Of course, the single most important aspect of securing Windows is to secure
your own computing habits. "Safe hex" can almost(*) make all tools
presented here superfluous. Unfortunately, safe computing practices are very
much a matter of common sense and consideration. To spell some of it out in
detail requires covering so many aspects of your computer setup and of your
habits that I am going to do it at a later time, on another page. Just
do not click on everything without thinking about it, in particular don't
execute programs from sources you don't trust (but think about how many things
could be a program and how many things can amount to executing it), use another
browser than Internet Explorer (how about Mozilla Firefox or Opera) and another
mailer than Outlook (Express) (how about Mozilla Thunderbird, The Bat! or
Becky).
(* There are people who say that safe hex involves ditching MS Windows. Well,
while there is something to it, that is beyond our scope here, so I suggest a
compromise by saying that safe hex "almost" makes all the other stuff
superfluous. But do consider the contention and if you have the time, try to
browse the net for more information, or even for alternatives. I migrated to
Linux quite some time ago and I'm really happy I don't have to worry every time
another Windows worm makes it to the headlines. (Which is not to say that one
needn't be careful on other platforms as well, but you get the idea...))
As for which Windows versions I can recommend, I'd say both Windows 98SE and
Windows 2000. While Windows 98 is somewhat outdated, it is an operating system
that is not designed to be used over a network. In other words, while an attacker
could exploit all sorts of flaws, he can never gain "remote administration"
- with on-board means, that is (which means that he can still try to get some remote
administration software (a backdoor) onto your Win98 box, but he will not be able to do
it with the software delivered with Windows 98 alone).
Windows 2000, on the other hand, is somewhat right in the golden middle between NT
and XP: By design, all the NT lineage (i.e. from NT 3.5 up to 2003) offers many ways
to be accessed via some network. The ambition of every attacker will be to exploit
some feature exposed to the net, in order to gain administrative privileges. Without,
of course, sitting at the keyboard. (That's the critical security threshold for the
Win95 lineage. In fact, even attackers sitting right at the keyboard of the WinNT
machine will have to overcome considerable obstacles in order to elevate their
privileges.)
Now, Windows 2000 (W2k) has plugged many of the gaping holes that were present in
the older NT (3.5, 3.51 and 4.0) versions, but it does not have the spooky,
not-to-be-so-easily-trusted "features" of XP and newer.
That's my personal view and other people will probably tell you differently. Maybe it
is possible to make sure that one need not worry about those hidden aspects of XP, only
I can't be bothered to spend the effort necessary to make sure of it.
I'm currently reworking this section - because of the imminent release of ProcessGuard's version 3.000 - and I have decided to put it onto a separate page. For now, the old version (2.000) has its review still here, and the new one - which is being reviewed based on a private beta build - is discussed here.
Since there is a page with general information about firewalls at this site already, I will focus on a particular product, Look'n'Stop, which I recommend as a personal firewall.
(A separate firewall (and NAT) router is a great thing to have, too, and not much more expensive than some piece of software anymore. I will try to find some more information about it to refer you to... ###FIXME###)
If you ask me, a good antivirus scanner is a must-have as well:
While a firewall and/or an anti-trojan scanner can prevent malicious
programs from sending valuable and confidential information out to somewhere,
or from having your computer "0wned" and remotely controlled,
and while ProcessGuard (see above) can prevent your running Windows system from
being hijacked, they all will help you very little when a virus is coming your
way which simply wants to infect all other possible files it finds, and then "bomb",
i.e. have your computer just crash and possibly delete everything on a certain date.
(There are also File Alteration Monitors, but they should be regarded as an addition
to, not as a replacement for, a virus scanner.) Additionally, good antivirus scanners also
cover other malware to some extent, so, depending on how you assess your threat level
and the sensitivity of your computer, it might spare you a dedicated anti-trojan
scanner.
If you then ask whether there are special things to keep in mind, here are my two cents:
You should have a resident virus scanner that scans every file (maybe only files
of a certain type) as soon as it is accessed (i.e. downloaded, opened, executed etc.).
You should not have two such resident scanners active at the same time, since they tend
to compete for something like "Who scans it first?" (that's what is called a
race condition), a situation where almost inevitably problems occur, the least of which
are "Couldn't scan file xy, because no access was possible" warnings.
On the other hand, it does not hurt to have an additional set of scanners in the drawer
that you can use to scan your system "on-demand", i.e. when you're in doubt
about a possible infection. (Regular scans of your download directory or a quick
right-click context-menu scan of a single file or directory are further options you probably
want to have.) In real life, you also like to get a second opinion from time
to time. As there are a couple of scanners available for free - and a couple more of them
if you are using them only for private purposes - there's nothing that speaks against keeping
some of them available. Only - again - don't scan with two scanners at the same time (and
while you're on-demand scanning, temporarily disable the resident on-access scanner).
Here's a list of good AV scanners (in no particular order):
First, the two most recognized commercial ones:
As noted above, in my humble opinion, whether or not you need a trojan scanner
depends on how sensitive the information on your computer is, how easily you can refrain from
working with it for a couple of days (say, when you need to re-install everything), and how
your "threat level" should be assessed (which means: how likely and how attractive
are you as a target for a hacker?). If you're a bank, SCO or Microsoft (just to name two
arbitrary examples) then you can assume there are a lot of people after you. But if you're a
flatrate surfer and file-sharer with any of the larger ISPs or simply an AOL'er, that does
mean that you're on the default "look-for-easy-targets-here" list of most hackers.
As with antivirus scanners, there are a few - although not as many - anti-trojan scanners
available for free (maybe only for private use, maybe only a "lite" version with
a restricted set of features). Generally, if you want strong anti-trojan protection, you
are going to have to pay for it.
So, until I can work more on it, here's a list (again, in no particular order - or let's
say no simple order, but I won't explain it until later) of very good Anti-Trojan scanners,
the last two of which have a free "lite" version.