Training
Find Training
Manage My Learning
Training Options
Browse by Subject
Guide My Training
Certifications
Certification Overview
Browse by Subject
Browse by Name
Find an Exam
Prepare for an Exam
Register for an Exam
Books
Books Overview
New and Upcoming
Find Books
Where to Buy
Special Offers
What's New
Community
Learning Community
Member Sites
Worldwide Sites
Help and Support




 
Faster Smarter Internet
Author Kathy Ivens
Pages 304
Disk N/A
Level Beginner
Published 11/13/2002
ISBN 9780735618596
ISBN-10 0-7356-1859-3
Price(USD) $19.99
To see this book's discounted price, select a reseller below.
 

More Information

About the Book
Table of Contents
Sample Chapter
Index
Related Series
About the Author

Support: Book & CD

Rate this book
Barnes Noble Amazon Quantum Books

 

Chapter 3: Protecting Your Computer from Invaders

Chapter 3   Protecting Your Computer from Invaders

Here's a formula you should memorize: The Internet = Security Problems. Just like the formulas you learned in school, this one is absolute and unconditional. If you don't protect your computer from the dangers out there on the Internet, I guarantee you'll suffer dire consequences. You must, absolutely must, guard your computer against the following types of Internet security problems:

  • Direct attacks on your computer, over the Internet, which you fight with a firewall

  • Computer viruses, which you fend off with antivirus software

In this chapter I'll discuss both of these menaces, along with the techniques you can use to protect yourself from them.

Barricade Your Computer with a Firewall

When you're on the Internet, your computer has an Internet IP address that is a swinging door between you and all the other computers on the Internet. Data communication packets flow through that door in both directions. It's possible that a malicious hacker can access your computer through that IP address doorway, unless you've prevented that with a firewall.

Although you might have created what you think is an adequate security blockade (perhaps by using passwords to keep intruders out of certain folders or files), once an intruder has access to your computer it's not terribly difficult to break through that puny barricade. Unfortunately, malicious hackers have plenty of tools to assist them in their foul work, and software programs that can reveal passwords are available on the Internet in abundant supply.

What's an Internet Attack?

Internet intruders work by selecting an Internet IP address and then trying to connect to that IP address. Most of the time these evildoers don't head for a specific target; they don't choose you because somebody told them you have a secret map to buried treasure in a file on your hard disk drive. Instead, intruders usually use software that randomly selects an IP address and automatically attempts to access the computer linked to that address.

If the attempt fails, the software moves on to the next IP address. If the attempt succeeds, the intruders have full access to your computer and its contents. You almost certainly won't know that anything is going on, even if you're working at the computer, because all of this occurs in the background without interfering with anything you're doing. Following are some of the common nefarious actions performed by intruders:

  • Send executable files containing viruses to your computer

  • Rename or remove the files that run at startup and are needed to accomplish tasks in software

  • Copy your documents back to their own systems, hoping for personal and sensitive information they can use in some dreadful way

  • Send benign files, enormous in size, or massive numbers of small files, just for the "fun" of filling up your drive

There's more, but you get the idea. Your first line of defense is to block your computer with a firewall.

How a Firewall Works

If you consult a dictionary, you'll find an entry similar to the following for the phrase "fire wall" (every dictionary I own uses two words, not one): A wall made of fireproof material that prevents the spread of a fire from one part of a building to another. Although this definition doesn't provide an exact match with the way firewalls work in computing, if we take a broader view of the definition we can force a fit: A firewall is a device that limits the damage inflicted by an existing menace.

A computer firewall, which can be either software or hardware, works by blockading your computer against intruders on the Internet and preventing the unauthorized exchange of dangerous data. In order to perform this task, the firewall examines every packet of data that moves in and out of your computer.

Understanding Data Packets

The Internet uses a communications protocol called TCP/IP (Transmission Control Protocol/Internet Protocol). TCP/IP has two layers: TCP (the higher layer) and IP (the lower layer).

LINGO

The word protocol means a set of rules that participants (in this case, computers) agree to when they communicate. The easiest way to think about a protocol is to substitute the word "language."

The TCP layer takes on the task of breaking data transmissions into small, manageable packets of information. The sending computer disassembles the original data into these packets, and each packet is sent to the target computer (the recipient). The advantage of a small packet is that as each packet is sent, it can be easily tracked and, if there's a problem, it can be re-sent.

The travel route for each packet is not necessarily the same, so some packets may hop across one set of servers, and other packets may use a different set of servers. In the end, when all the packets arrive at their destination, the TCP layer at the receiving computer reassembles the packets, putting all the data in the right order.

The IP layer tracks the IP addresses involved in the data transmission in order to make sure that each packet gets to the right destination. This means that even if some of the individual packets are routed through different Internet servers, all of the packets land at the correct recipient because the IP layer can see the recipient's IP address. If a packet is damaged or gets lost on the Internet, the IP layer can see the sender's IP address and request a resend of that packet. Because the IP layer has access to the sender and receiver addresses, it can track packet travel from beginning to end.

A firewall looks at every packet passing in and out of your computer. It checks the data in the lower layer (IP) to determine whether or not to pass the packet along. If an unapproved IP address appears, the firewall takes action. An unapproved IP address is one that you haven't specifically approved for incoming or outgoing data packets during your configuration of the firewall software. Depending on the way you've configured the options, your firewall will either display a pop-up message asking whether to move the packet on, or it will just stop the data transmission in its tracks.

If your computer is the sender, most firewalls will ask if it's OK to pass the data packet on to the recipient. This prevents intruders from copying files from your computer while letting you say OK to data that's being sent because you want to pass it to an Internet server. The firewall tells you the name of the program that wants to send the data, so if you see tracert as the program, and you've just entered the tracert command in the command window, you know it's OK. On the other hand, if the program name section of the pop-up says UNKNOWN, you don't want to let it pass through the firewall.

If your computer is the recipient, most firewalls just stop the data packet, although you can configure the firewall to pop up a message asking if you want to receive data from IP address aaa.bbb.ccc.ddd. Most of the time you won't recognize the IP address, so saying OK is a big risk. It's usually safe to assume that the IP address has no business (except dirty business) sending you data. After all, you've already configured the IP addresses you are willing to trust (the IP addresses connected to your network, if you have one, and your Internet service provider [ISP]).

Understanding Data Ports

Computers send and receive data through ports. You already know about ports, because you've probably connected a printer to a parallel port, or attached a modem or a handheld device to a serial port or a universal serial bus (USB) port. However, in addition to these physical ports, your computer has a great many virtual ports. A virtual port isn't visible because it exists as a software service rather than a physical connector on the computer. However, just like a physical port, a virtual port accepts and sends data.

Many processes use ports to communicate, and most types of communication are programmed to use specific ports. Ports are numbered from 0 to 65536, and ports between 0 and 1024 are reserved for use by certain services. For example, Hypertext Transfer Protocol, or HTTP (the protocol you use when interacting with a Web page), usually uses port 80. Ports work by "listening" for data and will usually automatically accept data if it's the right type of data for that port.

