't have the vulnerabilities that you need the antivirus software for when you update it. and you won't need it while you have the firewall.
Within the arms of tragedy, there is little comfort in being right.
Get a $50 NAT box to protect you until you get it patched and secure.
I wouldn't use Windows on the internet without one.
Alternative: If you are too cheap to invest in the NAT, turn off all those services, network dcom (dcomcnfg), and turn on the XP firewall and you will probably be able to last a few minutes to get the patches.
#6495ED - cornflower blue
Enable the built-in firewall in Windows XP before going online. This will resolve a lot of your problems.
Also go into the Windows Update site (on another connected computer) and click the update options to the right. There is an option to turn on the catalog view (or something like that... in Linux right now). This will allow you to search for all the updates of a particular Windows platform.
Use this to download the patches and burn them to a CD... Use this CD to patch your system.
Jim
just buy a hardware firewall. do the install with the network cable unplugged, then plug in from behind the firewall to get the updates.
alternately, you could download all the service packs, patches, etc., burn them to a CD, and do the install completely disconnected from the internet, then run the patches, then connect.
turn it on and you won't get jack shit.
I didn't say NAT isn't useful for some things - I've also got most of my PCs behind a NAT firewall, because they need some kind of firewall and because it's the lazy approach to DHCP support (otherwise I'd need to program the static addresses into all the machines, including the ones that really are client-only.) NAT's not the best kind of firewall, but it's a start, and I can hang any reasonably-safely-configured servers off the DSL directly.
But it still breaks the model that lets the Internet work well.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The services affected by some of these worms have a default action of shutting the system down. If you change the default action while the system is not on the network, then when you do get infected you can keep working because the system won't shut down in 60 seconds (which is what happened with Blaster).
this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
I know there is a way to download the updates as an install file, so you can go to a friend's, download them, burn them to CD, and install from the CD.
Install and configure the firewall FIRST, BEFORE you establish the first connection. Doh!
As an only slightly geeky computer guy, I have managed many many times to install, reinstall, update, etc... WinXP, Win2k, Win98 on several machines with no virus or trojan attacks while on broadband connections. This entire thread is a retarded troll. M$ may be the evil empire but if you can't even install the software successfully you should unplug all your computers, give them away, and instead go back to playing Risk with your incompetent geek buddies. You are a complete dumbass!
Using TCP/IP may have been a mistake. It was, after all, the vector by which the malware installed itself to begin with.
A better approach may be to do this with two computers, where one is the machine onto which you need to install XP and the other is already up & running with whatever operating system you like.
This second computer will act as a bridge to the internet, speaking TCP/IP only on its WAN interface, and speaking a non-routable protocol like NetBEUI to the XP machine on the LAN interface.
This way, the XP machine can only speak to other local machines.
With a setup like this, you can download the necessary service packs and other updates to the gateway machine -- people have already explained this in some detail elsewhere in this discussion -- and then the XP box can access the updates by regular old fashioned Windows file sharing.
Once you have the minimal updates, then and only then does it make sense to turn on TCP/IP support on the XP machine.
DO NOT LEAVE IT IS NOT REAL
is to forget about software firewalls and get a decent hardware router. Most wired only routers sell for about the same price as Norton Personal Firewall if not less. That way you're at least protected from viruses like Sasser, etc. until you can get your Antivirus of choice installed and updated. Just be sure to change the default password on it to prevent someone trying to remote admin your router.
ChodaBoy
- The preceding statement is the product of a deranged mind and the sole property of the voices in my head.
During the first attempt, I acquired a virus or worm before I could finish the Norton update (machine powered down)
I understand that for Linux users, unaccustomed to The Marvelous World of Windows (TM), a machine powering down could look suspicious, but don't worry, it's part of the standard MS strategy of rebooting after every update. You'll find that a powered-down machine is very soothing.
purchase a home router (Dlink/Netgear/Linksys etc...) and make sure you are behind that when you connect up.
"The natural progress of things is for liberty to yield and government to gain ground." - Thomas Jefferson
What kind of insecure networks are you people using? I've been installing Windows XP since RC2 and I have never gotten a virus while trying to do an installation. I'm curious as to how the original poster came to the conclusion that he had a virus when it doesn't sound like he was even able to get his virus/security software installed.
