Having sorted out my problems of a few days ago, I'm now re-assessing my needs in the subject field. I see there is an anti-malware element in Avast! Do I also need Malwarebytes, is it more comprhensive than the bit in Avast!? Should I put in a separate reg cleaner as I've loaded Ccleaner? Is Windows Defender a sufficient firewall? I don't want to load up the system with systems that spend most of their time checking each other. Any help/suggestions would be appreciated.
The Ancient Mariner

Is Windows Defender a sufficient firewall?

Eeeerrrrrrrrrr defender is not a firewall, to quote MS it's:

Windows Defender is software that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software by detecting and removing known spyware from your computer.

If you use a router then windows firewall is probably sufficient unless you visit some really bad sites.

I don't run any of that crap, just gets in the way, causes crashes, and slows things down.

Stealth mode NAT router at the boundary, and don't visit porn or warez sites. That's all you need.

Oh, and an ISP who filters out email viruses on the server, I haven't seen one of those for years now.

And run as an ordinary user, not as an administrator or account with admin rights.

SD

You can have as many on-demand scanners (like the free version of MBAM) as you want. Some of them run a background service, but in general terms, except for when one of them actually is scanning, there is next to no resource usage.
Pretty good idea to have a couple of extra scanners on board, just in case you get something the AV doesn't deal with. And all the AV's can sometimes let something through. (New malware, or some kind of worm that disables the AV etc.)
At one time, while using AVG, it alerted me to a trojan but could not stop the trojan installing its cargo. Don't know why. This hasn't happened to me while using Avast, yet.
If you do get something nasty, you'll be glad you already have the demand scanners installed.

As stated, WD is not a firewall. Vista (like XP) has a built in firewall. There is an application I've read about that sounds pretty good, called Vista Firewall Control (http://www.sphinx-soft.com/Vista/index.html) that is basically a user friendly GUI for the built in firewall, that gives you easier to manage control over anything attempting an outbound connection. To know what should be allowed to connect etc takes a bit of study, but it's not a bad idea. If an as-yet unknown trojan slips into your system, the firewall can be thought of as the last opportunity to prevent it phoning home, gathering reinforcements.
This isn't always bulletproof. I believe there are some types of malware that can inject themselves into a legitimate process, and the change isn't always recognized by the firewall, or if it prompts, by the user.

Avast Home has the same detection and cleaning ability as its paid for version. Includes antispyware (part of the AV engine, so it isn't a separate component), and an antirootkit scan that by default runs 8 minutes after startup. I also use Threatfire, a behaviour blocker, a 3rd party firewall (cause the Windows one doesn't control outbound in XP), a thingy called Secunia PSI, which monitors many many programs on the PC and compares the versions against its own database. Basically it makes sure you're patched. Windows and other programs. It's here. (http://secunia.com/vulnerability_scanning/personal/)

Scanners etc are only of use to clean an infected system. A bit of prevention is wise. Set scripts in all (except, perhaps, trusted) zones of the browser to "prompt" or "disable". Better still, use a browser like Firefox, with the Noscript add-on installed, and you can see exactly what scripts are attempting to run on any web page.
An application like SpywareBlaster, by Javacool is good. Basically blocks known bad sites from connecting. Uses no resource; needs manual updating roughly every week.
I have installed far too many demand scanners and other tools. Doesn't matter; they don't run at start, and occupy a relatively small disk space. I like to play around with these things. It's become a bit of a hobby. I think for the average user, some kind of AV (Avast is great, IMO), a firewall, disabling scripting, and a demand scanner or two is probably quite adequate.

Lastly, with Avast running, the number of times another scanner has actually found a real threat on the PC over the last year, has been zero. Go figure.

SD could you elaborate on your statement please.

I don't have a router far less a "stealth mode NAT router" whatever that is, just an ADSL modem.
The Ancient Mariner

I don't have a router far less a "stealth mode NAT router" whatever that is, just an ADSL modem

The ADSL modem can often have a router / firewall built into it.

If you don't have a hardware firewall, you should. Especially one that allows you to connect multiple devices wirelessly or wired.

