Windows 8 anti malware

[Peterr]

I use Defender with Win 8.1 and MBAM. I also use Spyware Blaster am behind a router.
Since I have added SUPERAntiSpyware I find a lot of pups and tracking cookies.
MBAM does not have a quick scan any more - it is a 5 minute threat scan.
I know I can uncheck tracking cookies and pups from SAS.
Without SAS I would be accumulating these tracking cookies and some pups.
I think a false positive is a good file which I would not want to lose.
My question is, would I be better off dropping SAS so I do not remove any false positives, keep all of these findings in quarantine or uncheck them?

 

[Fixer1234]

This is really a matter of preference. A false positive is a known "good" program (one that was flagged in error). A PUP is a potentially unwanted program. It could be something you loaded on purpose but fits a pattern that other people find unwanted. Or, it could be something you weren't aware was loaded. You might decide you like it anyway, but it was flagged because the typical way it gets on computers is surreptitiously.

The safe approach is to let everything get flagged and then decide which of it you would prefer to keep. Anti-malware programs are generally pretty good about what they flag. False positives are not excessive. You are much better off with a program that finds all the bad stuff plus some false positives than one with very few false positives but misses the real risks. If something walks like a duck and quacks like a duck, I would prefer to be aware that there is something walking and quacking like a duck and decide for myself whether it really is a duck.

In terms of quarantining, that should be considered a temporary measure. Usually, stuff that is harmless, just annoying or potentially unwanted, is not quarantined. Stuff that is potentially dangerous is quarantined. Good practice would be to decide whether the item in quarantine is a false positive. Unquarantine it if you are sure it is safe. Otherwise, delete it. If you are not sure whether it is a legit program (malware often impersonates good programs), leave it in quarantine for awhile. You can research it (does the file have the correct size, come from the correct directory, etc.to potentially be the legit file?), or just run the computer for awhile to see if the program's absence causes any problems. When you satisfy yourself of its correct status, either delete it or unquarantine it.

 

[Peterr]

I understand.
I especially caught your reference to catching the bad entries even if it means a lot of fluff.
I am going to try, temporarily, to use my router wisely, MSE with Win 8.1, and its firewall.
Also, I will periodically scan with MBAM and look up any entries in quarantine before I remove them.
SAS, SpywareBlaster etc. - there were too many things catching too many cookies and pums and pups to check on. Yes, I could have disabled the cookies etc. but I think I am paring down to MS with the help of the router and MBAM. The balance between rootkits and false positives was stressing me out so I am backing off.
I would hate to lose a valid file so I will be diligent.
Thank you

 

[Fixer1234]

Just so you are aware about firewalls--

• The one in your router is pretty much there by default. You can usually go in and turn on additional precautions for added security but the default settings cover the basics.
• If you have multiple computers connected to your router (wired or via WiFi), also using a firewall on each computer, like you are doing, is good practice. If you have just one computer, it doesn't hurt but probably doesn't buy you additional protection.
• Firewalls don't protect you from malware. They mainly focus on whether an outside person or entity has authorization to transact business (send or receive files) on your side of the router. They prevent problems like someone remotely accessing your computer without your knowledge or consent. Firewalls don't make any kind of judgement about the desirability or potential risk of the content. Think of it as an ID check at a club. It screens out people who aren't allowed to be there but doesn't address what they might do once inside.

