WinPatrol Changing of the guard

WinPatrol – Scotty

WinPatrol has been very important over the years. I have several (six I think at least) lifetime memberships of WinPatrol software and I install it on all my Windows installs personally and for my friends, family and clients. It has been a staple in my security arsenal for many years now, and BillP has been a great friend to all of us.

BillP, thank you so much for continuing to look for someone who would fit the bill, as it were, and you certainly found a great choice!

I am very excited about the promise that Bret Lowry made to WinPatrol customers:

My commitment to WinPatrol customers is as follows:

One, your lifetime PLUS licenses are just that, lifetime licenses. That was the easiest topic in our negotiation and is written into the contract.

Two, WinPatrol will not have toolbars or other “add-ins” added to it or its installer. Installers that do that drive me crazy because I’m the guy people call to “fix” their computer after the installer completes its hijacking. I am not going to do that to my customers.

Three, I will be responsible for answering support questions, even more incentive to play nicely and stand-by item two above. And

Four, I use WinPatrol myself and therefore am committed to the continued improvement of WinPatrol. I am honored to have earned Bill’s trust and confidence in his allowing me to purchase WinPatrol. Bill has run WinPatrol with integrity since its inception, as a founder of Ruiware (along with my wife), I promise we will carry on that tradition.”

BillP, after reading your blog posting and Corrine’s Security Garden posting, I was totally thrilled to read about Bret Lowry, Ruiware, LLC being your choice.

Totally awesome! I knew you wouldn’t let us down! Thank you Bill for all the years you have given to us! We totally understand your need to step aside and wish your family all the best and your family is ever in my thoughts and prayers.

Corrine, thank you for letting us know of the change right away!

This must be a bittersweet day for BillP; to let go of his baby, to turn it over to someone else, but sweet knowing he turned it over to a great guy who will care for his customers the way he did.

Hi Bret Lowry! I am excited to meet you in Bits from Bill and from Security Garden Blog. Thank you for putting our minds at ease about the commitment you have given us. Hope you will still do the sales periodically like BillP always did and keep the price economical and the free edition which is so important.

On WinPatrol.com:

I’m very happy to announce WinPatrol’s future will be in the hands of Ruiware founder and former lead at Sunbelt Software, Bret Lowry. If you read today’s post and download our new version later today you’ll understand why I’m confident Scotty is in good hands.
Click here to find out why

And this wonderful note from Bret too:

WinPatrol.com - WinPatrol from Ruiware.

WinPatrol.com – WinPatrol from Ruiware. “When I discovered WinPatrol I knew it was a winner and a program I’d install for my entire family. WinPatrol customers matter. You still won’t find obnoxious toolbars when you download WinPatrol. Instead, we help you get rid of them. Thanks, Bret Lowry — Click on image to go to WinPatrol.com

In closing, I would like to echo Corrine’s thoughts from her Security Garden blog entry:

On a personal note, I have long respected Bill Pytlovany and, because of his honesty and high ethical standards, held him in high esteem.  I know I won’t be losing contact with him but still wish to take this opportunity to publicly thank Bill for providing an excellent product.

I could not have said it any better!

WinPatrol PLUS For Everyone Just $2

Tech gift guide: Gift copy of WinPatrol Plus gives lifetime of PC protection – USAToday

There are a couple of reasons you might want to shell out $29.95 for gift copies of WinPatrol Plus and give them to all the PC users on your shopping list.

WinPatrol may be one of the best kept secrets in computer protection. What’s more, it is the creation of an iconic tech personality, Bill Pytlovany, one-man researcher/developer/distributor at BillP Studios.

Pytlovany has a loyal following of tech geeks who swear by the basic version of WinPatrol, which he created in 1997, graciously keeps updated and continues to make available for free — for the greater good.

I found the above article while reading BillP’s blog posting: WinPatrol PLUS For Everyone Just $2:

About once a year I go crazy and try to introduce WinPatrol PLUS to the folks who have never heard of WinPatrol or have never experienced this small powerful app. For over 15 years WinPatrol has been recommended by friends and family but I never invested in any kind of expensive PR campaign.