The router (filrewall) that sits between your cable / adsl modem and your PCs (it may also have a wireless network) must (by definition) be a NAT (network address translation) router.

This means that the router has a single public (routable on the internet) IP address on the "outside" and a private address range on the "inside" to allow multiple devices (your PCs) to connect to it and thence to the internet.

NAT on its own is a good first line of defence, Stealth Mode simply means that the router doesn't reply to incoming requests on closed ports - e.g. ICMP PING requests - originating from the internet, instead of simply rejecting them (i.e. negative response). It's not actually particularly helpful or necessary, and in the case of ICMP actually in contravention of Internet standard RFC 1122.

In addition to NAT, most home firewalls have 2 further levels of defence - port & address filtering and stateful packet inspection (SPI). The first simply means that certain TCP/UDP ports (that support certain services, e.g. Telnet, FTP) are blocked, and also that IP traffic to / from certain IP addresses is or can be blocked. SPI is useful because it helps to prevent "spoofed" packets (e.g. replies to IP packets you never sent) from fooling the system into allowing them through.

This is a VERY cursory skim over firewalls, btw! As you can imagine, it's quite a big topic!

Rule of least privilege!

There are 3 levels of user accounts in Windows XP, User, Power User and Administrator. Running as a standard user means that your account does not have any elevated (admin) privileges, so that when the trojan / virus comes along to try to install some nasty on your system it is unable to do so. If you were running as an admin or Power User, it would be able to install the malware.

In Vista, MS removed Power User, and tried to force everyone into using standard User - howls of protest from the masses.


Lots of software writers were too lazy to code properly for non-admin accounts (legacy from Win 9x where security didn't exist), and hence much software won't run unless you are an admin. It's ludicrous, because all it takes is for the install program to ensure that temp / user files are placed correctly to be accessible to each user, not dump them into the Windows or Program Files folders (where standard users have read-only access).


SD

[RANT]
Lots of software writers were too lazy to code properly for non-admin accounts
Too right. I run so much of such stuff that I gave up running as non-adminstrator within a few days of setting up the new machine. I would be (very slightly) happier running as non-adminstrator, actually. I suppose one of these decades all my clients will stop using this legacy software so I won't have to support it any more.

I agree with alot of what your saying but I would say you dont explain alot to the laymen to understand the acronyms your using.

NAT = Network address translation, each node on the internet has an address which is xxx.xxx.xxx.xxx which is often refered to by a name e.g. www.bbc.co.uk (http://www.bbc.co.uk) (this name known as the ip address is looked up and the real address is always used).

With a router (or ADSL modem/router) that permforms NAT it splits the networks it operates on (local and internet) into two different address ranges - one private and one public.

The whole point of a NAT router is that your private machine may open a connection over the internet which the router will route your outbound traffic to and the router will also know because your talking to that source that any inbound traffic from that remote address needs to be translated to the local address and forwarded to you (this can be gone into much more deeply on port levels but this explanation is sufficient).

I dont agree with the rant on software developers not coding for non administrative accounts. Quite rightly so the operating systems have been restricting what we can do so for some operations we have been required to ask users to login under administrative actions to perform these things. The problem actually is that the end user see's this as an irritation and rather than suffer the account changes decides to just run as administrator all the time for a simple life - which then creates the security risk. It is not something the software developer can either code for, cater for and allow for - its just human nature.

The changes in vista were to give us software developers an avenue to allow the user to temporarily go into administrative mode to perform these functions - which is not dissimilar in linux to drop into superuser etc.

I would say before laying blame on the developer - fully assess and understand the constraints they are working within.

Regards

Jof
p.s. TCP is the transmission control protocol - above that is either IP or UDP it is not TCP or UDP as UDP is over TCP.

After you've done all that - or even before you do it - test your setup to see if it's secure.

Go to https://www.grc.com/x/ne.dll?bh0bkyd2

and Proceed, select Common Ports, and wait.

If you get PASSED - TRUSTEALTH then you're in reasonable shape as regards firewall. If you don't, you need help.

