Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
amcg Junior Member
Joined: 05 Sep 2004 Last Visit: 02 Dec 2008 Posts: 29
Posted: Sat Sep 11, 2004 6:11 pm Post subject: Software to protect my pc from spyware, viruses etc...
Hi - I'm looking for advice on how to protect my pc against spyware, viruses and other assorted nasties. After finally ridding myself of the StopGuard problem (thanks Nick!) I'm rejigging the security on my machine. I installed the Windows XP Service Pack 2 and it all went without a hitch. To that I added the following...
Firewall
Kerio 2.1.5
Regarding firewalls, I did a bit of searching around the net and the one that kept reoccurring as one to go for was an old version of Kerio, namely 2.1.5. I've installed it and it's running sweetly thus far. Has anyone here got a preference when it comes to free firewalls? I'm looking for something that will keep things fairly tight and that won't confuse the other users on the machine (who know and use exactly nothing outside Word and email).
Anti-Virus
Norton 2003 (already subscribed)
(+ the various online scanners)
Norton seems to get mixed reviews. I've certainly become annoyed by the fact that the "automatic LiveUpdate" feature only downloads updates once a week - you have to perform a manual download to get daily updates (what am I paying my money for???). I've visited many forums that say Norton's a joke; however, I've also read a number of articles extolling its virtues! Where does the truth lie? I'm thinking that a decent free backup anti-virus program would cover the bases nicely. Which is the one to go for? AVG? Avast?
Anti-Spyware stuff
Ad-Aware SE (free)
SpyBot (free)
SpywareBlaster (free)
SpywareGuard (free)
I'm pretty happy with the Anti-spyware stuff that I've got on the machine. I've switched to Firefox and Netscape for my browsing so that alone should tighten things up a notch.
Anyone got anything else to add?
3162 Honorary Site Admin

Joined: 31 Mar 2004 Last Visit: 04 May 2009 Posts: 4452
Posted: Sat Sep 11, 2004 6:42 pm
I prefer ZoneAlarm, but Kerio is good too.
Quote:
(who know and use exactly nothing outside Word and email).

Make sure that you tell them NEVER to click on Attachments. Even when it appears to come from someone they know. If in doubt, email that person back, and ask if they sent an attachment.
You can modify your Hosts File also
http://webpages.charter.net/hpguru/hosts/hosts.html
or
http://www.mvps.org/winhelp2002/hosts.htm
_________________
Proud member of the Chest Zipper Club!
herbalist Warrior Addict

Joined: 28 Aug 2004 Last Visit: 25 Jun 2008 Posts: 726 Location: northern Michigan
Posted: Sat Sep 11, 2004 7:30 pm
amcg,
You're using my favorite firewall, Kerio 2.1.5. As you go, you'll learn how to tighten up the ruleset to match what you have and how you use it.
Your Anti-Spyware choices are good. Just keep them updated.
Regarding Norton, you'll run into mixed opinions there. I used it for 6 months, then replaced it with AntiVir, a free German AV. It's available at:
http://www.free-av.com/
I was quite unimpressed with Norton. Had at least one virus get by it. Their customer support leaves a lot to be desired, and it's way overpriced.
AVG has a lot of satisfied users. Not familiar enough with Avast to comment. The truth in the matter is that no AV catches everything. Most do pretty well and it's as much a matter of preference as anything else.
Regarding the use of a second AV, this requires some configuration and some explaining. Most AVs have 2 main parts. One is the resident guard, which AVG calls the resident shield. Other AVs use different names. The other part is the AV scanner. You can't have 2 resident AV guard/shield programs or 2 AV scanners running at once. They interact and generally conflict. You can have one of each and they don't need to be from the same program. I have 3 AVs. AntiVir is my resident AV. I also have AVG. Its resident shield component is disabled. I primarily use the "scan with AVG" entry it puts in the right click menu for manual double checking. I also use F-Prot for DOS. It's a command line scanner for DOS based operating systems, not compatible with XP.
I have that one integrated into my download manager and the file transfer components of Instant messenger programs. Also have an entry for it in the "send to" menu.
If you choose to run more than one AV, set it up similar to what I described with your choice of brands. Let the best one run resident and integrate the other one into everything that transfers files. Make sure whatever one you choose for manual and/or integrated file scanning allows you to not run the resident guard/shield.
This cover what you needed?
Rick
herbalist Warrior Addict

Joined: 28 Aug 2004 Last Visit: 25 Jun 2008 Posts: 726 Location: northern Michigan
Posted: Sat Sep 11, 2004 7:53 pm
While I'm thinking about it, consider picking up a good "whois" tool. They're very handy when configuring a firewall, especially a rule based one like Kerio. Sam Spade is an excellent program which includes a whois. A whois is literally what it sounds to be. It converts IP addresses to names. Sam Spade does a lot more than that and its help files are an education in themselves.
For firewall configuring, use it in this order. When an application connects out for the first time, your firewall will alert you with something like:
Application XYZ wants to connect to 123.123.123.000. Enter that number into Sam Spade and choose "whois". In most cases, it'll tell you who or what company that IP belongs to. Often it will give a range of what IP addresses they use. An example of a range for this might look like 123.123.123.000 - 123.123.123.255. Generally, knowing who the app is connecting to, or who's trying to connect to that application will decide if you want to permit it. When a range of IPs is returned you can edit the rule to allow that range but deny other ranges. What exactly you need to permit or deny varies widely, depending on your applications and needs, but this gives something of an idea of how to do it, even if I did over-simplify it.
Sam Spade is available at:
http://samspade.org/ssw/ It's free.
Rick
TeMerc Warrior Obsessed

Joined: 12 Feb 2004 Last Visit: 23 Dec 2009 Posts: 4953 Location: Phx. AZ.
amcg Junior Member
Joined: 05 Sep 2004 Last Visit: 02 Dec 2008 Posts: 29
Posted: Sun Sep 12, 2004 2:20 am
3162 wrote:
Make sure that you tell them NEVER to click on Attachments. Even when it appears to come from someone they know. If in doubt, email that person back, and ask if they sent an attachment.

Yep, they're already very well trained in that regard!
amcg Junior Member
Joined: 05 Sep 2004 Last Visit: 02 Dec 2008 Posts: 29
Posted: Sun Sep 12, 2004 2:22 am
herbalist wrote:
While I'm thinking about it, consider picking up a good "whois" tool. They're very handy when configuring a firewall, especially a rule based one like Kerio.

Thanks for the "whois" tip. You describe Kerio as a "rule based" firewall. I've seen the list of rules within its advanced section and it looks quite daunting. Is one supposed to set all this manually? And while I'm at it, what exactly is a "non-rule based" firewall?
amcg Junior Member
Joined: 05 Sep 2004 Last Visit: 02 Dec 2008 Posts: 29
Posted: Sun Sep 12, 2004 2:24 am
TeMerc wrote:
While all the antispy apps you listed are good, here are a few more I always recommend, and all free.
WinPatrol
MVPS Hosts
IESPY ADS
Keep track of updates for ALL your security needs here:
Calendar of Updates
Happy surfing! :D

Thanks TeMerc - am having a look at them now.
herbalist Warrior Addict

Joined: 28 Aug 2004 Last Visit: 25 Jun 2008 Posts: 726 Location: northern Michigan
Posted: Sun Sep 12, 2004 11:49 am
You also have what is called "application based" firewalls. There are also firewalls that are hybrids of both. I'll let someone else give a definition for application based firewall. Can't seem to come up with the right terms at the moment. Zone Alarm is basically an application based firewall although it also uses rules. Here's a couple links with info on firewalls.
http://www.wilders.org/firewalls.htm
http://www.chaseandsam.com/firewall.htm
In general terms, you can sum up the differences between application and rule based this way. Rule based are generally smaller, easier on resources, and if the ruleset is good, the more secure. They also tend to be more reliable.
Application based are usually larger programs, sometimes requiring updating. They're not quite as secure as rule based firewalls, not to say that they're insecure. They are easier to configure as most can create their own rules.
The ruleset for a firewall like Kerio can be intimidating until you get the hang of it. I'm running win98 and my ruleset has 80 rules. A firewall like Kerio will ask you every time an app needs to connect to the internet in a manner that there's no rule in place to cover. You've probably seen the check box for "create rule and don't ask...". Every time you check that box and click either "permit" or "deny", you create a firewall rule. This much of the process is automatic. The "edit" button on the advanced menu is where you edit rules. This isn't something you have to be able to do right away. Edit and tighten up your ruleset as you learn it. A couple pointers. Many applications don't actually need all the internet connections they request. Some are "calling home", for who knows what. Others link to adservers. The instant message programs do a lot of this. Parts of the operating system want to connect regularly, but their doing so often serves no purpose for the user. By blocking unnecessary connections, a firewall can actually speed up your connection at times.
Kerio reads its ruleset from the top of the list down. The first rule that it comes to that applies to the connection request is used. Most of the rules are going to be specific for each application. You will also have rules that apply to your entire system. These will usually be at the top of the list. Such rules include DNS resolving and system blocking rules. Running 98, I can block most of the windows apps from internet access. XP will require a different set of rules here. I have both internet explorer and windows explorer blocked by rules near the top, along with several other system components.
When rules apply to one specific application, the rules that permit certain connections need to be above those that deny connections. For example (an over simplified one), say you want application ABC to be able to connect to only one site. The site's IP is 123.123.123.123. You edit the rule for this app so that this is the only address listed in the "permit rule". Below that, you insert another rule blocking that app from all communication. When done this way, any communication for app "ABC" that does not come from 123.123.123.123 is automatically blocked. You use this type of setup for updaters and other programs that only need to connect to one site. Programs like your browser need to be able to connect out to just about anywhere, but rarely need to accept incoming connections. For this, you use the edit and then the direction drop box. On mine, I have 2 rules for Mozilla. The first permits all outgoing connections. The second blocks incoming connections. Comparatively few applications need to accept incoming connections, also called "server rights" on other brands.
The rules you have will vary depending on your applications and needs. It will take a while to completely get the hang of it. Even though your rules may not be as tight as they could be, your firewall is still making you more secure than you'd be without it. The biggest thing is to be sure what you permit. Know what they are. The rest will come.
Rick
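An added example, not part of herbalist's post and not Kerio's own code: a small Python model of the top-down, first-match rule evaluation described above, using the single-site permit/deny pair for "ABC", the outbound-only browser rules, and a whois-style address range like the one in the earlier Sam Spade post. The `Rule` class, the `evaluate` function, the executable names and the "ask" fallback label are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                                # "permit" or "deny"
    app: Optional[str] = None                  # None = applies to every application
    direction: str = "both"                    # "out", "in" or "both"
    remote: Optional[Tuple[str, str]] = None   # inclusive IP range, None = any address

    def matches(self, app, direction, remote_ip):
        if self.app is not None and self.app != app:
            return False
        if self.direction != "both" and self.direction != direction:
            return False
        if self.remote is not None:
            lo, hi = (IPv4Address(a) for a in self.remote)
            if not lo <= IPv4Address(remote_ip) <= hi:
                return False
        return True


def evaluate(ruleset, app, direction, remote_ip):
    """Walk the list from the top; the first rule that applies decides."""
    for rule in ruleset:
        if rule.matches(app, direction, remote_ip):
            return rule.action
    return "ask"  # no rule covers the request, so the user would be prompted


# Constructed ruleset in the layout the post describes: system-wide blocks at
# the top, then per-application rules with each permit above its catch-all deny.
RULESET = [
    Rule("deny", app="iexplore.exe"),                      # hypothetical name
    Rule("permit", app="ABC", remote=("123.123.123.123", "123.123.123.123")),
    Rule("deny", app="ABC"),
    Rule("permit", app="mozilla.exe", direction="out"),    # hypothetical name
    Rule("deny", app="mozilla.exe", direction="in"),
    Rule("permit", app="XYZ", direction="out",
         remote=("123.123.123.0", "123.123.123.255")),     # range taken from whois
    Rule("deny", app="XYZ"),
]

# The same two ABC rules in the wrong order: the deny is reached first and
# shadows the permit, so even the one allowed site is blocked.
MISORDERED = [RULESET[2], RULESET[1]]
```
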
amcg Junior Member
Joined: 05 Sep 2004 Last Visit: 02 Dec 2008 Posts: 29
Posted: Sun Sep 12, 2004 3:43 pm
That's very interesting, I appreciate you taking the time to type it all out!
herbalist Warrior Addict

Joined: 28 Aug 2004 Last Visit: 25 Jun 2008 Posts: 726 Location: northern Michigan
Posted: Sun Sep 12, 2004 4:27 pm
Not a problem. Hope it helps you out.
Rick