Is there a 100% foolproof way to avoid drive by viruses?

Red Squirrel

[H]F Junkie
Joined
Nov 29, 2009
Messages
9,211
I am looking for some way to prevent browser drive by viruses. The ones where simply loading the web page infects you because they use flash or other junk like that which is allowed to do whatever to the computer if it's scripted in. To me it should be trivial for browsers to be coded in a way not to allow this crap, but they aren't...

Is there a way or a program or something I can do to prevent it.

Basically, a browser should never need to write any data to the system, ever. The only place it should be writing data to is its profile/temp folder, and perhaps a designated folder for file downloads. Period. It should not be touching c:\windows or c:\documents and settings (outside its very own folder) etc...

Is there some way to block it from writing to these system folders? So if ANY browser based process tries to, it will just fail.

I use noscript, but I'm tired of every site out there using javascript just for the layout and I'm always allowing sites just so I can even use them. This kinda defeats the whole purpose as I'm constantly enabling JS for every site I go to anyway because it's the only way to actually see the site. If a trusted site gets hacked and they put a drive by virus on it, then I'm still screwed. So I'm looking for something better.

I'd also like to setup my parents like this, as they always get viruses. So it needs to be easy to use.

I'm thinking, I could run the browser in a VM, but it seems a little excessive. Is there a way to do something like that, but more seamlessly?
 
:D Unplug the computer and place it in a secure location..... Zero chance of infection.
 
Is Sandboxie free or some kind of trialware? It's hard to tell from the site. That may work well for them.

And unplugging it does not work, they still need to be able to use it. :p

One of these days I actually want to code a browser that is secure. I'd probably take Firefox and just make all disk writes pass through a function and that function would deny the write if it's in an illegal area. Same idea with registry edits. That's all they really would need to do.
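An illustration of the "all disk writes pass through one function" idea in this post, as an added example that is not from the thread, from Firefox or from any browser: a policy check that permits a file write only inside the profile, temp and download folders, with the same idea applied to registry keys. The folder and key names are constructed placeholders and the function names are hypothetical; it uses Python's ntpath so the Windows-path logic runs on any host, and a real hook would additionally have to resolve junctions and symlinks, which this offline check cannot do.

```python
import ntpath

# Constructed placeholder roots standing in for a real browser profile layout.
ALLOWED_ROOTS = [
    r"C:\Users\parent\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default",
    r"C:\Users\parent\AppData\Local\Temp",
    r"C:\Users\parent\Downloads",
]
ALLOWED_KEYS = [r"HKEY_CURRENT_USER\Software\Mozilla"]


def _canon(path):
    # normpath collapses "." and ".." so "Downloads\..\..\Windows" cannot escape a root;
    # normcase folds case and forward slashes, which NTFS treats as equivalent.
    return ntpath.normcase(ntpath.normpath(path))


def _under(target, root):
    # Compare on whole path components so "Downloads2" does not match "Downloads".
    root = root.rstrip("\\")
    return target == root or target.startswith(root + "\\")


def write_allowed(path, allowed_roots=ALLOWED_ROOTS):
    """Return True only if path is absolute, has a drive, and lies inside an allowed root."""
    if not ntpath.isabs(path) or ntpath.splitdrive(path)[0] == "":
        return False  # relative or drive-less paths depend on the CWD; refuse them outright
    target = _canon(path)
    return any(_under(target, _canon(root)) for root in allowed_roots)


def registry_allowed(key, allowed_keys=ALLOWED_KEYS):
    """Same policy for registry writes: key names are case-insensitive and '\\'-separated."""
    target = key.lower().rstrip("\\")
    return any(_under(target, root.lower()) for root in allowed_keys)
```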
 
For administration purposes, this is why I set my users to be limited users on their workstations. Sure, it doesn't stop the infections, but it DOES make clean up easy; wipe the profile.

For home support situations, I just set them up with a good AV and opendns. As much as I rail against opendns, they do provide a good service for situations like these. In extreme cases, I'll set the default user account to be a limited user, but most of the time openDNS + MSE do the trick.
 
So does Opendns block these malicious domains? What about if a trusted site gets hacked? I guess for 99% of situations even a hacked site they'll just hotlink the virus off their own site so I guess it would still work.

I find limited/admin makes nearly no difference in this case. The browser will just allow the virus to write wherever it wants no matter what the user's group. It just bypasses all of that. When I worked in a corporate setting everyone was a limited user but we still had tons of infections. If you have to get to the point of wiping the profile it's almost as much work as reformatting. Have to restore all their stuff such as emails from backup, reconfigure everything etc...
 
Firefox w/ AdBlock/NoScript combined with MSE and OpenDNS are an awesome tag team for keeping that stuff at bay. Oh...and let's not forget patching Flash and Java. :D Acrobat in a way too. How many users have been infected that route?! :eek:
 
> So does Opendns block these malicious domains? What about if a trusted site gets hacked? I guess for 99% of situations even a hacked site they'll just hotlink the virus off their own site so I guess it would still work.
>
> I find limited/admin makes nearly no difference in this case. The browser will just allow the virus to write wherever it wants no matter what the user's group. It just bypasses all of that. When I worked in a corporate setting everyone was a limited user but we still had tons of infections. If you have to get to the point of wiping the profile it's almost as much work as reformatting. Have to restore all their stuff such as emails from backup, reconfigure everything etc...

Wow, no, not at all. If a user is limited, they have limited access to the system. They can not write to critical areas of the OS, that's kind of the point. Short of a privilege escalating malware package of course, which is actually pretty rare.

As far as wiping a profile; it would take me 15 minutes to reboot, log in as admin, nuke it, and have the user log in and restore their shortcuts/desktop/documents.

All opendns does is, essentially, blackhole hostnames that are known to be malicious. This will catch a large chunk of the crap out there.
 
> Short of a privilege escalating malware package of course, which is actually pretty rare.

Actually most of them are like this. They will just bypass most of the security measures in place, that's what they're designed to do. Windows has new privilege escalating vulnerabilities that are found almost every day. So these take advantage of those is my guess.

Noscript is what I use at home, but I'm actually getting tired of having to allow every single site I visit. I don't even know how effective it is these days because of how terribly most sites are coded nowadays and rather than use html/css they use javascript for layout, so I end up always having to click allow. I can't imagine expecting my parents to keep doing this.

Noscript would be more effective if it had definition files where it automatically allowed known good sites instead of relying on the user to do it. Or if it simply blocked specific types of javascript that are actually malicious rather than all or nothing.
 
> Actually most of them are like this. They will just bypass most of the security measures in place, that's what they're designed to do. Windows has new privilege escalating vulnerabilities that are found almost every day. So these take advantage of those is my guess.
>
> Noscript is what I use at home, but I'm actually getting tired of having to allow every single site I visit. I don't even know how effective it is these days because of how terribly most sites are coded nowadays and rather than use html/css they use javascript for layout, so I end up always having to click allow. I can't imagine expecting my parents to keep doing this.
>
> Noscript would be more effective if it had definition files where it automatically allowed known good sites instead of relying on the user to do it. Or if it simply blocked specific types of javascript that are actually malicious rather than all or nothing.

Sorry, I just haven't seen a whole lot of the priv escalations. In fact, I've only ever seen one.

Large or small corp, government or private, they just aren't that common.
 
noscript....


but do you really want to surf the internet that way?

it's like not taking road trips because cars are unsafe... if you're not an idiot driver (safe browsing) then you'll be fine....

i've never gotten one of those things ever, and i'm probably online 10x more than most of the people whose computer i clean that off of...
 
> noscript....
>
> but do you really want to surf the internet that way?
>
> it's like not taking road trips because cars are unsafe... if you're not an idiot driver (safe browsing) then you'll be fine....
>
> i've never gotten one of those things ever, and i'm probably online 10x more than most of the people whose computer i clean that off of...

It depends how much browsing you do. With the way browsers are so insecure nowadays, you just need to land on a bad page to immediately be infected. It's not like before where it would try to sneak you into downloading an exe and you'd get prompted. For some reason AV software does not catch spyware, only viruses, but these days it's the spyware that does the most damage.

You can be searching for programming related stuff for example, or a place to go on vacation, some fake vacation site pops up on Google, the description and text look like an ordinary site, you click it, boom, virus. Those fake antivirus apps are the worst.

This is mostly for my parents, so noscript just does not make sense for them. Even I'm getting sick of using it and want something less intrusive but still effective. I already use openDNS at home.

I'll try openDNS for them and see how that works out. At least it's a start. I've personally only gotten hit with one of these once and caught it right away when something flashed fast and a new icon showed up in the systray. If you are fast enough you can rip it out before it starts doing nasty stuff like changing the file association of .exe and such. I've had to remove one of those from someone's computer before, very nasty. Thankfully it had only changed .exe and not .com, .pif, .scr etc so I ended up just renaming regedit.exe to regedit.com and was able to remove the bad entries.

As for the profile, it's not removing it that's long, it's reconfiguring everything. Favorites, bookmarks, emails, settings for these things etc etc, restoring all their files (GBs worth, they don't have a central server like I do). The profile is a big part of the install and holds lot of info that makes things work. A virus that infects the profile is just as bad as one that infects the rest of the system.
 
> Is Sandboxie free or some kind of trialware? It's hard to tell from the site. That may work well for them.

It's free, kind of. You can use it for free, forever, but some features (I'm not sure which ones) are disabled in the free version, and after using the free version for 30 days, there will be a pop-up asking you to buy it at start-up, but it doesn't force you to buy it. It's kind of like the pop-up when you start mIRC or WinRAR.
 
On systems I care about I use Firefox with adblock and noscript along with Sandboxie. I also don't install Adobe products or Java.
 
I've also found OpenDNS + limited privileges + MSE + AnythingButIE to be a pretty good combo. I'll also use Sandboxie when I'm doing something... "risky".
 
I use Chrome with scripts and plug-ins turned off. If I deem a site trustworthy, I turn them on; Chrome makes it pretty easy to do this.
 