Ditch the malware magnet It is no secret that I have little use for endpoint anti-malware protection apps. In my experience they are all, regardless of vendor, virtually worthless. A well written piece of modern endpoint anti-malware will briefly inform you that you have been infected right before it commits seppuku and vanishes, leaving you to deal …
If you're really paranoid you might do it by mistake then you could always change file associations for PDF files to Notepad or something and right-click "open with" when working on your own documents. Also make similar changes to any web browsers and mail clients so that PDFs are either blocked or saved rather than opened.
Hi Nader, i'm not flaming or anything, but when do you find you actually need Acrobat?
I have it on my work machine here but discovered that Office 2007 has a function to create pdf's (the main function i used Acrobat for previously) and actually does a very good job of it (including all links, etc which i normally got out of Acrobat). Its also significantly faster.
The only function in Acrobat i havent found a replacement for is condensing multiple pdfs into a single pdf file (my work scanner is an old thing which cant manage multiple page scans). For this reason Acrobat is still on my work desktop but it never gets used if i can help it.
So I'm just wondering what other tasks you need it for which you cant find replacement programs?
Condensing PDFs?
Scanning the documents into Word (or as .jpg's and then a bit of "insert picture" action if your scanner software's really thick) and then using the aforementioned PDF output springs to mind as an obvious option here.
That's how I do it. The only difference is that I do this in Office 2k3 and I am using PrimoPDF to produce the PDF file.
As several other commenttards beat me to the answer I can only reiterate their advice: change the default app to open PDFs to something less vulnerable. This allows you to continue to use Acrobat itself for their creation.
Alternately, if you just need a basic PDF printer, try PDF995. I love it; one of the best purchases I made for my company. (Free for non-commercial use.)
> learning to manage application vulnerabilities.
Bzzzt!
The biggest vulnerability this guy has is that he's looking in the wrong place. Though I know that a lot of applications aren't especially secure, the main problem is found just in front of the keyboard, not in the little beige box. Secure your users and all the other problems go away.
Next, he does seem to love creating work. In one paragraph he acknowledges that Adobe reader has problems and goes on at length about how to reduce them. Later, he talks about all the alternative products that come sans security holes WELL INSTALL AN ALTERNATIVE, THEN.
I have a sneaking suspicion the author gets paid on a per-crisis basis - or at least likes the recognition that comes with being centre-stage, rather than rewarded for maintaining a cool, calm, secure and bug-free shop. This is quite a common mistake that IT managers make: "We have lots of problems and disasters, but luckily Fred, here is able to fix them. He's an absolute star and I don't know how we'd manage without him" (hint: probably a lot better).
Thats a pretty unfair delving into the supposed underlying competencies and motives.
If users demand "proper" Adobe, and it is agreed they get it (sysadmins are actually not gods) then disable the java (here.. ) and the spawning of new apps (here..) ... perfect.
otherwise use Foxit - but beware that they have fallen into the same hyper-functional trap, not as secure as you might think. (shame no simple details were offered)
Otherwise use a simple stripped-down reader, and here's a couple worth looking at.
Priceless advice if you ask me. In no way does it disclose the author's policy on his own system, not imply he is keeping himself in a job by ensuring things go wrong.
Is there a similar article waiting, that tells us how to nobble Flash?
keep it up Reg.
For the record, we've been using Foxit on all networks i maintain for about two years now. Also, I don't get paid per crisis, nor do I enjoy being center stage. I get paid a salary from work. I don't paid hourly, I don't get overtime. I have deadlines for R&D, Implementation of that R&D and have to maintain the extant network behind all of that.
Once, I might have been guilty of wanting to be "center stage" on things...but a decade or so of working 12+ hours a day has beaten this out of me. I get all the attention I could ever desire simply from taking my time to comment here on El Reg. They even periodically post an article of mine. Personally, I think that’s grand.
I have to agree with one of the other respondents to your post though: sysadmins aren’t gods. I don’t know how things work where you are sir, but around here I don’t’ get to pull all the shots. There are at least a half dozen people with more power and say in than I have, though I am in charge or all the IT infrastructure.
That individuals who have no IT training or background are ultimately those with the power to set the budget, deny purchase requests or alter what packages/applications get rolled out is maybe a sad commentary on the realities of business. Maybe it’s not. A lot of geeks have a very defensive nature and something of a god complex. Some I know could handle it, some couldn’t. You simply don’t give matches to a child in a tinderbox.