Once you've done that, go for a decent virus protection (AVG, Avast or similar) and Spyware protection.

Thanks a lot to all who have replied. Some of the acronyms still don't actually MEAN a lot. TCP for example, I understand what each individual word means but what does the whole phrase mean? UDP? I don't even know what the individual letters stand for!

At bottom I just want to USE a computer as a means of information, communication, entertainment, news, music and all sorts of other stuff - I don't REALLY care how it does it. Unfortunately the people who create software seem to miss this aspect of what the great mass of folks want a computer for. Sometimes (particularly on the occasions when I've had to resort to the help line in India, I find myself being led through the labyrinths of the computer knowing full well I will NEVER be able to retrace these steps by myself should the problem recur) one finds oneself wondering "why do they make it so bloody complicated?" when trying to do something apparently simple.

Don't get me wrong - I'm truly grateful for the help and explanations I find in this forum. So bear with me if I seem to be asking noddy questions in the future.
The Ancient Mariner

OK Keef

Did as you suggested, and came up "Failed" in big red letters for port 80 and 443. Now what?

I already run Avast! and Ccleaner. Suggestions?
The Ancient Mariner

I dont agree with the rant on software developers not coding for non administrative accounts. Quite rightly so the operating systems have been restricting what we can do so for some operations we have been required to ask users to login under administrative actions to perform these things. The problem actually is that the end user see's this as an irritation and rather than suffer the account changes decides to just run as administrator all the time for a simple life - which then creates the security risk. It is not something the software developer can either code for, cater for and allow for - its just human nature.

The changes in vista were to give us software developers an avenue to allow the user to temporarily go into administrative mode to perform these functions - which is not dissimilar in linux to drop into superuser etc.

I would say before laying blame on the developer - fully assess and understand the constraints they are working within.

Jofm5, I don't think you understand my rant! I am pissed at those developers - mainly of games - who release software that cannot be used unless one is an administrator. I don't mean cannot be installed or configured, I mean will not run unless using an admin account.

I have found that the vast majority of software I have installed for my children over the last 10 years won't run unless they are running with an admin account! I mean FFS - requiring 3-12 year-olds to operate as admins!

I have usually been able to laboriously find out what part of the file system the game is trying to write to, and assign write access there for the kids' user accounts. But that is what I'm talking about - it's sloppy and it's lazy.

On a couple of factual points - a router doesn't split any networks. All it does is connect 2 or more different IP networks.

Also, I think you will find that TCP and UDP sit alongside each other in the Transport Layer, both above IP - the Network Layer. Lots of good reading on TCP/IP and IP networking to be found via google - this (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ap1.htm).
and this (http://www.tech-faq.com/understanding-cisco-tcpip.shtml) for example.

SD

Some of the acronyms still don't actually MEAN a lot. TCP for example, I understand what each individual word means but what does the whole phrase mean? UDP? I don't even know what the individual letters stand for

The IP address specifies the source or destination of the packets being sent. The port number defines which service the packet is destined for - HTTP, SMTP, FTP, Telnet etc.

The packet will either be sent to a port using TCP (Transmission Control Protocol) or UDP (User Datagram Protocol). The former provides error correction and guaranteed delivery but with a reduced speed due to the overhead, while the latter is faster but without error correction. A rough analogy is ordinary snail mail (fire and forget) and recorded delivery (guaranteed delivery but more expensive).

SD

Did as you suggested, and came up "Failed" in big red letters for port 80 and 443. Now what?

Rossian,

I believe that what the "failure" means is that inbound requests over ports 80 and 443 (HTTP and HTTPS - standard WWW protocols) from the internet are being allowed through your firewall - you would normally only allow this if you had your own webserver inside your firewall.

If you haven't got a webserver then these should be closed.

Note that it is not the same as closing the ports for outbound requests - i.e. your PC making requests to webservers on the internet.

SD

If you haven't got a webserver then these should be closed.


If it is a router then grc will be scanning the router not the machine NAT'd behind the router.

