Overzealous malware hunter: Norton Internet Security 2010

I’m a happy user of Norton Internet Security 2010 (referred to as NIS 2010 henceforth). I have never been infected with any nasties, primarily due to a combo of taking common-sense precautions (like not downloading “free ringtones”, “sexy videos” or any “codecs” to view said sexy videos), being aware of my internet surroundings and having NIS take care of things when I’m lax. However, NIS 2010 has issues that I need to vent about.

NIS 2010 has this nifty feature called Insight Network Scan where Norton consults its community/database on a file it’s not sure about. By default, it appears that if a file has been used by fewer than 10 users (not sure how they can definitively say this because they may be counting only systems with Norton Internet Security 2010 installed, who knows?), Norton classifies the file as a risk, specifically as WS.Reputation.1 or Reser.Reputation.1. Here are some specific and notable instances of Norton Insight ensnaring ‘innocent’ files:

  1. Wireshark x64 v. 1.2.6: On the 28th of January 2010, I downloaded the 64-bit version of Wireshark and I got alerted that the file was Suspicious and the risk it posed was called “Reser.Reputation.1”. After complaining on Norton’s Facebook page, some updates were pushed out and the “Reser.Reputation.1” classification was removed.
    wireshark.png
  2. FastPicture Viewer Codec Pack v. 2.1R3: On the 26th of May 2010, I purchased this Codec Pack and downloaded the file. Norton complained and deleted the file after calling the risk “WS.Reputation.1”. This case was actually interesting because I contacted the developer via email to verify that their software hadn’t been somehow tampered with, and I got a semi-humorous lecture about my use of internet security software. 🙂 They assured me their software was fine, provided me with VirusTotal links, etc. I also went ahead and notified Norton, and they instructed me on how to submit a false positive report.
    fastpicture-nortonissue-flattened.png
  3. Fraps (paid version) v. 3.2.3: On the 16th of June 2010, I learned of a new version of Fraps via Neowin and I went to download this latest copy. Norton deleted this file because it was *gasp* a risk, having been used by fewer than 10 people in the Norton “community”. This time, the Fraps file’s risk was termed “WS.Reputation.1”. I wasn’t even given the opportunity to whitelist the particular executable that I downloaded. Eventually, I had to temporarily pause Norton’s “antivirus protect” service just so I could download and install the file! As usual, I notified @NortonOnline and filed a false positive report.
    fraps.png

Up till now, my impression of the “xx.Reputation.1 risk” classification has been that it’s a minor disturbance. Every time this happened with a file I cared about (Wireshark, Fraps, etc.), I notified @NortonOnline (their official twitter account) and filled out a dispute form on their site. I can certainly appreciate why this feature was put in place, but clearly the feature is becoming a little too trigger-happy. So far, the files that have been caught in this dragnet have been files I downloaded from the internet. However, today (06/27/2010), Norton Internet Security 2010 went too far.

I learned via Twitter that Firefox 3.6.6 had been released, and I quickly went to upgrade my install of Firefox from 3.6.4 to 3.6.6. NIS 2010 didn’t complain about the upgrade and I got the standard post-install welcome page from Mozilla about the successful upgrade. Fast forwarding to about 4:20pm (EST) today, I got a prompt from NIS 2010 that I had never seen before:
nortonprompt.png

I was surprised because I hadn’t even received notification of a suspicious file being found. So, I reviewed the “Recent History” and found out that NIS 2010 had slapped the “WS.Reputation.1” tag on 3 .dll files in Mozilla Firefox’s install folder on my C: drive (freebl3.dll, softokn3.dll and nssdbm3.dll). From the NIS 2010 interface, when reviewing the history, it’s not readily apparent how to “reverse” any decisions the Insight engine has made, so I reluctantly restarted my computer.
ffdlls.png

Since restarting my computer at about 7:30pm (EST), Firefox has refused to start and crashed every single time.
ffcrashes-06272010.png
I’m pretty sure it wasn’t happy that those 3 .dll files were deleted by NIS 2010. In fact, those files are pretty important to Firefox (duh). Anyway, after getting tired of having IE 8 as my default browser and feverishly updating NIS 2010 definitions, I reinstalled Firefox 3.6.6 and *knock on wood* it hasn’t mysteriously decided that certain dll files are suspicious.

*That* was a mouthful. I’m sure I’ll have more of these false positives before the month is over. I’d rather NIS 2010 err on the side of caution every time, but they’re running the risk of me/users getting used to temporarily turning off the software just to install stuff. The end. 😛

In an automated email to me, Norton recommended:

  1. Digitally signing your binaries.
  2. Submitting your software to their Whitelist program here: https://submit.symantec.com/whitelist/

norton-rec.png
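As an added example (not from the post, and not Symantec’s code), here is the triage a user can run on a file the Insight engine has flagged before disputing the verdict or pausing the antivirus: it reports the Authenticode signature state (the property Norton’s first recommendation is about) and a SHA-256 hash to compare with the value the publisher or VirusTotal lists for the same file. The three NSS (Network Security Services) libraries it is pointed at are the ones the post says were deleted; the Firefox install directory is an assumption.

```powershell
# Added example, not from the post or from Symantec: triage a file that a
# reputation engine has flagged before disputing the verdict or pausing the AV.
# Reports the Authenticode signature state and a SHA-256 hash to compare
# against the value the publisher or VirusTotal lists. Needs PowerShell 4.0+.
function Test-FlaggedFile {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Path
    )
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) {
            # Insight may already have quarantined or deleted it, as with the Firefox DLLs
            [pscustomobject]@{ File = $file; Present = $false; Signature = 'n/a'; Signer = 'n/a'; Sha256 = 'n/a' }
            continue
        }
        $sig  = Get-AuthenticodeSignature -FilePath $file
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        # Status is one of Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        [pscustomobject]@{
            File      = $file
            Present   = $true
            Signature = $sig.Status
            Signer    = $signer
            Sha256    = $hash
        }
    }
}

# The three NSS libraries NIS 2010 removed from the Firefox folder in the post.
# The install directory is an assumption (default for a 32-bit Firefox on 64-bit Windows).
$firefoxDir = 'C:\Program Files (x86)\Mozilla Firefox'
Test-FlaggedFile -Path @(
    (Join-Path $firefoxDir 'freebl3.dll'),
    (Join-Path $firefoxDir 'softokn3.dll'),
    (Join-Path $firefoxDir 'nssdbm3.dll')
) | Format-Table -AutoSize
```

A Valid signature from the expected publisher together with a hash that matches the publisher’s published value is the evidence worth attaching to a false positive report; a NotSigned result on a vendor’s installer is exactly the case Norton’s “sign your binaries” recommendation addresses.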

Providing PC support remotely to family and friends

I take the role of “computer-problem-fixer” in my family very seriously. 🙂 I love tinkering and troubleshooting, so helping out doesn’t feel like a burden to me. So, I thought I’d do a post on how I’m able to assist my family members and friends from afar.

One of the things I’ll tell you right away is to assume that your computer jargon will be that: jargon and not understood by the non-techie. That said, do the following and you’ll be less likely to be frustrated:

  1. If you absolutely must direct the person being helped over the phone, spell out each step using specific terms (right- or left-click versus just telling them to ‘double-click’, position of the windows/prompts, etc.) and, depending on the skill level, feel free to spell out letters (this comes in handy when collecting usernames and/or passwords), use colors, and directional language (bottom-left panel/window/alert-box, top-right, etc.) to get the job done. It might sound silly, but if someone’s not as used to using computers as you are, they’ll need all the pointers they can get. From a recent memory, I lost an hour of time because the asker omitted a space in their Windows username and Logmein kept rejecting my login!
  2. If we’re talking about removing badware from the person’s computer, I strongly recommend using a remote service. I like to see what’s going on and reduce the chance that something crucial gets overlooked.

For this article, I’ll be writing about my experiences with the following services: Logmein, Windows Remote Assistance (for XP, Vista, Windows 7), Windows Remote Desktop and Microsoft SharedView.

 

Logmein

Short and sweet verdict: If you’re called up out of the blue and have never touched the asker’s computer, this may be a lot of pain, but once you get over the installation and connection part, you’re good! That said, there are a couple of steps to get things going:

  1. You’ll have to get the asker to sign up for the logmein.com website.
  2. Install the Logmein software (increasing support time and the risk of something else going wrong).
  3. Get the asker’s username and password to the Logmein website. With the Logmein free version (compared to the Pro version of Logmein), there’s no way to temporarily “invite” someone to work on your computer. The alternative would be to have the asker install the Logmein software on their computer and enter your credentials, so that you can take remote control of the asker’s computer from the Logmein.com web interface. Obviously, I recommend against doing that.
  4. The better alternative is to have the asker provide their Logmein.com credentials after they’re done installing, so you can log in to the website and take control of their computer that way.
  5. I’ve done this and I highly recommend you already set up your relatives/friends (who you think might need help) with Logmein before they need help. 😛 And write down their username/password combination to the Logmein website AND their Windows username/password combination too! Trust me, in S.O.S. situations like this, anything that can go wrong, will.
  6. Go ahead and fix what’s broken.

Windows Remote Assistance

Short and sweet verdict: no installation process (especially if they’re on the Windows operating system), but it requires a bit of attention to detail on the asker’s part. That’s *always* the tricky part when assisting people. That said:

  1. On Windows XP, go to this Microsoft knowledge base article. Please read the article, which explains in depth how to get access to Windows Remote Assistance. Briefly, fire up XP’s Help & Support and look for the tool under the “Ask for help” section. When in doubt, search for “remote assistance”. For Windows Vista and 7, hit “start” and type “remote” and you should see this image:
    remote.png
    Quick Tip: Read this link to learn how to enable remote assistance on Windows XP. On Windows 7, right-click on the “My Computer” icon and go to “Properties”. Click “Advanced System Settings” and navigate to the “Remote” tab. Refer to this image for more:
    win7-remoteassistance.png 

    With Windows Remote Assistance on Windows 7, you have the option of saving the invitation to a .msrcincident file, which can be opened by PCs running other versions of Windows, or of using Easy Connect, which only works with another Windows 7 computer. I was not able to get Easy Connect to work, with this persistent “can’t connect to global peer-to-peer network” message. Microsoft has a tool on their website called the “Internet Connectivity Evaluation Tool” which “checks your Internet router to see if it supports certain technologies.” See image below:
    remote-easy-con.png

  2. Anyway, get the asker/user to fire up Windows Remote Assistance and invite you using your email address with a time limit of about 4 hours (arbitrarily chosen). Get them to email you this file and, once you have received & opened it, walk them through the expected prompts. In my case, I had pictures of what it would look like on the asker’s machine so that I could talk them through accepting my request to take over their computer.

Windows Remote Desktop

Short and sweet verdict: Involves advanced concepts like port forwarding, public IP addresses and such. 😛 I can’t speak too much on this, the biggest reason being I haven’t given it a serious shake to properly configure and gain access to a test system. On a private/home network, it’s easy, but on a public network behind an ISP, things are trickier. This FAQ by Microsoft on using Remote Desktop has pointers to helpful info and this article by TeamTutorials.com on setting up remote desktop does a great job of giving you a detailed walkthrough on using remote desktop. Good luck! 🙂
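Both the Remote Assistance and the Remote Desktop sections above turn on a switch in the “Remote” tab of System Properties, and the door that switch opens stays open after the support session. As an added example (not from the post), this PowerShell script reads the two registry values that tab writes, so you can confirm the state before a session and switch both back off when you are done. It assumes the standard locations of those values and must run from an elevated PowerShell to change them.

```powershell
# Added example, not from the post: read and reset the switches that the
# System Properties > Remote tab controls, so the access path opened for a
# support session is closed again afterwards. Run from an elevated PowerShell.
$raKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RemoteAccessState {
    $ra  = Get-ItemProperty -Path $raKey  -ErrorAction SilentlyContinue
    $rdp = Get-ItemProperty -Path $rdpKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # fAllowToGetHelp = 1 is "Allow Remote Assistance connections to this computer"
        RemoteAssistanceEnabled = ($null -ne $ra -and $ra.fAllowToGetHelp -eq 1)
        # fDenyTSConnections = 0 means Remote Desktop connections are allowed
        RemoteDesktopEnabled    = ($null -ne $rdp -and $rdp.fDenyTSConnections -eq 0)
    }
}

function Disable-RemoteAccess {
    # Turn both off; they get switched on again only for the next session that needs them.
    Set-ItemProperty -Path $raKey  -Name fAllowToGetHelp    -Value 0 -Type DWord
    Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value 1 -Type DWord
    Get-RemoteAccessState
}

Write-Output 'Remote access state before the session:'
Get-RemoteAccessState
# After the session, close the door again:
# Disable-RemoteAccess
```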

SharedView

Short and sweet verdict: involves the asker & you signing up for a Windows Live account, downloading & installing the software but otherwise easy-to-follow steps with some attention to detail.
I found out about Microsoft SharedView through reading Scott Hanselman’s list of tools he uses. I downloaded & installed it, but never got a chance to use it until a couple of days ago. It’s billed as a collaboration tool and thus should serve very well as a means to work on a relative’s computer, no?

  1. If you don’t have a Windows Live account (if you have a Hotmail account, you’re good to go), go ahead and sign up for one. Get the asker to sign up for one as well.
  2. Download & install the SharedView program.
  3. Start a session. Refer to the images below (the first image shows what it looks like when I’m connected to the asker’s computer and the second image shows how to start a session).

sharedview.png
sharedview-1.png

As always, corrections and comments are welcome. For my personal home network, I use Logmein Free. For assisting others, I’ve used a combination of Windows Remote Assistance and SharedView. Your mileage may vary. There are other ways of assisting people remotely, but that’s beyond the scope of this “short and sweet” article. Thanks for reading! 🙂

Habari-powered blogging: Tweaking your theme

First thing: I’m *not* a coder, but I’ve got the next best thing: search engines like Bing, Google and DuckDuckGo on my side. For every theme I’ve used on the blogging software running my blogs (janetalkstech.com and fadingwhispers.org/home), I’ve ended up editing the theme’s files to include some small features I admired in previously used themes (see a list of available themes for Habari). This particular post will attempt to go over little tweaks I’ve made to the current theme (Georgia by Thomas Silkjær) running this blog as of 06/15/2010. By the way, if you’re running Habari, try Georgia sometime, or any of the other themes. It’s a beautiful two-column theme with an emphasis on gorgeous typography and excellent use of white space.

Before I continue, here are some assumptions I’ve made:

  1. I’m assuming that you’re familiar with content management systems. Examples of content management systems or CMSes would be the famous WordPress, Drupal, Joomla, etc. Habari is another such system and it powers janetalkstech.com currently.
  2. I’m assuming you’re able to edit files on your webserver. Bonus points for you if you even installed WordPress yourself.
  3. I’m assuming you have file backups of the original unedited files for your theme because you will (like I have) make some changes and attempt to undo said changes only to discover you made things worse. 🙂
  4. I’m assuming you are not averse to trying things and finding things by trial and error.
  5. Please don’t hold me responsible for any bad things that may or may not happen to your theme/files/blog/computer/person/house from using any code snippets posted here. I’m not a security ninja (see my About page).

That said, a vanilla (plain) installation of the Georgia theme for Habari will leave your frontpage (index.php) cluttered with the full-length posts. I say “cluttered” because I typically include pictures and/or embedded video in my blog posts. Leaving full-length posts on the main frontpage can cause problems. I wanted my posts on the frontpage truncated for the reasons below:

  1. Performance reasons: I have pictures and videos (usually) in each post. Having all the pictures and/or videos in all 4 posts load at the same time increases the load time of the homepage. Internet users are big fans of pages that load quickly, so doing this will be a step towards that goal.
  2. Being smart and optimizing: Having the full posts load on your home page is an example of information overload. Besides that, you’re essentially discouraging readers from clicking through to read the posts, which will make any form of analytics hard to interpret.

Since I couldn’t very well code some plugin to do this, I had to mimic another theme’s method of implementation. Specifically, I took a look at the theme files of the Dilectio theme because it shortened posts on the frontpage by default. After trial and error, I found what I was looking for. In the theme.php file, I found a line of code that specified how much of each post to display before showing the “read more” link. To prevent the full length of the posts from being displayed on the home page of your blog, here’s the relevant snippet to alter (code culled from the theme.php file in the Dilectio theme for Habari):

<?php
// tell Habari which class to use
define( 'THEME_CLASS', 'Dilectio' );

class Dilectio extends Theme
{
	// Execute on theme init to apply these filters to output
	public function action_init_theme()
	{
		// I snipped out a bunch of irrelevant (for this post) code

		// The line below puts out a reduced size version of the post when there are multiple posts displayed:
		// the 'more' formatter is hooked on post_content_out, appends the "Read More »" link text,
		// and the last two arguments are the length limits Dilectio uses for the excerpt
		Format::apply_with_hook_params( 'more', 'post_content_out', _t( 'Read More' ) . ' »', 100, 1 );
	}
}

That’s all you need to insert into your theme.php file under the public function action_init_theme() block to shorten posts. That done, the next issue I faced with my theme was figuring out how to allow gravatars to display with proper formatting.

With the gravatars plugin for Habari, you’re expected to install this code snippet in the ‘relevant’ files:

<img src="<?php echo htmlspecialchars( $comment->gravatar ); ?>">

It didn’t take me long to figure out where to insert the code, but the lack of a readme file with the plugin didn’t help matters. I can imagine how daunting this must seem, but then again, Habari is really young and forthcoming iterations will address these user interaction issues. In the case of the gravatar plugin, the relevant file to be edited was the comment.php file. Specifically, you should insert the code snippet as shown below:

<li id="comment-<?php echo $comment->id; ?>" <?php echo $class; ?>>
<img src="<?php echo htmlspecialchars( $comment->gravatar ); ?>">
<h2 class="comment_author"><?php echo $comment_url; ?> <em>at</em> <a href="#comment-<?php echo $comment->id; ?>" title="Time of this comment"><?php $comment->date->out(); ?></a></h2>

If you’ve done that, you’ll see that your comments section will look like this:
habaricomment.png

I wasn’t quite satisfied with the layout so I added some changes and here’s the code that I added to make my comments section a little prettier:

<img align="left" style="padding:4px" src="<?php echo htmlspecialchars( $comment->gravatar ); ?>">

I added the align and style properties to the img tag which can alter the layout. See what my comments section looks like now:
habaricomment-2.png

Cheers and that’s all for now. I’ll update this post with corrections or additions. Feel free to comment on any inaccuracies, etc. 🙂 For those wanting to dive deeper into Habari and themes, check out the Geek media’s articles on Habari. As always, if you have questions, pop into the Habari IRC channel (#habari) on Freenode.

Here’s a tip: Join the Habari Dev list so you can get a feel for the developers behind Habari. Then, head over to IRC and use JibbyBot to pass messages to them! 😛 To do that, you say: “JibbyBot tell blah blah” and it’ll store your message for the next time the person logs in. Pretty nifty, and I had a problem solved that way without me having to monitor IRC constantly. The IRC logs are here.