The word "HOSTS" seems to be strangely missing from this discussion.
Several services offer a free download of a Hosts file, updated on some periodic basis. Mine presently lists about 15,000 known badsites, by URL or domain name rather than by IP. So for the bad guy to change IPs does no good. Of course, they can host their malware at a new domain also, but that is a problem with *every* anti-virus, site warning, or other protection. Some number of people get hit before the word gets out. See further defense to that below.
For those not familiar, the Hosts file (a relic of the days when there were only a dozen computers on the planet, and each had a list of the others and how to contact them) maps URLs to IPs, and *every* browser, including IE, Opera, etc. as well as Fx, checks for domain name resolution there before inquiring of your ISP or Domain Name Server. These Hosts services map all of their known bad sites to a non-existent IP address. So upon finding that badsite.com maps to 0.0.0.0, the browser immediately gives a "can't connect" message, *before it even puts the request on the network*. So you save time and bandwidth, too. Also, it's n00b-proof: Even if Grandma types in badsite.com, or clicks on a disguised link to there, the browser will not be able to establish connection.
Most of these services use 127.0.0.1, the "localhost" or "loopback" address of your own computer, but after discussion among one such service and NS dev Giorgio Maone, I changed mine to 0.0.0.0. Works great. Easy: In Win XP, go to C (or whichever is the OS drive) > Windows > system32 > drivers > etc. Open the Hosts with Wordpad or Notepad -- IIRC, Wordpad does the changes faster. Do a Find/Replace, replacing 127.0.0.1 with 0.0.0.0.
You must then change the first entry back to:
127.0.0.1 localhost
which must *always* be the first entry in the Hosts file. "Save" the file, close everything up, and you are done, until the next update. All changes, including new entries or deletions when you install an update, take effect upon the next start of the browser. It is not necessary to re-boot the machine.
This prevents NoScript or any other program from having to deal with those sites at all. You can't connect to them, and they can't connect to you, even if they're in an ad or IFrame on a trusted site.
2) A new malsite is always dangerous until AV and other defense sites get the word. For additional protection, you can use one of the virtual-machine solutions, or a much more lightweight approach that virtualizes only the browser, such as Sandboxie or VMWare Workstation. (I have no connection to either company, and make no endorsements, warranties, etc. over things I can't control.) Some are free for personal home use. I use Sandboxie, *always*, and configure it to empty the sandbox every time the browser is closed, which is frequently -- *especially* before and after visiting sensitive sites, like online banking. Any malware will be trapped in the sandbox and dumped, and your hard drive remains untouched.
I did a good bit of support work here before other obligations took over, and people were always saying, "Site X works fine without NS, but NS breaks it." I'd have to disable NS to reproduce the issue, which I would never do without a containment feature such as these. Search this forum for "innoshot" for a case in which I reproduced an infection received by a poster, but lost it on the next browser restart, while the user had it for three weeks while we hunted down the source and location on the hard drive. Fortunately, NS prevented either of us from allowing the malicious code to run. No harm, no foul.
This is why "defense in depth" is the best practice, and no single solution, no matter how good, can ever be enough. Debating whether A or B is better, or the merits of either, is useless. Choose what you think is best in each category -- AV, site-warning or evaluation sites, firewall, the Google service if you like (I don't like their privacy violations, but that's just MHO), NoScript of course, and virtualization.
And don't allow any third-party content, other than Akamai, unless you *must*, AND you trust that site. For that matter, don't allow any FIRST-party content that isn't necessary for the function that you need.
Perhaps this combination is why I've remained safe, despite using a browser that's been unsupported for a year and a half, as the useragent below shows.
Cheers and safe browsing to all.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
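The Hosts-file edit described in the post above (replace 127.0.0.1 with 0.0.0.0 for the blocklist entries, keep `127.0.0.1 localhost` as the first entry), written out as a small script. This is an added example, not code from the post or from the NoScript project; the hosts contents below are constructed, and `SAMPLE_HOSTS`, `parse_hosts`, `rewrite_blocklist`, `lookup` and `is_blocked` are names chosen here. Reading and writing the real file (`C:\Windows\system32\drivers\etc\hosts` on the Windows XP layout the post gives) is left to the caller.

```python
"""Normalize a hosts-style blocklist the way the post describes.

Blocked names are rewritten from 127.0.0.1 to 0.0.0.0, the localhost line is
kept (and kept first), and a lookup helper shows how the browser sees the
result: a blocked name resolves before any packet leaves the machine.
"""
from typing import List, Optional, Tuple

# Constructed sample hosts file (not a real downloaded list): a localhost pair,
# two blocklist entries in the 127.0.0.1 style, and an unrelated LAN entry.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1 localhost
::1 localhost
127.0.0.1 badsite.example   # constructed malware host
127.0.0.1\tads.badsite.example evil.example
192.168.1.10 printer.lan
"""

LOOPBACK = "127.0.0.1"
UNROUTABLE = "0.0.0.0"
Entry = Tuple[str, List[str]]  # (address, hostnames)


def parse_hosts(text: str) -> List[Entry]:
    """Parse hosts-file text into (ip, [names]) entries.

    Blank lines and comments (whole-line or trailing '#') are dropped; the
    first token is the address, the remaining tokens are names for it.
    """
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if names:
            entries.append((ip, [n.lower() for n in names]))
    return entries


def rewrite_blocklist(entries: List[Entry]) -> List[Entry]:
    """Map blocked names to 0.0.0.0 and keep '127.0.0.1 localhost' first.

    Unlike a blanket Find/Replace in an editor, the localhost lines are never
    rewritten, so nothing has to be changed back afterwards.
    """
    localhost_lines: List[Entry] = []
    rest: List[Entry] = []
    for ip, names in entries:
        if "localhost" in names:
            localhost_lines.append((ip, names))
        elif ip == LOOPBACK:
            rest.append((UNROUTABLE, names))  # the post's 0.0.0.0 change
        else:
            rest.append((ip, names))  # LAN entries etc. are left alone
    # 127.0.0.1 localhost goes first, then ::1 localhost, then the blocklist.
    localhost_lines.sort(key=lambda e: e[0] != LOOPBACK)
    if not any(ip == LOOPBACK for ip, _ in localhost_lines):
        localhost_lines.insert(0, (LOOPBACK, ["localhost"]))
    return localhost_lines + rest


def render(entries: List[Entry]) -> str:
    """Serialize entries back into hosts-file lines."""
    return "\n".join(f"{ip} {' '.join(names)}" for ip, names in entries) + "\n"


def lookup(entries: List[Entry], hostname: str) -> Optional[str]:
    """Resolve a name the way the hosts file is consulted: first match wins."""
    target = hostname.lower()
    for ip, names in entries:
        if target in names:
            return ip
    return None  # not in hosts; the resolver would go on to DNS


def is_blocked(entries: List[Entry], hostname: str) -> bool:
    """True if hosts pins the name to an unroutable or loopback address,
    i.e. the browser fails before putting the request on the network."""
    if hostname.lower() == "localhost":
        return False
    return lookup(entries, hostname) in (UNROUTABLE, LOOPBACK)


if __name__ == "__main__":
    fixed = rewrite_blocklist(parse_hosts(SAMPLE_HOSTS))
    print(render(fixed), end="")
    for name in ("badsite.example", "evil.example", "printer.lan", "localhost"):
        print(f"{name}: blocked={is_blocked(fixed, name)} -> {lookup(fixed, name)}")
```

`lookup` deliberately matches the file's first-match semantics, so if a downloaded list ever carried a duplicate name with a different address, the earlier line would win just as it does for the resolver.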