You forgot to mention to use either Firefox with NoScript installed, or Opera.

Really, all I use is Spybot S&D (with TeaTimer), AVG AV, ClamWin AV, ZoneAlarm Firewall, and Firefox+NoScript. It's all free, and I haven't had a virus (to my knowledge) in over a year.

I do disagree with what you said about ZoneAlarm Firewall. It works quite well for me; it's just a pain to update anything, because it will ask for permission as soon as you run anything for the first time. I've heard good things about Avast! and I intend to download it soon.

Thanks for your time,
Danny

_


Danny,

Thanks for reminding me, I forgot to insert my Firefox pitch.

Also, I expanded the section on why I don't recommend software security clients.


All of the above means nothing to me as much as that it shows your life returning to ::somewhat:: normalcy.

So far, I've been lucky, and stay safe just by my habits- but I have had some crap just because other, less discriminating people use my computer. When I upgrade I'll be printing this out and going on from there.


I've had luck with FreeBSD's ipfw and wipfw on Linux and Windows machines, respectively, but other than that, I really wouldn't advise any of the software firewalls.

An important thing you missed under 'don't be stupid' was to keep everything updated, not just the antivirus and antispyware. Even good firewalls sometimes come out with firmware updates, and even automated backup software can have usability or speed updates.

Backup files, not the system. Backup storage is extremely cheap these days, but it's still limited, and the more stuff you're tossing in with each backup, the fewer backups you can keep on there at once. That's not bad if you can detect a problem right away, but if you end up with a destroyed copy of a document that you use once a month, it's very good to.
You don't need to (or, for that matter, want to) backup your baseline system once a week. If it goes boom, you can go to a baseline from right after your basic installation, and at least know you're clean.
Going from a full Vista backup to just backing up my files brings me from 60 gigabytes to less than 30 gigs, and that includes a lot of large image and movie files for work.

Consider atypical backup systems. I've got a lot of documents 'backed up' onto a revision control server called "Subversion". This isn't a conventional method, but it means that I have access to every single version of those files I've ever made, without requiring terabytes of space.

If you do financial stuff with a computer, don't do it on one used to browse the net, or even connect to an internal network, unless you're purchasing something right now. It's overly paranoid, yes, but we're talking less than two hundred bucks for a hell of a lot of peace of mind.


Chris,

I have a combined cable modem/wireless router from Charter. Does this count as a hardware firewall, or is my system totally pooched?


Jeremy, it really depends on the router; and how Charter has configured it.

The most likely vendor for your home gateway (that's what they call integrated modem/router combos) is Motorola; and while they are crap, they are no more or less secure than most other consumer wireless routers IF they are configured properly (the new Netgear gateway that Charter switched to seems to be significantly better).

I have seen instances of service providers configuring their home gateways to simply be open bridges; passing all traffic in both directions.

Obviously, that would be a problem; and if that's the case you can safely assume that any systems on your network have already been compromised.

More likely is that they have at least a basic NAT/hide scheme; which will prevent the majority of nasty scanning and random attack traffic.

Most home routers provide limited firewall capability through the aforementioned NAT hiding (network address translation). This prevents outside systems from connecting directly to inside systems, unless the inside system asks first; or unless you define a specific rule to facilitate it on the router. It's not great security, but it's typically enough to get you by.

Now, is the security provided by your home gateway enough... maybe yes, maybe no; unfortunately unless you can put the gateway into bridge mode yourself, and put a real firewall behind it; you don't have much choice.

Stacking NAT routers causes a lot of issues with VPNs, web based applications, and streaming media; and it makes troubleshooting of a connectivity problem almost impossible.

Now if you own the gateway, and have the admin password, you can probably make it as secure as possible yourself; and that's probably enough.
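
The NAT/hide behaviour described in the reply above, as a toy model (an added example, not part of the original comments): it contrasts a gateway in NAT mode, one with a port-forward rule, and one left as an open bridge. The class name, addresses and ports are constructed, and the strict remote-endpoint match is an assumption about how the gateway filters.

```python
# Toy model of the inbound decision a home gateway makes (illustration only).
# Addresses come from documentation ranges; all names here are hypothetical.

class Gateway:
    def __init__(self, mode="nat", wan_ip="203.0.113.10"):
        self.mode = mode          # "nat" (hide) or "bridge" (pass everything)
        self.wan_ip = wan_ip
        self.sessions = {}        # wan_port -> (lan_ip, lan_port, remote endpoint)
        self.forwards = {}        # wan_port -> (lan_ip, lan_port), admin-defined
        self._next_port = 40000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """Inside host 'asks first': NAT records a translation entry."""
        if self.mode == "bridge":
            return (lan_ip, lan_port)            # no translation at all
        wan_port = self._next_port
        self._next_port += 1
        self.sessions[wan_port] = (lan_ip, lan_port, (remote_ip, remote_port))
        return (self.wan_ip, wan_port)

    def inbound(self, remote_ip, remote_port, dst_ip, dst_port):
        """Return the inside (ip, port) that receives the packet, or None if dropped."""
        if self.mode == "bridge":
            return (dst_ip, dst_port)            # every host is directly reachable
        if dst_ip != self.wan_ip:
            return None
        sess = self.sessions.get(dst_port)
        if sess and sess[2] == (remote_ip, remote_port):
            return sess[:2]                      # reply to a connection we opened
        return self.forwards.get(dst_port)       # explicit rule, else None (drop)


def demo():
    gw = Gateway()
    wan = gw.outbound("192.168.1.20", 51515, "198.51.100.7", 443)
    results = {
        "reply": gw.inbound("198.51.100.7", 443, *wan),
        "stranger_same_port": gw.inbound("192.0.2.99", 4444, *wan),
        "unsolicited": gw.inbound("192.0.2.99", 4444, gw.wan_ip, 3389),
    }
    gw.forwards[8080] = ("192.168.1.30", 80)     # the "specific rule on the router"
    results["forwarded"] = gw.inbound("192.0.2.99", 5555, gw.wan_ip, 8080)
    bridge = Gateway(mode="bridge")
    results["bridge"] = bridge.inbound("192.0.2.99", 4444, "203.0.113.21", 3389)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20} -> {outcome}")
```
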


A timely article - thanks!

We have a machine in the shop right now for a virus, and we have a new server coming at the end of the week.

Now if I can just get off my a$$ and implement this advice.


Stupidest infection I've ever seen happen: person infects a Windows computer when they download a crack for a Mac program.

They didn't think it was odd that it wasn't a Mac program to crack a Mac program. With users like this, Mac trojans should be fairly effective.

Anyway, most trojans/viruses will actually be in fairly small file sizes (200-800K). That's a tip for the P2P users out there.


Chris, before you go out and buy a new Linksys, you might be interested to know Brainslayer has released an X86 version of DD-WRT, mainly aimed at use with embedded computing hardware like Soekris and Routerboard, but also usable with regular PC boards.

Combine that with an older PC and Routerboard's 4-port Gigabit Ethernet cards...


I just recently picked up a wireless router and a couple of USB network adapters to make a home network.

The router works (no crashes today, knock on wood).

'Course, then comes the tragicomedic punchline - the basement PC hears the Network, picks it up at a minimum of 83% on all the times I've fought to convince the damned old box to work, but mia poppa! It does. Not. Want. To. Friggin'. Connect!

I even did the smart thing and only used MSIE for a few moments - long enough to download AVG, Firefox, and Spybot. Then... nothing. (I also replaced the old firewall with PC Tools' edition.)

The D-Link software won't connect. I tried going through the Windows Zero Network whatever. I've tried Network Magic (more like Network Doug Henning's Illusion of working).

Also, what processes should be killed on Windows XP? I've done a good job murdering MSN Messenger until it's a ragged, limp, ineffectual corpse. What else must die, screaming in the electronic void?


Thanks for the impetus to do a better job with my home network. Too many teenagers who "know it all" to be as safe as I would like.
Could you expand on how to adapt a PC into a good firewall? I run a Linksys WRT wireless router now, the Linux firmware seems like a decent solution as well, but I have no idea how to do this.
Lastly, what application do you recommend to do the scheduled drive image backup?
I am however all over the antivirus/spyware discipline using those you endorse as well.
I have a lot to learn, it seems.