In the end, the goal of maintaining a “cool, calm, bug-free shop” is generally a utopian ideal in the real world. Many descisions are made for us; we get paid to adapt to them. Stamping one’s feet and storming off in a huff does nothing but get you unemployed and replaced with a more compliant admin.
In my case, I have learned to pick my battles. My example would be thus: I felt PDF vulnerabilities were such a threat I dug my heels in and now we use Foxit. I did not dig my heels in on browsers because I had alternate means of dealing with that threat. My next two articles actually will be dealing with the rest of the story, so stay tuned…
"A well written piece of modern endpoint anti-malware will briefly inform you that you have been infected right before it commits seppuku and vanishes, leaving you to deal"
No, a well written piece of anti-malware should prevent you from accessing, running or downloading an infected file. Okay it's not the complete solution and won't prevent day-zero vulnerabilities, but most of the infections I see are from old malware, where the users has either disabled or removed the anti-malware, or have clicked past x number of "Do you really want to do this?" messages.
The well written ones squak before they die. The poorly written ones die silently. As far as I can tell, this is the only difference between well written and poorly written anti-malware applications in the real world. (Ideal well-written anti-malware would actually prevent malware and not get casually murdered by it. Sadly, I am pretty sure that there is no such unicorn.)
At the core they are just registry settings so a reg file applied via login script or a group policy could do it. Just remember to disable it for versions 6, 7, 8, 9, 10, ...
From a quick Scroogle:
HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\JSPrefs, you will see a value named bEnableJS. To disable JavaScript in Acrobat 9.0 set this to a value of 0. To Enable it, set it to a value of 1.
If only there was an HKLM\Software\Adobe\AllVersions\DisableEntireProgram.
While I take your points about it not being terribly useful in the case of Adobe exploits, I've seen endpoint anti-virus perform well in many other situations.
For example, that pen drive the user brings in from home. The 'funny' excel file their friend sends to their hotmail account that they try to open on their work machine at lunchtime. The dodgy site they visit that leaves a present in their internet cache.
You can spend as long as you like patching up the holes left by Adobe software, but if you don't have endpoint protection you leave yourself vulnerable to many other vectors of malware attack.
I do have endpoint protection. I generally run the best stuff I can find, and I review it on a yearly basis to ensure that none of the other vendors have pulled ahead. I still maintain that the only thing it's good for is to tell you that you have been infected. Universally, they don't seem to actually PREVENT any of the real nasties.
I'll give you they are good for protecting against some minor, low level stuff like infected excel files, but they don't seem to stop the professionally-crafted worms that power the big botnets, nor anything that creeps in through a browser, infected PDF or flash vulnerability. Basically, extant endpoint security is great for anything that doesn't crawl through your browser...ridiculous when you consider that the browser is how everybody does everything nowadays.
I print out a lot of PDF sheet music (much of it from CPDL), and only Adobe consistently renders it well (I've just tested Foxit, CoolPDF and Sumatra on a motet by Victoria and they were all pretty unreadable).
Furthermore, the latest version of Foxit tries to install a pointless browser toolbar, and by default:
- Sets your default search engine to Ask
- Sets your home page to Ask
- Installs ebay icons on your desktop and in your start menu and quick launch toolbar
That is absolutely unaccetable behaviour from any app, let alone one that sells itself as the low-bloat alternative to a common tool.
Foxit are providing a free app and, if adding toolbars and shortcuts to it keeps it free and them in business, then we can't really complain; if you don't like it, don't use it (or untick the boxes - it's not that tough). On the other hand, if you use www.ninite.com to install your freeware (inc Foxit, AVG, FireFox et al et al) they very kindly strip out all the crap for you, giving you all the bits you want in one handy installer. Genius.
KPDF all the way for me! And if I want to create a PDF, I'll use Ghostscript.
The real question that must be asked is: Knowing the risks involved, why do people -- who would never dream of buying an item of food without the ingredients list and nutritional analysis on the packet -- still buy software without the Source Code? Even if you aren't a programmer yourself, you could always show it to a programmer whom you trust and get them to check it over on your behalf.
I honestly think that the biggest boost to computer security would be a law mandating that software vendors include the full Source Code with everything they supply.