Internet hackers use ports to fetch and send data between their computers and your computer. In fact, a great deal of software is available to aid hackers who are specifically testing whether a port on a remote computer is vulnerable. Some of the software is very specific, testing only certain ports (by pretending to be sending data of a type supported by that port). This hacking technique is called port scanning, and it's the most popular method of testing whether a computer is vulnerable to attack. Internet vandals scan the ports on computers and determine the services that are currently listening for connections and the specific ports they are listening on. Then, their hacking software uses that information to develop an attack strategy, masquerading the data stream to resemble the appropriate type of service for the listening port.

LINGO

A port that is listening is, in effect, an open port, willing to accept data. If it weren't willing to accept data, it wouldn't be listening.

Firewalls examine the ports to see whether data of a certain type is using the normal port for that type. This process, called stateful inspection, checks the actual data passing through ports to catch data packets that identify themselves as being appropriate for the port, but, when the packets are examined, the firewall discovers they're faking the data type, because the data itself doesn't match the type it pretends to be.

Software Firewalls

A number of software firewall programs are available, with a wide selection of features and price tags. If you're running Microsoft Windows XP, you have a firewall built in to the operating system. I'm not going to recommend a particular third-party program, but I will offer an overview of a couple of very popular firewall applications: ZoneAlarm and BlackIce, in addition to the Windows XP firewall. Because configuration options differ among firewalls, and also because the way you configure those options impacts not only your protection, but also whether or not some of your software works properly, I'll discuss each of these firewall products with a generous amount of detail.

Windows XP Internet Connection Firewall

Windows XP has a built-in firewall, Internet Connection Firewall (ICF), which is available in both Windows XP Professional and Windows XP Home Edition. ICF lacks some of the sophisticated features of third-party firewall applications, but the price is right, and you don't have to perform any complicated installation or configuration chores.

ICF Limitations

One limitation of ICF is the fact that it monitors only incoming data packets. Although this eliminates the majority of damage from Internet-based miscreants, it doesn't prevent your computer from sending packets of data out. Some viruses are programmed to send data from your computer to the virus originator, and ICF won't prevent that. However, if you have antivirus protection on your computer (discussed later in this chapter), that danger is diminished.

Another flaw in ICF is the inability to configure the software to permit data traffic from certain IP addresses, although you can configure it to permit data traffic for certain services and processes (see "Letting Selected Services Through the Firewall" later in this section). However, you'll only notice this shortcoming if your computer is operating in a network and your Internet connection hardware is cabled directly to the network hub. If you have a separate network interface card (NIC) for a high-speed Internet connection, you can enable ICF on that NIC without interfering with network communications. If you're using Internet Connection Sharing with a dial-up modem, or your cable/DSL device is on the same hub as your network computers (and you only have one NIC in the computer), ICF stops data transmissions from the other computers on the network. (The ICF-enabled computer has no problem accessing the other computers on the network; it's the other way around that presents the problem.)

The other computers on the network can see the ICF-protected computer in Network Neighborhood or My Network Places, but any attempt to access the computer produces an error message indicating the computer couldn't be found. You can overcome the problem in either of two ways:

  • Turn off ICF and use a third-party firewall that has a simple configuration process for permitting network communications while continuing to block Internet traffic.

  • Switch your network communication protocol to NetBIOS Enhanced User Interface (NetBEUI) (see the sidebar on installing NetBEUI on Windows XP). ICF will continue to block TCP/IP traffic from the Internet, and NetBEUI will handle the network communications.

Using NetBEUI for Network Communications

You can install NetBEUI as the communications protocol on all the computers on your network by changing the configuration of the NIC to add the NetBEUI protocol. The steps you take to accomplish this vary depending on the version of Windows, but the configuration options are available in the NIC's Properties dialog box. However, when you attempt this task in Windows XP, you'll notice that NetBEUI isn't listed as an available protocol. The Windows XP CD has the files you need to make NetBEUI available. Open My Computer and select the CD drive, then navigate to the Valueadd\MSFT\Net\NetBEUI subfolder. Copy Nbf.sys to Windows\System32\Drivers and copy Netnbf.inf to Windows\Inf. Then open Network Connections in Control Panel, and open the Properties dialog box for the NIC. On the General tab, choose Install, Protocol, Add, and select NetBEUI as the new protocol.

Logging ICF Activity

By default, ICF does not keep track of its work. However, you may find it useful to keep a log so you can look at information—e.g., the sending IP addresses, if you think you may have been victimized by an Internet intruder. Or, you may just want to keep an eye on ICF's doings. To set up a log file, follow these steps:

  1. Click Start, Control Panel, Network and Internet Connections, and then click Network Connections.

  2. Select the connection for which you want to enable/disable ICF.

  3. In the Network Tasks list in the left pane, select Change Settings Of This Connection.

  4. Select the Advanced tab, and then click the Settings button.

  5. In the Advanced Settings dialog box, click the Security Logging tab (see Figure 3-1).

    6. Click to view graphic
    Click to view graphic

    Figure 3-1   Enable ICF logging to keep an eye on intrusion attempts.

  6. Set the options you desire, using the following guidelines:

    • Logging dropped packets means logging the access attempts that ICF blocked. The information in the log file includes all the data that ICF could determine, including the IP address of the computer that initiated the communication and the port the sending computer was trying to access.

    • Logging successful connections means exactly what it says: a history of every exchange of data packets between this computer and the Internet (and other computers on the network). If you spend more than a couple of minutes a day on the Internet, collecting this data brings the log file to its maximum size rather quickly. The information isn't terribly useful, unless you feel the need to take a sentimental journey through your Internet activities.

    • If you don't like the default name or location of the log file, you can change either or both of those settings by clicking the Browse button.

    • The log file has a finite size, and when it reaches its maximum size, the oldest entry is deleted to make room for the new entry.

The ICF log file is a text file, and you can open it in Notepad to read its contents. The contents are formatted for W3C Extended Log format, which is a standard logging format that allows you to import the data into a spreadsheet or database application in order to sort it as you wish. (See the section "Using Firewall Log Files to Play Detective" later in this chapter.)

Letting Selected Services Through the Firewall

ICF blocks all incoming traffic by default, but you may want to let certain types of data through the firewall. To do this safely and efficiently, you need to understand these services, including when and why they're needed. If you don't have the requisite technical knowledge, you should do some homework before attempting this (it's beyond the scope of this book to get into this discussion).

See Also

For more information about letting selected services through your firewall, see Microsoft Windows XP Inside Out, by Ed Bott and Carl Siechert, also from Microsoft Press.

If you think you're up to the task (or if a software support technician is working with you on the telephone), click the Services tab on the Advanced Settings dialog box, where you'll find a list of services you can configure to pass through the firewall (see Figure 3-2). Just click the check box of the appropriate service to place a check mark in the box.