I heard about WinPatrol many years ago, at least 10-15 years ago … it could have been when it first came out. But I am not really sure. I could have found WinPatrol from Corrine at one of the Anti-Spyware forums I frequented, or FreedomList where she is an admin, or at Scot’s Newsletter Forum where she is also a fellow admin. Or it could have been through Fred Langa‘s LangaList which I subscribed to for many years before Fred merged LangaLIst with WindowsSecrets Newsletter with Brian Livingston who himself retired in 2010, or from an article in WindowsMag (one of my all time favorite magazines. I was very sad that CMP retired Windows Mag on June 25, 1999 but we did have an online version at WinMag.com for a couple more years). WinMag had some great writers and they all knew BillP. WInMag and PCMag were my initial magazines for Windows in the early days. It is where I read great articles from: Scot Finnie, Fred Langa, Mike ElganKaren Kenworthy (1),  and many other great writers (I used to know all their names off the top of my head, now these four I remember the most).  But, I digress…

This is a great time to consider buying WinPatrol PLUS for only $2! Can’t beat it! And BillP’s WinPatrol is a best in class software! Check out the Free version at WinPatrol.com, and upgrade if you like it. Can’t go wrong for $2.

For those who (EEEK!) might still be using Microsoft’s old and long unsupported OSes;  Windows 98 or Win2K, WinPatrol Downloads has something for you as well.

BillP’s  Message to Windows XP users – Very important as the April 2014 retirement of Windows XP approaches.

WinPatrol runs on Windows XP, Vista, Windows 7 and Windows 8 including x64 versions.

USA Today says…

“…best kept secret in computer protection.”

New Metaspoit 0-Day IE7, IE8, IE9, WinXP, Vista, Windows 7

New Metasploit 0-day exploit for IE 7, 8 & 9 on Windows XP, Vista, and 7 – SecurityStreet/Rapid7

We have some Metasploit freshness for you today: A new zero-day exploit for Internet Explorer 7, 8, and 9 on Windows XP, Vista and 7. Computers can get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user. Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available. The exploit had already been used by malicious attackers in the wild before it was published in Metasploit. The associated vulnerability puts about 41% of Internet users in North America and 32% world-wide at risk (source: StatCounter). We have added the zero-day exploit module to Metasploit to give the security community a way to test if their systems are vulnerable and to develop counter-measures.

Here’s the back story: Some of you may remember that a couple of weeks ago, the Metasploit exploit team released a blog regarding a new Java exploit (CVE-2012-4681), with a blog entry titled “Let’s Start the Week with a New Java 0day in Metasploit“. You’d think the 0-day attack from the same malicious group might cool down a little after that incident… well, you’d be wrong. …

BOLD and COLOR emphasis mine.

I am sure that they only tested IE7, IE8 and IE9 initially on this because those are the only IE browsers in use right now for Windows XP, Vista and Windows 7 and based on the w3Counter, the largest number of IE users at this time.

He also said that if he were to test IE10, he was certain it would fail the test as well.

One can only imagine how miserably IE6, as the highest level of IE that works on Win2K, would do. You would think that most people have moved onto newer versions of Windows, but some have not sadly despite the fact that Win2K hasn’t had an update since I think July 2010 and despite articles like this one from Ed Bott January 16, 2010. Don’t think it’s a big issue? Well according to the IE6Countdown website, IE6 still has an impressive 6% of Internet users worldwide as of August 2012.

Sure the USA’s piece of pie for IE6 is only 0.04% but I know a few of those folks and they are diehard users who refuse to leave a dead OS and browser due to economic issues, or sight issues, or both. Now, to their credit, some of these Win2K users do have a NAT hardware router, a software firewall, and they use Firefox and not IE6, but still, Win2K has not had any updates since July 2010! Not a wise move.

Personally,  I have NO addons allowed to work in IE8 in Windows XP by default on the Installations of Windows XP SP3 that I have still running, or IE9 on Windows 7.

I lock down my other browsers with no scripting type extensions like NoScript on Firefox, Chrome, etc. regardless of the operating system I am using (Windows, Mac, Linux), as well as Adblock Plus.

Another great little program for Windows that can help you keep a handle on what is happening on your Windows computer is BillP Studio’s WinPatrol Plus and FREE WinPatrol. I use it on my WinXP SP3 as an added protection since I have a laptop that can only run WinXP (SP3 of course), I use very intermittently for special use tasks such as setting up routers, or downloading music using Amazon Downloader, or sites that use OverDrive Media Console, etc. which won’t run on Linux on my laptop. This is when I am on the road using Library or Starbucks, or other public wifi hotspots due to our bandwidth limitations here at home on Verizon Wireless.

