How To Avoid Viruses At Windows Install Time?
reallocate writes "Can a home user install and update Windows without being attacked by a virus or worm? I'm a Linux user; have been since 1995. Recently, I needed to install Windows XP Pro on a home desktop machine with a Roadrunner cable connection. I tried twice. Both times, the machine was attacked and rendered unusable before I was able to pull down the first update from Windows Update." Read on for more details of what went wrong and when.
Here's a synopsis of my install method:
- Put the Windows XP CD in the drive;
- Disconnect the cable modem from the network card;
- Reboot and install Windows;
- The box remains off the net during the entire install: no registering, no setting up an ISP, no activation, no network configuration, no nothing. (BTW, the only networking component that I install is tcp/ip. All the other MS stuff never gets on the machine.)
- Reboot; Windows runs and all is well;
- Install the current version of Norton Internet Security Professional from a shrinkwrapped CD (firewall, anti-virus, etc.);
- Configure the Roadrunner net connection and reboot to pick up a DHCP lease;
- Launch the Norton update facility (per Norton's recommendation, the built-in XP firewall is turned off);
- Complete the Norton update and reboot;
- Launch Windows Update;
- Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off.
That's as far as I got. During the first attempt, I acquired a virus or worm before I could finish the Norton update (machine powered down). On the second attempt, I got as far as Windows Update and SP1 (continual rebooting).
So...how would you do it?"
What about a router/firewall?
How do you get these worms? This sounds incredulous...
Small potatoes make the steak look bigger.
Why don't people pay ~$30 for a router with a built-in firewall? Even if one has only one PC connected to it, it's worth it. No worries about worms or hacks.
Well, a good way of going about this would be to download the updates from Microsoft. They do provide them in binary format which you can install without having to go to the Windows Update site. I've got an XP box as well and I do not even try to connect it to any network before I have patched all I can. Plus a firewall between you and your connection would help as well while at it :) Try running a gateway using FreeBSD or your fav *nix OS and that would get you well on your way.
Havin' it large, livin' the life, Welcome to the land of the rising sun.
properties of the network connection -> TCP/IP -> properties -> advanced -> options -> tcp/ip filtering -> properties -> enable -> permit only the tcp ports you need for the updates ...
:(
you can figure that out at least, can't you?
how fitting
1. Install behind hardware firewall.
2. Submit article to Slashdot that amounts to a backhanded slam against XP disguised as a question from somebody who is a novice.
3. Watch the flames on a wasted sunday night.
All you need for a home installation is a NAT firewall connected to your cable modem/dsl. As long as your firewall is properly configured and no other computer on your NAT network is infected, you should be okay.
As of now I have performed only a couple of reinstalls in the past couple of years but never have had an incident of getting "owned" before installing my patches. I have a Netgear MR314 router that I make sure to turn all port forwarding off on before putting a "naked" box on the network. Sure, it isn't foolproof and I would not consider it a firewall, but the nature of NAT does a sufficient job of blocking unrequested packets from coming in. After Windows installs I turn off superfluous services (such as Messenger), install anti-virus software from CD, plug in the network connection and then update that and Windows.
Of course if your problem is most hardware routers will not work with your ISP, then this tactic is not going to work well.
Like others have mentioned, use a router (e.g. from Linksys, D-Link, Netgear) as firewall or get the FREE ZoneAlarm firewall or just turn WinXP's firewall on. You need a firewall or use another box (e.g. Linux) as proxy to connect to the web.
OR turn on the windows XP firewall under the advanced tab on your network connection's properties before you plug the network cable in.
I don't really understand all the talk of Windows being oh so incredibly bad. Norton has detected about a total of 5 viruses getting anywhere near my PC, all in email attachments I'd never have opened anyway.
All I do is not be a total idiot when it comes to opening email or clicking links in IRC, run Zonealarm firewall (free and piss-easy to use), head to windowsupdate occasionally and OK, OK, disable a few services that were blatantly unnecessary.
I've never had an infection in about 7/8 years of using Windows. TBH, if Linux was the monopolising OS things wouldn't be so much better, there'd be the same ignorant users on an OS even harder to use, and the same people writing viruses for it.
Launch the Norton update facility (per Norton's recommendation, the built-in XP firewall is turned off);
...
Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off.
reallocate was just following the instructions that Microsoft and Symantec gave him/her.
Figuring out how to do this with only one machine and no installed OS is left as an exercise for the reader.
Show me on the doll where his noodly appendage touched you.
It is not active during startup or shutdown. This window of vulnerability will be fixed in SP2. That said, I wouldn't trust a "firewall" written by people clueless enough not to enable it before the network stack goes up.
The article submitter could just as easily have written "Can a home user install and update Linux without being attacked". It doesn't matter which OS you install, if it's out of date then you're vulnerable. I think the article is almost flamebait!
;)).
There are things the submitter could have done, like stopping all services that listen for connections, running Windows XP's firewall on their connection, unbinding Microsoft Networking Client from their NIC, etc. They could have booted up in safe mode with network support.
But the solution you offered is probably the best. I recommend to everybody these days that they run behind a cheap NAT box. It doesn't matter which OS you use, keep your computer off the internet! A NAT box is the simplest and not particularly expensive solution, and it'll leave you much safer and require less effort on the vigilance (note: I didn't no vigilance
We have incompetent IT guys at our place and Sasser is loose on the corporate LAN. We were trying to create a Win2K box but it kept rebooting. We just copied the patch for that over via CDRW, although the submitter could have downloaded everything they needed first from their Linux installation. In carpentry they always say "measure twice, cut once". This person didn't do enough preparation.
Turn the machine on. Turn the firewall on. THEN plug in the ethernet cable. Or just use Windows Catalog on another machine to download the service pack and all the security patches (there's a rollup for most of them), burn to CD, and install them before plugging in the ethernet cable. Me, I just install behind a router with all the ports off. (Conveniently, my home Windows box is running through my AirPort, and only my Mac is exposed to the outside world.)
"Windows XP: Surviving the First Day"
How ironic! Weren't Windows 2000 and Windows XP supposed to be the most secure Microsoft OSes ever?
And I remember a certain Microsoft CEO of a previous era saying something like, "Windows NT is going to be so easy to use, all point 'n click, that you will be able to hire sysadmins off the street."!
And I still use Windows 98. At least it is far easier to reinstall. OK, OK, I grant that it may need to be reinstalled a little more often.
As I like to say, "Funny like a rubber crutch!".
But, I guess that this is just "Microsoft progress", which is becoming just as big a joke as "Microsoft innovation".
Leave the software firewall turned on if you can...
Look, that is just not enough! The software firewall is the last service brought up by XP (currently, M$ has promised that SP2 will fix this [not holding my breath]) so there is a 20 to 30 second window (every pun intended) when the machine reboots between the time the system brings up network services enough to do a DHCP request and when the firewall is active. Looking at my firewall logs, I am still getting hit every 10 to 60 seconds with various Windows vulnerability probes.
So, unless you want to play CAT5 shuffle every time Windows wants to reboot during the update process, a separate firewall is the only way!
300mb+? At what point does it stop being just updates and gives out the entire damn OS?
All the linux update tools I know (apt, red-carpet, urpmi) run perfectly with the firewall up and at maximum paranoia level. So I could install, set my firewall to reject all incoming connections, and update; that would leave me vulnerable only to very basic level exploits (like some hypothetical hole in ICMP).
I've not used windows update, but the poster said it asked to lower the firewall, and I think that's a weak point.
I have a linksys wireless router between my DSL modem and my computers. I've gotten malware and spyware on my main computer (I found out later when I ran a checking program) but never got a virus or a worm. When I later installed Apache locally on a Win 98 machine and put in a .hosts file with a list of all the adware companies and their servers routed back to localhost, (which causes the local copy of Apache to try to serve them and report no such page) it also stopped almost all popups and a lot of in-line ads.
The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.
I would follow the recommendation of our friends at thebroken.org and burn your computer from the inside out.
That's not too different from the amount of patches you have to download after a fresh install of linux. Hell, when I loaded Suse 9.1, there were at least 100mb of updates already. If I installed a distro that was as old as XP I could very well see 300mb of updates.
So I should reinstall my OS and depend on some third party tool to remove crap installed on it?
What you are saying is that it is impossible to install Windows cleanly?
Try using a firewall/router instead.
If you can't afford a hardware router you can't afford Windows. Add $50+ to the TCO of Windows.
Or if you can't afford that, use another free OS, such as any BSD or Linux.
If tyranny and oppression come to this land, it will be in the guise of fighting a foreign enemy. - James Madison
Linux's updates shouldn't be more than a few megs, considering there are floppy-based distros where the whole distro fits in a meg or two.
Of course if by "Linux" you're counting Wine & MSFT-office-warez & more, you'd have more security updates than a core Linux distro.
1) Hide behind a NAT router - Install Windows disconnected from networks. Find someone with DSL and a NAT router. Install all the patches from the safety of their home network.
2) Before installing Windows, format the disk to have a FAT partition. Boot Knoppix Linux from a CD. Get on the internet and download the patches to the FAT partition. Boot Windows - install patches.
Religion is the main cause of atheism.
I tell every person I know who gets a broadband connection to buy a hardware firewall device. If they invest in a wifi router for about $80, then they not only get a built-in firewall but also a wifi hub/switch as a bonus. As far as I am concerned, this is an absolute requirement these days.
The NAT that is setup by default for all such routers is just the ticket to avoid viruses like blaster.
Why should the poor guy waste money in order to install WinXP?
Doesn't Microsoft want people to install/update their product?
And yes, they can do something: let pirated copies of WinXP update.
Also, they should try this thing... What's its name... Oh, QA!
I had the same problem: I am a linux user and I tried to install WinXP.
After I installed it, I went to "windows update" right away.
But while doing it, I got popups, I got "your computer will shut down in..." (I know, I know, shutdown -a, but still...).
That's the most user-unfriendly experience I ever had with a computer/software.
If you want to be constructive, tell us how to do the same (download all updates and burn a CD for installation offline) for GNU/Linux distros: Debian, Gentoo, Mandrake, Red Hat, Suse...
Usually you can download ISO images of release-time distros. But for updates you have to be online.
AFAIK, no Linux distro proposes a 'Update CD' updated after every new vulnerability fix published.
Right click on a Microsoft update, then choose properties, then digital signatures.
I think you'll find they went one better and digitally sign every update with their private key.
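As an added example (not from the thread), here is a PowerShell check for the offline-patching approach discussed above: it walks a folder of downloaded update packages and verifies that each one carries a valid Authenticode signature whose signer is Microsoft before the folder is burned to CD and installed on the disconnected machine. The folder path and file extensions are assumptions.

```powershell
# Added example: verify the Authenticode signature on every downloaded update
# package before it goes onto an offline-install CD. The folder path below is
# an assumption; point it at wherever the packages were saved.
param(
    [string]$UpdateDir = "D:\offline-updates"
)

function Test-UpdateSignatures {
    param([string]$Path)

    $results = foreach ($file in Get-ChildItem -Path $Path -Recurse -Include *.exe, *.msi, *.msu, *.cab) {
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "" }
        [pscustomobject]@{
            File    = $file.FullName
            Status  = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer  = $signer
            # A package is trusted only when the signature chain validates AND
            # the signing certificate belongs to Microsoft; a valid signature
            # from any other organisation means this is not the file expected.
            Trusted = ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation')
        }
    }
    return $results
}

$report = Test-UpdateSignatures -Path $UpdateDir
$report | Format-Table -AutoSize

$bad = @($report | Where-Object { -not $_.Trusted })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} package(s) failed the signature check; do not install them:" -f $bad.Count)
    $bad | ForEach-Object { Write-Warning $_.File }
    exit 1
}
Write-Host "All packages carry a valid Microsoft signature."
```

Run this on the connected machine that did the downloading; a HashMismatch or NotSigned status means the file was altered or is not a genuine update, regardless of what it was named.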
Friends? XP? You got some pretty dumb friends. Why do you Linux people help these losers?
My friends help me, I help my friends. It's not my decision what software they put on their computer, and when their courses dictate software that only runs under Windows, it's not my place to say "forget that, ditch your courses and use a MAN'S operating system".
Basically, I don't tell my friends to fuck off because I quite like having friends. I know how to fix their computer in a tenth the time or cost it would take them, they know how to do the same for my car, or my plumbing, or any of a hundred other things.
But seriously, the Linksys hardware isn't that expensive. While a slow PC would be more versatile and probably perform better, you're talking about losing some convenience.
A small PC would:
- Be louder
- Use more electricity (cost more)
- Generate more heat
- Take up more space
- Probably be an eyesore
- Be harder to use / configure for the less tech savvy
Sure, if you're a geek and don't mind, then sure, go for it. But really, you can find a good Linksys router / NAT for really cheap if you look in the sale ads. While it might not be as good, I think the convenience far outweighs the monetary costs and geek-factor.
I've *NEVER* applied a security patch to my home linux machine, and it is no doubt vulnerable to tons of exploits. My home linux security practices are comparable to diving into a cesspool with an open wound, however, I have NEVER had a virus/worm/whatever on that machine.
The windows partition by contrast, requires 'sterile technique' to avoid immediate contamination, and still gets sick from time to time. Windows is like an OS with AIDS, or maybe it's more like the 'boy in the bubble'. To install, first you have to build a plastic firewall with HEPA filters and autoclaves for everything entering or exiting, and then the OS will only survive if you maintain positive pressure inside the bubble to keep out 'germs'.
Potato blights can wipe out entire crops of cloned potato plants, but non-cloned heirloom varieties are not susceptible. You can grow them, and have a better defense against disease than any remedies or blight epidemic control techniques (like burning crops) could ever provide. Sure some disease might be able to kill your strain of potatoes, but you aren't likely to catch it from the clone-growing farmer next door. You aren't likely to catch it at all.
Eat at Joe's.
The one thing I'd love for MS to do is to actually improve its update process so that installing a patch doesn't require additional patches after the fact. Example: Installing a fresh MS Win2000 system and going to the MS Windows Update site initially requires 17 patches. After installing these patches, you recheck the site and you must now get an additional 35 patches. Why can't they consolidate patches? I can understand leaving patches available (in case a user has a requirement for a particular level), but make some of the older ones obsolete. Doing so should reduce the size of the patch downloads significantly.
MS also needs to deliver product CD's at a particular patch level so that newly built systems by default have many of the patches. PC vendors handle this somewhat by generally providing a "system restore" disk that is at a certain patch level, but MS really should consider quarterly releases of their supported operating systems. By this I don't mean a patch CD, but an actual OS CD with all the patches built in (sort of like "WinXP (Q3 - 2004)" or something like that).
As for patch sizes, I agree that you have to look at patches beyond the kernel when considering the size. While these may be more critical, you certainly want to update everything typically on the system. While you may apply the core patches first, you're likely to secure the entire system.
Out of curiosity I checked the Solaris 8 & 9 recommended patch sets and they were at 138MB and 122MB respectively. I'm sure MS could get to this size if they started to obsolete patches more regularly instead of holding back to the all encompassing service pack.
Maybe someone in the embedded business can answer this, but why don't the cable modems that we all have to buy or rent for broadband COME WITH basic TCP drop functionality for incoming connections? You could make it port 80 configurable from the inside or even require that it be configured via the USB port to be more secure. That way, the 90% of folks who have no need for incoming connections would be fine, and the other 10% of us could figure out what settings we'd like to use.