




Updated: 5.6.2006





As far as I am concerned, regarding privacy and security issues and how to protect yourself (when connected to the Internet, of course), good firewall software is the only truly important thing to run; also see the "software.html" page. On the other hand, I must say that I have already made Internet Explorer pretty safe by disabling many dangerous features (see below), with various security-related modifications in gpedit.msc, and additionally with various registry hacks (policy restrictions and others), but especially by disabling many options under Control Panel - Internet Options, the Advanced tab, and by choosing sensible settings (to some rational level) under the other tabs of the Internet Options applet, like Security and Privacy.

Note that I do not recommend that others avoid Microsoft's patches (like me, hehe) or not update/patch Windows at all (again like me); I am just saying that you need to use some good anti-virus software (unlike me, currently running without any anti-virus program), and especially I certainly do recommend using some well-known, trusted and well-configured firewall software (as the most important thing), but rather see the rest of the page for details. Also see my posts in these threads: first here on Winforums: Do we really need software updates?, then here on Wilders Security forums: What is really sensible in terms of PC security?, and finally on Ars Technica forums: Let's Talk Security, and here: Is there a Good, Free anti-virus with small footprint

Of course, I can play with security because of my extensive computing knowledge. I know well what I am doing and what's going on in the background (processes running, software installed, libraries used etc.), and also because of my particular situation, i.e. a single-user PC, dial-up modem connection etc. So I hope you can imagine that I can afford all this, and hopefully you also understand why it is so. Please don't try to take advantage of my un-patched system and hack me only to "punish" me for not using updates and to prove I am wrong. I know well that I can be hacked, but I am also convinced it's not worth all the bandwidth and reboots it would take to keep my system "up-to-date".




NOTE: From the site's update on 5.6.2006 onwards, this particular site will not be updated anymore. To be honest, I made a few additional modifications on 6.6., 7.6., 8.6., 9.6., and 16.6., further on 13.7., 23.7., 23.8., and 26.9. in 2006, and finally on 14.1. in 2007 (which was the absolutely last update), but that was all just fixing old errors and formatting, and no new content was added. Optionally see the last "events" entry on the page "events7.html" (it's a short related announcement), and the first entry on the "events8.html" page (it describes all this in great detail); however, the second one is located only on the "still-updated" site variants. Anyway, this notice applies to the Bravenet, Freehost386, Geocities and Greatnow free hosts (and from 14.1.2007 also the Atspace free host), so for the current variant with fresh content, please head to one of these two main sites: 50webs, Voljatel, which are, as mentioned, the only ones still being updated.




USEFUL SYSINTERNALS PROGRAMS



I consider myself some kind of "amateur computing professional", so believe me that I know very well what is currently running on my system (and also which programs I usually use and which processes they run as), what programs and components are installed on my system, what is set to run at system startup etc. First, I would like to mention the APT program (APT means "Advanced Process Termination"): http://www.diamondcs.com.au/downloads/apt.zip, which enables you to terminate a running process with no less than 9 different methods, and Asviewer: http://www.diamondcs.com.au/downloads/asviewer.zip, which is yet another "startup programs manager"; both programs are from the DiamondCS site: http://www.diamondcs.com.au (the authors of famous programs like TDS, Port Explorer, Wormguard etc.), also see here for other freeware programs: http://www.diamondcs.com.au/index.php?page=products. Then, as you might guess (because of numerous references), I use various monitoring tools from the Sysinternals site, written by Mark Russinovich, and all of them are "non-setups" (just an .exe file, the "form" I prefer); for example the most important of all the Sysinternals utilities, a Windows Task Manager replacement, Process Explorer: http://www.sysinternals.com/Utilities/ProcessExplorer.html. Oh, and if you want, check out the ** FAQ: Common ProcessExplorer Issues ** thread: http://www.sysinternals.com/Forum/forum_posts.asp?TID=4469&PN=1 that mentions me; it's below under the instructions for the Dependency Walker application, while my username on the Sysinternals forums is "Ivan". Well, there is another program called Autoruns: http://www.sysinternals.com/Utilities/Autoruns.html which displays several auto-starting locations and what programs are configured to run during system bootup or login, including the ones in a startup folder and various registry keys. It is also a totally crucial security-related program; however, it's not a monitoring program in the standard meaning. And finally, with the TCPView program: http://www.sysinternals.com/Utilities/TcpView.html I monitor established and non-established active TCP/UDP connections and their endpoints (IP or hostname), and optionally close the process which established a connection, or only close a single connection to some server via its line/entry in TCPView's UI. Each process usually has many open/established connections at the same time, so you can imagine what I mean. Regarding other Internet-related monitoring programs I also used (but not anymore), there are programs like TDImon: http://www.sysinternals.com/Utilities/TdiMon.html which monitors activity at the "Transport Driver Interface" level of networking operations in the operating system kernel, and Portmon: http://www.sysinternals.com/Utilities/Portmon.html which monitors and displays all serial and parallel port activity on a system. Regarding non-Internet-related monitoring programs I used (but also don't use anymore), there are programs like Tokenmon: http://www.sysinternals.com/Utilities/Tokenmon.html which monitors logon/logoff, enabling/disabling of privileges, impersonation, and process creation/exit, then DebugView: http://www.sysinternals.com/Utilities/DebugView.html which monitors debug output on a system, but especially useful ones are Regmon: http://www.sysinternals.com/Utilities/Regmon.html which monitors and displays registry activity on a system, and Filemon: http://www.sysinternals.com/Utilities/Filemon.html which monitors and displays file system activity. Not to mention Mark's command-line programs, although they are not so security-related, rather related to system maintenance in general.





ABOUT INFECTIONS AND CLEANING



Well, I must confess that I was in fact "infected" with the Bagle.AF worm back then (with an anti-virus program installed and running, but with its on-access protection/monitoring disabled), and it was certainly all because of me and my carelessness and not because of a lack of knowledge. It is that I often examine viruses/trojans for export functions, which libs they call etc. So this time I right-clicked on one of the files containing the trojan-horse (or worm) I had recently got by e-mail as usual (before moving it to my "collection of nasties" in the encrypted volume); however, this time I was too quick clicking it, and so I mistakenly chose "Open" instead of "View Dependencies" (to send it to Dependency Walker), or "SendTo" BinText, to send it to Foundstone's BinText application, i.e. to see the file's strings/contents. I've mentioned this program many times already (usually together with Enabler from Securitysoftware), but as far as I remember not yet in this thread that's dedicated to mentioning/listing such awesome programs. As mentioned, I am talking about Foundstone's file/binary viewer, which I use as an addition to the "Lister" that's built into the Total Commander file-manager. The Lister plugin is available also as a standalone win32 application, while for other cool related tools see the page "Addons". Here's a link to a screenshot of its interface, to give you a better idea: http://img199.imageshack.us/img199/1986/bintextwi4.gif. The best feature of this program (i.e. BinText) is that it filters out certain characters, so there is no need to search through a "mess" when viewing files (this is fully configurable), while additionally it displays "ANSI strings" separately with a green "A", "Unicode strings" (or double-byte ANSI) with a red "U", and "Resource strings" with a blue "R". Anyway, luckily I was running Sysinternals' Filemon and Regmon applications at that particular time, so I later simply reversed all the changes made by that worm/trojan-horse without any problem. I simply deleted the created Run registry key, and deleted the SYSXP.exe file that was created and executed as a process after the "infection" (noticeably slowing the system), and a few other related files. And even if I hadn't been running those programs, there is a common pattern of a few things that almost every malicious program does. In most cases, the file is executed and therefore visible running as a process, and second, this process usually creates a registry entry under the HKLM or HKCU branch, in one of the Run subkeys.

However, it is true that there are also others which are even more dangerous (as I've heard); for example some of them prevent, i.e. try to prevent, the user from accessing virus/spyware cleaning pages and similar, and some shut down anti-spyware related software when they are executed. And also, I've read of one even more dangerous and scary thing. Some viruses are supposed to change some pointer locations in the BIOS (or CMOS, I really forgot), so that after infection they refer to other registers. That could be pretty bad, and I was actually afraid that this had happened to me (see below). One more thing about this Bagle.AF worm "infection". Somehow at that time my C partition got screwed (the one containing XP's pagefile and the Windows 98/SE OS). The cause was that there was suddenly no file system on the C volume (partition), just a "raw" disk. I clearly saw that the data was still untouched. I was already thinking of finally low-level formatting the HD (as I had planned for a long time, because of other problems, like two bad sectors that were not solved by Windows FORMAT), but again, luckily, I didn't panic, and I first tested the drive with the HD manufacturer's PowerMax utility (for my Maxtor ATA-IDE hard-drive), and huh, it fixed the error. Because of PowerMax's warning displayed before fixing it, I was in doubt whether, if I tried, it would also screw all the other partitions, but all the errors were luckily fixed by the PowerMax utility, although I still don't know for sure what the actual reason for the C partition losing its file system was: the worm, or maybe something else.

And another "virus/worm/trojan story". I was once cleaning my friend's computer and discovered that he had a Dust.exe virus which integrated into the shell (it attached itself to Explorer), meaning that the virus had put a very obvious "/dust.exe" parameter into the "HKLM\...\Run" registry key, like this: Explorer.exe /dust.exe, in the form of three instances, i.e. three separate files in the C:\ root, C:\Windows\ and C:\Windows\System32\, 300 MB in length each, that he also had on his machine. I even noticed it with Autoruns from Sysinternals before "we" actually installed an antivirus program. Well, finally AVG permanently cleaned it. But while dealing with that virus, I discovered another nasty with TCPView. It was a running process with the image name bot.exe; a worm which was actually worse than a virus (see above), i.e. the thing was that if you terminated it, it was set to *somehow* restart itself; if you attempted to delete the file when the process had exited (i.e. was not running anymore; and I tried very "strong" methods, however, I forgot to use the "Suspend" method), you got that Windows warning: "you can't delete the file, it is used by another process..." (or something like that), so I just tried to delete the executable file of the process just before it restarted itself, and the third time I succeeded. This worm/trojan (or whatever) also used so many TCP endpoints (much more than normal port scanning) that I couldn't even read the IP and port to find out where it was connecting to. Yeah, I didn't remember at that time that I could use a command prompt and take only one current "snapshot", or simply log/stream the output into some file. Anyway, I got a lot of experience from this whole procedure.
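The command-prompt snapshot idea from the bot.exe story, worked through as an added example (not code from this page or from Sysinternals): it parses the text of "netstat -ano" and "tasklist /FO CSV" saved to files, counts the distinct remote endpoints per PID, and names the processes that open far more of them than a browser would. Both snapshots below are constructed; the PIDs, process names and the 198.51.100.x / 203.0.113.x addresses are made up.

```python
"""Find processes with an abnormal number of remote endpoints in a saved
`netstat -ano` snapshot, naming them from a saved `tasklist /FO CSV`."""
import csv
import io
from collections import defaultdict

# Constructed `netstat -ano` output in the Windows XP layout. PID 1932 is a
# made-up process that, like the worm described above, opens a flood of
# half-open connections (SYN_SENT) to many hosts at once.
_FLOOD = "\n".join(
    f"  TCP    192.168.1.5:{1062 + i}    198.51.100.{i + 1}:135    SYN_SENT    1932"
    for i in range(24)
)
NETSTAT_SNAPSHOT = f"""Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1054       64.233.167.99:80       ESTABLISHED     1240
  TCP    192.168.1.5:1055       64.233.167.104:80      ESTABLISHED     1240
  TCP    192.168.1.5:1056       64.233.167.99:80       TIME_WAIT       0
  TCP    192.168.1.5:1061       203.0.113.17:6667      ESTABLISHED     1932
{_FLOOD}
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist /FO CSV` output that maps PIDs back to image names.
TASKLIST_SNAPSHOT = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"firefox.exe","1240","Console","0","48,120 K"
"bot.exe","1932","Console","0","2,344 K"
'''


def parse_netstat(text):
    """Return one dict per connection line; titles and headers are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""  # UDP rows have no State column
        else:
            continue  # malformed row, ignore rather than crash mid-file
        conns.append({"proto": proto, "local": local, "remote": remote,
                      "state": state, "pid": int(pid)})
    return conns


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def endpoints_per_pid(conns):
    """Distinct remote endpoints and SYN_SENT count per PID."""
    summary = defaultdict(lambda: {"remote": set(), "syn_sent": 0})
    for c in conns:
        if c["remote"] == "*:*":
            continue  # unbound/listening UDP socket, there is no peer to count
        summary[c["pid"]]["remote"].add(c["remote"])
        if c["state"] == "SYN_SENT":
            summary[c["pid"]]["syn_sent"] += 1
    return summary


def flag_noisy_processes(netstat_text, tasklist_text, threshold=20):
    """(pid, image name, distinct endpoints, SYN_SENT count) for every PID
    with at least `threshold` distinct remote endpoints. PID 0 only marks
    sockets whose owner already exited (TIME_WAIT), so it is not reported."""
    names = parse_tasklist_csv(tasklist_text)
    summary = endpoints_per_pid(parse_netstat(netstat_text))
    flagged = []
    for pid, info in sorted(summary.items()):
        if pid != 0 and len(info["remote"]) >= threshold:
            flagged.append((pid, names.get(pid, "<not in tasklist>"),
                            len(info["remote"]), info["syn_sent"]))
    return flagged


if __name__ == "__main__":
    for pid, name, n, syn in flag_noisy_processes(NETSTAT_SNAPSHOT, TASKLIST_SNAPSHOT):
        print(f"PID {pid} ({name}): {n} distinct remote endpoints, {syn} half-open")
```

A process that keeps restarting itself changes PID between snapshots, so compare by image name across two saved snapshots rather than by PID alone.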





UNSORTED SECURITY PROGRAMS 1



In this section, I first need to mention the xp-AntiSpy program, a small "non-setup" application which eliminates many security risks, useless features built into Windows etc. If you prefer the "other" way, there is also a command-line version available; currently it is version 3.93, and you can get it here: http://www.xp-antispy.org. I also use two other security/performance settings "tweaking" programs, namely SafeXP: http://www.theorica.net/safexp.htm and GameXP: http://www.theorica.net/gamexp.htm from the Theorica site: http://www.theorica.net. Further, there are various security-related applications by Merijn, like the famous HijackThis, the crucial BugOff, then CWSShredder, StartupList etc. Here is Merijn's home site: http://www.spywareinfo.com/~merijn/downloads.html, and if this link is offline, then try here: http://209.133.47.12/~merijn/downloads.html. I also use a bunch of small, compact "non-setup" applications from Gibson Research Corporation, GRC for short. They "patch" various security holes, things that can be easily exploited, disable various potentially dangerous OS features and similar; for example one disables DCOM, another disables UPnP, another deals with "open" NetBIOS over TCP, then another with raw sockets etc. They are mostly 10-30 KB "non-setups", coded in assembler/assembly; the most important are XPdite, UnPnP, DCOMbobulator, NoShare, SocketLock, Shoot The Messenger etc. Here are a few GRC links. First GRC's main/intro site: http://grc.com, then GRC's main/default page: http://grc.com/default.htm, and the GRC page with its free popular applications listed: http://grc.com/freepopular.htm. And the best thing is that you only need to apply them once, and it's done until the next Windows installation (or until someone changes that setting, buried deep inside the registry). I do recommend them to everybody, ehm, even if there are folks out there that don't like Steve Gibson and his work. There is actually some sort of "community" out there, see here: http://grcsucks.com, where people are complaining about Steve's position on raw packets in Windows XP etc. The rest of the page describes other important applications I use; mainly they are listed and described separately, but there are also others that I don't describe at all, not even with basic descriptions like Merijn's and GRC's applications.

First, it is important to mention that I do use the famous JavaCool software application called SpywareBlaster, and I am 100% sure you should use it too. The program is a "spyware preventer" and not a "spyware cleaner", meaning that it keeps the dangerous stuff away from your computer. So you see, it doesn't scan and fix problems when malicious stuff (a file or data in the registry) already exists on one's computer, like the mentioned spyware cleaners do (for instance the well-known Ad-aware and Spybot S&D); but rather see a few paragraphs below on what I think about them. Instead it simply adds various dangerous sites to the Blocked Zone in Internet Options, and prevents dangerous cookies from becoming resident files on your hard-disk. Additionally it blocks ActiveX controls known for exploits with the so-called "kill-bits" (a character 0 - zero added into the ActiveX control's registry value) etc. It works with Internet Explorer, Mozilla 1.7 and higher, and Firefox 0.9, 1.0 and higher. Here is its homepage with other programs too: http://www.javacoolsoftware.com; however, this one requires an installation procedure.

I also started using Mozilla Firefox as my default browser (and Mozilla Thunderbird as my default e-mail client); one of the reasons for downloading it in the first place was that back then it was still available also in "non-setup" form (a zipped archive, no installation routine); however, that unfortunately changed, and personally I certainly don't like (actually I kind of hate it) that the Mozilla Foundation has discontinued .zip files for major releases. Optionally see for yourself the banal reason why they did it on chase's blog: http://weblogs.mozillazine.org/chase/archives/2005/03/wondering_why_t.html, then also check the related From the 1.0.2 release on, Thunderbird will NOT be available in zip package anymore thread I opened on Ars Technica forums: http://episteme.arstechnica.com/eve/ubb.x?a=tpc&s=50009562&f=99609816&m=742005342731&r=742005342731 and the other one titled Will be Thunderbird 1.0.2 available in .zip package ?? (also opened by me): http://forums.mozillazine.org/viewtopic.php?t=239047 on MozillaZine forums. Anyway, basically Firefox is much safer than Internet Explorer, because it doesn't use ActiveX controls (also called COM/DCOM components), OCXs, and in addition it even contains a popup-blocker, has powerful Java/JavaScript management etc. Here are Mozilla's main links: http://www.mozilla.org, and http://update.mozilla.org, then particularly Mozilla Firefox's link: http://www.mozilla.org/products/firefox, and finally Mozilla Thunderbird's link: http://www.mozilla.org/products/thunderbird. For details on the discontinued .zip packages and the pretty banal reason behind it, please see my events page; the related entry/article is dated 23.3.2005.

And as almost the most important thing (at the time of writing this), I am using ZoneAlarm Pro 4.0.146.029 as my firewall. Check the main ZoneLabs site here: http://zonelabs.com, and also see the release history of ZoneAlarm here: http://download.zonelabs.com/bin/free/information/zap/releaseHistory.html. For me, this is the best release/version ever, and surely one of the last non-bloated, "resources friendly" ones. Check the Why ZoneAlarm sucks vs. why ZoneAlarm doesn't suck ?? thread here: http://episteme.arstechnica.com/eve/ubb.x?a=tpc&s=50009562&f=99609816&m=946004849631&r=946004849631, which I opened about the pros and cons of ZoneAlarm as a personal home-user firewall solution compared to other firewalls. It is pretty simple: ZoneAlarm firewall's Java/ActiveX protection, cookie, mobile code, MIME and ads control, and other protection prevents all the undesired things that can happen. Note that I wrote "at the time of writing this" at the beginning of this paragraph; this is because lately I don't use any third-party firewall programs anymore. I got used to sticking to Windows XP SP2's built-in one; it's simply enough for my dial-up connection, and outbound filtering is just plain stupid.

My humble opinion on Ad-aware 6, Spybot S&D and similar spyware "cleaning" programs (with all respect to their authors): I used both mentioned (and, huh, previously installed) programs for occasional scanning on my previous Windows installations, and it is true they are both good and trustworthy programs, but I actually do not use them anymore (at least I haven't installed them yet on this Windows installation), simply BECAUSE IN THE END, THEY DIDN'T FIND ANYTHING for almost A YEAR, except a few "spyware cookies", and I can simply delete those manually. You see, I certainly got bored of scanning the machine and nothing ever being discovered. Also I do not like all this "paranoia" that's around hijackers, spyware, scumware, crapware, or whatever paranoids want to call them. And about all those anti-spyware programs that are not "cleaning-oriented" like the already mentioned Ad-aware or Spybot S&D, but "real-time" oriented (monitoring program execution and other file-access actions), like for instance Spysweeper or SpywareGuard, both of which I used and ran for some period in the past: they are completely useless, at least in my case. As mentioned, I ran Spysweeper in the past (because of its real-time monitoring thing), also SpywareGuard and all, but in the end (running for more than a few months), I noticed that in all that time they didn't prevent ANYTHING AT ALL. But why?? Because Spysweeper is not needed at all, since both my firewall (cookie filtering) and my anti-virus (worm/trojan execution) already have that kind of protection built in, while the other program, SpywareGuard, is also not needed, because of the anti-virus protection (worm/trojan execution).





UNSORTED SECURITY PROGRAMS 2



Further, not so long ago I discovered this amazing Naoko Proxomitron software-proxy application; you can download the .exe installer or .zip package here: http://www.proxomitron.info, or http://www.proxomitron.info/files/index.shtml, or http://www.oocities.org/srl_list/index.html (guess what, it's a FREEWARE "non-setup" program), as I was suggested to do on some forum. The last 4.5-j release is just something completely "revolutionary" for me, for various reasons. It actually looks like more "low-level oriented" software, but it doesn't even use drivers or anything, just one zlib.dll library as a part of the program, of course beside the two for SSL. I can already say that the Proxomitron program in particular, and the "proxy principle" in general, just ROCKS. Sadly enough, the author of this amazing program passed away this year (May, 2004), and therefore software development is finished, though filters (the "core" of the proxy) are still updated regularly. Like in the case of alternative shells, I just can't understand what I was missing all this time; it is a whole new world for me. To put it into perspective: Naoko Proxomitron is FREE, non-setup (no installation required, all required files are in one .zip file, you just extract it somewhere and set the proxy settings under Control Panel -- Internet Options -- Connections), and yeah, all this time I thought that a proxy is something you need to purchase (software, or maybe even some special "proxy hardware", like in the case of a router), make some agreement with some domain to be connected through their IP etc. But most importantly, I thought it was only available for cable, LAN, or whatever high-speed connections (with a static IP), and not for analog telephone dial-up modem connections, as with my 56K Win Lucent Modem adapter, but NONE of this is true.

I don't know about you, but as a dial-up user myself, for better security I use the DNSKong program: http://www.pyrenean.com/?page_value=-1, a personal caching/filtering pseudo-DNS server application. It's about those few potentially dangerous sites that I *might* visit, and also for a faster web experience (i.e. to avoid loading all the potentially dangerous banner ads and other similar "threats"). See the "events1.html" page (the event on 30.3.2005). Further, click on this link to read the article (it's a kind of review) that I wrote for Wikipedia regarding the DNSKong program: http://en.wikipedia.org/wiki/DNSKong, then go to DNSKong's home site and look there for a link to the pre-set filters packed in the file "taygas.zip"; the link is somewhere on the main site. Also see this site for good information and an introduction to the DNSKong program: http://accs-net.com/hosts/DNSKong.html. Anyway, it is quite similar to hosts-file blocking, with a few awesome advantages. The main principle is pretty simple: you have two basic configuration files, named.txt and pass.txt; while the named.txt file contains all the bad stuff, I think pass.txt has a self-explanatory name. There is also another file called presets.txt, and this one is the same as a common hosts file, i.e. it contains the right/resolved IPs for the respective host-names. To be able to use DNSKong to resolve DNS requests, you need to have the Windows "DNS Client" service disabled and set the "Default and Alternate DNS Server" settings in Internet Options under Control Panel. DNSKong in fact offers to do this automatically in its IP Info configuration dialog (options/checkboxes to "Set DNSKong Server IP on Start" and/or "Unset DNSKong Server IP on Stop"), compared to manually setting it in Internet Options as mentioned above. Further, DNSKong's serving of name requests can be conveniently started/stopped with the options in its tray menu. The Stop option prevents DNSKong from serving any name requests and releases the storage used for the named.txt and pass.txt filter entries (however, this option does not close the DNSKong program and is useful if you want to temporarily stop using DNSKong), while applications may continue to obtain domain names from other DNS IPs configured in your network properties or through a DHCP server. It is possible to configure your system to prevent any other DNS server from being active unless it is a DNSKong proxy. If you do use a hosts file already, then you might try the mentioned eDexter program and its "Auto Pac" feature. Oh and yes, DNSKong also supports filtering by string only (only a part of the full host-name), so for instance to block all the doubleclick servers, full host-names are not needed; you can enter only the word doubleclick, or to block all the servers containing the words ad or ads, you would enter them in named.txt, and pass.txt works in the same manner. Finally, two more things; first, DNSKong uses an internal memory structure for the cache and filters (the presets are also stored in the same list), and the cache is cleared each time you stop and start DNSKong. As the author wrote in one of his friendly responses to my questions: "think of the memory structure as a list of domain names along with the IP, Dnskong looks up the name in the list and then uses the stored value for resolution although it is a bit more complicated than that."; and second, DNSKong also supports the so-called Proxy DNS feature: you can choose up to five preferred DNS servers (your ISP's name server IPs), and DNSKong will send your domain requests to each proxied IP and use the first successful response. Also, there are two "modes" or "ways of usage" that are the most commonly used. One mode is to "block all" traffic (by adding .com, .net, .org etc. into the named.txt file), except for those few sites that you visit on a day-to-day basis and have added to the pass.txt file. The other mode is to "pass all", except for those malicious strings/host-names that you've added to the named.txt file. Optionally also look for eDexter from the same author, which is used to replace the empty boxes that occur if you use the hosts file to block host-names. For its page, check this link: http://www.pyrenean.com/?page_value=-2, and same as above, for the introduction this one: http://accs-net.com/hosts/eDexter.html; they are both security-related programs, both running as local-only HTTP servers, and both are available also in "no-setup" form.
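The named.txt/pass.txt/presets.txt logic, the two usage modes and the Proxy DNS fallback described above, modelled in Python as an added example (not DNSKong's own code; the order in which DNSKong really applies its checks, the 192.0.2.x addresses, the stand-in upstream servers and the choice of 127.0.0.1 as the answer for blocked names are all assumptions made here). It also shows the substring caveat: the entry "ad" blocks download.example.net unless pass.txt lets it through.

```python
"""Model of a DNSKong-style filtering resolver: presets.txt acts like a hosts
file, named.txt holds blocked substrings, pass.txt holds allowed substrings,
proxy DNS tries up to five upstreams (first success wins), and Stop drops
the in-memory cache. Added example, not DNSKong's code."""

# Assumption: a blocked name answers with localhost, where a local-only HTTP
# server such as eDexter would hand the browser an empty image.
BLOCK_IP = "127.0.0.1"


def parse_list(text):
    """named.txt / pass.txt as modelled here: one substring per line,
    blank lines and '#' comments ignored, matching is case-insensitive."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def parse_presets(text):
    """presets.txt modelled with the hosts-file layout: IP, then names."""
    table = {}
    for ln in text.splitlines():
        ln = ln.split("#", 1)[0].strip()
        if not ln:
            continue
        ip, *names = ln.split()
        for n in names:
            table[n.lower()] = ip
    return table


class DictUpstream:
    """Constructed stand-in for an ISP name server; None means no answer."""
    def __init__(self, table):
        self.table, self.calls = table, 0

    def __call__(self, name):
        self.calls += 1
        return self.table.get(name)


class FilteringResolver:
    def __init__(self, named, passed, presets, upstreams):
        self.named, self.passed, self.presets = named, passed, presets
        self.upstreams = upstreams[:5]  # up to five proxied servers
        self.cache = {}

    @staticmethod
    def _matches(name, patterns):
        return any(p in name for p in patterns)  # substring, not label, match

    def resolve(self, name):
        name = name.lower().rstrip(".")
        if name in self.presets:            # presets win, like a hosts file
            return self.presets[name]
        if name in self.cache:
            return self.cache[name]
        # pass.txt is checked first so that block-all mode (".com" in
        # named.txt) can still let the few hand-picked sites through
        if not self._matches(name, self.passed) and self._matches(name, self.named):
            return BLOCK_IP
        for upstream in self.upstreams:     # proxy DNS: first answer wins
            ip = upstream(name)
            if ip is not None:
                self.cache[name] = ip
                return ip
        return None                         # every upstream failed

    def stop(self):
        self.cache.clear()                  # Stop releases the cached entries


PRESETS = "127.0.0.1 localhost\n192.0.2.10 www.example.com  # constructed\n"
UPSTREAM_TABLE = {"download.mozilla.org": "192.0.2.20",   # constructed answers
                  "news.example.com": "192.0.2.30",
                  "www.unknown-site.net": "192.0.2.40"}


def build_pass_all():
    """Pass-all mode: only names containing a named.txt string are blocked."""
    return FilteringResolver(parse_list("doubleclick\nad\n"), parse_list("mozilla\n"),
                             parse_presets(PRESETS),
                             [DictUpstream({}), DictUpstream(UPSTREAM_TABLE)])


def build_block_all():
    """Block-all mode: every .com/.net/.org is blocked unless pass.txt matches."""
    return FilteringResolver(parse_list(".com\n.net\n.org\n"),
                             parse_list("mozilla.org\nexample.com\n"),
                             parse_presets(PRESETS),
                             [DictUpstream({}), DictUpstream(UPSTREAM_TABLE)])


if __name__ == "__main__":
    r = build_pass_all()
    for host in ("ad.doubleclick.net", "download.mozilla.org",
                 "download.example.net", "www.example.com"):
        print(f"pass-all  {host:24} -> {r.resolve(host)}")
    r = build_block_all()
    for host in ("www.unknown-site.net", "news.example.com", "download.mozilla.org"):
        print(f"block-all {host:24} -> {r.resolve(host)}")
```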





ABOUT ANTI-VIRUS PROGRAMS



As far as anti-virus software goes, rather see the Pros and Cons of anti-virus software thread on Ars Technica forums (for other related threads, see here: http://users.volja.net/tayiper/script/collection.html): http://episteme.arstechnica.com/eve/ubb.x?a=tpc&s=50009562&f=99609816&m=936004638631. You could use any of the three well-known and trusted anti-virus programs beginning with the letter "A" (AntiVir, Avast! or AVG); however, for my needs and computing principles, AntiVir is by far the best of these three. It's a FREEWARE and more and more popular and trusted anti-virus program from the H+BEDV company, located somewhere in Germany, Europe; to download the installation package and to get more information, you may check this site (the main/official program site): http://www.free-av.com, which in the end turned out to be the best for my personal needs. My story with anti-virus programs goes like this. First I used EZ eTrust 6.1.7.0, a SHAREWARE anti-virus program from Computer Associates, for quite some time, but later I discovered that this particular 6.1.7.0 version of the EZ eTrust anti-virus program, and probably its driver-level protection, was causing an annoying FILE_SYSTEM BSOD on every shutdown/reboot/logon/logoff (see the paragraph below for details). Of course, I first blamed other software, and it drove me to countless installations/un-installations, modifications, tests, reboots etc., before I realised it was EZ eTrust's fault. So I first switched to the FREEWARE version of AVG 6, but it was just at the time of upgrading the program to version 7, and then I somehow didn't like this new AVG 7 version's interface. Therefore I switched once more and started using the Personal Edition of the AntiVir program.

Now I just couldn't live without its three crucial features listed below (again, at least crucial for me personally):

1. The "Filters" feature, which enables you to exclude up-to 12 processes from real-time scanning/protection. I think that this one doesn't require further explanation on why it is useful.

2. The "Write / Read only", i.e. an option for its real-time scanning that enables you to monitor only file-write or only file-read file-system operations (of course; or both)

3. The "Activate/Deactivate" feature through the system-tray icon; compare to for instance first invogking the GUI and then un-checking all the real-time scanning options in AVG. Generally I disable the real-time protection when I am offline (quite often as a dial-up user), before defragmenting hard-disk, before software installations, driver-updates and all the similar "low-level" procedures.

4. The "Scheduler" feature, another awesome AntiVir feature that is not only an "internal one" (updating its virus-definitions), but actually works as a "full Windows scheduler", i.e. it is capable of executing arbitrary programs.

In regard to which programs to exclude from the on-access/real-time protection (i.e. to exclude them from the on-access scanner driver's filtering of file-system operations): I exclude processes of those programs which I know are not "affected" by viruses under normal circumstances; for instance the DNSKong program (a caching, filtering and blocking "local-only" DNS server; for details see the pages "software.html" and "security.html"), the Folding@Home related processes, and AntiVir's own updating-feature process are a few programs/processes of this "type". Further, I exclude programs for which the above is true (i.e. they're not "affected" by viruses) and which I additionally know write to files a lot (so they put some stress on AntiVir's kernel-mode filtering driver); for instance again the DNSKong program, which constantly writes to its "dnskong.log.txt" log-file and to its "presets.txt" config file (IPs resolved to host-names), and similarly the Folding@Home "core" processes etc.

Here is the complete list from my "Avwin.ini" file (I split it because of the width, so that it wouldn't ruin the page's layout):

"OnAccessExcludeProcessNames=blackbox.exe,Contig.exe,DNSKong.exe

FahCore_65.exe,FahCore_78.exe,FahCore_82.exe,Inetupd.exe,slsk.exe,Sync.exe,thunderbird.exe,totalcmd.exe,WGET.EXE,"

As for my p2p application Soulseek (the "slsk.exe" process), with which I only download very huge multimedia files, i.e. .mp3s, .avis and .mpgs, and for the WackGet program ("WGET.EXE" is a WackGet sub-process, beside the main WackGet.exe one), with which I download only setup files of known programs (my favorite ones) and occasionally .pdfs, and for other programs too: I could simply scan those files with an on-demand scanner (I wrote "could" because I don't), and also I am not as paranoid as I was, which is of great significance here.
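To make the effect of such an exclusion list concrete, here is an added example (not code from the page, nor from H+BEDV or AntiVir) that parses an "OnAccessExcludeProcessNames=" line, simulates the on-access decision for a few constructed file events under the "Write / Read only" modes described above, and lists the files that were written without ever being scanned, i.e. exactly the downloads the text says "could" be swept with an on-demand scanner. Assumptions not stated on the page: the key is matched as a plain key=value line, process names are compared case-insensitively (the list mixes "DNSKong.exe" and "WGET.EXE"), and the scan modes are named "read", "write" and "both".

```python
from dataclasses import dataclass

# Constructed Avwin.ini fragment (the page shows this value split over two
# lines for page width; in the real file it is one key=value line).
SAMPLE_AVWIN_INI = """\
OnAccessExcludeProcessNames=blackbox.exe,Contig.exe,DNSKong.exe,FahCore_65.exe,FahCore_78.exe,FahCore_82.exe,Inetupd.exe,slsk.exe,Sync.exe,thunderbird.exe,totalcmd.exe,WGET.EXE,
"""


def parse_exclusions(ini_text, key="OnAccessExcludeProcessNames"):
    """Return the excluded process image names, lower-cased for comparison.

    Assumption: matching is case-insensitive and the value is a plain
    comma-separated list (a trailing comma yields an empty entry, dropped).
    """
    for line in ini_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return {n.strip().lower() for n in value.split(",") if n.strip()}
    return set()


@dataclass(frozen=True)
class FileEvent:
    """One file-system operation as an on-access filter driver would see it."""
    process: str  # image name of the process doing the operation
    path: str     # file being touched
    op: str       # "read" or "write"


def would_scan(event, exclusions, mode="both"):
    """Simulate the on-access decision the page describes: a file touched by an
    excluded process is never scanned; otherwise the operation must match the
    configured scan mode ("read", "write" or "both")."""
    if event.op not in ("read", "write"):
        raise ValueError(f"unknown operation {event.op!r}")
    if mode not in ("read", "write", "both"):
        raise ValueError(f"unknown scan mode {mode!r}")
    if event.process.lower() in exclusions:
        return False
    return mode == "both" or mode == event.op


def unscanned_writes(events, exclusions, mode="both"):
    """Paths that were written without an on-access scan. This is the set an
    on-demand scan should cover, because nothing else ever looked at it."""
    return sorted({e.path for e in events
                   if e.op == "write" and not would_scan(e, exclusions, mode)})


# Constructed sample events, modelled on the programs named on the page.
SAMPLE_EVENTS = [
    FileEvent("DNSKong.exe", r"D:\DNSKong\dnskong.log.txt", "write"),
    FileEvent("slsk.exe", r"D:\Downloads\song.mp3", "write"),
    FileEvent("WGET.EXE", r"D:\Downloads\setup.exe", "write"),
    FileEvent("explorer.exe", r"D:\Downloads\setup.exe", "read"),
    FileEvent("notepad.exe", r"D:\notes.txt", "read"),
]

if __name__ == "__main__":
    excluded = parse_exclusions(SAMPLE_AVWIN_INI)
    for ev in SAMPLE_EVENTS:
        print(f"{ev.process:14} {ev.op:5} {ev.path:32} "
              f"scanned={would_scan(ev, excluded)}")
    print("never scanned on write:", unscanned_writes(SAMPLE_EVENTS, excluded))
```

Note that the read by explorer.exe of setup.exe is still scanned in "both" or "read" mode, so an excluded downloader's files are caught the moment a non-excluded process opens them; in "write" mode that second chance disappears, which is why the list returned by unscanned_writes is the one to feed an on-demand scan.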

So now I have used it for more than half a year, and I have no complaints at all. In fact I've never got any BSOD since running it, and there were various "stressful" situations where I might have expected one. Its VDF files (virus definitions/signature patterns) are updated on an almost daily basis, and the best thing is that the other program files (like the scan-engine library, shell-extension libraries and main-program files) are also updated/patched by this online procedure, so you don't need to download the full package too often. AntiVir is simply the best anti-virus program for my personal needs. If anyone is interested, I wrote a more "extended" review about AntiVir titled "AntiVir PE Review" for the CastleCops site (a shorter one): http://castlecops.com/reviews-241.html, and a second one for The Geek Culture forums titled "Review: H+BEDV AntiVir program" (a longer one): http://www.geekculture.com/cgi-bin/ultimatebb/ultimatebb.cgi?ubb=get_topic&f=8&t=000635.


/UPDATE: As I wrote in the Top Antiviirus Start Of 2006 thread on Ars Technica: http://episteme.arstechnica.com/groupee/forums/a/tpc/f/99609816/m/614003567731, where I linked the A note on why I don't use AntiVir anymore thread that I've opened on the CastleCops forums: http://castlecops.com/t146389-A_note_on_why_I_dont_use_AntiVir_anymore.html, I started using the Avast anti-virus program instead of the AntiVir one. However, I can already say that it's definitely MUCH more resource-unfriendly (of course, this applies only to "On-Access Protection") than AntiVir, which I used before for quite some time. For example, opening my most used files like various .doc and .html documents (even .txt ones) takes up to two seconds more than previously with AntiVir running as the resident anti-virus software. It's of course the same when launching .exes, and there are many other similar cases; for example, opening a "Process Properties" sub-window in Sysinternals Process Explorer causes various Windows system files to be checked by Avast's main service "ashServ.exe" process (I assume this is its "Standard Shield" provider's fault). Additionally, I also noticed that Avast is MUCH more unfriendly to the hard-disk, i.e. again, compared to the AntiVir program, it writes and reads stuff into/from various files, namely into/from its own configuration and various database files, as well as Windows system files. I also discovered that it causes the "svchost.exe" process (the one hosting the RPC service) to constantly write "something" into the files (namely "OBJECTS.DATA", "OBJECTS.MAP", "INDEX.MAP", "INDEX.BTR", "MAPPING2.MAP" etc.) located under the "D:\WINDOWS\system32\wbem\Repository\FS" directory. I clearly see all this hard-disk related stuff with the Filemon program from Sysinternals; also see these two posts (i.e. the links point directly to the posts), one in the Best NON-OBTRUSIVE antivirus software thread: http://episteme.arstechnica.com/eve/forums/a/tpc/f/99609816/m/720006558731/r/942005858731#942005858731, and the other in the best antivirus for XP? thread: http://episteme.arstechnica.com/eve/forums/a/tpc/f/99609816/m/698009867731/r/881009377731#881009377731, both on the Ars Technica forum. And also, as I wrote in the Avast and excluding processes/paths thread on Avast's official forum: http://forum.avast.com/index.php?topic=19808.0, I have been thinking about something for a long time. The thing is that I've started using the free variant of the Avast anti-virus program instead of the also free AntiVir PE; however, AntiVir had a feature that was crucial to me, i.e. an "Exclude processes" option (called "Filters"), which you use to exclude a process so that any files it reads from/writes into are not scanned by the real-time/on-access protection engine. You see, that way I was able to exclude the Buzzsaw program that I use to defragment my D:\ partition "on-the-fly". Excluding a set of paths doesn't help in this case, since this program monitors/defragments the whole D:\ partition, and so it's almost impossible to predict which separate paths to exclude under Standard Shield's settings; and even if I could, those directories would then be vulnerable to viruses. So my "mission" is to achieve at least similar results with Avast; of course, if it is possible at all.

But why switch in the first place? As mentioned, I previously used the SHAREWARE Computer Associates EZ eTrust anti-virus 6.1.7.0 (see this site here: http://www.my-etrust.com), the one that suited me the best for a long time. It basically offers scanning with "on-access", also called "real-time", protection (opening, closing, even only browsing through a directory which contains a worm), and also includes normal scanning, also called "on-demand" scanning, i.e. scanning of drives, like Ad-aware or Spybot S & D, not the real-time kind; it includes boot-sector scanning, heuristic scanning etc. It was all because I found out that this particular 6.1.7.0 version of the EZ eTrust anti-virus (which drove me to so many modifications, tests, reboots etc.) was causing that damn FILE_SYSTEM BSOD on every shutdown/reboot (and usually not when logging off, but sometimes also...), after the "Saving your settings" message, and also a few seconds after the "Windows is shutting down" popup window appears, at least on my computer, which is set to "classical logon". First I thought it was the hard-disk, IDE or some other device causing the error. And I especially speculated at that time that it was probably a hard-disk related problem causing it in the end, particularly the bad clusters on my D:\ partition. Then I also thought it was some software conflicting or interfering with it, and I actually "blamed" (and un-installed) so many other "low-level" applications that were using/installing drivers, and similar (apparently non-problematic in the end), but as mentioned, I was wrong. It didn't stop appearing. But then, after I un-installed the Computer Associates EZ eTrust anti-virus, it stopped appearing immediately, and I haven't seen it ever since. It was a really big mystery anyway all that time. Though it is true that CA EZ eTrust anti-virus, which I was using for the past few years, is pretty strong anti-virus software. It's actually enough to browse through some directory that contains a virus, trojan or worm, and it catches it (alerts me, because I've always set it to deny access, and not to clean/disinfect or delete it automatically), so you see, there is no need for actual execution of that particular malicious file. And in the end, I must mention that I am actually seriously considering not using any anti-virus software at all, since the "great" development of my knowledge. It is because I haven't got any virus, trojan or worm (except those I saved from e-mail attachments to an encrypted directory as a "personal archive"), or whatever malware thing, in all the time using my computer. And seriously, who would want and dare to attack me, a dial-up home user?

Disclaimer 1: The opinions expressed at my web site and in my files are mine, or belong to other individuals/entities where so specified. Each product or service is the trademark of their respective company. All the registered copyrights and trademarks (© and ™) referred in this site retain the property of their respective owners. All information is provided as opinions only. Please, also see the "Disclaimer 2" on the page "about.html".

All the pages on this site are labeled with the ICRA label.
The site is maintained solely by its author and is best viewed with a standards-compliant browser.

This thing on the left is a simple Altavista BabelFish translation script; for details see: http://babelfish.altavista.com. To make it work, click on the respective flag and translate the current page from its native English language to the chosen one, while for another similar script (which translates optional text) also check the page "various.html".

And the thing on the right is yet another Bravenet affiliate banner, while here are various affiliate/referral links to other such accounts or services where I am a member: Senserely Referral Link, writingUp Referring Link, Spread Firefox Affiliate Link, TrafficSwarm Referral URL, Bravenet Affiliate Link, FreeViral Affiliate Link, Hits2u Affiliate Link, Ax.wbasi Referral Link.
