Hello Tagshare - tell Wayne he owes me a Chivas
"What is the best antispyware application?" is an oft-asked question. Unfortunately, gentle reader, the answer is one that you may not like.
In short, there is no magical prophylactic out there that will protect your computer from all spyware, or from the inevitable results of "unsafe hex". So, as much as I would like this article to say "download and install Product X and you will be safe", that is not going to happen.
I have lost track of the number of times I have been asked to clean an infected PC, and the owner says to me "but I'm running Product X, or Product Y - I thought I was protected". I've also lost track of the number of times products such as AdAware, Spybot, Trend, and sundry other catch-all antispyware or antivirus products have been installed on a PC yet FAILED to PREVENT or properly CLEAN an infection.
You see, many antivirus and antispyware applications are "reactive". A threat emerges and they react to it - studying the threat, and then writing and releasing definitions that detect it, leaving a window of opportunity when the threat is undetectable.
The malware world is not what it was back when AdAware, Spybot and the like came into being. Back then, adware removal was easy. All you had to do was delete a few files whose names never changed, and perhaps some registry entries.
But then randomly named files appeared, then hidden files, then super-hidden files, then the bad guys started installing multiple services that monitored each other and instantly recreated or reinstalled any malware that was removed, then came the rootkits, and then writing to AppInit_DLLs, making it well nigh impossible for old-style cleaners to get rid of infections.
Nowadays, I do not recommend AdAware *at all*, and only recommend products like Spybot to reduce the signal-to-noise ratio - that is, to get rid of the easy stuff so that I can concentrate on the big problems.
What we need to do is get past the idea of depending on what is effectively a monitored alarm system, and stop the bad guy *before* he climbs through the open window and trips an alarm. By the time that alarm has been tripped, a lot of damage may have already been done.
Ok, so as we move away from detection of threats as they appear on our machines, towards preventing the bad guys from being able to raise a threat at all (a subtle, but important distinction), how is this best achieved? We take a multi-pronged approach. We look at the operating system; we look at its patch level; we look at the Web browser; we look at user permissions; we look at the Web browser settings.
Ok, let's get to work.
Operating system:
Move away from Windows 95, 98, 2000 and XP SP1. Upgrade to XP SP2. Local Machine Zone lockdown (LMZ), Zone Elevation Blocks, and MIME Handling Enforcement all work together to make it that bit harder for the bad guys to get to us via the Internet.
Rather than repeat the content of one of my published articles, I'll send you to its URL for further information:
http://www.microsoft.com/windows/ie/community/columns/improvements.mspx
Security patches:
Download and install those security patches. Turn on automatic updates and set it to check for updates every day (yes, I know, we have "Patch Tuesday" now, but products such as Windows Defender are not restricted to once-a-month updates, and we also want to get out-of-band security patches as soon as they are released - and believe me, if it's out of band, you want to install it as soon as possible).
When the MySpace banner ad debacle occurred in July this year, over 1 million PCs were infected via an exploit that had been patched six months earlier!!! In August, itnews.com.au reported that 50,000 PCs had been detected that had been infected via a specific exploit in just one week after a patch was released. This is because the bad guys grab those patches, reverse engineer them and work out how to use the vulnerabilities those patches fix to infect as many machines as possible. You have to patch, or you have to use one of the approved workarounds if you must test a patch before roll-out.
Internet Explorer:
The single most effective thing you can do to protect yourself from spyware on the Internet is to update to Internet Explorer 7. Of course, if you are in a corporate environment you will need to check your Line of Business applications to ensure that they will continue to work. Read the RELEASE NOTES and make a judgment call based on the software that you run.
To be extra careful, you can search the general Internet Explorer newsgroup for mention of your software to see if others are having problems.
Now, as the following URL will show you, running IE7 will *NOT* protect you if you don't practice safe hex. That is, if you reduce Internet Explorer's security settings, if you say yes to download prompts, if you believe, and click on, those ridiculous pop-ups and banner ads that trumpet false warnings about infection, or you allow pop-up advertisements (which are also often used to slip malware onto a PC), you will end up getting infected.
Malware in action - August 2006:
http://msmvps.com/blogs/spywaresucks/archive/2006/08/28/110588.aspx
Other Web browsers:
Don't assume that just because you use Firefox or Opera that you are somehow "safe". You're not. Firefox and Opera will not protect you from unsafe behaviour and settings, and they have also been subject to their own exploits. Search this blog for the word Firefox or the word Opera to find articles that I may have posted about vulnerabilities in those products.
Safety on the Internet:
As the Winfixer example above illustrates, we *must* start practicing "safe hex". Pop-up advertisements, banner ads, and Web pages are all conduits for infection. If anything tries to warn you that your PC is infected **and you did not go to that site and request a scan** DON'T BELIEVE IT! Seriously. If you really want to be sure, go to a reputable site like Trend or Ewido and conduct your own scan.
Remember, pop-ups and Web pages **cannot** see what is installed on your computer without the assistance of additional software which you must download and install first, so if a pop-up or banner reports that it has detected <whatever> it's lying.
There is a famous Microsoft essay entitled "The 10 Immutable Laws of Security" which can be found here:
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true
Briefly, the 10 laws of security are:
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn't practical, in real life or on the Web
Law #10: Technology is not a panacea
But I still want to use antivirus and antispyware software - what do you recommend?
Ok, I'll answer your question, but you have to *promise* to keep your system patched, practice safe hex, and not assume that your choice of prophylactic is going to allow you to throw caution to the wind and do whatever you want online without risk of harm.
Forget AdAware and Spybot, ok? They're not up to the job with the nasty stuff out there like Smitfraud, Vundo and their ilk.
This is what I recommend:
1. Install IE7 (after reading the release notes and assessing whether it is compatible with essential applications). Not only does it beef up your Web browser security, it has not been vulnerable to virtually any of the exploits published this year.
2. You may want to consider Mike Burgess's HOSTS file. It works by stopping your computer from getting to many known bad sites - that is, your computer will not be allowed to download stuff and *then* be stopped from running it (assuming it is not already too late) - instead, access to the bad sites will be completely blocked, and the bad stuff won't get anywhere near you. If a Web page tries to load something from a bad site, whether it be a pop-up, or a banner ad, a dangerous file, or even an entire Web page, IE simply won't get there because the URLs are all mapped to localhost (your local machine). Mike's HOSTS file can be found here:
http://www.mvps.org/winhelp2002/hosts.htm
IMPORTANT DISCLAIMER: The HOSTS file will not protect you from previously unknown or extremely new dangerous URLs, but it will do more than just about any product to reduce the risk surface. It must be updated regularly, and you can subscribe to a mailing list that will alert you to updates.
3. Windows Defender Beta 2 - but make sure you upgrade to Advanced Membership and turn on real-time protection. Windows Defender is a traditional "detection" product in many ways, but it stands out from the crowd because of SpyNet. SpyNet is an early warning system about spyware and other undesirable software. As Windows Defender is used around the world to scan systems, information about new threats that have been discovered is quickly circulated between SpyNet's advanced members using the SpyNet Community Rating system for unclassified software. This rating system shows us what other Windows Defender users have been doing when particular software is discovered on their machines by displaying a bar graph which shows how many people have allowed, removed or blocked a particular program or item - so, you are warned not only about classified software, but also about unclassified software that the SpyNet community does not trust.
Windows Defender can be set to check for updates immediately before every scan. Make sure you use that setting.
4. Antivirus. For years I used Vet Antivirus until the product was bought out by Computer Associates and I became concerned at where the product was going, at which time Trend wooed me away. Again, it must be updated regularly (all my systems are set to check for updates hourly), and I strongly recommend nightly scans (not weekly, as some recommend).
I strongly recommend AGAINST Norton and McAfee products.
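To make the mechanism behind item 2 concrete, here is a small added example (my own illustration, not code from this blog or from the MVPS project) that models how a blocking HOSTS file works: a bad hostname is mapped to the local machine, so the browser never reaches the real server. The HOSTS entries below are a constructed sample in the MVPS layout, not the real list; the hostnames ending in `.test` are placeholders. It also shows the two limits that matter in practice: an entry blocks one exact hostname (not its subdomains, and not URL paths), and a resource fetched by raw IP address never consults the HOSTS file at all.

```python
"""Model of how a blocking HOSTS file stops known bad sites.

Added example; the entries are a constructed sample, not the MVPS file.
"""
from urllib.parse import urlsplit

# Constructed sample in the MVPS HOSTS layout. Newer MVPS releases map
# blocked hosts to 0.0.0.0, older ones to 127.0.0.1; '#' starts a comment.
SAMPLE_HOSTS = """\
# Constructed sample, not the real MVPS list
127.0.0.1  localhost
0.0.0.0  ads.example-bad.test
0.0.0.0  www.example-bad.test  # banner ad server
0.0.0.0  popup.example-scareware.test
127.0.0.1  tracker.example-bad.test
"""

# Addresses that point back at the local machine, i.e. "go nowhere".
LOCAL_TARGETS = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return {hostname: ip} for every entry, ignoring comments and blanks.

    One HOSTS line may list several names after the address; all of them
    resolve to that address.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # malformed line, skip it
        ip, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower().rstrip(".")] = ip
    return mapping


def blocked_hosts(mapping):
    """Hostnames the file sends to the local machine (excluding localhost)."""
    return {h for h, ip in mapping.items()
            if ip in LOCAL_TARGETS and h != "localhost"}


def resolve(hostname, mapping):
    """What the HOSTS file answers for a name; None means 'ask DNS'.

    The resolver consults HOSTS before DNS, so a listed name never
    reaches the network. Lookup is by exact hostname only.
    """
    return mapping.get(hostname.lower().rstrip("."))


def is_blocked(url, blocked):
    """True if the host part of url is one of the blocked hostnames.

    A URL whose host is a literal IP address bypasses HOSTS entirely,
    which is why a HOSTS file is a risk reducer, not a complete shield.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False
    return host.lower().rstrip(".") in blocked


def audit_page_resources(urls, blocked):
    """Classify the resources a page wants to load as blocked or allowed."""
    return {u: ("blocked" if is_blocked(u, blocked) else "allowed")
            for u in urls}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    blocked = blocked_hosts(hosts)
    # Constructed list of resources a page might pull in.
    page = [
        "http://ads.example-bad.test/banner.js",
        "https://www.example-bad.test/",
        "http://cdn.ads.example-bad.test/x.gif",   # subdomain: not listed
        "http://203.0.113.9/payload.exe",          # raw IP: HOSTS not consulted
        "https://www.example.org/page.html",
    ]
    for url, verdict in audit_page_resources(page, blocked).items():
        print(f"{verdict:8} {url}")
```

Two of the sample resources come through as allowed even though they look related to blocked hosts: the subdomain is not listed, and the raw-IP URL never triggers a name lookup. That is exactly why the author pairs the HOSTS file with patching, IE7 and safe hex rather than relying on it alone.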