Sunday, April 27, 2008

A Voluble GSD Linkfest!

Ooooh! Guess who found a fun Word of the Day source?

Post XP SP3 Install Details - Not The Usual Hype

If all goes well, on Tuesday I will be able to manually download XP SP3 from the Microsoft Download Center.  I suppose I could also kick off a manual Windows Update session as well and go looking for it, but my thinking is that I can grab it from the Download Center, then copy to USB for quicker deployment of other systems.  While there was a bit of a stampede for Vista SP1, I expect a major server crush for XP SP3, especially considering how many folks have XP installed (corporately and at home).

Here are some more off-the-beaten-path articles concerning what's coming with XP SP3 that sysadmins might find interesting to consider:

Windows XP SP3, What You Can Expect - Bits from Bill - Bill Pytlovany used features in his own WinPatrol product to look for any system changes detected during installation.

Included were some "RunOnce" startup files to clean up registry entries used during the update process, a toolbar extension, and four Vista services ported over to XP.  Bill's blog post goes into details on the items and actions discovered.

Windows XP SP3: Pretty damn good actually. Windows Live Installer: Sucks like a vacuum - Someone Else Blog - Robert Moir, someone I consider to be a pretty balanced blogger on Microsoft and Windows, reports a positive post-XP SP3 installation process. He did include it as part of a fresh system installation of his desktop.  Unfortunately, Robert has some choice words to use in assessing his experience with the Windows "Live" component installer. While I haven't had any problems with it, I find it a quirky method for Microsoft to use as the mechanism to install some very good applications.  Come on, Redmond, drop this "suite installer" mentality and just provide some individual downloadable components.  Tastes a bit bitter to some of us.

IE Blog Posts of Note

Yep. Development of IE8 soldiers on. Forecast calls for tweaks, enhancements and improvements, but likely no sexy changes to the browser used by the masses.

IEBlog : What Happened to Operation Aborted? - Changes in IE 8 will work to cut down a particular error message encountered while loading pages that run some problematic scripting code. The new change allows the error to be logged for review (by hard-core developers or page code explorers) while usual users will just be able to view the main page they had navigated to, blissfully unaware of the hiccup.

IEBlog : Give Your Eyes a Treat - Nice reminder (and How To) of changing the default font for the Command line.  IEBlog recommends using their own font Consolas, and I must say it is worlds better than the default raster font used, Lucida Console. Once you get Consolas on your system, just make a registry key change and either reboot or log-off/log-on, then change to Consolas in your Command Prompt properties Font list.

I myself personally choose to use the freeware command line utility program Console hosted over on SourceForge.  A new version 2.00 Beta build 139 was released last month.  What I really like about Console is that it supports use of multiple tabbed sessions, text-editor like selection of text, window backgrounds, transparency options, quick font-change support, and different window style configurations. Note: for some reason, it seems to be blocked from executing by Sunbelt Software's Personal Firewall program (formerly known as Kerio). I never took the time to troubleshoot the issue but suspect it might have something to do with the HIPS component of that firewall program.

I use Console almost exclusively now as my command-line window of choice, coupled with the font Inconsolata.  Some folks report having some issue with discerning a difference between the letter "o" and the number "0" in Inconsolata.  One clever user fixed it in the font utility FontForge.  I tend to agree with that assessment and when time allows will give that technique a shot as well.  Looks like a wicked-cool application but requires a bit of work to compile on a Windows system...

Speaking of IE...

Download Squad had a cross-link to a useful reference post by The How-To Geek: Troubleshooting Internet Explorer on Vista Locking Up or Running Slowly

That post reminds us that IE 7 has a "safe-mode" feature which launches IE without the add-ons running. It also shows how to disable particular add-ons (something I had to do in my initial foray with AVG Free version 8).  You can reset the IE settings to default, and a few more "light" tips are tossed in as well at the end.

From the Toy Box...

WinPatrol 2008 has been released! - A wonderful tool to assist with locking down a system from malicious activity.  Well regarded and highly recommended.  I personally don't run WinPatrol, having other tools that I rely on for my daily use, but for someone starting out or dealing with problematic PC usage in a shared environment (i.e., the kids keep messing around on the Web and borking the PC with malware...) it is definitely a well-recommended choice by many, including me.  BillP Studios: WinPatrol - (free/$ versions).

Windows Incident Response: RegRipper Video Posted - I continue to "experiment" with use of Harlan's RegRipper tool to parse out useful information from registry files. This post links to a great video showing not only how RegRipper is used, but how it can be used "remotely" to capture information out of a registry once teamed up with the F-Response tool.  Cool indeed!

windowless virtual toys - (freeware) - Using a single executable, add one or hundreds of curious little "creatures" to your desktop for fun and amusement.  These are quite fun, and may be the digital equivalent to the Pet Rock.  Must have for any bored sysadmin.  Spotted and reviewed over at freewaregenius.com.

RegToy - (freeware) - A few posts ago I pondered this new registry tweaking tool.  Did we really need another one? Maybe.  Lifehacker has provided a great collection of screen-shots from the utility to help you decide: Featured Windows Download: RegToy Tweaks Your PC Every Which Way.  I added it to my pile of Windows XP/Vista tweaking tools kept at USB ready.

Take Ownership of Files in Vista - (tip post) - Cybernet News reminds us how to, well, take ownership of a file by using one of those tweaking tools to add this option to the right-click menu in Vista.

Free Color Pickers - (software list post) - Cybernet News provides a nice list of "color-pickers" to aid in figuring out just what color (code) is in use in a web-page, image, etc. I use ColorZilla in Firefox, but grabbed these others just to play with: ColorPic, Color Cop, and ColorMania.  The post also has some links to on-line color tools.  A commenter also suggested a great freeware tool from Veign called Pixeur.  Veign has quite a nice collection of resources worth checking out while you are visiting.

Foxit PDF reader - (freeware) - This little guy has got to be my all time favorite of PDF replacements for Adobe Reader.  The latest version adds a number of clever features, including "tabs".  Always on top of things, Cybernet News posts a nice roundup of all the new features, which I must say, are extensive!

10 great free downloads for your network - (list via ComputerWorld) - Nicely composed selection of networking tools that you might want to be familiar with. At the very least a few are actually useful for the average Joe.  What makes this list fun is that it seeks to identify lesser-known free network utilities including RogueScanner, NetBrute Scanner, Network Notepad, and Advanced Net Tools (ANT).

The Best, Free Alternatives to Nero CD/DVD Burner - (list via makeuseof.com) - Another great collection listing seven choice solutions for free CD and DVD burning.

This Week in Firefox Tips (Tinfoil Hats optional but stylish)

Make Firefox 3 Use Windows Vista Glass Like Internet Explorer Does :: the How-To Geek - Sure, Firefox rocks and is even being optimized for Vista visual integration with new icons. However, they haven't added Vista's "Glass" effect just yet.  This post by the How-To Geek shows how to do just that.  I haven't done this yet on my Vista machine, but it is coming...maybe next weekend?

Make Firefox more responsive when loading pages - Browser Tip - Download Squad - Pssst. Want to try a tip to allow you to access the page content a bit faster as it loads up without having to wait? Apparently it comes down to a coding option that (by default) instructs Firefox to ignore user input in the browser in favor of concentrating processor priority on page rendering first.  The fix is easy; just go into about:config and change the (should be present) content.switch.threshold key value from the default 750000 to 1000000.  Done!  If you don't like the results, just change it back. If it isn't present for some reason, right-click and add it in as a new "Integer" item.  Comments on both sites linked, while light, have been positive.  My experiences have been as well.

Knock, Knock, It's the FBI - (PC World Business Week post) - Hmmm. When I first saw this post I thought it was more tinfoil-hat in nature.  But after I had re-read it a couple of times from a system administrator's (and parental unit) perspective, there might just be something here to consider.  Grandpa was a commended FBI agent and I have only the highest regard for the field agents of the FBI. Heck, I even applied for a job with them way back when Grandpa was still around and I was a bit younger.  I am, however, less supportive of some recent policy decisions, however well intended, that are being made of late over there.

Anyway, I digress.

What is disconcerting is that by accessing a single web page, by purpose or accident, a world of hurt could come knocking down your door; at work or at home.  If this (or other examples) actually becomes the norm, it may have a chilling impact and strong repercussions across the Internet, and the way we interact with it at home, work and across America.  I'm now deeply ambivalent about this. Sure, those who haven't done anything wrong don't need to worry.  Or do they?

See, that article by Network World writer Mark Gibbs does make two important points that most readers of the article are sure to have missed as they are down near the end past all the "sexy" FBI raid details:

Now, this is interesting for a number of reasons that should worry all of us in the IT industry. First, there's the issue of intent. It turns out that by simply accessing one of these links you are de facto, presumed guilty by your IP address being the proximate cause.

The fact that the action might not have been done by you personally is, apparently, not an issue. This makes running an open Wi-Fi access point completely inadvisable. And when your friends come over and ask to check their e-mail, the answer has got to be "no." And you'd better have in-depth Internet filtering for your kids.

The second issue concerns browser add-ons that attempt to pre-cache the content of links on a page. These add-ons are to improve perceived performance, but imagine that you run a Web search and wind up on a page that links to one of these FBI honeypots: Your browser will access the link and, unless you are masking what you do through something like the Tor network, the Feds will get your IP address. Before you know what's going on, there will be a knock on your door, you'll be hurled to the ground, cuffed, Mirandized, and all of your computer gear, financial records and leftover Chinese food will be en route to the local FBI office.

But what if an employee's browser pre-caches the contents of one of these FBI links, or the employee actually clicks on it? Can you imagine the chaos and insanity that would result from the FBI paying your company a visit? Work would grind to a halt, PCs and other gear would be impounded, records taken and your business would be dead in the water.

What caught my attention was the bit about "browser add-ons that pre-cache the content of links on a page."  Mark didn't call names, but I know at least one browser he is talking about and at least one popular Firefox Add-on that can do that.  Yep, Firefox is the browser and Fasterfox is the Add-on.

As Mark points out, we aren't talking about law-breakers who purposely troll for illegal content off the Web.  We are considering the poor sap who puts in an unfortunate choice of terms in Google Search and pulls up clearly illicit material.  If he/she is using Firefox, Google and Firefox will team up (by default) to do a pre-load of the top search result into the Mozilla browser cache.

While generally handy, this indeed may trigger a "hit" by the FBI honeypot trap. Who knows for sure?

This has been known by some for some time, at least back in March 2005 as this ZDNet article details: Google enhances search for Firefox users - ZDNet.co.uk

Want oodles of details?

It's not limited to just Google, however. Just about any website coder who is familiar with link prefetching can code it to occur to their desire and whim.

As the article and these details indicate, you may indeed end up with cookies and content in your browser cache and on your drive that you didn't even actually click-through to.

And yes, as both the article and the MDC FAQ point out, a good and knowledgeable PC forensic expert should (or at least might) be able to distinguish them from "real" click-throughs based on a special header.  Of course, there's no guarantee that's what you will end up with in the courts....
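As an added example (not from the original post or any of the linked articles), here is a small Python log classifier that separates Firefox prefetch hits from real click-throughs using the `X-moz: prefetch` request header that Mozilla's link-prefetching documentation says accompanies prefetch requests. It assumes a constructed Apache-style access log in which the X-moz header has been added as a trailing quoted field; the addresses, hostnames and paths in the sample are made up.

```python
"""Classify web server hits as browser link-prefetches vs. real click-throughs.

Assumed log format (Apache LogFormat with one extra field appended; this is
the example's assumption, not a default Apache setting):
  %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "%{X-moz}i"
Apache writes "-" for a header the browser did not send. If the field is
missing altogether, the log was never configured to record it and the hit
cannot be distinguished, which is the caveat a reviewer needs to know.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Combined log format plus an optional trailing quoted X-moz field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<xmoz>[^"]*)")?$'
)

# Constructed sample: one Firefox session that searched, had the first result
# prefetched, then clicked a second result; plus one IE hit logged without
# the X-moz field at all.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Apr/2008:17:36:59 -0500] "GET /search?q=firefox HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14" "-"
203.0.113.10 - - [25/Apr/2008:17:37:00 -0500] "GET /page1.html HTTP/1.1" 200 2048 "http://example.test/search?q=firefox" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14" "prefetch"
203.0.113.10 - - [25/Apr/2008:17:37:05 -0500] "GET /page2.html HTTP/1.1" 200 2048 "http://example.test/search?q=firefox" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14" "-"
198.51.100.7 - - [25/Apr/2008:17:38:00 -0500] "GET /page1.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""


@dataclass
class Hit:
    ip: str
    timestamp: str
    path: str
    referer: str
    user_agent: str
    x_moz: Optional[str]  # None when the log format never recorded the header
    kind: str             # "prefetch", "click-through" or "unknown"


def classify_line(line: str) -> Optional[Hit]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    x_moz = m.group("xmoz")
    if x_moz is None:
        kind = "unknown"        # header not logged: cannot tell either way
    elif x_moz.lower() == "prefetch":
        kind = "prefetch"       # browser fetched it without a user click
    else:
        kind = "click-through"  # "-" or anything else: no prefetch marker sent
    return Hit(m.group("ip"), m.group("ts"), m.group("path"),
               m.group("referer"), m.group("ua"), x_moz, kind)


def classify_log(text: str) -> List[Hit]:
    hits = [classify_line(line) for line in text.splitlines() if line.strip()]
    return [h for h in hits if h is not None]


def summarize(hits: List[Hit]) -> dict:
    """Count hits per kind so a reviewer sees how many are undecidable."""
    counts = {"prefetch": 0, "click-through": 0, "unknown": 0}
    for h in hits:
        counts[h.kind] += 1
    return counts


def prefetched_paths(hits: List[Hit]) -> List[str]:
    """Paths that were only prefetched, i.e. never chosen by the user."""
    return [h.path for h in hits if h.kind == "prefetch"]


if __name__ == "__main__":
    parsed = classify_log(SAMPLE_LOG)
    for h in parsed:
        print(f"{h.timestamp:28} {h.ip:14} {h.kind:13} {h.path}")
    print(summarize(parsed))
    print("prefetched only:", prefetched_paths(parsed))
```

Run against the constructed sample, only /page1.html from the Firefox session is marked as a prefetch, while the IE hit is reported as unknown because that line carries no X-moz field.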

So if you are the tin-foil hat type, or just want to try to do some quick and basic prefetching avoidance, what are you to do if you use Firefox?

Easy: Turn off prefetching. (via MDC)

Easier way via Cybernet News post tip:

If you don’t want Firefox to do this then you’ll have to manually go and disable it:

  1. In the Firefox Address Bar type about:config and press Enter.
  2. Find the option that is named network.prefetch-next and double-click on it.
  3. Change the value to false.

You might actually see some speedup in your web-surfing if you are bandwidth-challenged.

Certainly an issue worth considering.

Cheers!

--Claus

SAC Thought #2: Threat Thinking

Continuing in the SAC concept I started in the last post, here is a Wired commentary post by security guru Bruce Schneier.

Commentary: Inside the Twisted Mind of the Security Professional - Wired

I'm relieved to find I am not alone and others share this same thinking behavior.

Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice. They just can't help it.

...

Really, we can't help it.

This kind of thinking is not natural for most people. It's not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don't have to exploit the vulnerabilities you find, but if you don't see the world that way, you'll never notice most security problems.

I've often speculated about how much of this is innate, and how much is teachable. In general, I think it's a particular way of looking at the world, and that it's far easier to teach someone domain expertise -- cryptography or software security or safecracking or document forgery -- than it is to teach someone a security mindset.

I also find myself thinking this way frequently as I assess responses, projects, and positions at home and work.

It's not a state of paranoia, but one of understanding and risk assessment.  Were I younger I might think it was something about self-preservation.  Were I older I might think it was simple curiosity, spun in an odd form.

However, in my current life-stage, I think it is a beautiful dance between the two.

I got into a "discussion" at work a few months ago on a certain project I am involved in with a higher-level project director.

We were reviewing the project elements for our group's assignment and (in my opinion) spending too much time asking the wrong questions and accepting the easy answers so we could move on with the activity.

I posed the point that we needed to spend more time considering failures and more clearly define the conditions they could occur under, as well as what our responses needed to be.  I was met with a light wave-off of these concerns with the justification that that just doesn't happen, so I don't need to worry about it.

Contingency planning and pre-exploration of alternative responses is a skill that I excel in and (in my opinion) makes me quite successful at what I currently do.

I dare think that not only can things go wrong, they can go horribly wrong, and I am willing to work my way back to recovery (and prevention) from that point.

It gets me strange looks when I bring up topics of whole-drive laptop encryption as the rule, rather than the exception.

Or how buyer's names can be found on the temporary tags issued to new-car owners.  Good starting point for identity theft or stalking.

Or anyone who calls up, unsolicited to the house, requesting we participate in a brief "survey" of our thoughts regarding some innocent subject. (No thank you.)  Or that I use either my cell phone or a hard-wired home phone if I am calling a company with whom we do business or placing an order for goods over the phone (in case anyone with a scanner is listening in). Or why I still haven't set up a wireless network at home (I'm sure I could do it securely, but I haven't the time and patience at this moment to do all the configuration needed to my satisfaction) when a wired network connection is just easier and faster for me to secure at the moment for our basic home-networking needs.

Maybe it is simpler yet grander than this, at the same time.

Maybe some folks are just wired to think out of the box, far outside of the social norms of box-thinking.  Some are able to use this for personal gain or great harm. Others are able to use it as a form of leadership to bring new tools and perspectives to the group to (slowly) chart a new course of action or direction.

It is an exciting and thrilling journey of thought, but often lonely.

--Claus

SAC Thought #1: One World

For most anime fans, drop the acronym S.A.C. and you will get an instant response: Stand Alone Complex from Ghost in the Shell.  IMHO, one of the watermarks of modern anime animation and storytelling.

Anyway, I'll deviate significantly from the purer philosophical definition of SAC linked above and here simply use it to refer to a singular topic or subject that captured my imagination or thoughts enough to warrant a post by itself; with minimal additional commentary by me.

For this first post, I submit for your consideration:

BLDGBLOG: Earth Evolves

I first saw this post at the end of March and still have been going back and re-reading it.

It has the alternative-history Sci-Fi genre lover in me piqued. Authors like Clive Cussler (where action and quasi-archeology hinge on a moment of historical chance), Harry Turtledove, and many others...

The concept posed in BLDGBLOG's post is very simple, most school children can recite it by the end of elementary school: The earth's plates float on a sea of molten material and geologic forces cause them to shift and move over millions of years. These changes lead to periods of earth's history when the continents have looked significantly different from today. In other words, continental drift.

The post shows some stunning images digitally mapped by Ron Blakey as he has attempted to capture earth's tectonic evolution.

In the past was Pangaea; in the future we may have Novopangaea, Amasia, or even (and this is the one that I find most beautiful) Pangaea Proximia (all as imagined 250 million years from now).

This is a concept that is amazing to me.

How different would geo-politics be if all of earth's inhabitants were forced to live together on a single super-continent?  Would we be as willing to wage war or consume resources we don't have (or are willing to use) if we were all joined together on a single, shared, continental raft?

Would the few remote islands dotting the planet from underground volcanic sources be islands of competition for nations seeking to flee the confines of the shared world? Or would they remain undiscovered, as, lacking satellites or other technology, most future-world Christopher Columbuses or Viking explorers would sail off over the horizon never to find land mass again?

Would we see the amazing level of current animal, vegetable, and mineral (not to mention cultural) diversity if the bulk of habitable land-mass was in the same shared longitude and latitudes?

I wonder....

--Claus

Saturday, April 26, 2008

Somebody's Lying to Me!

The other day I ran an Apple Software Update check to see if anything needed to be updated.  I manually run this from time to time as I always delete it from my Auto-Start lists so it isn't constantly running in the background on my systems. It said my Apple software was up-to-date.

Hurrah!

Then I ran the Secunia Software Inspector.

It said that I have Safari for Windows version 3.525.12.0 installed, but that a newer version (3.525.17.0) is available that fixes some insecurities with the version I need.  Thankfully it provided me a download link.

Curiously, the version I need to install is 3.1.1.


(Pssst. Apple? If you are reading this primarily Windows-centric blog, you need to take your versioning experts out back and beat them with an old Macintosh keyboard around the head to knock some sense into them.  How does any sane person decrypt the fact that I have Safari for Windows version 3.525.12.0 installed, need to upgrade to version 3.525.17.0 by downloading and installing version 3.1.1?)

Clearly, someone's lying to me here.....anybody want to do a Dr. Phil and consult with Mr. Polygraph expert for fun and entertainment?

Don't expect to see this angle on the Mac/Windows ads...

More Reading:

--Claus

In the Semi-Secret PC Tools Lab!

My interaction with PC Tools software products has been limited to endorsements and usage of their free ThreatFire product.

While I know and have heard positive remarks about their PC Tools AntiVirus Free Edition and Spyware Doctor products, I haven't used them. Instead I have just stuck with ThreatFire.

ThreatFire provides a heuristic-based level of anti-virus/anti-malware protection that isn't dependent on DAT file signatures for detection of threats. Instead, it monitors processes and their activity. If suspicious behavior is caught, it halts the activity and alerts the user to assess the threat and then either allow or block the action.   Kinda like having an intelligent internal software firewall.

There are many other programs (free and $) that provide a similar method of protection (AntiHook ($), DefenseWall HIPS ($), WinPatrol (free/$), ProcessGuard ($), and Prevx 2.0 ($) to name just a few).

A number of them are incorporated in other Anti-Virus (AVG Free 8's "Resident Shield" and Comodo Firewall Pro's "Defense+" come to mind).  However, I generally disable these when so "bundled" if possible and rely on a more compartmentalized approach.  My reasoning is based on a tiered security ring model.  If one security application program were to become compromised or shut down, other independent security programs might remain un-breached and able to detect the threat.  It's no guarantee, and puts a bit more strain on my system RAM and CPU cycles, but it has worked well for me to this point.

ThreatFire provides this type of protection to my systems, is very light on resources and not only provides real-time monitoring of threat activity, but also (as I learned this week poking around in it) actually can do manual and scheduled scans of the systems, including detecting rootkits!

But this post isn't about ThreatFire, it is about what I found exploring the public PC Tools laboratory.

Hello? Dr. Frankenstein?

My adventure started innocently enough.  I was doing some background research for my post Keeping an Eye on Malware where the PC Tools CEO was alleged to have made some smack comments towards fellow security product companies.

In doing so I was clicking around the PC Tools Software website looking for a press release that might have a company response to the ruckus.

While I didn't find what I was looking for, under the "Company" link, buried amongst the Career and Press Room links I found a little link simply called "Labs".

Hoping just to find a PC Tools blog site that might have some good security-news angles, I instead found a mother-lode of clever freeware security utilities, not quite ready (by PC Tool's standards I guess) for prime-time.

The PC Tools Labs Freeware Offerings

PC Tools describes these Lab Creations of theirs thusly:

PC Tools Labs showcases some of the projects that are currently being explored by our Research and Development teams.

At PC Tools we are constantly researching and creating new technologies and applications with the goal of providing our users the best anti-malware and system utilities in the industry. Some of these creations may only have specific uses or be too technical for every-day use, therefore would normally not be released to the public.

This page previews some of the projects and research that PC Tools is involved with. You can even download some of the tools that have been developed by us and are used internally by our research staff. Feel free to browse through our projects and participate in discussions or send in your suggestions via our Forum.

Before using any of these tools please read the instructions as some of these tools are very powerful and could potentially damage your system if not used correctly.

Downloading and using software from this Web Page is subject to the disclaimer below and the EULA for the software.

Clearly a warning to be heeded....so I immediately decided to play with them!

  • Browser Defender - This is a toolbar (ughh!) that displays ratings for sites as you surf the web. It pre-checks the URL links against their servers and returns a safety rating.  Nice and good in theory, I've already fussed about "security" toolbars as have others, and there are other link-scanners that I think are less intrusive.

  • Threat Expert - It's not so much a software application as a threat-analysis center.  It collects information from a variety of sources and after analysis, provides a report of the object behavior. The website doesn't immediately provide the "utility" to visitors, instead it shows a number of threat categories with items ranked accordingly. You must scroll down to the bottom of the page to find the true gems: the ability to submit samples from your desktop or scan your PC for threats. Also linked are the aforementioned ThreatFire page and the interesting ThreatExpert Blog covering automated threat analysis.  The sample submission tool is actually a mini-app called rightly enough, the ThreatExpert Submission Applet which is a standalone tool to upload files for review and report generation. There is also an online submission form available.

  • Alternate Operating System Scanner (AOSS) - this is a very clever and amazing piece of work!  The AOSS is a boot disk that allows a user to boot a Windows system in an alternative operating system environment. It then runs a scan of the file system off the drive so it can fully check the drive contents for virus signatures, malware, and other baddies without fear of masking techniques.  What is even more amazing is that it also supports the ability to access a USB drive where DAT files used by Spyware Doctor may be updated and stored. This ensures that the boot disk is able to use the most current DAT files available and not static or old files burned on the boot disk itself.  Very clever!  In my tests it worked quite well. It found one false-positive of a Quicken file, and at removal prompted for a license key.  Because I didn't want to remove the file, I was unable to test removal effectiveness or whether I really needed a key to remove the file, so my test wasn't fully completed.  While I am aware of other scanning programs that can be run off a boot disk, this is the only fully-integrated model like this that I am currently aware of.  At the very least, a researcher can note down the files encountered then use another PE or Linux based boot disk to capture and/or remove the file(s) previously identified from the system.

  • Startup Explorer - I was able to make a "portable" version of this for my USB stick. After launch, a scary warning appears. Once confirmed, you are able to use a surprisingly useful application to view startup programs, scheduled tasks, system services, loaded drivers, system ini files, print monitors, safe boot "minimal" parameters, safe boot "network" parameters, open command files, view known and shared DLL's, Explorer, Shell Execute hooks, and Shell Service Objects.  Items may be disabled, and some actually deleted. You can also view details of each object and jump to the item's properties and file location in Explorer. Finally, you can save the selection content view in a file for later inspection.  While I much prefer Microsoft Sysinternal's AutoRuns for Windows, Startup Explorer is certainly more "approachable" than this or other well-known startup monitoring utilities.  Certainly worth playing with at the very least.

  • Browser Explorer - I was also able to make a "portable" version of this for my USB stick. Supporting Internet Explorer, Firefox (pre 3.0), and Opera, this tool allows you to view browser program details, settings, cookies, favorites, history, plugins and "zone maps".  It also shows basic "common settings" for system/browser interactions.  Certainly not a heavy-duty utility for browser auditing and tweaking, it nevertheless provides an overview of common browsers and their settings.

  • Patch Scanner - Yep. I put it on a USB stick as well. Contains a single exe and dll pair. This micro-tool does a scan of your system to look for missing Windows updates.  Certainly no replacement for the real Windows Update website for patching a Windows system, nor the more comprehensive web-based security/patch scanner The Secunia Software Inspector or their simply unbelievable and free Personal (PSI) scanner, Patch Scanner quickly does what it promises: checking your system for missing software updates. When run on my system, it found no missing security patches, but nine "optional" software downloads available for my system. These matched those offered (and declined by me) from Windows Updates.  Nice backup tool for checking if your Windows Updater is damaged or corrupted.

  • ThreatExpert Memory Scanner - Now this one is simply cool! No other way to describe it.  The ThreatExpert Memory Scanner can be run as a "post-mortem diagnostics tool" to search for high-profile malware threats remaining in system memory.  In concept, an administrator would run this tool (I put it on a USB stick) on a system once it had been potentially cleaned of malware/virus activity to see if any additional threat behaviors are still found resident in the system memory.  Three tabs are present in this "micro-app"; Memory Scan (start/cancel), Submit Sample (to upload suspicious files to PC Tools for review and analysis), and Settings to choose to run a scan for hidden processes or a comprehensive Heap scan.  It runs really, really quick on my systems. Funny thing was that when I ran this tool on the system where I have ThreatFire installed, ThreatFire kicked off an alert! Sibling rivalry?  Once completed, you can view the results in a report format if you desire more than the default statistics view.  No, this tool doesn't remove anything found, but it will bring your attention to suspicious things for additional investigation work using your own l33t sysadmin skillz and other favorite tools. Definitely worth checking out and keeping handy!  In my opinion, the gem-quality find of the bunch.

  • Finally, there is Pocket Guardian. This tool is actually for Windows Mobile devices and works to "detect and block changes to sensitive settings and load points" on your device. From the description, it is HIPS-based and not DAT-based. Alas, I don't have any Windows Mobile devices on which to test it. Were I able to, I would.

PC Tools has some certainly remarkable toys in their semi-hidden lab for those who like to play with such things.

Hope they continue to offer, improve, and expand the lineup.

I myself always enjoyed lab-work.

--Claus

You want me to put it where?

The other day was almost like Christmas-come-early at work.

I had been reaching the 100 MB or less system RAM level on my primary laptop-based system for quite a while.  It shipped with just 1 GB of system RAM.

So I requested--and was approved for--a 2 GB system RAM purchase for my Dell D610 Latitude.

When it came in I was really excited.  You know you are dealing with a real geek when they get excited about a 2 GB RAM purchase.

Anyway, I set about at once swapping it out.

I powered off the system, removed the laptop battery, and ensured I was nicely grounded.

I opened up the bottom hatch where the memory is kept and found a single DIMM.

I popped it out and underneath there were no additional slots for memory chips.

Panic struck.

Did the Crucial Memory Advisor steer me wrong?  It clearly said I could upgrade this system to two 1 GB RAM DIMMs for a 2 GB maximum.

I looked, prodded, poked and assessed. Nope. Just one slot for memory down there.

Ain't that strange.

All the other notebooks I've ever been issued or owned had two slots at the bottom.

What gives?

Not knowing if I should laugh, cry, or whether I had just blown the RAM order for nothing, I did some quick searching on the web for anything that could help me.

Fortunately, I found the answer.

Memory Module, Modem, and Devices: Dell Latitude D610 Service Manual

Turns out there are two DIFFERENT locations where the RAM DIMMs are located on these Dell laptops. Who knew?

DIMM B (which I had located) was under a plate at the bottom of the laptop.

DIMM A (which I had not) was secreted away under the keyboard on top.

Wow.

So with much trepidation, and following the guide, I gingerly popped off the slim cover between the keyboard and display hinges to access the keyboard mounting screws. It creaked and popped like I was snapping it in half, but it held and I soon had the keyboard removed.

From here I gently folded the keyboard back on its edge to access DIMM A.

With both DIMMs seated I tightened everything down, replaced the battery and booted.

Hmmm. No BIOS "system memory" change was seen. Once it got fully up and I was logged on, only 1 GB of the RAM was found. I rebooted and checked the BIOS. Only 1 GB was recognized.

Oh bother.

So I shut down, and repeated the steps to inspect the DIMMs.  All looked good.

No, wait, the RAM DIMM under the keyboard looked like it wasn't fully seated after all.

Grrr.

Once done, I reassembled and rebooted.

This time....no boot.

I felt like Charlie Brown trying to kick that !*#@^$*#@%$&* football!

Was one of the DIMMs really bad? Not like Crucial, but anything was possible.

One more time I repeated the process and fully removed and reseated both RAM DIMMs carefully taking my time now.

Reassembled, I booted up.

Hurrah!  The BIOS alerted to the system RAM amount change, then once logged on I used my tools to confirm all the RAM recognized.  (CPU-Z and MemStat XP)

Now I'm running at 2 GB of system RAM and can fully support the virtual machines I use for testing images, as well as multi-task without concern. I had previously set the Centrino CPU for full throttling at all times with no power conservation allowed (accomplished simply by changing the power scheme setting on the laptop from "Portable/notebook" to "Always On"). It really likes the extra RAM.

It now hovers in the 1100 KB range during normal activity and multiple files of my heavily object-filled Visio floorplans can be opened quickly at once.

Ahh, bliss....

And now I know where to put it.

--Claus

Taming AVG Free version 8

I've now had the chance to spend additional time with the latest version of AVG Free 8.

Overall I am pretty impressed.

The other day I made an initial foray into AVG Free 8 and walked away pleased, but with a bit of sour taste in my mouth: AVG Free Version 8.0 Released...First Thoughts and Complaints.

My biggest complaints initially were the inclusion of the "AVG Security Toolbar" in all my system's web browsers, the "AVG Safe Search" feature embedded into the browsers, and a permanent "error-state" icon for AVG down in the system notification area if this feature was disabled. Otherwise, I was very impressed, both with the overall performance and GUI design, as well as the installation process.

In my previous post, I pleaded with someone to provide the following guidance:

I am also bummed that I had no global way in AVG to disable the AVG Security Toolbar (and AVG Safe Search) from all my system browsers. I was forced to manually set the toolbar to not be viewed in each web browser installed on my system...even when it was otherwise "disabled". Major points off for this. If anyone finds a global setting IN AVG Free to disable/hide them all at once, please leave a tip in the comments. Otherwise, you are left to do the "light" method like I first proposed, or the "heavy" method as AVG outlines in the FAQ.

Fortunately, a brilliant anonymous commenter dropped an almost perfect solution for ridding your AVG Free 8 installation of these (to me) unwanted security features; and as a bonus, the method results in a non-error state AVG system tray icon!

The solution? It was buried in AVG Free FAQ #1338.

You must run the AVG Free 8 installer from the command-line using a set of specialized switches/arguments/parameters.

How to install AVG without LinkScanner

If you wish to install AVG 8.0 Free Edition without the LinkScanner component, or uninstall this component from your program, please proceed as follows:

  • Download the AVG 8.0 Free Edition installation package from our website.
  • Run the installation with the parameters /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch. One way to achieve this is to:
    • save the AVG Free installation file directly to disk C:\
    • open menu Start -> Run
    • type
      c:\avg_free_stf_*.exe /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch
  • The installation will be started, and AVG will be installed without the LinkScanner component.

If you have already installed AVG Free 8 like I did, here is what I did:

I opened a command-line session and browsed to the location where I had downloaded the installation file.

Then I ran the following command on my Vista system (all on one line):

c:\Users\Claus\downloads\avg_free_stf_*.exe /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch

If running on XP, your default download location might be different than above.

It might be best to follow the FAQ suggestion and just copy the download file to the root of your C: drive (or the root of another partition if you are so equipped) and run the command from there.

Note that there is a space between the ...exe and the /REMOVE_FEATURE... parts, as well as a space between the ...SafeSurf and the second /REMOVE_FEATURE... part. Also, the * in the FAQ's file name stands for the version string in the actual download's name; neither the Run dialog nor cmd.exe expands wildcards, so type the real file name (tab completion in a command prompt will fill it in for you).

Once the command is run, a new installation wizard will be seen and you can see that the "Remove/modify" components option is checked by default. Just keep hitting "next" and the AVG program will reinstall. No reboot is required and when you go back in to the AVG Console view, the AVG Link Scanner component is now removed.
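The same reinstall, wrapped as a script so the version-specific installer name is found automatically. This is an added example, not AVG's FAQ text and not from the original post; it assumes the installer has been saved to C:\ (change $Dir otherwise) and uses the two /REMOVE_FEATURE switches exactly as FAQ #1338 lists them. PowerShell is used rather than the Run dialog because neither the Run dialog nor cmd.exe expands the * in the file name.

```powershell
# Added example (not AVG's code, not from the original post).
# Re-runs the AVG Free 8 installer with the LinkScanner feature-removal
# switches from AVG FAQ #1338, resolving the version-specific file name
# (avg_free_stf_<version>.exe) because cmd.exe and the Run dialog do not
# expand "*" in a program name. Assumes the installer was saved to $Dir.
param(
    [string]$Dir = 'C:\'
)

# Newest matching installer wins if more than one download is present.
$installer = Get-ChildItem -Path $Dir -Filter 'avg_free_stf_*.exe' -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1

if (-not $installer) {
    Write-Error "No avg_free_stf_*.exe found in $Dir"
    exit 1
}

# Switch list taken verbatim from the FAQ; kept as separate arguments so
# nothing depends on quoting or on spaces in the path.
$switches = @(
    '/REMOVE_FEATURE', 'fea_AVG_SafeSurf',
    '/REMOVE_FEATURE', 'fea_AVG_SafeSearch'
)

# Log exactly what is about to run so the change can be audited later.
Write-Host ("Running: {0} {1}" -f $installer.FullName, ($switches -join ' '))

# -Wait so the script's exit code reflects the installer's outcome.
$proc = Start-Process -FilePath $installer.FullName -ArgumentList $switches -Wait -PassThru
exit $proc.ExitCode
```

Run it from an elevated PowerShell prompt. The installer still presents the Remove/modify wizard described above; the script only saves you from hunting down the exact file name, and its exit code is the installer's.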

Additionally, I found that all my settings and logs were preserved, and checking the browsers shows that neither the Link Scanner nor Safe Search components are in the IE 7 or Firefox add-on lists any longer.

And the AVG system tray icon is back to its normal state.

Sweet!

Unfortunately, unless someone does some good search-engine work before installation, or reads the correct AVG Free FAQ page prior to installation, there is no other pre-installation documentation or option to tell users about this "advanced" technique.

And I suspect many users of AVG Free 8 might not be comfortable correctly locating and performing the simple command-line kung-fu to clobber these features out of the AVG Free 8 product. No matter for most, I suppose. They might actually need these features and find them valuable.

Other Post AVG Free 8 Installation Observations

Installation on my XP systems went smoothly. I didn't know about the above tip when I did my XP installations either so I had to go back and re-do that.

On my XP system, it took about 5 hours and 30 minutes to perform a full-scan on my 500GB drive. I actually have about 100 GB of files spread across the four partitions I configured on it. I generally just configure my system to do a scan on the primary system drive and then I manually scan the other partitions every few weeks. That cuts down on the scan time.

While scanning, the system did seem very responsive with the scan priority in AVG set to the default "medium" setting.

I kept all the scan settings on the defaults. It netted about 50 or so "tracking" cookies, about 23 "potentially unwanted applications" which turned out to be made up of my trusted and faithful system logging and key-finder utilities, and three copies of a WinPE Builder included application called Mark Editor. Virus Total and Jotti were mixed on if it was really a virus or not. I strongly suspect it will turn out to be a false-positive based on PXE packing methods, rather than a real threat. I must confess that the scan was very thorough, and was able to get into the other user profiles when looking for browser tracking cookies.

I was able to restore the PUPs quickly and set them to be ignored at the next scan (more on this in a moment). I was able to delete the tracking cookies directly, and the others were left in the "Virus Vault", as AVG refers to the quarantine zone. I'll go back to sort and research these later.

I've noticed that when I downloaded emails in Thunderbird with attachments, they are still scanned automatically. I've also noticed that files downloaded off the web in Firefox or IE are also scanned automatically. These are welcome carryovers from AVG Free 7.5.

Advanced AVG Settings

All of the components can be reached from the menu bar under "Components" for quick action, though these don't differ any from just clicking on the corresponding element Overview icon.

To run a quick scan I found it easier to use the "Tools" menu bar and just select "Scan Computer", "Scan selected folder..." or "Scan file..." to kick off a particular scan type. Hunting these down in the GUI view was a bit tedious.

Management of AVG Free 8 options proper seems to me best accomplished from the "Advanced AVG Settings" window. This can be reached from the menu bar by going to "Tools" then "Advanced Settings...". The main icons are useful for quickly checking status, but I found using them to configure AVG itself not nearly as useful as I would have preferred.

There is a lot of stuff you can do in here, so program tweakers will be quite pleased with the options, for the most part.

Appearance: Here you can set the language as well as a number of system-tray notification options.

Maintenance > Virus Vault: Here you may set the Virus Vault (quarantine) size and enable "automatic file deletion" once a number of days or a number of files in the vault is reached. I disabled that option in case I need to go back and recover something mis-identified or that needs further research.

PUP Exceptions: Here you can edit which PUPs (Potentially Unwanted Programs) you wish to exclude from identification and alerting by AVG. The Good? This lets me keep a number of my sysadmin utilities (key finders, loggers, etc.) safe from alerts and removal. The Bad? They are maintained on an individual file-level basis. You cannot set an exclude rule for a folder. The Compromise? You may enable an option to exclude the file from any location, not just a specific path. The saving grace? Matching is based on a checksum value for the file, so a malicious file that attempts to masquerade under an allowed file name is not likely to sneak by and be excluded! Nice!
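To see why a hash-keyed exception list matters, here is an added example (not AVG's code and not from the original post) that builds an allowlist from vetted binaries and then classifies other files by hash first and by name second, so a same-named file with different contents is flagged instead of excluded. The folder names, file contents and the stand-in tool name produkey.exe are all constructed for the demonstration.

```powershell
# Added example (not AVG's code). Demonstrates checksum-keyed exclusions:
# a file is "excluded" only if its SHA-256 matches a vetted binary; a file
# that merely borrows an excluded tool's name is reported as a masquerade.
# All paths and byte contents below are constructed for the demo.

function New-HashAllowlist {
    # Build a SHA-256 -> file-name table from binaries you have vetted yourself.
    param([Parameter(Mandatory)][string[]]$KnownGoodPaths)
    $table = @{}
    foreach ($p in $KnownGoodPaths) {
        $hash = (Get-FileHash -Path $p -Algorithm SHA256).Hash
        $table[$hash] = [IO.Path]::GetFileName($p).ToLowerInvariant()
    }
    return $table
}

function Test-ExcludedFile {
    # Returns 'Excluded' (hash match), 'Masquerade' (allowed name, wrong hash)
    # or 'NotListed'. Hash is checked before name, never the other way round.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Allowlist
    )
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($Allowlist.ContainsKey($hash)) { return 'Excluded' }
    $name = [IO.Path]::GetFileName($Path).ToLowerInvariant()
    if ($Allowlist.Values -contains $name) { return 'Masquerade' }
    return 'NotListed'
}

# --- Demonstration with constructed files in a scratch folder ---
$work = Join-Path ([IO.Path]::GetTempPath()) ('allowlist-demo-' + [guid]::NewGuid())
$good = Join-Path $work 'vetted\produkey.exe'      # the copy you vetted
$fake = Join-Path $work 'downloads\produkey.exe'   # same name, different bytes
New-Item -ItemType Directory -Path (Split-Path $good) -Force | Out-Null
New-Item -ItemType Directory -Path (Split-Path $fake) -Force | Out-Null
[IO.File]::WriteAllBytes($good, [byte[]](0x4D, 0x5A, 0x01, 0x02))  # stand-in contents
[IO.File]::WriteAllBytes($fake, [byte[]](0x4D, 0x5A, 0xFF, 0xFF))  # stand-in contents

$allow = New-HashAllowlist -KnownGoodPaths @($good)
foreach ($f in @($good, $fake)) {
    '{0} -> {1}' -f $f, (Test-ExcludedFile -Path $f -Allowlist $allow)
}

Remove-Item -Recurse -Force $work
```

In real use you would point New-HashAllowlist at the vetted copies of your key finders and loggers and run Test-ExcludedFile over a download folder; the point is that renaming a file to produkey.exe never gets it excluded, only matching bytes do. Rebuilding the allowlist after every tool update is the price of that guarantee, which is exactly the per-file maintenance cost noted above.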

LinkScanner: Curiously, even though I had "uninstalled" this component as outlined, this section remains and is still "Enabled" by default. Were a user to keep that component, you may manage the AVG Search-Shield, Active Surf-Shield, and reporting of exploited websites to AVG for study. I have all these disabled.

Scans: Three sub-groups here. Settings for whole computer scans, shell extension scans, and scans for specific files or folders. I've left all the default settings for whole computer scans in place which involves automatic healing/removal of infections, searches for PUPs and spyware threats, cookies, archives, use of Heuristics, system environments (processes, registry keys, memory, etc.), and infectable files. Rootkit scanning is not enabled in the Free version of AVG 8. You may set the scan process priority using a slider bar. The Shell extension scan mimics the same options as does the specific file/folder scan. However under each one you can customize the tick-box options.

Schedules: Three more sub-groups. Scheduled Scan, Virus database updates, and program updates. I've set my scans to run daily at a specific time, but you may also set your scans to run on an hourly frequency or at a certain action (like startup). You can run scans if previous tasks were missed (due to the system being off) or in low power mode. Not immediately obvious is the fact that this window view is tabbed and you can also access the "How to scan" options previously covered as well as "What to scan", where you can select the entire system, or specific drives, folders or special locations. I am really pleased with this element design but wish the tabs had been more visible, as some users might miss their presence. The update schedule window mimics the one for scans, but without the tabs, as does the program update window. I tweaked these a bit to ensure that program and DAT file updates occur every four hours, as Grisoft frequently issues micro-updates throughout most days.

Email Scanner: Here you can set up how AVG interacts with your email application. I use Thunderbird and AVG Free 8 integrated perfectly with it. I have the settings configured here to check both incoming and outgoing emails, but not to "certify" the mail. (Certifying adds extra text to your emails indicating the message/contents have been pre-scanned.) Some recipients might like seeing that, but I don't trust such messages and would re-scan anyway. You can go with the default message for viruses found in emails, or change to a custom one. You can set the scanning properties here to use heuristics, to look for PUPs and spyware, and to look inside emailed archive files. (I've enabled all of these.) You can optionally have AVG Free 8 report to you if password-protected attachments, files with macros, or files with hidden extensions are found (I've enabled this), and move any reported attachments to the Virus Vault. Under the Certification window, you can modify the message attached to your emails if that option is enabled. Under Mail Filtering, you can set AVG to strip out all email attachments, or just executable files and/or documents, and you can also filter out files with specific extensions.

Resident Shield: This feature provides "real-time" protection against malware and virus/trojan threats. Even though I primarily use ThreatFire from PC Tools for my HIPS protection, I have left this enabled so it will also scan and monitor for PUPs/spyware threats, scan boot sectors of removable media, and use heuristics for scanning. I have disabled cookie scanning, auto-healing, and scanning of files at close. The Advanced Settings sub-window allows you to either scan all files or only those with specific program and document extensions. I've kept the defaults, which are very extensive. Lastly, you can set Exclude Rules for monitoring. You can set multiple excludes based on paths, files, or a list of items. Handy!

Update: Under the main window here, you can control AVG's behavior for whether updates are applied on computer restart or immediately (with some options for confirmation), and require AVG to confirm with you if a particular application must be closed before an update can be applied. Wow, it has manners! Finally you can set proxy locations for updates, dial-up settings, and add or change the URL(s) used for retrieving the updates.

Whew!

Lots under the hood that isn't obvious at first glance.

Welcome to the Virus Vault!

Once a scan has been completed, you are presented with a tabbed list of groups of items: Results overview, Infections, Spyware, and Warnings (mostly tracking cookies). These items may be clicked on for a bit of detail; however, the detail provided is minimal and of little use to security-minded folks who want specifics on the items found.

If a scan is running and you wish to view the progress, you can select the AV scanning component, then on the side-bar click on the scan task under the "Computer scanner" bar on the left side of the window. Curiously, I decided to run a manual full scan when I started this blog post, and when the scheduled auto-scan time arrived it also began, so I had two concurrent AVG Free 8 scans going at the same time! Seems to me the program should give an alert and allow the user to proceed, queue the scans to run one after the other, or cancel one of them. I just manually canceled the auto-scan myself.

Once the scan was completed I saw the results were displayed under the "scheduled scan" line item, and not the manual scan list item, even though I canceled the auto-scan and kept the manual scan running. Not a big deal but confusing.

Now it gets interesting. Either while the scan is running, or after it has completed, you can click on the menu-bar and select "History" to view the scan results and details.

Furthermore, you can also use that location to go to the Virus Vault to inspect any items found and moved here for quarantine.

The Virus Vault allows you to view the Event History of scan results for the system as well as items in the Virus Vault proper.

Here is where the product shines for AVG Free 8 users who are security proactive.

Items in here can be managed in a number of ways. You may restore the item and, for PUPs, add it to your excludes if desired (items identified by AVG as a virus/trojan may be restored but cannot be excluded automatically). If you do restore a file so identified, it will be put back, but if Resident Shield is enabled you still cannot access it for transmission to a third-party security source (Jotti or VirusTotal). I understand this, but it is frustrating to have to disable components of AVG to accomplish this easily. You can also delete the file entirely, rescan the file (to see if new DAT updates pass the file now), and, best of all, directly transmit the file to AVG for analysis from within the program. This is useful for reporting potential false positives. I'm thrilled to see this feature added.

If desired, you can also provide an email address to get results of your submission. However, that is not required to complete the transmission.

Finally you can empty the vault entirely.

To delete the cookies, you must go back to the scan results, click the "warnings" tab, and select the cookies to remove (individually or multiple items).

Regarding Alerts and Restorations

I did notice two interesting behaviors of AVG Free 8 here.

First, if you decide to manage the items added to the Virus Vault in the middle of an ongoing scan, you can do so. However the changes are not reflected in the scan-results listing. Example, a PUP is found, you decide to restore it from the Vault. When the scan is completed, it is still listed there in your logs.

Secondly, when you decide to restore an item, you don't have any options to "exclude" it immediately from future scans. What happens is that the item is restored, then the Resident Shield will (eventually) re-alert the finding of the restored file, and now you are able to either move it back to the Vault, add it to the exceptions list, or ignore it. Finally, you do have the option to remove any threats caught by Resident Shield as a "Power User."

Note, when I selected multiple PUPs to restore at once, I was not given the option button to add the item to the excludes list. So keep that in mind that if you want to add PUPs to the exclude list during restoration, don't select multiple items but restore them one at a time.

This alert window forces itself to remain visible above all other windows on the desktop so it cannot be ignored or minimized. You see it and must deal with it. Not a bad decision by Grisoft.

There is a section at the bottom of the alert where you can select "more details." This provides the Process Name responsible for triggering the file alert as well as the Process ID. Curiously, many of these "restoration alerts" were triggered when ThreatFire was caught scanning the file as it was being restored by AVG!

There is a link to find more info about the threat identified, but it is a bit clunky. The link takes you to the AVG Virus Encyclopedia, but instead of providing you direct details of the threat found, you are required to manually look up the threat by name yourself. Not so useful. Details of the threat, once found, are fairly useful. This is bound to cause some user confusion. For example, it identified the NirSoft application ProduKey (used to look up Microsoft product keys on a system) as a PUP. When I searched the AVG Virus Encyclopedia, no results were found. When I tried using the AVG threat name as displayed in the alert box (HackTool.DHQ), it also was not located.

Final Odd Performance Thoughts

Lastly, I've been composing this post in Windows Live Writer back on our Gateway laptop while running a manual AVG full system scan. The system processor is pretty strong and set to run at full-on power with no laptop power-saving configurations. It has the full 2 GB RAM allowed. It is running Vista SP1. I'm not running any other applications except WLW, Firefox 3.0 (Minefield) and AVG Free 8. I've noticed that the system continues to seem to "pause" from time to time. Opening Sysinternals' Process Explorer showed that the AVG scanning process (avgscanx.exe) frequently jumps to over 50% of CPU capacity. These are the moments when the system "pauses."

Strangely, I didn't notice that behavior at all last night on my Shuttle desktop system that has XP Home SP2 with only 1 GB of RAM and multiple more applications open at the same time of a full system scan. I don't know if this is because AVG Free 8 behaves differently under Vista or there is just something about my particular Vista system that leads to that behavior. Memory usage of that process while scanning is around 80,000 K. I do wonder if AVG Free 8 is fully "Vista optimized".

Once the scan completed, things returned back to normal.

Claus Remains Impressed

Overall, I am growing more amazed at the fullness of features and options offered by Grisoft in AVG Free version 8. I really liked and was quite satisfied with AVG 7.5 but version 8 really knocks my socks off.

Sure, there are a few items here and there that are frustrating: the AVG Security Toolbar and the SafeSurf and SafeSearch features needing a special command-line install technique, the lack of any way to directly add items to the exclude list from the Virus Vault, high CPU utilization under my Vista system (at least) but not under XP, the inability to add multiple PUP restorations at once to the exclude lists for scanning, and finally the lack of direct alert matches to the AVG Virus Encyclopedia.

Those quibbles aside, Grisoft has delivered an outstanding consumer security product in AVG Free 8.

Very nicely done, Grisoft!

--Claus

Thursday, April 24, 2008

AVG Free Version 8.0 Released...First Thoughts and Complaints

There has been substantial discussion IF and WHEN Grisoft might get around to releasing the next version of AVG Free; version 8.0.

I really love AVG Free. It has done a great job with regular scanning of my systems in general. It scans attachments in emails. It is low in system resources, and hasn't bogged down any of my systems like some of those "other" major-name security suites offered to consumers.

My only complaint (if any) is that a number of false-positives have occurred with legitimate files and utilities I depend on. I try to submit them as I encounter them to AVG so they can update their database and my experience is that they have been fast to respond once the files are verified by them.

So it was with excitement that I saw, via Download Squad, notice that AVG Free version 8 has been released to the masses by Grisoft.

AVG Free 8 is out - Grisoft

Putting it on Vista

Our Vista laptop just happened to be already out in the living room so it got first dibs on the update.

The new file downloaded quite quickly from the Grisoft servers.

AVG Free v8 now incorporates anti-malware protection along with the anti-virus protections. So I went ahead and uninstalled AVG Anti-Spyware (free) and AVG Free 7.5 from my system. This required a mandatory system reboot.

Once back up I ran the installer. No errors or issues were encountered during the installation process. No UAC elevation prompts were seen.

During the installation process, I was presented with a prompt to install (pre-checked--ugh!) the AVG Security Toolbar which offers to protect against malicious websites, scams and other web-danger. It incorporates a link-scanner. Because of various personal reasons and other applications and methods I use personally, I chose to un-tick the box and not install this component.

[Screenshot 2008-04-24_185611]

A few more screens and the installation had completed.

I then needed to step through a "setup" wizard. It had some prompts to set up scheduled scans, register, download available updates, etc. Nothing out of the ordinary. I did disable the link scanner component.

When done no reboot was required.

The interface is very nicely laid out. Very Web 2.0 in design which is the way many consumer security products seem to be going. It is a real step-up from the interface in version 7.5.

[Screenshot 2008-04-24_193330]

Navigation to the different elements is direct.

Although not obvious, more "advanced" settings and tweaks are possible under the "Tools" menu-bar drop-down.

Scanning of email-attachments is preserved in AVG Free v8.0. Thank goodness!

Performance? Good!

Anti-virus and malware scanning is included in this version, although you need to pay for the $ version(s) to get root-kit scanning and higher-end security features. As I said, I've got other tools I use for that so to me, AVG Free v8.0 should continue to meet my AV protection needs quite nicely.

Best I can tell, AVG Free 7.5 was using a total of six processes and a total of just under 60,000 K in system RAM to protect my system.

Under AVG Free v8.0 all I see running is just three processes (avgsx.exe, avgtray.exe, and avgwdsvc.exe) under normal conditions, for a total of just over 72,000 K of system RAM. So on first blush it does seem just a bit larger in memory than the previous version, but it is using fewer processes to get the job done (and then some).

I haven't had a chance to see the system impact under scanning, but I expect with the new scan engine, performance should be no worse than before, and hopefully faster and better.

I haven't seen any performance issues so far with it running in the background and multi-tasking. No conflicts have occurred between AVG Free v8.0 and ThreatFire although ThreatFire did display a few alerts during the install process, no doubt triggered by the installation of key security components of AVG. I allowed these and the installation has kept up fine.

Two Serious Gotchas! that just couldn't be ignored.

I have observed just two other issues so far that have "irked" me a bit.

First, despite my unchecking the "AVG Security Toolbar" option during installation, I was shocked to find that when I opened all my browsers (IE 7 and both Firefox versions, 2.x and 3.0-Minefield), the AVG toolbar was prominently in place.

OMG!

[Screenshot 2008-04-24_190154-c]

[Screenshot 2008-04-24_190438-c]

All attempts to find an option to remove this toolbar from each of my browsers were met with failure. Despite all my attempts and AVG option fiddling, I could not locate (at this time) a way to remove the toolbars from the browsers from within AVG.

So I had a hunch. In IE 7 I right-clicked on a blank-space on the browser bar to look at the toolbars loaded. Sure enough, there it was listed with a "check" mark. I simply unchecked the AVG Toolbar from showing and when I returned to the browser, it was gone. (I could have also gone on the menu-bar to "View" > "Toolbars" to accomplish the same thing.) Firefox was the same process.

[Screenshot 2008-04-24_190937-c]

[Screenshot 2008-04-24_191024-c]

Hurrah!

However, I had to repeat this process for every browser I have installed on the system.

Definitely a turnoff of serious proportions. I would have expected a global option in AVG Free itself to turn off and/or remove the toolbar.

Amazingly, I have already climbed on a soap-box and posted on this very issue when I reviewed for myself a beta version of AVG 8.0 back in March: Thoughts on the AVG 8.0 "Toolbar" Francaise...

Back then I conceded that the features this toolbar provides were generally "positive" in helping folks who might not be as security minded as some of us (friends/parents/non-geeks) keep safe in web-surfing. But I (and others) were very turned off with the idea from our perspective of seeing most toolbars covered in the ilk of malware/toolbar drive-by installs. We just don't usually like them. Period. And a toolbar, however well-intended, provided by a security company usually grates against our better feelings of good-will.

I did eventually find this information in an AVG Free v8.0 Link Scanner FAQ page:

How to disable the AVG add-on in my Internet Browser?

AVG 8.0 Free Edition contains a plugin for scanning of search results in Google, Yahoo and MSN search engines. This plugin (AVG SafeSearch) is designed for MS Internet Explorer and Mozilla Firefox Internet browsers. If you would like to disable it kindly proceed as follows:

1. Internet Explorer:

  • Run Internet Explorer.
  • Choose the Internet Options from the Tools menu.
  • Switch to the Programs tab.
  • Click on the Manage add-ons button.
  • Select the AVG Safe Search add-on.
  • Tick the Disable option at the bottom of this window.
  • Confirm changes by clicking on the OK button.
  • Close Internet Explorer and run it again.

2. Mozilla Firefox:

  • Run Mozilla Firefox.
  • Choose the Add-ons option from the Tools menu.
  • Select the AVG Safe Search add-on and click on the Disable button.
  • Close Mozilla Firefox and run it again.

Note: AVG add-ons cannot be used with Mozilla Firefox 3 (beta) at the moment.

Note: When I followed this under IE 7, I found "AVG Security Toolbar" listed twice, as well as an entry for AVG Safe Search, which I also disabled here. The result is that the AVG toolbar item is still displayed as I mentioned previously, but it is now grayed out and inaccessible. The same was basically true for Firefox: I found not only the AVG Security Toolbar listed as an add-on extension in Firefox but also the AVG Safe Search component. Like IE, these can be "disabled" but not uninstalled.

[Screenshot 2008-04-24_204414]

Complaint #2?

Well, remember that I had disabled the "Link Scanner" component?

Not a problem, but the result is that the system-tray icon now permanently displays an ugly "error" state with a gray icon covered up by a nasty red exclamation mark.

[screenshot: 2008-04-24_191122]

Again, all attempts to find an AVG option to allow this state to be ignored were futile. As far as I can tell, if I choose to leave a component of AVG Free disabled, then I get the "pleasure" of seeing an ugly "alert-state" AVG icon running in my system tray.

My solution (because I refuse to enable "Link Scanning" for my web-surfing) was only to right-click on the system-tray bar, select "Properties", click the "Notification Area" tab, click the "Customize..." button, and set the AVG Anti-Virus Free system tray icon behavior to "Hide".

The AVG icon is still present if I expand the < to the left of these icons were I to need access to it, but otherwise the ugly "error-state" AVG icon remains hidden.

Too bad, it's kinda pretty. (I temporarily enabled "Link Scanning" to get the "good" AVG system-tray icon state seen below.)

[screenshot: 2008-04-24_201027]

Conclusions

I've still got to get it on my other two XP systems and see if anything different is found, but I don't really expect to find anything.

I am very pleased with the enhanced protection of AV and anti-malware provided by AVG Free v8.0. Only time will tell how the definitions work as well as the new engine under the hood. I expect not to be disappointed.

Installation was fast, easy and quick. Configuration was simple to set up.

I am disappointed to find my request to NOT install the AVG Security Toolbar feature was not honored (as well as the fact that it is "checked" by default).

I am also bummed that I had no global way in AVG to disable the AVG Security Toolbar (and AVG Safe Search) from all my system browsers. I was forced to manually set the toolbar to not be viewed in each web browser installed on my system...even when it was otherwise "disabled". Major points off for this. If anyone finds a global setting IN AVG Free to disable/hide them all at once, please leave a tip in the comments. Otherwise, you are left to do the "light" method like I first proposed, or the "heavy" method as AVG outlines in the FAQ.

Finally, while I understand that AVG designers saw value in showing an "error-state" icon in the system tray if a component is disabled (by user-choice or failure) to alert users of the condition, I find it curious to not be able to find an option to hide (or override) that error state if that state was manually selected by the user. Now we are left with that ugly icon unless manually set to "Hide" as outlined above. Again, if someone finds a way to do this in AVG Free v8.0, please leave me the tip in the comments.

I'm otherwise very impressed at this early stage and hope that Grisoft continues to provide the outstanding security product features in AVG Free that we fans have become accustomed to.

For more information regarding AVG Link Scanner, the AVG Security Toolbar, disabling AVG Search-Shield, and Grisoft's method for removing the AVG Add-on component from your browser, see this Grisoft AVG v8.0 Free Link Scanner FAQ Page.

For other details on AVG Free, consult this Grisoft AVG Free v8.0 FAQ page.

AVG Free v8.0: Still Highly Recommended (but with a few reservations).

--Claus

Sunday, April 20, 2008

Sunday Link-Ka-Bobs

Ahhh.

I've been working hard on catching up on my Zzzzz's.  It was a hard week as we ramped up and delivered a new phone system at another of our offices Friday night.  As the local project-lead, I'm very lucky to have such an incredible team of telecom specialists and a great vendor helping pull this thing off.

I'm pretty good with keeping track of the project elements, doing the groundwork and data collection, drawing floorplans in Visio, catching critical details that others overlook, stuff like that.  But when it comes to tracing out the wires and learning how all the phone system components get hooked together, I have to lean very heavily on these professionals.  What's even better, is just how willing they are to let me get in the middle of them and show me what they are doing and help me understand and learn better techniques.

Each deployment I learn something new and (hopefully) become a better project-lead for it.

I value new information and perspectives and am willing to admit when I'm in over my head. However, that just drives me stronger to learn and master what I find I don't know.

So this weekend I've been sleeping in until at least 9am each morning, catching up on household chores, and restocking the pantry.

Oh for a Dead Cow past Midnight

I usually see Houston by daylight.  The traffic jams in the commutes, the street flooding, the daily grind of the city.  However it is amazing to me these past late-night returns home, just how vibrant and alive Houston is way past midnight.  Lots of restaurants open, the lights aglow in neon.  Office towers with lights still on, steady traffic on the freeways.

I skipped past most of the Houston joints early Saturday morning, nursing a heavy craving for a burger at 1 AM.  When I got back to my suburb, I drove around for twenty minutes looking for something, anything open that served dead ground cow.  The only other place I knew of was another twenty minutes across town from where I lived. Even all the nearby fast-food places had long-since closed up.

I ended up at home unsatisfied and ate a leftover Schlotzsky's deli Thai chicken pizza Lavie had gotten the night before, a Weight Watcher's TV dinner buried in the freezer, and two bowls of Captain Crunch Peanut Butter cereal.  Still would have enjoyed a dead cow better.

Bullwatching in the 'Burbs

The other week I was driving home a back-way to our subdivision and came across an odd sight.

There were three middle-aged guys standing about fifteen to twenty yards apart, kind of at the points of a rectangular pattern in a front yard.  Each had their shirts unbuttoned and were in jeans.

In each of their hands appeared to be a canned beverage.  I assume of a beer or lager form.

In the middle of their posse was a guy, similarly attired, sitting atop a John Deere riding lawnmower doing slow circles of mowing.

It was the funniest thing I had seen.

Surely there had to be a story behind this.  Maybe the cable was out?  Maybe they were seeing how well the mower performed prior to buying it?  Maybe there was something deeply evocative to them about watching a man subdue a lawn astride a loud and mean beast in a ring.

Or maybe the ribs hadn't quite reached doneness yet but the beer intake had.

Oh my.

Software Link Ka-Bobs

The great free screen capture shootout for Windows! - Confessions of a Freeware Junkie blogger maximillian_x runs down a great comparative assessment of screen capture tools including Donation Coder Screenshot Captor, EasyCapture, FastStone Capture, Gadwin PrintScreen, Greenshot, and MWSnap.

The verdict?  Donation Coder Screenshot Captor.  I've always loved and recommended FastStone Capture, but after downloading and playing with Screenshot Captor, I must say it is an impressive application.

Lifehacker has hosted a Battle of the Notepad Alternatives poll.  The comments are jam-packed with suggestions.  Quite a few I've already covered and enjoy including NOTEPAD++, flo's freeware - Notepad2, and PSPad. Others suggested were TextPad, ConTEXT, EditPad Lite, Crimson editor, metapad, LopeEdit, and EmEditor.

Do we really need yet another utility to tweak XP and Vista settings? Guess so.  Welcome RegToy to the party, folks.  Via Download Squad.

If you decided to go to the bleeding edge of beta Java SE builds, then be aware that Java SE 6 Update 10 Build 22 is now available.  I've been running these on all my systems and haven't had any issues as well as find that Java in Firefox seems a bit "crisper".

Finally, DownloadSquad announces Ad-Aware 2008 Beta released...Vista compatibility. I strongly recommended LavaSoft's Ad-Aware SE Personal to home users in the past. With Ad-Aware 2007, the GUI got a redesign, the engine was improved, and support for additional web-browsers was folded in.  Unfortunately, now it requires a service to run to work. That results in the Ad-Aware 2007 version not being "portable" on USB like the SE version was.  Bummer.  However, it is still a very consumer-friendly product and I still recommend it for home users looking for a freeware malware scanning tool.  By the way, if you still like the old Ad-Aware SE Personal, auto-update downloads of the DAT file ended a long time ago. But if you do a bit of work and are clever, you can still manually download and install compatible DAT files for your SE version a bit longer.

For the Forensics Fans

Harlan Carvey, author, blogger and computer forensics guru has been hard at work behind the scenes at his Windows Incident Response blog.

His Free Analysis post leads us to a number of additional free tools of benefit not just to the forensic guys who tool around in black tinted-window Tahoes, but also us common Joe Sysadmins who love tools to help carve up a system we are assessing.  I really liked the Event Log Explorer utility Harlan mentioned.  Great tool for sorting through Windows system event logs.

Harlan has also updated his remarkable RegRipper utility that helps with (off-line) registry hive file analysis and review.  I've been playing with it at work and it is simply amazing.  This version is the "basic" release.  I can't wait to see what the "advanced" version he mentions from time to time is capable of.

Thanks for sharing your candy with us, Harlan!

Yumm.  It's all good and tasty.

Now...to get that Dutch Apple Pie out of our oven for dinner dessert.

--Claus

Keeping an Eye on Malware

Major Server Malware Seeding Break

SANS-ISC Handlers Diary has a must-read article regarding The 10,000 web sites infection mystery solved.  If you recall, back in January, there was a rush of web sites being compromised with malware.  Visitors to these sites, who had vulnerable browsers or systems, would risk malware download and installation onto their systems.

Turns out the detectives finally got a break in the case.  Not only did they find yet another infected server, but this one contained the actual executable being used to compromise the sites.

The article goes into depth looking at the utility and methods used.  Really fascinating dissection.

heiseSecurity provides a summary:

It's a Windows tool with a user interface in Chinese, and it uses the Google search engine to hunt for vulnerable servers on which it then carries out an SQL injection attack. This inserts an iframe that pushes the attacking code on visitors to the web pages affected.

The crafted iframe in the tool contains the link that turned up on a great many manipulated web sites in January. The attacks appear to be tailored to Microsoft SQL Server and Internet Information Server. According to the analyses by the ISC, the tool also contacts another server in China before attacking, apparently to trigger a payment procedure.
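The attack above works by writing an iframe into database-backed page content, so one defender-side check is to sweep the rendered pages (or the text columns they are built from) for iframes, and script tags, whose src points at a host the site does not own. The script below is an added example, not code from the SANS ISC write-up, from heise, or from this blog, and it goes slightly beyond the quote by also flagging `<script src>` tags, since the same off-site check applies. The sample HTML rows, the trusted host names and the hiding heuristics (zero size, display:none) are constructed assumptions.

```python
"""Scan stored page content for injected off-site <iframe>/<script> tags.

Added example; the sample pages and trusted hosts below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _SrcCollector(HTMLParser):
    """Collect the attributes of every iframe and script start tag."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() in ("iframe", "script"):
            self.tags.append((tag.lower(), dict(attrs)))


def _is_hidden(attrs):
    """True when an iframe is sized to zero or styled invisible (assumed heuristics)."""
    for key in ("width", "height"):
        val = (attrs.get(key) or "").strip().lower().rstrip("px")
        if val == "0":
            return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_injected_srcs(html, trusted_hosts):
    """Return [(tag, src, hidden)] for iframes/scripts whose host is not trusted.

    trusted_hosts: lowercase hostnames the site legitimately embeds.
    Relative src values (no host) are treated as same-site and skipped.
    """
    parser = _SrcCollector()
    parser.feed(html)
    findings = []
    for tag, attrs in parser.tags:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if host is None:                     # relative URL or inline script
            continue
        if host.lower() in trusted_hosts:
            continue
        findings.append((tag, src, _is_hidden(attrs)))
    return findings


# Constructed sample rows, as a page builder might pull from a text column.
SAMPLE_PAGES = {
    "clean": "<p>Welcome</p><iframe src='/embed/map'></iframe><script>var a=1;</script>",
    "partner": "<iframe src='http://video.example.com/player' width='320'></iframe>",
    "tampered": ("<p>Contact us</p>"
                 "<iframe src=http://bad.example.net/x.htm width=0 height=0></iframe>"),
}

TRUSTED = {"www.example.com", "video.example.com"}

if __name__ == "__main__":
    for name, html in SAMPLE_PAGES.items():
        print(name, find_injected_srcs(html, TRUSTED))
```

Run this over a dump of the pages or the text columns in question; anything it reports with `hidden=True` deserves a look first, since a legitimate embed rarely needs to be invisible.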

Top Threat Lists

One other story I found interesting was a quick dialog that got stirred up regarding the usefulness and end-value of "threat-lists."

These lists provided by many anti-virus/anti-malware fighting companies attempt to rank current security threats seen in the wild.

Aussie security company PC Tools CEO Simon Clausen is credited in a Techworld story by John Dunn with the following statement:

"Threat analysis is highly complex. There was a time when volume alone was an acceptable indicator of the level of threat. But the threat landscape has changed significantly, and there are a number of additional parameters, besides volume, which are equally, if not more important in identifying and classifying top threats," said PC Tools CEO Simon Clausen.

Somehow, in what seems like an otherwise straightforward and brief article discussing the merits and value of "threat-lists" for risk-assessment, it appears an over-eager copy editor chose the following angry and baiting title: "Malware threat lists slammed as 'useless'"

"Slammed?" 

I didn't catch that tone in the comments.  Sure, there was the only other un-attributed quote from PC Tools in the article that I could find where these lists were referred to as "of no practical use for the security industry or consumers."

In my hood, calling someone's stuff "of no practical use" isn't even close to "slamming" them.  Sounds like a call for dialog down at the local Dairy Queen.

Other Opinions

And I have to generally agree with the statement. Seems pretty fair.  Knowing rankings of malware that various security product vendors discover and track is interesting, but for a desktop support guy like myself, my focus remains on patching operating systems, and updating versions of software that have vulnerabilities and patches to correct them.  While good for discussion at our lunch-table and certainly valuable to computer security researchers and labs, the lists otherwise don't shape our responses very much.  And were I to sample a collection of home-users on the value of the lists and their weekly contents, I have little doubt eyes would glaze over.

Sunbelt Blog-er Alex Eckelberry bit on the story and responded: PC Tools slams "top threat" lists.

I do agree with his statements from a security company insider position:

They have a point. But irritating pieces of malware, like Srizbi (315,000 bots active) and Storm (85,000 bots active), have great exposure in security circles but aren’t nearly as widespread as, say, fake codecs. Fake codecs are a plague, and frankly, probably provide a lot of bread and butter money to security companies.

So what do we do? I suppose categorizing based on complexity is a reasonable idea. But these “top 10” lists are useful, to gauge prevalence, and they should not be thrown out. Look, would we want Billboard Magazine to list “most complex or interesting bands” rather than “most sold bands”? There’s room for both.

Agreed! But not really so much at the average pc consumer level.

Microsoft MVP Donna Buenaventura wades in as well on the "pro-threat-list" side on her SecurityFlash blog: I like Top threats list.  She also highlights that different vendors will often see things differently; thus resulting in different list rankings.

Again, the average consumer (who even takes the time to look) is likely to be confused and depending on the data presented, find it overwhelming and of little use.

An Example of Effective Threat List Presentation

I recently found a vendor, SRI International, that actually did present a series of lists that could be darn useful to consumers and researchers alike. 

Take a look at their SRI Malware Threat Center.

Here's what I like:

  1. Each list's subject area is clearly explained and defined up front.  Examples:

    • Most Aggressive Malware Attack Source and Filters: rank = 30-day importance ranking (1 to 100) of most aggressive infection sources

    • Most Effective Malware-Related Snort Signatures: detects = 30-day signature detection rates based on exposure to 1268 malware infections.

    • Most Prolific BotNet Command and Control Servers and Filters: domain names and IP addresses clearly provided.

    • Most Observed Malware-Related DNS Names: embeds = number of malware binaries in which this DNS name was discovered, lookups = number of observed infections in which this DNS name was looked up, rank = 30-day importance ranking (1 to 100) of most prolific malware-related DNS names.

    • Most Effective Antivirus Tools Against New Malware Binaries: detects = Antivirus system overall detection rate based on exposure to 1030 malware binaries

  2. The lists are updated daily (if not more frequently).

  3. The lists all have "more" links to display deeper detail and list content numbers, if so desired.

As a system admin or even a home-pc user, I can use the IP addresses or domain names to drop into HOSTS files to block these sites if I see a threat.  If I find a potential threat that my AV protection didn't, I can generate an MD5 string and compare it against the list provided by SRI.
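One caveat on the HOSTS idea: a HOSTS file maps names to addresses, so it can sink the DNS names on such a list but cannot block a bare IP address; those need a firewall rule instead. The script below is an added example, not code from this blog or from SRI, showing both halves of the workflow: splitting a one-indicator-per-line list into HOSTS entries versus firewall candidates, and checking a file's MD5 against a list of known-bad hashes. The indicator list, its format, and the hash list are constructed assumptions (SRI's actual export format is not shown on the page).

```python
"""Turn a threat-list export into HOSTS entries and check a file's MD5.

Added example; the indicator list, its one-per-line format, and the
known-bad hash set are constructed, not SRI's data.
"""
import hashlib
import ipaddress

# Constructed sample indicators: two DNS names, one IPv4 address, a comment.
SAMPLE_INDICATORS = """\
# constructed list, not real threat data
c2.bad-example.net
update.bad-example.org
198.51.100.23
"""

# Constructed sample "known malware" MD5 set; the empty file's hash is
# used only so the example can be checked offline.
SAMPLE_KNOWN_MD5 = {"d41d8cd98f00b204e9800998ecf8427e"}


def split_indicators(text):
    """Return (dns_names, ip_addresses) from a one-per-line indicator list."""
    names, ips = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        try:
            ips.append(str(ipaddress.ip_address(line)))
        except ValueError:
            names.append(line.lower())
    return names, ips


def hosts_entries(names, sink="0.0.0.0"):
    """Render HOSTS lines that sink each name.

    0.0.0.0 fails fast; 127.0.0.1 also works but hands the request to
    whatever is listening on loopback.
    """
    return [f"{sink} {name}" for name in names]


def md5_of_bytes(data):
    """Hex MD5 of an in-memory blob (MD5 is fine for list matching, not integrity)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk=1 << 16):
    """Hex MD5 of a file, streamed so large binaries are not read into RAM."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_known_malware(md5_hex, known=SAMPLE_KNOWN_MD5):
    """True when the hash appears in the known-bad set."""
    return md5_hex.lower() in known


if __name__ == "__main__":
    names, ips = split_indicators(SAMPLE_INDICATORS)
    print("\n".join(hosts_entries(names)))
    print("block at the firewall, not in HOSTS:", ips)
    print("empty file known bad?", is_known_malware(md5_of_bytes(b"")))
```

On XP the HOSTS file lives at %SystemRoot%\system32\drivers\etc\hosts; append the generated lines there, and keep in mind that malware which tampers with HOSTS itself, or resolves by IP, will not be stopped by this alone.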

Finally, and of the best value as a consumer, I can monitor their Most Effective Antivirus Tools Against New Malware Binaries page and see just how well various anti-malware/anti-virus vendors' products stack up against a set list of 1030 malware binaries.

That is valuable information from a consumer standpoint.  Granted, depending on what the binaries are (undisclosed by SRI) some vendors may feel that this comparison may not be fair or representative of their product's strength, but as a consumer, if I monitor this list over time, it might just give me a good gauge on the relative effectiveness of such security product vendors.

If PC security vendors and "threat-list" makers aren't careful, they may run the risk of ending up like the DHS - Homeland Security Advisory System which has become quite maligned in its true value and worth.

I like the lists, I would just encourage all security vendors and organizations which publish them to work hard to make a difference by presenting them in a way that has the consumer or daily system administrator tasked with cleaning and protecting systems from this junk in mind, and not just a sterile list for list-making sake.

To the Threat-Lists

OK, if you do like these "threat-lists" or you just want to see what the fuss is about and draw your own conclusions, here is a sample list of "threat-lists" presented in alphabetical order.  If you know of any others that might be valuable, please feel free to leave tips in the comments.

Cheers.

--Claus