22 Eargesplitten
Oct 10, 2010



On the other hand, Google Chrome already has a "suspicious website" page with a hidden link to go to it anyway, which will confound 90% of users.


Khablam
Mar 29, 2012

It's usually a silly umbrella term for AV plus 1 or more of:

- Firewall
- Anti-spam
- Anti-phishing
- Anti-spyware
- Parental controls

All of which are bound to be superfluous or greatly outclassed by free and dedicated alternatives.

22 Eargesplitten
Oct 10, 2010



Okay. This is probably outing me as an idiot, but I don't remember the last time I had a firewall other than the Windows default. Is there a free one worth running?

Khablam
Mar 29, 2012

22 Eargesplitten posted:

Okay. This is probably outing me as an idiot, but I don't remember the last time I had a firewall other than the Windows default. Is there a free one worth running?

Not really. Incoming protection is handled by NAT in your router. Most focus on application control with varying degrees of success but are all relatively useless unless you set them to their strictest modes, wherein you'll be bombarded with requests to allow applications.

Double Punctuation
Dec 30, 2009


Khablam posted:

Not really. Incoming protection is handled by NAT in your router. Most focus on application control with varying degrees of success but are all relatively useless unless you set them to their strictest modes, wherein you'll be bombarded with requests to allow applications.

Note that NAT isn't a thing with IPv6. If your ISP gives you an IPv6 address, your router supports it, and your computer has it enabled, you do need to make sure you have a firewall running. However, it should still be running on the router or another device between your computers and the Internet. A good router should have one built in, in addition to NAT for IPv4.

If you're connected directly to your modem, you should really invest in a router.

22 Eargesplitten
Oct 10, 2010



Yeah, I'm directly on the modem. A router is on the list of things to save for / buy if I see a decent one at the thrift store.

Nintendo Kid
Aug 4, 2011


dpbjinc posted:

If you're connected directly to your modem, you should really invest in a router.

Yeah but these days, if you're directly connected to an ISP's modem it's almost certainly a modem/router combo where there's a firewall in place.

22 Eargesplitten
Oct 10, 2010



Yeah, turns out my Comcast-supplied modem had a firewall. I say had because the wifi poo poo the bed to the point that it was doing <1mb/s on a 50mb/s line, while connecting via ethernet gave 55. So it's a moot point, because I bought a new modem and a wifi router.

Hipster_Doofus
Dec 20, 2003


22 Eargesplitten posted:

Yeah, turns out my Comcast-supplied modem had a firewall. I say had because the wifi poo poo the bed to the point that it was doing <1mb/s on a 50mb/s line, while connecting via ethernet gave 55. So it's a moot point, because I bought a new modem and a wifi router.

Pretty sure you're still behind a firewall. What IP address does your computer report?
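A quick way to answer that question for both address families, as an added example that is not part of the thread: it classifies the addresses a machine reports and says whether a NAT device sits in front of each one, encoding the IPv6 caveat from Double Punctuation's post (no NAT there, so a global IPv6 address needs a firewall). Standard library only; the sample addresses are constructed.

```python
import ipaddress

# Ranges that imply a NAT device in front of the host: RFC 1918 for home routers,
# RFC 6598 for carrier-grade NAT. Checked explicitly rather than via
# ipaddress.is_private, which also covers documentation/test ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")
ULA = ipaddress.ip_network("fc00::/7")   # IPv6 unique local: not Internet routable


def classify_address(text):
    """Describe what one reported address implies about NAT and firewall exposure."""
    addr = ipaddress.ip_address(text)
    if addr.is_loopback or addr.is_link_local:
        return "local only: not reachable beyond this host or link"
    if addr.version == 4:
        if any(addr in net for net in RFC1918):
            return "IPv4 behind NAT (RFC 1918): inbound is shielded by the router"
        if addr in CGNAT:
            return "IPv4 behind carrier-grade NAT: inbound is shielded by the ISP"
        return "public IPv4: nothing sits in front of this host, a firewall is required"
    # IPv6: there is no NAT to hide behind; only unique-local space is unreachable.
    if addr in ULA:
        return "IPv6 unique-local: not reachable from the Internet"
    return "global IPv6: no NAT exists here, a firewall is required"


def firewall_required(addresses):
    """True when any reported address is reachable end to end from the Internet."""
    return any("firewall is required" in classify_address(a) for a in addresses)


if __name__ == "__main__":
    # Constructed sample: a dual-stack home machine behind an ISP router.
    sample = ["192.168.1.23", "fe80::1c2a:5bff:fe3d:4e5f", "2001:db8:1234::abcd"]
    for a in sample:
        print(f"{a:28} {classify_address(a)}")
    print("firewall required:", firewall_required(sample))
```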

Double Punctuation
Dec 30, 2009

Routers supplied by your ISP are pretty much always poo poo, and they may also charge you a rental fee. While I was on AT&T, the router they supplied couldn't even handle DNS without making GBS threads itself, and I had to configure DNS manually to bypass it.

SplitSoul
Dec 31, 2000

Malwarebytes spits this out immediately after booting:

Malicious Website Protection, IP, 46.161.41.123, s.girl8349237543.com, 49171, Outbound, C:\Windows\System32\wscript.exe

How do I track down what's trying to access that site? MSE, Malwarebytes and AdwCleaner aren't finding anything. Somehow I managed to get three(!) bitcoin miners and a trojan on my machine yesterday, so it's probably related.

Cactus Jack
Nov 16, 2005


SplitSoul posted:

Malwarebytes spits this out immediately after booting:

Malicious Website Protection, IP, 46.161.41.123, s.girl8349237543.com, 49171, Outbound, C:\Windows\System32\wscript.exe

How do I track down what's trying to access that site? MSE, Malwarebytes and AdwCleaner aren't finding anything. Somehow I managed to get three(!) bitcoin miners and a trojan on my machine yesterday, so it's probably related.

Get into safe mode with networking and start running some stuff. I like to start off with rkill as it can tell you about/stop any proxies that are running and stop a lot of malware processes from running, which can give you time to run scans and nuke it; grab the .com one as I find it doesn't get killed by very bad malware as easily. You can then run Junkware Removal Tool (similar to AdwCleaner), TDSSKiller, MBAR, and RogueKiller. On RogueKiller just get the portable 64-bit version. TDSSKiller and MBAR are pretty self-explanatory: just run them and if they find something follow the directions and nuke them. RogueKiller you have to use your brain a little, so check through the tabs and select anything suspicious-looking and delete them. I also like the Emsisoft Emergency Kit since it seems to have a large definitions database and can find PUPs, viruses, etc. If the previous stuff fixes your issues you can skip it, otherwise run it and start with a smart scan if you want, but if you are concerned just do a full scan and let it go. It is usually a couple of hours to scan everything on your drive unless you're on an SSD. Find any crap? Delete/quarantine/whatever it.

Some other things you might want to do:
Check out Task Scheduler and see if any weird tasks are set. See anything lovely? Disable or delete it. Same with startup and services.
In safe mode try running MBAM and AdwCleaner again. Sometimes in regular Windows something malicious is running that keeps these programs from finding it, especially MBAM.
What OS are you on? Some people might recommend ComboFix if nothing else works, but it doesn't run on Windows 8/8.1 from what I remember.
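A small triage helper for that log format, as an added example that is not part of the thread: it parses Malwarebytes "Malicious Website Protection" lines and ranks them, putting a script host such as wscript.exe making an outbound connection first, because that points at the scheduled task, Run key or startup script that launched it rather than at the binary itself. The field layout is taken from the line SplitSoul quoted; the second and third sample lines are constructed (TEST-NET addresses, example.com).

```python
import re
from dataclasses import dataclass

# Constructed sample log: the first line is the one quoted in the thread; the
# other two are made up to show the contrast (a browser hit and an inbound block).
SAMPLE_LOG = """\
Malicious Website Protection, IP, 46.161.41.123, s.girl8349237543.com, 49171, Outbound, C:\\Windows\\System32\\wscript.exe
Malicious Website Protection, IP, 203.0.113.5, ads.example.com, 443, Outbound, C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
Malicious Website Protection, IP, 203.0.113.77, , 3389, Inbound, C:\\Windows\\System32\\svchost.exe
"""

# Signed Windows script hosts and loaders that malware runs instead of dropping
# its own executable: a network hit from one of these points at the script,
# scheduled task or Run key that started it, not at the binary.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe"}


@dataclass
class BlockEvent:
    ip: str
    domain: str
    port: int
    direction: str
    process: str

    @property
    def image(self):
        """File name of the process, lower-cased (e.g. 'wscript.exe')."""
        return self.process.rsplit("\\", 1)[-1].lower()


def parse_mbam_line(line):
    """Parse one 'Malicious Website Protection' line; return None for anything else."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 7 or parts[0] != "Malicious Website Protection":
        return None
    return BlockEvent(ip=parts[2], domain=parts[3], port=int(parts[4]),
                      direction=parts[5], process=parts[6])


def triage(event):
    """Return (priority, next step) for one blocked connection."""
    if event.direction == "Outbound" and event.image in SCRIPT_HOSTS:
        return ("high", f"{event.image} is a script host: check Task Scheduler, "
                        "Run keys and the Startup folder for the script it runs")
    if re.search(r"\d{6,}", event.domain):
        return ("medium", "long digit run in the domain, typical of throwaway "
                          "hosts; check what the process was doing at that time")
    if event.direction == "Inbound":
        return ("low", "inbound probe blocked on the host; make sure the router "
                       "or firewall drops it before it reaches the machine")
    return ("low", "ordinary user application; most likely a blocked ad or "
                   "redirect, note which site was open")


def triage_log(text):
    """Parse every line and return [(image, priority, next step), ...]."""
    events = [e for e in map(parse_mbam_line, text.splitlines()) if e]
    return [(e.image, *triage(e)) for e in events]


if __name__ == "__main__":
    for image, priority, step in triage_log(SAMPLE_LOG):
        print(f"[{priority:6}] {image}: {step}")
```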

SplitSoul
Dec 31, 2000

Thanks, I'm gonna run all that poo poo just to make sure.

mindphlux
Jan 8, 2004


SplitSoul posted:

Thanks, I'm gonna run all that poo poo just to make sure.

I do basically what cactus does, but I always run combofix first after rkill, because it seems to own like a motherfucker

SplitSoul
Dec 31, 2000

Fair warning, though, one of those things clears out your hosts file apparently.

22 Eargesplitten
Oct 10, 2010



So, is that a good way to clean out any malware-riddled computer? My father wants me to clean up his old laptop for his ladyfriend because I'm "good with computers." I haven't ever really needed to clean a computer up like that because I'm careful, which prevents 90% of problems, and I keep an antivirus with an autoscan going.

Nintendo Kid
Aug 4, 2011


22 Eargesplitten posted:

So, is that a good way to clean out any malware-riddled computer? My father wants me to clean up his old laptop for his ladyfriend because I'm "good with computers." I haven't ever really needed to clean a computer up like that because I'm careful, which prevents 90% of problems, and I keep an antivirus with an autoscan going.

Remove as much personal info as you can to be backed up, then format the hard drive/ssd and freshly reinstall Windows.

Cactus Jack
Nov 16, 2005


SplitSoul posted:

Fair warning, though, one of those things clears out your hosts file apparently.

Yeah, that was probably Roguekiller. I've seen malware block things through the hosts file, such as remote connection sites like LogMeIn, so I consider this a good feature.

22 Eargesplitten posted:

So, is that a good way to clean out any malware-riddled computer? My father wants me to clean up his old laptop for his ladyfriend because I'm "good with computers." I haven't ever really needed to clean a computer up like that because I'm careful, which prevents 90% of problems, and I keep an antivirus with an autoscan going.

It is truthfully easier to just back up the files you want, format the drive including the MBR if you are worried about rootkits, and then reinstall the OS and move the files back. Unfortunately, you can't always do that since some people have convoluted setups or you are doing it remotely. On the plus side, doing it this way you can learn about virus/PUP removal and maybe not have to nuke something in the future because it got some malware on it.

22 Eargesplitten
Oct 10, 2010



Yeah, I have a thumb drive with a (legal) copy of 7 Professional here. That's what I did the only time I can remember I got a bad virus: don't go to new sites while deliriously ill. It worked out well because I had been wanting to upgrade from Vista anyway.

That would also solve the general clean out all of the bloat problem. Is defragging still a thing to do on platter drives, or do newer OSes do that for you?

I probably will just flatten it, re-install, and get Chrome, Bitdefender, and some other malware removal stuff on there.

pixaal
Jan 8, 2004



22 Eargesplitten posted:

Yeah, I have a thumb drive with a (legal) copy of 7 Professional here. That's what I did the only time I can remember I got a bad virus: don't go to new sites while deliriously ill. It worked out well because I had been wanting to upgrade from Vista anyway.

That would also solve the general clean out all of the bloat problem. Is defragging still a thing to do on platter drives, or do newer OSes do that for you?

I probably will just flatten it, re-install, and get Chrome, Bitdefender, and some other malware removal stuff on there.

Win7 should handle detecting if the drive is solid state or not. If it's not an SSD it should auto-defrag when there is free time to do so.

22 Eargesplitten
Oct 10, 2010



Okay. I thought I remembered something like that. I'm pretty sure my parents still manually defrag, but that's just one of those learned habit things. Like how some people still think having too much on your desktop will slow it down.

myron cope
Apr 21, 2009

Cactus Jack posted:

Check out Task Scheduler and see if any weird tasks are set. See anything lovely? Disable or delete it. Same with startup and services.

You can also use Autoruns for this

Cactus Jack
Nov 16, 2005


myron cope posted:

You can also use Autoruns for this

Comodo has a really good version of Autoruns as well, and CCleaner also has a bit of this functionality under Tools > Startup. The Comodo one seems to be a bit more thorough than the MS Autoruns in my experience; it just takes longer to find everything.

mindphlux
Jan 8, 2004

Sanity check: is there a way to have a user log in automatically on a machine in a domain environment on boot? I know you can do it in Windows 7 Home if you only have one user and no password, but I'm talking like a Windows Server environment.

I have a dumb legacy application that won't run unless an interactive user is logged on, this loving server keeps going down, and users keep complaining to me that the server isn't working until I remote in and log on as an interactive user. It is the dumbest thing.

Don Lapre
Mar 28, 2001


mindphlux posted:

Sanity check: is there a way to have a user log in automatically on a machine in a domain environment on boot? I know you can do it in Windows 7 Home if you only have one user and no password, but I'm talking like a Windows Server environment.

I have a dumb legacy application that won't run unless an interactive user is logged on, this loving server keeps going down, and users keep complaining to me that the server isn't working until I remote in and log on as an interactive user. It is the dumbest thing.


http://superuser.com/questions/28647/how-do-i-enable-automatic-logon-in-windows-7-when-im-on-a-domain

BaseballPCHiker
Jan 16, 2006

Does anyone have any recommendations on a malware sandbox or something that spits out pretty reports and analysis of viruses? My current employer is very security conscious and I think we do have a pretty solid secure environment, all things considered. But at least once a week someone will get a suspicious email that gets blocked by our spam filter and they stop by to ask about it in more detail. I'd love to be able to run it through something and give them a breakdown of what the virus was attempting to do, where it's coming from, files modified, etc. This isn't a need, but it would be a nice feather in IT's cap and make us look good. I briefly looked at Cuckoo, but the reports it generates don't seem to be "pretty" enough to grab people's attention.

Mustache Ride
Sep 11, 2001



There's a lot of expensive things that will do this. The most popular is the FireEye AX sandbox, that will automatically take malware that is uploaded and spit out an email with the stats of the email. Other than that, you're looking at something like a Cyphort or others.

I've played around with Cuckoo, but it's a little limited in what it can do. And you're right, its reports are not pretty.

Honestly, your best bet is to upload that poo poo to Virustotal and show them its report.
Example:

Mustache Ride fucked around with this message at 16:11 on Jun 18, 2015

Zamujasa
Oct 27, 2010




BaseballPCHiker posted:

Does anyone have any recommendations on a malware sandbox or something that spits out pretty reports and analysis of viruses? My current employer is very security conscious and I think we do have a pretty solid secure environment, all things considered. But at least once a week someone will get a suspicious email that gets blocked by our spam filter and they stop by to ask about it in more detail. I'd love to be able to run it through something and give them a breakdown of what the virus was attempting to do, where it's coming from, files modified, etc. This isn't a need, but it would be a nice feather in IT's cap and make us look good. I briefly looked at Cuckoo, but the reports it generates don't seem to be "pretty" enough to grab people's attention.

https://malwr.com/ is a pretty fun site for that sort of thing.

mindphlux
Jan 8, 2004


fuckin magic m8 thx

myron cope
Apr 21, 2009

mindphlux posted:

fuckin magic m8 thx

You can encrypt the password (and enable autologon) with another sysinternals tool: Autologon

Mark Russinovich is a warlock

treasured8elief
Jul 25, 2011

I'm sorry if my question is terrible and pointless but I can't really find any in-depth info. I accidentally ran CryptoWall ransomware but I killed it and cleaned it away before too many of my files were encrypted. I'm pretty sure I memory dumped the right process before doing so.

I'm wondering if there's a chance I'll be able to find their decrypting key in my dump files. I'm hoping their keys were created on my end and not server-side; no analysis I found was really detailed about that at all. Does anyone happen to know if I am right in hoping both RSA keys were made on my end? :ohdear:

I want to run it again to check for myself, but I don't have anything to really do so cleanly set up right now.

treasured8elief fucked around with this message at 08:51 on Jun 22, 2015

Khablam
Mar 29, 2012

tentative8e8op posted:

I'm sorry if my question is terrible and pointless but I can't really find any in-depth info. I accidentally ran CryptoWall ransomware but I killed it and cleaned it away before too many of my files were encrypted. I'm pretty sure I memory dumped the right process before doing so.

I'm wondering if there's a chance I'll be able to find their decrypting key in my dump files. I'm hoping their keys were created on my end and not server-side; no analysis I found was really detailed about that at all. Does anyone happen to know if I am right in hoping both RSA keys were made on my end? :ohdear:

I want to run it again to check for myself, but I don't have anything to really do so cleanly set up right now.

The private key (the one you need to decrypt) never leaves their server.

Subjunctive
Sep 12, 2006


Khablam posted:

The private key (the one you need to decrypt) never leaves their server.

Whoa, it really does asymmetric encryption over gigabytes of data? I'd have thought that to be prohibitively slow, even if they used something faster than RSA.

Do you know what cryptosystem is typically used?

BaseballPCHiker
Jan 16, 2006

Zamujasa posted:

https://malwr.com/ is a pretty fun site for that sort of thing.

Thanks for all of the recommendations. I think malwr.com will work alright. This site from JoeSecurity.com:
http://www.file-analyzer.net/
gives the "prettiest" output of anything that I've come across so far and even includes a map with IP addresses, that will really get the bigwigs going once they see a map with Russia on it.

ElZilcho
Apr 4, 2007

Subjunctive posted:

Whoa, it really does asymmetric encryption over gigabytes of data? I'd have thought that to be prohibitively slow, even if they used something faster than RSA.

Do you know what cryptosystem is typically used?

Time usually doesn't matter; from what I've seen, users don't realise until the "Ransomware" HTML prompt is shown.

Encrypt with public key, decrypt with private, job done. Ransomware skips over larger files too; PSTs have been safe if they are large enough.

RSA is simply the key exchange/generation mechanism, AES256 seems to be the cipher of choice.

ElZilcho fucked around with this message at 16:11 on Jun 22, 2015

ElZilcho
Apr 4, 2007

BaseballPCHiker posted:

Does anyone have any recommendations on a malware sandbox or something that spits out pretty reports and analysis of viruses? My current employer is very security conscious and I think we do have a pretty solid secure environment, all things considered. But at least once a week someone will get a suspicious email that gets blocked by our spam filter and they stop by to ask about it in more detail. I'd love to be able to run it through something and give them a breakdown of what the virus was attempting to do, where it's coming from, files modified, etc. This isn't a need, but it would be a nice feather in IT's cap and make us look good. I briefly looked at Cuckoo, but the reports it generates don't seem to be "pretty" enough to grab people's attention.

It may be worth having a look at Check Point's threat emulation service. You'll need to create an account but usage is free, I can't remember the file types they allow though.

https://threatemulation.checkpoint.com/teb/

treasured8elief
Jul 25, 2011


Khablam posted:

The private key (the one you need to decrypt) never leaves their server.

:( Thank you very much! I tried undeleting my original files too, but it neatly prevented me from getting anything useful from most of them.

I'm super grateful and lucky I didn't let it run all the way; I lost some sentimental pictures but nothing else too terrible.

Please keep backups, everyone!

BOOTY-ADE
Aug 30, 2006


tentative8e8op posted:

I'm sorry if my question is terrible and pointless but I can't really find any in-depth info. I accidentally ran CryptoWall ransomware but I killed it and cleaned it away before too many of my files were encrypted. I'm pretty sure I memory dumped the right process before doing so.

I'm wondering if there's a chance I'll be able to find their decrypting key in my dump files. I'm hoping their keys were created on my end and not server-side; no analysis I found was really detailed about that at all. Does anyone happen to know if I am right in hoping both RSA keys were made on my end? :ohdear:

I want to run it again to check for myself, but I don't have anything to really do so cleanly set up right now.

You can try Kaspersky's no ransom site: https://noransom.kaspersky.com/

I know a few others are floating around, but yes, definitely good to have backups on hand and only test viruses on unused non-network machines to be safe. I found another tool a while back that would let you use Windows VSS to recover files but that could take a while to do, can't recall the name of it but I've used it a handful of times and it works pretty well.

BOOTY-ADE fucked around with this message at 17:00 on Jun 22, 2015

Subjunctive
Sep 12, 2006


ElZilcho posted:

RSA is simply the key exchange/generation mechanism, AES256 seems to be the cipher of choice.

But AES is symmetric, so the decryption-capable key then has to reside in process memory during the locking process, rather than only on the attacker's server. I don't understand how or why you would use RSA to generate a key for AES, though I'm not really even an amateur cryptographer. By exchange I assume you mean the usual encrypt-symmetric-key-with-asymmetric-cipher sort of bootstrapping protocol?


ymgve
Jan 2, 2004


I assume it goes something like this:

1. ransomware creates random AES key on your computer, keeps it in RAM
2a. ransomware uses RSA to encrypt the AES key with the ransom guys' public key. ransomware still keeps the unencrypted AES key in RAM
2b. ransomware encrypts all your documents with the AES key
3. ransomware wipes key from RAM, presents nasty popup
(2a and 2b might happen in opposite order, not really relevant if the ransomware works as intended)

Not sure what happens if the process is interrupted, but unless they messed up there's no way they'll let the AES key touch the disk. You might get lucky and find it in the page file, but I think the chance of that is small.
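To make ymgve's point checkable, an added example that is not from the thread or from any published tool: while files are being encrypted, any AES implementation keeps the key's expanded 176-byte round-key schedule next to the key, and that structure is recognisable in a memory image even though the key bytes themselves look random; this is the approach memory-forensics key finders take when a victim has dumped the process before step 3. The key schedule follows FIPS-197, the "dump" is constructed, and the wiped variant models a context zeroed before the dump, in which case there is nothing left to find.

```python
import random

# AES-128 key schedule (FIPS-197), written out so nothing beyond the standard
# library is needed. The scan only has to recognise this 176-byte structure.

def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial 0x11B."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gmul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():
    """S-box = multiplicative inverse in GF(2^8) followed by the affine map."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0) if x else 0
        s, r = inv, inv
        for _ in range(4):          # s = inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4 ^ 0x63
            r = ((r << 1) | (r >> 7)) & 0xFF
            s ^= r
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()
RCON = (0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36)

def expand_key(key):
    """Expand a 16-byte key into the 176-byte round-key schedule."""
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = bytes(SBOX[b] for b in t[1:] + t[:1])       # RotWord then SubWord
            t = bytes([t[0] ^ RCON[i // 4 - 1]]) + t[1:]    # xor round constant
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
    return b"".join(w)

def find_aes128_keys(dump):
    """Offsets where 16 bytes are immediately followed by their own schedule."""
    hits = []
    for off in range(len(dump) - 175):
        cand = dump[off:off + 16]
        if expand_key(cand) == dump[off:off + 176]:
            hits.append((off, cand))
    return hits

def build_sample_dump(key, wiped=False):
    """Constructed stand-in for a process dump: junk, a cipher context, junk.
    wiped=True models step 3 of the post: the context zeroed before the dump."""
    rng = random.Random(2015)
    junk = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    context = bytes(176) if wiped else expand_key(key)
    return junk(1024) + context + junk(512)

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 test key
    print("dumped before wipe:", find_aes128_keys(build_sample_dump(key)))
    print("dumped after wipe: ", find_aes128_keys(build_sample_dump(key, wiped=True)))
```

Real key finders prefilter each offset with the first derived word before doing the full expansion, which is what makes scanning gigabytes practical; the check itself is the same.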
