Friday, September 28, 2012

AntiVirus at Home

An Introduction

As most of you can attest, when people find out about a skill, talent, gift, or trade-craft you possess, they ask for help with related issues. In my world this translates to cybersecurity. The Internet has so permeated life that I don't know of anyone who doesn't or hasn't accessed an Internet resource. US life has become so tightly integrated with the Internet and with interconnected IT systems that it is literally in everything. Social media (Facebook, Twitter, G+, etc.) have taken this to a new level. With that comes a slew of issues which many people don't have the time, energy, interest, or motivation to pursue. Fortunately we can rely on each other, right? That's the goal of this blog. My hope is that I can share some insight into what I've learned and what I do on a day-to-day basis to help all of us use this thing called the Internet safely, effectively, and responsibly.


Because of my vocation, I get a lot of questions from friends and family about how to stay virus free on the Internet. First of all, it's not possible, so let's set that expectation now. I don't care if you use a Mac, Windows, or Linux system: if you use the Internet, you will be infected at some point. To keep things modern and accurate, I'm also going to clue you in on a terminology shift. Today the bad things that infect your computer (viruses, worms, trojans, spyware, adware, etc.) are collectively referred to as malware, short for malicious software. So from here on, wherever I say malware, think "bad stuff on my computer."

Next, a quick explanation of what these bad things called malware are. They range in nature, but generally speaking they install themselves deceptively or behind the scenes, collect information about you and your system, and transmit that data to a waiting cyber criminal. That information varies from banking data, to personally identifiable data, to passwords, to everything you type; you name it. There's even malware that will activate your webcam and microphone to spy on you. Yes, it's true! Some malware seeks to use you to spread itself to your family and friends so it can steal more information from more people. Some will even send communications on your behalf via email, asking your friends to click some link to view cute pictures of your family. The tactic of delivering malware (or harvesting your credentials) through an attachment or link in an email, message board post, Facebook post, etc. is called phishing, and it is one of the most common delivery methods. Ever receive an email from some foreign royalty asking for your bank account number so they can transfer millions of dollars to you? Yep, that's a phishing scam. Ever get a strange email from a friend that has a bunch of grammar problems and incomplete sentences, and you wonder if they wrote it while under the influence of a foreign substance? That foreign substance is probably a language translator, and you've been served phish. The worst type of malware is commonly called a Trojan Horse; the kind I mean here is more precisely a remote access trojan (RAT). Its goal is to install an application that runs on your computer and allows a remote criminal to connect to and interact with your computer. Bad stuff!

Ok, now the bad news. You are being targeted. Yes, you. Don't think I'm not talking about YOU because you are "just a home user who accesses the Internet to check Facebook and email." Another misconception I hear is "I don't do anything like banking on my computer, so it's ok if they compromise me." Really? So you don't mind your computer being used as an intermediary to serve pornography or to attack national and corporate networks? Social media and email are two of the most targeted Internet communication channels in use today. Criminals abound in Facebook land. The harsh reality is that there are teams and organizations of cyber criminals out there trying to get to your computer so they can steal information from you, get you to buy their stuff, use you as an intermediary, and so on. Their motivations are as broad as the nets they deploy to capture you. Just browsing to a website can infect your computer if an adversary has injected malicious code into the page. There is a dark side to the Internet and criminals abound. If you are interested, there's a terrific book titled "Fatal System Error" by Joseph Menn which includes a running chronology of how criminals moved from physical theft to cyber theft. The mafia is alive and well...they just moved cyber.

But it's not just the mafia. Another deep dark secret is the prevalence of cyber criminals who do what they do as a career. Just as there are legitimate organizations focused on providing your Internet access, there are malicious organizations providing infrastructure, tools, and resources to the underground communities. There are too many to count, but thousands upon thousands of websites and home computers have been compromised and are unknowingly being used to serve you malicious code. In fact, cyber criminals are better at sharing resources than the defenders are. I heard a recent presentation on identity theft and the cost of purchasing stolen information on the Internet to replicate an identity. The price has plummeted because the market is saturated. Yes, free market principles and supply-and-demand are used by the adversary too. They infect you and then sell your information, or access to your computer, for other criminals to use for their own purposes. It's an entire multi-billion dollar industry.

The other bad news is that antivirus is only marginally effective. Even the best AV out there is, by some estimates, 50% effective or less; I've heard some argue it's closer to 30%. In my experience analyzing malware and its variants, both commercial and free AV products are poor at detecting anything beyond the most common, well-known forms of malware.

And there's more bad news. There are lots of fake antivirus products out there that are actually malware. If you browse to a website and get a popup that looks like it's coming from Windows or an unknown application that says you've been infected, don't trust it. If it says you have to download or buy something to fix the problem it found, it's most likely malicious or at least deceptive.

Ok, so what do you do? Do you stop using the Internet? Do you even bother with AV? My answers are no and yes, respectively. Using the Internet carries inherent risk but tremendous rewards. You will most likely be compromised at some point, just as your credit card numbers will be stolen and used at some point. Mine have been, twice. That's just the world we live in today. But the same risk applies to many aspects of life. Do you stop driving because of the risk of being in an accident? I hope not.

First Line of Defense

Patch, patch, patch. Make sure you are checking regularly for security and software updates on your computer. In Windows, browse to your Control Panel and launch the "check for updates" application. Install anything and everything (except those annoying language packs listed under optional updates). For Mac users, click the Apple menu and launch Software Update. Again, install everything recommended. Also check for updates to Adobe Reader, Flash Player, and Java, which are among the most commonly exploited programs on a home computer. Keep your browsers up to date as well (Firefox and Chrome included). You can't be exploited through a hole that has already been closed. There are always unknown vulnerabilities, but start by at least covering the known ones. Finally, don't click links in emails or social media/chat forums that seem odd or come from people you don't know, and never open a file you aren't expecting.

What AV should you use? 

That totally depends upon what is available to you. My ISP (Cox) provides a free copy of McAfee's suite of client-based solutions, including AV and a convenient website reputation checker. It's a terrific product and, generally speaking, I'm a fan of McAfee solutions. However, on some computers I use Microsoft Security Essentials (a free download from Microsoft), which is another terrific product. Yes, I said Microsoft, security, and terrific in the same sentence. Despite its reputation, Microsoft is actually very good at security these days. Before Microsoft I used AVG Free, which is another terrific product. For my Mac I use Sophos because they have a free AV client. Yes, you must use AV on a Mac. Despite Apple's amazing marketing campaigns, they are very poor at responding to and fixing security vulnerabilities, and yes, there's lots of malware out there that will infect your Mac. Don't believe the hype that you are any more secure than a Windows PC, because you are not. Just ask my poor little sister. In my professional life I have seen and analyzed Mac-targeted malware.

Personally, I will not pay a penny for AV. There are plenty of free solutions out there that are just as effective as the most expensive ones (sorry, vendors). You may not get all the added features, but you'll get a solid foundation for active defense. Don't believe me? Do some searching...there are lots of organizations who perform regular tests on AV products throughout the year and release "effectiveness" reports. There's also a very handy website called "VirusTotal", which scans a submitted file with multiple AV engines (all the major ones and many minor ones too) and compares the results. Typically, if a piece of malware is known, they all detect it. If the malware is new or a slight variant, none of them detect it. Please don't assume that the AV product your company uses is any better than a solution you can get for free. If you receive an attachment or file, before launching it you can upload it to VirusTotal for free and get a scan report from a few dozen AV products. Pretty neat. One caveat: anything you upload is shared with the participating AV vendors, so don't upload documents containing private data; you can look up the file's hash instead and only upload if nobody has seen it before.
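As an added example (not code from the original post), the Python script below shows the two points made above in working form: looking a file up on VirusTotal by its SHA-256 hash instead of uploading it, and why a trivially modified "variant" of a known sample is missed by exact-match signatures. The VirusTotal v3 `/files/{hash}` endpoint and the `x-apikey` header are the real ones; the placeholder file bytes, the "known bad" hash list, the `VT_API_KEY` environment variable and the sample report are constructed for illustration, and the network request is only sent if that key is set.

```python
"""Hash lookup vs. upload, and why a one-byte variant slips past signatures.

Added example for this post, not the author's code. Runs offline on
constructed data; the VirusTotal call is optional (needs VT_API_KEY).
"""
import hashlib
import json
import os
import urllib.error
import urllib.request
from typing import Optional

# Real VirusTotal API v3 endpoint for looking up a file by hash.
VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's contents, the key VirusTotal indexes files by."""
    return hashlib.sha256(data).hexdigest()


# Constructed "known bad" hash list standing in for an AV signature database.
# The bytes are a harmless placeholder, not real malware.
KNOWN_SAMPLE = b"MZ\x90\x00 placeholder executable bytes for the example"
KNOWN_BAD_HASHES = {sha256_hex(KNOWN_SAMPLE)}


def signature_hit(data: bytes) -> bool:
    """Exact-match detection: only a bit-identical file is recognised."""
    return sha256_hex(data) in KNOWN_BAD_HASHES


def make_variant(data: bytes) -> bytes:
    """Flip one bit of the last byte, as a repacked or tweaked variant would."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


def summarize_report(report: dict) -> dict:
    """Reduce a VirusTotal v3 file report to a detection count and engine names."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    names = sorted(
        r["engine_name"]
        for r in attrs.get("last_analysis_results", {}).values()
        if r["category"] in ("malicious", "suspicious")
    )
    return {"flagged": flagged, "engines": sum(stats.values()), "flagged_by": names}


def vt_lookup(file_hash: str, api_key: str) -> Optional[dict]:
    """Fetch the report for a hash; returns None on 404 (file never seen)."""
    req = urllib.request.Request(VT_FILES_URL + file_hash, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


# Constructed report in the shape of a v3 /files/{hash} response (sample values).
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "attributes": {
            "last_analysis_stats": {"malicious": 2, "suspicious": 0,
                                    "undetected": 3, "harmless": 0},
            "last_analysis_results": {
                "EngineA": {"engine_name": "EngineA", "category": "malicious", "result": "Trojan.Generic"},
                "EngineB": {"engine_name": "EngineB", "category": "malicious", "result": "Gen:Variant"},
                "EngineC": {"engine_name": "EngineC", "category": "undetected", "result": None},
                "EngineD": {"engine_name": "EngineD", "category": "undetected", "result": None},
                "EngineE": {"engine_name": "EngineE", "category": "undetected", "result": None},
            },
        },
    }
}

if __name__ == "__main__":
    variant = make_variant(KNOWN_SAMPLE)
    print("known sample detected:", signature_hit(KNOWN_SAMPLE))   # True
    print("one-byte variant detected:", signature_hit(variant))    # False
    print("constructed report:", summarize_report(SAMPLE_REPORT))  # 2 of 5 engines
    key = os.environ.get("VT_API_KEY")  # assumed variable name for your key
    if key:
        report = vt_lookup(sha256_hex(KNOWN_SAMPLE), key)
        print("VirusTotal has seen this hash:", report is not None)
```

Real AV engines add heuristics and behavioral checks on top of hash and byte-pattern signatures, so this is a simplification, but it is the reason the post's observation holds: a known file is caught by everyone, and a slightly changed copy of it often by nobody until someone submits it.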

Should You Use Multiple AVs?

Generally speaking, no. It seems like a great idea, but multiple AV products often conflict with each other. Some even flag another product's scanning processes as malware and try to shut them down. Just pick one and stick to it.

What do I do now?

Step 1: Install AV on every system you use to browse the Internet: Windows, Mac, and Android smartphones. Check with your ISP for a free copy of a commercial product, or download a free one from Microsoft, AVG, or Sophos. If you want to, spend the money...but it won't buy you much.

Step 2: Keep it updated. Most AV products will automatically update themselves at least daily with new detection capabilities. Check your AV regularly to see the status and update if it's more than a few days behind.

Step 3: Run scans often. I used to run full system scans weekly on all my computers. I've relaxed that a little, but it's still good practice. If the scan finds something, accept the recommended action to remove or quarantine the item.

Step 4: Don't panic when you get infected and don't get mad at your AV product. If it's up to date, then chances are pretty high that the "other AVs" wouldn't have caught it either.

Step 5: Don't trust any "virus" or "worm" or "infection" warnings from websites. They are likely fake and trying to get you to install a fake AV product which in fact is probably malware.

Hope this is helpful to someone.