I suggest using the ZA free firewall; just download the executable with Linux or something and install it instead of Norton. You won't get any virus (I tried).
Wasn't the original concern.... "Can a home user install and update Windows without being attacked by a virus or worm?" I agree with the issues you brought up about the routers, but aren't those vulnerabilities to an active hacking attack, vs. viruses like Sasser being propagated by infected machines? I've never had a problem as long as I did my updates from behind NAT. I also use SUS, and that helps avoid having to worry about going outside my LAN with a fresh, unpatched install. I just update from my local SUS server.
Install from behind a firewall. Problem solved.
Must-not-watch TV!
Here is the solution for expanding the amount of time it takes before your computer reboots due to the Sasser worm. Keep in mind that you will have only about 20 seconds to complete the steps, and you must already know the system's name before beginning this process:
1. Disconnect from the Internet.
2. Restart.
3. As soon as possible in the boot process, click on Start, Run, and enter cmd to open the command line interface.
4. At the DOS prompt, enter shutdown -i and press [Enter].
5. This command opens the control panel for remote administration of other systems, but for this process you will just need to enter the name of your computer.
Click Add, enter the name, and then click OK.
Now modify the warning message delay setting from the standard 20 (seconds) to a large number, such as 9999. After patching, you can reset the warning message delay if you wish.
That should temporarily disable the shutdown sequence long enough for you to log on to the Internet and download the patch.
Alternative solution: An alternative method for stopping the reboot cycle on XP-only systems is to enter shutdown.exe -a at the command prompt. That aborts the shutdown process completely and is obviously much faster for XP systems.
I have now added a second anti-virus scanner to my newly installed copy of Windows 2000 and it is giving me different results. I ran the Avast virus scanner and it did not find any worms or viruses. That contradicts what WinClam said about having found the Lovgate.W-2 worm. I now think that my virus scanner was probably wrong about there being a worm on my computer. Apparently, after I downloaded the critical security updates, one or more of those changed files must have been misidentified by WinClam as a worm. WinClam is still just an early beta version of after all.
I will look into this problem further. I bookmarked a web page that describes what changes the worm makes. I will check to see if those modifications exist in my copy of Windows or not. I will also download the disinfection utility and run it just to make sure.
I still plan to only check my e-mail while running Linux. I suppose that a very conscientious Windows user could avoid problems if they were careful. They would need to keep their patches and virus signatures up to date and use a firewall. Even then they would need to warn every member of the family of the dangers of clicking on attachments. If they send out attached MS Word documents they also should understand what unexpected information they may be sharing hidden in the metadata of the MS Word document. Personally, I would not put up with all this nonsense. For the majority of the time, I just use an operating system that has almost no problems with worms, viruses and spyware. I have both Windows and Linux installed but I wonder if I should have even bothered to re-install Windows. I hope that service pack II for Windows XP will bring Windows security up to minimally acceptable standards when the update becomes available. I would not switch back to Windows as my main operating system even if they do fix the virus/worm/spyware problems. Sorry about the error in what I said.
I forgot I had installed all available updates from behind a firewall before bringing it over to his house
"He's a real midnight golfer"
1. Leave everything on (firewalls / AV)
2. download the service packs that you need (DON'T INSTALL) just download, it takes a little more looking but they can be found.
3. disconnect the network cable
4. disable the AV/Firewall
5. Install
6. reboot.
7. turn firewall & AV back on
8. connect network cable
9. send me $10
...was installing the Norton internet firewall, which advises you to turn off the XP firewall. Don't install that until you are all updated. The XP firewall is good enough for when you need to install patches. For SP1, just download the full network version and you can then disable your internet connection to install it. Reboot and it's still disabled but the XP firewall is active. So you then re-enable the XP firewall and then go download all the updates on the Windows Update site. Before rebooting you disable your network connection again, reboot. Then enable it again and check to be sure you have all updates installed by going to Windows Update again. That's it. Btw, I don't think you need to disable the XP firewall to be able to install SP1. Remember the first lesson, ALWAYS have a firewall active on your internet connection. You broke that rule the moment you disabled Norton's firewall and didn't enable XP's firewall to install SP1.
My Gawd WTF...