These ports are probably open because the router most likely has a remote administration portal - this should be selected off if possible so that the router cannot be configured from the web (from his own confessions of understanding I would imagine he wont want the remote config operability).

OK Keef

Did as you suggested, and came up "Failed" in big red letters for port 80 and 443. Now what?

I already run Avast! and Ccleaner. Suggestions?

Given your comments above about what you want to use your computer for, you won't want to put "security" on those ports: you just want to close them.

How that is done will depend on what kit you have. Specifically, whether it's a modem, or a modem-router, and what sort thereof. The easiest way is to read off the make and model number - or just post a pic of the label. From that, one of us can probably look up how to do that on your device.

If it's a USB modem, the answer may be to install a software firewall like ZoneAlarm, which is very good (but a bit of a pain at first). If it's a separate modem/router, then there is (hopefully) a way to tell it to close those ports.

I could wax lyrical on the philosophy of computer design ("make it able to do everything" ... to which the cynical would add "so that we geeks are always assured of a job sorting it"). It's a pain in the neck for users who don't care how it works, but it's essential for compulsive dabblers like me.

DropMyRights, an unofficial Microsoft tool is your best friend

Security Fix - Windows Users: Drop Your Rights (http://voices.washingtonpost.com/securityfix/2006/04/windows_users_drop_your_rights.html)

DropMyRights - Free software downloads and reviews - CNET Download.com (http://download.cnet.com/DropMyRights/3000-2144_4-10722877.html)

Every Windows XP user should drop their rights | Defensive Computing - CNET News (http://blogs.cnet.com/8301-13554_1-9756656-33.html)

DropMyRights part 2: Installing and configuring | Defensive Computing - CNET News (http://blogs.cnet.com/8301-13554_1-9758770-33.html)

Log in as an Administrator (so games and suchlike work) but run web-facing apps like browsers and email at a lower level of privilege.

Mac

:ok:

I surf in some pretty murky areas....(Not for the reasons you are thinking)....Anyway, I have never had a virus or any Trojans dumped on me that have not been caught....Luck?..Maybe, but, My AV etc catch plenty before they can do any damage.
I use Comodo firewall, Avast anti virus, and Spyware Terminator running Real time Shield.
On tests my system is running invisibly. Periodically scan with Malwarebytes and online virus scan to make sure.
Nothing complicated or too technical done.
I think that people like the OP (and Me!) don't need to be blinded by technology or be too scared to do anything. At the end of the day the best protection for your computer is plain old common sense....

Mac - I leapt at that! Looks great. Installed and running, thanks - BUT - probably due to a surfeit of chocolate (yes, only 10:00 in the UK!!) affecting my brain, it appears to have dropped 'my rights' so far down the pan I cannot change the home page from **MSN** nor stop the 'default browser' check. Switching the icon to 'run as admin' allows this, but it defaults to baby stuff on return. HELP!??

BOAC - not sure if I'm understanding you correctly but what I have done is set up everything the way I want it for the browser and then just precede the command invoking it with drive:\path\dropmyrights /args drive:\path\whateverbrowser.exe

Haven't had any probs. personally - did you look at the setup instructions in the last URL I quoted?

:ok:

PS: The few girls in my office still on MS are set up to work browser and email at lower privilege levels using DropMyRights and are OK.

did you look at the setup instructions in the last URL I quoted? :ugh::ugh::ugh: - nah! Thanks. Due to Chocolateitis I used the first link which had me create a 'new' icon - doh! That should sort it, but it does appear that you will need to 're-create' the icon in order to make any changes above basic levels?

Edit to add : That did not work. I still get a default to MSN even copying the existing icon which had a different home page.

Further edit: If I then run it as 'admin' it has the right home page. I assume the block on changing home page is to stop browser hijack? Are you saying you can change the home page? I cannot even get rid of the 'default browser' query in 'low' access mode.

I had thought that the thread was beginning to fade of its own accord so hadn't looked at it for a couple of days; no ingratitude or churlishness on my part - promise.

