Slashdot Mirror

← Back to Stories (view on slashdot.org)

How To Avoid Viruses At Windows Install Time?

Posted by timothy on from the good-luck-with-all-that dept.

reallocate writes "Can a home user install and update Windows without being attacked by a virus or worm? I'm a Linux user; have been since 1995. Recently, I needed to install Windows XP Pro on a home desktop machine with a Roadrunner cable connection. I tried twice. Both times, the machine was attacked and rendered unusable before I was able to pull down the first update from Windows Update." Read on for more details of what went wrong and when.

Here's a synopsis of my install method:

  1. Put the Windows XP CD in the drive;
  2. Disconnect the cable modem from the network card;
  3. Reboot and install Windows;
  4. The box remains off the net during the entire install: no registering, no setting up an ISP, no activation, no network configuration, no nothing. (BTW, the only networking component that I install is tcp/ip. All the other MS stuff never gets on the machine.)
  5. Reboot; Windows runs and all is well;
  6. Install the current version of Norton Internet Security Professional from a shrinkwrapped CD (firewall, anti-virus, etc.);
  7. Configure the Roadrunner net connection and reboot to pick up a DHCP lease;
  8. Launch the Norton update facility (per Norton's recommendation, the built-in XP firewall is turned off);
  9. Complete the Norton update and reboot;
  10. Launch Windows Update;
  11. Start to pull down Service Pack One; per Microsoft's instructions, all firewalls are turned off.

That's as far I got. During the first attempt, I acquired a virus or worm before I could finish the Norton update (machine powered down). On the second attempt, I got as far as Windows Update and SP1(continual rebooting).

So...how would you do it?"

25 of 833 comments (clear)

  1. If you can stand waiting... by foidulus · · Score: 5, Informative

    You can get a cd from microsoft(more info here that would have a lot of the updates you are looking for. You could also download it from your linux machine, and then do the whole installation offline.

    1. Re:If you can stand waiting... by XaviorPenguin · · Score: 5, Informative

      There is another way. If you go to Autopatcher.com, you can download all of Service Pack 1 and pre-Service Pack 2 updates with all critical and recommended updates. It is a hefty download (300MB +) but it is worth it. It comes with:
      -Direct X 9.0b + Updates
      -XP Powertoys
      -SP1 Critical and Recommended Updates
      -Pre SP2 Critical and Recommended Updates
      - + More

      I use it and it is updated every month. Get it while you can!

      --
      Friends help you move...
      REAL Friends help you move dead bodies... ^_^
    2. Re:If you can stand waiting... by LoneIguana · · Score: 5, Informative

      You can access the windows update catalog here: http://v4.windowsupdate.microsoft.com/catalog/en/d efault.asp There you can get secruity updates for all versions of windows. You actually download them to your computer rather then installing them. You could download them on another computer burn them to a CD, then install before connecting to the internet. The only problem is you need a computer with IE. Maybe get a friend to burn it for you?

    3. Re:If you can stand waiting... by TPS+Report · · Score: 5, Informative

      You can (with just a few mouse clicks) automatically create an up-to-date ISO of Windows XP/2000/2003 with XPCreate. It's a really nice utility.

      --
      I was told that I could listen to the radio at a reasonable volume from nine to eleven...
    4. Re:If you can stand waiting... by zoloto · · Score: 5, Informative

      DUDE THIS ROCKS!
      Actually, what you can do is use Wine or WinEX and install Internet Explorer 5.5 from an old 5.5 installation CD on Linux,... download then burn to CD and you'll be great. I did that just now and i have to say thank you for the link.

      It seems that any useful links, MS hides behind a rediculous naming scheme for some odd reason.

      Thank you again, if I had MOD points, I'd certianly give them to you.

    5. Re:If you can stand waiting... by BollocksToThis · · Score: 5, Informative

      The only problem is you need a computer with IE.

      If you go to the Microsoft download center, you can download every patch with (almost?) any browser. I downloaded service pack 1 and every patch after that using nothing but Opera.

      It was less convenient than using WindowsUpdate/IE, but it would still have worked on a linux machine. The best part is, when friends give me their computers to reinstall XP, I don't need to spend four hours downloading patches from scratch.

      --
      This sig is part of your complete breakfast.
    6. Re:If you can stand waiting... by Condor7 · · Score: 5, Informative



      Autopatcher.com also has a Lite version and an UltraLite version.

      The UltraLite version contains only Critical and Recommended updates, along with IE and Outlook patches, and weighs in at 89MB.

    7. Re:If you can stand waiting... by jonfelder · · Score: 5, Insightful

      That's not too different from the amount of patches you have to download after a fresh install of linux. Hell, when I loaded Suse 9.1, there were at least 100mb of updates already. If I installed a distro that was as old as XP I could very well see 300mb of updates.

    8. Re:If you can stand waiting... by Anonymous Coward · · Score: 5, Insightful

      Friends? XP? You got some pretty dumb friends. Why do you Linux people help these losers?

      My friends help me, I help my friends. It's not my decision what software they put on their computer, and when their courses dictate software that only runs under Windows, it's not my place to say "forget that, ditch your courses and use a MAN'S operating system".

      Basically, I don't tell my friends to fuck off because I quite like having friends. I know how to fix their computer in a tenth the time or cost it would take them, they know how to do the same for my car, or my plumbing, or any of a hundred other things.

  2. Easy by daveschroeder · · Score: 5, Informative

    Do the installation behind a personal NAT/firewall device.

    (Or, read all the posts about how you can put together some huge, convoluted update CD that's never completely up-to-date instead of just spending $35 on a little hardware firewall.)

