How To Avoid Viruses At Windows Install Time?
reallocate writes "Can a home user install and update Windows without being attacked by a virus or worm? I'm a Linux user; have been since 1995. Recently, I needed to install Windows XP Pro on a home desktop machine with a Roadrunner cable connection. I tried twice. Both times, the machine was attacked and rendered unusable before I was able to pull down the first update from Windows Update." Read on for more details of what went wrong and when.
Here's a synopsis of my install method:
- Put the Windows XP CD in the drive;
- Disconnect the cable modem from the network card;
- Reboot and install Windows;
- The box remains off the net during the entire install: no registering, no setting up an ISP, no activation, no network configuration, no nothing. (BTW, the only networking component that I install is tcp/ip. All the other MS stuff never gets on the machine.)
- Reboot; Windows runs and all is well;
- Install the current version of Norton Internet Security Professional from a shrinkwrapped CD (firewall, anti-virus, etc.);
- Configure the Roadrunner net connection and reboot to pick up a DHCP lease;
- Launch the Norton update facility (per Norton's recommendation, the built-in XP firewall is turned off);
- Complete the Norton update and reboot;
- Launch Windows Update;
- Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off.
That's as far as I got. During the first attempt, I acquired a virus or worm before I could finish the Norton update (machine powered down). On the second attempt, I got as far as Windows Update and SP1 (continual rebooting).
So...how would you do it?"
You can get a CD from Microsoft (more info here) that would have a lot of the updates you are looking for. You could also download it from your Linux machine, and then do the whole installation offline.
When I install Windows it is behind a NAT firewall which helps (no open ports from the outside). The first thing I do is install SP1 from CD, next I update from Windows Update.
I recommend downloading SP1 and burning it in Linux, then using that CD to patch up the Windows box before connecting it to the network.
24 beers in a case, 24 hours in a day. Coincidence? I think not!
Do the installation behind a personal NAT/firewall device.
(Or, read all the posts about how you can put together some huge, convoluted update CD that's never completely up-to-date instead of just spending $35 on a little hardware firewall.)
Leave the software firewall turned on if you can, if not, get a cheap Linksys Cable/DSL router, it will block all of those viruses.
:P
I have to reinstall most of my family's computers when I go home, I made all of them have routers.
-Bill
Keep the firewalling on, no matter what Microsoft says. I've never had an instance where having a firewall turned on kept windowsupdate from working properly.
We do this all the time where I work.
Use another machine to burn a copy of the latest service pack, and the Sasser worm fix, and whatever other updates you want to include.
After installing, install the updates from the CD, then check windows update for anything else.
Learn it, love it. Free for non-commercial use, KPF rules me.
Bla bla bla long post extra padding blapsux.
Yes, a firewall and/or NAT is all you really need. Evidently Norton Internet Security did not live up to its promise, which comes as little surprise to me, I must admit.
I've had success installing Windows XP and upgrading it with only Microsoft's Internet Connection Firewall enabled.
...all firewalls are turned off.
Why don't you try turning the firewall on? It will block the RPC calls that are necessary to infect your machine with the most recent series of worms and allow you to install whatever patches are necessary worry free.
Plus, it just makes your PC safer in general.
Even better, I would get a hardware firewall, so that none of the ports that worms travel through are even open.
Basic security from automated attacks isn't particularly hard, you know. Why is this even on slashdot?
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
Download the SP1 Network install before beginning your XP installation. Stick it on a CD or a Samba share and install it prior to connecting to the Internet.
"We can't solve problems by using the same kind of thinking we used when we created them."
This solution seems so obvious to me that I wonder why you even bothered to ask. With your apparent technical knowledge, surely you must've thought of this. I'm inclined to think this question was just a veiled way to start an article bashing Microsoft about all the worms affecting their system.
Just turn on the internal XP firewall (Network Properties -> -> Properties -> Advanced) before you connect to the net. You'll be safe long enough to get SP1/Kerio/etc all downloaded and installed.
When I'm forced to build an XP box on an unsecured network, I leave it offline until the install is done, enable the integrated windows firewall, plug the CAT 5 in, and fetch the updates. The built in firewall is typically good enough to fend off blaster, nachi, etc. After that, I install antivirus then Zone Alarm and disable the integrated firewall. Whenever possible, run behind a hardware firewall and you won't have this problem.
If you have another windows XP box, you can use the corporate windows update to download all the patches and service packs to CD and update the system offline.
FYI, if you do get infected, running "shutdown -a" from the command dialog (windows+R) will abort the 1-minute shutdown timer.
Urgo: "I want to live. I want to experience the universe and I want to eat pie!"
Jack: "Who doesn't??"
You don't believe you can get infected in 20 minutes? The record at the undergraduate department of Computing Science at the University of Alberta is SIX SECONDS from plugging in an installed, unprotected Windows XP system until the time it is infected.
It is highly unlikely that you could run an unprotected XP system with no firewall and no patches, hooked up via a cable modem or ADSL, for even ten minutes before getting infected.
Oceania has always been at war with Eastasia.
I can't believe nobody's posted this yet!
Autopatcher
AutoPatcher was started in October of 2003. It was started by Jason Kelley and was a simple batch program that would install many updates silently. Upon reaching version 2.65, Jason was contacted by Antonis Kaladis, who offered to help make a VB front-end for the program. And thus, the current incarnation of AutoPatcher was born.
Not only does it install all your Windows updates with just one reboot, it can also (optionally) install many other programs such as the Windows XP Powertoys, IESpell, etc. There's even some registry config options such as increasing the max connections per server (IE) to something greater than 2.
Windows XP: Surviving the First Day
How much wood would a woodchuck chuck if a woodchuck could chuck wood?
Here is a fairly comprehensive guide, aptly named: Windows XP: Surviving the First Day
Just click on "NO" and install Linux instead.
That's not true, a worm needs no user intervention in order to infect a computer. Think Sasser.
Sasser exploits a vulnerability in lsass.exe, which listens on 445. Some software firewalls leave this open, as it is required for Active Directory logins under some circumstances. If you do that and then go straight to Windows Update you should be fine.
I have people do this all the time without any problems. I have the WinXP firewall enabled then connect and go to windows update. No one has an issue doing it this way.
1 - Hardware Firewall Only. Software firewalls are for pikers and people waiting to be hacked.
2 - Download SP1 to a CD.
3 - STOP USING NORTON for ANYTHING OTHER THAN ANTIVIRUS
4 - Read 3 again
This
What about using Tiny Personal Firewall? It fits on a floppy (last time I checked, at least).
... or any brand name for that matter. My windows box is behind one of these and I've never had any problems. You can choose to forward any ports you DO care about (it blocks by default), and you can also set up some cool net policy stuff on the later models.
Seriously -- you can pick one of these puppies up for about $50... and they're incredibly functional if you ever decide to start your own little home network (5 ports is the norm for the price).
step 1:
do not connect the pc to any phone or network and no wireless connections either.
step 2: install winxp
step 3: admin password
--at least 8 chars long
--letters, numbers AND other characters
--not a dictionary word
--not easily guessed
step 3: networking setup
choose custom
unselect client for msft networks
unselect file and printer sharing
(you can enable after it's all patched up)
on the 'will this computer connect to the internet directly...' dialog, select the proper settings as they will be, but it still should not be plugged into the network
don't activate, remind every few days
step 4: user accounts
set up whatever user accounts you need; the same rules apply to passwords. Also, if your account has no password, it will not be accessible through the network.
step 5: verify network settings
in the network connections dialog, for each connection,
-- make sure client for msft networks and file & printer sharing are STILL off
-- turn on the windows based firewall
reboot now
step 6: windows update pass 1
-- you can now get online, because you should be safe enough with the firewalling set up
step 7: run windowsupdate/reboot as needed until the system is FULLY patched.
step 8: install other software, such as virus checking.
(it's still a bad idea to disable the firewall, but it's much safer now than before)
for the pdf guide that I basically copied here, check
http://isc.sans.org
Go to grc.com and get DCOMbobulate, click DCOMbobulate me! and you are safe from those worms.
While you are at it, get also the UPNP disabler and Shoot the Messenger! to avoid getting popups offering U N I V E R S I T Y D I P L O M A S (yuck)
Dear aunt, let's set so double the killer delete select all
There's a guide called "Surviving the First Day of Windows XP". Google it; I'll abstain. You should do this:
Basically, do this:
1. Install your hardware firewall. Configure it using the guidelines at Gibson Research. If your time's not worth the $30 for an on-sale router, don't bother installing anything and stop reading, since you're not worth my time.
2. Get your fresh install completed. Bring a book.
3. Disable messenger, server, and enable the XP firewall. Check with black viper to see what's safe to disable. (Hint: almost everything!)
4. Install an antivirus program.
5. Update your virus program.
6. Download your critical patches. DO NOT INSTALL ANYTHING BUT CRITICAL PATCHES.
7. Update your hosts file using Mike Skalla's ad blocking file. (Google for Mike's ad blocking)
8. Download Spybot-search and destroy. It has an immunize feature to stop a lot of processes from running.
9. Now you can update your non-critical files. This includes things like driver updates, DirectX, etc. If you're keen, Spybot will check for registry changes so you can keep your eye out for spyware.
10. Check with Gibson Research again, and see if you've got a full green spread on the scan.
That's it. You can now enjoy a year or so of XP use before you have to go through this again.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
http://www.microsoft.com/downloads/search.aspx?displaylang=en
If you visit the Windows Update site in anything other than IE, you'll get redirected to there, but it works in Firefox. Also easier (because of the non-ActiveX packaging) to just download and burn.
The role of the writer is not to say what we can all say, but what we are unable to say. -Anais Nin
Get either a dumb hub or a crossover cable, and connect the Windows box by that.
turn on NAT via iptables:
- iptables -t nat -I POSTROUTING -s 192.168.1.0/24 --out-interface eth0 -j MASQUERADE
Turn on packet forwarding:
- iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
- iptables -I FORWARD --in-interface eth1 --out-interface eth0 -j ACCEPT
# turn off most packet forwarding (other than outgoing connections above)
- iptables --policy FORWARD DROP
- ( echo 1 >
This, of course, presumes that ETH1 is facing your windows box with an IP address in 192.168.1.{1-254}.
You can then either set your Windows box IP address manually, or learn how to turn on dhcpd (I'm not going to go there, but it's not too hard). In any case, this should be enough NAT protection to allow you to get out on the net from your Windows box without opening it up to inbound virus connections. You can then get to places like Microsoft and Norton's without being pre-emptively infected.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
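The same two-NIC gateway written out as a complete script, with the rules applied in a safe order (the default-deny FORWARD policy goes in first, so nothing is forwarded before the allow rules exist) and a dry-run mode so the commands can be reviewed before they touch the box. This is an added example, not the commenter's own commands; it assumes eth0 faces the cable modem, eth1 faces the Windows box in 192.168.1.0/24, and a kernel that exposes net.ipv4.ip_forward through sysctl.

```shell
#!/bin/sh
# NAT gateway rules for a Linux box between a cable modem and an unpatched
# Windows host. Added example, not from the original post.
# Assumptions (override via environment): WAN=eth0, LAN=eth1,
# LAN_NET=192.168.1.0/24. Without APPLY=1 the script only prints the commands.

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# run_cmd: print the command in dry-run mode, execute it when APPLY=1 (as root).
run_cmd() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# nat_gateway_rules: emit/apply the rule set in the order it should be loaded.
nat_gateway_rules() {
    # 1. Default-deny forwarding before any allow rule exists.
    run_cmd iptables --policy FORWARD DROP
    # 2. Allow replies to connections the LAN host initiated.
    run_cmd iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # 3. Allow new connections only from the LAN side towards the WAN side.
    run_cmd iptables -I FORWARD --in-interface "$LAN" --out-interface "$WAN" -j ACCEPT
    # 4. Rewrite LAN source addresses to the WAN address on the way out.
    run_cmd iptables -t nat -I POSTROUTING -s "$LAN_NET" --out-interface "$WAN" -j MASQUERADE
    # 5. Let the kernel forward IPv4 at all (same effect as writing 1 to
    #    /proc/sys/net/ipv4/ip_forward).
    run_cmd sysctl -w net.ipv4.ip_forward=1
}

# count_forward_rules: number of FORWARD-chain commands emitted (sanity check).
count_forward_rules() {
    nat_gateway_rules | grep -c ' FORWARD '
}

nat_gateway_rules
```

Run it plain to review the commands, and as `APPLY=1 sh nat-gateway.sh` as root to apply them. Because `-I` inserts at the top of the chain, the last-inserted rule ends up first; that is harmless here, since both FORWARD rules accept and the DROP policy, not rule order, supplies the deny. Nothing in this set opens an inbound path to the LAN host, which is the point.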
Benna, you're ignorant if you think it's bullshit - infected zombie machines are common and infect people quickly.
Want proof these worms are targeting every IP out there - go visit dshield.org, and you'll see what the Internet is dealing with.
My firewall logs a regular blip of hits on port 445, 25, 135, 3127, 1434, 1433.
All of these are various worms looking for an unprotected host. Until then... keep using linux, you're much better off.
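A small summariser for that kind of firewall log, added here as an example (it is not the commenter's tooling). The log lines are constructed in the shape of Linux iptables LOG output, and the port list is the one given in the comment above; only the DPT= field is parsed, so any log format that carries that field will do.

```shell
#!/bin/sh
# Count inbound hits per destination port in a packet-filter log and flag the
# ports the comment above associates with worm scanning. Added example, not
# from the original post.

# Constructed sample log in the style of iptables LOG lines (not a real capture).
SAMPLE_LOG='Jun 12 03:14:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=4321 DPT=445 SYN
Jun 12 03:14:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.11 DST=192.0.2.5 PROTO=TCP SPT=4322 DPT=135 SYN
Jun 12 03:14:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.12 DST=192.0.2.5 PROTO=TCP SPT=4323 DPT=445 SYN
Jun 12 03:14:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.13 DST=192.0.2.5 PROTO=UDP SPT=4324 DPT=1434
Jun 12 03:14:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.14 DST=192.0.2.5 PROTO=TCP SPT=4325 DPT=80 SYN
Jun 12 03:14:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.15 DST=192.0.2.5 PROTO=TCP SPT=4326 DPT=3127 SYN'

# Ports listed in the comment above as worm probe traffic (not a complete list).
WORM_PORTS="445 25 135 3127 1434 1433"

# port_hits: read log lines on stdin, print "count port" per DPT, most hits first.
port_hits() {
    sed -n 's/.*DPT=\([0-9]*\).*/\1/p' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# flag_worm_ports: read log lines on stdin, print only the ports in WORM_PORTS.
flag_worm_ports() {
    port_hits | while read -r count port; do
        for p in $WORM_PORTS; do
            if [ "$port" = "$p" ]; then
                echo "$count $port worm-probe"
            fi
        done
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | flag_worm_ports
```

Feed a real log with `flag_worm_ports < /var/log/messages` (or whatever file the LOG target writes to). A steady trickle on these ports from many different source addresses is the normal background scan the comment describes; a burst from one address, or hits on a port you actually expose, is what deserves a closer look.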
It's almost common for a fresh install to be infected in the first few minutes of connection to the Internet - Microsoft made it far too easy.
1. Disconnect machine from net
2. Install XP
3. Before connecting to net, enable XP firewall. (Right click on network connection, properties, advanced, "Protect my computer..")
4. Turn on Automatic Updates (Right click on My Computer, properties, then click tick box on automatic updates).
5. Connect to net.
6. Let it patch itself, or if you want, do it manually via Windows Update.
Really, why this simple simple process seems so difficult to Linux users is beyond me. You wouldn't connect a Linux system running say, an old version of Samba or Apache to the net without IP Tables now would you?
...because obviously you're too stupid to do it yourself.
You say you've been using Linux since 95, yet the obvious solution of using a firewall escapes you! If you're such a Linux expert then where's your iptables firewall machine? Or even your $50 router/firewall. I have one for sale for $40 if you want. That's Cdn $$ too! Man, even installing Sygate, ZoneAlarm, or any other personal firewall right after WinXP is installed would prevent the shit out there from getting onto your machine.
I've been using Linux since 95 too, but I know better than to put any machine, Linux or Windows, directly on the net or in the DMZ unless that's my intention. Windows is much worse than other OSes, but I wouldn't even put a fresh Linux install of any distribution on the net without doing some work on it first.
Well if you don't trust the built-in firewall, just turn on the IP filter before patching. It's under IP settings->Advanced->Options-> TCP-IP filter
Enable only IP port 80 and you're set. Heh or you can do what Scott Riley down at Redmond recommends and use IPSec to specify rules...
Starbucks, Harbuckle of Breath.
Go to Best Buy and get a Linksys BEFSR41 router / firewall device.
Plug your computer into the LAN side.
Clone the MAC address of your computer.
Change the password on the router to something other than 'admin'.
Plug in your cablemodem into the WAN side.
Enjoy your new worm/virus/trojan free existence.
How many times do we need to spell it out??
Glonoinha the MebiByte Slayer
1. Pull machine off net
2. Install box
3. Configure TCP/IP and enable windows firewall
4. Plug in network cable
5. Windows update
6. Repeat windows update
Job done.
Use a hardware firewall, or a decent router with a firewall built in, instead of depending on something that's software-based. That way, the nasties are stopped before they even get to your computer.
I've not had personal experience with them, but others I've spoken with have had good luck with Linksys and D-Link. For my part, I've always depended on our Watchguard Firebox II to handle things.
Granted, such a unit is well beyond the cost range of most home setups (unless you get a phenomenal deal on it used, as I did). However, before I had the Firebox, I was part of the Beta testing team for the Zyxel 'Prestige 312' combo dual-Ethernet router/firewall. The 312 has been discontinued for some time now, but it performed like a champ for me.
If I were going to pick another unit today, I would look at Zyxel's ZyWall 100 series, or something similar. They're quite a bit less expensive than Watchguard's products, and I see no reason they shouldn't work just as well.
If the 100's a little too costly for you, the entire ZyWall series comes in a variety of sizes from 1 on up. The number usually designates the number of VPN connections the unit allows.
If you're a DIY'er, you can, of course, just get hold of a spare PC, stick a couple of NICs in it, load it up with FreeBSD or some such, and turn it into a router/firewall.
The bottom line is that I don't believe any purely software-based firewall can ever be as secure as one that's hardware-based, and dedicated to the purpose of just being a firewall. I certainly don't trust Uncle Bill or Symantec to do it right (witness the problems you've already had).
Happy hunting.
Bruce Lane, KC7GR,
Blue Feather Technologies
NAT is an evil abomination that breaks the Internet's end-to-end model, but for machines that will really never receive incoming connections (VOIP, games, IM, etc. as well as web servers), it's cheap insurance, and for machines that aren't ready to connect to the net, like unpatched Windows, it's pretty much essential. And once you've got your machine patched, you can then open up whatever ports you want on your firewall, if it's bright enough to do that.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
There are reasons for choosing a dedicated firewall over an add-on software to a general purpose computer.
Having worked for a firewall company, I can say you are correct: there is no inherent difference between the software in a firewall that runs on your computer and one that runs on separate hardware... a so-called "hardware firewall" (the correct term I would use is "dedicated firewall").
Hardware firewalls are just dedicated computers. They don't generally implement hardware state machines, or whatever. They are typically an embedded OS and TCP/IP stack with stateful packet inspection, NAT, application level gateways, etc. No sane person would try to implement that in silicon, and certainly not silicon that can be kept up-to-date. It's software, plain and simple.
HOWEVER. You should not run your firewall on your general purpose computer.
A dedicated firewall defaults to being "safe" out of the box, unlike your typical operating system. It doesn't have a lot of crap running on it that could be compromised. The amount of software on there is minimal (depend on that... the economics of mass producing hardware enforces that rule for you).
Another way to think about it is: if the hacker is battling to get into your network, would you rather have him hacking away at a little box on the edge of your network that will probably trip alarms and if compromised just fail closed, or would you rather have him on your desktop hacking away directly trying to get in, where, when he defeats your desktop firewall, he's inside the gates?
This is a 100% true story. Any time this year I tried to reinstall a machine at school (UC Santa Cruz) that was connected to the network, it would immediately be attacked by Blaster. No warning, the system would get the RPC death knell and die. This was with a copy of XP that I made that had SP1 slipstreamed into it. The answer, however, is very simple.
1) Download the SP2 network install ahead of time and burn it on a CD (throw on your chipset drivers too)
2) format and reinstall with the network unplugged
3) install chipset drivers (for DMA)
4) install SP2
5) plug into network and run Windows Update etc... voila.
If you can't get ahold of SP2 ahead of time, use any decent software firewall (ZoneAlarm and Norton both work pretty well) or a hardware firewall preferably. They aren't really necessary though, SP2 will save your life.
You should always use a router between your PC and the cable modem. My PC is safely hidden behind the router and has never been hacked.
Cert/CC has an article called "Before You Connect a New Computer to the Internet"
Like many others said: Get a cheap "internet router" that does NAT (Network Address Translation). If the attackers can't get to the fresh XP machine, they can't kill it. Easy, isn't it? Just turn OFF UPNP support and all DMZ / port forwarding stuff on the router.
If you still have a spare PC (minimum 486SX-25, 8 MB RAM, floppy, two ethernet cards), give fli4l (or any other small Linux router software) a try. Download size is a few MBytes (ask your friends / neighbours), complete boot floppy is created within a few minutes on any Windows system. No Linux knowledge required.
Keep the NAT router between the XP machine and your internet connection even after you have completed the XP setup. Though the router may not help against using IE and Outlook, it will help against all TCP and UDP based attacks. All viri and worms that spread by connecting to any TCP or UDP port on your machine will fail to infect your machine thanks to the NAT router.
Tux2000
Thinking helps.
Why anyone would put a Windows machine directly on a cable modem in the first place is beyond me. Who in the geek crowd doesn't have a POS computer sitting around to load OpenBSD and configure as a firewall/NAT??
Now, for the tech-challenged community, I think the responsibility should fall on MS and cable companies. MS should definitely be allowing pirated copies to update, and cable companies should encourage customers to NEVER hook a Windows box directly to a cable modem.
A year spent in artificial intelligence is enough to make one believe in God.
Pick up a router from SMC (I can recommend the 7008/4 ABR series). Even if you don't want to set up a home network, this is the best way to go, I think. Even with the Sygate firewall it could (in theory) happen that the software silently crashed, leaving the icon still in the system tray until you move the mouse cursor over it. Also, I wouldn't rely on Windows Update to keep your computer safe. If your unpatched version can get infected, your updates will not prevent infection when someday an exploit gets released sooner than the patch.
When using a router, all incoming connections will be refused by default since the router itself is only running the administration tool. Add a personal firewall for safe measure in case the router gets compromised and you are set to go. Also you can seamlessly add computers to your network, all sharing the same internet connection and printer.
As a side note, the Norton firewall has crappy configuration options and it's all in baby talk. I didn't like it very much. ZoneAlarm doesn't work well with eDonkey, Overnet, eMule; also, if you forbid all the notorious Windows applications (explorer.exe, alg.exe, svchost.exe) all access to the network, you are in for a very unstable Windows experience. Sygate is still the best of the three. ;)
I bought the router to finally rid me of the personal firewall's tedious configuration (which, btw, you have to do again on each install; with the router it stays with you forever).
Not associated with SMC, I just picked up the model mentioned above Friday and I am very happy with it.
___
No power in the 'verse can stop me
I work part time for a cableco, and while it is our official policy that we do not support, endorse, or have anything to do with routers, I still recommend them. I explain that the cableco cannot support them, etc., first. Then I explain the benefits of getting one; few people bother unless they have multiple computers, but I feel better whenever I convince someone that it's a worthwhile investment.
People get irritated at the cost of cable modem service, at the cost of the cable modem itself (whether buying or renting). Telling them to go spend even more money afterwards doesn't go over well. Cable modem manufacturers should start following Linksys and making 'all in one' units, with DOCSIS compliant cable modems and a cable/DSL router built as one box; the configuration was a bit weird, but it seemed infinitely more secure by default.
http://thechubbyferret.net - Ferret pictures and informative links.
Enable the built-in firewall in Windows XP before going online. This will resolve a lot of your problems.
Also go into the Windows Update site (on another connected computer) and click the update options to the right. There is an option to turn on the catalog view (or something like that... in Linux right now). This will allow you to search for all the updates of a particular Windows platform.
Use this to download the patches and burn them to a CD... Use this CD to patch your system.
Jim
just buy a hardware firewall. do the install with the network cable unplugged, then plug in from behind the firewall to get the updates.
alternately, you could download all the service packs, patches, etc., burn them to a CD, and do the install completely disconnected from the internet, then run the patches, then connect.
Using TCP/IP may have been a mistake. It was, after all, the vector by which the malware installed itself to begin with.
A better approach may be to do this with two computers, where one is the machine onto which you need to install XP and the other is already up & running with whatever operating system you like.
This second computer will act as a bridge to the internet, speaking TCP/IP only on its WAN interface, and speaking a non-routable protocol like NetBEUI to the XP machine on the LAN interface.
This way, the XP machine can only speak to other local machines.
With a setup like this, you can download the necessary service packs and other updates to the gateway machine -- people have already explained this in some detail elsewhere in this discussion -- and then the XP box can access the updates by regular old fashioned Windows file sharing.
Once you have the minimal updates, then and only then does it make sense to turn on TCP/IP support on the XP machine.
DO NOT LEAVE IT IS NOT REAL