And I have found it to be wise to use a different browser (locked down of course as much as you can tolerate), rather than the ‘ubiquitous’ browser (IE in Windows, Safari on the Mac, or whatever the default browser is in a given GUI in Linux) in any given operating system.

One can not leave this to chance these days, IMHO.

 

EDIT: Added articles – one more about the exploit and the link to information on Microsoft’s workaround:

Update: Hackers exploit new IE zero-day vulnerability – Computerworld

Customers can use the Enhanced Mitigation Experience Toolkit (EMET) 3.0 to harden IE enough to ward off the current attacks, said Wee, of the company’s Trustworthy Computing Group, in an email late on Monday.EMET 3.0 can be downloaded from Microsoft’s websites.

Microsoft issues workaround for IE 0-day exploited in current attacks – net-security.org

Microsoft has reacted fast by issuing a security advisory yesterday, in which it confirms the existence of the flaw in Internet explorer 9 and all previous versions (IE10 is not affected), and offers instructions on steps the users can take to mitigate – but not yet remove – the threat:

  • Deploy the Enhanced Mitigation Experience Toolkit (EMET) and configure it for Internet Explorer
  • Set Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.

These steps could bring additional problems to the users, such as being bombarded by a slew of security warnings, so until Microsoft releases a definitive patch for the hole, maybe it would be easier for IE users to take Rapid7’s advice and switch to another browser for the time being.

Again BOLD emphasis mine.

New, sneakier Flashback malware infects Macs

New, sneakier Flashback malware infects Macs – Computerworld

A new, sneakier variant of the Flashback malware was uncovered yesterday by the French security firm Intego.

Flashback.S, which Intego described Monday, uses the same Java vulnerability as an earlier version that has infected an estimated 820,000 Macs since its appearance and still plagues over 600,000 machines.

But unlike Flashback.K, the variant that first surfaced last month and has caused consternation among Mac users, Flashback.S never asks the victim to enter an administrative password for installation, but instead relies only on the silent exploit of the Java bug to sneak onto the system.

“The differences are very subtle,” Peter James, a spokesman for Intego, said in an interview Tuesday. “There’s no password request [by Flashback.S].”

Much more in the two page article.

Apple will likely need to update their seek and destroy tool very quickly to help users stay free of this new variant.

If you think you are beginning to need an antivirus/antimalware solution, there are quite a few out there. Below are just a few:


Sophos Anti-Virus for Mac Home Edition
– Sophos has a worthy product out there and it is nice that they make their money on corporate/business computers and offer the home version for free.

ClamXav The Free Anti-Virus Solution for Mac OS X It uses the popular open source ClamAV engine as it’s back end and has the ability to detect both Windows and Mac threats.

There are other options as well for the Pay to Play crowd.

ESET Cybersecurity for Mac

And others from Intego Virus Barrier for Mac free and Pro versions available in the Mac App Store. Intego as noted above found this newest FlashBack in the wild). Other Mac antivirus firms Symantec/Norton, and many more.

Many of these come with a heavy CPU usage hit that is very annoying considering the small number of actual threats out there for the Mac. Of course some users may feel that the ones that provide real time protection are the way to go, some may feel it is worth it if their Macs are speedy enough and they have enough RAM.

For those who don’t think they need a Mac antivirus just yet, if you don’t use Java or none of your programs use Java, you could go to the ~/Applications/Utilities/Java Preferences.app and disable Java until you actually need it and then re-enable it as needed. It’s a very easy thing to do really.

Or you could set up AppleScript to monitor areas where malware might inject itself so it will alert you.

Monitor OS X LaunchAgents folders to help prevent malware attacks – CNET

Some additional locations to add can be found at MrAnderson.info here.

Also installing Piriform CCleaner for Mac is a great idea and can be run as needed very quickly every day even.

Certainly less of a system resource hit and one could still have a non-resident antivirus and scan at your convenience and respond if the Applescript tells you something is going on that you didn’t instigate by installing a program, etc.

The Applescript monitoring locations that you can set up is built with Mac OS X which is light on resources and free. The Applescript monitoring does a similar thing as WinPatrol does in Windows – but of course in a very small area comparatively. WinPatrol does so much more but the key similarity is the monitoring for changes to areas that malware can hit a Windows PC.

What we need for people who are not very savvy about these things is a MacPatrol app like WinPatrol.