Click to view graphic
Click to view graphic

Figure 3-2   Some unsolicited inbound traffic may be necessary, so select the data type you want ICF to let through the firewall.

You can manually add a service you need that isn't on the list, and sometimes this is required when a software program you install needs to bypass the firewall for a specific service. The documentation for the software, or the support personnel you call when you have a problem because of your firewall, will tell you what service is required, which port it uses, and other geeky information you don't have to understand but you do have to fill in. Click Add to open the Service Settings dialog box and enter the following information about the service:

  • A descriptive name

  • The IP address of the computer hosting this service

  • The port number external computers are using for the service

  • The port number on this computer for the service

  • Whether the service uses TCP or User Datagram Protocol (UDP)

Enabling ICMP for Diagnostic Tools

Windows uses Internet Control Message Protocol (ICMP) for some command utilities, instead of using the more common TCP or UDP protocols. This affects two commonly used diagnostic commands, ping and tracert (tracert is discussed in Chapter 1).

ICF disables ICMP functions, but you can enable them in the ICMP tab of the Advanced Settings dialog box (see Figure 3-3). The ICMP tab displays a list of ICMP services, along with descriptive information about each. Select the check boxes for the services you need.

Click to view graphic
Click to view graphic

Figure 3-3   Select the services you want ICF to let through the firewall.

ZoneAlarm

ZoneAlarm, from ZoneLabs, is an extremely popular firewall. It runs on Windows 95/98/Me/NT/2000/XP and is available in two versions:

  • ZoneAlarm, which is free if you use it on a personal computer, or you are a nonprofit organization.

  • ZoneAlarm Pro, which offers more security features and network-wide coverage and is priced on a per-license basis (each computer covered by the software requires a license). If you require a paid version of ZoneAlarm, you can download a 60-day evaluation copy. After 60 days, you must purchase the software or stop using it.

ZoneAlarm is available for download from the ZoneLabs Web site, at the following address: http://www.zonelabs.com.

Click the Download link, and when a message dialog box appears asking if you want to open or save the file, choose Save, and select a folder to house the file.

TIP

It's a good idea to put all your downloaded software (and hardware driver updates) into one folder, and include that folder in your daily backups. Then, if you lose your hard drive, or buy a new computer, your software is available for installation just like all the software CDs you own.

Installing ZoneAlarm

Double-click the downloaded file to launch the ZoneAlarm installation wizard. Follow the prompts, clicking Next to move through the wizard windows. When the software files are copied to your hard disk drive, and you've filled in all the required information, click Finish. A message appears asking if you want to start running ZoneAlarm; click Yes to launch the software.

The ZoneAlarm Getting Started presentation launches, so you can learn about the software and its configuration options. You can work your way through the presentation, or you can click Cancel (the information in the presentation is in this chapter). When the presentation ends or is canceled, the ZoneAlarm software window appears so you can begin configuring the software.

The range of configuration options available in ZoneAlarm is enormous, making it very easy to set up the software to meet your own needs and preferences. Your configuration tasks take place in the ZoneAlarm window (see Figure 3-4), which opens when you double-click the ZoneAlarm icon that appears on the taskbar when the software is running.

Click to view graphic
Click to view graphic

Figure 3-4   A wide range of configuration categories makes ZoneAlarm a useful and powerful firewall.

Configuring Alerts

To specify the way you want ZoneAlarm to notify you of events, click the Alerts button and make the selections you require in the Internet Alerts window (see Figure 3-5).

Click to view graphic
Click to view graphic

Figure 3-5   Tell ZoneAlarm what to do when an outsider tries to access your computer.

The option at the bottom of the window that enables/disables the alert pop-up window refers only to incoming traffic (see the section "Configuring Program Options" later in this chapter for information about controlling outgoing traffic). When a pop-up message appears, it tells you that ZoneAlarm has blocked an incoming data packet, and contains as much information about the source of the data transmission as ZoneAlarm can identify (the IP address is usually noted). There's nothing to do except click OK, so it's a good idea to disable the pop-up message to avoid spending a lot of time clicking OK. If you have a need to know who was prevented from assaulting your computer, you can read the log file.

The log file is named ZALog.txt, and it's kept in the %SystemRoot%\Internet Logs subfolder. You can open the file in Notepad. The oldest event is at the top of the file so you'll have to scroll through the file to see the most recent events. The log file is a comma separated values (CSV) text file, which means you can import it into a database or spreadsheet program in order to sort the file by any category. (See the section in this chapter entitled "Using Firewall Log Files to Play Detective.")

Configuring Locks

You can use the Lock configuration page seen in Figure 3-6 to specify the conditions under which you want to lock all traffic to and from the Internet. The lock is off by default, but you can enable it and specify the conditions under which it engages.

Click to view graphic
Click to view graphic

Figure 3-6   ZoneAlarm's lock feature lets you shut down all Internet traffic.

You can lock down Internet traffic manually by clicking the Stop button; clicking again unlocks the traffic path. The current state of the lock is indicated by the lock icon, which is either engaged or disengaged.

You can also configure ZoneAlarm to automatically lock the traffic paths when you're away from your computer by specifying a lock when either of the following events occurs:

  • Your screen saver activates. Using the mouse or keyboard to get rid of the screen saver also automatically unlocks ZoneAlarm.

  • An amount of time (that you specify) elapses without any keyboard or mouse input (useful if you don't use a screen saver). If you select this option, when you return to work, you must manually unlock ZoneAlarm by clicking the Stop button at the top of the ZoneAlarm window.

You can also specify that certain programs can continue to pass through the firewall, even though you've locked ZoneAlarm. For example, you may have your e-mail software configured to check your ISP's mail server at regular intervals, and you want that process to continue while you're away from the computer. See the section of this chapter entitled "Configuring Program Options" to learn how to designate a program as a pass-through candidate.

Configuring Security Options

Use the Security Settings window to set the general security level for ZoneAlarm. The default settings, seen in Figure 3-7, are usually the best choice, but you may have some reason to loosen or tighten the security for your computer. Just move the slider bar to change the setting; ZoneAlarm displays an explanation for each level.

Click to view graphic
Click to view graphic

Figure 3-7   You can set security levels for your local network and for the Internet.

This window also offers the MailSafe protection option, which is enabled by default. MailSafe checks incoming e-mail for .vbs attachments, but since e-mail viruses arrive in many forms besides .vbs attachments, this isn't a substitute for real antivirus software.

Configuring Advanced Security Options

Click the Advanced button on the Security Settings window to open the Local Zone Properties window seen in Figure 3-8. You can use this window to create a list of trusted computers to make sure traffic flows unimpeded between those computers and your computer. Obviously, if your computer is part of a network, the other computers on the network qualify as "trusted."

Click to view graphic
Click to view graphic

Figure 3-8   Let ZoneAlarm know about computers that the firewall can safely ignore.