No reader here either, but...
"people -- who would never dream of buying an item of food without the ingredients list and nutritional analysis on the packet "
...I think "would never dream" is a little strong. The only people who inspect the packaging for *everything* they intend to eat are people with allergies who might land themselves in hospital if they get it wrong. Most of us just reason that if we buy from a mainstream vendor then *they* will have calculated that the legal cost of putting poison in the packet is too high for them to bear. That means they've checked, so we don't have to.
Sadly, the legal costs of distributing *vulnerabilities* are relatively light, so the reasoning falls down. Despite this, I think most people use the same logic for software that they use for (puffer) fish.
Sorry about the double post, the Mods took a while to release the first and I got impatient.
You are correct about "read-only documents". Modifications can usually be spotted, but that's not the direction I meant the discussion to go.
What I mean is: Why do companies send out 'informational' documents in a format that can only be read in an editor after a 200MB download, when all I need to be sent is a pdf that I can open with a 15MB reader?
What other formats can be used (except plain text) ;-) to accomplish the same goals? There's no need to add multimedia, that's just stupid and is probably the cause of a lot of the vulns. For 'universal' nicely-typeset docs, what options are there?
"Why do companies send out 'informational' documents in a format that can only be read in an editor after a 200MB download, when all I need to be sent is a pdf that I can open with a 15MB reader?"
Because marketing and management have been sold a bill of goods. Same reasoning behind people buying into Win7 and the latest version of MS Office. I can create documents and spreadsheets faster on DOS 3.3 with Wordstar and VisiCalc. Or rather, in my case, I handle 95% or more of my business docs and numbers using vi and sc on a dumb terminal. My businesses are profitable ... and I don't waste time "trying to make it pretty".
"What other formats can be used (except plain text) ;-) to accomplish the same goals?"
What's wrong with plain text? 7-bit ASCII, even, seeing as English is the de facto lingua franca of the Internet (he says, sneaking in a little Latin and Italian).
"There's no need to add multimedia, that's just stupid and is probably the cause of a lot of the vulns."
Drop the "probably" and I'll agree with you 100%.
"For 'universal' nicely-typeset docs, what options are there?"
Considering that very few people[1] know how to create nicely formatted documents, who cares? Seriously ... As a consultant, I get maybe 700 resumes across my desk in the average week. Very, very few of them are not visually jarring ... and of the few, almost universally they are plain ol' left-justified ASCII text. Consider for a moment the readability of this post, now compare & contrast with J.Random page at myspace.
[1] I was in printing for a few years, and still have a Heidelburg Windmill that I use for our stationary, business cards and the like.
I have been using Smoothwall and Dans Guardian in small businesses for a long while now and touch wood, haven't been hit with a virus/malware issue in a long time.
Those (rare) threats that get round the firewall/content filter are usually picked up by Trend Worry Free (not my personal choice but seems to do a pretty good job with central control and reporting), plus you can sit pretty knowing that the firewall isn't going to let them have free reign on the internet while you get the problem under control with a live CD.
not saying that it lacks such vulns, indeed being a full postscript renderer it probably doesn't lack them at all.
However, I only open tech papers, run as non-admin,disable pretty well all fluffy stuff & haven't had a virus ever, despite being without norton/f-secure/etc. for the past few years. But I'm paranoid and most users are anything but --
*** Hey! Click On RootKittens.exe For The LOLs!!! Furry Fun!!! ***
-- and they will.
Windows security is fairly comprehensive as far as I can tell. I get the impression one *can* secure stuff down to a high level of detail but that involves knowing about acls/dacls/sacls + what objects they apply to. I've not found decent docs anywhere on this (inc 1000+ page thick windows admin books by MS themselves), so request for help: can anyone point me to good source on win security, enough to learn (for example) how to control (typically. revoke) network access from a specific program or account?
I ask this because sadly MS still hasn't quite got the 'user account' thing straight in their heads; if you install 2008 reporting services you'd better be running as admin or bits will fail. Sigh.
Tossers.
@lglethal
Perhaps Nader has to work with (i.e. MODIFY) the PDFs that get sent to him.
