"New Product Antivirus & Malware Considerations: from some Windows Forums Pros!"

[RichM]

Recently Bigbearjedi and I began a conversation in another thread about our beliefs on how ordinary users can stay protected in today's very difficult climate of ransomware and encryption laced infections so lets share our beliefs as we both have active businesses and tell everyone how we protect our clients. Anyone else here is free to join in based on experiences.

My basic protection begins with Emsisoft Antimalware which is both Antivirus and AntiMalware. All browsers are protected with Adblock Plus and WOT (Web of Trust) individually installed in each. Win Patrol used to lock down startup, registry and home page from changes. All users have Spywareblaster installed to further protect browsers and Crypto Prevent (to keep our Crypto Locker Virus) as an additional layer of defense.

Clients are given a paper with instructions on how to update Spywareblaster and Crypto Prevent and reminded to update Java, Adobe Reader and Flash Player regularly. No toolbars are allowed on any browser and they are shown the proper way to search with Google set as the only search engine in all browsers and of course regular updating with Windows Updates suggested on all versions of Windows except Windows 10 which of course is automatic. With "Unchecky" installed half of the attempts to pollute systems by third party software providers are prevented and clients are advised to carefully uncheck all services offered by such vendors.

 

[Neemobeer]

Every security expert will tell you the same thing. Layered defense or defense in depth. No single product will protect you from everything and typical AV suites are only about 40-60% effective.

• All client workstations should have some form of AV (even Windows Defender is pretty decent and free)
• Client side firewall configured (some are included in the AV suite generally called internet security suites instead of AV
• Current patching on OS and all applications
• OS hardening, disable or remove any unused Windows services or applications
• Remove software you don't need or keep it current, If you don't need Java and/or flash remove them they are the two most exploited applications
• There are some great browser extensions including No Script, ad blockers these are a great defense against malware especially ransomware that use cdn or ad space to host their exploit platforms which include Nuclear and Angler exploit ktis
• A network based firewall and/or IPS/IDS system. Sophos has a cheaper $350 SMB UTM that will help prevent threats
• Web proxy/filter for block unapproved or suspicious web traffic
• MOST IMPORTANT -- A security awareness training program for your employees social engineering is the #1 threat to your personal data and your company. There are lots of cyber training programs out there.

This is just a small list of things to secure your network. I can offer more solutions, but some of the "cooler" or better solutions will be limited by budget.

 

[RichM]

"A security awareness training program for your employees" so true. People infect computers...one of the things we hear the most is "I didn't put that there" or "how did that get there", or "I didn't do it" and it is so important we get people to realize they enabled the thing or installed it by not exercising normal care and they can make a difference.

 

[holdum333]

Windows Defender
MBAM Pro-Real time
Ad-Muncher
WOT
Malwarebytes Anti-Exploit
SuperAntiSpyware- on demand
Smart surfing - the #1 protection
Macrium Reflect- Not much worries me with 8 images of my OS on a external!
Wireless Router
I spend 00$ and I'm not selling any thing and I have never been infected. I'm waiting for MBAM ransomeware beta to be tested!
Introducing Malwarebytes Anti-Ransomware Beta
IMHO You have to be pretty gullible to get infected

 

[Neemobeer]

No you don't have to be gullible to be infected. The bad guys buy ad space to host the malware. You go to a legitimate site and the ad's host the malware that infects your system completely undetected. I've seen this happen in action.

 

[Neemobeer]

Also it's important to note "I've never been infected" is, nothing against you, a really dumb statement. You could have 8 different security applications running and quite easily be infected. Just because your software doesn't detect it doesn't mean you haven't been compromised. I've worked at places with some serious sec-ops budgets 2-10 million / year with some pretty awesome defense in place still suffer from compromise and they didn't detect it for months. APTs are very nasty look up the financial malware Q-bot and you will understand.

 

[holdum333]

Hi @Neemobeer You have to click on it to get the malware. I tell all my friends to use a trusted site for down loads.
I trust filehippo. Legitimate sites don't put malware on you. You have to know when to hold-um and know when to fold-um
Know when to run away.Know when to stay!
FileHippo.com - Download Free Software

 

[Neemobeer]

No you don't have to click on anything to get infected and I have seen ransomware embedded in ad's on yahoo so no again.