If you're on a network, selecting the network adapter (which ZoneAlarm automatically finds) includes all the computers on the same subnet. However, if there's a network computer on a different subnet that you want to include, click the Add button to identify it. You can add an Internet server, identifying it by its IP address, which is useful if you've tightened up the Internet security settings. You can also add a range of IP addresses to include all the computers within that range.

Configuring Program Options

You can use the Program window seen in Figure 3-9 to tell ZoneAlarm about local software and system services that are permitted to send packets out to the Internet. However, rather than try to determine in advance which processes are likely to send outgoing traffic, you can let ZoneAlarm compile the list for authorized programs by waiting for each program to access the Internet the first time.

Click to view graphic
Click to view graphic

Figure 3-9   Programs listed here are always permitted to send data to the Internet.

When an unauthorized program or process sends a data packet to the Internet (outgoing traffic), ZoneAlarm always displays a pop-up message; there is no option to turn off that notification event. That's because you must tell ZoneAlarm whether to let the outgoing transmission pass through the firewall. You have four choices:

  • Prevent the transmission this time

  • Prevent every transmission by this program/process in the future

  • Permit the transmission this time

  • Permit every transmission by this program/process in the future

Choosing permanent permission automatically puts the program on the authorized list. To help you decide, the outgoing transmission pop-up message that ZoneAlarm displays contains plenty of information about the event, including some or all of the following:

  • The program or process that is attempting to send data

  • The target IP address

  • Whether the program has previously sent data to this target IP address

  • Whether the program is acting as a server or client for this transmission

  • The port being used for the transmission

Sometimes a local software program is accessing the Internet but not really sending data packets from your computer. For example, if you're visiting a Web site and you copy text or graphics and then paste the information into a software application, ZoneAlarm notes the event and asks for permission in a pop-up message.

Click to view graphic
Click to view graphic

What's important about this pop-up message is the target IP address, which is 127.0.0.1. That IP address always means the local computer (irrespective of any other IP address that's been assigned to the computer). Because your computer is acting as both sender and receiver, it's safe to permit the transmission.

If you're using the ZoneAlarm Lock feature (described earlier), be sure to select the Pass Lock check box for programs that should be able to continue to access the Internet when the firewall is locked.

Configuring Startup Options

To set startup options for ZoneAlarm, click the Configure button to open the window seen in Figure 3-10. You should also register your software and choose the option to check for software updates.

Click to view graphic
Click to view graphic

Figure 3-10   Set basic behavior options for ZoneAlarm in the Configure window.

BlackIce

BlackIce, from Internet Security Systems, Inc, is another popular firewall application. It runs on Windows 98/NT/Me/2000/XP, and you can buy it at the company's Web site: http://www.iss.net. No free versions of the software are available, but you can download an evaluation copy to see if you like it. The evaluation version is one version earlier than the current released version of the software, and after the evaluation period elapses you must purchase the current version of the software.

BlackIce has firewall capabilities similar to those in ZoneAlarm but is a bit more complicated to configure and use. In addition, BlackIce monitors the state of all the executable software files on your system in order to make sure that files aren't changed by some rogue program that has made its way into your system (which is actually an antivirus activity). These additional services add to the complexity of running and configuring the software. However, if you think these added features are valuable, you'll probably feel that the additional efforts to set up and use the software are worthwhile.

Installing BlackIce

After you've downloaded the software, double-click the downloaded file to begin the installation process. BlackIce uses the popular InstallShield wizard (which you've probably encountered many times), and you must click Next to move through each wizard window. After the Welcome window, you must accept the terms of the BlackIce license, and then specify the folder into which you want to install the software.

After showing you the menu item that BlackIce will create when the installation is complete, the wizard displays the window seen in Figure 3-11. The baseline inspection referred to in the message results in the creation of a database that BlackIce uses to make sure no executable files change.

Click to view graphic
Click to view graphic

Figure 3-11   BlackIce keeps detailed information about executable files on your system in order to make sure viruses or other rogue programs change these files.

When you click Next, the wizard first installs all the software files on your hard disk drive and then begins inspecting your computer. This can take a while, especially if you have a lot of software installed on your computer, so you should probably find something interesting to do (watching the progress bar move during software installation is among the least interesting things you can do; even cleaning your closets is more interesting).

When BlackIce has collected all the information it needs, the final wizard window appears, announcing that setup is complete. Click Finish. The BlackIce icon appears in your taskbar and is always there while the software is running. To set configuration options, double-click that icon, and choose Edit BlackIce Settings from the Tools menu.

Firewall Tab

The Firewall tab, seen in Figure 3-12, is where you set basic firewall protection options.

Click to view graphic
Click to view graphic

Figure 3-12   Configure the type of barricades BlackIce sets up to protect your computer.

The Protection Level is a measure of the intensity of the security settings. By default, the level is set at Cautious. You can make the setting more restrictive or looser, depending on the level of risk you think exists. Here are some guidelines to help you decide on the appropriate level:

  • Paranoid means that all unsolicited inbound traffic is prohibited. This may interfere with some of the features available when you work with interactive Web sites.

  • Nervous bars all unsolicited inbound traffic except traffic required for interactive Web sites you've chosen to work with.

  • Cautious stops unsolicited inbound traffic that is trying to access Windows operating system services, including network services.

  • Trusting permits all inbound traffic to come through the firewall.

In addition to the Protection Level settings, the Firewall tab offers several other configuration options. Select or clear options by clicking the check box to insert or remove a check mark.

  • Enable Auto-Blocking Selected by default, this option automatically blocks incoming data packets. If you clear this option, traffic isn't blocked, but BlackIce will record the event in a log file.

  • Allow Internet File Sharing Permits file sharing among computers, including computers on your Local Area Network. If your computer is on a network, select this option.

  • Allow NetBIOS Neighborhood Means that this computer appears in Network Neighborhood/My Network Places of the other computers on your network. If you don't select this option, users on other computers won't see this computer's listing. Users on other computers who want to access your computer must do so manually, usually by entering the computer's UNC in the Run command box.

    • LINGO

    UNC means Universal Naming Convention, which is the format for entering the path to a shared resource on a remote computer. The format of the UNC is \\ComputerName\ShareName.

If you make changes to any of the options in the Firewall tab, click Apply to put the changes into effect and move to another tab. If you're finished with your configuration efforts, click OK to close the dialog box.

Packet and Evidence Log Tabs

BlackIce offers to track information about events in log files. This means you can examine the details about previous events, giving you a historical perspective if something untoward occurs. Both the Packet Log tab (see Figure 3-13) and the Evidence Log tab contain the same configuration options. The logs, however, contain different types of information:

  • The Packet log file notes all traffic, not just intrusion attempts. The log is disabled by default, and unless you suffer from terminal curiosity, I can't think of any reason for enabling this feature. The log files are filled with tons of information you'd have to winnow through in the hope of finding something that can help you track attempted intruders.