I know, I know, there are other alternatives and we use them here, but for some reason, Adobe keeps jacking with their document spec (PDF) in order to make it difficult for other Editors to work. Editors is capitalized, because chief among them, would be the ability to MODIFY EXISTING PDF DOCUMENTS. Ecopy9, and PDF Converter Professional by Nuance are what are used in my neck of the woods.
As far creating new PDFs go, I second Van Buren's mention of PDFCreator. Be careful here, though you want to do a custom install if you don't want another Internet Explorer Toolbar installed. But I'm interested if any of the known PDF Printer apps that exist in the wild will make URLs clickable in the created output, does anybody know?
Now, to the meat of it, reading PDFs.
I've tried Foxit, and was dismayed by their recent sways towards the dark side with toolbars and bloatware.
And, it couldn't handle displaying our online pay statements.
Sumatra PDF, couldn't either, and took a little bit longer to load.
I've downloaded PDFExchange, but haven't tried it yet.
Evince seemed quicker than Sumatra, but still couldn't handle the paystatement web site. That website is controlled by a vendor who can't be convinced to code it any differently. That, in itself, is a real PITA, but not entirely due to the PDF coding.
I've also downloaded the fine GhostView, and heartily recommend to use it, even though it doesn't handle the paystatement web site. Why? Simply put, IT BREAKS DOWN THE SECURITY OF (YOU CAN'T PRINT THIS PDF DOCUMENT.) Whoever at Adobe who came up with that particular security setting should be drug out to the streets, and shot for the dog that he or she is.
So, how did I end up fixing the paystatements thing for myself?
I grabbed a hold of an earlier, less bloatier version of Adobe Reader, Adobe Reader 5.1
It loads quickly, but I was slightly worried about how many vulnerabilities it may have.
I will take the article's suggestions to heart, and change my preferences post-haste. The disconcerting thing, is with every vulnerability Adobe discovers, those w*nkers use it as an excuse to make it even bigger, and bloatier.
OTOH, does anybody know if the Mac Preview app is also prone to as many vulnerabilities?
I guess, what would be nice, would be a simple chart- PDF Reader app vs. vulnerabilities discovered.
About two years ago I installed kubuntu on the all the users pcs where I work- about 11 boxes. Never had a virus or any sort of security problem with them. We deal with a lot of email based comms from the public, and the email addresses we have are published on the web. Specifically, we use okular to view PDFs. I'm not sure what vunrabilities it has, but we have never been the victim of any. I had to install Linux acrobat reader the other day to read someones cv(I think the fonts were missing in okular)! But other then that I have never needed it (and have since removed acrobat).
For creation we use open office built in PDF export, which works fine, other then for some reason, by default, it saves PDFs in presentation mode!
I guess it depends on what you need to do, for the vast majority of users, acrobat is overkill, all they want to do is read a doc, and copy text out of it. Any extra features which are uneeded are a vunrability or bloat, in my opinion.
Actually, most anti-malware suites WILL prevent the nasty consequences of infection. When they tell you you've been infected, they simply mean that a file containing malware has been found on your machine (i.e. it's infected). If they're any good, however, they will have prevented that malware being accessed so that it can execute itself. The consequences of this are:
1) It won't actually steal your password, or whatever.
2) You can clean up by simply removing the files/registry settings/whatever.
If the malware does get to execute itself, however, then things can get a lot worse.
For example, I keep a couple of virus-infected files (that I've caught in the past) on one of my machines just so I can check that my AV scans are actually working OK. That doesn't have any bad consequences, as they never get executed. I can check that the AV suite is blocking access by trying to copy them. It always stops me.
Of course, nothing is 100% effective, and new threats can always slip through. But my experience is that most brands of AV software (for example) will make your life better - if you run Windows anyway.
Getting rid of risky apps is also common sense, obviously.
Any anti-malware that isn't 100% effective against unknown threats is useless. The whole concept of anti-malware is a unicorn dangled in front of people's faces so they feel secure, whilst cheerily trusting in "the technology" to absolve them of the duty of properly securing their systems. IF that technology does not in fact protect the unknowledgeable or lazy from the various and myriad threats that exist, then the promise of the technology may be more risk than reward. (At least if they didn’t have this unicorn to believe in, they would be faced with the reality that they have to actually secure their systems.)
A popup that says "this document has been infected with a 10-year-old virus. Would you like to clean/quarantine/delete" is great...but bloody ClamAV or AVG can do this! Hell, Microsoft Security Essentials will cheerily tell you that it discovered a well-known piece of malware in a file.
