

Use your firewall to your advantage

Firewalls are essential nowadays. I think that they are even more useful than anti-virus. That is because of a unique feature a firewall has: it can detect suspicious actions by any process on the system. Comodo Firewall is especially good at that: not only can it detect when a file is trying to access the web, it can also detect registry changes. That is very useful against autorun threats; it’s even more severe than Vista’s and 7’s UAC!

The how-to: there is no secret here. Just install Comodo Internet Security with the default features, except the Comodo Anti-Virus – it’s horrible at the moment. Any file that attempts to access the web or modify the registry, and that is not a normal system process or a known program, will generate an alert. You can then block the process if it is a suspicious one. It takes some knowledge to block the right processes, but you will get used to it in no time. Just be sure not to block system processes like system.exe, or the computer will crash.

Here are some common processes on any Windows system: system.exe, csrss.exe, lsass.exe, svchost.exe, alg.exe, ctfmon.exe, wmiprvse.exe, explorer.exe, usnsvc.exe, sched.exe, spoolsv.exe, services.exe, smss.exe. Note that some viruses disguise themselves as system processes, with small differences in the name. An example is csrss.exe (the system process) and the trojan csrcs.exe. Others are very obvious, like the system32.exe virus.

A very effective way to tell one from another is to check the user that started the process. Open the Task Manager (see previous threads for how to do this) and check the “User name” column in the Processes tab. A true system process has the User Name set to “SYSTEM”. If you have an Issas.exe started by “Administrator” or “your user name”, it’s most likely a threat. Or, a very common one: a csrcs.exe process under “Administrator”.
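The two checks above (near-miss names and the account that started the process) can be run over a process list automatically. The following is an added example, not code from the original post; the function names, the choice of which listed processes should only ever run as SYSTEM, and the sample data are assumptions made for illustration.

```python
# Added example. Process names come from the post's list; which of them are
# expected to run only as SYSTEM is an assumption of this sketch.
KNOWN = {"csrss.exe", "lsass.exe", "svchost.exe", "alg.exe", "ctfmon.exe",
         "wmiprvse.exe", "explorer.exe", "spoolsv.exe", "services.exe",
         "smss.exe"}
SYSTEM_ONLY = {"csrss.exe", "lsass.exe", "services.exe", "smss.exe"}


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(processes, max_distance=1):
    """Return (name, user, reason) for each process worth a closer look."""
    findings = []
    for name, user in processes:
        n = name.lower()
        account = user.split("\\")[-1].upper()  # drop a leading "NT AUTHORITY" part
        if n in KNOWN:
            if n in SYSTEM_ONLY and account != "SYSTEM":
                findings.append((name, user, "system process name under a non-SYSTEM account"))
            continue
        # Not an exact match: flag it if it is one typo away from a known name.
        near = [k for k in sorted(KNOWN) if edit_distance(n, k) <= max_distance]
        if near:
            findings.append((name, user, "lookalike of " + near[0]))
    return findings


# Constructed sample of (image name, user name) pairs as Task Manager shows them.
SAMPLE = [
    ("csrss.exe", "NT AUTHORITY\\SYSTEM"),
    ("csrcs.exe", "Administrator"),
    ("lsass.exe", "Administrator"),
    ("explorer.exe", "alice"),
    ("svchost.exe", "NETWORK SERVICE"),
    ("notepad.exe", "alice"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Processes such as explorer.exe and ctfmon.exe are left out of the SYSTEM-only set because they normally run under the logged-in user, so the account check is applied only to the names assumed to belong to SYSTEM.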

Well, that’s it for now.

Posted in Security.