 

[holdum333]

As I stated! I've only been a PC user for 12 years. Ransomeware in ad's on yahoo? I don't yahoo!
I don't go there and I've never been infected. I really don't worry about malware and I consider myself a smart surfer!
I realize the internet is a cesspool, and that's the way I treat it. I think I can handle any thing that comes my way! But I'm not going out and look for trouble either!

 

[BIGBEARJEDI]

Well, this thread is off to a great start. Thanks to RichM for helping to get it started.

I agree Neemo; many of the most nefarious infection vectors don't rely on the User going anywhere or clicking anything. If you recall the infamous I LOVE YOU virus from 1998 (aka: the MELISSA VISUS), the virus writers relied on "human-engineering" to entrap users to click on the attachment embedded in the E-mail. This virus was also the first "worm-virus". It's sophisticated script found a way to exploit the User's Address Book. This was previously unheard of because the virus would appear to send the virus from someone in the User's Address Book; since the User recognized the Sender's name, such as "John Jones" or "Sally Smith", they ASSUMED that any attachment was legit, since the User was legit. Back in those days, Users frequently used Outlook Express or Outlook since that's what many business networks employed. So, Users often used those same programs at home on their home computers. In many cases, Users took home their company-issued laptops which used OE or Outlook running on corporate Exchange E-mail servers. Due to this of course this virus also had the dubious distinction of being the first virus to propagate worldwide in less than 24 hours!

Virus writers have evolved significantly since then, and there are many viruses that can be downloaded into a User's computer without clicking on ANYTHING!! Those viruses are much rarer than viruses such as spyware viruses that hide in new program or driver update downloads, and often hide in free toolbars. For instance, Ransomware (such as the Crypto-Locker virus), and Scareware viruses, usually rely on the User to click something either on a website, a toolbar, or on an E-mail with an infected attachment. Some of these, such as P2P network viruses hide in a legit program download or driver update, and once into a network the script directs the virus to the most vulnerable 2nd computer or other computer on the network and infects it first. From there it makes it's way into the User's Wi-Fi router or possible Modem-Router combo unit and hides there. As soon as a new computer is purchased and connected to the network (LAN), the very first thing it does is copy itself from the Router/Modem to the new computer and hides there until it can deploy (P2P resource vampire) or based on a date-activation such as an old style Trojan Virus (April 1st, July 4th, New Year's Day, etc.). This can often negate all the layered or multi-program Internet Security Suites that might be installed on the new computer. If the User doesn't factory reset the Router/Modem or completely replace it, and wipe the hard drives of all computers connected on the User home network, it's extremely difficult to remove, and often takes a network expert to do so. Network onsite visits generally start at $125 and can go up to $250 or more to rid a home network problem such as this. We have a couple of these going right now on some of our forum threads.

Keep it coming, I'll be looking for more good discussions to come.

<<<BIGBEARJEDI>>>

 

[BIGBEARJEDI]

As I stated! I've only been a PC user for 12 years. Ransomeware in ad's on yahoo? I don't yahoo!
I don't go there and I've never been infected. I really don't worry about malware and I consider myself a smart surfer!
I realize the internet is a cesspool, and that's the way I treat it. I think I can handle any thing that comes my way! But I'm not going out and look for trouble either!

>>>Gary; well that's very good, and you are the exception rather than the rule here. I have lots of Clients who tell me they have been using their computer for 15, 20, 30 years, and have never got even 1 virus. Peeshaw! I don't believe that. 99% of the computers I've ever worked on have some kind of viruses on them, even if they are in the form of just pop-up ads which are not destructive but simply annoying. I do believe you that you haven't got infected, as you say. But, that no longer counts--as there are so many methods of infection, it's not a question of "if" you'll get infected, but, rather "when" you'll get infected. This is much like folks who drive their cars around without any insurance, and say "I'll never get into an accident, those statistics are bogus and made up by insurance companies trying to steal my money!". I've got another story about that, but that's for another time. I agree that paying attention to the news, educating yourself about computers, Internet, and AV protection and security is all good. But, we are rapidly approaching the point where no matter how good your protection and common-sense are, there will be no way to keep your computer completely safe--forever. And even though you don't use or go to Yahoo! there are 560 million users worldwide who do. And when those folks get infected, they infect the rest of us through the common-connection point of the Internet. The only way to NEVER get infected is to NEVER connect your computer to the Internet, and go back to the Stone Age and use the computer just as a glorified calculator, letter-writer, and stand-alone game play (PONG)!<<<
<<<BBJ>>>

 

[Neemobeer]

Agreed Yahoo is just one example, any site that has ads can host an exploit kit and they infect with zero user interaction or knowledge. I have several hundred malware samples on my laptop and my AV doesn't detect them all, virus total sometimes doesn't detect them or I can re-encode them and make them undetectable with tools like metasploit.

