How To Avoid Viruses At Windows Install Time?
reallocate writes "Can a home user install and update Windows without being attacked by a virus or worm? I'm a Linux user; have been since 1995. Recently, I needed to install Windows XP Pro on a home desktop machine with a Roadrunner cable connection. I tried twice. Both times, the machine was attacked and rendered unusable before I was able to pull down the first update from Windows Update." Read on for more details of what went wrong and when.
Here's a synopsis of my install method:
- Put the Windows XP CD in the drive;
- Disconnect the cable modem from the network card;
- Reboot and install Windows;
- The box remains off the net during the entire install: no registering, no setting up an ISP, no activation, no network configuration, no nothing. (BTW, the only networking component that I install is tcp/ip. All the other MS stuff never gets on the machine.)
- Reboot; Windows runs and all is well;
- Install the current version of Norton Internet Security Professional from a shrinkwrapped CD (firewall, anti-virus, etc.);
- Configure the Roadrunner net connection and reboot to pick up a DHCP lease;
- Launch the Norton update facility (per Norton's recommendation, the built-in XP firewall is turned off);
- Complete the Norton update and reboot;
- Launch Windows Update;
- Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off.
That's as far as I got. During the first attempt, I acquired a virus or worm before I could finish the Norton update (machine powered down). On the second attempt, I got as far as Windows Update and SP1 (continual rebooting).
So...how would you do it?"
What about a router/firewall?
How do you get these worms? This sounds incredulous...
Small potatoes make the steak look bigger.
Why don't people pay ~30$ for a router with built in firewall? Even if one got only one PC connected to it it's worth it. No worries about worms or hacks.
All you need for a home installation is a NAT firewall connected to your cable modem/dsl. As long as your firewall is properly configured and no other computer on your NAT network is infected, you should be okay.
OR turn on the windows XP firewall under the advanced tab on your network connection's properties before you plug the network cable in.
If ANY piece of software ever lists "disable all firewalls" as a part of the instructions, toss it and run away. There's no reason to ever disable a hardware firewall on a properly written piece of software. As for software firewalls, well those are trash so I won't even bother.
That depends entirely on what software you are talking about. All a hardware firewall is, is a firewall from a company that realized people won't pay $$ for a piece of software. I.e., it's a software firewall, just running on some different hardware.
It is not active during startup or shutdown. This window of vulnerability will be fixed in SP2. That said, I wouldn't trust a "firewall" written by people clueless enough not to enable it before the network stack goes up.
The article submitter could just as easily have written "Can a home user install and update Linux without being attacked". It doesn't matter which OS you install, if it's out of date then you're vulnerable. I think the article is almost flamebait!
;)).
There are things the submitter could have done, like stopped all services that listen for connections. Ran Windows XP's firewall on their connection. Unbound Microsoft Networking Client from their NIC, etc. They could have booted up in safe mode with network support.
But the solution you offered is probably the best. I recommend to everybody these days that they run behind a cheap NAT box. It doesn't matter which OS you use, keep your computer off the internet! A NAT box is the simplest and not particularly expensive solution, and it'll leave you much safer and require less effort on the vigilance (note: I didn't no vigilance
We have incompetent IT guys at our place and Sasser is loose on the corporate LAN. We were trying to create a Win2K box but it kept rebooting. We just copied the patch for that over via CDRW, although the submitter could have downloaded everything they needed first from their Linux installation. In carpentry they always say "measure twice, cut once". This person didn't do enough preparation.
300mb+? At what point does it stop being just updates and gives out the entire damn OS?
All the linux update tools I know (apt, red-carpet, urpmi) run perfectly with the firewall up and at maximum paranoia level. So I could install, set my firewall to reject all incoming connections, and update; that would leave me vulnerable only to very basic level exploits (like some hypothetical hole in ICMP).
I've not used windows update, but the poster said it asked to lower the firewall, and I think that's a weak point.
That depends entirely on what software you are talking about. All a hardware firewall is, is a firewall from a company that realized people won't pay $$ for a piece of software.
You're fucking kidding, right?
So, what you're saying is, a majority of Fortune 500 companies can throw their Cisco PiX firewalls away and just install ZoneAlarm? Think of the money they'll save!
So that's what the second step to profit is...
WTF? Over?
That's not too different from the amount of patches you have to download after a fresh install of linux. Hell, when I loaded Suse 9.1, there were at least 100mb of updates already. If I installed a distro that was as old as XP I could very well see 300mb of updates.
Linux's updates shouldn't be more than a few megs, considering there are floppy-based distros where the whole distro fits in a meg or two.
Of course if by "Linux" you're counting Wine & MSFT-office-warez & more, you'd have more security updates than a core Linux distro.
1) Hide behind a NAT router - Install windows disconnected from networks. Find someone with DSL and a NAT router. Install all the patches from the safety of their home network.
2) Before installing windows, format the disk to have a FAT partition. Boot Knoppix Linux from a CD. Get on the internet and download the patches to the FAT partition. Boot Windows - install patches.
Religion is the main cause of atheism.
Right click on a Microsoft update, then choose properties, then digital signatures.
I think you'll find they went one better and digitally sign every update with their private key.
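The signature check described in the comment above (file properties, then digital signatures), run in bulk over patches that were downloaded on another machine as in option 2 earlier in the thread. This is an added PowerShell example, not part of any poster's comment; the folder path and the publisher string are assumptions.

```powershell
# Added example: check Authenticode signatures on update packages that were
# downloaded elsewhere, before installing any of them on the offline machine.
param(
    # Hypothetical folder holding the downloaded patches (assumption).
    [string]$PatchDir = 'D:\patches',
    # Assumed publisher string required in the signer certificate subject.
    [string]$ExpectedPublisher = 'O=Microsoft Corporation'
)

$files = @(Get-ChildItem -Path $PatchDir -Recurse -File -Include *.exe, *.msi, *.msu, *.cab)
if ($files.Count -eq 0) {
    Write-Warning "No update packages found under $PatchDir."
    exit 1
}

$results = foreach ($file in $files) {
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # Unsigned files have no signer certificate at all.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # 'Valid' means the hash matches and the chain ends in a trusted root;
    # the subject match then confirms who signed it.
    $trusted = ($sig.Status -eq 'Valid') -and ($signer -like "*$ExpectedPublisher*")

    [pscustomobject]@{
        File    = $file.Name
        Status  = $sig.Status
        Signer  = $signer
        Trusted = $trusted
    }
}

$results | Format-Table -AutoSize

# Refuse to proceed if any package is unsigned, tampered with, or signed by
# someone other than the expected publisher.
$bad = @($results | Where-Object { -not $_.Trusted })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) file(s) failed the signature check; do not install them."
    exit 1
}
Write-Output "All $($files.Count) package(s) carry a valid signature from the expected publisher."
```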
Friends? XP? You got some pretty dumb friends. Why do you Linux people help these losers?
My friends help me, I help my friends. It's not my decision what software they put on their computer, and when their courses dictate software that only runs under Windows, it's not my place to say "forget that, ditch your courses and use a MAN'S operating system".
Basically, I don't tell my friends to fuck off because I quite like having friends. I know how to fix their computer in a tenth the time or cost it would take them, they know how to do the same for my car, or my plumbing, or any of a hundred other things.