Cookies have become so ubiquitous, and PUPs and PUMs are getting there, that dealing with them can be stressful. No matter how much you do, there are always more. Think about handling them like this:

• You can't get away from cookies. They are part of life if you use the Internet, and using the Internet has become part of life. There are just too many to deal with individually. They generally aren't harmful except to your privacy. The only problem with deleting them is that you might want to keep a few for sites you frequent because having to re-enter information at those sites is an inconvenience. See if you can "whitelist" your favorite sites. Either way, the collection of cookies will grow like a tumor, so either periodically purge them or just allow your anti-malware software to delete them all, but don't spend the time going through the list of all the cookies every time you run your AV software.
• PUPs don't exist with anywhere near the frequency of cookies. They will usually show up in association with downloading software or joining a web site, which you probably don't do every day. They generally are not a real threat but they are rarely something you knowingly chose to download. Reviewing them is generally not much of a burden because there usually are not very many. A simple approach is to allow them to be checked for. If you didn't recently download any software, just let it be deleted. If you did download, verify the findings. This is a lot easier if your AV program separates types of problems so the PUPs are not interspersed and lost in the endless list of cookies. If you accidentally delete a PUP you wanted, it can usually be recovered or just download it again.
• I put PUMs in a different class. They are a lot more insidious and potentially dangerous. The ones that are not dangerous tend to be a real pain in the butt, like changing your default browser. There should not be a lot of them and they are rarely desirable. However, there is a better solution than wading through endless cookie hits to see them. Instead of having your AV software search for them, get WinPatrol ( http://www.winpatrol.com/ ). It is an excellent free program that will auto-load at startup and look for attempts to change your system.

 

[Peterr]

It was very nice of you to take the time to explain as you did.
I am in quandary. MSE with Win 8.1 is insufficient as recent reports indicate. MBAM catches malware but I have no idea if I should delete it or not.
MSE has a place where you can send your detections for analysis.
I can have Norton free as a Comcast subscriber but did not like it when I had it before - improved or not..
I get ready to buy Emisoft for example then read one can obtain sufficient protection free.
I am now using MSE and run MBAM occasionally getting the same PUPS each time. There is supposed to be a way to rid them when they keep occurring -but should they be removed.

The above is why I am in a quandary -I don't want to drop a file but how am I to know what it is?
The flip side is I don't want to become infected.
There must be a compromise.

 

[Fixer1234]

I found Norton to be more trouble than it is worth. At one time, it was the gold standard. Now I don't know whether it is any better than other offerings, but it does not play well with others. I repeatedly ran into problems with software not working on my system, only to discover the problem was Norton. I finally just removed it.

MBAM has a good reputation and doesn't produce a lot of false positives. I would apply the same rule as for old stuff in your refrigerator--when in doubt, throw it out. PUPs can almost always be safely discarded. If it is legit software and important software, the odds are pretty low that it will be flagged. Almost by definition, anything that is a PUP is probably not important software.

If you want a simple approach, just let the AV software do its thing and accept its judgement. The actions are governed by rules that have been developed by teams of people whose job is to be experts in malware, and the occasional false positives get reported and corrected. Even if you take the time to research each hit, you will rarely find that the AV software was wrong, or that the level of response (delete, quarantine, or notify), was inappropriate. If you do experience a legit program being falsely quarantined or deleted, there is a near zero chance that it will be any of your critical software. It is far more likely that you will never miss it.

You are probably focusing on the wrong side of the equation. The truly important issue is preventing real malware. The cost of that is dealing with some level of false positives. The safest and least stressful approach is to do the most thorough possible job of preventing malware and then deal with the resulting false positives, whatever that turns out to be, in the least stressful, most convenient way. Don't design your process to minimize false positives, design it to expect false positives as a good thing and to cope with them in a way that's best for you. Even if you just give the AV software a free hand to delete or quarantine as it sees fit, it will be truly rare that you have to restore something important. If you do, it will be a lot easier and faster than trying to recover from a malware infection.

 

[Peterr]

One example of a conflict with Norton and MS is the tamper protection. Actually, in this instance, Norton is doing its a job. When one attempts to perform a system restore it is fouled as Norton is considering someone trying to alter it or the UAC.

I knew what you stated, that prevention trumps a false positive but I was looking for a compromise that I am not yet informed about and content with. I am diligently researching this and will soon have a comfortable answer.

 

[Fixer1234]

A totally different approach: with enough alcohol, you won't care about false positives.