 

[holdum333]

Hi Guys! I'm not one to argue these things because I'm not that experienced with them. I read all your replies and try to learn from them.
All your replies so far talk about P2P or clicking on some thing. Clicking on attachments in emails ect.Surely these things don't just jump out and hook on you. Porn sites and toolbars are a great place for malware. I think we all know that! @RichM Little joke
I'll keep watching this thread and learn!

 

[BIGBEARJEDI]

Yes, as in Josephur's excellent video on the Bitcoin Miner virus here:
Bitcoin Virus/Malware dissected

BBJ

 

[Neemobeer]

That's the point I'm trying to get across. Yes they can just infect your system. I've gotten a hold of know site with ransomware embedded ad's. Simply visiting the site will infect your system. No clicking, no downloading or installing. These sites are not flagged as malicious either it is simply a rotating embedded ad.

 

[holdum333]

Hi! I guess we all need to start using a program like HTG (My go to guy) recommends. Also I haven't heard any one recommend not going on web with Admin rights. I'm not completely PC illiterate. Don't always have the best PC vocabulary, but I know what I mean!
Sandboxes Explained: How They’re Already Protecting You and How to Sandbox Any Program
HTG Explains: Why Every User On Your Computer Should Have Their Own User Account

User accounts can be either system administrators or standard user accounts. System administrators have full access to the system, while standard user accounts have limited access and need administrator permission to install software, change certain system settings, view files they don’t have access to, and so on.


For example, if you create standard user accounts on your computer and reserve administrator permissions for your user account, you’ll have to type your account’s password whenever a standard user wants to install software, make system settings changes, or do anything else that’s off-limits.

 

[RichM]

There are and always have been two ways to rate Antivirus program. Rate it for detection in the wild (which means known infections) and then as software so the "bloatware" is only involved in the latter. The main problem with Norton, MacAfee and Trend Micro is they are the number one choices and are the most available widespread so that makes them the primary target of "the dark side". Safest to be then is with someone else so then we don't need to debate the ability of any of those though in my testing days Norton was always the poorest. I used to get a kick out of how the Norton lovers always argued that the program was light and the best for detection and yet denied there were any such issues until the next release when they state they had solved all those problems from the past version.

A ways back neemobeer stated that you don't have to click on anything and he was quite right. One of the main differences between virus and the overall category of Malware is that a virus is an installed program but not all Malware is installed and today's batch are more than likely the "virtual" variety. And when defending "protection at the gate" let us remember that the "worm" category is only detected by the very best Antivirus programs as they come in coiled and can easily be detected once open but again the free programs have pathetic heuristics and cannot detect them "at the gate". So now there are a few other things to consider here.

For years my group ran with Nod32 Antivirus and Malwarebytes Pro but I never achieved 100% safety for my users and results have been sliding in recent years. This past year, my first year with Emsisoft was the first year since I have been in business that not a single subscriber was infected and I find that exciting again as I have never had that experience before. Now of course I am prejudiced because I represent Emsisoft but you see my prejudice and my experience match for the first time and that is what I find exciting. Whether or not I get infected means nothing in the overall scope of things its whether my clients get infected that is the whole story for me. When I returned to a client on Nod32 and Emsisoft and they were infected we then switched to Emsisoft and no further infections occurred but that was only in maybe 10-12 users this past year so I am anxious to see how the next year progresses.