  • The Evidence log, which is enabled by default, is where BlackIce tracks activity the software deems suspicious or dangerous. The logs contain information about the data packets generated by suspected intruders, in addition to information about the IP address of the source computer. This means the logs have detailed information about everything an intruder tried to do.

Click to view graphic
Click to view graphic

Figure 3-13   Specify the way BlackIce manages log files.

The logs are kept in the folder into which you installed BlackIce, and the following configuration options are available:

  • File Prefix determines the prefix of the log filenames. By default, the prefix for a packet log is LOG, so that log files are named LOG0001, LOG0002, and so on. The default prefix for an evidence log is EVD. You can add a time/date stamp to the evidence log filename by inserting %d after the prefix. The time/date stamp appears in the format YYYYMMDD.

  • Maximum Size (kbytes) indicates the maximum size you want to permit for a log file, after which BlackIce starts a new log file.

  • Maximum Number of Files determines how many log files BlackIce will retain. You can rename old log files or move them to a different folder to make sure the system continues to create files.

Back Trace Tab

Back tracing means tracing a connection back to its origin, and BlackIce performs this action when it appears that a malicious intruder is trying to access your computer. In order to back trace, BlackIce moves backwards through the path the external computer used to reach your computer, documenting each hop it took. In effect, a back trace is the reverse of a trace route, which you can perform at the command line by entering tracert target (substitute an Internet location, such as Microsoft.com for target). Read Chapter 1 to learn how to use the tracert command.

Use the configuration options available on the Back Trace tab, seen in Figure 3-14, to specify the way a back trace works.

Click to view graphic
Click to view graphic

Figure 3-14   Set the scenario for tracing an intruder across the Internet.

You need to configure the options for both an indirect trace and a direct trace, each of which works differently, as follows:

  • An indirect trace collects information without accessing the source of the intrusion, which means the intruder can't detect the fact that a trace is in progress. However, indirect traces don't provide as much information as direct traces.

  • A direct trace gathers information by accessing the source of the intrusion, which might be detected by the intruder. Some malicious hackers have software that can detect and block direct traces.

The severity threshold specification is a number invented by BlackIce to determine how serious a threat is. BlackIce uses the following severity threshold definitions:

  • 0 means an event has occurred that does not seem to threaten your computer. The software takes no action.

  • 1-3 means an event has occurred that is suspicious but does not appear to be threatening. For example, an intruder may be searching for open ports but has not yet attempted to access the computer.

  • 4-6 means an attempt has been made to access information on your computer.

  • 7-10 means an intruder has made an attack and tried to damage a data file, extract data from your computer files, or crash the computer.

In addition to specifying the threshold, two other options are available for back tracing:

  • For an indirect back trace, DNS Lookup means BlackIce queries Internet DNS servers for information about the intruder's point of origin.

  • For a direct back trace, the NetBIOS Nodestatus option means BlackIce performs a NetBIOS lookup on the intruder's system. If successful, this gives you specific information about the source computer.

Intrusion Detection Tab

This tab is misnamed; it should be called Intrusion Non-Detection or Non-Intrusion Detection. You use this tab to specify the computer traffic and application events that BlackIce should trust and therefore ignore:

  • Trust means that BlackIce should exclude an IP address from its list of "places to watch."

  • Ignore means that certain events (e.g., port scans or queries) from those trusted sources don't have to be investigated, nor should they trigger a log entry.

If your computer is part of a network, this is the place to indicate that it's OK to let the network computers access your system. Click Add to open the Exclude From Reporting dialog box, and then enter the IP addresses of the computers on your network. BlackIce ignores all events from these computers.

Notifications Tab

The Notifications tab (see Figure 3-15) lets you specify the way you want BlackIce to alert you when a significant event occurs. For event notification, you can specify the circumstances under which you want to receive a video alert, an audio alert, or both.

The level of severity is indicated by the number of colored circles; the more circles, the more severe the event. By default, the system issues a video notification (a pop-up message) when the most serious event occurs. You can lower the severity level that produces the pop-up, and you can also add an audio notification for any level.

Click to view graphic
Click to view graphic

Figure 3-15   Establish the settings for alerts about important events.

The tab also contains an option to check the BlackIce Web site to see if any software updates are available. If you enable this option, also specify how frequently you want to check the Web site.

Prompts Tab

Use the Prompts tab to specify whether or not you want to see a confirmation dialog box when you perform certain actions in BlackIce. For example, you might want to turn off the confirmation message that appears when you clear the event list, or when you are notified that BlackIce has blocked an intruder. The Prompts tab also lets you configure the way tooltips display in the BlackIce software windows.

LINGO

Confirmation dialog boxes are those little messages that pop up asking "Are you sure?" when you perform certain tasks, such as deleting files.

Application Control Tab

The settings in this tab go beyond firewall protection. This tab offers options that let you control applications and processes that attempt to open on this computer (see Figure 3-16).

Click to view graphic
Click to view graphic

Figure 3-16   Specify what BlackIce should do if an unknown or changed application tries to run.

When you installed BlackIce, the software made a list of all the applications installed on your computer. Those applications are allowed to run without interference, unless they've been changed since the original investigation. Remember that not all changes are the result of a virus or other rogue program messing around with the executable file; updating a software application changes the executable file.

If any application that's not on the list tries to run (including applications you installed after you installed BlackIce), you can specify what BlackIce should do about that.

Communications Control Tab

The Communications Control tab, seen in Figure 3-17, specifies the circumstances under which this computer can send data. The Enable Application Protection check box, which is selected by default, tells BlackIce to monitor your computer for unauthorized outbound transmissions of local data. You need to decide what BlackIce should do when those monitoring efforts detect outbound data from an unauthorized application.

Click to view graphic
Click to view graphic

Figure 3-17   Protect your computer from rogue programs that ask for local data.

Configuring Advanced Firewall Settings

BlackIce provides configuration options for its firewall activities, and you can review those options by selecting Advanced Firewall Settings from the Tools menu. As you can see in Figure 3-18, BlackIce can block or permit data from certain ports or addresses.

Click to view graphic
Click to view graphic

Figure 3-18   A circle with a line through it means the port or address is blocked; a green light means access is permitted.

If you're on a network, you should add the addresses of computers on the network by clicking the Add button to open the Add Firewall Entry dialog box. Enter a name for the entity (e.g., MyNetwork) and then enter the IP address or the range of IP addresses. For networks, be sure to specify the Accept option under the Mode section of the dialog box. On the other hand, if you're trying to stop a particular IP address from accessing your computer, select the Reject option.

You can apply the Accept/Reject mode to all ports accessed by this IP address or clear the All Ports check box and specify particular ports. You can also specify the duration of this Accept/Reject condition. When you've finished configuring this entry, click Add to return to the Firewall Settings dialog box, where your new entry appears in the list.

You can modify the configuration of any entry in that list by selecting its listing and choosing Modify, to open the Modify Firewall Entry dialog box, which offers the same options as the Add Firewall Entry dialog box.