What they don’t do is protect you from any of the really popular, highly mutating stuff. They don’t protect you much if your operating system/browser/adobe product/whatever is vulnerable nor is you are dumb enough to open an infected executable. (Mac users are particularly vulnerable to this last one; they are virtually universally and arrogantly mistaken in their belief their operating system is impervious to infection.)
What users need isn’t protection against the malware of yesteryear that has mostly died out. What they need is protection against nasties that crawl through the browser, flash, pdfs and other vulnerable applications. They need protection against new e-mail trojans that are not in the database. This is where the concept of heuristics comes in…something every payware anti-malware application claims to be the bee’s knees at, but is in reality completely worthless at pulling off.
/IF/ you are lucky, (and that’s a big if,) then your super-awesome $150/year heuristic uber-anti-malware program might bleat plaintively as the malware crawls through your browser. This /might/ occur in the few moments before the thing unpacks itself, murders your anti-malware and establishes a connection with the command and control server. It will then download a dozen friends, all of whom will run rampant and unchecked throughout the system, digging themselves in such that it is either impossible to remove the little blighters without nuking the system or simply far more effort than rebuilding from scratch.
Nobody will ever convince me that there is such a thing as “not worthless anti-malware” until I have seen it in the field for a year on the systems of complete numpties without them getting pwned by some Facebook flash ad.
Now that’s not to say there aren’t ways to mitigate the complete abdication of usefulness by the anti-malware industry…but hey, that’s what my articles are about...not my comments…
The fewer infected computers to deal with, the better. This is why I use anti-malware endpoint protection despite my general lack of faith in it. It is good at catching the easy stuff, but I think the important message is that it is only one small part of proper defence.
My personal opinion is that anyone who relies solely on anti-malware to save them from the big bad internet is a fool. The fallibility of anti-malware and most especially its complete inability to promptly and effectively deal with high-profile or rapidly mutating strains means that defence-in-depth is required.
It is for this reason that I believe it important to inform people about vulnerabilities in applications like Adobe Flash, various PDF readers etc. I also find it important to install appropriate browser extensions and perform DNS blacklisting. (More on those in future articles.)
To simply hand the inexperienced or lazy an anti-malware program and tell them they will be fine is in my mind the digital equivalent of telling someone that condoms are infallible. Maybe they work 90% of the time, but that 10% where they don’t can ruin lives.
You won’t get AIDS if your computer’s anti-malware doesn’t work, but you well could get infected with some nasty that steals away sensitive corporate documents, banking passwords or apparently even threatens SCADA systems at power plants and the like. I don’t meant to be tinfoil-hat and paranoid…but I have to maintain that anti-malware alone will not save you.
I was under the impression that neither Firefox nor Safari had ActiveX capabilities. yet I still see quite a few machines coming in with infections that have crawled in through Flash or PDFs. These folks are not using IE, it having been carefully hidden and disabled from being the default anything.
I suspect there are for more things to be worried about than ActiveX….
Adobe is NOT the problem. When you get right down to it they have provided a great deal of control over security via the UI (acknowledged) and registry keys - but most people (sys admins included) usually use default software installs and rarely customize user software settings.
Instead we rely upon boundary firewalls in hardware/software, use IDS/IPSes, install anti-viral/anti-spamware. Our networks look like a scoop of ice-cream covered in a semi-hard chocolate shell, even if there are no openings, the shell is crunchy and thin with a soft and mushy interior. Once inside the "walls" malware frequently runs rampant.
Sometimes we can be our own worst enemies.
Let's stop blaming all the vendors, there has not been a piece of code written to date (Apple included) that does not have deficiencies. Face it, the stuff today is too complex and too large to be flawless, it happens. And the more you tighten things up the harder the system becomes to use. The best you can do is to perform due diligence given the acceptable level of risk for your organization.
Furthermore, I think a carrot/stick approach should employed - shameless plug for all of us. IT is rarely rewarded for "keeping things up," businesses should provide incentives for keeping systems "healthy" and available, write those into a KPI/contract. And proportional penalties should be meted out to those responsible for malware, e.g. if you infect 100,000 PCs, you get charged with a 100,000 counts of trespass, data-theft, etc. and are looking at serious time.
Steve
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
