
Sunday, April 20th 2014, 5:13am


johnyjohn

Moderator

  • "johnyjohn" started this thread

Date of registration:
Mar 28th 2008

Version:
Avira Free Antivirus
Avira Antivirus Premium
Avira Internet Security

Operating System:
Windows 7 SP1 / Windows Vista & 8 on VBox


1

Monday, November 8th 2010, 10:47am

Basic Guidelines to Avira's Users






:::::::::: Table of Contents ::::::::::

  • Warning: Read this before continue
  • Avira Support Forum
  • 20 most important links for Avira users
  • Renaming for products of Avira Products 2012
  • Potential incompatible softwares
  • Second Layer of Protection
  • Softwares recognized as having a high incidence of incompatibilities with Avira
  • Softwares recognized as having a low incidence of incompatibilities with Avira
  • Softwares recognized as compatible with Avira
  • Avira Firewall
  • Processes to be allowed when using a third party-firewall
  • Hidden objects
  • Autorun, Autoplay and Autorun.inf
  • Before Windows Update KB 971029
  • After Windows Update KB 971029
  • What does Avira help to protect you
  • What is the Hosts file?
  • Where can I found the Hosts file?
  • How can a Hosts file protect me?
  • How a Hosts file works?
  • How can Avira help me from unwanted Hosts file changes?
  • What should I do when a malware modifies the Hosts file?
  • How can I manage the Hosts file to protect me?
  • What are the disadvantages when using the Hosts file as a layer of protection?
  • JavaScripts
  • Java
  • What's SEO
  • What's BlackHat SEO
  • Search Results Poisoning
  • Google Image's Search Poisoning
  • How can you prevent such attacks
  • Shortened URLs
  • Recommended Browsing Safety Tips
  • Browse using
  • How does Avira protect me while browsing?
  • How to keep your browser plugins up to date
  • Recommended Email Safety Tips
  • General Browsing Safety Tips
  • Forums for answering computer help, security and technical questions
  • Increasing the Avira's Protection
  • Realtime Protection (Guard) / System Scanner (Scanner)
  • Web Protection (WebGuard)
  • General Settings
  • Firewall Settings (Version 10 only)
  • How to submit a file suspected to be a false positive
  • How to submit multiple files
  • How to submit files larger than 8MB
  • Submitting files from Quarantine folder
  • Submitting files that were not moved to Quarantine folder
  • What happens after that?
  • What to do when the result is a false positive
  • What to do when the result is not what you expected
  • What to do when your submission failed
  • How to submit false positives from websites
  • Credits
Cordialement - Best regards - Grüße :)
Aucun support par message privé - No support per PM - Kein Support über PN
Une assistance téléphonique en français est disponible pour Avira Antivirus Premium et Avira Internet Security : voici le lien
Tutoriels en français : HijackThis - Rescue CD - Malwarebytes’
English Tutorials : HijackThis - Rescue CD - Malwarebytes’

This post has been edited 20 times, last edit by "marfabilis" (Dec 10th 2011, 6:56pm)


johnyjohn

Moderator

  • "johnyjohn" started this thread

Date of registration:
Mar 28th 2008

Version:
Avira Free Antivirus
Avira Antivirus Premium
Avira Internet Security

Operating System:
Windows 7 SP1 / Windows Vista & 8 on VBox


2

Monday, November 8th 2010, 10:47am



This tutorial was developed by marfabilis & Farger to summarize and explain, in simple, non-technical language, the main aspects of safely using Avira products and efficiently creating layers of protection against the main types of malware or vulnerabilities. The authors of this tutorial are not employees of any company which is or will be mentioned in this tutorial. The software belonging to these companies is listed according to the authors' knowledge of its applicability or functionality at the time it is posted. All software is pre-tested, but we cannot say whether any update or future version of what was posted here may damage your system or not. Always search for information before using any program on your machine. Also, the responsibility for the content of the links posted here belongs to the respective sites which the links refer to. Good reading!

  • Keep your profile updated with the following information:
    • The current version of your operating system, as well as the platform (32/64-bit)
    • Your current Avira version
  • Never disable your Avira, except when requested by an Administrator, Moderator or Community member for a legitimate malware removal procedure;
  • If you have Community Member status, please read: Code of Conduct for Community Members
  • Never post malicious links or share links to suspected false positives in your post;
  • Never post your email address in the Avira Support forum. If you have no choice, please mask the address, so it cannot be picked up by automated tools used by spammers to gather email addresses from here or from search engines like Google, Bing etc. For example, post "yourname(at)yourdomain(dot)com" instead of "yourname@yourdomain.com", where (at) = @ and (dot) = .
  • Never send your license key file (HBEDV.KEY) to anyone who calls himself a member of staff or an employee of Avira GmbH;
  • Never send files from your computer to anyone who calls himself an expert. You should only submit the files directly to the Avira Virus Lab;
  • Please read the Forum Rules carefully;
  • Public user accounts automatically generated by some site or program are not allowed. If the use of this type of account is confirmed, you will be banned;
  • Remove your personal data from report files (also called logs) before you post a message. Read this: Remove personal data in report files before you post a message;
  • Whenever you see strange behavior on your computer and something is being or has recently been detected, please create a new thread in the appropriate section of the Avira Support forum;
  • If someone sends you a PM with any kind of promise or any kind of help that has not been publicly requested, please ignore it and report this incident immediately to a Moderator. Otherwise, you'll be at your own risk;
  • You have the right to complain if you are infected because Avira was not effective in preventing it. But keep in mind that no antivirus is 100% effective. Avira is constantly improving its engine to increasingly become the antivirus of your trust.

  1. Are the warnings in the scanner reports dangerous?
  2. Can I exclude files or processes from scanning?
  3. Do I have to deactivate all installed Firewalls, in order to use Avira FireWall?
  4. How can I activate WebGuard in the Avira Toolbar again?
  5. How can I install the new Avira Toolbar later via setup?
  6. How can I remove the Avira Toolbar?
  7. How can I unblock autorun in AntiVir? (Avira 10 version)
  8. Instructions for manual uninstallation
  9. No SSL-connection when using product activation or license renewal of Avira Antivirus Premium 2012 and Avira Internet Security 2012
  10. Release Information for the new Avira products version 2012
  11. Should I deactivate Spybot - Search&Destroy, if I use AntiVir?
  12. Should I deactivate Windows Defender, if I use AntiVir?
  13. Side-effects with the software "Super Antispyware"
  14. Starting AntiVir Scanner from the command line
  15. The Avira icon has disappeared from the tray, next to the clock, in Windows 7
  16. What is the procedure for the manual update (VDF Fusebundle)?
  17. What should I do if the Avira toolbar of the AntiVir Personal edition displays "Avira is not available"? (Avira 10 version)
  18. What to do if AntiVir services are inactive on Windows Vista (same applies to Windows 7)
  19. Why do I get the error message 537 during update?
  20. Why is IPv6 not visible in the configuration of Avira 2012 products on Windows XP?
Please note that this list is not complete; there are other knowledge base articles.
You can make a search for them using the following link: http://www.avira.com/en/support-for-home…edgebase-search.

Also see the images below:


If you're a Premium or Internet Security user, you can also contact Avira Customer Service for Premium Products







When installing Avira 2012 you may see a screen like the image below:



Avira doesn't recommend installing any other antivirus software along with any Avira product, regardless of developer. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which don't encrypt the virus strings within them could cause the other antivirus product to generate "false positives". It can also lead to a clash, as both products fight for access to files which are opened again in their resident / real-time protection. In general terms, the two antivirus programs may conflict and cause:
  • False Positives: When the antivirus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time. It could also cause some instability, crash your computer, slow performance and waste your system resources.
Also read: Would it be wrong to install multiple antivirus programs in parallel?

This is not an arbitrary action of Avira, here are some statements from other companies: CheckPoint, Symantec, Dell, AVG, Avast, Microsoft



It's highly recommended that you create another layer of protection beyond Avira, assuming that you just have Avira Personal or Avira Premium installed. Then, you must have a 'good firewall' and should have a second layer of protection. This second layer could be composed of Malwarebytes' Anti-Malware, SUPERAntiSpyware* or any other on-demand antimalware software and a browser with good extensions for safe browsing. This 'good firewall' is your personal choice. Here is a list of free firewalls that you could use:

Although there have been no reports of incompatibilities between the real-time protection of MBAM (Malwarebytes' Anti-Malware) and Avira, the real-time protection of MBAM is not an official recommendation from Avira. Also, please note that you can use any other firewall which is not mentioned in this list that doesn't have an antivirus bundled.

* Side-effects with the software "Super Antispyware"


  • AVS Firewall (Online Media Technologies)
  • Immunet Protect Free
  • PC Tools Firewall (PC Tools)
  • ThreatFire (PC Tools)
  • Malwarebytes Anti-Malware (Malwarebytes) [on-demand]
  • Sandboxie (Sandboxie)
  • SUPERAntiSpyware (SUPERAntiSpyware) [on-demand]
  • SpywareBlaster (Javacool Software)
  • WinPatrol (BillP Studios)
*The listed software is recognized as compatible due to cases already reported to this forum. This list doesn't mean that only this software is compatible with Avira. It also doesn't mean that conflicts will not happen. If this happens, please report to the forum immediately. It's important to highlight that "on-demand" means when needed or required, i.e. without real-time protection and used to perform an additional scan according to the voluntary choice of the user.

This post has been edited 12 times, last edit by "marfabilis" (Nov 2nd 2011, 10:54am)


Farger

Moderator

Date of registration:
Jul 10th 2009

Version:
Avira Free Antivirus
Avira Ultimate Protection Suite
Avira Internet Security

Operating System:
Windows XP/ Windows 7


3

Friday, January 14th 2011, 7:36pm



Avira Firewall is not a standalone application; it's built into Avira Premium Security Suite. It's a robust firewall that lets the user allow or deny Internet access to applications, allow or deny data traffic, allow or deny incoming and/or outgoing IP, TCP or UDP packets, allow or deny passive listening on ports by an application, allow or deny code injection*, create rules for your network, prevent modification of the HOSTS file, among other possibilities. In summary: it's a complete firewall.

Avira Firewall doesn't have a built-in HIPS, but since Avira 10 a new behavior-based detection technology called Avira AntiVir ProActiv has been introduced in Avira's Guard (now Realtime Protection). AntiVir ProActiv constantly monitors the behavior of the system in real time and looks for unusual events. An integrated rule system is able to decide proactively if a certain event (or a combination of events) indicates that the system is currently under attack from new or unknown malware. If a rule matches, the user is then able to decide what to do with this suspicious file, i.e. to trust it, to block it once, to block it always or to ignore it. More information here. (http://www.avira.com/en/proactiv)

* Code injection is a technique for introducing code into the address space of another process to execute actions, forcing this process to load a dynamic link library (DLL). Code injection is used by malware, amongst other things, to execute code under cover of another program. In this way, access to the Internet in front of the Firewall can be hidden. In default mode, code injection is enabled for all signed applications. - from Avira Help Guide.

Also read: Does Avira Internet Security 2012 detect DLL injections? | Avira Firewall HowTo - Basic information and configuration of the FireWall in Avira Internet Security 2012





Avira Personal 10 / Avira Free Antivirus: alg.exe, apnstub.exe*, avcenter.exe, avconfig.exe, avgnt.exe, avguard.exe, avnotify.exe, avscan.exe, avshadow.exe, avupgsvc.exe, avwebgrd.exe*, ipmgui.exe**, sched.exe, update.exe and updrgui.exe**
Avira Premium / Antivirus Premium & Security Suite / Internet Security: alg.exe, avcenter.exe, avconfig.exe, avgnt.exe, avguard.exe, avmailc.exe, avnotify.exe, avscan.exe, avshadow.exe, avupgsvc.exe, avwebgrd.exe, ipmgui.exe**, sched.exe, update.exe and updrgui.exe**

* When the Avira SearchFree Toolbar + Web Protection is installed
** When using 2012 products

*Avira Premium Security Suite / Avira Internet Security should not have the Firewall module installed, since you should not use two firewalls on the same machine. It's important to highlight that, so also read: Do I have to deactivate all installed Firewalls, in order to use Avira FireWall? (same applies to the Avira 10 versions).
*If you’re installing Avira 10 / 2012 products, the process called fact.exe should be allowed in your firewall.

This post has been edited 6 times, last edit by "marfabilis" (Nov 2nd 2011, 10:55am)


marfabilis

Moderator

Date of registration:
May 14th 2010

Version:
Avira Free Antivirus
Avira Antivirus Suite
Avira Internet Security Suite
Avira Internet Security

Operating System:
System of a Down


4

Friday, January 14th 2011, 8:12pm



A hidden object could be a registry entry, a file or a folder that is simply invisible to the operating system, but this includes rootkits, which are used to hide malware (in this case it would be dangerous). A rootkit allows someone, either legitimate or malicious, to control a computer system without the computer's user knowing about it. This means that the owner of the rootkit is able to execute files and change system settings on your machine, as well as access log files or monitor your activity.

Rootkits are programs with malicious code whose purpose is to hide themselves from security software and from the user, using a variety of advanced programming techniques. Rootkits hide their presence on the system by hiding their keys in the Windows Registry (so the user cannot see them) and hiding their processes in Task Manager. They're also often used as drivers, i.e. system files for hardware operation, to hide from antivirus software. When dealing with these situations, the antivirus will "think" that the rootkit is a legitimate operating system driver or service.

However, keep in mind that not all hidden objects are dangerous, as there are legitimate programs which hide their own files and registry entries. Windows also has many hidden objects, but there is no automatic way to tell which are harmless and which are not. It's worth highlighting here that most hidden objects are harmless, and you should not change or delete anything related to a hidden object found, unless requested to perform some procedure to check them.

Quoted from "Report file from a scan performed by Avira"

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\Flyout\381b4222-f694-41f0-9685-ff5bb260df2e [This is just a sample of a harmless hidden object]
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\Flyout\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c [This is just a sample of a harmless hidden object]
[NOTE] The registry entry is invisible.


Quoted from "Report file from a scan performed by Avira"

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist [This is just a sample of a harmless hidden object]
[NOTE] The registry entry is invisible.
----
Note: The above registry entry is the most common object that appears as hidden in Avira 10 products. This registry entry lists the stand-alone drives that are connected to the computer. The key for removed devices is kept in the backup key (so Windows can remember whether you plugged in your removable drive or not). Avira's Scanner can't access this drive because it physically is not there. Due to the design of Avira AntiVir 10, it's not possible to solve this detection issue right now, but Avira is looking forward to getting a solution in the next versions.

The most important thing you should know here is that through analysis of hidden objects in your log, we can, sometimes, see signs of a rootkit infection, which help us to detect and remove it from your system. If you have any questions about possible hidden objects that appear in your log, you must first click on Search, here in Avira Forum, to look for cases of similar entries that have previously been identified as harmless. If this doesn't solve your problem, open a new thread and post your report file. The support for your case will be appropriately provided.

Often it's enough to restart your computer 2 or 3 times in Normal Mode. After this, the hidden objects should not occur anymore. If the objects still occur and they're always the same after several scans, the files need special attention (note that temporary files, for example, usually change at least 1 letter/number). In most cases the hidden objects are only "temporary processes" due to update checks, indexing and so on.

This post has been edited 10 times, last edit by "marfabilis" (Nov 2nd 2011, 10:56am)
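Added example (not part of marfabilis's post and not an Avira tool): a small Python script that reads the "hidden objects" section of report files in the format quoted above, marks the two entries this thread already identifies as harmless, and, when given several scans (the post suggests rescanning after 2 or 3 reboots), separates objects that persist from those that come and go. The section-start line and the "[NOTE]" line following each object are taken from the quoted report; the two "placeholder_*" registry paths are invented to exercise the other outcomes and are not real keys.

```python
import re
from collections import Counter

# Hidden objects this thread identifies as harmless. Patterns rather than
# literal paths: the BattMeter\Flyout subkey is a per-device GUID and the
# ControlSet number varies between machines.
KNOWN_HARMLESS = [
    re.compile(r"^HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
               r"\\Applets\\SysTray\\BattMeter\\Flyout\\[0-9a-f-]{36}$", re.I),
    re.compile(r"^HKEY_LOCAL_MACHINE\\System\\ControlSet\d{3}\\Services\\NtmsSvc"
               r"\\Config\\Standalone\\drivelist$", re.I),
]

# Two constructed report excerpts in the format the post quotes. The first two
# objects are the harmless entries from the post; "placeholder_*" entries are
# invented to exercise the other verdicts and are not real registry keys.
SCAN_1 = r"""
Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\Flyout\381b4222-f694-41f0-9685-ff5bb260df2e
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\placeholder_unknown_service
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\Software\placeholder_temp_entry_a1b2
[NOTE] The registry entry is invisible.
"""

SCAN_2 = r"""
Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\Flyout\381b4222-f694-41f0-9685-ff5bb260df2e
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NtmsSvc\Config\Standalone\drivelist
[NOTE] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\placeholder_unknown_service
[NOTE] The registry entry is invisible.
"""

NOTE_PREFIX = "[NOTE]"


def parse_hidden_objects(report_text):
    """Return a list of (object_path, note) pairs from the hidden-objects section.

    Assumption: the section starts at "Starting search for hidden objects." and
    each object line is followed by its "[NOTE] ..." line, as in the quoted report.
    """
    objects = []
    in_section = False
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Starting search for hidden objects"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith(NOTE_PREFIX):
            if objects:  # attach the note to the object that precedes it
                path, _ = objects[-1]
                objects[-1] = (path, line[len(NOTE_PREFIX):].strip())
            continue
        objects.append((line, ""))
    return objects


def classify(path):
    """'known-harmless' if the path matches an entry the forum has already vetted."""
    return "known-harmless" if any(p.match(path) for p in KNOWN_HARMLESS) else "review"


def triage(reports):
    """Combine several scans (e.g. after the 2-3 reboots the post recommends).

    Objects present in every scan are persistent; an unvetted object seen only
    in some scans is most likely a temporary process and gets 'transient'.
    """
    seen = Counter()
    for text in reports:
        for path, _ in parse_hidden_objects(text):
            seen[path] += 1
    result = {}
    for path, n in seen.items():
        verdict = classify(path)
        persistent = n == len(reports)
        if verdict == "review" and not persistent:
            verdict = "transient"
        result[path] = {"seen_in": n, "scans": len(reports),
                        "persistent": persistent, "verdict": verdict}
    return result


if __name__ == "__main__":
    for path, info in triage([SCAN_1, SCAN_2]).items():
        print(f"{info['verdict']:14} {info['seen_in']}/{info['scans']}  {path}")
```

Only objects that come back as "review" (persistent and not on the vetted list) are worth a forum search or a new thread with the report file attached; "transient" entries are the update-check and indexing leftovers the post describes.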


marfabilis

Moderator

Date of registration:
May 14th 2010

Version:
Avira Free Antivirus
Avira Antivirus Suite
Avira Internet Security Suite
Avira Internet Security

Operating System:
System of a Down


5

Friday, January 14th 2011, 8:14pm



AutoRun is a Windows feature that causes a certain file to open or a certain program to run automatically as soon as a fixed or removable drive is plugged into your computer. The action taken is determined by a file called autorun.inf. The main purpose of AutoRun is to provide a software response to hardware actions that a user starts on a computer. But here a myth will be knocked down: the autorun.inf was read, parsed and its instructions followed immediately and silently only on Windows versions prior to Windows XP.

AutoPlay is a Windows feature, introduced in Windows XP, that examines newly discovered removable media (MP3 players, memory cards, USB storage devices etc.) and other devices and, based on content such as pictures, music or video files, launches an appropriate application to play or display the content. This feature shows a dialog box (called the AutoPlay dialog box) with a list of options that the user can choose from to handle the contents of the media.

Autorun.inf is just a simple text-based configuration file that can be used by the AutoRun and AutoPlay features of Microsoft Windows operating systems. For the file to be discovered and used by these components, it must be located in the root directory of a drive. It tells Windows which executable to start or which icon to use. In other words, autorun.inf simply tells the operating system how to deal with the programs or executable files and how the operating system will treat the contents of a CD/DVD or any removable disk that is plugged into your computer. Autorun.inf is not malware, but a virus might use autorun.inf for malicious purposes.



The Basic Guidelines will deal only with systems that are still supported by Microsoft.
Also, keep in mind that what will be described here is just the way it worked before the Windows Update KB971029 (this will be discussed later).

When using Windows XP SP3, fixed drives (where the disk cannot be removed from the drive, i.e. hard disks) and removable drives (where the drive has removable media: MP3 players, memory cards, USB flash drives etc.) are handled by a feature called AutoPlay. Removable drives will also use autorun.inf, but in this case any specified AutoRun feature needed to be paired with the mandatory action key to appear as an option within the AutoPlay dialog. Unfortunately, the default action for the CD/DVD drive type is to follow any autorun.inf file instructions without prompts or warnings. So this makes rogue CDs/DVDs possible infection vectors. There were also some other ways to be infected using Windows XP SP3:
  • Some worms, like Conficker, make their new entry in the AutoPlay menu look like the normally safe "Open folder to view files" entry. When plugged into Windows XP SP3, an entry called "Open folder to view files" will be added, and on the second line will be written "using the program provided in the device". This is a trick to fool you, since the real safe option is usually the last menu option, called "Open folder to view files using Windows Explorer".
  • Some users had disabled the Autorun feature in the past, but Windows XP SP3 and Windows Vista SP2 had a small problem. AutoRun-relevant Registry entries were not handled properly, leading to a security vulnerability. Basically, even with the Autorun feature disabled, the autorun.inf was still read. Although it did not run an executable and still called the AutoPlay feature, this left the user open to attack from malware which uses the autorun.inf to modify the double-click and contextual menu behaviours. Double-clicking the drive icon would infect the machine. Right-clicking and selecting the "Explore" or "Open" options from the context menu could be modified to run a malicious executable.
  • Also, under certain conditions, Windows ran a program on a USB flash drive immediately as soon as the drive was inserted, with no visual clue to the user, as happened with U3 flash drives.
What were the safest options to open a removable drive?
  1. Clicking on "Open folder to view files using Windows Explorer" when the AutoPlay dialog box opened.
  2. Opening the drive directly via Windows Explorer
  3. Implementing Nick Brown's solution to effectively disable the Autorun feature (which also worked for Windows XP Home Edition users).
    Also read: Microsoft Windows fails to properly handle the NoDriveTypeAutoRun registry value
----------
Without all these precautions, a user would probably end up infected.

When using Windows Vista SP2, the Autorun feature is no longer automatically and silently executed on any drive type. So all drives are handled by AutoPlay, which, by default, will present an AutoPlay dialog box to the user. Nevertheless, Windows Vista users also had the issue that the Autorun feature was not really disabled. Some entries were added to the AutoPlay dialog box, like "Open folder to view files" followed by "Publisher not specified" or "Published by Microsoft Windows", to disguise the installation option as an open folder action.

When using Windows 7, the support for the Autorun feature has been very much reduced, since it's not possible to use the action command and the open command together for USB flash drives and other non-optical removable media. There is no way to start a program automatically or add a program to the AutoPlay action list if the media type is a USB flash drive or non-optical removable media. For optical media such as CD/DVD the support is still as before. Actually, the only things you can do when using the Autorun feature are to change the drive label or change the icon (these changes will be shown in the AutoPlay dialog box); the rest of the functionality has been disabled. Microsoft has removed this support for security reasons.

There are only two ways to autorun a program on a USB flash drive in Windows 7: using a U3 smart drive or similar, since these USB drives have firmware that presents them as a CD drive when they're plugged into a computer (so these kinds of USB flash drives are not affected by the changes in Windows 7, and Autorun will work as if it were a CD), or creating a program that scans for USB sticks inserted in USB ports. Under normal conditions, a Windows 7 user would not be infected by a malicious autorun.inf. Read more: Engineering Windows 7 - Improvements to AutoPlay | AutoRun changes in Windows 7



Let's see the timeline:

August 25, 2009: Microsoft Knowledge Base Article 971029 describes an update (KB971029) to Autorun that restricts AutoPlay functionality to CD and DVD media. This update is intended to stop AutoPlay functionality from working on USB drives, external hard drives, or network shares. This update was originally available only for supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 from the Microsoft Download Center. Read more: Microsoft issues XP, Vista anti-worm updates

February 8, 2011: The update to Autorun described in Microsoft Knowledge Base Article 971029 is now available via automatic updating. Customers who have already installed the 971029 update manually will not be offered the update and do not need to take additional action. Read more: Microsoft Update Trims USB AutoRun For Security | Deeper insight into the Security Advisory 967940 update

February 22, 2011: Change to the deployment logic for updates described in this advisory. This change in deployment logic is intended to minimize the user interaction required to install the updates on systems configured for automatic updating. With the change, typically no user action will be required to install the updates because automatic updating detects the configuration of the target system, downloads the updates, and installs the updates automatically or on a schedule specified by the user. Customers who have already installed the updates previously will not be offered the updates and do not need to take additional action.
Read more: Microsoft pushes anti-AutoRun update at XP, Vista users

June 14, 2011: Microsoft credited a February security update for lowering AutoRun-abusing malware infection rates on Windows XP and Vista by as much as 82% since the start of the year. Read more: Autorun-abusing malware (Where are they now?) | Windows XP, Vista AutoRun update reduces malware infections by 82%

This means that users of Windows XP SP3 and Windows Vista SP2 who keep their systems up to date are safer now than before.
Keep in mind that USB flash drives can still get infected even without the Autorun feature or a malicious autorun.inf. So always keep your Avira updated and take all possible care with your external hard disks or USB flash drives.



Beginning with the 10th version, Avira introduced a new feature in its products: "Block autostart function". It means that when this option is enabled in Avira AntiVir, the execution of the Windows Autostart function is blocked on all connected drives, including USB sticks, CD and DVD drives and network drives. By default this is enabled, but CD / DVD drives are excluded (presented in another option). As you know, with the Windows Autostart function, files on data media or network drives are read immediately on loading or connection, and files could therefore be started and copied automatically under some conditions. This functionality carries a high security risk, as malware and unwanted programs can be installed with the automatic start. The Autostart function is especially critical for USB sticks, as data on a stick can be changed at any time. Also, only disable the Autostart function for CD and DVD drives if you're sure that you're only using trusted data media.

Some users may have some headaches with this function. If you're one of them, please disable this extra protection in your Avira AntiVir. Then make sure your system is properly updated and stay tuned to the actual behavior of your drives. Keep in mind that this is not a detection; it is only a blocking action by Avira products.

See an image below on how to disable this feature in Avira 2012 products:



Avira Free Antivirus 2012, Avira Antivirus Premium 2012 and Avira Internet Security 2012: Go to Configure Avira (...) > enable "Expert Mode" > [+]General > Security > uncheck "Block autostart function" under Autostart > Click Apply > Click OK

See some images below on how to disable this feature in Avira 10 versions:



Avira Antivir Personal: Go to Configure AntiVir > tick "Expert Mode" > [+] Guard > Action on detection > Uncheck "Block autostart function" > Click Apply > Click OK
Avira Antivir Premium & Avira Premium Security Suite: Go to Configure AntiVir > tick "Expert Mode" > [+] Guard > [+] Scan > Further actions > Uncheck "Block autostart function" > Click Apply > Click OK

Also read: How can I unblock autorun in AntiVir?

This post has been edited 7 times, last edit by "marfabilis" (Nov 2nd 2011, 10:59am)
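Added example (not from the post above and not an Avira tool): a Python analyzer for autorun.inf files that flags the behaviours this post describes: an open= or shellexecute= directive that launches a program on media types where AutoRun is honoured, an action= text that mimics the safe "Open folder to view files" AutoPlay entry (the Conficker trick), and shell\verb\command keys that redefine the double-click, Open or Explore verbs. Both autorun.inf samples are constructed; placeholder_program.exe stands in for any executable. It is meant for checking the root directory of a stick from a machine you trust before opening it through Explorer.

```python
import re

# Constructed autorun.inf samples (not taken from the page). The second one
# combines the tricks the post describes; the program name is a placeholder.
BENIGN_INF = r"""
[autorun]
label=Holiday photos
icon=photos.ico
"""

DECEPTIVE_INF = r"""
[autorun]
; benign-looking keys can sit next to the dangerous ones
label=Holiday photos
icon=photos.ico
open=placeholder_program.exe
action=Open folder to view files
shell\open\command=placeholder_program.exe
shell\explore\command=placeholder_program.exe
"""

SAFE_PROMPT = "open folder to view files"


def parse_autorun_inf(text):
    """Return the keys of the [autorun] section as {lower-case key: value}.

    Assumes the common single [autorun] section; lines starting with ';' are comments.
    """
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun_inf(text):
    """List the reasons an autorun.inf could start or disguise a program."""
    entries = parse_autorun_inf(text)
    findings = []
    # Directives that launch a program on media types where AutoRun is honoured
    # (CD/DVD, or any drive on a system without the KB971029 update).
    for key in ("open", "shellexecute"):
        if key in entries:
            findings.append(f"{key}= launches '{entries[key]}' automatically")
    # The Conficker-style disguise: the AutoPlay entry text looks like the safe option.
    if SAFE_PROMPT in entries.get("action", "").lower():
        findings.append("action= mimics the safe 'Open folder to view files' AutoPlay entry")
    # Redefined context-menu verbs: Open / Explore (and double-click) run the command instead.
    for key, value in entries.items():
        verb = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if verb:
            findings.append(f"context-menu verb '{verb.group(1)}' redirected to '{value}'")
    # shell= picks which verb double-clicking the drive uses.
    if "shell" in entries:
        findings.append(f"shell= makes '{entries['shell']}' the default double-click verb")
    return findings


if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("deceptive", DECEPTIVE_INF)):
        print(name, "->", assess_autorun_inf(inf) or ["nothing suspicious"])
```

A label= or icon= entry on its own produces no finding, which matches the post's point that on Windows 7 those are the only two things autorun.inf can still do for a USB stick; anything the analyzer reports is a reason to open the drive only via "Open folder to view files using Windows Explorer" or directly in Explorer.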


marfabilis

Moderator

Date of registration:
May 14th 2010

Version:
Avira Free Antivirus
Avira Antivirus Suite
Avira Internet Security Suite
Avira Internet Security

Operating System:
System of a Down


6

Wednesday, February 16th 2011, 10:22pm



When using the Internet, most people connect to websites by connecting to a domain name, as www.avira.com. Your web browser and other softwares which have some access to the Internet, though, don't understand this access directly through domain names, but rather using IP addresses, such as 62.146.210.52. Therefore, when you type a domain name in your web browser, it must first convert the domain name to an IP address that it will be used to connect you to that domain name. You don't see it happening, but it happens all the time. The way that these domain names (also called host names) are resolved to their mapped IP address is called Domain Name Resolution (DNS). The DNS server will then query other servers on the Internet that know the correct information for that domain name, and then return to the device the IP address.

Almost every operating system that communicates via TCP/IP has a file called the HOSTS file. The hosts file is a computer file used in an operating system that contains the mappings of IP addresses to host names. Keep in mind that under Windows operating systems this is named HOSTS. So, this file allows you to create mappings between domain names and IP addresses. This file is also loaded into memory (cache) at Startup. Then, Windows checks the HOSTS file before it queries any DNS servers. The local HOSTS file overrides the DNS resolution of a website URL to an IP address. Here is where the danger lies.

Modifications to the HOSTS file can cause access to certain host names to be redirected or denied and this may prevent the computer from connecting to them.

Conditions such as the following may be signs that your HOSTS file has been modified without your consent:
  • You're unable to access some websites that you trust, such as a site that provides security software, like Avira or security forums.
  • Your browser connects to a website that does not appear as it should, given the web address that you've typed.
So, the HOSTS File can become a security risk.



The HOSTS file is located at %WinDir%\system32\drivers\etc\HOSTS

%WinDir% is an environment variable that points to the Windows directory (it's also identical to the %SystemRoot% variable). This means that if you have installed Windows on the C: drive, the default value of %WinDir% will be C:\WINDOWS, so the complete path to the HOSTS file is C:\WINDOWS\system32\drivers\etc\HOSTS. The HOSTS file is also located there, even under 64-bit systems. Also read: Where is the Hosts File on Windows x64?

It may be necessary to display hidden system folders if Windows Explorer is used to navigate to the HOSTS folder. If so, please follow these procedures (according to your Windows system version) to show hidden system folders and files and unhide protected operating system files.



It's important to highlight that the primary intention of the HOSTS file is not to protect you, since this file was originally designed for other purposes. It is also used in some systems to override such naming systems for testing purposes and some special situations. So, keep in mind that the use of HOSTS as a layer of protection is just an extended application of the HOSTS file. It should NOT be rated as a great protection. It can help you, but there are a number of implications and possibilities of being affected by something malicious even when using the HOSTS file (this will be discussed later).

As an end-user, you could use a HOSTS file to block malicious URLs (websites engaged in malware distribution, in the selling or distribution of bogus or fraudulent applications and in exploiting your browser), grass roots marketing URLs, phishing URLs, domains used for advert or tracking purposes, etc. So, to do this, you would have to manually add the entries in the HOSTS file or download lists from trusted and known security websites, adding them into your HOSTS file (this will be discussed later).



Let's see an overview of some entries for the HOSTS file:



* This comment simply means that the resolution of the name "localhost" is done in the IP stack. In other words, Windows system understands that "localhost" is the local system and doesn't need to be looked up in DNS.
** Windows 7 users should add "#" (without quotes) before 127.0.0.1 localhost and ::1 localhost as shown in this image below:



localhost is specified where one would otherwise use the host name of a computer. For example, directing a web browser installed on a system running an HTTP server to http://localhost will display the home page of the local web site, provided the server is configured to service the loopback interface. A loopback is a communication channel with only one endpoint. Any message transmitted through such a channel is immediately received by the same channel.

For IPv4 communications, the virtual loopback interface of a computer system is normally assigned the address 127.0.0.1 with subnet mask 255.0.0.0. Depending on the specific operating system in use (notably in Linux) and the routing mechanisms installed, this populates the routing table of the local system with an entry so that packets destined to any address from the 127.0.0.0/8 block would be routed internally to the network loopback device.

For IPv6 communications, the loopback routing prefix ::1/128 consists of only one address ::1 (0:0:0:0:0:0:0:1 in full notation), the address with a one at its least significant bit and zero otherwise, is explicitly defined as the loopback address, though additional addresses may be assigned as needed to the loopback interface by the host administrator. Read more at Wikipedia, the free encyclopedia.


  1. Under normal conditions, for a single home user, whenever a computer attempts to connect to ::1, 127.0.0.1 or 0.0.0.0, it's really attempting to connect to itself, so nothing will be displayed.
  2. When editing the HOSTS file under Windows Vista / Windows 7, you should follow these instructions.
  3. When using a third-party software (like HostsMan) to manage your HOSTS file, you should run the main executable as Administrator.
  4. It's important to highlight that a large hosts file could cause system slowdowns. This is usually fixed by turning off (clicking on Stop button) and disabling (Startup type as Manual) the DNS Client service in your Services under Administrative Tools from Start Menu. The DNS client caches previous DNS requests in memory to supposedly speed this process up, but it also reads the entire HOSTS file into that cache as well which could cause a slowdown. This service when using a large hosts file, under normal conditions, for a single home user, is unnecessary and could be disabled.

    Procedure:
    • Click on Start > Administrative Tools > Services;
    • Scroll down to "DNS Client", Right-click on it and select "Properties";
    • Click on Stop button and click on drop-down arrow for "Startup type", selecting Manual;
    • Click on Apply, then OK and reboot.

  5. When it is needed to keep the DNS Client service enabled (when you're part of a domain) and you're noticing a slowdown while browsing, you could flush your DNS cache following these instructions: How To Flush The DNS Cache In Windows (Windows XP, Windows Vista / Windows 7).
  6. The HOSTS file only affects DNS requests. When your browser requests http://avira.com, the computer does a DNS lookup on avira.com. When your browser requests https://avira.com/, it also does a DNS lookup on avira.com, and the result will always be the same for either, 'cause they're the same. So, even when using HTTPS the access will be blocked.


Beginning with the 2012 versions, Avira presented a new feature for Avira Free Antivirus and Avira Antivirus Premium (home users). The hosts file (which is used by some malware to prevent antivirus products from updating) will be protected from alteration by unauthorized programs. This feature is now added to all Avira solutions (this feature is already known to the old Avira Premium Security Suite users) and it's activated by default. Keep in mind that Avira Internet Security users have this security option too (before, it was associated with the Avira Firewall settings). Now, all users find this option in General > Security as shown in the left image below:

|

The right image is a warning that is displayed as a slide pop-up above Avira's systray icon when software makes a request to overwrite your HOSTS file.
If you know the program or process that is requesting this access (like a third-party software to manage your HOSTS file), you should disable the security option in Avira before using the software. Go to Avira Configuration (Configure Avira...) > tick "Expert Mode" > General > Security > uncheck "Protect Windows hosts files from changes" under System protection > Click Apply, then OK. You should be able to manage your HOSTS file now. Then, you could check this option again later.

Currently, there is no way to know through Avira which process could be requesting this access to modify your HOSTS file.
Whenever you have any questions, please feel free to contact us.



First of all, whether malware has modified your HOSTS file or some program maliciously modified this file without your consent, you should first remove the infection and then deal with your compromised HOSTS file. Usually, some infections change the permissions of the HOSTS file, so you can't edit or delete it. To fix these permissions please download the following batch file and save it to your desktop: hosts-perm.bat. When the file has finished downloading, double-click on the hosts-perm.bat file (Windows Vista / 7 users should run this file as Administrator, right-clicking on it and choosing "Run as Administrator") that is now on your desktop. If Windows asks if you're sure that you want to run it, please allow it to run. Once it starts, you will see a small black window that opens and then quickly goes away. This is normal and is nothing to be worried about. You should now be able to access your HOSTS file.

You'll need to delete the C:\Windows\System32\Drivers\etc\HOSTS file. Once it's deleted, download the following HOSTS file that corresponds to your version of Windows and save it in the C:\Windows\System32\Drivers\etc folder. If the contents of the HOSTS file open in your browser when you click on a link below, then right-click on the appropriate link and select Save Target As... (Internet Explorer users), Save Link As... (Mozilla Firefox users), Save link as... (Google Chrome users) or Save Linked Content As... (Opera browser) to download the file.

Windows XP HOSTS File (download link)
Windows Vista HOSTS File (download link)
Windows 7 HOSTS File (download link)

You could also reset the Hosts file back to the default automatically by downloading the Microsoft Fix it 50267.
Please note that this may be in English only. However, the automatic fix also works for other language versions of Windows.

This post has been edited 12 times, last edit by "marfabilis" (Nov 2nd 2011, 11:01am)


marfabilis

Moderator

Date of registration:
May 14th 2010


7

Tuesday, May 24th 2011, 12:21am



Well, this is not as hard as it sounds. You could download HostsMan + HostsOptimizer in order to download third-party lists (updating your HOSTS file) that allow an additional layer of protection against access to ad, tracking and malicious websites. You could use the lists from MVPS and HpHosts (which provides partial updates, many times per day, for you to be constantly protected against malicious domains analyzed and rated by HpHosts).

Keep in mind that the best way to improve your HOSTS file is to first disable the Avira Hosts protection, then overwrite your HOSTS with the list from HpHosts (Overwrite your Hosts), then perform a partial update, but this time choosing Merge with current Hosts. Then, you could optimize your HOSTS with HostsOptimizer (which is also included in HostsMan) up to 9 entries per line (keep in mind that if you have to disable some line, it will disable all those 9 entries, so if you need to remove some entry, edit the line just to remove the single entry). Windows 7 users should NOT check the option localhost in Hosts Optimizer. Save the file and check the security option in your Avira product again.

Some screenshots of HostsMan software:



Screenshot of Hosts Optimizer software:





Please note some conditions when using the HOSTS file as a layer of protection to block malicious URLs

  1. The HOSTS file will block just the host names listed in the file.
    Let's see just a sample (Do NOT use this sample):

    127.0.0.1 microsoft.com

    The above entry will block the access to microsoft.com, but will NOT block when you type www.microsoft.com
    Then, you must add another entry to cover the "www", as you can see below:

    127.0.0.1 microsoft.com
    127.0.0.1 www.microsoft.com


    As you can imagine the HOSTS file will NOT block sub-domains from microsoft.com, like technet.microsoft.com or windows7.microsoft.com.
    Then, you must add these two entries to cover each sub domain, as you can see below:

    127.0.0.1 microsoft.com
    127.0.0.1 www.microsoft.com
    127.0.0.1 technet.microsoft.com
    127.0.0.1 windows.microsoft.com


    or optimizing it as you can see below (up to 9 entries per line):

    127.0.0.1 microsoft.com www.microsoft.com technet.microsoft.com windows.microsoft.com

  2. The directories and files at a site are not supported. So, you can NOT add an entry as windows.microsoft.com/en-US or res1.windows.microsoft.com/resbox/en/Windows%207/main/27218b6e-c605-499a-a54c-e15ded4ebe55_8.jpg. Note: Do NOT use "http://", "https://" or "/" when adding a host name;
  3. IP addresses are NOT supported to be mapped, only host names.
  4. You can NOT “block” only Internet TLDs, as *.com, *.net, .org etc.
  5. The access to a malicious URL “blocked” in the HOSTS file, will be allowed when using a proxy in your browser / internet applications.
Anyway, the HOSTS file is a valid protection to help you protect yourself from malicious URLs.

This post has been edited 6 times, last edit by "marfabilis" (Nov 2nd 2011, 11:02am)
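As an added example (not code from the forum posts or from Avira), the following Python script models how Windows consults the HOSTS file as described in posts 6 and 7: comments and several names per line are parsed, a name only matches exactly (no sub-domains, paths, IP addresses or TLD wildcards), and a security vendor's host name mapped to a non-loopback address is the hijacking sign the posts warn about. The sample HOSTS content, the 203.0.113.7 address and the "protected hosts" list are constructed for the demonstration.

```python
"""Parse and audit a Windows-style HOSTS file (added example, not Avira code)."""
import ipaddress
from dataclasses import dataclass

# Addresses that make an entry a "block" rather than a redirect.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: a normal blocklist plus one line a hijacker might add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.  (constructed sample file)
127.0.0.1 localhost
::1       localhost
# Blocklist lines in HostsOptimizer style: several names per line.
127.0.0.1 ads.example.net tracker.example.net www.tracker.example.net
0.0.0.0   malware-host.example.org    # trailing comment is ignored
# Constructed hijack line: vendor host sent to an attacker-controlled IP.
203.0.113.7 www.avira.com login.example.com
"""

# Host names whose override in HOSTS is always suspicious (constructed list).
PROTECTED_HOSTS = {"avira.com", "www.avira.com"}


@dataclass
class HostsEntry:
    address: str
    names: list   # lower-cased host names on the line
    line_no: int


def parse_hosts(text):
    """Return the usable entries; comments, blanks and malformed lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)          # first field must be an IP
        except ValueError:
            continue                               # Windows ignores such lines
        entries.append(HostsEntry(address, [n.lower().rstrip(".") for n in names], line_no))
    return entries


def resolve(entries, hostname):
    """First exact, case-insensitive match wins, as the Windows resolver does.
    'sub.example.com' never matches an entry for 'example.com'."""
    wanted = hostname.lower().rstrip(".")
    for entry in entries:
        if wanted in entry.names:
            return entry.address
    return None                                    # falls through to DNS


def is_blocked(entries, hostname):
    """True when the name is mapped to a loopback/unspecified address."""
    return resolve(entries, hostname) in LOOPBACK


def lint_name(name):
    """Explain why an entry would not work, per the limits listed in post 7."""
    if "://" in name:
        return "scheme not allowed: drop http:// or https://"
    if "/" in name:
        return "paths are not supported, only host names"
    try:
        ipaddress.ip_address(name)
        return "IP addresses cannot be mapped, only host names"
    except ValueError:
        pass
    if name.startswith(("*", ".")):
        return "TLD / wildcard blocking is not supported"
    return None


def audit(entries, protected=PROTECTED_HOSTS):
    """Flag the two hijack signs: a protected vendor host overridden at all,
    and any other name redirected to a non-loopback address."""
    findings = []
    for entry in entries:
        for name in entry.names:
            if name in protected:
                findings.append((entry.line_no, name, entry.address, "security vendor host overridden"))
            elif entry.address not in LOOPBACK:
                findings.append((entry.line_no, name, entry.address, "non-loopback redirect"))
    return findings


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for query in ("tracker.example.net", "sub.tracker.example.net", "www.avira.com"):
        print(f"{query:28} -> {resolve(hosts, query)}")
    for finding in audit(hosts):
        print("SUSPICIOUS line %d: %s -> %s (%s)" % finding)
```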


marfabilis

Moderator

Date of registration:
May 14th 2010


8

Tuesday, May 24th 2011, 12:22am



JavaScript can often be confused with Java due to the similar name. However, these are two different technologies.

JavaScript is a browser-interpreted language that was created to access all elements of HTML and the browser. The processing is done entirely by the client-side browser which makes it very useful tool to handle processing which would have otherwise been checked server-side, thereby reducing overhead. JavaScript is also used to increase user interaction, animate objects, create drop down navigation, grab data from databases, and more. JavaScript effects are much faster to download than some other front-end technologies like Flash and Java applets.

However, JavaScript code is also used to carry out attacks against the user’s browser and its extensions. These attacks usually result in the download of additional malware that takes complete control of the victim’s platform, and are, therefore, called “drive-by downloads”. Another form of malicious use of JavaScript is to redirect users to phishing sites or to infected sites. Unfortunately, the dynamic nature of the JavaScript language and its tight integration with the browser make it difficult to detect and block malicious JavaScript code.

Below are some links related to the malicious use of JavaScript over the years:

JavaScript-opens-doors-to-browser-based-attacks | Attack injects malicious JavaScript into e-commerce sites | Obfuscated javascript malware making a comeback | YouTube-Spam-Emails-Carry-Malicious-JavaScript | End of the Line for the Bredolab Botnet | Storm botnet returns part new years attacks | WikiLeaks Botnet Continues Attack On MasterCard Site | Spammers abuse free hosting sites javascript redirects

Malicious JavaScripts are currently one of the main vectors of infection on the Internet. So you should always browse safely, protecting yourself against the automatic execution of JavaScripts in your browser and running them on demand (it's only a suggestion).

How could you do that? That depends on which browser you use.

Firefox or other Mozilla-based browser users could use a browser extension called NoScript. The NoScript Firefox extension provides extra protection for Firefox, Seamonkey and other Mozilla-based browsers: this is a free and open source add-on that allows JavaScript, Java and Flash and other plug-ins to be executed only by trusted web sites of your choice (e.g. your online bank, your webmail etc..), and provides the most powerful Anti-XSS protection available in a browser. NoScript's unique white list based preemptive script blocking approach prevents exploitation of security vulnerabilities (known and even not known yet) with no loss of functionality. You can enable JavaScript execution for sites you trust with a simple left-click on the NoScript status bar icon or using the context menu in pop-up status bar. The images below will give you an idea about it (click to enlarge and open them in a new tab).



Keep in mind that many sites will host contents from multiple third-party sites, and novice users who prefer to selectively enable scripts may have some kind of difficulty to use NoScript and find out which scripts will be needed to enable a particular site to work properly. The intention of the Basic Guidelines is not to create a guide on how to use NoScript but tell you the basics of this add-on. Read more here and also watch this video created by CNET on Youtube for more details.

Google Chrome users could enable the option "Do not allow any site to run JavaScript" in Options > Under the Hood > Privacy > Content Settings > JavaScript. Then, when you need to enable JavaScripts for some site, just click on the icon that appears in the address bar and select Always allow JavaScript on ... . Press F5 to reload the page with JavaScripts enabled.

The disadvantage is that Google Chrome doesn't have a temporary option to allow these JavaScripts and all those features provided by NoScript extension for Firefox.

Internet Explorer 8 (Windows XP) and Internet Explorer 9 (Windows Vista / Windows 7) users must pay attention to Active Scripting. This is Microsoft’s name for its own implementation of JavaScript, which is widely used on the Internet to provide interactivity on web sites. Active Scripts are programs written in JavaScript, or sometimes Microsoft's VBScript and ActiveX, that enable websites to add specific functionality. Open your Internet Explorer 8 / 9, click the Tools menu > Internet Options > Security tab > Internet zone > Select Medium-High and then click on Custom Level > Scroll down to the Scripting section and change the following settings:
  • Check the box next to Disable for Active Scripting.
Click OK and click on Yes when prompted to confirm these security setting changes.
The disadvantage of this procedure is that you'll need to add the domains whose content you want to be fully displayed to the Trusted Zone.

Instead of choosing Disable, you could check the box next to Prompt, but I believe you will not keep this option, since incessant pop-up prompts to allow or disallow scripts will appear on your screen and it will be unbearable after a few hits. So, you'd better stay away from this option.

Opera users could uncheck "Enable JavaScript" going to Menu > Preferences (or pressing Ctrl + F12) > Advanced tab > Content. Please take note that's a global setting and all sites will be affected by this change.

However, you can create a kind of white list. Just visit a website for which you want to enable JavaScript > Right-click on the screen > Click on Edit Site Preferences... > Scripting tab > Place a check on Enable JavaScript > Reload the site. Through the Site Manager you can also manage other options like cookies, frames, plug-ins and sounds on the page. To access the sites that have custom settings (selected by you), go to Menu > Preferences (or press Ctrl + F12) > Advanced tab > Content > Manage Site Preferences.

Safari users could just uncheck Enable JavaScript in Preferences > Security tab.

Nowadays, many websites use JavaScript and will not display properly if JavaScript (or Microsoft’s Active Scripting) is turned off. So, you could try browsing with JavaScript on demand or Microsoft’s Active Scripting turned off and see how it affects your browsing experience.

Some samples of JavaScripts threats: http://www.avira.com/en/support-virus-lab?sq=JS (this list is not complete, since there are thousands of variations, different names with different spreading routines and side effects).

This post has been edited 5 times, last edit by "marfabilis" (Nov 2nd 2011, 11:03am)


marfabilis

Moderator

Date of registration:
May 14th 2010


9

Monday, July 11th 2011, 11:34pm



Java is an entire programming language developed by Sun Microsystems, while JavaScript is a scripting language that was introduced by Netscape. Sun's Java is a separate download because it is an environment in which a program can be run. Java applets generally do not interact with the Web page itself, but usually run as a "standalone" program embedded in a Web page. Sun's Java is used for developing small applets and online apps (including games), and again, if you don't need to use any, you can uninstall it. Unfortunately, there's no simple way to find out, except to remove it and see which website features stop working.

Below are some links related to the malicious use of Java over the years:

Malicious Java code uses IE to access computers | Flaw in the sun java plug-in is elusive and very dangerous | Sun java flaw exposes windows users to dangerous web attacks | Java code-execution vuln exploited in drive-by attack | Java's the New Home of the Malicious Exploit | Compromised websites use java flaws hit japanese users | Web malware attacks against java on the rise | Beware of strange web sites bearing gifts ...

It's important to understand that a Java-enabled browser is not automatically a JavaScript-enabled browser: the two technologies require entirely separate interpreters (licensed from separate companies) to handle the languages. Anyway, please keep your Java up to date. Older versions have vulnerabilities that malicious applets or malware could use to infect your system. Only keep the latest Java version installed and uninstall ALL the previous versions via Control Panel > Add or Remove Programs (Windows XP) or Control Panel > Programs and Features (Windows Vista / 7). You could also use JavaRA or Revo Uninstaller to uninstall old Java versions and deal with possible leftovers.

Firefox users, as with JavaScript, can use the NoScript extension to manage and run the Java Plug-in on demand. NoScript will prevent the automatic execution of Java while you surf the Internet. However, if you still are not comfortable, you can manually disable the Java plug-in in Firefox. Go to Tools in the Firefox menu > Add-ons > Plug-ins > Select Java Deployment Toolkit (...) and Java (TM) Platform SE (...) and click on the Disable button for each plug-in. Below are some images that will illustrate what we're explaining:

Screenshots (Click on them to enlarge):



Google Chrome users can run all plug-ins on demand, even the Java Plug-in. Press Alt+F > Options > Content Settings > Plug-ins > Select Block all. This option is very similar to the option of disabling JavaScript. When you're browsing to a page with some elements, e.g. a Java applet, you can right-click over the area referring to it (gray area) and click on Run this plug-in. If you reload the page, it will be blocked again. Very easy, huh? Only the object that is inside the gray area is loaded. If the page has two Java applets and you want to allow only one, Google Chrome will allow only the Java applet that you choose. The same is valid for the Flash plug-in or any other plug-in.

If you're absolutely sure that the page has harmless Java applets or harmless content, then you could click on the icon and select Always allow plug-ins on (...). You still have one more option. You could click on "Run all plug-ins this time". This option will load all plug-ins (Java, Flash, Silverlight etc...) on the page, just once. So, if you reload the page, it will be blocked again.

However, if you still are not comfortable, you can manually disable the Java Plug-in in Google Chrome.
Type chrome://plugins in the address bar. Search for Java (NPRuntime Script Plug-in Library for Java(TM) Deploy) and click on Disable.
Below are some images that will illustrate what we're explaining:

Screenshots (Click on them to enlarge):



Frankly, Google Chrome browser is easier and safer for a novice user. It's very easy to configure and be protected from malicious Java applets or JavaScripts at all.

Internet Explorer 8 users under Windows XP need to pay more attention to disable Java. So, we will give you some options:

Option #1: Go to Start > Control Panel > Click on Java icon > Advanced tab > Expand [+] Default Java for browsers > Uncheck Internet Explorer > Apply > OK. Next, open your Internet Explorer > Tools menu > Manage Add-ons > Under Show: select All add-ons > Disable all add-ons under Oracle America, Inc (starting from Java SE 7).
Option #2: Open your Internet Explorer > Tools > Internet Options > Advanced tab > uncheck Use JRE (...) for <applet> (requires restart). Then, just restart for the changes to take effect.
Option #3: Go to Start > All Programs > Accessories > System Tools, and then click Internet Explorer (No Add-ons).

Internet Explorer 9 users under Windows Vista/7 have an almost impossible mission to disable Java, let's explain:
The option "Use JRE (...) for <applet> (requires restart)" doesn't appear in Internet Options (Advanced tab) and the box to uncheck Internet Explorer in the Java Control Panel is greyed out. Even though a user enables the hidden Administrator account, they still will not be able to disable Java in IE9. Fortunately, there is a way to do this:

Note: This method contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, please read: Back up the registry
  • Go to Start > Type regedit.exe in the Search box > Press Enter;
  • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\1.6.0_30; (Java SE 6 Update 30) OR
  • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\10.2.0; (Java SE 7 Update 2)
  • Right-click on "UseJava2IExplorer" > Click "Change" > Change the value from 1 to 0 > Click OK;
  • If you cannot change this value, run the Registry Editor again right-clicking on regedit.exe and choosing "Run As Administrator" ;
  • Close the Registry Editor.
Then, open your Internet Explorer 9 > Tools menu > Manage Add-ons > Under Show: select All add-ons > Disable all add-ons under Oracle America, Inc.
Done. Java is now disabled in your IE 9.

Quoted

Why is Java SE 7 not yet available on java.com?

The new release of Java is first made available to the developers to ensure no major problems are found before we make it available on the java.com website for end users to download the latest version. If you are interested in trying Java SE 7 it can be downloaded from Oracle.com (http://www.java.com/en/download/faq/java7.xml)

In Internet Explorer, ActiveX controls are comparable with Java applets since programmers designed both of these mechanisms to allow web browsers to download and execute them. ActiveX controls are small program building blocks that can serve to create distributed applications working over the Internet through web browsers. Examples include customized applications for gathering data, viewing certain kinds of files, and displaying animation.

So, you can also make these changes (IE 8 / IE 9):
  • Open your Internet Explorer > Tools menu > Internet Options;
  • Click on the Security tab > Click on the Internet icon so it becomes highlighted > Click on the Custom Level button;
  • Change the Download signed ActiveX controls to Prompt;
  • Change the Download unsigned ActiveX controls to Disable;
  • Change the Initialize and script ActiveX controls not marked as safe to Disable;
  • When all these settings have been made, click on OK;
  • If it prompts you as to whether or not you want to save the settings, press Yes;
  • Next, press the Apply button and then OK.
However, Java applets can run on nearly any platform, while ActiveX components officially operate only with Microsoft's Internet Explorer web browser and the Microsoft Windows operating system. Malware and spyware can be installed from malicious websites using ActiveX controls (drive-by downloads). Also read: Why does Internet Explorer block some ActiveX controls?

Opera 11 users must disable the two entries related to the Java plugin in the Plug-ins list. The Java plugin did not run on demand in Opera 11. Unfortunately, we don't know whether this option will work in previous versions or not. The solution that works is: Type opera:plugins in the address bar > Click on Disable for Java Deployment Toolkit (...) and Java (TM) Platform SE (...). It will be enough to disable Java in the Opera browser.

Screenshots (Click on them to enlarge):



Safari users could just uncheck Enable Java in Preferences > Security tab.

Screenshot (Click on the image to enlarge):



Some samples of Java threats: http://www.avira.com/en/support-virus-lab?sq=JAVA (this list is not complete, since there are thousands of variations, different names with different spreading routines and side effects).

This post has been edited 5 times, last edit by "marfabilis" (Jan 3rd 2012, 1:05pm)


marfabilis

Moderator

Date of registration:
May 14th 2010


10

Monday, July 11th 2011, 11:37pm



"SEO is the process of improving the visibility of a website or a web page in search engines via the "natural" or un-paid ("organic" or "algorithmic") search results. As an Internet marketing strategy, SEO considers how search engines work, what people search for, the actual search terms typed into search engines and which search engines are preferred by their targeted audience. Optimizing a website may involve editing its content and HTML and associated coding to both increase its relevance to specific keywords and to remove barriers to the indexing activities of search engines. Promoting a site to increase the number of backlinks, or inbound links, is another SEO tactic. The acronym "SEOs" can refer to "search engine optimizers," a term adopted by an industry of consultants who carry out optimization projects on behalf of clients, and by employees who perform SEO services in-house. Search engine optimizers may offer SEO as a stand-alone service or as a part of a broader marketing campaign" (Wikipedia)



Now that you know what SEO is, we will explain what Blackhat SEO is.

Blackhat SEO is a restricted and unethical set of techniques that should not be used for a website. Basically, these techniques attempt to improve page rankings by using unethical methods disapproved by most search engines. The techniques used could be the following: Article spinning, Cloaking, Doorway Pages, Hidden Text & Links, Keyword Stuffing, Link Doping, Link Farms, Link Flooding (this technique is used to promote a website using social networking, bookmarking sites, forums and blogs by adding the links), Referrer Spam, Scraper Site and Spamdexing



The major issue is that malware creators also use these techniques to value and promote the pages in which they wish to distribute their malware, making the pages more visible to people. So, these malicious websites will appear on the first pages after a search through a search engine like Google, Bing, Yahoo etc... . These malware creators (or cybercriminals) will also infect legitimate sites from trusted companies to generate bogus search results, usually to spread rogue security software masquerading as fake plugin updates, fake system updates, fake antivirus and fake codecs that are actually malware to infect your computer. Besides all that has been mentioned, malware creators (or cybercriminals) will also use Blackhat SEO Exploit Packs to automatically generate fake pages with false content about breaking news, online games, trending topics, popular events, natural disasters, celebrities, pornography, among other issues. All this in order to mislead you, hoping that in an act of despair or distraction you download and allow the installation of malicious programs. This can also be done to take advantage of vulnerabilities from outdated plugins in your browser, or even other vulnerabilities in your browser or other out-of-date programs.

Basically, the attacker has a server which collects the most searched topics on the Internet (e.g. from Google Trends), or simply chooses on its own the keywords that will be used to spread the attack. This server also includes a malicious script that will structure the attack. Then, the attacker will exploit vulnerabilities on legitimate and trustworthy websites to deploy malicious code there and use them as reliable vectors to spread the attack. This malicious code will handle search engine bots (like Googlebot). So, when the site is crawled by a search engine bot (like Googlebot) to be indexed, the malicious code retrieves the latest trends (e.g. from Google Trends) via the attacker's server. After this, links for these trend keywords will be crafted into the page. Then, these links will be crawled by the search engine bot (like Googlebot), starting the whole BlackHat SEO process.

When a crawler (like Googlebot) accesses a compromised site, the script deployed by the attacker immediately makes contact with the attacker's server and asks what to return to the crawler (like Googlebot). The attacker's server will create a webpage in real time with a lot of references to the requested keyword, as well as links to other compromised sites. This custom web page will be provided to the crawler (like Googlebot) and cached locally. It can also automatically generate webpage content based on a search in a search engine (like Google) using the keyword, retrieving the relevant text and also some images from the search to compose the webpage content related to the keyword. In this case the malicious script will also retrieve content from the attacker's website to be included in the compromised website and redirect the user to fake scan websites, fake AV vendors or other infected pages. See some images below: (click on them to expand)



However, the most common approach is to compromise sites using the Blackhat SEO technique called cloaking.
This means that the page has "two faces": one for a search engine (like Google, Yahoo, Bing etc.) and another for you, when clicking on a search result.

When directly accessing a compromised website, without clicking on the link that appeared as a search result in a search engine (Google, Yahoo, Bing etc.), you'll just get the same cached page that the crawler (like Googlebot) got (this could be a page with a bunch of random links to other compromised sites, a blank page, a 404 error page or a page with content automatically generated by a malicious script, which is usually disorganized, poorly written or copied from other sites). Now, when accessing the compromised site by clicking the link that appeared as a search result in a search engine (Google, Yahoo, Bing etc.), the request will have a corresponding referrer set and the script will redirect you to another website that is infected (it could be a site with a malicious iframe, a fake scan website, or a site with an exploit pack that installs rogue security programs on your system through vulnerabilities in browser plugins like Java, Flash, QuickTime, Adobe PDF etc.). See some images below: (click on them to expand)


Special Thanks to Denis Sinegubko of Unmask Parasites. Blog. for allowing me to republish the images from this article.

The images above illustrate what happened after the 8.9 earthquake in Japan, when many poisoned Google search results were found a few hours later. The first image illustrates what Googlebot sees (via Google cache) or what a user could see when directly accessing the webpage. The second image illustrates what you would see when clicking on a poisoned search result (redirecting you to a fake scan webpage of a rogue security software). Keep in mind that the techniques are improved every day and the way in which cybercriminals operate is also improved. Nowadays, cybercriminals are able to create malicious scripts that recognize your system, your browser, your country and your IP address to know whether you have the perfect conditions to be infected by them or not.
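For a site administrator who wants to check whether their own page shows the "two faces" described above, here is an added example (not code from the original post): it requests the same URL as a crawler, as a direct visitor and as a visitor arriving from a search result, then compares the responses for the referrer-triggered redirect tricks the post mentions. The fetch function is pluggable; `simulated_site`, `clean_site`, the URLs and the `fake-scan.example` host are constructed fixtures so the check runs offline.

```python
"""Cloaking check for a site you administer (added example, not the post's own
code). A cloaked page serves one face to crawlers and another to visitors who
arrive via a search-result click; this compares those faces for the markers
the post describes (HTTP redirect, JavaScript redirect, meta refresh, hidden
iframe). Network access is pluggable so the logic runs offline."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


Fetch = Callable[[str, Dict[str, str]], Response]

# Constructed request profiles: crawler, direct visitor, visitor from a Google result.
CRAWLER_HEADERS = {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"}
SEARCH_VISITOR_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36",
    "Referer": "https://www.google.com/search?q=constructed+query",
}
DIRECT_VISITOR_HEADERS = {"User-Agent": SEARCH_VISITOR_HEADERS["User-Agent"]}

# Markers of the "visitor face" of a cloaked page, as described in the post.
MARKERS = {
    "javascript redirect": re.compile(
        r"(?:\b(?:window|document|top|self)\.)?\blocation(?:\.href)?\s*=(?!=)", re.I),
    "meta refresh": re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I),
    "hidden iframe": re.compile(
        r"<iframe[^>]*(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b|"
        r"display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
}


def find_markers(body: str) -> List[str]:
    """Return the names of all suspicious markers present in an HTML body."""
    return [name for name, rx in MARKERS.items() if rx.search(body)]


def header(resp: Response, name: str):
    """Case-insensitive header lookup."""
    return next((v for k, v in resp.headers.items() if k.lower() == name.lower()), None)


def check_cloaking(url: str, fetch: Fetch) -> Dict[str, object]:
    """Fetch the URL three ways and report differences that indicate cloaking."""
    crawler = fetch(url, CRAWLER_HEADERS)
    direct = fetch(url, DIRECT_VISITOR_HEADERS)
    from_search = fetch(url, SEARCH_VISITOR_HEADERS)
    findings: List[str] = []
    # 1. HTTP-level redirect issued only when the request carries a search referrer.
    if 300 <= from_search.status < 400 and not 300 <= crawler.status < 400:
        findings.append(f"redirect only for search visitors -> {header(from_search, 'Location')}")
    # 2. Client-side redirect or hidden iframe served to search visitors but not to the crawler.
    crawler_markers = set(find_markers(crawler.body))
    for marker in find_markers(from_search.body):
        if marker not in crawler_markers:
            findings.append(f"{marker} served only to search visitors")
    # 3. Crawler and direct visitor agree, but the search visitor gets something else.
    if not findings and direct.body == crawler.body and from_search.body != crawler.body:
        findings.append("different body for search visitors")
    return {"url": url, "cloaked": bool(findings), "findings": findings}


def simulated_site(url: str, headers: Dict[str, str]) -> Response:
    """Constructed stand-in for a compromised page: keyword page for the crawler
    and for direct visitors, a JavaScript redirect for visitors from Google."""
    keyword_page = "<html><body><h1>japan earthquake</h1><a href='/other'>more</a></body></html>"
    if "Googlebot" in headers.get("User-Agent", ""):
        return Response(200, {"Content-Type": "text/html"}, keyword_page)
    if "google." in headers.get("Referer", ""):
        body = "<html><body><script>window.location.href='http://fake-scan.example/';</script></body></html>"
        return Response(200, {"Content-Type": "text/html"}, body)
    return Response(200, {"Content-Type": "text/html"}, keyword_page)


def clean_site(url: str, headers: Dict[str, str]) -> Response:
    """Constructed stand-in for an honest page: identical for everyone."""
    return Response(200, {"Content-Type": "text/html"},
                    "<html><body><p>Same page for everyone.</p></body></html>")


if __name__ == "__main__":
    print(check_cloaking("http://compromised.example/page", simulated_site))
    print(check_cloaking("http://honest.example/page", clean_site))
```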


marfabilis

Moderator

Date of registration:
May 14th 2010

Version:
Avira Free Antivirus
Avira Antivirus Suite
Avira Internet Security Suite
Avira Internet Security

Operating System:
System of a Down

  • Send private message

11

Monday, July 11th 2011, 11:37pm



Now that you know what SEO and BlackHat SEO are, and how the basic principle of poisoned search results works, it will be much simpler to understand what "Google Image Search Poisoning" means. It's basically the same thing that has been explained here before. The attacker will compromise legitimate sites (any widely spread software that has known vulnerabilities can be exploited, like old WordPress versions). Once a legitimate site has been exploited, the attacker will deploy their malicious scripts to automatically monitor trending topics and craft web pages containing information that is currently of interest. These web pages contain not only text, but also images that are collected from many sites. The malicious scripts will embed links to images which are really related to the trending topic, so the automatically generated webpage contains real-looking content. Google will now crawl through these compromised sites. The malicious scripts will detect Google's bots (either by their IP address or the UA) and will send them those crafted web pages containing automatically generated content. Google will also parse links to images and, if appropriate, populate the image search database.

Now, when a user searches for something using the Google Image Search function, thumbnails of images are displayed. Depending on the automatically generated content, the number of links to the webpage and other parameters known to Google, the attacker’s page will be shown at a certain position in the results page. The great act happens when a user clicks on the thumbnail. Google will show a special page that shows the thumbnail in the center of the page, links to the original image (no matter where it's located) on the right side and the original webpage (the one that contained the image) in the background. This is where the “problem” resides. Google displays this inside a simple iframe (iframes are HTML elements, i.e. elements of Internet pages that delimit an area of a web page. Some iframes can be used to load and display different web content - usually other URLs - as independent documents in a sub-window of the browser. These iframes are mostly used for banner advertising. In some cases, iframes are used to conceal malware. In these cases the area of the iframe is mostly invisible or almost invisible in the browser).

The user’s browser will automatically send a request to the bad webpage, which runs the attacker’s malicious script. This script will check the request’s referrer to see how you came to this image. If it was through a click on the results page in Google, the script displays a small JavaScript snippet to redirect you to another malicious site (fake online scanners, fake AV vendors, web pages with exploit kits etc.). Nowadays, these scripts are very clever. These malicious scripts will always choose the most vulnerable victims and the best conditions to deliver this attack and infect them. See some images below: (click on them to expand)



The images above show a perfect example of a BlackHat SEO campaign. A user does a search for some words; in this case, I used terms related to the teen singer Justin Bieber. Then, the user chooses a random image that appears on the first pages. Clicking on an image result, the user will see the image centered and the site to which the image belongs, or from which it is hot-linked, will be loaded in the background. It's precisely at this point that the user would be redirected to a malicious web site. To prevent users from falling into temptation, the above samples are not malicious, BUT one day they may be malicious. Why? Because in this case we have an active BlackHat SEO campaign, automatically retrieving content from a search engine (to compose the web pages), which also has adult sites (pornography) as affiliates. One day, malicious code may be pulled in through the search engine that is being used, and these listed web pages will become a vector for malware infections, rogue security software, ransomware etc.



Unfortunately, there's really not much to be done, since Google's behavior of indexing websites and showing images on Google Images, with a background iframe to the related website, works as a security hole, allowing cybercriminals to exploit loopholes in the Google search engine (a similar behavior also happens in Bing Images and Yahoo Images, since both also open the website related to the image in a simple iframe). Google's behavior with hot-linked images, the indexing ranking and the popularity of the service make the problem even more serious.

However, there are some important tips to minimize and reduce the risk of infection:
  • Be careful when searching for images of hot trends (trending topics), celebrities or natural disasters, or images hosted in domains with low or unknown reputation.
  • Keep your system, programs, and especially your browser plugins (Java, Flash, QuickTime, Adobe PDF) updated, since most cybercriminals use exploit kits that exploit vulnerabilities in older and outdated versions of these plug-ins. How to do this will be explained in the next topics of Basic Guidelines.
  • Keep your browser's plug-ins on-demand whenever possible.
  • Never click on links looking for hot or exclusive news. Only access trustworthy media sites (radio, newspapers, magazines etc.)
  • Use Mozilla Firefox + the NoScript addon in order to block iframes while browsing & searching for images on the Internet. See how it works:



  • When using the Google Chrome browser you should run JavaScript and all plugins on demand (this will really help a lot to avoid an infection). When using the Opera browser, you should disable JavaScript, create a whitelist of trusted websites, disable the Java plugin and run the other plugins on demand (this is not the best thing to do, but it's possible and very, very good). When using Internet Explorer, you should disable JavaScript and add sites according to the desired security zone. It would be a good idea to disable Java as well (it's the weakest and most boring alternative of all).
  • Use other security addons (like WOT) to get at least an idea of a website's reputation before accessing it. Anyway, never trust entirely in a positive reputation for subdomains (this will be explained in the next versions); whenever you have a doubt, do a good search before clicking on the search result or image result.
Note: Avira AntiVir WebGuard will also work as an extra layer of protection, since WebGuard is a transparent system proxy for HTTP and FTP. Every page which is downloaded by the computer (browser or any other service) is first compared against a local blacklist and, if it proves to be malicious (hosts malware or phishing), gets blocked. If the page passes this level, it is saved in a temporary folder and scanned by the scanning engine for malicious content. So, you'll have one more layer of protection beyond the measures to prevent such attacks.

If, despite all the security measures you took, you have been redirected to a fake scan website, a strange site, or something that is forcing you to click a button, pay close attention: do not click on anything. Stay calm, breathe and press Ctrl-Alt-Delete (all 3 keys at the same time). The Task Manager window will open. Select the process of the browser that you're using (firefox.exe, iexplore.exe, opera.exe etc.) on the Processes tab and click on the End Process button. Wait until the browser closes (you may need to click on “End Process” more than once), then make a complete system scan with your Avira AntiVir. If needed, contact us using this forum.

Spend at least a bit of time learning more about the threats that are present on the Internet. A good starting point would also be reading this article: Introduction to Website Parasites. Also, stay tuned about new threats for poisoned search and image search results. So, IMHO (marfabilis) the best repository of technical information on how each poisoned result from Google Images or Google Search works to infect you can be found at Unmask Parasites. Blog., developed by Denis Sinegubko. So, whenever you have time, stay tuned there.

Below are some links related to BlackHat SEO, Google Search and Google Images poisoning over the years:

Malware redirects: The aftermath | BREAKING: Massive amounts of malware redirects in searches | Hackers re-poison Google search results | WordPress Security Issues Lead To Mass Hacking. Is Your Blog Next? | Mass hack plants malware on thousands of webpages | Lenovo Support Website Infects Visitors with Trojan | Blackhat SEO uses online games to distribute malware | Domain-Hopping Tactics in Blackhat SEO | Yuri Gagarin Google Images Search Results Poisoned | Blackhat SEO poisoning leads to Blackhole Exploit Kit | Blackhat Google SEO Poisoning of keyword "patti labelle" | Scammers Swap Google Images for Malware | Attackers Using Google Image Search to Distribute Malware | Turning scareware devious distribution tactics into practical protection mechanisms | Hackers Abuse Servage Hosting to Poison Google Image Search | Major Disasters in Poisoned Search Results | Thousands of Hacked Sites Seriously Poison Google Image Search Results | Google Image Poisoning. Mitigation and the New Wave | Google Image Poisoning. What’s New in June?

Also read: How Hackers Have Automated Search Engine Poisoning Attacks to Distribute Malware (PDF file from Sophos).
Also watch: How blackhat SEO and Fake Anti-Virus work (Youtube video from Sophos).


marfabilis

12

Monday, July 11th 2011, 11:38pm



There are hundreds of URL shortening services available on the Internet, like TinyURL, bit.ly, is.gd, goo.gl etc., and all of them have the same common point: converting lengthy URLs into shorter ones. Shortened URLs are not just a way to share links easily; in fact they are extremely useful for sharing links on websites whose messages have a limited length, like Twitter.

However, this incredible ease of sharing links creates a small problem. The problem is that before visiting the link you can’t predict at all what the shortened link is about, because a shortened URL simply looks like this: http://goo.gl/J1hl. These links may contain viruses, trojans, hijackers, malware, or they may even lead you to spam or phishing sites. So it's always better to know, verify or preview such links to see whether they are really safe or are trying to fool you with promises in exchange for delivering malicious content to you and your family.

The question is: How can you avoid malware, viruses and phishing from a shortened URL?

There are many online services that allow you to know the real address behind a shortened link. One of the most widely used services for this is longURL.org. This service used to provide a screenshot of the webpage. Nowadays it only provides the expanded URL, webpage title, meta description and meta keyword information of the webpage. The preview is no longer displayed because it was a third-party service that was shut down on December 15, 2010.

Anyway, depending on how frequently you encounter shortened links, we have two methods:

Method 1: Accessing longURL.org directly from your browser + Search Engine (Google, Bing, etc...)


Insert the shortened URL (type it or copy and paste the URL there). See the information available about the address that you just typed. In this case the expanded URL redirects to avira.com. We will search for more information.


The key here is not to rely on the preview but to know the actual address of the page and to search for references to the address on the web (using Google, Bing, etc.). So, you'll be safer than when clicking directly on shortened URLs. Most previews are not in real time; they have a delay of hours or even up to 24 hours. In the meantime the pages may have changed, deceiving you. Always do a good search about the address, check the site's reputation (#2), ask friends etc.

You'll find the full list of services supported by longURL.org here.

Method 2: Browser Extension + Search Engine (Google, Bing, etc...)

The second method is recommended for those users who are addicted to social networking sites like Facebook or Twitter, users who have a lot of contact with shortened URLs. Considering this situation and level of risk, you could install an extension in your browser. Usually the extensions will offer two options (the settings will depend on the extension that you choose):
  • The links will be visible when hovering URLs

  • The shortened URLs will be replaced with the unshortened URLs within the text of link tags


As you can see, before we have shortened URLs and after installing the extension we have expanded URLs, which are displayed directly on the page.
We will only give examples of extensions for Google Chrome, Mozilla Firefox and Opera in this tutorial.

Firefox: Long URL Please (Supporting +80 services)
Google Chrome: ChromeMuse (Supporting +300 services and the URL expansion is provided by LongURL.org)
Opera: Unshorten (Supporting +120 services)

Alternative Services: Untiny.com (Supporting +200 services) | longSHORE (Supporting +500 services)

Note: It's important to highlight here that we're not responsible for any damage or modifications caused by installing such extensions, and we cannot guarantee that the extensions will work in the version you use. That responsibility belongs to the developers.

Below are some links related to the malicious use of shortened URLs over the years:

Spammers exploiting trust in shortened URLs | Bit.ly is filtering “free iPhone”Twitter spam URLs | Shortened URLs direct users to infected sites | Twitter worm leads users to fake and malicious site
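Both methods above come down to learning the real destination of a short link without loading it. Here is an added example (not the post's own tool and not longURL.org's API) that walks a short URL's redirect chain with HEAD requests that never follow redirects automatically, stopping on loops or after a hop limit, so the final address can be checked before anyone visits it. The `FAKE_WEB` table, the `bit.ly/3xampl`, `bit.ly/landing` and `is.gd/loop*` paths are constructed fixtures so the example runs offline; `live_fetch` is the real-network variant.

```python
"""Shortened-URL expander (added example, not the post's own tool). Each hop is
a HEAD request whose redirect is read from the Location header but never
followed automatically, so the final page is identified without being loaded.
The fetch function is pluggable; FAKE_WEB stands in for the network."""
import http.client
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

FetchFn = Callable[[str], Tuple[int, Optional[str]]]

# Constructed fixture: (status, Location) for each URL of a fake redirect chain.
FAKE_WEB: Dict[str, Tuple[int, Optional[str]]] = {
    "http://goo.gl/J1hl": (301, "http://bit.ly/3xampl"),     # hypothetical second shortener hop
    "http://bit.ly/3xampl": (302, "/landing"),              # relative Location header
    "http://bit.ly/landing": (301, "https://www.avira.com/"),
    "https://www.avira.com/": (200, None),
    "http://is.gd/loopA": (301, "http://is.gd/loopB"),      # constructed redirect loop
    "http://is.gd/loopB": (302, "http://is.gd/loopA"),
}


def fake_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Offline stand-in for a HEAD request against FAKE_WEB."""
    return FAKE_WEB.get(url, (404, None))


def live_fetch(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """Real HEAD request with http.client, which never follows redirects itself."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("HEAD", path, headers={"User-Agent": "url-expander-example/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


@dataclass
class Expansion:
    final_url: str
    chain: List[str]
    stopped: str  # "ok", "loop", "too_many_hops", "missing_location", "http_error", "error"


def expand_short_url(url: str, fetch: FetchFn = fake_fetch, max_hops: int = 10) -> Expansion:
    """Follow redirects one hop at a time and record every address visited."""
    chain, seen, current = [url], {url}, url
    for _ in range(max_hops):
        try:
            status, location = fetch(current)
        except Exception:  # DNS failure, timeout, refused connection
            return Expansion(current, chain, "error")
        if 200 <= status < 300:
            return Expansion(current, chain, "ok")
        if not 300 <= status < 400:
            return Expansion(current, chain, "http_error")
        if not location:
            return Expansion(current, chain, "missing_location")
        nxt = urljoin(current, location)  # resolves relative Location headers
        chain.append(nxt)
        if nxt in seen:
            return Expansion(nxt, chain, "loop")
        seen.add(nxt)
        current = nxt
    return Expansion(current, chain, "too_many_hops")


def hostnames(expansion: Expansion) -> List[str]:
    """Hosts touched along the chain, for a quick reputation check of each."""
    return [urlsplit(u).hostname or "" for u in expansion.chain]


if __name__ == "__main__":
    result = expand_short_url("http://goo.gl/J1hl")
    print(result.stopped, "->", " => ".join(result.chain))
```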


marfabilis

13

Monday, July 11th 2011, 11:39pm

  • Don't believe online scanners that appear on your screen showing that you are infected or vulnerable after you access a website. Such scanners are fake and when you click on them, you will be infected with some rogue security software.
  • Beware of fake computer optimization and analysis programs (e.g.: HDD Low, HDD Fix, HDD Plus, Memory Fixer, System Defragmenter, Windows Monitoring Utility, Windows Examination Utility and others). They're rogue and malicious software. Also read: Rogues now imitate utilities rather than anti-malcode apps | Rogues in 2010: number of variants stable, new “utility” look appears;
  • Don't click on links in spam messages offering antispyware, antivirus or any other software;
  • Don’t click on banner advertisements where possible;
  • Don’t visit untrusted and inappropriate websites (pornography or illegal content etc.).
  • Try to avoid sites with inappropriate content, since such sites could attempt to hijack your browser or install malware;
  • Don't download or install software or plug-in updates from untrusted sources;
  • Switch your browser from automatic processing to prompting with warnings where possible;
  • If you visit a website and your browser informs you that it’s dangerous, you should heed the warning and close the page;
  • When browsing for topical subjects, be aware that malware authors are getting good at ranking infested sites for popular search terms. Keep in mind that malware creators will use search engines to look for news about trending topics. They'll fill their malicious sites with buzzwords and keywords to lead and lure visitors to their sites, where they can infect them with drive-by malware (usually fake antivirus, fake antispyware, rogue utilities etc.). Also read: How to reduce the risk of online fraud | Top 10 Myths of Safe Web Browsing;
  • Only download freeware, shareware, trials or demos from sites that you know or trust;
  • Completely clean your browser cache regularly of all temporary files, history, cookies, passwords, etc.;
  • Whenever possible, run the Java Plug-in on demand and protect yourself from JavaScript (creating a whitelist or using add-ons);
  • Always use security add-ons (extensions to improve your protection) for your browser, which you can find on your browser’s official site and in this tutorial.
Note: You should read about the features of each extension before installing it. Knowledge about the features is synonymous with more online protection.





Avira Antivirus Premium 2012 / Avira Internet Security 2012 have a Web Protection module (the same applies to Avira AntiVir Premium 10 / Avira Premium Security Suite 10, which have a WebGuard module). Web Protection has a real-time drive-by protection that allows you to configure settings to block I-Frames, also known as inline frames. I-Frames are HTML elements, i.e. elements of Internet pages that delimit an area of a web page. I-Frames can be used to load and display different web content - usually other URLs - as independent documents in a sub-window of the browser. I-Frames are mostly used for banner advertising. In some cases, I-Frames are used to conceal malware. In these cases the area of the I-Frame is mostly invisible or almost invisible in the browser.

Web Protection also protects all HTTP-based internet traffic. Every page which is downloaded by the computer (browser or any other service) is first compared against a local blacklist and, if it proves to be malicious (hosts malware or phishing), gets blocked. If the page passes this level, it is saved in a temporary folder and scanned by the scanning engine for malicious content. Web Protection scans incoming internet data to see if it is infected with malware. Content that has been scanned and found clean is forwarded to the browser. Content that is infected can be blocked or moved to the secure quarantine. Web Protection performs extremely quickly, so the rendering of downloaded elements in the browser is not affected by the scan process. The scan itself can be made faster by excluding MIME types or URLs. Web Protection works with all Internet browsers.

Keep in mind that Web Protection doesn’t filter secured connections (HTTPS).

Web Protection protects you from: Spam URLs, Malware, Phishing URLs and Fraud / Deception.

Note: It's important to highlight that since Avira 10 SP2, AntiVir WebGuard is available for AntiVir Personal users (now called Avira Free Antivirus). To enjoy this benefit, these users have to install the Avira SearchFree Toolbar (which is essentially an optional add-on for the free AntiVir product). This applies ONLY to AntiVir Personal users (now called Avira Free Antivirus). Read more: Avira AntiVir 10 Service Pack 2 (SP2)



You can also check whether your browser plug-ins are up to date or not using Mozilla Plug-in Check.
Below are samples from a computer with fully updated plug-ins. These examples were generated using the following browsers: Internet Explorer 8, Firefox 5 and Google Chrome 14. Keep in mind that some plug-ins may appear as needing an update. Make sure you have the latest version of these plug-ins by comparing the version in the plug-ins list of your browser with the latest version at the developer's site. If everything is updated and the result doesn't indicate it, just ignore it.


*All names, logos, trademarks and/or copyrighted images are the property of their respective owners

Never, under any circumstances, update your plug-ins from untrusted places, even though they say that you're out of date. Always look for information beforehand. Remember that one of the most common ways of infection is through the installation of false updates. Don't be fooled, right? Also, you could use Secunia Personal Software Inspector (read this guide), Belarc Advisor - Free Personal PC Audit or FileHippo.com Update Checker to check for outdated plug-ins. These programs will also scan your computer for vulnerable or outdated programs, alerting you when your programs and plug-ins require updating.

Below are some links related to the false plug-in updates over the years:

Warning over fake Windows update | Fake updates and phony postcards carry malware | Be aware of fake Microsoft Updates | Rogue downloads look real: read the fine print | Fake Codec uses false Facebook page | SecurityTool rogue begins using fake codec scam | Rogue downloader overlooks IE users | Fake Microsoft Updates Used in Attacks Targeting Firefox on Windows


marfabilis

14

Monday, July 11th 2011, 11:40pm

  • Avoid e-cards from people that you do not know;
  • Be careful when someone offers you something for nothing, such as gifts or money;
  • Don’t click on any URLs in emails unless you trust them;
  • Don't click on 'Unsubscribe' links. This will confirm that your email address is in use, and spammers will target your email address in the coming days and months;
  • Change your password often and keep it in a safe place;
  • Don’t share the password with anyone;
  • Don't use links in emails to visit your banking site (such links are almost certainly false and will lead to phishing sites);
  • If you receive email from someone that you do not know, then don’t open it, just delete it;
  • Never click on links sent to you via Instant Messaging services;
  • Never open email attachments unless you are 100% certain that you can trust the sender;
  • Never respond to unsolicited requests to update your account information;
  • Never update your operating system or your Avira AntiVir via links in emails;
  • Use multiple email addresses. Keep one private (for personal use) and at least one other for public forums (like here), chat rooms, mailing lists and other public web sites or online services;
  • Apply Windows and Office updates as soon as possible - turn Automatic Updates on (use Microsoft Update for both environments);
  • Avoid entering sensitive information or performing e-commerce on a shared public PC at cafes, hotel lobbies, libraries, airports or any public place;
  • Avoid P2P file sharing sites for "free" music or videos.
    Also read: Risks of File-Sharing Technology;
  • Avoid unused software programs with no more support from their developers;
  • Change your passwords periodically;
  • Keep your programs updated.
    Also read: How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector;
  • Make regular backups of your most important files, such as personal documents, licenses, music, video or images, to CD, DVD or flash drives;
  • Protect your computer against power surges and brief outages;
  • Read the EULAs of any software being installed;
  • Regularly scan your computer for malware (at least once a week);
  • Use complex passwords of 8 characters or more (at least 1 letter and 1 number, plus 1 upper/lower case -- and special characters if desired).
    Also read: Choosing and Protecting Passwords;
You can find more tips here: CyberSecurity Tips.


Bleeping Computer | Geeks to Go!


marfabilis

15

Wednesday, November 2nd 2011, 11:10am



To increase Avira's level of detection, leave the following options, shown in the images below, checked:



Avira Free Antivirus 2012, Avira Antivirus Premium 2012, Avira Internet Security 2012

Go to Configure Avira (...) > enable Expert Mode > PC Protection > [+] System Scanner > [+] Scan > Heuristic (See the image below) > Apply
Go to Configure Avira (...) > enable Expert Mode > PC Protection > [+] Realtime Protection > [+] Scan > Heuristic (See the image below) > Apply

Avira Personal 10, Avira AntiVir Premium 10, Avira Premium Security Suite 10

Go to Configure AntiVir > tick Expert Mode > [+] Scanner [+] Scan > Heuristic (See the image below) > Apply
Go to [+] Guard [+] Scan > Heuristic (See the image below) > Apply





Avira Free Antivirus 2012, Avira Antivirus Premium 2012, Avira Internet Security 2012

Go to Configure Avira (...) > enable Expert Mode > Internet protection > [+] Web Protection > [+] Scan > Heuristic (See the image below) > Apply

Avira Personal 10, Avira AntiVir Premium 10, Avira Premium Security Suite 10

Go to [+] Webguard [+] Scan > Heuristic (See the image below) > Apply > OK



Then, you can adjust the Blocked Requests settings.

Avira Free Antivirus 2012, Avira Antivirus Premium 2012, Avira Internet Security 2012

Go to Configure Avira (...) > enable Expert Mode > Internet protection > [+] Web Protection > [+] Scan > Blocked Requests > (See the image below) > Apply

Avira Personal 10, Avira AntiVir Premium 10, Avira Premium Security Suite 10

Go to Configure AntiVir > [+] WebGuard > [+] Scan > Blocked Requests > (See the image below) > Apply





Select all extended threat categories:

Avira Free Antivirus 2012, Avira Antivirus Premium 2012, Avira Internet Security 2012

Go to [+] General > Threat categories > Select all > Apply

Avira Personal 10, Avira AntiVir Premium 10, Avira Premium Security Suite 10

Go to [+] General > Threat categories > Select all > Apply





You can lock your HOSTS file: (For Avira Premium Security Suite 10 only)
Go to [+] Firewall > Settings > Click Lock now (See the image below) > Apply > Ok


  • After following the procedures described above, whether one or more of them, click OK to exit the configuration screen.
  • These changes may generate a greater number of false positives than the default settings, but will not interfere with the performance of your machine.

marfabilis

16

Wednesday, November 2nd 2011, 11:11am



Go to Avira's Vlab submission page: http://analysis.avira.com/samples/index.php





Alternatively, you can submit more than one file to be analyzed by compressing them into a single file (.rar, .zip or .7z).
Please take a look at some details:





Unfortunately, there is no way to submit files larger than 8 MB to Avira's Vlab, unless you send a PM to any Moderator telling him / her to forward your request to Avira's Vlab. In this case, the file should be uploaded to a file-sharing service like Rapidshare.com and the download URL should also be sent via PM.

When using Rapidshare.com, a link to delete the file will also be provided. Save this link and delete the file as soon as a Moderator provides you with the analysis result.

Note: It's important to highlight that Rapidshare.com is an external link and Avira doesn't manage this site, so Avira will not be responsible for any damage or loss incurred in connection with the third party web sites or any products or services available from the third party. Rapidshare.com is only a suggestion, please feel free to use the service that you want.



The quarantined files will be located at Avira INFECTED folder. The path to the INFECTED folder is:

Windows XP: C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\INFECTED
Windows Vista/ Windows 7: C:\ProgramData\Avira\AntiVir Desktop\INFECTED

The folders Application Data (XP) and ProgramData (Vista/7) are hidden by default. Please follow this procedure (according to your operating system) to view them (if needed).

When submitting a file you will see a progress bar loading your file.


Just wait. The submission should not take long.



When you don't move a file to the Quarantine folder (considering it a false positive) and you're absolutely sure that it is a false positive, you could add exceptions to the Scanner and Guard modules. It's important to highlight that this is at your own risk. Right?

Avira Antivir Personal 10, Avira AntiVir Premium 10 and Avira Premium Security Suite 10:

Common procedure: Click on Configure AntiVir > tick "Expert Mode"
Scanner module: [+] Scanner > [+] Scan > Exceptions > Add the complete file path at File objects to be omitted for the scanner > Apply
Guard module: [+] Guard > [+] Scan > Exceptions > Add the complete file path at File objects to be omitted by the Guard > Apply > OK

Avira Free Antivirus, Avira Antivirus Premium 2012 and Avira Internet Security 2012:

Common procedure: Click on Configure Avira (...) > enable "Expert Mode"
System Scanner: PC Protection > [+] System Scanner > [+] Scan > Exceptions > Add the complete file path at File objects to be omitted by the scanner > Apply
Realtime Protection: PC Protection > [+] Realtime Protection > [+] Scan > Exceptions > Add the complete file path at File objects to be omitted by the Realtime protection > Apply > OK

For more details, click on the Help / Help button on both configuration screens.

Then, you should submit the file to Avira's Vlab. Otherwise, once the file is detected, you can click on Details > Always Ignore. This option will ignore the file until the next reboot. The option "Always Ignore" was created in the past, for novice users, to prevent them from completely ignoring a file without being sure of what they were doing. Keep in mind that under normal conditions you should have no detections, and use these exceptions for other purposes.

Note: The most recommended action is always to move the file to Quarantine and submit it to be analyzed by Avira's Vlab.



A screen like this will appear after your submission:



The result may appear as UNDER ANALYSIS, FALSE POSITIVE, MALWARE, KNOWN CLEAN etc...
However, this result is automatic and it's only preliminary, not the final result. An email will be automatically generated and will be sent to your email address.
Also, a File ID will be generated for the file that you submitted. Always try to save this number, since it may be asked for by a Moderator.

You'll receive another email with the complete report (final outcome), which will be sent to the email address that you filled in on Avira's Vlab form, within 48 hours (when submitted on weekends).
--------------------------------------------------------------------------------------------------
Email automatically generated | Email with the final outcome (just a sample)


The Tracking Number is also very important, it contains all data belonging to your submission.
Avira will also provide a link for you to perform an online check of the analysis results.

Never post that link with your Unique ID. This is a personal identification and ensures the privacy of your submissions.



When the result in the final outcome is a false positive, you can safely add exceptions to the Scanner and Guard modules.

Avira Antivir Personal 10, Avira AntiVir Premium 10 and Avira Premium Security Suite 10:

Common procedure: Click on Configure AntiVir > tick "Expert Mode"
Scanner module: [+] Scanner > [+] Scan > Exceptions > Add the complete file path at File objects to be omitted for the scanner > Apply
Guard module: [+] Guard > [+] Scan > Exceptions > Add the complete file path at File objects to be omitted by the Guard > Apply > OK

Avira Free Antivirus, Avira Antivirus Premium 2012 and Avira Internet Security 2012:

Common procedure: Click on Configure Avira (...) > enable "Expert Mode"
System Scanner: PC Protection > [+] System Scanner > [+] Scan > Exceptions > Add the complete file path at File objects to be omitted by the scanner > Apply
Realtime Protection: PC Protection > [+] Realtime Protection > [+] Scan > Exceptions > Add the complete file path at File objects to be omitted by the Realtime protection > Apply > OK







Then, restore the file from Quarantine.

Avira Antivir Personal 10, Avira AntiVir Premium 10 and Avira Premium Security Suite 10:

Go to Start AntiVir > Administration > Quarantine > Select the item that was analyzed as a false positive > Press F3 key on your keyboard to restore the file to the folder where it was detected (recommended) or F6 to restore to another folder.

Avira Free Antivirus, Avira Antivirus Premium 2012 and Avira Internet Security 2012:

Go to Start Avira (...) > Administration > Quarantine > Select the item that was analyzed as a false positive > Press F3 key on your keyboard to restore the file to the folder where it was detected (recommended) or F6 to restore to another folder.



Keep your Avira updated, 'cause the detection should be removed within 48 hours.
You can check whether the detection has been removed by submitting the file to Virustotal.com.

* If the detection was removed, you can also remove the exceptions added.
* If the detection has not been removed, feel free to contact us, creating a new thread at Viruses and other security risks section.

Note: It's important to highlight that Virustotal.com is an external link and Avira doesn't manage this site, so Avira will not be responsible for any damage or loss incurred in connection with the third party web sites or any products or services available from the third party. Virustotal.com is only a suggestion, please feel free to use the service that you want.



When the result is not what you expected, in other words, if the final outcome still detects the file as malware or the detection will not be removed for some reason, then you can create a new thread at the Viruses and other security risks section to explain the situation and also post the File ID / Tracking Number of your submission. A Moderator will request a reanalysis.



Sometimes it may appear on your screen after your attempt to submit a file:



Your submission may fail 'cause of one of the following reasons:
  • The size of extracted file is bigger than reported on list
  • Cannot list files in archive
  • Invalid password
  • Invalid compression data
  • Unknown archive format
Please check each item or repack your files again and re-submit.
If you've tried everything and failed to submit your file, please send a PM to any Moderator.

  • Basically, two cases may happen while you're browsing under AntiVir WebGuard protection. Let's just imagine that you're trying to download a file from a trusted source, considering it reliable and harmless, or you're accessing a site that you also feel is safe, when this window or this screen appears:


  • In the first case, simply move the suspected false positive "object" (indeed it's a file) to Quarantine and then submit it to Avira's Vlab, just following the same procedure as shown previously. Please avoid posting the URL on your own post. What seems harmless to you, may not really be harmless to other users;
  • In the second case, the screen appears directly in your browser. So, when you're thinking that it is a false positive, please send a PM to any moderator of Avira Support Forum. You can find the list of team-members here. Please tell us the web address, the detection and the reason you find that the detection of Avira is wrong. This 'reason' may be just a personal hunch or thought;
  • If Avira is not detecting a malicious website do the same procedure as described in the second case;
  • Meanwhile, if you're absolutely sure it's just a false positive, you can add the exceptions to the WebGuard / Web Protection module. See the image below:




* It's important to highlight to you that the procedure should only be done after an analysis that reported a website as a false positive.
* If you want to do it before the analysis, you will be at your own risk.
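The post above says that several files can be sent to the Vlab as one .zip/.rar/.7z, that files larger than 8 MB cannot be uploaded, and that a submission fails when the archive cannot be listed, its compression data is invalid, or an extracted file is bigger than the size reported in the archive's list. The Python below is an added example (not marfabilis's code and not an Avira tool) that packs a set of files into a .zip, records each file's size and SHA-256 so it can later be identified by hash alone without uploading it again, and then re-opens the archive to run those same sanity checks locally before submitting. The 8 MB limit and the failure reasons come from the post; all file names, sample bytes and function names are constructed for the example.

```python
"""Pre-submission packaging and checks for suspected false-positive files.

Added example; the 8 MB limit and the archive failure reasons are the ones
listed in the forum post above, everything else here is constructed.
"""
import hashlib
import os
import tempfile
import zipfile

MAX_UPLOAD_BYTES = 8 * 1024 * 1024  # the 8 MB limit stated in the post


def sha256_of(path):
    """Stream the file through SHA-256 so large samples need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sample_archive(paths, out_zip):
    """Pack the files into out_zip; return a manifest {name: (size, sha256)}.

    Only the base name is stored in the archive, so the analyst sees the original
    file name but not the directory layout of the machine it came from.
    """
    manifest = {}
    with zipfile.ZipFile(out_zip, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for p in paths:
            name = os.path.basename(p)
            if name in manifest:
                raise ValueError("duplicate file name in submission: %s" % name)
            manifest[name] = (os.path.getsize(p), sha256_of(p))
            zf.write(p, arcname=name)
    return manifest


def verify_sample_archive(archive, manifest, max_bytes=MAX_UPLOAD_BYTES):
    """Return a list of problems; an empty list means the archive looks submittable.

    The checks mirror the failure reasons in the post: archive too large for the
    upload form, unknown archive format, archive that cannot be listed, invalid
    compression data (CRC mismatch), and a listed size that does not match the
    actual file size.
    """
    problems = []
    if os.path.getsize(archive) > max_bytes:
        problems.append("archive is larger than %d bytes; ask a Moderator instead" % max_bytes)
    if not zipfile.is_zipfile(archive):
        problems.append("unknown archive format (not a zip file)")
        return problems
    try:
        with zipfile.ZipFile(archive) as zf:
            listed = {i.filename: i.file_size for i in zf.infolist()}
            bad = zf.testzip()  # CRC-checks every member; returns first bad name
            if bad is not None:
                problems.append("invalid compression data in member %s" % bad)
            for name, (size, digest) in manifest.items():
                if name not in listed:
                    problems.append("%s missing from archive listing" % name)
                    continue
                if listed[name] != size:
                    problems.append("%s: listed size %d != actual %d" % (name, listed[name], size))
                # Re-hash the stored content so the manifest matches what gets analysed
                if hashlib.sha256(zf.read(name)).hexdigest() != digest:
                    problems.append("%s: content hash changed during packing" % name)
    except zipfile.BadZipFile as e:
        problems.append("cannot list files in archive: %s" % e)
    return problems


def demo(tmpdir=None):
    """Build and verify a two-file archive from constructed sample data."""
    d = tmpdir or tempfile.mkdtemp()
    a = os.path.join(d, "sample_a.bin")
    b = os.path.join(d, "sample_b.txt")
    with open(a, "wb") as f:
        f.write(b"\x00" * 1024 + b"constructed sample A")   # 1044 bytes
    with open(b, "wb") as f:
        f.write(b"constructed sample B\n" * 50)             # 1050 bytes
    bogus = os.path.join(d, "not_an_archive.zip")            # plain text, wrong format
    with open(bogus, "wb") as f:
        f.write(b"this is not a zip file\n")
    out = os.path.join(d, "submission.zip")
    manifest = build_sample_archive([a, b], out)
    return {
        "archive": out,
        "manifest": manifest,
        "problems": verify_sample_archive(out, manifest),
        "bogus_problems": verify_sample_archive(bogus, {}),
    }


if __name__ == "__main__":
    r = demo()
    for name, (size, digest) in r["manifest"].items():
        print("%-14s %6d bytes  sha256=%s" % (name, size, digest))
    print("problems:", r["problems"] or "none, ready to submit")
```

Keep the printed SHA-256 values with the File ID / Tracking Number from the Vlab reply: once the final outcome arrives, the hash is enough to look the file up on a multi-scanner site to confirm the detection was dropped, without uploading the sample a second time.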

marfabilis

Moderator


17

Wednesday, November 2nd 2011, 11:12am


johnyjohn; closely; Mapler; bigua

Internet Explorer is a registered trademark of Microsoft Corporation. Firefox is a registered trademark of the Mozilla Foundation. Google Chrome is a trademark of Google Inc. Opera is a trademark of Opera Software ASA. Safari is a trademark of Apple Inc., registered in the U.S. and other countries. All logos, company names, brands, images, trademarks and other intellectual property are the property of their respective owners and their appearance on this site is merely intended to illustrate the content available for informative purposes in these basic guidelines and the authors of this tutorial are not intended in any way to imply or suggest that the respective owners of these names, logos, trademarks and/or copyrighted images consent to, approve or endorse the procedures or recommendations listed here.

--------------------------------------------------------------------
Last update: Tuesday, November 1, 2011
--------------------------------------------------------------------

This post has been edited 1 times, last edit by "marfabilis" (Jan 15th 2012, 5:35pm)