Another great point by another user from another forum today, for Windows 7 folks (VISTA too, & of course, Windows Server 2008), from a fellow named "AlphaAlien" here -> http://www.hardwaregeeks.com/board/showthr...0440#post410440
(LOL! Oddly, it's one I overlooked from my OWN GUIDE here, that I applied to Windows 2000/XP/Server 2003, but had "overlooked" in my tips about Windows 7 just above, specifically... &, it IS a good idea, + one I ended up "expanding on" so, I have to thank AlphaAlien for "getting the ball rolling" in my brain here, lol, once more so I could suggest his point (one I suggested here again, no less, for the OLDER MS' OS of Windows NT-based ancestry) & expand on it even more... probably wouldn't have done it w/out he, so, credit goes, where credit is due imo).
This is a good point too, so... here goes:
Open up gpedit.msc (you can do this from the "Windows Start button" (is it STILL called that now, in Windows 7/VISTA etc. I wonder?) & the RUN or search command). In it, follow its left-hand side pane's tree items down THIS path:
Computer Configuration
Administrative Templates
Network
Network Connections
Windows Firewall
Domain Profile (only use this one IF you are not part of a LAN/WAN or connect to them, & you don't need to do some of what is suggested to turn off there - & you can though, if you don't need to do the stuff we're going to 'crank off' here, especially if you are a single system home user)
Local Profile (this one users with a single system @ home that's not part of a home LAN should do)
NOW, once there? Use the RIGHT-HAND SIDE PANE items of (now quoting our exchange from the URL above, saves me time, & I have programming assignments in JAVA to do so, excuse the use of this DIRECT quote from the URL above):
Prevents administrative remote management services.
Looks good to me, especially for most folks (which, face it, most folks don't have home "LAN/WAN" setups (mainly people who are way, Way, WAY "into computing" do imo & experience)).
Since they're mainly single system users, & @ home (which I found professionally on a job in 2006 that they're the most "abused" typically as well by malware etc. et al) - they're the folks I put this out for mostly, if they want to take the initiative & time to do it is all. They need it the most, from what I've seen, so... here 'tis.
As long as you don't perform remote administration tasks? You should probably turn the ability for "remote administration" off as AlphaAlien points out.
I'd have to add this point of AlphaAlien's now though: This same idea/technique/tip/trick can also be done for the DOMAIN and LOCAL profiles there too, and, it also points out a couple others to remove, possibly too (such as UPnP, Remote File & Printer Access, Remote Desktop, setting them as DISABLED there, & possibly to even ICMP also (ping basically))
The PING & UDP ones may affect other wares though, so, test @ your leisure on those 2.
(Sounds like a good move, as imo @ least, it really supplements cutting off:
A.) Server (allows shares) + Workstation (provides SMB services, in services.msc (& an outbound BLOCK rule in the firewall vs. TCP/UDP for PORTS 139 & 445 (this one mainly, will stall this newly surfaced "bug" noted above in Windows 7 & Server 2008))
B.) Terminal Services/Remote Desktops
C.) Cutting out Client for MS Networks + File & Print Sharing in your local area network connection (clients & protocols sections) & also NetBIOS over TCP/IP in the WINS section of the local area connection too.
D.) Disabling TCP/IP over NetBIOS in services.msc as well
E.) "Stalling out share$", via a batch or .cmd file (possibly even a powershell script as well) & I mean, any shares: Even default ones like in the batch above
F.) Setting secured ACL's on the filesystem + registry as well via explorer.exe OR cacls possibly, & regedit.exe
(Then, your firewall can do the rest, as far as "inbound intrusion attempts" - I don't think there's much other than that to "get ahold of", & even a nullsession attempt ought to be stalled between this, & the secpol.msc work (plus HOSTS & AnalogX's IP Security Policy as well)))
Thanks for the solid point AlphaAlien: It got my "wheels rolling" on a couple of others in gpedit.msc (which I did suggest for Windows 2000/XP/Server 2003 already earlier in this guide), but, I overlooked here, so I added on the rest.
APK
P.S.=> Oh, AlphaAlien: I am going to credit you with this & put your points out, in your name of course, in regards to this setting in Group Policy Editor on the other 20 or so forums I can still edit this post on as well, hope you don't mind (it's a good solid point, & I do credit others where/when/how/why credit is due they, for solid points) - I am not sure if linking to your photo will work or not (depending on where YOU store it that is), so I may have to "expand" the tree items in gpedit.msc manually in text, so... in any event, there you are... apk
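The Group Policy settings discussed in this post can be checked without clicking through gpedit.msc. The following is an added example, not part of the original post: a read-only PowerShell audit of the Windows Firewall exception policies for both profiles, plus an optional helper for the outbound block on ports 139 and 445 from item A. The function and rule names are hypothetical, and the script assumes the registry layout written by the Windows Firewall administrative template, which stores the non-domain profile under the key name StandardProfile.

```powershell
# Added example, not code from the original post.
# Assumption: gpedit.msc stores the Windows Firewall exception policies under
# the key below, one sub-key per profile (DomainProfile, StandardProfile).
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$FwProfiles = 'DomainProfile', 'StandardProfile'

# Exceptions named in the post: policy sub-key, value name, readable label.
$Checks = @(
    @{ Key = 'RemoteAdminSettings';    Value = 'Enabled';                 Label = 'Remote administration' },
    @{ Key = 'Services\FileAndPrint';  Value = 'Enabled';                 Label = 'File and printer sharing' },
    @{ Key = 'Services\RemoteDesktop'; Value = 'Enabled';                 Label = 'Remote Desktop' },
    @{ Key = 'Services\UPnPFramework'; Value = 'Enabled';                 Label = 'UPnP framework' },
    @{ Key = 'IcmpSettings';           Value = 'AllowInboundEchoRequest'; Label = 'ICMP echo request (ping)' }
)

function Get-FirewallExceptionPolicy {
    # Emits one object per profile/exception pair. Nothing is modified.
    foreach ($fwProfile in $FwProfiles) {
        foreach ($check in $Checks) {
            $path = Join-Path (Join-Path $PolicyRoot $fwProfile) $check.Key
            $item = Get-ItemProperty -Path $path -Name $check.Value -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                # No policy value: the local firewall settings decide instead.
                $state = 'NotConfigured'
            } elseif ($item.($check.Value) -eq 0) {
                $state = 'Disabled'
            } else {
                $state = 'Enabled'
            }
            New-Object PSObject -Property @{
                Profile     = $fwProfile
                Exception   = $check.Label
                State       = $state
                EnforcedOff = ($state -eq 'Disabled')
            }
        }
    }
}

function Add-SmbOutboundBlock {
    # Changes firewall state: run from an elevated prompt only when wanted.
    # netsh advfirewall is available on Vista / Server 2008 and later.
    # Blocking these ports also stops this machine from reaching file shares.
    foreach ($proto in 'TCP', 'UDP') {
        $netshArgs = @(
            'advfirewall', 'firewall', 'add', 'rule',
            "name=Block-Outbound-139-445-$proto",   # hypothetical rule name
            'dir=out', 'action=block', "protocol=$proto", 'remoteport=139,445'
        )
        & netsh.exe $netshArgs | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "netsh failed for $proto (exit code $LASTEXITCODE)"
        }
    }
}

# Read-only report; rows with EnforcedOff = False are still worth a look.
Get-FirewallExceptionPolicy |
    Sort-Object Profile, Exception |
    Format-Table Profile, Exception, State, EnforcedOff -AutoSize
```

A row reported as NotConfigured is not necessarily open: it only means Group Policy is not forcing the exception off, so the setting in the firewall control panel applies.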
HOW TO SECURE Windows 2000/XP/Server 2003 & YES, even VISTA INTRODUCTORY MATERIAL (actual steps in next post)
#61
Posted 18 November 2009 - 22:10
"I'm REESE: Sgt. TechComVN38416, assigned to protect you - YOU'VE BEEN TARGETTED, FOR TERMINATION!"
#62
Posted 28 November 2009 - 20:39
Microsoft Security Advisory: Vulnerability in Internet Explorer could allow remote code execution:
http://support.microsoft.com/kb/977981
The new bug in IE6 & IE7 can be patched above (allowing IE6/7 to "opt-in" to DEP (data execution prevention)) using the "FIX IT" button noted there (which applies a database of apps to support DEP apparently, inclusive of IE variants).
The original article explaining the nature of the attack is here:
http://www.microsoft.com/technet/security/...ory/977981.mspx
As well as it listing what Operating System versions are affected adversely thus, there.
APK
P.S. => This is the 2nd URL's list of affected IE versions, & on which Windows NT-based OS variants also:
PERTINENT EXCERPT:
Microsoft is investigating new public reports of a vulnerability in Internet Explorer. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.
Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 and Internet Explorer 8 on all supported versions of Microsoft Windows are not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 are affected.
The vulnerability exists as an invalid pointer reference of Internet Explorer. It is possible under certain conditions for a CSS/Style object to be accessed after the object is deleted. In a specially-crafted attack, Internet Explorer attempting to access a freed object can lead to running attacker-supplied code.
At this time, we are aware of no attacks attempting to use this vulnerability against Internet Explorer 6 Service Pack 1 and Internet Explorer 7. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers. In addition, we’re actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability.
Microsoft continues to encourage customers to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at home.
Mitigating Factors:
• Internet Explorer 8 is not affected.
• Protected Mode in Internet Explorer 7 in Windows Vista limits the impact of the vulnerability.
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.
General Information
Overview
Purpose of Advisory: To provide customers with initial notification of the publicly disclosed vulnerability. For more information see the Mitigating Factors, Workarounds, and Suggested Actions sections of this security advisory.
Advisory Status: The issue is currently under investigation.
Recommendation: Review the suggested actions and configure as appropriate.
References / Identification
CVE Reference: CVE-2009-3672
Microsoft Knowledge Base Article: 977981
----
This advisory discusses the following software.
Affected Software:
Windows XP Service Pack 2
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista
Windows Vista Service Pack 1 and Service Pack 2
Windows Vista x64 Edition
Windows Vista x64 Edition Service Pack 1 and Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
Internet Explorer 6 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 6 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
Internet Explorer 7 for Windows XP Service Pack 2 and Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 7 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
Internet Explorer 7 in Windows Vista, Windows Vista Service Pack 1 and Windows Vista Service Pack 2, and Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Internet Explorer 7 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Internet Explorer 7 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Non-Affected Software:
Internet Explorer 5.01 Service Pack 4 for Microsoft Windows 2000 Service Pack 4
Internet Explorer 8 for Windows XP Service Pack 2 and Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 8 for Windows Server 2003 Service Pack 2 and Windows Server 2003 x64 Edition Service Pack 2
Internet Explorer 8 in Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2, and Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Internet Explorer 8 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Internet Explorer 8 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Internet Explorer 8 in Windows 7 for 32-bit Systems
Internet Explorer 8 in Windows 7 for x64-based Systems
Internet Explorer 8 in Windows Server 2008 R2 for x64-based Systems
Internet Explorer 8 in Windows Server 2008 R2 for Itanium-based Systems
----
... apk
#63
Posted 23 January 2010 - 20:37
I picked up on some information that you guys MAY wish to know about (especially IF you use Internet Explorer (all models/versions)):
GET THE PATCH FOR IE 5.01 - IE 8.0 (on ALL Windows versions of NT-based origins (2000/XP/Server 2003/Server 2008/VISTA/Windows 7)) FOLKS!
It was issued "Out-Of-Band" (meaning MS didn't wait for "Patch Tuesday" to roll around again (2nd Tuesday of every month)).
(&, you can do that via "Windows Update" of course, but that takes MORE TIME for that to "take" typically, than nabbing it directly, here would do for you, since you can install it yourselves, directly & immediately):
http://www.microsoft...n/ms10-jan.mspx

This isn't a joke people & it's NOT THE SAME BUG IN MY LAST POST ABOUT IE EITHER!
So, please... See here:
Widespread attacks exploit newly patched IE bug:
http://www.itworld.c...-patched-ie-bug
It's seriously being exploited, & that's only what they KNOW about.
APK
P.S.=> AND, "there ya are" - Enjoy!... So, after all? It's YOUR MONEY & TIME folks! (that's all)... apk
#64
Posted 23 January 2010 - 22:53
IF you are having trouble FINDING the link to the download for this IE 5-8 patch, for most ALL Windows NT-based OS' by Microsoft?
Try this:
MS10-002 Cumulative Security Update for Internet Explorer (978207)
Look for THAT on the page...
(There you go, per FloppyBootStomp, a moderator @ this website -> http://www.pcreview....d-3511888-7.php where this security guide is also hosted, who had noted it was a bit difficult to find there, per the IE security vulnerability I noted above in my last post...)
APK
P.S.=> Well, to save you time? The DIRECT linkage is here -> http://www.microsoft...n/ms10-002.mspx so, "have @ it" folks, & enjoy... apk
#65
Posted 28 January 2010 - 11:44
A security vulnerability exists in, and has existed in since 1992-1993, the emulation subsystems for DOS &/or Win16 applications under 32-bit versions of Windows NT-based OS:
Microsoft Security Advisory (979682)
Vulnerability in Windows Kernel Could Allow Elevation of Privilege:
http://www.microsoft...ory/979682.mspx
----
THE "FIX":
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
(via removing support for said subsystems by blanking out the files they point to.)
These excerpts will help you identify each component used:
The NTVDM:
16 bit DOS and older 16 bit windows applications are supported by the NT virtual DOS machine (NTVDM) which runs in the Client/Server Runtime (CSR) subsystem. Since each copy of the NTVDM is given its own thread of execution, if it fails, it will not affect the operating system or other programs.
The following components support the NTVDM:
NTVDM.EXE - Starts the NTVDM and emulates the DOS environment.
NTIO.SYS - Emulates the DOS IO.SYS system file.
NTDOS.SYS - Emulates the DOS.SYS file.
Virtual Device Driver (VDD) - Used to allow DOS to interface with system devices on various ports such as the mouse, keyboard, serial ports, parallel ports, and video devices. This component is required since DOS expects to access hardware devices directly, but cannot do so when running on Windows NT.
VDMREDIR.DLL - Redirects file system input/output requests to the Win32 subsystem.
AUTOEXEC.NT - Replacement for AUTOEXEC.BAT.
CONFIG.NT - Replacement for CONFIG.SYS.
NT always loads a PIF for MS-DOS based applications. You can create a PIF to define requirements of the DOS application such as memory needs. In Windows NT 4.0, the PIF settings can be accessed by right clicking on the DOS executable file and selecting properties. On RISC based systems, an instruction execution unit (IEU) works with the NTVDM to emulate I383 Intel processor instruction sets.
Win16 Application support (Windows 3.1 and Windows for workgroups)
The Win16 on Win32 (WOW) subsystem:
It allows 16 bit Windows applications that run on Windows 3.1 and Windows for Workgroups to run on Windows NT 32 bit architecture. This is because the WOW uses a process called thunking to intercept and translate 16 bit system calls to 32 bit system calls. The WOW system components are:
KRNL386.EXE - Modified 16 bit Windows kernel that uses thunking to translate many system service calls into Win32 services.
WOWEXEC.EXE - Emulates Windows 3.1 providing the Windows 3.1 16 bit virtual machine.
GDI.EXE - Modified 16 bit Windows GDI.EXE, that uses thunking to translate API calls to Win32 services.
USER.EXE - Modified 16 bit Windows USER.EXE file, that uses thunking to translate API calls to Win32 services.
WOW32.dll - Emulates the DLL portion of the 16 bit Windows environment.
Each NTVDM requires up to 2M of page file memory and 1M of additional RAM.
Applications using OLE and DDE may need to run together if they must communicate. Only one NTVDM may have multiple 16 bit applications running. NT 4.0 workstation loads the WOW when it is booted, but the NT 4.0 Server only loads the WOW when required by a 16 bit Windows application.
----
What this "fix" (hopefully only needed temporarily) does, is remove the subsystem for DOS/Win16 applications.
It is the ONLY "work-around" I am aware of for this until it is fixed, IF ever, and it is very similar to a recommendation that others "tear out" the POSIX subsystem for the same potential reasons: Security vulnerabilities issues.
(The only people that need to be concerned here, are those running 32-bit versions of Windows NT-based OS (NT 3.x, NT 3.5x, NT 4.0, Windows 2000/XP/Server 2003/VISTA/Server 2008/7), because 64-bit versions of Windows OS do not have a 16-bit subsystem emulator present in them)
APK
P.S.=> Many, if not MOST, people today can do without these entries, UNLESS they have legacy applications from DOS or 16-bit Windows applications they need for "mission critical" purposes... those folks will have to leave these in place until a fix is created by Microsoft (the same can go for those who don't need this as well, but you "take your chances" until MS fixes this)... apk
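A way to check whether a given machine still exposes the 16-bit subsystem described in this post, as an added example that is not part of the original post. It assumes the `VDMDisallowed` policy value, which is the registry value behind the "Prevent access to 16-bit applications" Group Policy setting that Microsoft documents as the workaround for advisory 979682; that value name does not appear in the post, and the function names are hypothetical.

```powershell
# Added example, not code from the original post.
# Assumption: VDMDisallowed (DWORD) under the AppCompat policy key is the
# switch behind "Prevent access to 16-bit applications"; 1 = NTVDM blocked.
$AppCompatKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
# Key quoted in the post; it is only read here, never edited.
$SubSystemsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'

function Test-Is64BitOS {
    # PROCESSOR_ARCHITEW6432 is set only for a 32-bit process on 64-bit Windows.
    $arch = @($env:PROCESSOR_ARCHITECTURE, $env:PROCESSOR_ARCHITEW6432)
    return [bool]($arch -match '64')
}

function Get-NtvdmExposure {
    # Read-only: reports whether 16-bit applications can still start.
    $is64    = Test-Is64BitOS
    $ntvdm   = Join-Path $env:SystemRoot 'System32\ntvdm.exe'
    $policy  = Get-ItemProperty -Path $AppCompatKey -Name VDMDisallowed -ErrorAction SilentlyContinue
    $blocked = ($null -ne $policy) -and ($policy.VDMDisallowed -eq 1)

    # Value names registered under the SubSystems key, for reference.
    $subsystems = @()
    $key = Get-Item -Path $SubSystemsKey -ErrorAction SilentlyContinue
    if ($key) { $subsystems = @($key.GetValueNames()) }

    if ($is64) {
        $verdict = 'Not exposed: 64-bit Windows has no 16-bit subsystem'
    } elseif ($blocked) {
        $verdict = 'Mitigated: policy blocks 16-bit applications'
    } elseif (Test-Path $ntvdm) {
        $verdict = 'Exposed: ntvdm.exe present and not blocked by policy'
    } else {
        $verdict = 'Not exposed: ntvdm.exe not found'
    }

    New-Object PSObject -Property @{
        Is64BitOS       = $is64
        NtvdmPresent    = (Test-Path $ntvdm)
        PolicyBlocked   = $blocked
        SubSystemValues = ($subsystems -join ', ')
        Verdict         = $verdict
    }
}

function Set-NtvdmPolicy {
    # Changes policy state; needs an elevated prompt. Supports -WhatIf.
    # -Disallow $false writes 0 again once a patch is installed and
    # 16-bit applications are needed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([bool]$Disallow = $true)

    $value = [int]$Disallow
    if ($PSCmdlet.ShouldProcess($AppCompatKey, "Set VDMDisallowed to $value")) {
        if (-not (Test-Path $AppCompatKey)) {
            New-Item -Path $AppCompatKey -Force | Out-Null
        }
        New-ItemProperty -Path $AppCompatKey -Name VDMDisallowed `
            -PropertyType DWord -Value $value -Force | Out-Null
    }
}

# Report only; call Set-NtvdmPolicy explicitly to change anything.
Get-NtvdmExposure | Format-List Verdict, Is64BitOS, NtvdmPresent, PolicyBlocked, SubSystemValues
```

Unlike blanking entries under the SubSystems key, the policy value leaves the subsystem files and registrations intact, so it can be reversed with a single call.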
#66
Posted 28 January 2010 - 12:59
To help users automate this fix for the security issue in the NTVDM DOS 16-bit emulation subsystem present in 32-bit Windows NT-based OS (all of them & since 1992-1993 no less) that was noted in my last post above, you can do this far faster/easier/simpler, by using something Microsoft themselves devised to make it easier & simpler than registry editing, see the URL below:
http://support.microsoft.com/kb/979682
(It's easier/faster/simpler than wholesale disabling via renames or deletions of the files the NTVDM DOS 16-bit emulation subsystems components as shown above OR via registry edits, & thus, you can use what's in that URL above instead (and enable it again easily enough when a fix arrives IF you choose to do so as well)).
APK
"I'm REESE: Sgt. TechComVN38416, assigned to protect you - YOU'VE BEEN TARGETTED, FOR TERMINATION!"
#67
Posted 29 March 2010 - 22:05
IF A WEBSITE PROMPTS YOU TO PRESS THE "F1" KEY? DON'T!
Here is why:
http://secunia.com/advisories/38727/
Secunia Advisory SA38727
Microsoft Windows "MsgBox()" HLP File Execution Vulnerability
Release Date: 2010-03-01
Criticality level: Moderately critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Operating System(s):
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Storage Server 2003
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
Description
Maurycy Prodeus (my fellow "Polish person") has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to the VBScript "MsgBox()" function allowing the execution of arbitrary HLP files. This can be exploited to execute an HLP file from e.g. an SMB share by tricking a user into pressing F1 when viewing a specially crafted website.
Successful exploitation allows execution of arbitrary commands via HLP macros.
The vulnerability is confirmed with Internet Explorer 7 on a fully patched Windows XP SP3, and additionally reported in Windows 2000 and Windows Server 2003.
Solution
Avoid pressing F1 on untrusted websites. Disable Active Scripting support.
APK
P.S.=> I was a "wee bit" slow on posting this one, but, here tis (around 28 days later than I ordinarily would, sorry about that, "busy boy" here is all)... apk
"I'm REESE: Sgt. TechComVN38416, assigned to protect you - YOU'VE BEEN TARGETTED, FOR TERMINATION!"
#68
Posted 31 March 2010 - 12:38
MS Issues Emergency IE Security Update:
http://www.microsoft...n/ms10-018.mspx
----
Microsoft has issued an emergency patch for 10 IE security holes. 'The cumulative update, which Microsoft announced on Monday, resolves nine privately reported flaws and one that was publicly disclosed. Software affected by the cumulative update addressing all the IE vulnerabilities includes Windows 2000, Windows XP, Windows Server 2003 and Server 2008, Vista, and Windows 7.'
----

* This one closes a LOT of "security holes" in Internet Explorer, through ALL of Microsoft's 32 & 64 bit Windows NT-based Operating Systems of "modern variety"...
APK
P.S.=> Well, "have @ it folks", & that's "hot off the presses"... enjoy! apk
"I'm REESE: Sgt. TechComVN38416, assigned to protect you - YOU'VE BEEN TARGETTED, FOR TERMINATION!"
#69
Posted 07 April 2010 - 15:13
For those of you who are aware of the advantage of using a custom HOSTS file, for both noticeable added speed, AND NOTICEABLE ADDED SECURITY ONLINE (this latter being via the SIMPLE PRINCIPLE of "You can't get burned, if you can't go into the 'malscripted site kitchen'")?
I have just edited my post point #5 here with the list below (of reputable & updated sites that keep lists of KNOWN BAD SITES &/or SERVERS, or entire HOSTS files too) so you can integrate their entries into YOUR CUSTOM HOSTS FILE (as I have been doing for years now, with approximately 814,000 entries of known bad sites &/or servers in it):
RESULTS USERS WHO HAVE USED MY HOSTS FILE ARE SEEING? OK - THIS TESTIMONIAL SHOULD SERVE THE PURPOSE AS A "NUFF SAID":
----
http://forums.thepla...&st=60&start=60
"the use of the hosts file has worked for me in many ways. for one it stops ad banners, it helps speed up your computer as well. if you need more proof i am writing to you on a 400 hertz computer and i run with ease. i do not get 200++ viruses and spy ware a month as i use to. now i am lucky if i get 1 or 2 viruses a month. if you want my opinion if you stick to what APK says in his article about securing your computer then you will be safe and should not get any viruses or spy ware, but if you do get hit with viruses and spy ware then it will your own fault. keep up the good fight APK."
- Kings Joker, user of my guide @ THE PLANET
----
So, as you can see?
Someone who used to get HUNDREDS of malware infestations a month, by stumbling into bad malscripted websites or those that serve up malware executable downloads, etc./et al, is now FAR BETTER PROTECTED by the version of my HOSTS file I use, & NO LONGER SEES THAT LEVEL OF INFESTATION, no less!
(He gets it each day from me, via email, because I keep up on it everyday via the lists below (And, via a program I wrote to integrate the entries, alphabetize them (helps with DNS client cache loads, or B-Tree populations in diskcache), & lastly, to "normalize it" via duplicated entries removal (so file is smaller & faster to load/read too))
It just works!
Additionally, Kings Joker above runs Windows 2000, no service packs, no hotfixes, no antivirus, & NO SPYWARE:
For direct reply on his findings & results? Write he here -> walbergerj@yahoo.com
He can "fill you in" on the rest, as to his results &/or findings (which basically state that all you need, is to run a protective custom HOSTS file that's kept current, & be judicious about your usage of javascript (both points are covered in this article/guide, extensively, AND THEY WORK!)
----
ADVANTAGES OF HOSTS FILES OVER BROWSER ADDONS ALONE, & EVEN DNS SERVERS:
1.) HOSTS files eat A LOT LESS CPU cycles than browser addons do no less (since browser addons have to parse each HTML page & tag content in them, while HOSTS files only really consume "CPU cycles" during their loads (a programming data storage construct, which is an analog to a PASCAL record). Then, the IP stack uses the DNS client C/C++ structure, or possibly an object (not sure anymore, I'd have to see the BSD reference code again to be sure) to do the rest (that, or the local diskcache, because if you have a LARGE hosts file, you have to turn off the DNS Client Cache service, or your system will lag badly (I have notified Microsoft of this occurrence in fact, directly))!
2.) HOSTS files are also NOT severely LIMITED TO 1 BROWSER FAMILY ONLY... browser addons, are. HOSTS files cover & protect (for security) and speed up (all apps that are webbound) any app you have that goes to the internet (specifically the web).
3.) HOSTS files allow you to bypass DNS Server requests logs (via hardcoding your favorite sites into them to avoid not only the TIME taken roundtrip to an external DNS server, but also for avoiding those logs OR a DNS server that has been compromised (see Dan Kaminsky online, on that note)).
4.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than DNS servers can by FAR (by saving the roundtrip inquiry time to a DNS server & back to you).
5.) HOSTS files also allow you to not worry about a DNS server being compromised, or downed (if either occurs, you STILL get to sites you hardcode in a HOSTS file anyhow in EITHER case).
6.) HOSTS files are EASILY user controlled, obtained (for reliable ones -> http://en.wikipedia....wiki/Hosts_file [wikipedia.org] ) & edited too, via texteditors like Windows notepad.exe or Linux nano (etc.)
7.) HOSTS files aren't as vulnerable to "bugs" either like programs/libs/extensions of that nature are, OR even DNS servers, as they are NOT code, & because of what's next too
8.) HOSTS files are also EASILY secured well, via write-protection "read-only" attributes set on them, or more radically, via ACL's even.
9.) HOSTS files are a solution which also globally extends to EVERY WEBBOUND APP YOU HAVE - NOT just a single webbrowser type (e.g. FireFox/Mozilla & its addons exemplify this, such as ADBLOCK)
10.) AND, LASTLY? SINCE MALWARE GENERALLY HAS TO OPERATE ON WHAT YOU YOURSELF CAN DO (running as limited class/least privilege user, hopefully, OR even as ADMIN/ROOT/SUPERUSER)? HOSTS "LOCK IN" malware too, vs. communicating "back to mama" for orders (provided they have name servers + C&C botnet servers listed in them, blocked off in your HOSTS that is) - you might think they use a hardcoded IP, which IS possible, but generally they do not & RECYCLE domain/host names they own, & this? This stops that cold, too! Bonus...
(Still - It's a GOOD idea to layer in the usage of BOTH browser addons for security like adblock, &/or NoScript (especially this one, as it covers what HOSTS files can't in javascript which is the main deliverer of MOST attacks online & SECUNIA.COM can verify this for anyone really by looking @ the past few years of attacks nowadays), for the concept of "layered security")
APK
P.S.=> To keep "ontop of the latest known malicious sites" online? See these sites (1 I mentioned here already, this is the rest of the list I use, & others too):
START OF WEBSITES & SOURCES + TOOLS I USED TO POPULATE THIS LIST + MY ORIGINAL LIST OF BLOCKED ADBANNERS SERVERS
http://ddanchev.blogspot.com/
http://www.malwareur...p...urls=off
http://www.malware.com.br/lists.shtml
http://securitylabs....ent/alerts.aspx
http://www.stopbadware.org
http://blog.fireeye.com/
http://mtc.sri.com/
http://www.scansafe....r/threat_alerts
http://news.netcraft.com
http://www.shadowserver.org/
https://zeustracker....p?filter=online
http://en.wikipedia....wiki/Hosts_file
http://www.mvps.org/
http://someonewhocares.org/
http://hostsfile.mine.nu/hosts0
http://hosts-file.net/?s=Download
http://www.stopbadware.org/home
Between they, & SpyBot "Search & Destroy"? You have most of, if not ALL of what a "body needs" for these purposes. if you know of others? Please list them, & thanks! apk
"I'm REESE: Sgt. TechComVN38416, assigned to protect you - YOU'VE BEEN TARGETTED, FOR TERMINATION!"
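The merge step described in the post above (integrate entries from several lists, alphabetize them, remove duplicates), sketched as an added example; this is not APK's program. The function names, the 0.0.0.0 sink address and the sample lists are assumptions constructed for illustration. It also drops and reports any third-party entry that maps a name to a real address, since importing such a line would redirect traffic instead of blocking it.

```python
import ipaddress
import re

SINK = "0.0.0.0"  # assumption: blocked names are pointed at a non-routable sink
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
NEVER_BLOCK = {"localhost", "localhost.localdomain", "broadcasthost"}
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def valid_hostname(name):
    """True if name is a syntactically valid multi-label DNS hostname."""
    if len(name) > 253 or "." not in name:
        return False
    return all(LABEL.fullmatch(label) for label in name.split("."))


def parse_line(line):
    """Return (ip_or_None, [names]) for one hosts-file or bare-domain line."""
    body = line.split("#", 1)[0].strip()  # drop comments
    if not body:
        return None, []
    fields = body.split()
    try:
        ip, names = str(ipaddress.ip_address(fields[0])), fields[1:]
    except ValueError:
        ip, names = None, fields  # bare domain list: no address column
    return ip, [n.lower().rstrip(".") for n in names]


def merge_hosts(pinned_text, blocklist_texts):
    """Merge third-party lists into one sorted, de-duplicated hosts file.

    pinned_text: the user's own trusted entries (kept with their addresses).
    blocklist_texts: {source_name: text}; only hostnames are taken from these.
    Returns (hosts_text, report).
    """
    pinned = {}
    for line in pinned_text.splitlines():
        ip, names = parse_line(line)
        if ip is not None:
            for name in names:
                pinned.setdefault(name, ip)

    blocked = set()
    report = {"redirects": [], "invalid": [], "pinned_conflicts": [],
              "duplicates": 0}
    for source, text in blocklist_texts.items():
        for line in text.splitlines():
            ip, names = parse_line(line)
            for name in names:
                if name in NEVER_BLOCK:
                    continue
                if not valid_hostname(name):
                    report["invalid"].append((source, name))
                elif ip is not None and ip not in SINK_ADDRS:
                    # A list entry with a real address is a redirect, not a block.
                    report["redirects"].append((source, name, ip))
                elif name in pinned:
                    # Never let a downloaded list override a hand-checked entry.
                    report["pinned_conflicts"].append((source, name))
                elif name in blocked:
                    report["duplicates"] += 1
                else:
                    blocked.add(name)

    lines = [f"{ip} {name}" for name, ip in sorted(pinned.items())]
    lines += [f"{SINK} {name}" for name in sorted(blocked)]
    return "\n".join(lines) + "\n", report


# Constructed sample inputs (documentation addresses and example domains only).
PINNED = """
127.0.0.1 localhost
192.0.2.10 forum.example.org   # favorite site, address checked by hand
"""
LIST_A = """
# hosts-format list
127.0.0.1 localhost
127.0.0.1 ads.example.com
0.0.0.0 Tracker.Example.NET. banner.example.com   # two names on one line
127.0.0.1 ads.example.com
"""
LIST_B = """
# bare-domain list with some bad lines
ADS.example.com
malware-drop.example.net
203.0.113.66 bank.example.com
0.0.0.0 forum.example.org
bad_host!.example.com
"""

if __name__ == "__main__":
    hosts, report = merge_hosts(PINNED, {"list_a": LIST_A, "list_b": LIST_B})
    print(hosts)
    for key, value in report.items():
        print(key, value)
```

Review the `redirects` and `pinned_conflicts` entries by hand before trusting a source again; a list that tries to map a banking or login hostname to an address is a reason to stop using it.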
#70
Posted 08 April 2010 - 11:09
In addition to the results others have seen above in success using a HOSTS file for both added speed & security? I am posting the revised version of the "how/when/where/why" of WHY to use a HOSTS file for better speed AND SECURITY ONLINE today (especially nowadays, lol) since I cannot edit the original post point #5 here anymore. Here goes:
(Reason for this, is Per Kings Joker's quoted testimonial above - which upon my corresponding with he, I found out he runs Windows 2000, no service packs or hotfixes either, no less, & he has done THAT WELL per his quoted testimony to that effect, above)
He uses a SLIGHTLY edited/altered version of my PERSONAL custom HOSTS file (he is my "Lab Rat #1" in fact), & he was out to test just how effective HOSTS files are, vs. malware infestations mainly since he told me he loves the extra speed they gave he (especially when he tried hardcoding his favs. into his version of my personal HOSTS file too above just adbanner blocking), but he values the security more. To test it? He ran an OLDER version of Windows, in 2000, minus service packs/hotfixes, AND with no AntiVirus or AntiSpyware resident running either... (that was for 6++ months now in fact, & he only loaded an antivirus + antispyware recently to see how well this worked for he & apparently per his quote above?? It certainly has!))
I.E.-> He has gone from 200++ infestations a month to almost NONE @ all, just by using a HOSTS file that's current (mine, edited by he though) & being a BIT MORE "judicious" in his use of javascript?
So, again - Since I cannot edit the original post point #5 in this thread on HOSTS files, I am doing its revised & enhanced version here now:
CUSTOM HOSTS FILE USAGE (for speed, AND SECURITY)
5.) The use of a CUSTOM ADBANNER BLOCKING HOSTS FILE (my personal one houses, as of this date, 823,891 known adbanner servers, OR sites known to bear malicious code & exploits)
Custom HOSTS files work in combination with Opera adbanner blocks & the usage of .PAC filtering files + cascading style sheets for this purpose.
(As well as speeding up access to sites I often access - doing this, acting as my own "DNS Server" more or less, is orders of magnitude faster than calling out to my ISP/BSP DNS servers, waiting out a roundtrip return URL-> IP Address resolution. It may take some maintenance for this @ times, especially if sites change HOSTING PROVIDERS, but this is a rarity & most sites TELL YOU when they do this as well, so you can make fast edits, as needed (and, on Windows NT-based OS since 2000/XP/Server 2003 & VISTA? A reboot is NOT required upon edits & commits of changes in the new largely near fully PnP IP stacks!))
For a copy of mine, write me, here -> apk4776239@hotmail.com
And, I will send it to you in .zip or .rar format (with sped up sites # UNIX comment symbol disabled, enable the ones you use AFTER you 'ping' them first from my list, & add ones YOU PERSONALLY USE to it as needed after determining their IP address via a PING of them)
----
An example of WHY you'd want to use one of these for security's sake? Read here:
Why block out adbanners, for security then (not just for added speed)? Well, because they have been found as bearing malware in them, per these articles:
HACKERS USE ADBANNERS ON MAJOR SITES TO HIJACK YOUR SYSTEM -> http://www.wired.com.../11/doubleclick
THE NEXT AD YOU CLICK MAY BE A VIRUS -> http://it.slashdot.o...-May-Be-a-Virus
NY TIMES INFECTED WITH MALWARE ADBANNER -> http://news.slashdot...9/09/13/2346229
MICROSOFT HIT BY MALWARES IN ADBANNERS -> http://apcmag.com/mi...ing_malware.htm
Additionally, there IS the FACT that downloading adbanner content takes up bandwidth you pay for, and CPU time (& thus, electricity) + RAM in processing adbanner code (for animations & the like) within your webbrowser programs also... HOSTS files stop all of these happening, per this list of adbanner "downsides"...
ADBANNERS SLOW DOWN THE WEB -> http://tech.slashdot...09/11/30/166218
ADDITIONALLY, WATCH IT USING JAVASCRIPT "EVERYWHERE/INDISCRIMINATELY", per this article:
http://news.cnet.com...99891&subj=news
(OPERA offers native 'site-by-site' preferences for this & other things like cookies, FireFox has NoScript & Adblock addons)
----
ADDITIONALLY, because on Windows Server 2003 (however, no others I have seen @ least so far), sometimes, the HOSTS file precedence vs. say, local DNS servers on a LAN, gets overridden by them? You MAY have to implement this:
How to change name resolution order on Windows 95 and Windows NT -> http://support.microsoft.com/kb/139270/EN-US
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
"LocalPriority"=dword:00000005
"HostsPriority"=dword:00000006
"DnsPriority"=dword:00000007
"NetbtPriority"=dword:00000008
(LOWER NUMBERS HERE = GREATER PRIORITY)
As you can see, I give my LOCAL DNS Cache the greatest priority (because it has my HOSTS file loaded into it @ system startup (IP stack startup, actually)), & THEN, my custom adbanner blocking/speedup fav sites (which this post is showing folks how to do, & yes, it works) is next, & then my ISP/BSP's DNS servers, & lastly NetBios/WINS stuff (which I just plain do NOT use, because I have no LanManager style network running here, ONLY Tcp/IP)
----
IMPORTANT NOTE: IF your system seems to "lag" while the HOSTS file is in use (this typically does not occur with 1mb or less sized HOSTS files in my experience), especially IF it is a relatively LARGER SIZED one (in the case I saw where this happened, it was a 12mb sized one I use, & it was applied on a Windows XP Home Edition system w/ 256mb of RAM on an AMD Athlon64 3200mhz system), YOU MAY HAVE TO DISABLE YOUR DNS Client Service!
* This is achieved via going to the START button, RUN command, type in SERVICES.MSC & once it comes to the screen, find the DNS Client Service in the list of services & right-click on it (or, doubleclick) & use the PROPERTIES screen, & use the STOP button (to stop the service) & then set its startup type to DISABLED, & this 'lagging' goes away (reboot is recommended, especially on Windows 2000 systems, for the HOSTS file to reload... otherwise, changes may take up to 5 minutes to take, so reboots make that quicker & assured on ANY Ms Windows-NT based OS (2000/XP/Server 2003 & VISTA).
----
DIRECTIONS FOR USE (also in my downloadable CUSTOM HOSTS file above, with MORE on how to really use them to get even more speed than blocking adbanners mind you is in its internal documentation):
You replace your:
%windir%\system32\drivers\etc
Original version of HOSTS with this one (overwrite it, but, first copy your original OR rename it to keep it around IF ever needed), & have @ it (HBO internet, no commercials + thus MORE SPEED (and, you WILL notice it) by not calling out to ad servers, loading their data, & running it... & certainly NO possibility of being infected by adbanners that bear RBN (Russian Business Network) malware javascripted/FLASH bearing adbanners that infect you as has been seen lately/very currently in fact - between this, and stalling out Java/JavaScript + ActiveX/ActiveScripting globally in your browsers as noted in the last step & why? You are "proof" against MOST attacks today (& consider disabling IFrames too, an oft used attack today as well!)).
Now, like I do? It IS possible to alter the default location of the HOSTS file, & to take away I/O from your main disk to load it by using another one... like a 2nd HDD you may have IF you have one for example!
(E.G.-> I move mine to my CENATEK RocketDrive SSD (solid state RamDisk), for F A S T access since seek times on it are 1000's of times faster than on std. mechanical disks, & doesn't matter WHAT kind - & here I also place my pagefile.sys on its own partition (first) & then webpage caches, %temp% environmental variable ops, logging (even eventlogs, which like HOSTS file, can be moved in the registry to another disk, & applications often have the ability to move their logs in their configuration screens as well)) via this registry key, should you elect to do the same:
In regedit.exe's right-hand-side pane, follow this path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
& in the left-hand-side pane of regedit.exe, you change the DataBasePath path value there to the disk & folder you wish to place your HOSTS file in (which makes for faster OS & IP stack initialization since it is on another drive, in my case an SSD so it is THAT MUCH QUICKER since seeks on them are so fast, to load the HOSTS data into your RAM (local DNS cache)).
----
ADVANTAGES OF HOSTS FILES OVER BROWSER ADDONS ALONE, & EVEN DNS SERVERS:
1.) HOSTS files eat A LOT LESS CPU cycles than browser addons do no less (since browser addons have to parse each HTML page & tag content in them)!
2.) HOSTS files are also NOT severely LIMITED TO 1 BROWSER FAMILY ONLY... browser addons, are. HOSTS files cover & protect (for security) and speed up (all apps that are webbound) any app you have that goes to the internet (specifically the web).
3.) HOSTS files allow you to bypass DNS Server requests logs (via hardcoding your favorite sites into them to avoid not only the TIME taken roundtrip to an external DNS server, but also for avoiding those logs OR a DNS server that has been compromised (see Dan Kaminsky online, on that note)).
4.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than DNS servers can by FAR (by saving the roundtrip inquiry time to a DNS server & back to you).
5.) HOSTS files also allow you to not worry about a DNS server being compromised, or downed (if either occurs, you STILL get to sites you hardcode in a HOSTS file anyhow in EITHER case).
6.) HOSTS files are EASILY user controlled, obtained (for reliable ones -> http://en.wikipedia.org/wiki/Hosts_file [wikipedia.org] ) & edited too, via texteditors like Windows notepad.exe or Linux nano (etc.)
7.) HOSTS files aren't as vulnerable to "bugs" either like programs/libs/extensions of that nature are, OR even DNS servers, as they are NOT code, & because of what's next too
8.) HOSTS files are also EASILY secured well, via write-protection "read-only" attributes set on them, or more radically, via ACL's even.
9.) HOSTS files are a solution which also globally extends to EVERY WEBBOUND APP YOU HAVE - NOT just a single webbrowser type (e.g. FireFox/Mozilla & its addons exemplify this, such as ADBLOCK)
10.) AND, LASTLY? SINCE MALWARE GENERALLY HAS TO OPERATE ON WHAT YOU YOURSELF CAN DO (running as limited class/least privilege user, hopefully, OR even as ADMIN/ROOT/SUPERUSER)? HOSTS "LOCK IN" malware too, vs. communicating "back to mama" for orders (provided they have name servers + C&C botnet servers listed in them, blocked off in your HOSTS that is) - you might think they use a hardcoded IP, which IS possible, but generally they do not & RECYCLE domain/host names they own, & this? This stops that cold, too! Bonus...

(It's a GOOD idea to layer in the usage of BOTH browser addons for security like adblock, &/or NoScript (especially this one, as it covers what HOSTS files can't in javascript which is the main deliverer of MOST attacks online & SECUNIA.COM can verify this for anyone really by looking @ the past few years of attacks nowadays), for the concept of "layered security")
APK
P.S.=> To keep "ontop of the latest known malicious sites" online? See these sites (1 I mentioned here already, this is the rest of the list I use, & others too):
START OF WEBSITES & SOURCES + TOOLS I USED TO POPULATE THIS LIST + MY ORIGINAL LIST OF BLOCKED ADBANNERS SERVERS
http://ddanchev.blogspot.com/
http://www.malwareur...isting-urls.php
https://zeustracker....p?filter=online
http://www.malware.com.br/lists.shtml
http://securitylabs....ent/alerts.aspx
http://www.stopbadware.org
http://blog.fireeye.com/
http://mtc.sri.com/
http://www.scansafe....r/threat_alerts
http://news.netcraft.com
http://www.shadowserver.org/
http://en.wikipedia....wiki/Hosts_file
http://www.mvps.org/
http://someonewhocares.org/
http://hostsfile.mine.nu/hosts0
http://hosts-file.net/?s=Download
http://www.stopbadware.org/home
Between they, & SpyBot "Search & Destroy"? You have most of, if not ALL of what a "body needs" for these purposes. if you know of others? Please list them, & thanks! apk
(Reason for this, is Per Kings Joker's quoted testimonial above - which upon my corresponding with he, I found out he runs Windows 2000, no service packs or hotfixes either, no less, & he has done THAT WELL per his quoted testimony to that effect, above)
He uses a SLIGHTLY edited/altered version of my PERSONAL custom HOSTS file (he is my "Lab Rat #1" in fact), & he was out to test just how effective HOSTS files are, vs. malware infestations mainly since he told me he loves the extra speed they gave he (especially when he tried hardcoding his favs. into his version of my personal HOSTS file too above just adbanner blocking), but he values the security more. To test it? He ran an OLDER version of Windows, in 2000, minus service packs/hotfixes, AND with no AntiVirus or AntiSpyware resident running either... (that was for 6++ months now in fact, & he only loaded an antivirus + antispyware recently to see how well this worked for he & apparently per his quote above?? It certainly has!))
I.E.-> He has gone from 200++ infestations a month to almost NONE @ all, just by using a HOSTS file that's current (mine, edited by he though) & being a BIT MORE "judicious" in his use of javascript?
So, again - Since I cannot edit the original post point #5 in this thread on HOSTS files, I am doing its revised & enhanced version here now:
CUSTOM HOSTS FILE USAGE (for speed, AND SECURITY)
5.) The use of a CUSTOM ADBANNER BLOCKING HOSTS FILE (my personal one houses, as of this date, 823,891 known adbanner servers, OR sites known to bear malicious code & exploits)
Custom HOSTS files work in combination with Opera adbanner blocks & the usage of .PAC filtering files + cascading style sheets for this purpose.
(As well as speeding up access to sites I often access - doing this, acting as my own "DNS Server" more or less, is orders of magnitude faster than calling out to my ISP/BSP DNS servers, waiting out a roundtrip return URL-> IP Address resolution. It may take some maintenance for this @ times, especially if sites change HOSTING PROVIDERS, but this is a rarity & most sites TELL YOU when they do this as well, so you can make fast edits, as needed (and, on Windows NT-based OS since 2000/XP/Server 2003 & VISTA? A reboot is NOT required upon edits & commits of changes in the new largely near fully PnP IP stacks!))
For a copy of mine, write me, here -> apk4776239@hotmail.com
And, I will send it to you in .zip or .rar format (with sped up sites # UNIX comment symbol disabled, enable the ones you use AFTER you 'ping' them first from my list, & add ones YOU PERSONALLY USE to it as needed after determining their IP address via a PING of them)
----
An example of WHY you'd want to use one of these for security's sake? Read here:
Why block out adbanners, for security then (not just for added speed)? Well, because they have been found as bearing malware in them, per these articles:
HACKERS USE ADBANNERS ON MAJOR SITES TO HIJACK YOUR SYSTEM -> http://www.wired.com.../11/doubleclick
THE NEXT AD YOU CLICK MAY BE A VIRUS -> http://it.slashdot.o...-May-Be-a-Virus
NY TIMES INFECTED WITH MALWARE ADBANNER -> http://news.slashdot...9/09/13/2346229
MICROSOFT HIT BY MALWARES IN ADBANNERS -> http://apcmag.com/mi...ing_malware.htm
Additionally, there IS the FACT that downloading adbanner content takes up bandwidth you pay for, and CPU time (& thus, electricity) + RAM in processing adbanner code (for animations & the like) within your webbrowser programs also... HOSTS files stop all of these happening, per this list of adbanner "downsides"...
ADBANNERS SLOW DOWN THE WEB -> http://tech.slashdot...09/11/30/166218
ADDITIONALLY, WATCH IT USING JAVASCRIPT "EVERYWHERE/INDISCRIMINATELY", per this article:
http://news.cnet.com...99891&subj=news
(OPERA offers native 'site-by-site' preferences for this & other things like cookies, FireFox has NoScript & Adblock addons)
----
ADDITIONALLY, because on Windows Server 2003 (however, no others I have seen @ least so far), sometimes, the HOSTS file precedence vs. say, local DNS servers on a LAN, gets overridden by them? You MAY have to implement this:
How to change name resolution order on Windows 95 and Windows NT -> http://support.microsoft.com/kb/139270/EN-US
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
"LocalPriority"=dword:00000005
"HostsPriority"=dword:00000006
"DnsPriority"=dword:00000007
"NetbtPriority"=dword:00000008
(LOWER NUMBERS HERE = GREATER PRIORITY)
As you can see, I give my LOCAL DNS Cache the greatest priority (because it has my HOSTS file loaded into it @ system startup (IP stack startup, actually)), & THEN, my custom adbanner blocking/speedup fav sites (which this post is showing folks how to do, & yes, it works) is next, & then my ISP/BSP's DNS servers, & lastly NetBios/WINS stuff (which I just plain do NOT use, because I have no LanManager style network running here, ONLY Tcp/IP)
----
IMPORTANT NOTE: IF your system seems to "lag" while the HOSTS file is in use (this typically does not occur with 1mb or less sized HOSTS files in my experience), especially IF it is a relatively LARGER SIZED one (in the case I saw where this happened, it was a 12mb sized one I use, & it was applied on a Windows XP Home Edition system w/ 256mb of RAM on an AMD Athlon64 3200mhz system), YOU MAY HAVE TO DISABLE YOUR DNS Client Service!
* This is achieved via going to the START button, RUN command, type in SERVICES.MSC & once it comes to the screen, find the DNS Client Service in the list of services & right-click on it (or, doubleclick) & use the PROPERTIES screen, & use the STOP button (to stop the service) & then set its startup type to DISABLED, & this 'lagging' goes away (reboot is recommended, especially on Windows 2000 systems, for the HOSTS file to reload... otherwise, changes may take up to 5 minutes to take, so reboots make that quicker & assured on ANY Ms Windows-NT based OS (2000/XP/Server 2003 & VISTA)).
----
DIRECTIONS FOR USE (also in my downloadable CUSTOM HOSTS file above, with MORE on how to really use them to get even more speed than blocking adbanners mind you is in its internal documentation):
You replace your:
%windir%\system32\drivers\etc
Original version of HOSTS with this one (overwrite it, but, first copy your original OR rename it to keep it around IF ever needed), & have @ it (HBO internet, no commercials + thus MORE SPEED (and, you WILL notice it) by not calling out to ad servers, loading their data, & running it... & certainly NO possibility of being infected by adbanners that bear RBN (Russian Business Network) malware javascripted/FLASH bearing adbanners that infect you as has been seen lately/very currently in fact - between this, and stalling out Java/JavaScript + ActiveX/ActiveScripting globally in your browsers as noted in the last step & why? You are "proof" against MOST attacks today (& consider disabling IFrames too, an oft used attack today as well!)).
Now, like I do? It IS possible to alter the default location of the HOSTS file, & to take away I/O from your main disk to load it by using another one... like a 2nd HDD you may have IF you have one for example!
(E.G.-> I move mine to my CENATEK RocketDrive SSD (solid state RamDisk), for F A S T access since seek times on it are 1000's of times faster than on std. mechanical disks, & doesn't matter WHAT kind - & here I also place my pagefile.sys on its own partition (first) & then webpage caches, %temp% environmental variable ops, logging (even eventlogs, which like HOSTS file, can be moved in the registry to another disk, & applications often have the ability to move their logs in their configuration screens as well)) via this registry key, should you elect to do the same:
In regedit.exe's right-hand-side pane, follow this path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
& in the left-hand-side pane of regedit.exe, you change the DataBasePath path value there to the disk & folder you wish to place your HOSTS file in (which makes for faster OS & IP stack initialization since it is on another drive, in my case an SSD so it is THAT MUCH QUICKER since seeks on them are so fast, to load the HOSTS data into your RAM (local DNS cache)).
This post has been edited by APK: 08 April 2010 - 11:17
"I'm REESE: Sgt. TechComVN38416, assigned to protect you - YOU'VE BEEN TARGETTED, FOR TERMINATION!"

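As an added illustration that is not part of APK's post: a small Python audit of a HOSTS file, tied to the points above about blocked names, hardcoded favourites and read-only protection. The sample entries, the function names and the choice to keep the first mapping seen for a name and report later ones are assumptions of this sketch.

```python
import ipaddress
import os
import stat

# Constructed sample HOSTS content for this example (not from the post).
SAMPLE_HOSTS = """\
127.0.0.1     localhost
0.0.0.0       ads.example.com tracker.example.net   # block entries
0.0.0.0       ads.example.com                       # repeated block entry
203.0.113.10  forum.example.org                     # hardcoded favourite
198.51.100.7  ads.example.com                       # remaps a blocked name
not-an-ip     broken.example
"""

SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}  # addresses used to null-route a name

def audit_hosts(text):
    """Classify HOSTS entries and flag the ones a reviewer should look at."""
    report = {"blocked": set(), "pinned": {}, "duplicates": set(),
              "conflicts": set(), "malformed": []}
    seen = {}  # hostname -> first address mapped to it (assumption: first entry kept)
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comment, split on whitespace
        if not fields:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            addr = None
        if addr is None or len(fields) < 2:
            report["malformed"].append(lineno)
            continue
        for name in (f.lower() for f in fields[1:]):
            if name in seen:
                # Same name again: a harmless repeat, or a different address to review.
                key = "duplicates" if seen[name] == addr else "conflicts"
                report[key].add(name)
                continue
            seen[name] = addr
            if name == "localhost":
                continue
            if addr in SINK_ADDRS:
                report["blocked"].add(name)
            else:
                report["pinned"][name] = addr  # favourite that can go stale
    return report

def is_write_protected(path):
    """True when no write bit is set (the read-only attribute on Windows)."""
    return not os.stat(path).st_mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)
```

The "conflicts" set is the one to review first: a name that is null-routed on one line and mapped to a routable address on another means the file was edited inconsistently or tampered with.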