I took the advice and that of the free software sticky and downloaded Zonealarm on Friday evening and did a scan with it, which came up clean. However, after that, every single action seemed to take ages to achieve and was accompanied by "security warning!!" with an unintelligible "explanation" in it. Following a link seemed to take forever and eventually I decided I didn't want this to be the future and uninstalled it and it's all working normally again.
Is that what you meant by "it can be a bit of a pain at first" and how long can it go on for?

I/we have an HP Pavilion slimline (mini tower) amd the modem is a Speedtouch 330 supplied by Tiscali. I have read that the catch with this modem is that the system "sees" it as a dial-up connection, but as I shut it down every night after a disc cleanup I don't see this as a major handicap. Owt else? all tips gratefully received.

BTW were you up late preparing your Easter sermon and opted for a spot of pruning after??

TIA The Ancient Mariner

No worries! No, I'm just an owl rather than a lark. I like the Easter Service being at 11 am ;)

ZoneAlarm is like that. At first, it has to be told that each bit of software is allowed to access the trusted zone and the internet. After a while, all the software you use has been checked, and it goes quiet. The critical bit is when something you don't recognise pops up.

I don't know the Speedtouch 330 at all, so can't say if it has any kind of firewall facility or how to close incoming ports on it..
There is a way to do some searching in the modem, but before we do that....

DOES ANYONE IN HERE KNOW HOW TO CLOSE PORTS IN A SPEEDTOUCH 330?

OK, understood, I'll give it another go.

Speedtouch 330 is (probably) a cheap and nasty which is why Tiscali use it. Yeah yeah I know but who to move to that isn't as bad if not worse.
TVM

The Ancient Mariner

The Speedtouch 330 is not a firewall / router - it's a plain old USB-RJ11 ADSL bridge.

Totally reliant on a software firewall for any protection.

If you want a hardware firewall, probably best to go for an integrated ADSL firewall / router - possibly with built-in wireless access also. This will completely replace your Speedtouch 330.

Lots of vendors - Linksys, Draytek, Netgear, Buffalo...

I can't recommend a specific model, as I have cable rather than ADSL, but Linksys and Draytek have a particularly good reputation, with Netgear perhaps a little bit behind.

SD

Saab is correct that a much cleaner and more efficient option would be to go to a proper hardware firewall as incorporated into a NAT Router.

A cheaper option would be to use something like windows firewall which is built into xp (is it sp2 onwards its present from I cant recall) or vista. However it may be that if this is already enabled (which it could well be if all other ports seem shut) then your OS thinks your running a web server and is allowing this through.

At which point you could un-install the web server part of the OS but that would be a whole different thread altogether - it would be easier to just disable the service and leave the port open - but this has the downside of you being visible on the net.

OK - I thought I'd read somewhere about configuring a Speedtouch 330.

If you are worried about being secure (I am), then I'd get onto eBay and buy a one piece modem/router. If you may want to use wireless internet round the home, then for a few pounds more you can get a WiFi one.

Something like a Netgear DG834 is plentiful so there are likely to be lots on eBay. Make sure it's a modem/router rather than a USB device. If it comes with the instruction manual, that'll save some Googling!

Linksys are OK too. Draytek are excellent but a bit dearer.

Check that it's a "telephone" rather than a "cable" modem.

One other thing to check is that the PC has a standard RJ45 network card (or built-in RJ45 network interface), as it will connect to the router this way - at least to configure it.

SD

Keef and SD

Thanks both. I've been considering moving to a router since SWMBO has bought herself a laptop. Ideally I'd like to move away from Tiscali at the same time. The deterrent is the admin flail of tying all this up in a oner, vide moving in to this house two years ago (all of 100 ft from the old one) meant no landline phone for 6 weeks and no internet for eight. PITA only begins to describe it.
The Ancient Mariner

Putting in a combined ADSL modem / router (with or without wifi) is really independent of which ISP you choose. You would be able to use the device with whatever ADSL service provider you go with.

Of course if you are switching from ADSL to cable, you might well want a different router.

It is possible that another provider might include a wifi router / firewall with their package, though. Maybe read up the possibilities and offerings before taking the plunge.

