May 28, 2002
BOY: I know a lot of people suffering from NIMDA and KLEZ. My firewall apparently stops NIMDA, but as I remarked last week, I get a KLEZ-infested email almost every time I check mail. Is this cyberwar? It certainly seems worse than I’ve ever seen.
Question: I’m about to install the home network. Will my Linksys WAP-11 be sufficient firewalling, or should I put Norton on each computer?
UPDATE: Hey, thanks for all the advice in the comments section (er, except for Richard Bennett’s comments about my daughter. Jeez.) and by email.
Dan Lewis says:
I have a Linksys router up and Norton on my machine, and KLEZ and NIMDA emails make up about 20-50% of my in box. My advice? There’s no such thing as “sufficient.”
May 28, 2002, 9:46 pm
Bill Long says:
First, if you haven’t already bought the WAP-11, or if you can return it, go for the BEFW11S4–the wireless router/switch with a wireless NIC (WPC11 PC card for a laptop). It has 4 cable ports, so you can attach computers with non-wireless NICs–the best of both worlds. (I don’t have any relationship–except as a customer–with Linksys.)
Plus, you can take the wireless laptop to Starbucks and combine the coffee shop /and/ the blog world.
But to answer your question. I had Norton before I got the router and it caught 5-8 attacks a week (not that many). After I got the router, Norton hasn’t registered any attacks, so I suspect the router is blocking them. But Norton Internet Security is so cheap (compared to getting hacked), why not use the condom and the pill–so to speak.
Good luck
Bill Long
May 28, 2002, 9:56 pm
Mike Trettel says:
A Linksys is OK, but it’s a toy compared to a real hardware firewall. It’s just doing NAT, and isn’t filtering packets at all; you need something that does SPI (stateful packet inspection) to get that capability. You want something like a Sonicwall SOHO2 or the like. If you don’t feel like spending that kind of money look for a Netgear RO318 or FR314, basically a subset of the SOHO’s abilities at a fraction of the price. It never hurts to run a software firewall on top, but Norton is quite frankly overrated. Go with Tiny firewall or ZoneAlarm Pro.
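To make the NAT-versus-SPI distinction in the comment above concrete, here is an added toy model (editor's illustration, not code from the thread or from Linksys or Sonicwall). It assumes a simplified NAT that passes any inbound packet addressed to a mapped or forwarded port, and a stateful filter that additionally checks the remote peer and the TCP flag sequence; the address constants, class names and the "full cone" NAT behaviour are assumptions, and real NAT implementations vary in how strictly they check the peer, so the gap shown is the worst case for the NAT-only box. Note that a port you deliberately forward (say, a home web server on 80) is open to the world on both boxes.

```python
"""Toy model of a NAT-only router vs. a stateful packet-inspection (SPI) firewall.

Editor's illustration; not code from the thread or from any vendor. The 'full cone'
NAT behaviour, the address constants and the class names are assumptions.
"""
from dataclasses import dataclass

LAN_HOST = "192.168.1.10"     # assumed LAN client
WAN_ADDR = "203.0.113.5"      # assumed public address of the router (documentation range)
WEB_PEER = "198.51.100.7"     # assumed remote web server the LAN client talks to
ATTACKER = "198.51.100.99"    # assumed third party probing the public address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as a string: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


class NatOnlyRouter:
    """Port-preserving NAT. Inbound traffic reaches the LAN when the destination
    port has a mapping (created by outbound traffic) or a static port forward.
    Nothing else about the packet is examined."""

    def __init__(self, forwards=None):
        self.mappings = {}                    # public port -> (lan_ip, lan_port)
        self.forwards = dict(forwards or {})  # public port -> lan_ip (static forwards)

    def outbound(self, p):
        self.mappings[p.sport] = (p.src, p.sport)
        return Packet(WAN_ADDR, p.sport, p.dst, p.dport, p.flags)

    def inbound(self, p):
        return p.dport in self.forwards or p.dport in self.mappings


class StatefulFirewall(NatOnlyRouter):
    """Same NAT, but an inbound packet must belong to a connection the LAN opened:
    same remote peer and ports, and TCP flags consistent with the tracked state."""

    def __init__(self, forwards=None):
        super().__init__(forwards)
        self.conns = {}  # (lan_ip, lan_port, peer_ip, peer_port) -> state

    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            self.conns[key] = "SYN_SENT"
        elif key in self.conns and "A" in p.flags:
            self.conns[key] = "ESTABLISHED"
        return super().outbound(p)

    def inbound(self, p):
        if p.dport in self.forwards:
            return True  # a forwarded service port is exposed by design
        if p.dport not in self.mappings:
            return False
        lan_ip, lan_port = self.mappings[p.dport]
        state = self.conns.get((lan_ip, lan_port, p.src, p.sport))
        if state is None:
            return False  # unknown peer, or nobody on the LAN asked for this
        if state == "SYN_SENT":
            return p.flags == "SA"  # only the handshake reply is valid here
        return "S" not in p.flags  # an established flow never carries a fresh SYN


def run_scenarios():
    """Drive both boxes through the same traffic; returns {scenario: (nat_ok, spi_ok)}."""
    nat, spi = NatOnlyRouter({80: LAN_HOST}), StatefulFirewall({80: LAN_HOST})
    bare_nat, bare_spi = NatOnlyRouter(), StatefulFirewall()
    syn = Packet(LAN_HOST, 40000, WEB_PEER, 80, "S")   # LAN client opens a connection
    for box in (nat, spi, bare_nat, bare_spi):
        box.outbound(syn)
    reply = Packet(WEB_PEER, 80, WAN_ADDR, 40000, "SA")   # legitimate handshake reply
    stray = Packet(ATTACKER, 4444, WAN_ADDR, 40000, "A")  # third party hits the mapped port
    probe = Packet(ATTACKER, 4445, WAN_ADDR, 40000, "S")  # fresh SYN to the mapped port
    web = Packet(ATTACKER, 4446, WAN_ADDR, 80, "S")       # scan of public port 80
    return {
        "SYN-ACK from the real peer": (nat.inbound(reply), spi.inbound(reply)),
        "stray ACK from a third party": (nat.inbound(stray), spi.inbound(stray)),
        "unsolicited SYN to the mapped port": (nat.inbound(probe), spi.inbound(probe)),
        "SYN to port 80, no forward": (bare_nat.inbound(web), bare_spi.inbound(web)),
        "SYN to port 80, forwarded to the LAN": (nat.inbound(web), spi.inbound(web)),
    }


if __name__ == "__main__":
    for name, (nat_ok, spi_ok) in run_scenarios().items():
        print(f"{name:40} NAT-only: {'pass' if nat_ok else 'drop'}  SPI: {'pass' if spi_ok else 'drop'}")
```

The two cases where the boxes differ are the ones the comment is about: a packet aimed at a port the LAN client is using, but from a host the client never talked to, sails through the NAT-only model and is dropped by the stateful one. The last row is the caveat: once you forward a port, neither box helps, and filtering has to happen at the application layer.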
May 28, 2002, 9:59 pm
Joe Admire says:
I actually think the Klez infestation is starting to die down. My website’s mailbox has been hard-hit by Klez-infected messages; there have been days when a full two-thirds of the incoming mail has had some variant of the worm. In recent days, though, the flood has receded; I believe I’ve only gotten one or two a day through that mailbox. My Yahoo! mailbox continues to receive at least two or three a day, and my Earthlink mailbox gets one to two per day. Like I said, I’ve seen it a lot worse. The interesting thing is that Klez seems to be the _only_ email worm/virus currently in wide circulation; I think I’ve only gotten single copies of two or three other virii in the mail in recent weeks. It almost makes one long for a little variety.
Incidentally, I use Norton Antivirus 2002 with the email auto-protect feature turned on.
May 28, 2002, 10:03 pm
Ray says:
A firewall will protect you from the more stupid attacks, such as CodeRed or Nimda. However, it doesn’t stop mail worms or anything that exploits the huge holes in IE, should you visit a malicious web site. It also doesn’t protect you from spyware on your machine connecting out.
ZoneAlarm is good, and has a free version. You might want to run it. I would suggest you DO run a virus scanner, though, and make sure it is NOT Norton. This is for two reasons. 1) I have had very bad luck with it with previous infections. 2) Everyone uses Norton. Monoculture is BAD in immune systems. Be weird. Be eccentric.
I suggest the Kaspersky Antivirus because: 1) It has a reasonable heuristic checker that means you might actually avoid infection by a new virus. 2) Most people don’t know it exists (it’s a Russian program) and all use Norton or McAfee. 3) I ran it as part of a linux mail server to protect a small company from mail worms and other junk and it worked very well. Infected mail simply never got into the company.
I still hanker back to the old days when Antivirus companies were willing to write really good heuristic scanners. Of course then customers wouldn’t need regular updates. :-P The best example (IMO) of that software was TBAV by ThunderByte. I watched it heuristically find and disinfect files infected by a completely new self-encrypting polymorphic virus, with 100% success. Norman has since bought TBAV. It might be worth your time to look at their web page, though I don’t know their products. It’s at http://www.norman.no
If you want to avoid some of the potential security risks of running IE, I suggest you try Mozilla. It will be hitting version 1.0 within a month, but I have been using it for months now. I actually prefer it to IE. Being able to open new pages in tabs is great. This is also a good anti-malware bet because it avoids the monoculture out there that is IE.
If you would like more information about how to set up a mail server that precleans and despams your email, then feel free to get hold of me via email.
Oh, and avoiding Outlook (aka LookOut) as a mail client is probably a good idea too. I don’t read mail on Windows, but I know there are a fair number of good programs out there.
Hope this helps.
May 28, 2002, 10:07 pm
Ray says:
Oh. I forgot.. if you don’t want to spend any money:
http://freeantivirus.com
May 28, 2002, 10:13 pm
Richard Bennett says:
I think all these virus fears are overblown. Viruses are normal and natural things, and we shouldn’t fear them.
But I’m glad you’re going wireless Glenn – that’s a technology with my fingerprints all over it.
May 28, 2002, 10:15 pm
Ray says:
Speaking as someone with a good deal of knowledge in this field, viruses and worms are completely avoidable through good software design.
They are natural in the sense that the bubonic plague is natural around people who don’t bathe and sleep with fleas and rats.
Don’t get me wrong. I’m not blaming clueless users. I’m blaming software companies that don’t care about good software design.
May 28, 2002, 10:21 pm
Rand Simberg says:
Belt, suspenders, and hold on to your pants as well.
But the warning about Norton is well-advised. Klez attacks Norton…
The main thing is to avoid Microsoft software as much as possible. Not because the Microsoft programmers aren’t competent, but because they and Norton are the targets. My recommendation: Eudora for mail, Opera for browsing, Agent for newsgroups. Keep IE around for (critical) sites that insist (for whatever misguided reason) on writing uniquely to it.
And yes, the best firewalls are not available off the shelf. If you’re not paranoid, but they’re out to get you anyway, set up a linux box with really fascist rules, that does nothing but filter packets…
May 28, 2002, 10:24 pm
Kevin M. McGehee says:
Glenn, you might as well ask, “Since we have a Border Patrol, do we still need an immigration service”? Assuming, of course, the latter works worth a dang…
I know that Norton’s latest updates handle Klez just fine on my wife’s computer — I only got Klez because I hadn’t kept my copy of Norton updated. I use PC-cillin now, which will *warn* of Klez-infected attachments but can’t do anything about them when they’re still in Outlook Express.
I wouldn’t dream of ditching good anti-virus protection under any circumstances.
May 28, 2002, 10:24 pm
Robin Roberts says:
I’ve got the BEFW11S4, with a cable modem behind it. My only complaint is that the link seems to go stale more often than I think it should, requiring the DHCP ip to be renewed. With respect to attacks, it is important to note that while the router’s network address translation does defeat 95% of attacks aimed at Winblows PC’s, it’s not a real firewall. Linksys is distributing some form of firewall software associated with it now but I haven’t evaluated it.
May 28, 2002, 10:24 pm
Richard Bennett says:
We only fear viruses because we associate the name “virus” with biological viruses. In the old days, we just called them “programs” and nobody worried about them.
I wouldn’t mind if my child’s computer had a virus.
May 28, 2002, 10:32 pm
Michael Kielsky says:
I get at least 5 Klez e-mails a day, but between the combo of my LinkSys router, Norton Anti-Virus, and ZoneAlarm (free) with its MailSafe script scrubber option turned on, none have gotten through.
Add ZoneAlarm to your set, the price can’t be beat either.
May 28, 2002, 10:36 pm
Kevin M. McGehee says:
For some blog posts about my battle with Klez, complete with my learning curve for all the world to see, go to http://flyoverblogdom.blogspot.com/2002_05_05_flyoverblogdom_archive.html#76413276 — this is the first of four posts in succession, so after reading it you’d need to scroll up.
May 28, 2002, 10:41 pm
Kevin M. McGehee says:
P.S.: I begin to see Hillary Carter’s point.
May 28, 2002, 10:42 pm
Carter Smith says:
A good free online virus checker is
http://housecall.antivirus.com
To see how vulnerable you are to a hack attack (rather than just bad email), go to
http://www.grc.com
and use the free Shields Up facilities.
May 28, 2002, 10:45 pm
Matt Moore says:
A firewall can’t stop Nimda, unless it is doing something pretty sophisticated. Nimda attacks Microsoft webservers over port 80, and unless you are doing application monitoring at the firewall level, all those requests will get through. Your best bet, if you want to run a webserver at home, is to run Apache on a Linux box.
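The point of the comment above is that a port-80 forward lets every HTTP request through the router, so Nimda-style probes have to be caught in the web server's log or by an application-aware filter. Here is an added example (editor's, not from the thread or from any IDS product) that scans constructed Apache-style log lines for the widely published Nimda probe patterns: requests for root.exe (the Code Red II backdoor) and cmd.exe, and the encoded ..%5c / ..%255c / ..%c0%af traversals. It decodes the path twice so double-encoded traversals are caught. The log lines, addresses and function names are constructed for the illustration.

```python
"""Flag Nimda-style probe requests in a web server log.

Editor's example, not from the thread. The log lines below are constructed
(documentation-range addresses) and modelled on the widely published Nimda
probe patterns; the function names are assumptions.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache common log format: host ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_path(path):
    """Undo URL encoding twice, byte-for-byte (latin-1), so %255c and %5c both end
    up as a literal backslash, then fold the overlong-UTF-8 slashes (%c0%af,
    %c1%1c) that the IIS traversal probes use into a plain slash."""
    twice = unquote(unquote(path, encoding="latin-1"), encoding="latin-1")
    return twice.replace("\xc0\xaf", "/").replace("\xc1\x1c", "/")


def classify(path):
    """Return a reason string if the request path looks like a Nimda probe, else None."""
    p = decode_path(path).lower()
    traversal = "../" in p or "..\\" in p
    if "root.exe" in p:
        return "request for the Code Red II backdoor root.exe"
    if "cmd.exe" in p:
        return "command shell via traversal" if traversal else "direct request for cmd.exe"
    if traversal and "winnt" in p:
        return "encoded directory traversal into the system directory"
    return None


def scan_log(text):
    """(source, raw path, reason) for every line that classify() flags."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify(m["path"])
        if reason:
            hits.append((m["src"], m["path"], reason))
    return hits


def offenders(text, threshold=1):
    """Source addresses with at least `threshold` flagged requests: candidates for a block rule."""
    counts = Counter(src for src, _, _ in scan_log(text))
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample; the probe lines mimic the published Nimda request patterns.
SAMPLE_LOG = """\
198.51.100.23 - - [28/May/2002:21:10:04 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287
198.51.100.23 - - [28/May/2002:21:10:05 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
198.51.100.23 - - [28/May/2002:21:10:06 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
198.51.100.23 - - [28/May/2002:21:10:07 -0400] "GET /msadc/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
203.0.113.8 - - [28/May/2002:21:11:30 -0400] "GET /index.html HTTP/1.1" 200 5123
203.0.113.8 - - [28/May/2002:21:11:31 -0400] "GET /archives/2002_05.html HTTP/1.1" 200 40211
"""

if __name__ == "__main__":
    for src, path, reason in scan_log(SAMPLE_LOG):
        print(f"{src:16} {reason:50} {path}")
    print("block candidates:", offenders(SAMPLE_LOG, threshold=2))
```

Note that every probe in the sample got a 404: on an Apache box there is no cmd.exe to find, which is the comment's point, but the requests still arrive, and a NAT router with port 80 forwarded passes them untouched. Decoding twice matters because IIS decoded the path twice and the %255c form was written to get past filters that decoded only once.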
May 28, 2002, 10:57 pm
Ray says:
Richard, you are right that most of the virus hype is exactly that. Hyping the dangers is a great way to make money for antivirus companies.
For me, it is mainly a matter of aggravation. I don’t want to get hundreds of junk mails a day. This includes spam. When I sysadmin machines on the side at a company, I don’t want to spend all hours of the night scraping vitally important information off someone else’s virus infested hulk. I never catch the things. I just spend my time fixing other people’s screwups.
I also find it aggravating because I know it is completely unnecessary. “It just wastes time”, but that time is MY time being spent because of other people’s incompetence.
Some viruses are capable of trashing your motherboard – you have to get a new BIOS ROM to revive them.
I think the only reason there isn’t a killer mail worm that permanently turns machines into door stops is that malware writers are inexplicably nice. It’s certainly not a difficult thing to do. I would view such a creature with mixed feelings. It would certainly teach some irresponsible people and companies a valuable lesson.
May 28, 2002, 11:06 pm
Richard A. Heddleson says:
If I were you I wouldn’t publicize my set up on the net. Too many people know more than I and probably you.
May 28, 2002, 11:10 pm
np says:
Sorry, this is not virus but _your-blog_ related.
Have you noticed this one already? – I could not find your comments related to this article.
http://www.epnworld-reporter.com/news/fullstory.php/aid/255
May 28, 2002, 11:24 pm
Vincent says:
Firewalls and antivirus software aren’t an either/or proposition. They address different aspects of computer/network protection.
A firewall, especially a hardware firewall (less versatile and harder to update than software-only firewalls), is supposed to stop attacks through network protocols. Those are mostly done by trying to find out, first, what network applications are running on your network, and then trying to exploit known vulnerabilities in those applications – e.g. a bug in your web server that enables me to run any program on your computer, or a bug in the security system of the OS that enables me to gain all permissions on a shared folder.
An antivirus software’s job, on the other hand, is to find programs, or scripts embedded in files (like a macro in a Word document or an email) that would harm your computer if run.
So, bottom line, firewalls protect against network protocol-based attacks, and antiviruses protect against software attacks.
Just get Norton, update OFTEN, and keep that firewall (though a Linksys box is overkill for a home LAN in my opinion; good salesmen they have at your computer store ;-).
May 29, 2002, 12:20 am
Rand Simberg says:
I don’t think that a Linksys box is overkill–it’s a minimum, and probably not enough. There are too many script kiddies out there to be complacent about firewalls. Even if they aren’t mining valuable information about your personal life, they’re easily in a position to use your computer to broadcast spam to half the world.
Too many people don’t understand the implications of being connected to the net 24/7/365.
May 29, 2002, 12:26 am
Donny says:
Simply put, avoid Norton products, if at all possible, with the exception of Ghost.
May 29, 2002, 12:27 am
Vincent says:
The main point of having a hardware-based firewall is to do the protection thing faster, not necessarily better. That’s why I said it was overkill on a home LAN.
A software-based firewall will do the same thing, protection-wise, as a hardware-based firewall, only slower (and cheaper). And even then that would make a noticeable difference only if you’re running a server on your machine/network that is accessed by at least more than one user every second (like yahoo or ebay, for instance). Mr. Reynolds said it was for his home LAN, so I’m assuming it’s for logging into his work LAN, and/or sharing data across his home computers (the latter task would anyway bypass the firewall), so I still don’t see the point of a hardware firewall, unless I can be enlightened.
May 29, 2002, 12:37 am
Thomas B. says:
Vincent is exactly right here, firewalls and antivirus software are designed to defend against different vectors through which you can be attacked. I just wanted to note a few things:
The reason you see references to some viruses in both your anti-virus software and your firewall is that viruses these days can have multiple vectors. A year or two ago, this was almost unheard of, and viruses only attacked in one way, but virus creators have grown more adept. What’s important is that you block all the vectors you can.
May 29, 2002, 12:39 am
Rand Simberg says:
Here’s the enlightenment. A hardware firewall not only does the job faster, but it is a literal “firewall.” It’s a separate machine, with its own security systems, and its own passwords that have to be cracked.
People who are truly fanatical about security (like me, because it’s part of my job description) have yet another machine that does nothing but logging, because this makes it much harder to spoof the logs (which is standard procedure for crackers).
Even if someone figures out how to breach it, they still have to deal with the actual target computer. Think of it as a moat around the castle. What you’re proposing is doing away with the moat (defense in depth) and simply having guards inside the walls.
Now all this may be overkill for a typical home user, but Glenn is not just a home user–he’s a net celebrity, and, if nothing else, there’s coup to be gained from his cyberscalp. A Linksys is by no means overkill–it’s a bare minimum, and IMO probably inadequate.
May 29, 2002, 12:57 am
Rossz says:
I have my own mail server and have it configured to block dangerous files (exe, vbs, scr, pif, bat). Legitimate files will be archived up properly. With this simple configuration, my reaction is “what klez virus?”
BTW, the number one defense against email viruses is DON’T RUN OUTLOOK! There are many excellent free email programs available that aren’t virus magnets like MS Outlook. Microsoft products aren’t targets because they are popular. They are targets because they are completely vulnerable.
May 29, 2002, 1:25 am
Andy says:
The comments along the lines of don’t fear the virus are misguided. While many viruses do not do anything locally harmful to a client computer other than firing off a bunch of e-mails, to think the problem stops there is solipsistic. E-mail servers and routers can have their performance compromised by these messages and any end-user who blithely thinks that everything is okay because they don’t see a direct problem should be tossed by their ISP. Now A/V companies do overhype threats but for every Klez there is a Chernobyl or MyLife and as I have already said Klez can bork key upstream systems from our solipsistic user. As others have said, there are quite a few choices for A/V but use something unless you are prepared to at least closely look (without opening) at each incoming message and kill previewing. As I am sure Instapundit gets a lot of messages from new people, an anti-virus program just makes sense. Those who think viruses are overhyped and especially those who don’t feel too bothered by being compromised better be mighty sure of the technical ground they have made their stand on.
May 29, 2002, 1:37 am
Tony B says:
Does anyone else think Richard Bennett is an idiot (even if he is just trolling)?
May 29, 2002, 1:43 am
Richard Bennett says:
Sure, Tony – lots of people do, and the fact that they’re generally illiterates taking their opinions from a dyslexic shouldn’t bother anybody. I know it doesn’t bother me.
May 29, 2002, 5:51 am
Daniel Harnden says:
I am a network tech guy. Yesterday I had to fix 6 PCs infected with the KLEZ worm. They all had Norton running on them, but Norton didn’t stop the KLEZ (I don’t think the definitions had been updated recently). I downloaded McAfee’s product and cleaned them all up. Go to http://download.mcafee.com/eval/evaluate2.asp
May 29, 2002, 6:52 am
Dave Anderson says:
Vincent is the man! The problem with firewalls is you can’t just buy them and feel safe; they need to be configured properly. And THAT takes time and effort. (And remember to set OE5 for “restricted zone” so emails can’t phone home using port 80.) I use Norton AntiVirus w/ email protection and Sygate Personal Firewall (it’s free for home use) and Sygate Home Network (~$40 for a 4 computer network) for my firewall/router.
My home network uses only NetBEUI for the Windows networking/printer sharing stuff; TCP/IP is used only for Internet access. I’ve found that the stateful inspection and application whitelist for Internet access capabilities of SPF/SHN, together with the email script scanning of a good AV program screens out most attacks.
May 29, 2002, 7:24 am
Tom Reynolds says:
Believe all the folks who tell you about using layers of protection. NAT, firewall, antivirus.
Remember too, you’ll sometimes take that laptop outside of your protected environment. It needs a software firewall and whatever antivirus software you have faith in.
Selecting antivirus software is a religious issue, I’m not going to argue it here– My wife and I don’t even use the same AV software on our personal machines, never mind what my employer has installed on the laptop.
Just remember, any time you have unprotected data exchange with someone, you’re having data exchange with everyone they ever had data exchange with.
May 29, 2002, 8:03 am
Jim McCormick says:
You might want to consider a software program such as MailWasher that allows you to filter your email before you see it. There are several good ones out there. The one I’m using will catch viruses like Klez and an added feature is that you can also filter most spam and unwanted emails. Setup and configuration is also rather easy and user friendly; and as shareware is rather low in cost.
We use different virus checkers and firewalls at the office and have found each have their strengths and weaknesses. None are yet perfect.
May 29, 2002, 8:29 am
Tony says:
You should use Sophos AV instead of Norton. It stops all variants of the Klez virus, including Klez-H, and was proactively blocking Klez-H type variants 2 months before Norton. They email out (or allow FTP access into) their fixes, usually before the announcements come out. I get 3-4 new virus definitions every day. They send out monthly software updates, they don’t charge for their network admin tool (like Norton does), and their licence allows corporate users to take a copy home and install it on the home PC! I was once a big Norton AV evangelist (I think I calculated about $20,000 in revenue for Symantec came directly from me since I started working as a tech, and about triple that indirectly), but a series of conversations I had with their senior tech staff led me to move away from them permanently. Basically, they refused to guarantee that they’d block the FBI’s Magic Lantern virus… in fact, they said they’d definitely NOT block it, even though the FBI said they hadn’t requested any cooperation with Symantec.
IMHO, a virus is a virus. Anything the FBI can come up with, 16 million 31337 d00ds can exploit with their l33t scripting haxx0r sk1llz. It’s dumb to let viruses into your network, and it’s dumb to use a product which promises that it’ll be incomplete by design. The CTO of Sophos gave me unequivocal answers to all my questions re: Magic Lantern, whereas McAfee and Norton either dodged the questions or refused to make firm statements. The guys at Sophos have guaranteed that they will never willingly let a virus into my network, FBI-spawned or otherwise, and if they are forced to by law, they will disclose this information to their customer base.
That’s a damned sight better than McAfee’s “We have not been contacted by the FBI re: Magic Lantern” (which was a lie) and Norton’s “We will not block Magic Lantern if we find it.” which IMHO means Norton AV is fundamentally broken and completely untrustworthy from a network admin POV.
Just as an aside, the FBI claimed it didn’t exist anyway, until somebody in LA found a copy on their PC. I’ve got the block on my network, but I rather doubt you’ll find a mention of it at http://www.sarc.com.
May 29, 2002, 8:33 am
Jim Loan says:
Bill Long’s post concerning the BEFW11S4 is right on – don’t do the WAP, go for the switching hub too. I have had one running for many moons (since it came out) and works fine. Any problems, drop a line. Keep up to date on firmware, though.
Second, I also use Norton on all of the computers, wired or wireless, plus Zone Alarm pro, plus Ad subtract pro, (plus IDCide, plus Bugnosis, neither of which are AV stuff, but very useful). I never see any kind of virus, etc. maybe no one is aiming at me, either. You have a higher profile. Add everything up, and it is not bulletproof – nothing is – but probably more of a pain for a hacker/cracker or whatever than most others. Keep up to date on the updates (once a day doesn’t hurt)
A real hardware firewall would be the next step. Kind of expensive, but it depends on what you are protecting.
Note that using a wireless network exposes you to other kinds of malicious behavior – you are broadcasting your networks traffic. It would be advisable to change the default username, the default password, and the default ESSID.
Try the WEP, see if it works for you. Use the four ports on the hub for hard wired high speed access and the wireless for less demanding, less critical apps.
I have had good luck with both the USB wireless adapter and the PC card wireless adapter. I know some people who had no luck with either.
Jim Loan
May 29, 2002, 8:45 am
Mike Trettel says:
After my comment yesterday I spent a little time looking around for decent and cheap hardware firewalls. Personally, I do not consider a Linksys to be more than a rudimentary firewall, and it doesn’t help that they’re as common as dirt nowadays. As someone stated earlier, a monoculture is bad; there are a lot of Linksys routers out there, and once exploited that knowledge will spread quickly through the black hat community. Anyway, it turns out that one can pick up a Webramp 700s for as little as $25; it’s basically a rebadged Sonicwall SOHO with a differing license scheme. You can even flash it with the latest Sonicwall firmware. The catch is that Webramp was bought up by Nokia last year and the 700s was discontinued, which makes support iffy and license upgrades near impossible. Check on E-Bay or the computer surplus resellers for these routers if interested; you would have to add a wireless hub to make a wireless network out of it but the firewall inside that thing is absolutely top notch: it’s a real SPI firewall with rule sets, logging of everything, port blocking/rerouting, VPN, and so forth. I know what I’m getting via UPS shortly…. :-)
May 29, 2002, 10:19 am
John Jorsett says:
I recommend against the Linksys WPC11 PC Card (incorrectly referred to as a ‘PCMCIA’ card by some) for wireless networking. I and at least two other people I’ve had net discussions with have had difficulties with it; for whatever reason, it seems to have serious reception problems. Signal strength with the WPC11 just feet away from the Wireless Access Point (WAP) in the same room was at the ‘barely usable’ level. Using it much further away was out of the question. Switching to an Avaya Orinoco Silver PC Card took care of the problem, and I can go anywhere in my house now.
May 29, 2002, 2:44 pm
John Jorsett says:
Let me add to Mike Trettel’s comments: if you do go with a Linksys router, for heaven’s sake change the administrator password! Many people put these things in and then leave the factory default password, which is nuts.
May 29, 2002, 2:48 pm
Stefan Sharkansky says:
Whenever I get a virus-laden email which is caused by Microsoft Outlook, I forward the email to the following parties, attaching the note at bottom:
support@microsoft.com
billg@microsoft.com
steveb@microsoft.com
abuse@the_customer’s_ ISP
“this email seems to have come from one of your customers, apparently due to defective Microsoft Outlook software. please
help your customers replace their defective software. please note that there are many commercial alternatives to Outlook,
such as netscape and eudora, that are not associated with problems such as these”
May 29, 2002, 2:56 pm
Brian says:
WAP11?
Yah I would suggest getting the wireless router, it makes more sense. piece of advice: don’t combine the wireless PC card with the PCI adapter card, it does a number on windows.
as for whether linksys is okay — it’s more than okay. I know some people seem to think that you would need a stateful firewall, you really don’t. Windows is not vulnerable to those types of attacks where it would matter on whether it would be stateful or not.
as for an email client, disable HTML mail if you want, or even scripting. or better yet, have outlook filter out exe’s and script files, then you will be pretty safe.
It’s all good. if you know what you are doing a virus program is not even necessary. though a firewall would be a good idea, although troubling at times. And quite frankly, if you really needed a serious firewall, you would not be using a prepackaged solution, you would be setting up a computer to do your routing/firewall crap for you (like Mandrake’s all in one firewall http://www.linux-mandrake.com)
alright later
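Rossz's mail-server rule earlier in the thread (block exe, vbs, scr, pif, bat) and Brian's suggestion just above to have the mail client filter out exe's and script files amount to the same check. Here is an added example (editor's illustration, not a commenter's code and not a real mail-server configuration) using Python's standard email module: it builds a constructed test message and flags attachments by the file name's final extension, deliberately ignoring the declared Content-Type, since that header is whatever the sender chose to write. The block list is the one from Rossz's comment; the message contents and function names are constructed.

```python
"""Reject mail attachments by file name, the way the server rule in the thread does.

Editor's example, not from the thread and not a real mail-server config.
The test message and the function names are constructed for illustration.
"""
from email.message import EmailMessage

# Deliberately the list from Rossz's comment. Archives (zip) are not on it and
# would have to be opened to be checked, which this example does not do.
BLOCKED_EXTENSIONS = {"exe", "vbs", "scr", "pif", "bat"}


def is_dangerous_name(filename):
    """Decide on the final extension only, after trimming the padding (trailing
    spaces or dots) sometimes used to hide it; case-insensitive, so 'photo.jpg.SCR'
    is caught just like 'setup.exe'."""
    if not filename:
        return False
    name = filename.strip().rstrip(". ")
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1].lower() in BLOCKED_EXTENSIONS


def scan_message(msg):
    """Names of attachments the rule would block. The declared Content-Type is
    ignored on purpose: it is under the sender's control, while the file name is
    what the recipient's mail client will use to decide how to open the part."""
    return [part.get_filename() for part in msg.iter_attachments()
            if is_dangerous_name(part.get_filename())]


def build_sample():
    """A constructed message with one harmless and two blocked attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "a funny game"
    msg.set_content("see attached")
    msg.add_attachment("just text", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="setup.exe")
    # Labelled as audio by the sender; the name still ends in .scr and that decides.
    msg.add_attachment(b"MZ\x90\x00", maintype="audio", subtype="x-wav",
                       filename="photo.jpg.scr")
    return msg


if __name__ == "__main__":
    blocked = scan_message(build_sample())
    print("would reject, attachments:" if blocked else "would accept", blocked)
```

A rule like this is cheap and catches the bulk of mass-mailer payloads regardless of which worm is current, which is why the server-side version gives the "what Klez virus?" experience. Its limit is the list itself: anything packed inside an archive, or a file type the mail client will execute that is not on the list, passes, so it is a complement to a scanner with current definitions, not a replacement.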
May 29, 2002, 4:01 pm
Joe Admire says:
I stand by Norton Antivirus, as I said earlier. The key is to UPDATE YOUR DEFINITIONS REGULARLY. In fact, I’m set up to _automatically_ update definitions via LiveUpdate – and in further point of fact, I just right now downloaded the latest update to the virus definitions. I do agree that AutoProtect (except for email) uses more system resources than it’s worth, but I just disable that except for the email function and run full system scans manually at frequent intervals.
May 29, 2002, 6:47 pm
Andy says:
I just wanted to also recommend the use of something like Ad-Aware as spyware is as bad as viruses.
May 29, 2002, 8:01 pm
Juanita Greenlee says:
I have a virus on my computer & need help to get rid of it. Cannot afford antivirus programs. Even if I could My cd drive is broken.
October 20, 2002, 4:55 pm
tina spiers says:
I have a worm, can you help me.
November 2, 2002, 2:50 pm
Dewormer says:
Worms suck.
November 2, 2002, 5:31 pm
perryman says:
I can get my D-Link ap 900 or Linksys WAP 11 to see a Avaya silver PCMCIA card any ideas
November 11, 2002, 6:08 am
April says:
I wouldn’t mind getting an antivirus but when i try to it always shows that you have to have a credit card and that’s something i don’t have unless i get the info. in the mail.
afriend
April
April 20, 2003, 11:47 pm