NOTE

Clicking the Options button opens a dialog box that lets you clear the option to warn you when an entity's settings are about to expire; it's not a good idea to clear the option.

Using Firewall Log Files to Play Detective

The fact that firewall log files are designed for easy import into spreadsheet or database software is a significant advantage. For example, you can sort by IP address to see which address is probing your ports most frequently. Then you can find the Web site for that IP address and complain to the Webmaster. Finding a Web site name from its IP address is called reverse lookup, and a number of reverse lookup sites are available on the Internet for this purpose. One popular reverse lookup site is Eons, which you can access by entering the following URL into your Internet Explorer address bar: http://eons.com/iplookup.htm.

Most of the time, you'll discover the IP address belongs to an ISP, so the IP address was temporarily assigned to the evildoer who tried to break into your computer when he logged on to his ISP. But because your log file has a date and time, the ISP may be able to track down the miscreant by checking the user who was connected under that temporary IP address at that time. All ISPs ban people who use their Internet connection to do harm.

Hardware Firewalls for Networks

If you want to share a cable/DSL connection across a network, the easiest, most efficient, and most powerful way to accomplish this is to install a hardware device that has firewall software built into it.

The most commonly used device for this purpose is an Internet router (sometimes called a gateway router) that includes firewall protection. A router sits between your Internet connection device and the rest of your network, effectively separating the Internet and your network into two independent unconnected networks (or, two armed camps, which is the way I see it when I'm setting up a firewall). The only device that's seen from the Internet is the router; all the computers on the network are invisible. Talk about the proverbial brick wall!

In fact, even your ISP only sees the router, because your ISP exists in the other camp (the Internet network). Since some broadband ISPs (especially cable modem ISPs) have a rule against sharing the connection among multiple IP addresses, the fact that the router presents only one IP address to the other camp means you've overcome the inconvenience of that rule. Please don't tell them I told you; just pretend you didn't learn that here.

NOTE

Installing a router also means you don't have to put two NICs in the computer that's attached to the cable/DSL device.

Several router manufacturers offer routers with firewall protection, and the equipment is available with a wide variety of options. Some routers can handle the technical functions that all the computers on the network need in order to obtain an IP address automatically. You can even buy an all-in-one device that has the cable/DSL hardware included, as well as ports for all the computers on your network, eliminating the need to buy a hub. In addition, most manufacturers now offer routers for wireless networks. Here are a few of the manufacturers who offer hardware firewall devices:

How to Test Your Firewall

I'm not willing to assume that my firewall is doing what it's supposed to do just because I haven't had a weird or disastrous event occur on my computer or network, and you shouldn't be, either. Luckily, there's a Web site that tests firewall effectiveness. The Web site, Gibson Research Corporation (GRC), is at http://www.grc.com.

NOTE

There are other firewall tests available at other Web sites, but my experiences with Gibson Research have been incredibly good for many years. This company has been around forever, and computer consultants have learned to trust and rely on these experts for many technical tasks when they face potential disasters at a client site.

To test your firewall, click on the Shields Up! link and then scroll down the page and click Test My Shields. GRC attempts all sorts of tricks to break into your computer and then posts its results. Figure 3-19 is the report on my system.

Click to view graphic
Click to view graphic

Figure 3-19   My firewall is doing its job.

Because the majority of intruders use port-scanning software to break into computers over the Internet, you should also specifically test the way your firewall is protecting the data ports. Click Probe My Ports and wait for the results. GRC reports the status of every port it tests, and the goal is to have a status of "stealth" (see Figure 3-20, which shows the status of the ports on my system).

Click to view graphic
Click to view graphic

Figure 3-20   Scroll through the report to check the status of every port that was tested.

If your firewall doesn't produce reports like these, either get a better firewall or check any configuration options you've changed (that you shouldn't have).

Inoculate Your Computer Against Viruses

Computer viruses have become an enormous and costly problem for all users and business enterprises. The number and variety of viruses that are traveling from computer to computer present a serious danger and an enormous amount of economic loss. Most viruses arrive by way of the Internet, although you may occasionally find infected floppy disks or CDs. Here are the 10 important rules for preventing virus infections:

  1. Run an antivirus software program all the time.

  2. Configure your e-mail software for maximum antivirus security.

  3. Run an antivirus software program all the time.

  4. Update operating system and e-mail software whenever a security update is available.

  5. Run an antivirus software program all the time.

  6. Use common sense when opening e-mail attachments—don't open attachments from strangers.

  7. Run an antivirus software program all the time.

  8. Don't download files from the Internet unless you know the Web site has an irreproachable reputation.

  9. Run an antivirus software program all the time.

  10. Last but not least, did I mention you must run an antivirus software program all the time?

Incidentally, if you're totally unfamiliar with antivirus software, you might want to start by investigating two of the most popular antivirus software companies: McAfee (http://www.mcafee.com), and Symantec (http://www.symantec.com). Both companies offer a variety of antivirus software tools (the Symantec products are called Norton Antivirus). Also, check the reviews of antivirus products in computer publications, and ask your geeky friends for their recommendations.

Try This!

To help you decide on the antivirus software solution you want to use, look for reviews at the following Internet sites (just another way to prove that the Internet is a great research tool):

What's a Virus and How Does It Work?

A virus is a program, although it's frequently disguised as something else (even as a screen saver). The code in the program is designed to cause an unexpected, and usually harmful, event. In addition, the code is designed to replicate the virus to other drives on your computer, or to other computers by means of a network, or e-mail.

Viruses can only exist, spread, and operate as programs. I can hear some of you saying "Oh yeah, well I got a virus from a Microsoft Word document, and a document isn't a program, so viruses must also exist as documents." Yes, you certainly can receive a virus with a Word document (probably attached to an e-mail message). But the virus wasn't in the document, it was in the Visual Basic Script (VBS) programming code that was used to create a macro. Macros are linked to the document file, and they travel with the document file, and because they use VBS, which produces executable code just like any other programming language, they qualify as programs.

TIP

If you don't use VBS and don't need to run .vbs files, change the file association for .vbs files to Notepad. Then, if you accidentally double-click a .vbs file (which might contain a macro virus), it won't run its code; it'll open as a text file in Notepad. Check your Windows help files to learn how to change file associations.

Viruses do damage in many ways, and the severity is dependent upon the viciousness of the programmer. Viruses erase data, change program files, change system files, or cause enough damage to the operating system files to render the computer useless. Some viruses go to work as soon as their code is executed; other viruses wait until preprogrammed circumstances cause their code to be executed (usually a certain date).

Viruses arrive in many constructs, and within each category of viruses there are many subcategories. Covering all of these variants and explaining how they perform their evil deeds would fill a very thick book. However, I think it's a good idea to present a brief overview of some of the basic types of viruses—the ones you hear about (or are victimized by) most frequently.