SD

If you are thinking of changing ISP, and if your telephone is still with "BT" for wires (ie not been local-loop-unbundled) then switching ISP should be relatively simple.

I've changed three times over the years: the first was a nightmare, the second and third relatively straightforward, although Pipex tried to charge me for another six months after I'd left them. A formal complaint to their MD with a promise that the next would be to somewhere else sorted that.

There are several websites that offer customer feedback on how well the various ISPs perform. Tiscali tend to be towards the bottom of the scale with some good reports, some bad.

I used to use DSLZone (http://www.dslzoneuk.net/isp_ratings.php) but their website seems to be unmanned, and the number of reports hasn't changed much of late. I think Thinkbroadband.com (http://www.thinkbroadband.com/) is the main one these days.

Some ISPs do indeed offer a free modem/router/whatever, but they then tie you into a 12 or 18-month contract. I prefer a "quick getout" option and to buy my own device.

You can pick up a Netgear DG834 wireless modem router for around £30 on eBay.

You are one aren't you?

I usually check thinkbroadband.com most days to keep a check on speeds. In the sticks here, BT claim the line will support only 512kbs, but in the mornings I usually get 940/950kbs. For about three days in Feb I actually got 1.3 mbs! Hold me back! But in the evenings it drops frequently to 250/480kbs which makes a mockery of trying to use things like iPlayer.
Inertia is the main reason I haven't moved before, I confess, but I see my daughter in Bristol having the same indifferent level of service from her ISP. My son in Lincoln has had more ISPs than I've hot dinners and also suffers from erratic performance and he can almost spit on the exchange from his place.
I think my general thesis is that ALL ISPs are crap and that occasional adequate performance is a bonus anywhere in the UK outside big cities. It must be my inate Wee Free pessimism coming through. Thanks again, though, for all your helpful suggestions.
The Ancient Mariner

I live in a village, I'm with BT, I get an average speed of 6.5 Mbs
and I have no problems with BT's service.

AhBut Ahbut Ahbut Ah..... Green granite

How far from the exchange? We're at least 3 miles, on a line that is some below ground some above ground lots of patches in the cables and the odd junction box that collects the wet. (I found all this out when Outreach was trying to get me any connection at all during previously mentioned house move).
Now they charge £240/h if you need anything doing. Our neighbour was having a phone problem and the engineer said "I've checked the line to your house and it's OK. If I step inside to investigate further you're looking at £60 per 15 mins plus the call-out charge. I suggest you find a competent electrician to do that bit" and left! It's called enhanced customer service.
The Ancient Mariner

Correct! I'm in a Norfolk village at the moment, and the modem reports
DownStream Connection Speed 8128 kbps
UpStream Connection Speed 448 kbps
The exchange is out of spitting range, but a carefully lobbed stone might get close.

Back in urban Essex, I get 3360k down. That's about 3 km from the exchange.
I tried a variety of modem/routers there, and found that the better quality ones did a better job. Draytek sent me a special firmware set for "poor signal areas" and it did make a significant difference. I "lost" a couple of refinements that I never used anyway, and gained a very rugged connection.

I think some ISPs try harder than others. I have a simple approach these days: if Customer Service is an 0900 number or I get an Indian reading off a set script, that one's off my list. An Indian who knows what he's talking about is fine (I've had one or two excellent experiences in that arena).

Essex is with UKFSN and I have no problems at all. It's a one-man-band, and he's not been to charm school, but he knows his stuff and does a good job. Entanet is the provider behind that, and they seem to have gone astray lately from what I read by others. They tried to change the contracts, and UKFSN got tough with them on his customers' behalf.

Norfolk is with PlusNet, purely because they were cheapest by far at the time and i wasn't too bothered about quality. In practice, it's been excellent. I've not seen any capping or other messing about with the ADSL - but I'm not a heavy user from here.

I think the problem is in part at the interface between BT and the ISPs. When I was having serious problems in Essex, BT blamed Pipex and Pipex blamed BT. In the end, I made a courteous but firm suggestion to both of them that they could try talking to each other. I don't know if they ever did: I gave up and moved ISP and the problems went away.