 

[holdum333]

Hi! @RichM I'm betting another user could come on the forum and tell the exact opposite story to yours about Nod32 and MBAM Pro. Teach your clients how to clear their PC's of malware. I have only found one senior with a PC so badly infected that we saved the data and did a back to factory restore. I'm thinking I could have cleaned it up, but the senior wanted to go back to factory. I uninstalled AVG. Installed MSE and MBAM pro. Gave the senior some safety tips about malware and I have a very happy malware free senior.They just brought me a peach cobbler a week ago.
I walk the walk not just talk the talk. I'm Gary "The computer guy" If you're still infected after running these, take her back to factory. I don't think I'm to far off topic here. We are talking malware. Use MBAM Anti-Exployit for the drive byes. Use safe surfing habits and you will be just fine! Only click what you want installed on your PC. If it looks like malware, it probably is malware! Don't click on it. Use a account that doesn't have admin rights. If it looks like a good deal and your clicker finger can't be controlled, you will get infected. I'm done!
Malwarebytes Anti-Malware 2.2.1
AdwCleaner 5.117
Junkware Removal Tool
Free Virus Scan | ESET Online Scanner | ESET

 

[BIGBEARJEDI]

Gary: You must be lonely last night. You're so hilarious! Of course you realize that I've forgotten more about computers in the last year than you've learned in your entire lifetime!!

Seriously, you have some good comments. I have some personal stuff to take care of today with the wife, so I'll take a look at your HTG links later this weekend. Like to see what MikeH thinks of them to.

I could write a book about how wrong you are about Norton--and maybe I will, now that I'm retired. One of my favorite stories was how I got fired from one of the companies I worked for years ago when I was a FNE (Field Network Engineer). This situation involved them removing the Norton from their corporate network. For many of the same reasons you mentioned their Executive Management and IT people told me. This was about 20 years ago or more. Are you sitting down, here comes the good part: About 5 years later, I was working for this company's largest competitor (call the company who fired me, Company "A"), Company "B". Now it turns out that I had happened to have installed Norton for Company "B" while working for a different service outfit (I had forgotten all about them); and when we were in a sit down with their IT management and various Execs, the Norton issue came up. They had mentioned to me how glad they were that I had installed it, and insisted on it, not paying attention to the "crap" and haters of Norton out there. Then proceeded to then tell me about a year after I was fired from Company "A", they contracted some devastating worm virus that devastated their network and all their computers. They were down for several weeks (like 5 or 6 weeks), until they could fix their problems and get up and back in business again. In the meantime, I was told, nearly all of Company "A"'s customers called their big competitor Company "B" and ordered their products from them. Essentially, Company "A" was wiped out due to lost sales to their largest competitor, having had their computer network decimated by this virus that wasn't stopped by whatever brand of AV they were using (not Norton!), and Company "B" was flourishing with Record Sales and Company "A" went Bankrupt--never to be seen or heard from again!

So the moral of this story is that the Management of Company "A" failed to install Norton after all my pleading, and someone told them I was full of it, fired me, and then got wiped out by a virus that slipped by their supposed better-than-Norton AV. As if this wasn't interesting enough, this happened time and time again, especially in the early 90s. Also, there are some Fortune1000 companies this also occurred to that I was involved with (yep, fired again for recommending Norton), and those companies went directly to penny-stock when they too got decimated by nasty viruses. You will never convince me that Norton is crap! I've been using them since they started in 1990, and have been a dedicated fan every since. Of course, you are entitled to your opinion. But, out in the Trenches of the business world, and even the Military, they swear by Norton. Norton also does lots of development work with the top security agencies: FBI, NSA, DHS, and many of the other ABC agencies. Many of whom I worked with on securing their information assests. IT professionals vary on this as many of them have never had to secure the US networks and computers from foreign threats. I have, and this has been my experience. As I said previously, I still run Norton on most of my primary machines for my little repair business. I also install it, but not as much since competitive products and the Malware landscape has changed, as detailed by RichM and neemobeer. Many of the 2nd tier AV products have improved, so it's certainly worth testing the other products in "honeypot" environments which I still do, so products like Panda that were hot 10 years ago have been replaced by Avast & ESET, etc.

Well, there it is! Consider yourself educu-macated! Hah!

Talk to you soon...
BBJ

 

[RichM]

BBJ you are forgetting something. The Norton product you are talking about in server environment is entirely different from ones used in home environment as you know as the issues are completely different. No one is complaining about Norton biz product but home products are worse than useless, loaded with eye candy and I have never seen one such product remove anything. Norton Corporate is entirely different and not loaded with eye candy and all kinds of bloat ware.