Anti-Malware Suggestions

People sometimes ask me, "what's the best strategy for avoiding viruses and malware?"

Here are the layers of protection *I* feel are important:

1.  Smart computing involving a user philosophy that keeps malware out.  This is primarily a matter of the user learning to be conscientious and just not do irresponsible things.  Develop an awareness that the software world is a dangerous place and have a willingness to do without some glitz and without running whatever you feel like on the moment without serious consideration, involving testing and taking precautions.

2.  Building an environment that will help not bring malware into the system.  Strategies not typically used or known, designed to help protect against accidental deviation from the philosophy of item 1.  This includes adopting a managed hosts file and/or DNS service for blocking access to parasite web servers that are apt to provide the worst of what's out there, choosing/configuring the browser not to be promiscuous, etc.

3.  Active protection - i.e., an active antivirus package.  Note that this is third because it is no more than a safety net - virtually never expected to be exercised - because of the effectiveness of items 1 and 2 above.  This protection MUST be low-impact, i.e., it should not cause things you do on the computer to be noticeably slower to run, nor should it detect legitimate software and cause you problems.

4.  Regular scanning with both the active protection in item 3 and also a different product to see if anything has managed to creep through layers 1 through 3 above.  Again, if all is as expected, this should never find anything.  A different product is warranted because not every anti-malware maker has the same database of malware; it's a good idea to partner with more than one.

5.  Do regular backups to prepare for the eventuality of loss of data, just in case.

In particular, my choices for the above (and assuming Windows 10 is substantially as we see it in the preview releases) will be:

1.  Always being vigilant and exercising common sense.  Being willing to take the time to research and vet things before adopting their usage.  I read code if choosing to use open source software, and I test things in throwaway VMware virtual machines.

2.  Use of a hosts file created from sources such as MVPS.org (without changing the Windows DNS service), configuring my router to use OpenDNS, and using reconfigured Internet Explorer settings to avoid running ActiveX and to restrict what scripts can do from the Internet zone.  IE still has the best security model of all of them if you set the features properly.  A possibly better alternative to using a hosts file to block name resolution of bad web sites would be to use a DNS proxy server software package, such as the one I use:  Dual DHCP DNS Server.  One advantage it brings to the party is that it can block entire domains through the use of wildcarded blacklist entries.  I have modified the source code (it's an open source project) to handle much larger lists (tens of thousands of entries) so that blacklisting many domains can be practical.  The updated software can be found here and a copy of my installation can be found here.

3.  Windows Defender, as it seems quite efficient and also doesn't detect false positives.  That items 1 and 2 are almost completely effective means that this layer can be somewhat minimized.  Windows Defender is the only anti-malware software I'd suggest for active protection on the Win 10 pre-releases.

4.  The default scans Windows Defender sets up automatically, plus a daily scan by the well-regarded MalwareBytes Antimalware package.  I have also replaced the Windows Firewall entirely with a configuration built on the commercial firewall package Sphinx Windows Firewall Control.  The version 8 release of this product brings name-based configuration management which REALLY makes long-term maintenance of a deny-by-default firewall configuration feasible.

5.  I schedule nightly wbadmin commands to take regular system image snapshots.  I can restore such a backup to bare metal, or I can access the files within using a volume shadow copy access tool such as Z-VSSCopy.  Windows 10 is even restoring the Previous Versions feature (yay!) to help with this.

I have been following the above philosophy for decades, with some differences in the specifics, and I have yet to get even a single infection.  Going all the way back I have only ever had to install Windows once on each of my systems, have had virtually zero infections blocked by the safety net, and have never had a scan turn up anything (except for false positives, which was a problem when I used Avast antivirus).  I have used each setup for years without degradation.  In short, this works.

I have private and secure Windows 7, 8.1, and 10 systems now where I am following the above philosophy, and I haven't detected malware even getting near my systems.

-Noel

Edited by NoelC
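The post above contrasts a hosts file (exact hostname entries) with a DNS proxy that takes wildcarded blacklist entries and so blocks an entire domain.  The following is an added illustration, not code from the thread or from Dual DHCP DNS Server: the "*." prefix meaning "this domain and every subdomain" is an assumed syntax, and all hostnames are constructed.

```python
"""Exact-match hosts-file blocking versus wildcard domain blacklisting."""

# Constructed sample hosts-file entries (exact names only).
HOSTS_FILE = """\
# constructed sample
0.0.0.0 ads.example-tracker.test
0.0.0.0 cdn.example-tracker.test
"""

# Constructed sample blacklist; "*." is an assumed wildcard syntax.
WILDCARD_BLACKLIST = """\
# constructed sample
*.example-tracker.test
badsite.test
"""


def parse_hosts(text):
    """Return the hostnames a hosts file sinkholes to 0.0.0.0 / 127.0.0.1."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if ip in ("0.0.0.0", "127.0.0.1"):
            blocked.update(n.lower() for n in names)
    return blocked


def hosts_blocks(blocked, hostname):
    """A hosts file is an exact lookup: any new subdomain slips through."""
    return hostname.lower().rstrip(".") in blocked


def parse_blacklist(text):
    """Split blacklist lines into exact names and wildcard domain suffixes."""
    exact, wildcard = set(), set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if not line:
            continue
        (wildcard if line.startswith("*.") else exact).add(line.lstrip("*."))
    return exact, wildcard


def blacklist_blocks(rules, hostname):
    """Match exact names, then walk up the labels to catch whole domains."""
    exact, wildcard = rules
    name = hostname.lower().rstrip(".")
    labels = name.split(".")
    return name in exact or any(
        ".".join(labels[i:]) in wildcard for i in range(len(labels)))
```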


These all seem like good suggestions, especially smart computing and not doing irresponsible things.

 

But you didn't mention the best suggestion of all--use an operating system that doesn't beg to be infected.  That is, don't use Windows.

 

There are lots of enjoyable "distros" of Linux, many of which have been very friendly to novices for years.  You can compare and check them out at DistroWatch.

 

And of course Linux isn't alone.  There's FreeBSD and its distros, MacOS and maybe even Solaris.


Thanks, Ken.  Unfortunately the decision isn't just an easy arbitrary "okay, I'll do that instead" for a large chunk of Windows users.

 

There's nothing inherently more secure about Linux/Unix.  It's just that it's a relatively low-popularity OS that not many malware writers have chosen to target.  Thing is, Microsoft may be driving a lot of users to Linux in the very near future.  With increased popularity will come increased targeting and risk.

 

-Noel


I don't know what you mean or are implying by "obvious tinfoil hat responses".

I would guess something *like*:

http://www.infoworld.com/article/2608352/internet-privacy/another-privacy-threat--dns-logging-and-how-to-avoid-it.html

Free, at least, in the sense that they don't charge you for using their servers; but if you're not paying for the service, you are the product, of course.

 

 

jaclaz


Quote from NoelC:

People sometimes ask me, "what's the best strategy for avoiding viruses and malware?"

 

Here are the layers of protection *I* feel are important:

 

1.  Smart computing involving a user philosophy that keeps malware out.  This is primarily a matter of the user learning to be conscientious and just not do irresponsible things.  Develop an awareness that the software world is a dangerous place and have a willingness to do without some glitz and without running whatever you feel like on the moment without serious consideration, involving testing and taking precautions.

 

2.  Building an environment that will help not bring malware into the system.  Strategies not typically used or known, designed to help protect against accidental deviation from the philosophy of item 1.  This includes adopting a managed hosts file and/or DNS service for blocking access to parasite web servers that are apt to provide the worst of what's out there, choosing/configuring the browser not to be promiscuous, etc.

 

3.  Active protection - i.e., an active antivirus package.  Note that this is third because it is no more than a safety net - virtually never expected to be exercised - because of the effectiveness of items 1 and 2 above.  This protection MUST be low-impact, i.e., it should not cause things you do on the computer to be noticeably slower to run, nor should it detect legitimate software and cause you problems.

 

4.  Regular scanning with both the active protection in item 3 and also a different product to see if anything has managed to creep through layers 1 through 3 above.  Again, if all is as expected, this should never find anything.  A different product is warranted because not every anti-malware maker has the same database of malware; it's a good idea to partner with more than one.

 

5.  Do regular backups to prepare for the eventuality of loss of data, just in case.

 

In particular, my choices for the above (and assuming Windows 10 is substantially as we see it in the preview releases) will be:

 

1.  Always being vigilant and exercising common sense.  Being willing to take the time to research and vet things before adopting their usage.  I read code if choosing to use open source software, and I test things in throwaway VMware virtual machines.

 

2.  Use of the MVPS hosts file, configuring my router to use OpenDNS, and using a reconfigured Internet Explorer set to avoid running ActiveX.  IE still has the best security model of all of them if you set the features properly.

 

3.  Windows Defender, as it seems quite efficient and also doesn't detect false positives.  That items 1 and 2 are almost completely effective means that this layer can be somewhat minimized.  Windows Defender is the only anti-malware software I'd suggest for active protection on the Win 10 pre-releases.

 

4.  The default scans Windows Defender sets up automatically, plus a daily scan by the well-regarded MalwareBytes Antimalware package.  I am also considering reducing the permissiveness of the Windows Firewall (another user here, and I'm sorry I forgot specifically whom, has recently posted a configuration that does this).

 

5.  I schedule nightly wbadmin commands to take regular system image snapshots.  I can restore such a backup to bare metal, or I can access the files within using a volume shadow copy access tool such as Z-VSSCopy.  Windows 10 is even restoring the Previous Versions feature (yay!) to help with this.

 

I have been following the above philosophy for decades, with some differences in the specifics, and I have yet to get even a single infection.  Going all the way back I have only ever had to install Windows once on each of my systems, have had virtually zero infections blocked by the safety net, and have never had a scan turn up anything (except for false positives, which was a problem when I used Avast antivirus).  I have used each setup for years without degradation.  In short, this works.

 

-Noel

 

Very sensible advice!

 

However, I would stress the importance of #3 over 1 and part of 2. IMX it's not really the case anymore that you can be safe from malware by avoiding or blacklisting specific dubious websites. Just a couple of nights ago I was at (of all things) a classical-music site when Norton advised me that it had blocked a Trojan attack. :o  I'm not sure that a hosts file would help in that case (I use the one put out by the Spybot folks.)

 

But setting yourself up to be protected from phishing sites (the other part of #2) is definitely a plus.

 

IIRC, using ad blockers might also protect the user from drive-by downloads on otherwise innocuous websites.

 

--JorgeA


I'm a simple guy

 

1. use HOSTS file which I update with my own entries

2. configure browser on certain settings

3. use specific cleaning paths (batch)

4. scan once a month with MBAM

 

don't use UAC, don't use any real-time protection

-

still doing ok :D


Oh but I need Java to play Minecraft! :w00t:

 

My security setup seems to work well enough, but I don't get so crazy about it. I have UAC enabled, Windows firewall, MSSE and then the firewall in the router. It is maybe my browsing habits that are a little different.

 

My primary browser is a Mozilla type (Firefox or Palemoon) with NoScript. That addon does well enough to block any sort of thing from entering from a webpage. However, I will not compromise my computer's security to ensure that a website works correctly... For example, if there is some site that I want to use (or currently use) that generates an XSS warning, and thus is not operable without using an exception... I won't use it until the warning no longer exists. This happened a few years ago on Facebook, where I decided to stop using certain apps because they were using XSS. The response from the support group was to add an exception to allow apps on Facebook to use XSS!

 

I use other browsers for specific things.  IE is used for Microsoft related websites only... Chrome is used primarily for Google related sites like Youtube.

 

I have MBAM installed but I only use it if I suspect something is up.

 

When I do repairs or virus cleaning for friends or family, I typically recommend they use Chrome as their browser. It seems to do a good enough job stopping attacks from coming in through the web. And that is really the #1 source of infections these days. Very few people are still using actual email clients, and now are using web-based versions instead. Outlook and Outlook Express used to be virus havens!


I just don't know, I see lately some product from malwarebytes called "anti exploit", that "shields" java and other crap

dunno how it works and if it works.... but as my logic goes whenever you let something out of a sandboxed area then

your sandbox is useless, so how the hell can it "shield" anything, especially things like java that need inet access


Define "works".  Define "protected".

 

Do you feel you should be able to run any piece of software you want from any source and magically your system will be protected?

 

That's a fantasy, and doomed to failure.

 

There is no anti-malware philosophy that will work without thought.  Common sense and adoption of good practices are required first and foremost.  If you can't be bothered to think, then you WILL be bothered by malware.

 

-Noel


Quote from NoelC:  '3.  Windows Defender, as it seems quite efficient and also doesn't detect false positives.'

The only issue I have had with Windows Defender IS THE False-Positive alerts with some of the Nirsoft products such as BrowserPassview, Productkey and Wirekeyview, but that can easily be corrected by adding these to the exception list.

~DP