
After years of cleaning systems and asking about operator behavior just prior to the infection, and at times reading reports of the top 10 AVs averaging between 48-52% effective at blocking *emerging* threats, I've increasingly been convinced operator behavior is far more effective (yet elusive) than AV protection. Multiple times to test this theory I've removed my AV for months (6-9?) and instead run several of the multiple layers of protection you suggest: usually an ad blocker or MVPS hosts file (which could be done at the network level), NoScript or Sandboxie. Web of Trust is also helpful. Of three times doing this test over the last five years, I have yet to get an infection, while those I support continue to become infected at regular frequency while running up-to-date AV.

Pair this information with the BeyondTrust 2009 Microsoft Vulnerability Analysis, which strongly advocates removing admin rights (with a better success rate than AV software against emerging threats, I should point out) and I think we've got an interesting case for either replacing AV (radical!) or at least supplementing it and no longer considering AV our only defense at the desktop level.

I highly recommend reading the BeyondTrust 2009 Microsoft Vulnerability Analysis, if you haven't already:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CD0QFjAA&url=https%3A%2F%2Fwww.techdata.com%2F(S(5qsgeo45hwjh1on5noga4r45))%2Fbeyondtrust%2Ffiles%2Fwp039_BeyondTrust_2009_Microsoft_Vulnerability_Analysis.pdf&ei=j7kTUempHsfd2QX6kICYBw&usg=AFQjCNFtFkBKWy9fSHud-zZVW30RBgd8vA&sig2=1h3_vug2kvPFnYBPX6yccg&bvm=bv.42080656,d.b2I

Brian Hoort
College of Agriculture and Natural Resources
Technology Services Helpdesk
Michigan State University
Helpline: (517) 355-3776
http://support.anr.msu.edu


-----Original Message-----
From: Loren LaLonde [mailto:[log in to unmask]] 
Sent: Wednesday, February 06, 2013 12:02 PM
To: [log in to unmask]
Subject: Re: [MSUNAG] JRE 6 Extended Support

Either you're lucky, or you may be surprised if you replaced that AV with something that's been updated.  It's also likely that other measures you're taking are preventing exploitation.  If you have Java and/or Flash disabled on that machine, you're reducing your attack surface.  If you have NoScript and/or AdBlock+ on your browser, that might not be grabbing the offending code in the first place.

Multiple layers of security and a reduced attack surface do wonders.

On Wednesday, February 06, 2013 11:20:42 AM, David McFarlane wrote:
> Hmm.  This does make me wonder, then, why I never run into these on 
> the machines that I run.  E.g., I have an old XP laptop that I use for 
> browsing the web at home with practically no AV (subscription expired 
> many years ago, never renewed, although it is behind a NAT router), 
> why has that never been compromised?  Am I just doing something 
> "wrong" (i.e., right)?
>
> Thanks,
> -- dkm
>
>
> At 2/6/2013 09:11 AM Wednesday, David Graff wrote:
>> Yep, these kinds of things are extremely prevalent and dangerous. This 
>> isn't the mid-90's where a user would have to do something silly to 
>> trigger an attack by opening the wrong attachment. In my environment, 
>> I see 3 to 5 drive-by Java exploits a day, and that's just from what 
>> I can pick up with the AV definitions and gets past the bad domain 
>> blacklist. These things are coming in through the advertisement 
>> banners, usually which go through some kind of ad channel that is 
>> re-sold to third parties multiple times destroying any kind of 
>> accountability when something bad gets propagated; Or you have 
>> hundreds of thousands of webpages using a common framework 
>> (WordPress, for example) which has a mass exploit and now all those 
>> seemingly legitimate sites are silently hosting the latest 
>> JRE/PDF/Flash 0-day exploit.
>>
>> Even last night Sundance Chevy's website got blocked because it was 
>> hosting something bad, and a few nights before that it was Bible.org, 
>> the Central Dakota Humane Society, and the National Association of 
>> State Boards of Accountancy websites.
>>
>> On Tue, 5 Feb 2013 18:33:43 -0500, Kwiatkowski, Nicholas 
>> <[log in to unmask]> wrote:
>>
>> >A better question would be -- how often have they done it already today?
>> >
>> >These exploits can be through drive-by advertisements on legitimate
>> >sites.  They could be from bad sites.  They could be from anywhere...
>> >
>> >-Nick
>> >________________________________________
>> >From: David McFarlane [[log in to unmask]]
>> >Sent: Tuesday, February 05, 2013 5:29 PM
>> >To: [log in to unmask]
>> >Subject: Re: [MSUNAG] JRE 6 Extended Support
>> >
>> >At 2/5/2013 04:02 PM Tuesday, Cooke, Tony wrote:
>> >>Since the University recommends/requires out of date/unsupported 
>> >>software, which has known vulnerabilities, are we not being 
>> >>required to put ourselves at risk? If so, is it an acceptable risk?
>> >
>> >My question exactly.  Just how dangerous is this JRE to our users?  
>> >Doesn't one have to be lured to a malicious website to trigger this 
>> >sort of attack?  How likely are our users to do this?
>> >
>> >-- dkm