    1. Re:Easy by Josh_Borke · · Score: 5, Informative

      or install zonealarm. and don't turn off the firewall. I've never had to turn off my firewall when doing any windows update.

      I would update windows before updating the firewall, that way you don't have to worry so much about being shutdown while the firewall is down.

      my .02

  3. Firewall by jpaz · · Score: 5, Informative

    Keep the firewalling on, no matter what Microsoft says. I've never had an instance where having a firewall turned on kept windowsupdate from working properly.

  4. Easy by Masami+Eiri · · Score: 5, Informative

    We do this all the time where I work.
    Use another machine to burn a copy of the latest service pack, and the Sasser worm fix, and whatever other updates you want to include.
    After installing, install the updates from the CD, then check windows update for anything else.

  5. Odd by The-Bus · · Score: 5, Insightful

    What about a router/firewall?

    How do you get these worms? This sounds incredulous...

    --

    Small potatoes make the steak look bigger.

  6. Get a router. by Anonymous Coward · · Score: 5, Insightful

    Why don't people pay ~30$ for a router with built in firewall? Even if one got only one PC connected to it it's worth it. No worries about worms or hacks.

  7. External firewall? by pilkul · · Score: 5, Informative
    You say you're a Linux user; why not plug one of your Linux boxes to the 'net, use it as NAT-routing firewall using iptables, and download the updates from behind the firewall? It's always worked for me. Or if you only have one machine, you can buy a cheap NAT router for 50$ nowadays.

    This solution seems so obvious to me that I wonder why you even bothered to ask. With your apparent technical knowledge, surely you must've thought of this. I'm inclined to think this question was just a veiled way to start an article bashing Microsoft about all the worms affecting their system.

  8. i'm installing right now... by phrasebook · · Score: 5, Interesting

    I'm putting XP on my laptop next to me right now actually. I think it is pretty safe because a) it is connected to the net using NAT, not directly to the modem and b) I slipstreamed SP1 into my XP CD, so that when I install it I'm already at SP1 level. See here for instructions (that's win2k, but same for winxp of course). And I dunno why you'd bother with Norton Anything quite frankly. Maybe you can just buy a cheap router doing NAT and put it between the modem and computer while you get updates.

  9. Found at isc.incidents.org: by BandwidthHog · · Score: 5, Informative

    Windows XP: Surviving the First Day

    --

    Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
  10. but if you can't.... by Mydron · · Score: 5, Informative
    There are a few guides out there explaining what to do. Most of them involve shutting off windows services (such as file sharing and the windows network client) and using the firewall included with Windows XP before connecting to the internet.

    Here is a fairly comprehensive guide, aptly named: Windows XP: Surviving the First Day

    1. Re:but if you can't.... by dknj · · Score: 5, Informative

      This is a pretty poor Ask Slashdot article, IMHO. Here is how I do it within an hour and have nothing to worry about:

      1. Unplug network cable
      2. Install Windows XP
      3. Upon first boot turn on the Windows Firewall and reconnect network cable
      4. http://www.windowsupdate.com
      5. Wait for patches to download, then remove network cable and reboot after patches have installed
      6. Return to http://www.windowsupdate.com and download the remaining patches
      7. Reboot (no need to unplug network cable this time) and install a Virus Scanner/Firewall Suite.

      This takes an hour and isn't rocket science.

      -dk

  11. February? by wcbarksdale · · Score: 5, Funny

    Windows Security Update CD: February 2004

    Updated Date: April 16, 2004

    This CD includes Microsoft critical updates released through October 2003

    Well, as long as that's clear.
  12. Re:RTFQ by SirCrashALot · · Score: 5, Insightful
    As for software firewalls, well those are trash so I won't even bother.

    That depends entirely on what software you are talking about. All a hardware fireall is, is a firewall from a company that realized people won't pay $$ for a piece of software. I.e its a software firewall, just running on some different hardware.

  13. Re:SP1 From CD by Malc · · Score: 5, Insightful

    The article submitter could just as easily have written "Can a home user install and update Linux without being attacked". It doesn't matter which OS you install, if it's out of date then you're vulnerable. I think the article is almost flamebait!

    There are things the submitter could have done, like stopped all services that listen for connections. Ran Windows XP's firewall on their connection. Unbound Microsoft Networking Client from their NIC, etc. They could have booted up in safe mode with network support.

    But the solution you offered is probably the best. I recommend to everybody these days that they run behind a cheap NAT box. It doesn't matter which OS you use, keep your computer off the internet! A NAT box is the simplest and not particulary expensive solution, and it'll leave you much safer and require less effort on the vigilance (note: I didn't no vigilance ;)).

    We have incompetent IT guys at our place and Sasser is loose on the corporate LAN. We were trying to create a Win2K box but it kept rebooting. We just copied the patch for that over via CDRW, although the submitter could have downloaded everything they needed first from their Linux installation. In carpentry they always say "measure twice, cut once". This person didn't do enough preparation.

  14. If you play a Microsft CD... by Spoticus · · Score: 5, Funny

    backwards, you can hear satanic messages. But even worse, if you play it forward, it installs their software!

    Thanks, I'll be here all week... try the veal...

  15. OP: The 100% best answer by Glonoinha · · Score: 5, Informative

    Go to Best Buy and get a Linksys BEFSR41 router / firewall device.
    Plug your computer into the LAN side.
    Clone the MAC address of your computer.
    Change the password on the router to something other than 'admin'.
    Plug in your cablemodem into the WAN side.
    Enjoy your new worm/virus/trojan free existance.

    How many times do we need to spell it out??

    --
    Glonoinha the MebiByte Slayer