So tell us which settings please.
So you don't understand how it works? I had to bypass it (and no, I wasn't using Firefox) to enable access to the site. Most people would have been put off from bypassing it or would not know that they could.
Yes, I wanted to test my defences and they held up.
More virtualization: give Returnil a go (activate the virtual mode before connecting to the Internet). It protects you from virtually everything by misdirecting anything potentially harmful: you still get attacked, you still get compromised, the virus starts congratulating itself on a job well done; you reboot and it's gone. So are any other changes, so you don't want to install some large program at the same time with virtual mode active.
90% of the viruses I deal with are caused by exploits in Java, Flash or Adobe Reader. I have to remind people that almost all updates they were prompted about in these programs are security updates. This also applies to less widely used programs like Shockwave and Quicktime. Also, as has been mentioned, always make sure your security programs, Windows, and browsers are up to date. On Secunia's website, you can download Personal Software Inspector that scans your computer for all programs needing updates, but I haven't had good luck with it so far when setting up on novice computers. Easier for me to occasionally run a check on the versions of the installed programs on my system and use their own updating feature or check a site like filehippo.com to see if it needs updating.
A big part of the problem is people getting notices to update things but ignoring them, such as Java and Adobe, not to mention Windows Updates.
Let’s get to the root of the problem: you’re accessing the internet through the administrator account. That’s like opening the front door of your home and letting anyone who wants to walk in and wander around. In that case, there’s some highly sophisticated malware that can actually turn off any antimalware software faster than the software can quarantine the offender, which will then have its way with your computer, and that’s probably what happened. The solution is not extra or different layers of antimalware software because, under that circumstance, those others would have failed, too, but rather to set up your computer properly in the first place. You already have everything you need; there’s no need for anything else.
My operating system is Windows XP Professional, so my suggestions are for that particular product, but also apply to more recent operating systems. Your computer should have at least three password protected accounts: administrator, limited, and visitor. The administrator account is for installing and updating software, computer maintenance, etc, but it’s not for browsing the internet; accessing the internet through the administrator account should be kept to a bare minimum. The limited account is your personal user account for accessing your e-mail, browsing the internet, word processing, etc. The visitor account is a limited account changed to guest account status in case you have a visitor who would like to use your computer.
Turn on the operating system’s Data Execution Prevention and Software Restriction Policy. You can learn more about that here: http://www.mechbgon.com/build/security2.html Turn on “Use the Welcome Screen” and “Use Fast User Switching.” As other posts suggested, learn how to adjust your browser’s security settings and check for software updates monthly. If you have any software that will not open properly in the limited account, right click on the desktop shortcut and use the “Run as …” function to open it. If software is so poorly written that it will not open at all in your limited account, then uninstall that software and find a replacement. Your security software, AVG Internet Security 2012, has two parts: 1. antimalware, and 2. everything else. The antimalware part is actually very good – in fact one of the best, but the rest is not. Since you paid for it in advance, then continue to use it as long as you set up your computer properly. Once your subscription expires, switch to AVG Anti-Virus Free, which is good enough if your computer is set up the way I've described, or if for some reason you feel the need to continue using a security suite, do some research and select one of the top suites at that time.
The antimalware part of AVG Internet Security has an antispyware component, as do all major antimalware products today, so there is no need for SUPERAntiSpyware (a worthless product), Windows Defender, SpywareBlaster, etc. Don’t bother with Malwarebytes Anti-Malware; it’s very good at removing malware, but its detection rate is below average, so if it can’t detect it, it can’t remove it. All those products represent the past, not the present. There is no need to layer your computer with all that time wasting silly stuff when your computer is set up the way I’ve described. All you need is your AVG product and the Windows Malicious Software Removal Tool, which works in the background and will automatically install the latest version when you update the operating system every month. It’s very unlikely that anything will get through and install itself, but in case something does, run the antimalware scan on your AVG Internet Security once a month as a double-check.
When I first set up my computer properly four years ago, I found the change inconvenient and a little frustrating. But, I stuck with it, and now I would never go back. So many people seem to use their computers in a climate of fear and paranoia that “something might happen.” They load their computers with all kinds of security junk and are constantly running scans because “something might happen.” When your computer is set up the way I’ve described, it’s very difficult for anything to get through and install, and even if something does, it will not be able to execute, leaving it to be quarantined when you run your monthly antimalware scan. I’ve used my computer on the internet almost every day for the past four years with calm and confidence, free of the fear I used to experience. I get hit with internet based malware at least once a week and I just laugh at it as my antimalware software grabs it immediately and puts it into quarantine because it has no place else to go and can't execute. Set up your computer like I’ve described and you, too, can laugh at malware.
Last edited by cloudsandskye; 2012-12-01 at 16:13.
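The setup described in the post above (a limited account for daily use, DEP turned on, a default-deny Software Restriction Policy), scripted as an added example. This is the editor's code, not anything from the thread or from mechbgon's guide. It assumes Windows 10/11 with PowerShell 5.1 in an elevated console; the account name `daily` is a placeholder; and it writes the SRP registry layout that secpol.msc writes, directly, so it also works on Home editions that have no policy editor (an assumption about the registry format, so verify the result in secpol.msc where available). The path rules allow only the Windows and Program Files trees; the extra Disallowed rule for `Windows\Temp` is the editor's addition, since that folder is writable by standard users.

```powershell
# Added example: limited account + DEP OptOut + default-deny SRP.
# Run from an elevated PowerShell; reboot afterwards for DEP and SRP to apply.
#Requires -RunAsAdministrator
param([string]$UserName = 'daily')   # hypothetical account name

# --- 1. Limited account: member of Users only, never Administrators ----------
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for limited account '$UserName'"
    New-LocalUser -Name $UserName -Password $pw -PasswordNeverExpires | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $UserName
}
if ((Get-LocalGroupMember -Group 'Administrators').Name -match "\\$UserName$") {
    throw "$UserName is in Administrators; remove it before using it for browsing"
}

# --- 2. DEP: OptOut = on for every process unless explicitly excluded --------
# Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
#   0 AlwaysOff, 1 AlwaysOn, 2 OptIn (default), 3 OptOut
$dep = (Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
if ($dep -notin 1, 3) {
    bcdedit /set '{current}' nx OptOut | Out-Null
}

# --- 3. Software Restriction Policy: deny by default, allow system paths ------
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $safer -Force | Out-Null

function Add-SrpPathRule {
    param(
        [string]$Path,
        [ValidateSet('Unrestricted', 'Disallowed')][string]$Level,
        [string]$Description
    )
    # Rules live under <level>\Paths\{GUID}: 262144 (0x40000) = Unrestricted, 0 = Disallowed
    $levelKey = if ($Level -eq 'Unrestricted') { '262144' } else { '0' }
    $ruleKey  = Join-Path $safer "$levelKey\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty $ruleKey -Name ItemData    -Value $Path        -Type String
    Set-ItemProperty $ruleKey -Name SaferFlags  -Value 0            -Type DWord
    Set-ItemProperty $ruleKey -Name Description -Value $Description -Type String
}

# Allow rules first, so nothing is blocked in the window before they exist
Add-SrpPathRule -Path $env:SystemRoot   -Level Unrestricted -Description 'Windows'
Add-SrpPathRule -Path $env:ProgramFiles -Level Unrestricted -Description 'Program Files'
if (${env:ProgramFiles(x86)}) {
    Add-SrpPathRule -Path ${env:ProgramFiles(x86)} -Level Unrestricted -Description 'Program Files (x86)'
}
# User-writable folder inside the allowed Windows tree: deny it explicitly
Add-SrpPathRule -Path "$env:SystemRoot\Temp" -Level Disallowed -Description 'Windows Temp (user writable)'

# Default SRP executable types plus the common script types (editor's addition)
$types = @('ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
           'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
           'PIF','REG','SCR','SHS','URL','VB','WSC',
           'JS','JSE','VBS','VBE','WSF','WSH')
Set-ItemProperty $safer -Name ExecutableTypes   -Value $types -Type MultiString
Set-ItemProperty $safer -Name TransparentEnabled -Value 1 -Type DWord   # 1 = executables; 2 adds DLLs
Set-ItemProperty $safer -Name PolicyScope        -Value 0 -Type DWord   # 0 = all users, admins included
Set-ItemProperty $safer -Name DefaultLevel       -Value 0 -Type DWord   # 0 = Disallowed

Write-Host "Done. Log in as '$UserName' for daily use; reboot to apply DEP/SRP."
```

Installers that live in a user profile or a download folder will be blocked by the Disallowed default, which is the intended effect of the setup described above: run them from the administrator account, as the post says, rather than adding allow rules for writable folders.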
Hi, thanks for the advice. I am studying it carefully. You are the only one to answer my original question about the effectiveness of restricting Internet access to a Windows non-admin account. It seems like the way to go, but I am surprised that there is not more said by and heard from authoritative sources (e.g. Windows Secrets, or have I missed it?) about this option and its effectiveness. Also the mechbgon link provided is very useful and detailed.
So you are saying also that the free version of AVG Anti-Virus is much better at virus protection than the paid version of AVG Internet security 2012. Wow, that's a revelation! I have no reason to doubt what you allege and if true it's an indictment on AVG. I wonder what their position is. Are there any authoritative sources for further information about this?
Wait a minute, that's not what I said! Although, I can now see from my post how that might be inferred. What I am saying is that if you set up your computer the way I described, AVG Anti-Virus Free is good enough, but it is not superior to the pay version. I had better revise my post.
As an IT Pro, I am going to be bold enough to inject my 2 cents, FWIW. Over the years the security landscape has changed. For one thing, we have (finally) come to realise the magnitude of malware as a problem. We track and alert in regard to dangerous web sites like we never did before. Browsers and OSs have become more secure than ever. Back in the day, I carried an arsenal of weaponry to fight the nasty web, and put a 'team' of tools in machines I built or overhauled for clients.
I am not going to enumerate all the various security products I've touched and the details of the past vs. now, but the approach has changed.
Certainly for Windows 7 and 8, absolutely MSE. Additionally, Malwarebytes, run weekly, just as an extra 'cushion'. Windows Firewall, and possibly behind a router.
Optional is SpywareBlaster & BrowserGuard.
From both experience and awareness, the above (simple) formula works, and works well. I will always use it and recommend it highly and enthusiastically, and be content and confident sticking with that formula without feeling a need for alternatives. Safe surfing and downloading must also be factors!
Last edited by Drew1903; 2012-04-13 at 02:43.
Limited accounts for anything that risks infection, together with a virtualization layer (in the past SteadyState for XP; effective but a bit cumbersome) like Returnil and a good hardware router, would be, is(!), so robust that there wouldn't be a need for anything else, period.
The problem is that the concept is almost as alien as the idea of walking nude on the moon, and so is "sticking with it", as cloudsandskye said. Put OpenDNS on the job as well to protect against phishing sites and the general types of sites you want to keep young'uns off anyway, and a PC is practically impregnable, because even the occasional virus that is hand-held and led across the barriers (the vast, vast majority; is there a kind way to say users are so close to 100% at fault it's virtually 100%, so we don't have to say "no, no, it's not your fault, you just need better AV and maybe don't click on 'that' again"?) is gone with the next reboot.
To me it is so mind-non-bogglingly easy, but guess how many people I know that are set up this way? Yep, no others, 'cept my immediate family.
We have since moved on to just employing virtualization for the cognizant adults, since XP really is a PITA when it comes to limited accounts, and we're still running free and clear, 12 years and counting (it helps to be physically isolated as we are as well; in a city I would take additional steps to secure wireless, of course). MSE is on a couple of systems but only used for scanning downloaded PDFs (even though we use safe-mode display in FoxIt) and the like, and Malwarebytes is available for the occasional scan.
This might be another alien concept, but I don't consider it malware vs. my computer. It's my brain vs. the malware writer's brain, and I have the superior hand because he/she has to get into my fortress; and if need be, I have the ability to make my fortress vanish right before his or her eyes even if they're standing in the courtyard thinking they've succeeded. Someday, if my brain loses to a malware brain, I might even get to pull my parlor trick! Right now I just get to use it for dumb stuff, like using a trial program without using a trial program because I don't think I use it often enough to purchase it.
I noticed AVG Internet Security 2012 includes a firewall. Since your operating system also has a firewall, you should choose one and turn off the other; don't run them both at the same time. When the AVG product was installed, it may have turned off the operating system firewall, so this may be a moot point.
If you are going to use AVG instead of MSE, use the OS native firewall, not the AVG firewall.
I totally agree with Mart44. I always surf sandboxed with Sandboxie. I also use it on a test machine to visit bad sites that infected customers' computers, just to see what it attempted to install. I just close the sandbox and it all goes away. I have never had any residual effects. Although nothing is 100%, it comes pretty darn close. Bundled with MSE as an AV, Windows Defender (anti-spyware), Comodo Firewall, DNS filtering, Acronis True Image, and a bit of common sense, I have been able to stay out of harm's way.
If you're going to use Sandboxie on a 64-bit system, be sure to visit their website and read about the reduced protection disclosure and their proposed Experimental Protection package to help close the hole they can't prevent otherwise.
I wouldn't use Google's Chrome browser. Everything Google is spyware that obtains personal information about you and uses it to create a personal profile that is in turn used to deliver personalised ads across the web.
There is one thing that no one has advised you to use - use a User Account instead of an administrator account when accessing the web. You can create one via User Accounts in all versions of Windows. A user account does not allow software to be installed, so is much safer than using the Administrator account.
In 20 years of surfing the web, I have yet to be hit by a virus seriously enough to make it necessary to reinstall anything. What has hit me is installing bad software from the cover discs of computer mags.
Also, make sure that your broadband router has its hardware firewall enabled by accessing its configuration page in a web browser.
MADAM to the Rescue!
After reading all the helpful suggestions posted here I was, admittedly, a little overwhelmed. What should I do next was the immediate question. How do I implement the best solution/s and avoid doubling up on mutually redundant solutions? Also, how do I rationalise the quandary we are all faced with of choosing a malware protection solution that may be, or has been, really good at one time but is now superseded by another, better product?
Someone suggested a multi-layer approach. I don't know what is meant by that, but it started me thinking. So I came up with the idea of the MADAM model, an acronym for Malware Detection And Mitigation. A copy of this model is attached here.
What the MADAM model does is to represent a computer user's Internet access experience as a seven layer model. The Internet WWW is layer 1 in the model, the computer user is at the top at layer 7 and the rest of the essential infrastructure is in between in layers 2 to 6.
So how does this model help? Firstly, we can postulate that the best malware protection is provided by implementing appropriate solutions across as many of the 7 layers as is appropriate for the level of protection we wish to provide. Secondly, we might observe that implementing mutually redundant solutions within the same layer may not be as effective a strategy, so we should avoid doing this.
Thirdly, the lower down in the model we implement protection then the lesser the propensity there is for the malware to infiltrate further and therefore the easier it should be to mitigate its adverse effects - to clean up the damage in other words.
So here are some ideas of what can be now done by way of protection in each layer:
Layer 2 - DNS filtering, as suggested by Susan Bradley in Windows Secrets Newsletter • Issue 333 • 2012-04-05
Layer 3 - Enable and configure the hardware firewall in your broadband router, as suggested by Eric above.
Layer 4 - Implement Windows user account, Data Execution Prevention and Software Restriction Policy controls as suggested by a couple of contributors above and with further information here http://www.mechbgon.com/srp/index.html
Layer 5 - Install a total Internet security application, or at least anti-virus and malware protection applications. These have to run in real time otherwise they will not be able to prevent an attack as it occurs. Lots of recommendations were given by contributors in this layer.
Layer 6 - We are pretty high up in the model now. The application layer is for virus and malware whole system scanners. The infiltration has already occurred so we have to scan for and remove them and, hopefully repair the damage caused. Some of the applications we choose for layer 5 may also do the scanning required here in layer 6 but may not be able to repair the damage. We may have to utilise a specific 3rd party repair tool to do this.
Layer 7 - We are at the highest level in the model now so the malware has already infiltrated and damaged the computer. If we have to resort to implementing a fix-up at this level we may have to do it ourselves, manually, or with a purpose written software tool. Much more time consuming to do so at this level. If only I had implemented a solution at a lower layer. 8-)
There is a fourth advantage of the MADAM model. It suggests a solution to the problem of choosing the "best" protection. The problem is, as already mentioned, how can we ensure we are using the best protection product and will it always remain the best? The answer is of course that we can never be 100 percent sure all the time. But we can implement a layered solution based on the model above knowing that the threat is now more likely to be detected and prevented in another layer. Additionally, when we become aware of a better protection solution we can identify our current equivalent solution, where it sits in the model and then just replace it.
So I would suggest at this time an approach along these lines is likely to constitute "best practice" for guarding a computer against malware.
Many thanks to all here for their contributions. I hope all this helps.
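A read-only audit of the MADAM layers 2 to 5 on the local machine, as an added example (the editor's code, not part of the post above or of any product). It reports whether each layer has a control in place: the configured DNS resolvers against a filtering service (layer 2; OpenDNS, which is named earlier in the thread, is used as the example), the host firewall profiles (the local counterpart of layer 3; the router's own firewall cannot be checked from here), current-user admin membership, DEP and SRP (layer 4), and a real-time antimalware product registered with Windows (layer 5). It assumes Windows 10/11 with PowerShell 5.1; the interpretation of the undocumented `productState` bitmask is the commonly used one and is an assumption, as is the SRP registry location.

```powershell
# Added example: audit the MADAM model's layers 2-5 on this machine (read-only).
function Invoke-MadamAudit {
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([int]$Layer, [string]$Control, [bool]$Ok, [string]$Detail) {
        $findings.Add([pscustomobject]@{
            Layer = $Layer; Control = $Control
            Status = $(if ($Ok) { 'OK' } else { 'CHECK' }); Detail = $Detail })
    }

    # Layer 2: DNS filtering. Constructed example list; OpenDNS as named in the thread.
    $filteringResolvers = @('208.67.222.222', '208.67.220.220')
    $dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
           Where-Object { $_.ServerAddresses } |
           ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique
    $usesFilter = [bool]($dns | Where-Object { $filteringResolvers -contains $_ })
    Add-Finding 2 'DNS filtering resolver' $usesFilter ('resolvers: ' + ($dns -join ', '))

    # Layer 3 (host side): every Windows Firewall profile enabled
    $profiles = Get-NetFirewallProfile
    $off = $profiles | Where-Object { [string]$_.Enabled -ne 'True' }
    Add-Finding 3 'Host firewall on all profiles' (-not $off) `
        ('disabled: ' + $(if ($off) { $off.Name -join ', ' } else { 'none' }))

    # Layer 4a: is the current account a member of Administrators?
    # (group membership, not the token: under UAC an unelevated admin token also looks non-admin)
    $me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    $admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name
    Add-Finding 4 'Session is a limited account' ($admins -notcontains $me) "user: $me"

    # Layer 4b: DEP policy (0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut)
    $dep = (Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    Add-Finding 4 'DEP AlwaysOn or OptOut' ($dep -in 1, 3) "policy: $dep"

    # Layer 4c: SRP default-deny (DefaultLevel 0 = Disallowed, TransparentEnabled >= 1)
    $safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $srp = Get-ItemProperty -Path $safer -ErrorAction SilentlyContinue
    $srpDeny = [bool]($srp -and $srp.DefaultLevel -eq 0 -and $srp.TransparentEnabled -ge 1)
    Add-Finding 4 'SRP default Disallowed' $srpDeny `
        $(if ($srp) { "DefaultLevel=$($srp.DefaultLevel)" } else { 'no SRP policy' })

    # Layer 5: a real-time antimalware product registered with Security Center.
    # productState bit 0x1000 = real-time protection on, 0x10 = definitions out of date
    # (common interpretation of an undocumented field; treat as an assumption).
    $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct `
              -ErrorAction SilentlyContinue
    $active = $av | Where-Object { ($_.productState -band 0x1000) -ne 0 }
    $stale  = $active | Where-Object { ($_.productState -band 0x10) -ne 0 }
    Add-Finding 5 'Real-time antimalware active' ([bool]$active -and -not $stale) `
        ('products: ' + $(if ($av) { ($av.displayName -join ', ') } else { 'none' }) +
         $(if ($stale) { '; definitions out of date' } else { '' }))

    return $findings
}

Invoke-MadamAudit | Sort-Object Layer | Format-Table Layer, Control, Status, Detail -AutoSize
```

Run it from the limited account you actually browse with, not from an elevated console, so the layer 4 session check reflects daily use. A `CHECK` row points at the layer where the model says protection is missing; it does not by itself say which product to put there.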