A/V for XP-SP2 old machines

xgsound

Golden Member
Jan 22, 2002
1,374
8
81
I am the "fixer" for the family. A lot of the machines are too old to expect SP3 to work and the new Avira update requires SP3 to install. Over the years I've used AVG and now Avira as the standard for us, and tried Avast and MSE. The most sensitive one is a 1300 Mhz pentium 4 with 256 MB RDRAM, but there's an assortment down to PIII 500Mhz.
Between the newest browsers, flash, and java these machines were slow enough.
Am I going to have to tell them (and myself) to bite the bullet and get a new machine or is there a way to keep protection on these old low memory machines.

Cliffs ... Is there a good low impact a/v for old xp sp2 machines?

Jim
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
Installing a service pack doesn't add additional stress to a system. To be honest, it is borderline negligent to run an XP SP2 system (I would argue XP SP3 is as well).

Honestly why even bother running a P3 machine? You could probably find machines for $10 at a yard sale that are faster.
 

xgsound

Golden Member
Jan 22, 2002
1,374
8
81
Nevertheless, I've got 10 or 15 machines out there that are old and working fine for the operators. I would like to keep them using an A/V if at all possible. I won't help them run without one, but I won't sabotage their machines either.

I get the old ones in the family and some from student (they think 3 Ghz is slow) renters. Some of these have been recycled through 4 people. I currently have 3 oldies from 800 to 1,000 Mhz that I give out for the slowest of them as the "opportunity" presents itself, but these A/Vs keep getting more demanding than the OS and programs.

I recently had to give up making system 7 machines functional as they could hardly run a modern browser.

So far the 3 A's are the only options I know of.


Jim
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
Nevertheless, I've got 10 or 15 machines out there that are old and working fine for the operators. I would like to keep them using an A/V if at all possible. I won't help them run without one, but I won't sabotage their machines either.

I get the old ones in the family and some from student (they think 3 Ghz is slow) renters. Some of these have been recycled through 4 people. I currently have 3 oldies from 800 to 1,000 Mhz that I give out for the slowest of them as the "opportunity" presents itself, but these A/Vs keep getting more demanding than the OS and programs.

I recently had to give up making system 7 machines functional as they could hardly run a modern browser.

So far the 3 A's are the only options I know of.


Jim

They may be working fine for the operator, but they would also probably work just fine for a hacker looking to add to his botnet. Regardless of what it is used for, connecting them to the internet is negligence and is another reason we have so many problems.

-GP
 

xgsound

Golden Member
Jan 22, 2002
1,374
8
81
I believe you when you say you have so many problems, but the machines I maintain aren't the source. Your first post was a little rude and the only correct part was that a $10 machine might beat a 500 Mhz PIII now. The second post is rude, incorrect, and without a single redeeming quality. Why bother posting for that?

Service packs have crashed some machines every time they come out. The potential of ten old crashed machines that I keep running for free would be inconvenient. Furthermore, these machines have Avira A/V and daily updates along with Spywareblaster and Firefox. I say that's better protected than newer machines with McAfee or Norton, especially when updates expire.

Jim
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
I believe you when you say you have so many problems, but the machines I maintain aren't the source. Your first post was a little rude and the only correct part was that a $10 machine might beat a 500 Mhz PIII now. The second post is rude, incorrect, and without a single redeeming quality. Why bother posting for that?

Service packs have crashed some machines every time they come out. The potential of ten old crashed machines that I keep running for free would be inconvenient. Furthermore, these machines have Avira A/V and daily updates along with Spywareblaster and Firefox. I say that's better protected than newer machines with McAfee or Norton, especially when updates expire.

Jim

Install SP3. Otherwise those systems will become ever-more vulnerable over the remaining ~3 years of XP support, since security updates aren't available without SP3 installed as a prerequisite.

If you're concerned about it crashing the systems, then here are some practical tips:

1. scan the system for malware, then uninstall the antivirus software so it can't interfere with the SP3 installation.

2. download the full-file SP3 installer from here, start Windows in Safe Mode, and run the installer. It'll take a while, but you won't have stuff interfering with the process.


The potential of ten old crashed machines that I keep running for free would be inconvenient.

It's not very likely, and unless you're doing ten at once in a parallel operation, you're not going to have to deal with more than one at a time. If it doesn't have a problem on initial installation, you're home free.


Tangentially, you mentioned Java. It's exploited on a massive scale these days. Unless there's an actual need for it installed on these systems, simply get rid of it. If it serves some crucial function, get version 7u1 from here: http://www.oracle.com/technetwork/java/javase/downloads/jre-7u1-download-513652.html

I'll also recommend EMET 2.1, a freebie anti-exploit app from Microsoft with basically zero footprint: http://www.mechbgon.com/build/security2.html#sehop


Another high-value, zero-impact tweak is to entirely disable AutoPlay/AutoRun. US CERT has a how-to here: http://www.us-cert.gov/cas/techalerts/TA09-020A.html Stay away, worms! :p
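
As an added example (not part of the post above and not code from US-CERT or Microsoft): a Python check over a `reg export` dump that flags the two gaps this post names, a missing SP3 and AutoRun still enabled. It tests for the `Autorun.inf` IniFileMapping entry described in US-CERT TA09-020A and the `NoDriveTypeAutoRun` policy value Microsoft documents; the sample export and the function names are constructed for illustration.

```python
import re

NT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
EXPLORER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
INIMAP = NT + r"\IniFileMapping\Autorun.inf"

# Constructed sample (not from the thread): .reg text for an XP SP2 machine
# with AutoRun only partly restricted and no Autorun.inf mapping override.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"ProductName"="Microsoft Windows XP"
"CSDVersion"="Service Pack 2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

def parse_reg(text):
    """Return {key: {value_name: value}} with lowercased names; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            continue  # header, blank line, or a value type not needed here
        name, raw = m.group(1).strip('"').lower(), m.group(2)
        if raw.lower().startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo .reg escaping
    return keys

def audit(text):
    """Return a list of findings; an empty list means all three checks pass."""
    keys, findings = parse_reg(text), []
    sp = str(keys.get(NT.lower(), {}).get("csdversion", ""))
    m = re.search(r"Service Pack (\d+)", sp)
    if not m or int(m.group(1)) < 3:
        findings.append("service pack is %r; SP3 is needed for security updates" % sp)
    if keys.get(EXPLORER.lower(), {}).get("nodrivetypeautorun") != 0xFF:
        findings.append("NoDriveTypeAutoRun is not 0xFF; AutoRun not disabled for all drive types")
    mapping = keys.get(INIMAP.lower(), {}).get("@", "")
    if not isinstance(mapping, str) or mapping.lower() != "@sys:doesnotexist":
        findings.append("Autorun.inf IniFileMapping override is missing")
    return findings

def audit_file(path):
    # Version 5.00 .reg files are written as UTF-16 with a BOM
    with open(path, encoding="utf-16") as fh:
        return audit(fh.read())

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("FAIL:", finding)
```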
 

lxskllr

No Lifer
Nov 30, 2004
59,408
9,931
126
Maybe you could switch some of those machines to Linux. Security, and performance would be increased, with no new hardware purchases. Dialup more than likely won't work, and if there's proprietary software they can't live without, it would be a problem, but for the web/email/light office crowd, it should work pretty well.
 

xgsound

Golden Member
Jan 22, 2002
1,374
8
81
mechbgon: Thanks for the EMET info in particular. I use all the zero/low impact things I can find. I already use flashblock and noscript.

lxskllr: I've always wanted to start with Linux, but never got around to it. Life keeps getting in the way. It's still on my list. Then I'll get to teach the relatives about it. That would be an adventure!

Jim

edit: sometimes I use MSE as Binky suggests below.
 

Binky

Diamond Member
Oct 9, 1999
4,046
4
81
I'd use the free microsoft security essentials. It never expires like most of the free AV packages. It's too common in my experience for a dim-witted user to ignore the flashing red icon telling them their AV is expiring/expired. They only tell me once it's too late.
 

xgsound

Golden Member
Jan 22, 2002
1,374
8
81
I went to Secunia and the test didn't work. It took me a while to realize that it used java on Firefox. I had only disabled java, so a re-enable, use, and disable again got my info.

I wanted to let others know Secunia uses java.


Jim
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
I believe you when you say you have so many problems, but the machines I maintain aren't the source. Your first post was a little rude and the only correct part was that a $10 machine might beat a 500 Mhz PIII now. The second post is rude, incorrect, and without a single redeeming quality. Why bother posting for that?

Service packs have crashed some machines every time they come out. The potential of ten old crashed machines that I keep running for free would be inconvenient. Furthermore, these machines have Avira A/V and daily updates along with Spywareblaster and Firefox. I say that's better protected than newer machines with McAfee or Norton, especially when updates expire.

Jim

Didn't mean to be rude, but certainly harsh. As an IT Security Professional, just hearing about systems running XP makes me shudder. Running an UNPATCHED XP while connected to the internet deserves a harsh response because it is negligent. Botnets like Stuxnet and others form because of negligent users.

You think both of my posts were filled with incorrect information? You are sadly mistaken. Exploiting an XP SP2 machine would be painfully simple. There is no DEP, no ASLR, and it has hundreds of vulnerabilities because it is not patched fully.

SP3 for XP has been out forever. It is HIGHLY UNLIKELY that anything would crash. If an application does crash, you should be asking why in the world you are running that application.

Avira, Spywareblaster, and Firefox mean very little on a fully patched system. You, however, are not only running a semi-unpatched system, but you are running one without a very critical service pack. Any Windows Vista or 7 system with McAfee or Norton would be infinitely more secure than the system you have described to me.

Again, not intended to be rude, but absolutely intended to be harsh/critical!

-GP
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
I went to Secunia and the test didn't work. It took me a while to realize that it used java on Firefox. I had only disabled java, so a re-enable, use, and disable again got my info.

I wanted to let others know Secunia uses java.

Yeah, it's almost a case of the cure being worse than the disease. To check for vulnerabilities, we need to install a known exploit magnet, aka Java? That makes total sense... not.

The installable Secunia PSI utility is Java-free, however. Give that a try: http://secunia.com/vulnerability_scanning/personal/
 

VirtualLarry

No Lifer
Aug 25, 2001
56,571
10,207
126
I don't think that XP SP3 is any more bloated than SP2 was. SP2 was where the bulk of the new features came into XP. SP3 is mostly just patches. SP3 is good, you SHOULD install it.
 

xgsound

Golden Member
Jan 22, 2002
1,374
8
81
I'm not worried about bloat so much as crashing the older machines altogether. I've got SP3 on a flash drive to install it as I visit them. A few only have dialup. Some have implants that use USB to accumulate and send monthly reports so I hesitate to fool with what's working.

Gamingphreek: Here's the parts I'll address; You're the only one here that felt the need to tell the thread you're an IT Security Professional. The others here ACTED like IT Professionals. Being harsh when people don't do as you told them IS rude.

Jim
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
I'm not worried about bloat so much as crashing the older machines altogether. I've got SP3 on a flash drive to install it as I visit them. A few only have dialup. Some have implants that use USB to accumulate and send monthly reports so I hesitate to fool with what's working.

Gamingphreek: Here's the parts I'll address; You're the only one here that felt the need to tell the thread you're an IT Security Professional. The others here ACTED like IT Professionals. Being harsh when people don't do as you told them IS rude.

Jim

I *did* tell you exactly what you need to do. If you were afraid of upgrading because of the age of the machines or the software, then you shouldn't be running it or *at the minimum* they shouldn't be connected to open internet.

I never insulted you and, as I said, never intended my response to be rude. Being harsh sucks, but the sooner you get rid of the arrogance that your systems are somehow secure despite everything I posted, the sooner you can understand WHY I am so aggravated that people pull stunts like you.

Next time you hear about botnets and worms spreading over the open internet ruining people's lives (ie: Probably not fun when your credit information is stolen), ask yourself 2 things:

1. Who has to spend the time analyzing this malicious activity, defending the systems, and working towards shutting down the malicious activity?

2. Which system would be the easiest (by far) to compromise:
  • A. Windows XP SP2
  • B. Windows XP SP3 Fully Patched
  • C. Windows 7 Fully Patched

Negligence/Arrogance is at the root of most of IT Security Problems.
 

Lemon law

Lifer
Nov 6, 2005
20,984
3
0
This thread has assumptions that are basic bullshit from beginning to end.

As far as I am concerned, win XP be it home or pro is still a very capable operating system.
I work on other family members' computers, and I have yet to find an XP computer that cannot be fully updated to service pack three.

But if you are dealing with a now 10 year old system, with a Pentium three and less than 256 megabytes ram, it's probably dead now, not because of win XP as an OS, but because of the fact that hardware, in terms of hard drives, motherboards, power supplies, and memory modules are all unlikely to go the eight to ten year distance. And such computers will be slow slow slow compared to more modern computers. But they are equally functional compared to more modern faster computers if your computer needs are basically just emails and such. And doubly so if your only internet options are dial up modems even today.

So what does such a person do when their old XP computer dies of hardware failure post the advent of windows Vista? Especially when they have more time than money and know a thing or two about upgrading computers. Or knows someone in their family who can help them.

The big question #1, is on what terms was the XP license purchased. If it was purchased cheap along with hardware, microsoft has you by the balls. Once the motherboard craps out, sorry Charlie, your old XP OS can't be used on another used and more modern and cheap computer. But if you were wise enough to spend the $100.00 to purchase XP home, you can keep transferring the license to an infinite series of working computers. In my case I bought a used more modern computer with a full license to XP pro, a $159 dollar option, the seller pissed away. Now I have a far more modern system, 2 gigs of DDR2 ram, an overclockable dual core processor, an excellent power supply, a solid capacitor motherboard, and it's equivalent in speed to a system running with 2 to three X the hardware to some schmuck that spent big bucks to buy windows Vista or win 7.

Point granted, win vista and win XP are slightly more secure, but I have learned how to install an almost bulletproof security system on any windows XP computer using nothing but freeware software.

I also inherited a Windows vista lap top, and I hate the OS with a passion. I am also likely to soon own a windows 7 lap top, I fixed earlier for a friend of my wife. They bought it brand new three years ago, and in the first week it got totally borked by a virus. So much for the security of Win 7. Win 7 may be a little better OS than Vista, but I am in no hurry to shower Microsoft with more money every time they have the brainfart of bringing out another even more bloatware OS.

Of course if you have infinite money to burn, you are welcome to think different.
 

wayliff

Lifer
Nov 28, 2002
11,720
11
81
I believe you when you say you have so many problems, but the machines I maintain aren't the source. Your first post was a little rude and the only correct part was that a $10 machine might beat a 500 Mhz PIII now. The second post is rude, incorrect, and without a single redeeming quality. Why bother posting for that?

Service packs have crashed some machines every time they come out. The potential of ten old crashed machines that I keep running for free would be inconvenient. Furthermore, these machines have Avira A/V and daily updates along with Spywareblaster and Firefox. I say that's better protected than newer machines with McAfee or Norton, especially when updates expire.

Jim

I do not understand the hesitation with XP SP3. You may have read something that spooks you.
I have installed Windows XP SP3 on Dell Pentium III with 256MB RAM machines and had no issues.

Now I agree with Gamingphreek when it was mentioned XP SP3 won't stress the system.

Also I wanted to comment on part of your post ... "I say that's better protected than newer machines with McAfee or Norton, especially when updates expire."

I disagree...
If you put a user which cares not for security...both the old and the new machine will end up getting infected but the newer machine has the benefit of running a more modern OS, that is supported, and has likely more robust security mechanisms.

Just because someone was harsh does not make the information incorrect.
Gamingphreek (GP) posted lots of good info.
I see some arrogance in your my SP2 setup "my way" is fine and yes GP was harsh but honest!

If you ask for help, be ready to take different types of responses\opinions\personalities. If you don't like something, back up your claims politely...and likely everyone will be polite...even if it did not start polite.

Anyway best of luck...I'd get SP3 and install the AV that you had in mind.
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81
This thread has assumptions that are basic bullshit from beginning to end.

As far as I am concerned, win XP be it home or pro is still a very capable operating system.
I work on other family members' computers, and I have yet to find an XP computer that cannot be fully updated to service pack three.

But if you are dealing with a now 10 year old system, with a Pentium three and less than 256 megabytes ram, it's probably dead now, not because of win XP as an OS, but because of the fact that hardware, in terms of hard drives, motherboards, power supplies, and memory modules are all unlikely to go the eight to ten year distance. And such computers will be slow slow slow compared to more modern computers. But they are equally functional compared to more modern faster computers if your computer needs are basically just emails and such. And doubly so if your only internet options are dial up modems even today.

So what does such a person do when their old XP computer dies of hardware failure post the advent of windows Vista? Especially when they have more time than money and know a thing or two about upgrading computers. Or knows someone in their family who can help them.

The big question #1, is on what terms was the XP license purchased. If it was purchased cheap along with hardware, microsoft has you by the balls. Once the motherboard craps out, sorry Charlie, your old XP OS can't be used on another used and more modern and cheap computer. But if you were wise enough to spend the $100.00 to purchase XP home, you can keep transferring the license to an infinite series of working computers. In my case I bought a used more modern computer with a full license to XP pro, a $159 dollar option, the seller pissed away. Now I have a far more modern system, 2 gigs of DDR2 ram, an overclockable dual core processor, an excellent power supply, a solid capacitor motherboard, and it's equivalent in speed to a system running with 2 to three X the hardware to some schmuck that spent big bucks to buy windows Vista or win 7.

Point granted, win vista and win XP are slightly more secure, but I have learned how to install an almost bulletproof security system on any windows XP computer using nothing but freeware software.

I also inherited a Windows vista lap top, and I hate the OS with a passion. I am also likely to soon own a windows 7 lap top, I fixed earlier for a friend of my wife. They bought it brand new three years ago, and in the first week it got totally borked by a virus. So much for the security of Win 7. Win 7 may be a little better OS than Vista, but I am in no hurry to shower Microsoft with more money every time they have the brainfart of bringing out another even more bloatware OS.

Of course if you have infinite money to burn, you are welcome to think different.

XP and the word 'secure' do not belong in the same universe.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Another issue with XP is that it doesn't support ASLR. And the old hardware won't have hardware DEP support. ASLR + DEP are foundational to making stuff less trivial to exploit, and a P3 with XP will have neither (sorry, software DEP doesn't cut it IRL).

The best bet on XP would be to try to intercept the exploit payload and prevent execution, and my weapon of choice for that is Software Restriction Policy (on XP Pro/Media Center Edition). And naturally it's valuable to reduce attack surface by removing unnecessary stuff, and keeping the rest rigorously up-to-date.

By the way, another easy win to help those systems: if you're using Adobe Reader, install 10.1.1 and for each Windows account, open Adobe Reader, click Edit > Preferences, hit JavaScript and disable it. This has to be done for each Windows account, it's per-user. Historically, this has been an attack vector in a couple high-profile exploit campaigns.

Also run the Adobe Flash Player Uninstaller, then get Flash Player 11: http://forums.anandtech.com/showthread.php?t=2196239

And I said it already, but get rid of Java if at all possible, or else update it and use EMET to add more mitigation to it.
 

bononos

Diamond Member
Aug 21, 2011
3,928
186
106
..... Cliffs ... Is there a good low impact a/v for old xp sp2 machines?

Jim

I'm still keeping an old P3 pc for old stuff which is running Win2k. Avast runs well, spybot runs ok except for the immunization part which gives the msg about unloading/loading registry hives which hangs the app. Lavasofts Adaware doesn't run properly at all on a faster pc so I didn't bother installing it on the P3. The size of AV databases/updates to store virus signatures have just grown so much that older PCs can't keep up processing all the nonsense.