• Should your personal computer be quarantined?


    #467303

    TOP STORY


    By Robert Vamosi

    A hot topic at last week’s RSA Conference in San Francisco was how to stem the flood of botnet-infected PCs.

    The controversial solution posed by a Microsoft security executive? Quarantine them.

    The full text of this column is posted at WindowsSecrets.com/2010/03/11/02.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1212882

      A ‘Wild West’ analogy is useful to show how passively awful your stance is.

      The anti-spam & security industry is busy selling defences and tools for monitoring attacks. No-one has yet got around to calling in the Marshal, the Sheriff, or anyone else who will mount a good offense. There is no win in simply counting how many bullet holes we are receiving.

      I agree with the Microsoft stance – we need to go onto an active process to hold ISPs and purveyors of spam to account for their anti-social behaviours. If someone is stupid enough to continue to run a zombie computer, then it is entirely appropriate to defend oneself from it with an effective offense.

      • #1212926

        “A ‘Wild West’ analogy is useful to show how passively awful your stance is.

        The anti-spam & security industry is busy selling defences and tools for monitoring attacks. No-one has yet got around to calling in the Marshal, the Sheriff, or anyone else who will mount a good offense. There is no win in simply counting how many bullet holes we are receiving.”

        Yay! I’m very happy to hear someone echo my thoughts on this! I sure wish our youth would put a little time into helping develop a counter-offense. We’ve been playing “rope-a-dope” with these bozos for too long. There must be some way for our CPUs to take an attempted hack and turn it into a counter-weapon – sort of like cyber-jiu-jitsu…

        But no to quarantines – except in cases of regional or national security. BTW – I’m using a 5-yr-old machine running XP; I recommend Eset’s NOD32, which I use in combo with NoScript (free), Ad-Aware (free), WinDefender (free), Firefox (free), and my router. Might be overkill, but a layered defense is a good defense.

    • #1212883

      To quarantine a PC, your ISP doesn’t need access to it, just the traffic it sends. The ISP already has access to this because it is transmitting and routing the traffic.

      Microsoft do this sort of thing all the time at conferences where all network traffic from delegates’ PCs is routed through ISA Server and inspected for signs of infection in real time. If any signs of infection are detected, requests from that PC for an Internet page are redirected to a page on the ISA Server which says “your PC appears to have a problem – please come to the IT Support booth”. The technicians there then help the delegate clean their machine and install/update anti-malware. This kind of service works very well in a conference environment, protecting all delegates from cross-infection by the infected PC but also protecting the bandwidth from abuse by the malware so it is available for the other delegates.

      Scaling this scenario up to the ISP level makes sense and it doesn’t matter that not every ISP in the world is doing it. It would be an extra layer of protection for all the customers of the ISP that does and so a reason to take that ISP’s service over another that doesn’t offer that protection.

      Simon Jones

    • #1212888

      My first thought was “good idea”. But then I realized it was simply a MS scam. They peddle bug-ridden software and expect everyone else to fix their problem.

      The problem I have with it is the follow-through. Sure, it is easy enough for an ISP to identify suspicious traffic and block it, then what? The ISP has to pay the cost of the support call to fix the problem? Works well for the M$ bottom line.

      OK, granted MS isn’t the only one with buggy software but they have the market by a long shot.

      • #1212927

        My first thought was “good idea”. But then I realized it was simply a MS scam. They peddle bug-ridden software and expect everyone else to fix their problem.

        The problem I have with it is the follow-through. Sure, it is easy enough for an ISP to identify suspicious traffic and block it, then what? The ISP has to pay the cost of the support call to fix the problem? Works well for the M$ bottom line.

        OK, granted MS isn’t the only one with buggy software but they have the market by a long shot.

        I realize this forum is for users running Windows, but if you were to take the second hand smoke analogy to the logical conclusion, then the answer is to ban machines running Windows software from the internet. This would be a great boost for Macintosh and Linux.

        However, if you take Microsoft’s preferred solution that the ISP only permits Windows machines with specified patches, what an easy way to kill the competition from Macs and Linux.

        I like a machine that just works, and I don’t have to futz with patches and constantly updating anti-malware, and having to babysit to make sure it doesn’t automagically decide to reboot for this excuse or that while I’m in the middle of work. Running Windows does not provide this ease-of-use experience.

        I understand that NOT USING WINDOWS is not a fix for people trying to run Windows and solving the problems presented with Microsoft’s products, and for that I apologize. But the proposal from a Microsoft executive that tries to force Microsoft policies on all users of the internet for the benefit of Microsoft was just too much.

        • #1212943

          I realize this forum is for users running Windows, but if you were to take the second hand smoke analogy to the logical conclusion, then the answer is to ban machines running Windows software from the internet.

          Bingo. Taking Microsoft’s “second-hand smoke” analogy a step further: Microsoft are the tobacco peddlers. They’re the ones who addicted millions of people to this unhealthy software. THEY are the ones who should pay to solve the problem, NOT the taxpayers as MS are suggesting.

          Or using the “keep your car in good repair to drive on the roads” analogy: if a car maker produces inherently unsafe cars, they are punished and required to recall and repair those cars at THEIR expense. The same should be true for the OS manufacturer who created the entire Internet security problem.

          Since Microsoft seems unable to produce proper secure software, their systems should be quarantined until such time that they can become law-abiding members of the community. Microsoft should be fined heavily for causing this problem, which costs billions of dollars every year, and required to repair the problem as a condition of selling their product.

          Force the perpetrators to fix the problems **they caused**, or future perpetrators will just repeat the same offenses.

        • #1212985

          I realize this forum is for users running Windows, but if you were to take the second hand smoke analogy to the logical conclusion, then the answer is to ban machines running Windows software from the internet. This would be a great boost for Macintosh and Linux.

          However, if you take Microsoft’s preferred solution that the ISP only permits Windows machines with specified patches, what an easy way to kill the competition from Macs and Linux.

          I like a machine that just works, and I don’t have to futz with patches and constantly updating anti-malware, and having to babysit to make sure it doesn’t automagically decide to reboot for this excuse or that while I’m in the middle of work. Running Windows does not provide this ease-of-use experience.

          I understand that NOT USING WINDOWS is not a fix for people trying to run Windows and solving the problems presented with Microsoft’s products, and for that I apologize. But the proposal from a Microsoft executive that tries to force Microsoft policies on all users of the internet for the benefit of Microsoft was just too much.

          Excellent statement!

          The fault lies with Microsoft in providing a buggy OS! This is just another case of passing the buck to the ‘small’ person, not big corporation assumption of the problems caused by their inability or unwillingness to provide a properly made product. It’s akin to making the home owner responsible for both suffering the loss and bearing the cost of catching a crook.

          Perhaps MS would like to provide all ISPs with their in-house conference scanning system at no charge?

          Microsoft do this sort of thing all the time at conferences where all network traffic from delegates’ PCs is routed through ISA Server and inspected for signs of infection in real-time. If any signs of infection are detected, requests from that PC for an Internet page is redirected to a page on the ISA Server which says “your PC appears to have a problem – please come to the IT Support booth”

          For an ISP, that could read: “Please contact our technical services for assistance.”

          A little too much PC for PCs is my opinion of Mr Scott Charney’s proposal!

      • #1213085

        My first thought was “good idea”. But then I realized it was simply a MS scam. They peddle bug-ridden software and expect everyone else to fix their problem.

        The problem I have with it is the follow-through. Sure, it is easy enough for an ISP to identify suspicious traffic and block it, then what? The ISP has to pay the cost of the support call to fix the problem? Works well for the M$ bottom line.

        OK, granted MS isn’t the only one with buggy software but they have the market by a long shot.

        Again you are not looking at the overall picture. MS makes no more buggy software than anyone else. They have the share of market, so why would the bad guys waste time going after small shrimp when they can get lobster tails?

        ISPs already know what you are doing because they monitor the traffic, so when they find bad news just isolate that PC, contact the customer and get the PC cleaned. No harm, no fault.

        Malware is a bigger threat than spam since it takes control of your PC in such a way that you do not know it until notified. Personally I have never had this problem since I am paranoid about the US government, so I pay very close attention to what my PC is doing including reading the logs, which I understand but most users do not.

        I also disagree with your recommendations (AVG and ZoneAlarm) on the security (you must be on their payroll) since what you recommended is bloatware for what it is supposed to do. Get slick, trimmed-down versions like Avast, Online Armor, Comodo etc. AVG and ZoneAlarm have lost their way and just continue to add features, making their programs larger and larger. At least Symantec has redone their Antivirus and trimmed it down considerably.

    • #1212891

      I think quarantine is a good idea. YOU are responsible for your computer. If it is not safe, then it should not be allowed to mingle with other computers.

      Alternatively, they could charge the computer owner a higher fee that increases regularly until the computer is certified fixed.

      And consider the economic benefits – this would increase the opportunities for computer consultants, which would be good given the large number of unemployed people.

      • #1212940

        I think quarantine is a good idea. YOU are responsible for your computer. If it is not safe, then it should not be allowed to mingle with other computers.

        Alternatively, they could charge the computer owner a higher fee that increases regularly until the computer is certified fixed.

        And consider the economic benefits – this would increase the opportunities for computer consultants, which would be good given the large number of unemployed people.

        The thing is that someone could be cut off just when they really needed their connection. Or, now they don’t know what to do about the infection and cannot go download a security program.

        What if ISP make mistakes too? It could cause quite unwanted hassle…

    • #1212898

      Some mixed feelings about this, but overall more favorable than not. Software makers don’t deserve the full blame for this. If you can’t manage to keep your computer clean for any length of time, then maybe you should suffer the inconvenience of being singled out and quarantined now and then. Negative reinforcement can be a good teacher for some folks. Obviously I don’t have a whole lot of sympathy for those who, by ignorance or apathy, help perpetuate botnets on their personal computers. There ought to rightfully be a way to protect the rest of us from them. Removing the botnet problem can go a long way in terms of thwarting many professional attacks. I don’t like the idea of a draconian-style control and regulation of the internet either.

      No real solution to this except time, general education, and conscientious software makers. And most importantly: open & fair international regulations. Maybe the next generation will be more tech savvy and security conscious. Hopefully.

    • #1212902

      It’s a difficult situation. Since I’m not an expert in the field, just an ordinary PC user, I’ll not be able to solve the problem. Just to add a comment about your suggestion to use ZoneAlarm Free Firewall. AFAIK, the free version of ZoneAlarm is the worst of firewall programs based on many reviews. I suggest using the free version of COMODO Internet Security ( http://download.comodo.com/cis/download/installs/installer_data/binaries/cisfree_installer.exe ). It includes the AV. It’s not perfect and for average users often frustrating due to pop-up windows. But it’s one of the best free firewalls. Or better, use Outpost Firewall – the free version ( http://free.agnitum.com/ ). Further, is it wise to run two AVs in one PC as you suggested: “Together, these products can do a good job of eliminating malware without the expense of annual subscription fees”? IMHO, running two AVs in one PC is troublesome. Thanks.

      • #1212939

        It’s a difficult situation. Since I’m not an expert in the field, just an ordinary PC user, I’ll not be able to solve the problem. Just to add a comment about your suggestion to use ZoneAlarm Free Firewall. AFAIK, the free version of ZoneAlarm is the worst of firewall programs based on many reviews. I suggest using the free version of COMODO Internet Security ( http://download.comodo.com/cis/download/installs/installer_data/binaries/cisfree_installer.exe ). It includes the AV. It’s not perfect and for average users often frustrating due to pop-up windows. But it’s one of the best free firewalls. Or better, use Outpost Firewall – the free version ( http://free.agnitum.com/ ). Further, is it wise to run two AVs in one PC as you suggested: “Together, these products can do a good job of eliminating malware without the expense of annual subscription fees”? IMHO, running two AVs in one PC is troublesome. Thanks.

        Yes, I agree. Those security products recommended (AVG’s Anti-Virus Free Edition 9.0, Checkpoint’s ZoneAlarm Free Firewall, and AVG’s LinkScanner) aren’t that great. AVG and ZoneAlarm have a lot of leaks, and are fairly slow. Most of the infected computers I’ve seen were running AVG.

        Use Comodo Internet Security, maybe Norton Internet Security 2010, or Outpost Firewall.

    • #1212916

      Quarantining? Will never happen, too many players IMHO.

      I strongly object to “recommending” AVG, ZoneAlarm and so on. I am out working with customers’ computers every day; by far most people have medium-old (4 years plus) single-CPU machines with limited RAM. AVG bogs such machines down to nowhere.

      ZoneAlarm once, many years ago, was a good firewall. But hey, don’t you know that since August 2004 (release of SP2 for XP) the Windows firewall runs efficiently and reliably _without_ bugging grandma/-pa with techie questions they don’t understand? Boy oh boy, reality in the field is so much different from all these office desk chair discussions.

      I would not mind my ISP virus checking all my traffic; Google Docs doesn’t even allow me to store a zipped (known virus free) exe file!

      I think it is simply a sign of the right hand not knowing what the left hand does that a MS Big shot talks of quarantining zombie computers but Hotmail accounts distribute spam with known malicious links and viral attachments. What a joke.

      Sorry for the rant.

    • #1212919

      Pro-active measures to stop the illegal use of facilities, including individuals’ PCs, are a laudable effort. Taking measures to stop spam is not. Spam may be repugnant but it is not illegal. One can make the argument that it is a valid form of business enterprise. If the terms of service that the spammer enters into with his service provider allow spam, then it is safe to assume the spammer has paid for the right to send spam. Unless and until spam becomes illegal, nobody has the right to impose a ban because they find it repugnant. It is analogous to the individual’s right to use the Post Office to send junk mail provided they pay the postage.

      As for the “free” security measures suggested, I suggest they are only appropriate for individuals who have the knowledge and capability to understand how to configure and use them along with a host of other administrative practices that are part of running a sound and safe system. Such capable individuals are likely the type who appreciate how much work is involved and are likely to elect to spend $20 on a comprehensive commercial security package that does everything pretty well automatically in a seamless integrated package. For the huge number of not-so-capable individuals, the appropriate recommendation is to spend $20 for a comprehensive commercial security package that does everything pretty well automatically in a seamless integrated package.

    • #1212933

      Time Warner Cable has been doing this for years, at least in the South Eastern U.S. You send out enough malware and they will send you a letter giving you 30 days to clean up your act. Listen, computers have been around long enough for people to know how to take care of them responsibly. I would use the car analogy. You have to maintain your vehicle to a certain minimum safety standard in order to drive on the public roads. Brakes, emissions, lights, etc. 99% of the drivers cannot maintain their automobiles themselves so they go out and hire a mechanic.

      Computers are no different. They are just as vital today to our lives, and the lives of others. They can also cause just as much harm when not maintained properly. Just ask anyone who has ever had their identity stolen. We all pay for cyber crimes one way or another, even those of us who maintain our systems.

      Also, would everyone stop recommending people use free protection software! AVG AV is a great product but it does not provide real-time protection from spyware. As computer professionals we need to alert computer users that there are more threats than just viruses. There are whole categories of malware that virus scanners do not protect from. People need to get into the mindset that computer ownership is serious and that owning a computer has an ongoing cost to it.

    • #1212937

      As a computer user:

      * I am an adult.
      * I use linux.
      * I don’t need babysitting.
      * the freeware you mention is bloated beyond recognition. I suggest Comodo FW and Antivir AV.
      * the idea of a tax is unthinkable.

      As a long-term computer professional:

      The problem, as I see it, is education. Even going so far as to babysit the voluntarily stupid is only putting a bandage on the problem.
      People *need* to learn the very basics about their computers or the problem is only going to get worse. If they can learn the basics about their automobiles, they can learn about their computers. It’s a responsibility that goes along with a privilege (we’re not big on responsibility these days). Maybe Americans Idle can do a special on computer use.

      This begs the question of who is going to teach them and we’re back to Nanny State again.

      This is one tough problem.

    • #1212947

      RE the link in the column for AVG’s free version, I followed it through about 3 or 4 pages of advertising to upgrade to a paid version, finally reaching a download to download the download, and after following the setup through more options to upgrade I received an error message that I had no internet connection. Windows Secrets would do well to stop recommending AVG for this and the other reasons cited. I now recall using AVG before and it is a bloated performance killer.

    • #1212952

      It sounds just so easy. ISPs give away antivirus software and all will be well with the world.

      NOT…..

      The problem is not the spyware/malware. The problem is that Windows (including Windows 7) is very easy to drop a rootkit into. 95% of rootkits will NOT be caught by any antivirus solution on the market. They currently require manual removal including booting to a live CD to kill the progenitor files off. The rootkits do everything from hiding the malware from scanners, to stopping scanners from even being able to run. In fact I spend about 90% of my time as a tech cleaning systems that have been rooted. Until Windows is secured against rootkits this problem is never ever going to go away.

      Sorry, but the buck in my opinion stops in Redmond. Until they change the most basic design element of their architecture that allows software to access the Windows directory and core files, this problem will not go away.

    • #1212959

      I have wondered for some time why action is rarely taken against infected systems. One need only look at firewall logs, SPAM filter logs or various blacklists to see the IP addresses of systems that are misbehaving. For example, I can look at my firm’s firewall log and often see a particular IP address scanning the range of addresses assigned to me, attempting to gain access to certain well-known ports that I have blocked. That in itself is proof, to me, of a problematic system since it has no business trying to access my network. And if it is a human doing the scanning then they too should be booted until they learn to behave.

      Yes, we do quarantine individuals who are suspected of carrying a contagious disease and we should do the same for computers as well.
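The log review described in the post above, turned into a small script. This is an added example, not code from the original post: the log line format is a constructed iptables-style "DROP" record, the addresses are documentation ranges, and the thresholds are assumptions chosen for the tiny sample.

```python
"""Find sources that probe many addresses or many ports in a firewall drop log.

Added example for this thread, not code from the original post. The log
line format is a constructed iptables-style 'DROP' record and the
addresses are documentation ranges; both are assumptions, not any
particular firewall's real output.
"""
import re
from collections import defaultdict

# Constructed sample: one source sweeps several hosts and well-known ports,
# another source produces a single stray drop (not a scan).
SAMPLE_LOG = """\
Mar 11 02:14:01 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP DPT=135
Mar 11 02:14:01 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.11 PROTO=TCP DPT=135
Mar 11 02:14:02 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.12 PROTO=TCP DPT=139
Mar 11 02:14:02 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.13 PROTO=TCP DPT=445
Mar 11 02:14:03 fw kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.14 PROTO=TCP DPT=3389
Mar 11 02:20:45 fw kernel: DROP IN=eth0 SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP DPT=80
Mar 11 02:21:10 fw kernel: this line is not a drop record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) .*?DROP .*?SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a DROP record, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("dst"), int(m.group("dpt"))


def summarize(log_text):
    """Per source IP: number of drops, distinct targets, distinct ports."""
    stats = defaultdict(lambda: {"drops": 0, "hosts": set(), "ports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated syslog line
        _, src, dst, dpt = rec
        s = stats[src]
        s["drops"] += 1
        s["hosts"].add(dst)
        s["ports"].add(dpt)
    return stats


def flag_scanners(stats, min_hosts=3, min_ports=3):
    """Report sources that swept many addresses or probed many ports.

    The thresholds are deliberately low for the small sample above;
    tune them to your own log volume before acting on the output.
    """
    flagged = {}
    for src, s in stats.items():
        sweep = len(s["hosts"]) >= min_hosts
        portscan = len(s["ports"]) >= min_ports
        if sweep or portscan:
            flagged[src] = {
                "drops": s["drops"],
                "hosts": len(s["hosts"]),
                "ports": sorted(s["ports"]),
                "reason": "address sweep" if sweep else "port scan",
            }
    return flagged


if __name__ == "__main__":
    for src, info in flag_scanners(summarize(SAMPLE_LOG)).items():
        print(src, info)
```

A single stray drop from a source is left alone; only sources that touch several addresses or several ports are reported, which is the pattern the post treats as evidence of a problem host.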

    • #1212997

      Truck drivers are not allowed to travel 90MPH on our highways because it’s unsafe to other people using the roadway and it’s against the law. So let’s ban all trucks from the highway until it is proven that truck driver(s) and/or trucks will never speed and that no truck driver will ever operate a truck unlawfully.

      High school kids have been known to sell and/or use drugs in their school. Don’t allow high school kids to go to school until it is proven that they will never use or sell drugs.

      Neither MicroSlob nor millions of other entities are permitted to make laws. Only government is allowed to make laws and you’d think in the thousands of years experience they have that they would no longer screw it up so bad! Maybe we should ban government.

      MS creates the operating system that has bugs in it and/or allows hackers, worms, virii, etc to infect my computer. Ban MS and others from selling OS’s until they can prove that that operating system will never have bugs and will not allow future hackers, worms, virii, etc to infect computers. I guess that MS might begin by de-implementing cookies and not have code in email attachments that could fire off an attack!

      From re-reading this it sounds like the problem on computers might be MS! Perhaps government should fine MS $1,000,000 for each bug on each computer that ends up with bugs on it!

    • #1213009

      I am for the idea. A lot of analogies have been used. The one I think most appropriate is taking your friend’s keys if he’s had too much to drink. He is a danger to himself and everyone else on the roads. My ISP (Rogers Cable in Canada) actually did cut my service when my son’s computer got bit by a bug. I called tech support and told them I had identified and removed the virus and my service was restored while I was on the phone.

      Mind you, I wish we could apply the Highway Traffic Act to the internet; a basic competency test before you can “hit the road” and regular safety and emission tests on your hardware.

    • #1213015

      I think that you should give http://www.avast.com security a try. I use it and find that it does not hog so much of my drive

    • #1213043

      In general I agree with the “you should take care of your own computer — including paying someone to remove errant software if you choose not to do it”.

      You wrote:

      Will the majority of foreign ISPs support a quarantine system — much less provide free security software? Doubtful.

      So, to take your analogy one step further —— BAN THE FOREIGN ISPs from the INTERNET!! Doubtful

      As usual, the devil is in the details.

    • #1213066

      Let’s see now, some 50% or more of all email traffic is supposed to be spam, depending on whose numbers you believe. And some 25-50% of all PCs are supposed to be running zombie software which is using them for malware and spam, again depending on whose numbers you believe.

      With a problem that large, sapping perhaps 25-50% of all bandwidth on the web and email servers and creating all sorts of mischief, Mr. Vamosi does not think the folks who are either:
      1-Too naive
      2-Too stupid
      3-Too inconsiderate

      shouldn’t be held responsible for the problem they are hosting, they are ignoring, they are dumping on everyone else?

      This is basic common courtesy and basic social skills. If these folks can’t or won’t understand why they need to “practice safe hex” then by all means, drop their internet connections, censure them, ban them, charge them double to open a new account and make them wait six months before they are even allowed to get that.

      Come on, Vamosi, get real. Punish the guilty, not everyone else. Give ’em one warning because maybe they are naive and don’t understand the problem, but one warning only, and then let them know fast and certain that if they’re going to create problems for everyone else because they can’t be bothered with security–they can play by themselves, offline forever.

    • #1213110

      I find it hard to believe I am saying this but I think I agree with Microsoft’s position on this as long as it is properly managed and not abused by the regulating authority.

      I have been a broadband user for a long time and used to monitor the hits on my firewall router. I could not believe the amount of virus traffic my router stopped. I used to report some of the constant offenders to my provider at the time (Comcast) and ask why they permitted it. I also wondered why they did not stop most of it (what they could) at their routers. I found it rather ironic some time later when they sent me a letter stating they were going to start charging customers based on how much bandwidth they used. I replied saying that the first bill I got for extended use would be the last one I paid and that if they cleaned up their network they probably could provide higher speeds and more bandwidth for all. At that time I decided to get another provider. Since then they now offer free (ahem – included in the cost) anti-virus, something Verizon still charges extra for. And as far as I know they have not implemented surcharges for heavy users. I think all of this is coincidence; I am not claiming to have effected a change at Comcast, I think good business sense just prevailed.

      Implemented correctly, blocking could easily be treated like any other utility: you get a warning, then a notice, then you are offlined or DMZ’d until you are cleared.

      The ISP is a private network, not a public trust; I get to use it because I am willing to pay and they are willing to sell. From a business perspective I believe they would be within their rights to block malicious traffic. If I don’t like that I can take my business elsewhere. If/when wireless access becomes ubiquitous and companies like AT&T struggle to meet the demand of their customers we should expect, maybe even require, them to make sure they block those users who are being abused by the botnets or allow their systems to be infected with malware.

      hr

    • #1213116

      This quarantine idea is actually in use by Telus – my ISP in Alberta, Canada, who also provides free Security Services (anti-virus, firewall, parental control, etc) as part of your subscription.

      LOTS of problems though:

      1. It doesn’t identify which computer is infected. I have seven computers on my LAN connected via a DLink router. The Telus Abuse e-mail which informed me that BotNet traffic had been traced to my connection identified only the MAC address of the router – no help at all to identify which computer. Their message advised that further BotNet traffic would result in suspension or cancellation of my account. BAD NEWS for my small business which is run from my home, so I went looking for the culprit immediately.

      All computers are protected by anti-virus (which I keep up to date), anti-spyware (also updated regularly), and the ZoneAlarm firewall (in which I try to block all outgoing traffic that I deem not necessary – but how do you tell with so many programs that ask for Internet access? e.g. why should a stand-alone accounting program such as Simply Accounting need to have Internet access? I don’t need or want payroll tables & their updates, and ALL the data should be ONLY on my computers!) But Simply Accounting will NOT run unless it has full Internet access, and it will not disclose what info it is sending out.

      Alas, our daughter, who recently moved back home, brought her infected computer with her – she hadn’t kept her anti-virus up to date while living away from home. So her computer was physically disconnected for about a week until Telus Security Services could be installed, activated and a full-depth scan run on it.

      2. Telus Security Services reported it had found and removed some infections on her computer so that “clean” computer was reattached to the router and Internet. WRONG – the next day, I receive another “BotNet traffic detected” e-mail from abuse@Telus – same warning and same useless MAC address ID which referred only to the DLink router.

      So her computer was disconnected again -and has been for another week now as I don’t have any more time to throw at this and she doesn’t know enough to troubleshoot this further. I do understand her frustration – if Telus Security Service anti-virus and firewall isn’t good enough to detect and disinfect a BotNet infection, why do they even bother offering it? Shouldn’t the security software offered by an ISP be able to deal with an infection that the same ISP reports is on your computer?

      I’m pretty sure that the infection is only on her computer – all the other ones reported no problems from regular complete deep scans of all files by the a-v software, and the BotNet traffic occurs ONLY when her computer is turned on (three of the others are running 24/7, so if they were infected, I’d see BotNet traffic all the time).

      So now, it appears the only solutions available that do not cost her more than her computer is worth are:
      (1) experiment with various A/V software until she finds one that works (not acceptable to me – I don’t need or want any more “BotNet traffic detected” messages from Telus; and one of these times, they WILL suspend or cancel my account – crippling my small business); or
      (2) reformat her hard drive and start over with a fresh clean install of all software.

    • #1213168

      Sorry Mr. Vamosi, but I must respectfully disagree with your position on how to stem the flood of botnet-infected PCs. To your point regarding how we traditionally thought of security in terms of defense; I would point out that our current or traditional catch-the-perpetrator approach is failing dismally… we need to do better. I can think of lots of problems we have addressed with a combination of addressing the perpetrator and the perpetrated-upon sides of the equation. Yes, the Microsoft proposal will specifically affect anyone who owns and operates an infected computer. I fail to see how you would propose to effectively address the problem without addressing the vast majority of the infected computers, regardless of who owns or operates them.

      I also have a couple of points that don’t necessarily oppose your position: 1. there are more than a few Windows PCs on the Internet that are both infected and running pirated software. 2. Microsoft limits the availability of updates to computers running pirated copies of Microsoft software. 3. Under Microsoft’s proposal, those infected computers running pirated Microsoft software would be effectively permanently taken off the Internet… that should create some sales for Microsoft! 4. The Microsoft plan will only be effective if it is broad-based enough to include the vast majority of infected computers – globally… that will be no small chore in some areas of the globe where there is less respect for Microsoft’s copyrights.

      Microsoft seems to believe that only pirated software is modified to the point that it cannot readily accept Microsoft’s patches… I fail to see the connection that they appear to assume, and believe this to be a thinly-veiled attempt at coercing compliance with their ever-changing, considerably over-the-top and unilateral terms of use. Nevertheless, if we are to address an effective majority of the infected computers, we need to make a GLOBAL eyes-open decision as to whether we should enforce Microsoft’s terms-of-use or co-incidentally force Microsoft to make their patches equally available to all regardless of terms-of-use issues.

      Personally, I think we should negotiate a global deal that:
      1. standardizes all software terms-of-use to make them reasonable, readable and permanent;
      2. makes all software vendors and web application owners responsible to quickly provide effective patches via a unified distribution system, that effectively repair their own product and update it to address newer (patched) versions of any software that is either incorporated into or depended upon by their product (I am sick of my banks requiring me to use out-of-date & insecure software to conduct my online banking, and ditto to Cisco regarding the software environment required to use their network management software);
      3. requires that all software (and hardware that incorporates software) is sold with a clearly labeled expiration date, so we can know whose competing product will serve us the longest before requiring us to use out-of-date & insecure software on our machines;
      4. institutes a globally-coordinated law enforcement initiative against the Internet criminals; and
      5. once the previous four provisions have been in place long enough to life-cycle the pre-existing hardware and software, shows no mercy toward those who continue to put infected machines on the Internet.

      Turn that in to your short order cook!

    • #1213325

      The technology is already available to monitor the network traffic of an individual PC and determine if it is infected with malicious software spewing out SPAM and other nasty stuff. There is no need to “completely” cut off an infected computer, but an ISP could drastically reduce that computer’s access until the problem is resolved. If ISP’s are going to do this they need to provide a mechanism to help the client resolve the problem, not just leave them out there blowing in the wind. Nobody’s rights are violated if this action is clearly stated in the EULA used by the ISP.

      As Comcast has determined, there is an economical point when a program to reduce the traffic by botnets becomes viable. Until the economics are there for the big providers, no action will be taken to reduce the wasted bandwidth these problems cause. Forget about the fact that the company is helping individual clients and focus on the economics of recovering bandwidth and reducing the cost of expansion.

      In dealing with many computer individuals I find most get into trouble not because they don’t care. They lack the knowledge and resources to help themselves. The computer industry as a whole does a terrible job with the smaller customers. The corporate customers have IT experts to protect the company and the company has resources in place to protect their investments. The individual is bombarded with too many choices for protection and often makes the wrong choices or fails to properly implement the resources they have purchased. Hey, we are over twenty years into this venture. It is time for all the major players from OS companies, to software companies, to ISPs, and to hardware manufacturers to get together and come up with a blanket protection for new computers. If an individual experienced user wants to turn off these protections, that is their choice and they have to deal with the consequences, even if it means losing their connection to the Internet.

      Currently, some vendors have reacted to customer complaints and have tried to build some kinds of protection into their products. Mostly, this has failed because of the annoyance factor. The customer immediately switches to a different product or starts finding ways to turn off the annoyance. Good protection must work without being seen. Most users do not want to grant permission for every little thing they do when they do not have a clue what they are granting permission for.

      I am all for safer computing and a safer Internet even at the expense of flexibility. Eliminate the opportunities for botnet groups and they will go away. No money, no interest.

      My ISP currently provides decent antivirus and firewall software included in the monthly fee. Now they need to react to clients’ unusual behavior when it comes to Internet traffic. The systems are in place. All the ISP’s need to do this at the same time so no individual company feels threatened by the action they take.
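The post above argues that an ISP can already spot a spam-spewing PC from its traffic and throttle it rather than cut it off. As an added illustration (not the poster's code, and not any ISP's real system), here is a minimal per-subscriber check over constructed flow records: a host that opens direct port-25 connections to many unrelated mail servers, instead of going through its ISP's relay, gets flagged and rate-limited, with the relay address, thresholds and sample hosts all being assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# One flow record: (source host, destination host, destination port, bytes sent).
Flow = Tuple[str, str, int, int]

# Hypothetical address of the ISP's own outbound mail relay (assumed value).
ISP_MAIL_RELAY = "203.0.113.25"

# Constructed sample: 10.0.0.5 sends mail only via the ISP relay plus normal
# web traffic; 10.0.0.9 opens many small direct-to-MX SMTP connections,
# which is the traffic shape a spam bot produces.
SAMPLE_FLOWS: List[Flow] = (
    [("10.0.0.5", ISP_MAIL_RELAY, 25, 4200)] * 3
    + [("10.0.0.5", "198.51.100.10", 443, 80000)]
    + [("10.0.0.9", f"192.0.2.{i}", 25, 900) for i in range(1, 41)]
    + [("10.0.0.9", "198.51.100.20", 80, 15000)]
)


def smtp_fanout(flows: Iterable[Flow]) -> Dict[str, int]:
    """Count distinct port-25 destinations per source, ignoring the ISP relay.

    Legitimate subscribers talk to one relay; a bot talks to hundreds of MXs.
    """
    dests: Dict[str, set] = defaultdict(set)
    for src, dst, port, _ in flows:
        if port == 25 and dst != ISP_MAIL_RELAY:
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}


def classify(flows: Iterable[Flow], fanout_threshold: int = 20) -> Dict[str, str]:
    """Label every source host 'suspect' or 'ok' by its SMTP fan-out.

    The threshold is an assumed tuning value, not a standard.
    """
    flows = list(flows)
    fanout = smtp_fanout(flows)
    return {
        src: ("suspect" if fanout.get(src, 0) >= fanout_threshold else "ok")
        for src in {f[0] for f in flows}
    }


def recommend_action(verdict: str) -> str:
    """Map a verdict to the graduated response the post describes:
    restrict only what is abused (outbound SMTP) and tell the customer,
    rather than dropping the whole connection."""
    if verdict == "suspect":
        return "rate-limit outbound port 25 and notify subscriber"
    return "no action"


if __name__ == "__main__":
    for host, verdict in sorted(classify(SAMPLE_FLOWS).items()):
        print(host, verdict, "->", recommend_action(verdict))
```

A real deployment would evaluate this over a time window (distinct destinations per hour) and exempt subscribers who have opted in to running their own mail server, which is exactly the "mechanism to help the client resolve the problem" the post asks for.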

    • #1213414

      I am not sure about the solution that Microsoft proposes. What I did notice is a ready stance on your part to downplay the solution proposed without offering anything in return. I would expect to see some alternative ideas in an article of this nature.

    • #1213429

      First, let me point out that Microsoft offers perfectly adequate free security software, which is natively 64-bit compatible, unlike many third-party offerings. It is called Microsoft Security Essentials. But this good start on fixing their own problem is hampered by the fact that MSE is not offered even as an Optional Update through Microsoft Update Services. This needs to be fixed. Just an Optional Update — no implication that it is a mandatory or “critical” update. Kind of like Silverlight.

      Second, let me point out that the WindowsVista/ Windows Firewall does offer adequate protections, but the Outbound Firewall controls are very difficult to set up and alter if a particular program needs more outbound access than the firewall defaults allow it. Some companies, most notably Sphinx Software, have developed Vista/ Windows 7 Outbound Firewall control GUIs which greatly simplify the process of tweaking what Microsoft already offers. But Windows XP does NOT have an outbound firewall! For XP diehards to remain connected to the Internet, we would have to obtain adequate third-party firewall protections, or else use a security router with a hardware firewall.

      I agree that whatever firewall we use, those popup alerts are way too cryptic to be of any use to home users. Something needs to be done to simplify or remove from end-users’ hands the decision process. And proactive defenses, like PC Tools Threatfire, could help with zero-day threats.

      It isn’t hard to test a computer’s defenses, no matter which Operating System it uses. ISPs have access to security testing tools which would show weaknesses in any PC’s defenses, on a machine-by-machine basis. Weekly testing would quickly reveal who does maintain their security baseline and who does not. The delinquents can and should be warned to update and scan, or else have it done for them via Remote Assistance. Refuse RA, and you lose access to the Internet from that computer.

      The testing introduces administrative and direct costs; hence, the need for a tax or fee structure to offset the real costs. Probably not a large fee, but not one which will be very popular.

      Test, warn, cajole, and as a last resort cut off: this is the best solution to online security I can think of. But as long as Russia and China actively encourage botnets and spam servers, I cannot see any practical benefits to this system. It just will not work.

      And then there’s the case of my 92-year-old father, who refuses to update anything. He is still using Windows ME and Eudora 5.1 and Cute FTP 3.1. And no antivirus or firewall. I can’t even upgrade our router to WPA, because Windows ME does not support anything higher than WEP. And he would scream murder if anyone — much less the Government — ever tried to force him to patch or upgrade. There are millions of people worldwide just like him. Good luck fending off the lawsuits they all will generate!

      -- rc primak

    • #1213727

      First off, I firmly believe nobody should pay for protection of their computer systems.
      Thankfully, there are a number of available options out there with the wonderful cost of “free”.

      However, one of the biggest problems is the manner in which the software is designed to detect malware.
      Currently, most of the Antivirus/antimalware software is definition-based.
      Unfortunately, that entails playing catch up pretty much all of the time.
      So the crackers are usually a step or two ahead of the security companies.

      What we need is behaviour-based detection.
      There are not many that do this, but I read an article stating that Panda Cloud antivirus operates using this type of detection.
      I’ve been using it ever since and have yet to have any problems with it.

      Hope this helps someone.

      • #1213820

        What we need is behaviour-based detection.
        There are not many that do this, but I read an article stating that Panda Cloud antivirus operates using this type of detection.
        I’ve been using it ever since and have yet to have any problems with it.

        PC Tools Threatfire is designed to do exactly what you are asking. However, Threatfire does force the end user to make decisions based on inadequate information. This defeats the purpose of predictive heuristics. Block by default, quarantine or “sandbox” if allowed, and release from quarantine only when proven safe. And limit popup alerts to only serious threats. Threatfire also does scans, but these are unreliable.

        Comodo Firewall has Defense+ which does these things, and now (in Version 4) there is a sandbox for testing suspicious applications until they are proven safe. The Threatcast Community also helps determine when an action has been allowed or disallowed by the majority of Comodo users. But only Norton seems to actually track outcomes (infections after allowing) for zero-day attacks. This is the Norton Sonar technology (or is it Canary?). Avast currently has some heuristics as well. When scanning, Malwarebytes also does heuristics-based scan routines if you select them.

        So Panda Cloud AV is not alone in trying to get more advanced heuristics into scanning and web shields. You just have to read up and choose which solution keeps your computer safest. As far as I know, my laptop is clean, and I use Avast, the new Comodo Firewall and Defense+, and scans with Super Antispyware and Malwarebytes (Complete Scans), as well as THOROUGH scans with Avast weekly. Last I checked, Threatfire is incompatible with Super Antispyware, so I do not use Threatfire. I use Windows XP Pro, SP3, 32-bit.

        Windows Vista and Windows 7 users could be just as well protected by simply using the built-in Windows Firewall, Microsoft Security Essentials, and if you insist on heuristics, Threatfire. Both 32-bit and 64-bit systems would be well protected with just these security programs, perhaps using Malwarebytes for a second-opinion scan. Just remember to do deep scans once in a while, especially before making Image Backups and before going to MS Updates. Deep scans usually do include advanced heuristics scanning.

        And you do use Firefox with NoScript, don’t you? That’s a much better solution than trying to catch the malware which Internet Explorer lets through. Not that there are no 0-days in Firefox; they are simply nowhere near as common.

        Still, your best defense is still common sense. Don’t just allow actions which cause security popups. Security programs, even with the most advanced heuristics, only catch about two-thirds of new attacks before definitions are developed. Go onto Google if you are in doubt, and use the named process as the keyword. Most of the time if it’s anything you need, there will be a link identifying it. Otherwise, sandbox, quarantine or disallow and see if anything stops working. That is the only way to know for sure if the process is necessary. If it is not necessary, disable it. This attitude also cuts down on “phone-home” components (I notice that Woody Leonhard’s favorite word for these processes is censored here in the Lounge!) which are found in most commercial software, as well as a lot of freeware these days. If disallowing doesn’t break something, always block as a default action.

        I have mixed feelings about heuristics, as I used to use Prevx. This program was installed inside the Windows kernel as a driver, and it used to block any program which ever changed itself due to normal updates. Then the Prevx local database had to be reset manually in Windows Safe Mode, which really defeated the entire purpose of heuristics detection. If you update frequently, even through MS Updates, Threatfire can cause similar problems. Comodo Defense+ and the Avast Web Shields do not have these problems anywhere near as frequently. But when heuristics messes up, it does so spectacularly, often requiring a full Windows reinstall to fix the errors. I would not rely on the current generation of heuristics to keep anyone safe. Certainly not on any mission-critical computer system. Too many false positives. An analogy is when you buy a pitbull for protection, and a while later it attacks your child. Not worth the risk, if you ask me.

        -- rc primak

    • #1214353

      In reply to the main question of this thread, quarantine is not the solution preferred by IT professionals and ISP owners. They have all given truly underwhelming reactions to Scott Charney’s (Microsoft security guru) quarantine suggestion, and EFF (The Electronic Freedom Foundation) and taxpayer groups are never going to accept a tax levied on well-behaved Internet users (those of us who do secure our own computers, and clean them up if anything goes wrong) for the ignorance, laziness, and nonchalance of the “my computer is just an appliance” crowd. Everybody wants an instant-on computer which never crashes, never gets infected, and is self-cleaning. We are simply not there yet. And sales people do no favors by promoting Remote Assistance as a panacea for all that can go wrong with a PC.

      The answer is user education, which is what Windows Secrets is all about. Informed users can take matters into our own hands, and we do not need Miss Polyanna Nannystate holding our hands (or our computers) when we go online. Charney and his kind are just as bad as the “what me worry?” crowd, in that a quarantined computer cannot get online to get cleaned up. Remote Assistance could help in these cases, but without an ISP, how does one get connected for Remote Assistance or a Cloud AV scan and cleanup? Boneheads, that’s what these security wonks are!

      Keep the Internet free — Just Say No to Scott Charney and his crowd.

      -- rc primak

    • #1215411

      No Internet access is needed to fix a computer, ever.
      If your computer has been compromised by being part of a malicious botnet network, then
      the best solution for the average non-technical user is a clean install.

      Telephone tech support is more than sufficient for this endeavor.
