A Windows XP help forum. PCbanter


Malware Bytes and Web Root



 
 
  #1  
Old November 13th 19, 01:32 AM posted to alt.comp.os.windows-10
T
external usenet poster
 
Posts: 4,600
Default Malware Bytes and Web Root

Hi All,

I asked Av-comparatives to add Web Root and Malware
Bytes to their list and their answer was maybe next
year.

I had a guy call me who loved his Web Root who got
infected with Ransomware, so I am suspicious. Chris
Titus seems to like it.

Another customer has both Avast Free and Malware
Bytes running and wants to keep both

I have always used Malware Bytes to remove junkware,
but as an Anti Virus ????

I cannot find a comparison test of these two anywhere.
Anyone have any experience with these two?

Many thanks,
-T
  #2  
Old November 13th 19, 06:48 AM posted to alt.comp.os.windows-10
T
external usenet poster
 
Posts: 4,600
Default Malware Bytes and Web Root

On 11/12/19 8:45 PM, n/a wrote:
> 2. Install a hardware firewall (ie. pfSense as an example) that covers
> all the segments of their network - everything from credit card systems
> to HVAC sensors. Anything that has an Ethernet interface is subject to
> attack these days.


I adore the Watch Guard firewalls. But it is really hard to
get anyone to up for the cost.

When I am doing internal penetration testing on
customer's networks, I have found that it is
impossible to stealth a Windows computer. You
can easily do that with Linux, but not Windows.
Geez ...

  #3  
Old November 13th 19, 09:41 AM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Malware Bytes and Web Root

T wrote:
> On 11/12/19 8:45 PM, n/a wrote:
>> 2. Install a hardware firewall (ie. pfSense as an example) that covers
>> all the segments of their network - everything from credit card
>> systems to HVAC sensors. Anything that has an Ethernet interface is
>> subject to attack these days.
>
> I adore the Watch Guard firewalls. But it is really hard to
> get anyone to up for the cost.
>
> When I am doing internal penetration testing on
> customer's networks, I have found that it is
> impossible to stealth a Windows computer. You
> can easily do that with Linux, but not Windows.
> Geez ...


Why is that ?

Why can't incoming packets to a Windows machine,
be redirected to a non-existent network ? That
would prevent the Windows machine from consuming
the packet locally and making a response.

Paul
  #4  
Old November 13th 19, 06:51 PM posted to alt.comp.os.windows-10
T
external usenet poster
 
Posts: 4,600
Default Malware Bytes and Web Root

On 11/13/19 1:41 AM, Paul wrote:
> T wrote:
>> On 11/12/19 8:45 PM, n/a wrote:
>>> 2. Install a hardware firewall (ie. pfSense as an example) that
>>> covers all the segments of their network - everything from credit
>>> card systems to HVAC sensors. Anything that has an Ethernet interface
>>> is subject to attack these days.
>>
>> I adore the Watch Guard firewalls. But it is really hard to
>> get anyone to up for the cost.
>>
>> When I am doing internal penetration testing on
>> customer's networks, I have found that it is
>> impossible to stealth a Windows computer. You
>> can easily do that with Linux, but not Windows.
>> Geez ...
>
> Why is that ?
>
> Why can't incoming packets to a Windows machine,
> be redirected to a non-existent network ? That
> would prevent the Windows machine from consuming
> the packet locally and making a response.
>
> Paul


Hi Paul,

If I get a "REJECT" back, I know they are the
open port, no response and I got you.

Basically, if you are running Windows, I am going to
find you. And I bet you show up in arp tables too.
Windows likes to blab about itself on a network.
Fills the pipes with a lot of trash. And the responses
to this blabbing give them away. I haven't found
a firewall yet for Windows that will stealth them.

I may have some old scans kicking around somewhere.
Would you like me to see if I can find them for you?

-T



  #5  
Old November 13th 19, 08:28 PM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Malware Bytes and Web Root

T wrote:
> On 11/13/19 1:41 AM, Paul wrote:
>> T wrote:
>>> On 11/12/19 8:45 PM, n/a wrote:
>>>> 2. Install a hardware firewall (ie. pfSense as an example) that
>>>> covers all the segments of their network - everything from credit
>>>> card systems to HVAC sensors. Anything that has an Ethernet
>>>> interface is subject to attack these days.
>>>
>>> I adore the Watch Guard firewalls. But it is really hard to
>>> get anyone to up for the cost.
>>>
>>> When I am doing internal penetration testing on
>>> customer's networks, I have found that it is
>>> impossible to stealth a Windows computer. You
>>> can easily do that with Linux, but not Windows.
>>> Geez ...
>>
>> Why is that ?
>>
>> Why can't incoming packets to a Windows machine,
>> be redirected to a non-existent network ? That
>> would prevent the Windows machine from consuming
>> the packet locally and making a response.
>>
>> Paul
>
> Hi Paul,
>
> If I get a "REJECT" back, I know they are the
> open port, no response and I got you.
>
> Basically, if you are running Windows, I am going to
> find you. And I bet you show up in arp tables too.
> Windows likes to blab about itself on a network.
> Fills the pipes with a lot of trash. And the responses
> to this blabbing give them away. I haven't found
> a firewall yet for Windows that will stealth them.
>
> I may have some old scans kicking around somewhere.
> Would you like me to see if I can find them for you?
>
> -T


if you get a REJECT back ("NAK"), that's probably a "closed port".

An "open port", returns a response, and is a dead giveaway.

The third possibility, is you re-route the packet, so the
machine makes no response at all (as far as the source
of the ping is concerned). It doesn't look like a NAK.
And the machine does not respond and return a result
to the source.

On my home router, I port forwarded incoming IDENTD to "the vacuum
of space", so that the router would not make a response.
The Shields Up scan could then give a stealth rating
(even though at the time, the Shields Up scan wasn't
as good as it could be, and it was triggering the
hammering detection on the router). To do valid testing
on a router, you can't be feeding it a pattern that
trips any defensive mechanisms of that sort, or it will
invalidate your test. The incoming packets need to have
random port numbers (out of the pool you want to test),
and the rate or port numbers, can't trip the defenses.

The log on the router can tell you, whether you've
triggered the defenses, and then your test is rendered
invalid. My router had a particular name for whatever
that defense mechanism is called. If you test port numbers
in order 1,2,3,4,5 and so on, the router can actually
notice that... and just clam up. Now your scan is rendered
worthless, because it does not represent the real exposure
of random port testing. The way the script kiddies will be
doing it.

Paul
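
The router behaviour described in the post above (noticing ports probed in order 1, 2, 3, ... and clamming up) can be sketched as a firewall-log heuristic. This is an added example, not part of the original post and not any router's actual logic; the log format, thresholds and the `detect_scans` name are assumptions, and the log entries are constructed. It goes one step beyond the post by also counting distinct ports per source in a time window, which flags an out-of-order sweep that a pure in-order check would miss.

```python
from collections import defaultdict

# Constructed log entries: (seconds, source IP, destination port). Not real data.
SHUFFLED = [443, 22, 8080, 3389, 25, 445, 110, 53,
            139, 21, 80, 993, 23, 5900, 1433, 135]
SAMPLE_LOG = (
    [(i * 0.2, "192.0.2.10", 1 + i) for i in range(20)]           # in-order sweep 1..20
    + [(i * 0.2, "192.0.2.20", p) for i, p in enumerate(SHUFFLED)]  # out-of-order sweep
    + [(i * 30.0, "192.0.2.30", 443) for i in range(20)]          # one client, one service
)

def detect_scans(log, window=10.0, min_run=5, max_ports=10):
    """Return {source: [reasons]} for sources whose probes look like a port scan.

    window, min_run and max_ports are illustrative thresholds (assumptions).
    """
    by_src = defaultdict(list)
    for ts, src, port in sorted(log):
        by_src[src].append((ts, port))

    findings = {}
    for src, events in by_src.items():
        reasons = set()
        # Heuristic 1: a run of consecutive ascending ports (1, 2, 3, ...).
        run = 1
        for (_, prev), (_, cur) in zip(events, events[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                reasons.add("sequential")
        # Heuristic 2: too many distinct ports inside a sliding time window.
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) > max_ports:
                reasons.add("fan-out")
        if reasons:
            findings[src] = sorted(reasons)
    return findings

if __name__ == "__main__":
    for source, why in detect_scans(SAMPLE_LOG).items():
        print(source, why)
```
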
  #6  
Old November 14th 19, 02:24 AM posted to alt.comp.os.windows-10
n/a
external usenet poster
 
Posts: 75
Default Malware Bytes and Web Root

"T" wrote in message ...

> On 11/13/19 1:41 AM, Paul wrote:
>> T wrote:
>>> On 11/12/19 8:45 PM, n/a wrote:
>>>> 2. Install a hardware firewall (ie. pfSense as an example) that covers
>>>> all the segments of their network - everything from credit card systems
>>>> to HVAC sensors. Anything that has an Ethernet interface is subject to
>>>> attack these days.
>>>
>>> I adore the Watch Guard firewalls. But it is really hard to
>>> get anyone to up for the cost.
>>>
>>> When I am doing internal penetration testing on
>>> customer's networks, I have found that it is
>>> impossible to stealth a Windows computer. You
>>> can easily do that with Linux, but not Windows.
>>> Geez ...
>>
>> Why is that ?
>>
>> Why can't incoming packets to a Windows machine,
>> be redirected to a non-existent network ? That
>> would prevent the Windows machine from consuming
>> the packet locally and making a response.
>>
>> Paul
>
> Hi Paul,
>
> If I get a "REJECT" back, I know they are the
> open port, no response and I got you.
>
> Basically, if you are running Windows, I am going to
> find you. And I bet you show up in arp tables too.
> Windows likes to blab about itself on a network.
> Fills the pipes with a lot of trash. And the responses
> to this blabbing give them away. I haven't found
> a firewall yet for Windows that will stealth them.
>
> I may have some old scans kicking around somewhere.
> Would you like me to see if I can find them for you?
>
> -T



I've never really had any reason to try and make a system totally stealth
within a network - but you can achieve some isolation by turning off Network
Discovery. Does that make it totally stealth - I have no idea because of
all the variables involved in a business network and the other hardware
involved. For instance, a NAS needs to be able to detect the systems on a
network that are part of its backup scheme. Or if you have a smart switch
on the network and query its logs - you'll find it.

When I do need to isolate a system from others on a network (e.g. credit
card systems, security systems, etc.), I use a segmented network which can
be a virtual LAN or hardwired to a switch/firewall to achieve that
isolation.

So why would you try to make a system stealth on a business type network
when it's part of an Ethernet technology network that by design enables
system level communications / control and monitoring of traffic and the
discovery of all connected assets? There certainly are good reasons for
isolating systems but achieving true stealth status on a network of systems
would be very difficult. Just unplug it - done...

If you want stealth, disconnect the system from any network (air gapped
system) or set up a VM on the networked system and air gap the VM.

--
Bob S.

  #7  
Old November 15th 19, 09:17 PM posted to alt.comp.os.windows-10
T
external usenet poster
 
Posts: 4,600
Default Malware Bytes and Web Root

This is about Internal penetration testing as requested
by the customer for PCI (Payment Card Industry) compliance.
No one get their hackles up!


On 11/13/19 12:28 PM, Paul wrote:
> if you get a REJECT back ("NAK"), that's probably a "closed port".


Hi Paul,

A REJECT or a closed port tells me I have found a device/computer. That
is initially what I am after.

> An "open port", returns a response, and is a dead giveaway.


Even worse.

After I find a computer, then I start running all kinds of weird sh*t at
it, looking to find any vulnerabilities that
are unpatched/unprotected.

If you are running a Windows computer, I am going to find you.
Does not mean I can break into you. I haven't broken into
one yet, but then again, I am the one doing the hardening
before doing the penetration testing, so that would be a
total embarrassment. My point-of-sale computers are locked down things
of beauty.

I also find anything unauthorized someone has added, such as
a wireless router under their workbench so they can get
wireless on their cell phone.

I recommend that companies use a segmented network leg
with wireless capability for folks to surf with their
cell phones and stay off their point-of-sale computers
for surfing. Like distracting a dog with a toy. You
can only push the hard ass stuff so far.

And, LISTEN UP TARGET!!! Point-of-sale computers must
ALWAYS be on segmented network legs ALL BY THEMSELVES.
NO COMPROMISES!

-T


 




All times are GMT +1.