File Infector Viruses

The oldest type of virus is the file infector virus, which attaches itself to program files. When you launch the program you also launch the virus, which proceeds to do its work. These viruses can use any executable file type, although they most commonly use .com and .exe files. However, other executable file types, including .sys, .ovl, .prg, and .mnu are known targets. Some viruses arrive as discrete, fully contained programs (sometimes as scripts) instead of attaching themselves to other programs.

People who know that these virus types are connected to executable files are frequently surprised when their computers become infected. After all, they examine the file names of e-mail attachments, looking for a file extension that indicates an executable file. They see an attachment with the file extension .txt and stop worrying.

Unfortunately, Windows doesn't display file extensions by default, so a file that seems to be named readme.txt could really be named readme.txt.exe. I always advise users that the first thing to do when they bring home a new computer is change the default setting for viewing files so that file extensions are visible. To accomplish this, follow these steps:

  1. Open My Computer or another system folder such as Windows Explorer or Control Panel.

  2. Choose Folder Options from the Tools menu (or from the View menu in Windows 98).

  3. Move to the View tab.

  4. Scroll through the Advanced Settings list to locate the item Hide File Extensions for Known File Types, and click the check box to remove the check mark.

  5. Click OK.

Macro Viruses

Macro viruses are usually programmed to do the same damage as file infector viruses, but their method of transportation differs. They don't attach themselves to an executable file, nor arrive as a self-contained executable file. Instead, they launch when the document file to which they're attached is opened, at which point they carry out their damaging tasks and replicate themselves into other documents.

Boot Sector Viruses

A boot sector virus places its code in the boot sector of a floppy disk, or the Master Boot Record of a hard drive. During startup, when the computer reads and executes the programs in the boot sector, the virus launches and goes into memory. From that position, it can control basic computer operations and replicate itself to other drives on the computer, or even on the network. Some boot sector viruses are designed to destroy the computer's ability to boot; others permit startup and then perform whatever nefarious acts they're programmed to accomplish.

Trojan Horses

A Trojan horse does the same malicious work as a virus, but it's not a true virus because it doesn't replicate itself. Since self-replication is part of the technical definition of a virus, many people use the term Trojan horse (or just trojan) to make the distinction. To a victim who's looking at the damage, however, there's not much difference.

One serious problem with Trojan horses is that it's sometimes not as easy to remove the damage they do from your system; you almost always have to contact an antivirus software company to get a list of instructions. You may have to undo changes to the registry, replace system files, or perform other manual tasks to rid your system of the damage, even after your antivirus software has deleted the Trojan horse file. See the sidebar "Trojan Horse Specialists."

LINGO

The name Trojan horse is derived from Homer's Iliad, in which he described how the Greeks faked out the Trojans during a vicious war. The Greeks pretended to retreat and offered a giant wooden statue of a horse to the Trojans as a peace offering. The statue was hollowed out and within it hid armed warriors. That night, while the Trojans celebrated victory, the belly of the statue opened, and the armed warriors emerged and defeated the Trojans. Since the rogue code in a Trojan horse program disguises itself as a normal, safe, program, somebody (who obviously read Homer) applied this name. However, all viruses arrive looking like normal programs, so I've never understood this particular distinction.

Trojan Horse Specialists

Most antivirus programs can identify and delete most Trojan horses, but if you find yourself facing continual attacks by Trojan horses, you may want to install software that's dedicated to this type of malicious code. I've looked at many reviews of these products from reviewers I trust, and the following two companies offer products that consistently receive high recommendations: PestPatrol (http://www.safersite.com), and Tauscan (http://www.agnitum.com).

Worms

A worm is a self-contained program and never has to attach itself to any other program in order to launch its damaging code. Instead, a worm must be manually opened, at which point it does its damage and replicates itself (sometimes by mailing itself to recipients in a Microsoft Outlook or Outlook Express address book). In fact, one of the characteristics of a worm is its incredibly powerful ability to propagate itself across drives and computers. The fact that they don't need to attach themselves to other programs makes worm propagation easy and rapid; after all, with no need to find a host file, they can just plop themselves down anywhere they wish and clone themselves all over your drives. Sometimes each clone has a slightly different assignment, so when all these copies blast into action, they can do the maximum amount of damage. Worms almost always arrive as e-mail attachments.

How Antivirus Software Works

Antivirus software is very complex, because it operates with multiple components. It's impossible to get specific information about the way the programming code works, because companies don't discuss those details (for obvious reasons). However, if we look at the broad view, most antivirus programs operate similarly. The software has two main components:

  • The engine, which runs the processes and is itself a two-part program:

    • The on-access component, which runs all the time and automatically checks files as you open them

    • The scanning component, which checks all the files on your computer

  • The virus information data files, which contain information about known viruses and also contain markers that are found within infected files, making it possible for the software to spot them

Antivirus software works by intercepting certain operations, like reading files or e-mail messages, and then scanning the data in the file before allowing the operating system to continue with the operation. The scanning process involves several steps:

  • Matching the contents of the file against the information in the virus data information files, looking for a known signature (a string of characters or bytes that's found in every instance of a particular virus); see the section "Data Information Files," later in this chapter

  • Looking for suspicious file attributes, such as an unexpected change in the size of an executable file

  • Looking for suspicious behavior by using heuristic scanning, which is a method of analyzing code to sniff out suspicious behavior (see the sidebar "Heuristic Scanning" for more information about this process)

When the software finds an infected file, it displays a message, which usually asks you how you want to handle the file. The choices vary depending on the software, but generally one of the following three choices are available:

  • Clean the file This choice is only viable for a virus that has infected an existing file. The software will attempt to clean the virus out of the file, reverting the file to its original safe condition. If the attempt to clean the file fails, the software notifies you of that fact, at which point you should delete the file (use the Delete option in the antivirus software window; don't open Windows Explorer to delete the file). If the file you delete is needed by the operating system or an application, you'll have to replace it with the original.

  • Delete the file The file is not sent to the Recycle bin; it is permanently deleted.

  • Isolate the file Some antivirus software programs offer some method for isolating infected files, usually in a folder it creates, maintains, and isolates to prevent any file from working outside of that folder. Later, you can delete the contents of the folder or send them to the software company (if you're participating in a program that asks you to do this).

The software almost always identifies the virus it found, and you should note the name and travel to the antivirus software company's Web site to learn more about that virus. You may have to do more than just delete the infected file to clean up your computer, and the company has instructions for any other steps required to rid your system of the effects of the virus. This is especially true of Trojan horse viruses.

Heuristic Scanning

Heuristic scanning is behavior-based analysis of an executable file in order to try to identify whether it's a potential threat. Antivirus software companies use this method to try to catch viruses that are new to the computer community, and therefore have not yet been analyzed to determine the information needed to add them to their virus information data files. Each antivirus software company has its own method for determining "suspicious" behavior during heuristic scans. In some ways, heuristic scanning is a guessing game, but at least the conjectures are educated guesses, and this isn't a "throw a dart and see if it hits the bull's-eye" technique.