Call Starkist

How to Defeat Lizamoon in One Easy Step

[tweetmeme source=”franscomputerservices” only_single=false]Lizamoon is a social engineering trick. Don’t fall for it.

PCWorld’s David Murphy, has the best solution for users surfing the Internet with this Lizamoon crap out and about on websites and posted it in an article entitled, “How to Defeat Lizamoon in One Easy Step“:

The simple solution: Don’t install unknown files! The more complex solution: Know what antivirus programs already exist on your system, and know what they look like when they scan for and find files. If something says you have malware on your system, and this something looks nothing like applications you already have on your system, be suspicious!

Much more in the article. Must read.

Yep, we are the biggest defense against many malware infections from websites, including this one. Just say no. 😉

And of course immediately run your temporary Internet files (TIF) cleaner, such as CCleaner, etc. as soon as you close your browser to remove anything that might have copied itself to your temporary Internet files. And run your security software to make sure nothing has gotten a foothold on your system right away.

If something like this happens, do yourself a favor and make a preemptive scan with your antimalware program, such as a great one called Malwarebytes Antimalware. Just because your antivirus didn’t pick up on it, doesn’t mean you don’t have a problem. No single program can pickup on everything.

Another great program option to help prevent this sort of thing would likely be WinPatrol, which can alert you to changes in your HOSTS file, items that are injecting themselves into your system through placing them in the auto run on boot, or other system changes that may be injected that you may not know are happening otherwise.

An ounce of prevention is worth a pound of cure.

Scot’s Newsletter Forums Celebrating their 8th Year!

[tweetmeme source=”franscomputerservices” only_single=false]Hard to believe that it has been 8 years since Scot Finnie — who is now the Editor in Chief of Computerworld — started a little experimental forum, Scot’s Newsletter Forums! Eight years later, it is still going strong.

I remember when the forums first started. Many of us were there from the beginning, or very nearly so. We were subscribers of Scot’s Newsletter when Scot announced to his subscribers.

I had been reading Scot Finnie’s articles since the old, now defunct WinMag days, and was saddened when they no longer published it. I lost track of Scot Finnie and a host of other writers for a time. I was very excited to hear about Scot Finnie and others who used to write for WinMag going on to have their own online/email newsletters and websites and finding them all over the place on the Internet.

The Scot’s Newsletter Forums has turned out to be a great place to gather, and help each other with various computer related issues, problems.

It’s a place where we SNF (Scot’s Newsletter Forums) “Highlanders” share our joys of success, and get help and understanding for our computer woes, and we have gained a level of friendship and community that is quite special, even among forums. I know that the SNF community literally reached out after the devastation of Hurricane Isabel, and physically and monetarily, as well as just emotional encouragement, helped us fix our roof — And I do mean physically. Some of the members who lived ‘near by’ actually traveled to our house with tools, materials and a willing spirit to help us put our roof back together. For those that wanted to help, but couldn’t come, they helped with providing funds to buy materials. It was a great blessing to us! And showed that even an Internet based community can be as real as any other community of neighbors, friends and family.

And all this while we work together with our various operating system situations whether it be Windows (ATW), Mac (ATM), and Linux (BATL) and other areas.

To help us celebrate the 8th year of Scot’s Newsletter Forums, ESET and WinPatrol have teamed up to help make the celebration all the more special by offering licenses to their great products in two different contests!

We really appreciate their generosity!!

Check out Corrine’s Security Garden posting about SNF 8th Anniversary as well; with even more information.

Happy 8th Anniversary Scot’s Newsletter Forums! It has been a wonderful thing to be a part of such a great ‘experiment’. 🙂

Race Conditions aka TOCTOU and now KHOBE

[tweetmeme source=”franscomputerservices” only_single=false]There is a ‘supposedly new’ threat on the horizon for Windows XP users, and more so on multi-core systems called KHOBE (Kernel HOok Bypassing Engine).

Although this is a threat, it is not a new threat — in fact, this type of thing has been a threat to computing since 1998 when it was written about in PDF format: RaceConditions.pdf, and in 1996 in this PDF: racecond.pdf and many times since then in articles online about TOCTOU (noted below in this posting).

It definitely sounds pretty bad when it is reported that this ‘new’ KHOBE can bypass EVERY Windows security product in an article by the respected Adrian Kingsley-Hughes at ZDNet Blogs and as reported and tested by MATOUSEC here. And it certainly isn’t a non-issue…

However, let’s look at this objectively. First this is not the first, last or only situation that has or will arise. Race Conditions as noted above have been created by TOCTOU (Time of check to time of use) situations since the dawn of computing and yes, they are not easy to test for in all situations/hardware prior to release of software/Operating Systems, but these types of conditions have been a potential threat for a very long time in all kinds of software.

