5 Ways To Defeat Malware
Posted on 08/07/2009 10:48:03 AM PDT by ShadowAce
On a day-to-day basis, we encounter far too many small businesses that have accepted viruses and other malware as an unavoidable part of life. Their machines constantly have problems, the anti-virus finds malware every week (assuming there is anti-virus), and they have lots of unexplainable "weird" little issues.
Unfortunately, the industry's received wisdom focuses on anti-virus, anti-spyware, content scanning, and other paid products and services. Common-sense preventative maintenance is almost never suggested as a low-cost alternative.
It doesn't have to be that way!
REACTIVE VS. PREVENTATIVE
The typical approaches to combating malware are reactive. In other words, it's like leaving your front door and all your windows unlocked, but having a security guard swing by once a day to check on the place.
A better way is to be proactive, and close the vulnerabilities that make most malware effective in the first place.
As an example, how do you maintain your car? You change the oil, don't abuse it, and follow a scheduled maintenance plan. You don't (I hope) skip all that and instead periodically take it to your mechanic for a rebuild at several thousand dollars a pop.
The first is proactive, the second reactive.
Can you guess which approach costs more money? (Hint: it's the reactive approach.)
A BETTER WAY
Following is a list of 5 simple preventative steps you can take to stop malware in its tracks. The best part is that it won't cost you a dime for products.
These are listed in order of how difficult they are to do. The first is the easiest, and the last is the most difficult.
1. Automatic Updates
Turn on Windows Automatic Updates. Have it automatically do the updates, not just notify.
This is the single most effective way to protect yourself against infection. A very large portion of the malware in the wild depends on one or more unpatched vulnerabilities to make the initial infection.
If you're always patched within a few days of the patches being released, then a very large portion of all malware will just fail on your system.
The common argument is that sometimes Windows updates break things. That's true, but it's a very small number. Based on 10 years of doing this sort of work, I'd put the number significantly below 1%.
Based on this, a simple risk analysis shows that patching automatically is the better bet.
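A read-only way to confirm step 1 actually took effect, as an added example (not code from the original article): the script below reads the Automatic Updates setting through the Windows Update Agent's Microsoft.Update.AutoUpdate COM object, checks whether a domain Group Policy overrides it, and reports how long it has been since the last successful install. It assumes Vista or Win7 (where the Results property of that object exists) and PowerShell 2.0; the 30-day staleness threshold is my own choice, not the article's.

```powershell
# Added example, not from the original article. Read-only audit of the
# Windows Automatic Updates posture; changes nothing on the machine.

function Get-AutoUpdatePosture {
    # Local setting, as shown in the Control Panel applet.
    # NotificationLevel: 0 = not configured, 1 = disabled, 2 = notify before
    # download, 3 = download then notify before install, 4 = install on schedule.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    $level = $au.Settings.NotificationLevel

    # A Group Policy setting overrides the local one. AUOptions under the
    # Policies hive uses the same 2..4 numbering; 5 lets local admins choose.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $policyOption = $null
    if (Test-Path $policyKey) {
        $policyOption = (Get-ItemProperty -Path $policyKey).AUOptions
    }

    # Effective setting: policy wins when present.
    $effective = $level
    if ($policyOption) { $effective = $policyOption }

    # Results is available on Vista/Win7 Windows Update Agent versions.
    $lastInstall = $au.Results.LastInstallationSuccessDate
    $daysSince = $null
    if ($lastInstall) {
        $daysSince = [int]((Get-Date) - [datetime]$lastInstall).TotalDays
    }

    # The article's rule is "patched within a few days of release"; a month
    # with no successful install is the (assumed) threshold used here.
    $stale = (($daysSince -eq $null) -or ($daysSince -gt 30))

    New-Object PSObject -Property @{
        LocalNotificationLevel = $level
        PolicyAUOptions        = $policyOption
        InstallsAutomatically  = ($effective -eq 4)
        LastInstallSuccess     = $lastInstall
        DaysSinceLastInstall   = $daysSince
        StalePatching          = $stale
    }
}

function Get-PendingUpdateCount {
    # Ask the Windows Update Agent what is offered but not yet installed.
    # This contacts the configured update source, so it can take a minute.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    return $result.Updates.Count
}

Get-AutoUpdatePosture | Format-List
"Pending software updates: $(Get-PendingUpdateCount)"
```

InstallsAutomatically is the value that matters: a machine set to level 2 or 3 has Automatic Updates "on" in the sense that it notifies, which is exactly the setting the article says is not enough.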
2. Use a Modern Web Browser
Use Internet Explorer 8 (IE8) or Firefox for your default browser.
IE6 and IE7 have long histories of being very vulnerable to drive-by downloads, ActiveX vulnerabilities, and other general nastiness. Don't use them. IE8 is quite an improvement, and actually quite good, especially given Microsoft's history of browsers. The potential challenge is that you may have internet apps or other legacy systems that depend on IE6 running ActiveX controls.
In addition, IE8 on Vista or Win7 runs by default in a very tightly sandboxed mode called Protected Mode. It actually runs with fewer privileges than a standard, non-admin limited user account. This is a defense-in-depth approach: even if something does get through, it will have little to no ability to do harm.
If you can't move to IE8, then try out Firefox. Firefox is an excellent browser, and will serve you well in most cases.
Keep in mind that Firefox is now popular enough to be specifically targeted by malware attacks, so you have to keep it patched to current. On balance, if you can't rely on keeping Firefox patched to current, then you're better off with IE8.
3. Use a modern email client
If you're still running Outlook 2000 or XP, especially if they are not fully patched, then you have a number of wide-open holes in your system.
Consider upgrading to the current version of Outlook or GMail if you're a business, or Thunderbird or a web client if you're a home user. For home users, the built-in Outlook Express or Vista Mail is adequate, provided that you are keeping the system fully patched via recommendation #1 above.
In general, the days of emails automatically executing malware when viewed are a thing of the past, but only if you're not still using a mail client from 1999.
4. Keep the Naughty 5 Patched
Adobe Acrobat and/or Acrobat Reader. Adobe Flash Player. Quicktime Player. Java. Firefox.
These are rapidly becoming the primary targets of many attacks, as they're much more difficult to keep patched to current than the built-in operating system software.
They are critical, however. Adobe's products in particular are notorious for a nearly endless stream of vulnerabilities. There are even techniques by which an attacker can exploit a vulnerability in some versions of Flash to break out of IE8 Protected Mode.
Unfortunately, there's a reason this item is #4. It's not simple for home users, or for businesses without strong IT departments, to keep these up to date on all computers. So that means doing them manually. Once a month should suffice in most cases.
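For the monthly manual pass, an inventory script helps you see which of the Naughty 5 are installed and at what version before you go hunting for updates. The script below is an added example, not code from the original article: it reads the Add/Remove Programs uninstall keys (both the native hive and the Wow6432Node hive on 64-bit Windows), matches display names against the five products by prefix, and compares each installed version against a baseline you maintain. The display-name prefixes are assumptions about how the vendors label their installers, and the baseline versions are placeholders you must replace with each vendor's current release. Assumes PowerShell 2.0 for try/catch.

```powershell
# Added example, not from the original article. Read-only inventory of the
# "Naughty 5" from the uninstall registry keys, compared to a baseline.

function Get-NaughtyFiveInventory {
    # Display-name prefixes as they appear in Add/Remove Programs (assumed).
    $watchList = @('Adobe Reader', 'Adobe Acrobat', 'Adobe Flash Player',
                   'QuickTime', 'Java', 'Mozilla Firefox')
    # Native hive plus the 32-bit view on 64-bit Windows.
    $hives = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall')

    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        foreach ($entry in Get-ChildItem -Path $hive) {
            $props = Get-ItemProperty -Path $entry.PSPath
            if (-not $props.DisplayName) { continue }
            foreach ($prefix in $watchList) {
                if ($props.DisplayName -like "$prefix*") {
                    New-Object PSObject -Property @{
                        Product   = $props.DisplayName
                        Version   = $props.DisplayVersion
                        Publisher = $props.Publisher
                    }
                    break
                }
            }
        }
    }
}

function Compare-ToBaseline {
    param($Inventory, $Baseline)
    # $Baseline maps a display-name prefix to the minimum acceptable version.
    foreach ($item in $Inventory) {
        foreach ($prefix in $Baseline.Keys) {
            if ($item.Product -notlike "$prefix*") { continue }
            $status = 'unknown'
            try {
                # [version] needs at least major.minor; odd strings land in catch.
                $have = [version]$item.Version
                $want = [version]$Baseline[$prefix]
                if ($have -lt $want) { $status = 'OUTDATED' } else { $status = 'ok' }
            } catch {
                $status = 'unparseable version'
            }
            New-Object PSObject -Property @{
                Product   = $item.Product
                Installed = $item.Version
                Minimum   = $Baseline[$prefix]
                Status    = $status
            }
        }
    }
}

# PLACEHOLDER baseline: '0.0' is not a real release. Fill in the current
# version from each vendor's security bulletin when you do the monthly pass.
$baseline = @{
    'Adobe Reader'       = '0.0'
    'Adobe Acrobat'      = '0.0'
    'Adobe Flash Player' = '0.0'
    'QuickTime'          = '0.0'
    'Java'               = '0.0'
    'Mozilla Firefox'    = '0.0'
}

Compare-ToBaseline -Inventory (Get-NaughtyFiveInventory) -Baseline $baseline |
    Format-Table Product, Installed, Minimum, Status -AutoSize
```

Two things the inventory will show that the article only implies: Flash usually appears twice (an ActiveX control for IE and a plugin for Firefox, each patched separately), and old Java releases often remain installed side by side with the new one, so an "ok" on the newest entry does not mean the old one is gone.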
5. Run as Non-Administrator/Limited-User
This is the big one. If you can do this and #1, you're going to be largely (though never completely) protected, even without anti-virus.
Unfortunately, for home users and small businesses without strong IT shops, this step can sometimes be difficult to do.
Vista and Win7 make it simpler, as UAC (despite its very vocal detractors) is significantly better than RunAs and MakeMeAdmin were on XP (for those brave few who tried running as non-administrator in XP).
However, this is probably the single most effective approach, after patching. The vast majority of malware out there requires administrative rights to be able to install itself and do its evil. If you aren't running as admin, then most of this stuff is just stopped in its tracks.
If you're a business still running XP, and you have some level of IT support available (either in house or outsourced), and viruses/malware are a consistent problem, try this. Even if you have a couple of pieces of software that don't run well as non-admin, your IT staff or consultants can often tweak the system to make them work.
Bottom line: if you can operate in this mode, malware will be nearly a thing of the past in your business.
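Step 5 and the Protected Mode point from step 2 both come down to what privileges the logged-on user and the browser actually hold, and both are easy to verify. The script below is an added example, not code from the original article: it reports whether the current account is a member of the local Administrators group (which is what "running as admin" means, regardless of whether UAC has elevated this particular session), whether UAC is enabled, and whether IE8 Protected Mode is on for each security zone. It assumes Vista or Win7 and PowerShell 2.0, and reads the zone settings from HKCU, so a Group Policy that pins zone settings under HKLM is not reflected.

```powershell
# Added example, not from the original article. Read-only check of the
# privilege posture the article relies on: limited user, UAC, Protected Mode.

function Get-PrivilegePosture {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # With UAC on, an admin's everyday token is filtered, so IsInRole() is
    # false until the session is elevated. On XP, or with UAC off, an admin
    # account answers true all the time.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Group membership, elevated or not. BUILTIN\Administrators is the
    # well-known SID S-1-5-32-544; a filtered token still lists it.
    $adminsSid     = New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $isAdminMember = [bool]($identity.Groups | Where-Object { $_ -eq $adminsSid })

    # UAC master switch.
    $sysPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uacOn = ($sysPolicy.EnableLUA -eq 1)

    # IE Protected Mode is stored per zone under value name 2500:
    # 0 = on, 3 = off. Zone 1 = Local intranet, 2 = Trusted sites,
    # 3 = Internet, 4 = Restricted sites. It only takes effect with UAC on.
    $zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    $protectedMode = @{}
    foreach ($zone in 1, 2, 3, 4) {
        $zoneKey = Join-Path $zoneRoot $zone
        if (Test-Path $zoneKey) {
            $zoneProps = Get-ItemProperty -Path $zoneKey
            $protectedMode[$zone] = ($uacOn -and ($zoneProps.'2500' -eq 0))
        }
    }

    New-Object PSObject -Property @{
        User                    = $identity.Name
        RunsAsLimitedUser       = (-not $isAdminMember)
        SessionElevated         = $elevated
        UACEnabled              = $uacOn
        ProtectedModeIntranet   = $protectedMode[1]
        ProtectedModeTrusted    = $protectedMode[2]
        ProtectedModeInternet   = $protectedMode[3]
        ProtectedModeRestricted = $protectedMode[4]
    }
}

Get-PrivilegePosture | Format-List
```

The distinction between RunsAsLimitedUser and SessionElevated is the practical one: a UAC-protected admin account shows SessionElevated false most of the time, but one consent click away from full rights is not the same as the limited-user account the article is recommending, where there is nothing to elevate to.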
Did you notice that none of those required buying anything from anybody, with the possible exception of your IT provider?
On top of this, you can also use the typical means (anti-virus, mail scanning, etc.). These provide a wonderful defense in depth.
But I can tell you from years of experience that there is a direct correlation between these 5 preventative approaches, which we use internally in our business, and problems with malware: we have none.
We actually see more than an order of magnitude difference in support costs and quantity between clients that run as non-admin (and follow the other 4 steps) and those that don't. The savings can really be quite significant.
The bottom line here is one of cost. It's simply cheaper to run your systems with a little bit of preventative maintenance than to have to clean them up periodically. And what business owner wouldn't prefer their staff to spend time doing their business, rather than fighting with their computers?
In other words, prevention beats firefighting, any day of the week.
#6 would be Don't Click on That. The vast majority of random crap the internet throws at you has unwanted stuff with it. Whether it's emoticons or toolbars, if it doesn't come straight from one of the top dozen or so companies whose names we all know, there's about a 90% chance it's got at least cookie trackers and probably worse stuff. Even the top dog companies like to load their crap with stuff that, while not technically malware, sucks off your performance. Almost any time somebody's computer has been rendered next to useless you're going to find a dozen browser add-ons. So quite simply, don't click on that.
The naughty 5 should be emphasised.
What is the best way to see if you have the most current versions?
Running a hosts file can also save you a boatload of trouble and block many annoying ads. You can get a good hosts file at http://www.mvps.org/winhelp2002/hosts.htm
Most of them have an option (which defaults to on) to check and see if there's a more current version. So start 'em up, make sure that option is on, give them a few minutes to phone home, and watch for little things in your tray. Adobe is really fond of the nearly silent download, so if you just whip open a PDF and close it two minutes later you could be interrupting an update.
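A hosts file like the one linked above works by pointing unwanted names at the local machine, and the same file is also a favourite place for malware to redirect bank or update domains elsewhere. The script below is an added example, not from the post above or the linked site: it parses the Windows hosts file, counts names that are blocked (pointed at 0.0.0.0, 127.0.0.1 or ::1) and lists every entry that sends a name to some other address so each one can be recognised or removed. The path is the standard Windows location; the parsing rules (one IP followed by one or more names, # starts a comment) are the hosts format itself.

```powershell
# Added example, not from the original post. Read-only report on the hosts
# file: how many names it blocks, and which entries redirect instead.

function Get-HostsFileReport {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")

    $entries     = 0
    $blockedNames = 0
    $redirects   = @()

    foreach ($raw in Get-Content -Path $Path) {
        # Drop everything after a comment marker, then blank lines.
        $line = ($raw -split '#')[0].Trim()
        if (-not $line) { continue }

        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }   # malformed: no hostname
        $ip    = $fields[0]
        $names = $fields[1..($fields.Count - 1)]
        $entries++

        if (@('0.0.0.0', '127.0.0.1', '::1') -contains $ip) {
            # Points the name at this machine: a block entry (or the
            # standard localhost line, which is counted here too).
            $blockedNames += $names.Count
        } else {
            # Anything else sends a name to a real address. Legitimate on a
            # LAN, but also exactly how a tampered hosts file hijacks a
            # domain, so every one of these should be accounted for.
            $redirects += New-Object PSObject -Property @{
                IP    = $ip
                Names = ($names -join ', ')
            }
        }
    }

    New-Object PSObject -Property @{
        Path          = $Path
        Entries       = $entries
        BlockedNames  = $blockedNames
        RedirectCount = $redirects.Count
        Redirects     = $redirects
    }
}

$report = Get-HostsFileReport
$report | Format-List Path, Entries, BlockedNames, RedirectCount
if ($report.RedirectCount -gt 0) {
    "Entries that redirect rather than block (verify each one):"
    $report.Redirects | Format-Table IP, Names -AutoSize
}
```

A freshly installed blocking hosts file should show thousands of blocked names and zero redirects; the redirect list is the part worth re-running after any cleanup, since the hosts file is read-only to a limited user but writable by exactly the admin-level malware the article's step 5 is meant to stop.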
6. Buy a Mac.
"Did you notice that none of those required buying anything from anybody, with the possible exception of your IT provider?"
I disagree. Our marketing support guy begged and pleaded in our office to get a Mac, saying it would make his job easier. It and the software cost 3-4 times what the rest of us were working on, and not a week goes by that he isn't trying to get the rest of US to add or change software on our PCs so he can be more compatible.
Mac doesn’t support any of these?
“Adobe Acrobat and/or Acrobat Reader. Adobe Flash Player. Quicktime Player. Java. Firefox.”
Knoppix Live Linux CD
I do not EVER accept MS files without EVER checking what I am downloading first!
Linux Mint for Newbies...great intro system....
Don’t know that one but will check it out. Thanks....
I have been using Malwarebytes anti-malware for some time. It works amazingly well, doesn’t run in the background all of the time, and it’s free. You hit the update button and then run it. It has saved my system at least twice. In my opinion, it beats the pants off every other program out there.