Heuristic scanning has a few undesirable side effects, but none of them are serious enough to turn off the feature (some antivirus software lets you turn it off). It makes the scanning process slower, it can occasionally produce false alarms when a perfectly good program is coded to behave the way a virus might behave, and once in a while it can miss a new virus that doesn't behave in typical virus fashion. Still, I think it's best to err on the side of safety (OK, paranoia), so even though the technology for heuristic scanning is not as advanced as it probably will be in the future, I think you're better off using the feature.

Data Information Files

All antivirus software comes with a data information file, which is a separate file. This file contains information about known viruses, and the software engine uses the data in this file as a reference when it scans files to check for the presence of a virus. The information about known viruses is collected when viruses are discovered and inspected, and the unique markers for every known virus are recorded in the data information file.

All antivirus software companies provide the latest version of their data information files on their Web sites. These files are updated constantly, sometimes even hourly. You should check for a new version of the data information file frequently; in fact, I recommend checking daily. Downloading this file is not the same as downloading an update to the software; all antivirus software companies offer an option to download only this data file, which is then automatically linked to the software files.

NOTE

When you download an update to antivirus software, the latest version of the data information file is always included.

Getting the Most Out of Antivirus Software

You have a wide range of choices for antivirus software applications, but no matter which package you choose, the way you configure your software determines its level of effectiveness. Like most applications, antivirus software is configurable, so you can make it perform in a manner that suits your own computing needs. Most of the antivirus packages offer some basic configuration options during the installation process, and all of them have configuration pages in which you can tweak the settings after the software is installed. Since the configuration options, and the resulting behavior, are so similar among all antivirus software applications, I won't cover specific software in my discussions.

Startup Options

All antivirus software configures itself to start its on-access component (the engine that checks every file as it's opened or received in e-mail) when you start Windows. However, it's always possible to change that default setting, configuring the software to open only when you select its listing from your Programs menu.

Don't change the default setting; always start antivirus software during Windows startup. Yes, it makes the Windows startup process a bit slower. So what? If you have to wait another 10-20 seconds to start working in Microsoft Excel, or to start playing FreeCell, it's not the end of the world, and the risks are too high to think otherwise.

Update Options

Antivirus software can be configured to check with the software company's Web site on a regular basis to see if any updates to the software, or to the virus data information file, are available. In fact, that's usually the default setting. The checkup procedure involves checking the date of the software files and the data information file that are on your hard disk drive against the date of the latest revisions to those files on the company's Web server.

If you have an always-on Internet connection, you probably won't even notice the update checks, because they take place in the background. If you connect to the Internet manually, you may notice a small delay before your browser or e-mail program begins its work, because your antivirus software checks for updates when you connect to the Internet.

If an update is available (a file newer than yours exists on the Web server), one of two events occurs (depending on the software company, or the way you've configured your software, or both):

  • A message appears to tell you that a newer version of the software, the data information file, or both is available; click the Update button to fetch the new files.

  • The update is automatically downloaded and installed, and when the process completes a message appears to tell you your software has been updated.

TIP

If your antivirus software is capable of automatically installing updates and also provides configuration specifications to check for updates at a certain time, and you have an always-on Internet connection, set the update check for the middle of the night. When you return to your computer in the morning, it's all done and the process didn't interfere with your work. Don't turn off your computer at the end of the day, of course.

Scanning Options

OK, you start your antivirus software during Windows startup, which means the on-access component of the software is checking every file you open. Sorry, but you're only taking care of half of your responsibilities. You must also periodically scan your drive(s) for viruses. This is the only way to catch those viruses that are attached to files that weren't opened, or otherwise slipped through the cracks during the on-access virus check.

You can configure your antivirus software to perform a full scan automatically on a regular basis, or you can start the scan manually. You must perform a full scan at least weekly, and more often is better. Before you scan your drive(s), be sure you've downloaded the latest virus information data file from your antivirus software vendor.

Stupid Virus Hoaxes

The threat of viruses is real enough to make all of us nervous about safe computing, but having to deal with virus hoaxes heightens anxiety. In addition, people who fall for these hoaxes can end up damaging their systems if they follow the advice or instructions they receive. (I've seen many messages that tell me to look for a certain file and delete it immediately—it's almost always a real system file.)

We've all received e-mail messages warning us about some new deadly virus that will destroy our computers, ruin our social lives, and generally change life as we know it. Although I know that most people fall for this stuff because they don't have enough technical knowledge to recognize that most of the information doesn't make sense, I'm afraid I'm lacking in some important human sensitivity measurements. Instead of feeling sympathy ("oh, you poor thing, if you knew anything about computers you'd know this couldn't happen"), I find myself thinking "this gullible fool will believe anything, what can I sell him?" Then I always feel a sense of annoyance (OK, anger) that this person would waste my time and my disk space by including me in his recipients list. To help you avoid becoming known as a gullible fool, here are some guidelines for recognizing fake virus scares.

Don't Take Technical Advice from a Chain Letter

Some virus hoax messages aren't warnings, they're advice. The most famous example of one of these advice hoaxes is the "Add !0000 to your address book" chain letter that periodically travels around the Internet. This e-mail message includes a tip that involves adding the recipient "!0000" to your address book, explaining that when a virus tries to send itself out to everyone in the address book, the mail client will falter on the bogus address and the mass e-mail attempt will fail. Some variants of this hoax include the information that this recipient will always appear first in your address book because of the way computers alphabetize lists. Computers do alphabetize by starting with numbers, and moving on to letters. But that's the only fact in the message.

Check the Facts

Most of the time, virus hoax messages are warnings, and hundreds of them are circulating at any given time. If you get one of these messages, do your friends, acquaintances, relatives, and all the other people in your address book a favor—don't click that Forward button on your e-mail software window. Check the facts first, using any of the following resources:

How to Spot a Virus Hoax

Virus hoax messages have some things in common, so here's an overview of how to spot one.

Look for the soap opera plot. These messages always have a long, drawn out story about somebody's brother whose sister-in-law works at a frammis manufacturer, which was working with a foot doctor, who visited an Internet site, and so on. Somewhere in the cast of characters you'll find somebody with computer expertise; he works at Microsoft, or IBM, or is the IT (Information Technology) director of a major technical company.

Look for the chain letter instructions. The message includes an urgent plea to distribute this information (frequently in capital letters to promote a higher sense of urgency), e.g., SEND THIS TO EVERYBODY ON YOUR E-MAIL LIST, IN FACT, SEND THIS TO EVERYBODY YOU KNOW, HAVE EVER MET, OR WOULD EVER LIKE TO MEET.

Look for a link to a URL of a company that has expertise in viruses (e.g., an antivirus software vendor). You won't find one.

Key Points

  • You need to protect yourself against vile Internet users who try to attack your computer.

  • You must use a firewall to protect your computer against intruders.

  • Many types of viruses exist, and they're all dangerous. You must protect your computer from becoming infected.


Last Updated: October 30, 2002
Top of Page