A time-of-check-to-time-of-use bug (TOCTTOU − pronounced “TOCK too”) is a software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. It is a kind of race condition.

Before Windows was capable of true multi-tasking/multi-threading, it was possible to create these conditions on UNIX machines as noted in this 2001 article at InformationWorld.

So, why the fuss now? Windows 7 is basically claimed to be immune — by its omission in the ‘affected Windows Operating Systems’ list. Apparently only Windows XP (ONLY about 60% of Windows users –eeek! — per Adrian Kingsley-Hughes article above), or earlier Windows OSes are affected and in this particular case, and then only by security software that use the KHOBE (Kernel HOok Bypassing Engine).

Graham Cluely at his Sophos Blog notes,

Because KHOBE is not really a way that hackers can avoid detection and get their malware installed on your computer. What Matousec describes is a way of “doing something extra” if the bad guys’ malicious code manages to get past your anti-virus software in the first place.

In other words, KHOBE is only an issue if anti-virus products such as Sophos (and many others) miss the malware. And that’s one of the reasons, of course, why we – and to their credit other vendors – offer a layered approach using a variety of protection technologies.

In addition, Paul Ducklin’s Sophos blog notes,

The security panic of the week is the widely-reported story of a “vulnerability” called KHOBE. One news headline goes so far as to announce that this “new attack bypasses virtually all AV protection”.

I disagree.

The sample “attack”, which claims to be an 8.0 earthquake for desktop security software, describes a way in which the tamper protection implemented by some anti-malware products might potentially be bypassed. Assuming you can get your malicious code past the anti-malware product in the first place, of course.

Much more in his blog entry. All of these links are must read if you wish to understand as much as is possible what the real threat is.

So, given all this, is the game over on security software because this is now disclosed to be possible (READ: it was always possible) — at least till they figure out how to prevent Race Conditions in security software?

Hardly. But due to the release of the information, this situation may make life interesting security-wise for Windows XP users (earlier Windows OSes like Win2K, Win98, WinME, WinNT shouldn’t even be on the net at this point for many reasons, the least of which is this situation).

So, if you are a Windows user what can you do in the meantime?

  • Keep your systems up to date
  • Make sure you have a hardware NAT or SPI Firewall/Router on your local network, and a software firewall in place and working properly and updated (if it’s a third party firewall – Windows Firewall is updated with your Windows Updates)
  • Keep your browsers up to date
  • Keep your browser plugins (Adobe products, Apple products, Java, etc.) and extensions (like Firefox’s AdBlock Plus, etc.) up to date
  • Keep all Internet facing programs (Adobe, Microsoft, etc.) up to date
  • Run your CCleaner (or other Temporary Files/Temporary Internet Files cleaner program) frequently (I actually run mine several times a day) – Fully close any browsers before running your ‘cleaner’ and then re-open it as needed after you run the ‘cleaner’
  • Make sure your antivirus software is updating as it should and doing its scheduled scans
  • Update and Run any cleaner software and secondary anti-malware programs (like Malwarebytes Anti-malware) at least once a week or more often and immediately if something seems odd on your computer
  • Don’t open suspicious emails, even from known senders
  • Be careful where you go on the Internet. Even some legitimate sites have been hacked
  • Be careful about links and friends on Facebook (if you haven’t deactivated your account yet), Twitter, LinkedIn, and other Web 2.0/dynamic Social Networking sites.

In short, do what you should always be doing to keep yourself safe. Because this isn’t over. It was always a possibility whether we were aware or not, and it will likely be a possibility for a long time to come.

You might also consider installing a preventative program like BillP’s WinPatrol on your system to make you aware of potential changes to your system. *See EDIT below for a note from BillP about WinPatrol and kernel hooks.

And as I noted earlier, the focus of this issue, at this time, is apparently Windows XP, but any operating system is vulnerable to this type of attack and always has been — and that is not likely going to change any time soon.

EDIT: Added the following comment from BillP who developed WinPatrol:

* Thanks! I’m honored by the mention.
It’s a great topic and mentioning WinPatrol is appropriate since I don’t use any kernel hooking to detect changes. Thumbs Up!

Bill