Steve Lamb's Blog

Security Matters


What is the best way to deal with malware?


Please let me know what techniques you've found useful to tackle the growing menace of malware.

Do you find techniques such as using low privilege for day to day operations to be something you can achieve? Running as non-admin should theoretically prevent malware from being accidentally added to your system.

How effective do you find anti-spyware software in picking up the presence of malware? Personally I think it's too late by then as the proverbial horse has already bolted. I'm keen to hear your views.

Please hit the "feedback / comment" button and let me know what you think. I'll use the input to dig further and will post something again soon.

Thank you.

Comments
  • First some quick background. I work at a K-12 school where all faculty and all students 7-12 have laptops/tablets. This is probably the best breeding ground for malware ever imagined, at least it seems that way to me. I am currently investigating LUA after watching stuff at TechEd. However this is difficult since so many applications break and trying to explain to users about the idea of make me admin and the like is not fun.

    We currently use the Ad-Aware Pro which comes with a real time monitoring piece. I find however that it really doesn't help. One because most users don't know what they want to let happen and what they don't. Second it often misses detecting things in real time. We are often very successful in removing it after the fact.

    Malware is currently my #1 by far problem, so far outdistancing my next biggest problem of hardware failure that isn't really comparable. If I could solve this problem it would really help and change some people's perspectives. They believe the machines are broken when often it is something that they installed or was slipped in without their knowing.

    I am anxiously awaiting the final release of MS Anti-Spyware and have high hopes for the promised enterprise management piece. WSUS is so good, get to that level on spyware.

  • SANA Primary Response. It's by far the best way to keep workstations and servers clean. The spyware addons from the AV crowd are a joke. They have caused more problems than solutions. Email me and I'll hook you up with a demo. You won't believe how effective this thing is. Xavier at ashe d0t com.

  • In Tech Support mostly customers approaching us have already been jacked by multiple variants. So the best way to go about is to start with add or remove programs and uninstall malware like ISVT, Optimizer, etc., an msconfig to disable unfamiliar startup items, look for common places in the registry and delete instances of known variants and unfamiliar applications, install MS anti-spyware beta, default IE settings, clean browser extensions, maybe run an IE repair if it's broken, look through program files and rename folders of unknown applications. Reboot and generally looks good. The worst part is people use Servers for browsing and then complain about IE not working or a broken shell with a blank desktop. I have worked on a few cases where we are unable to open EXE files because this registry location is wrecked - HKEY_CLASSES_ROOT\exefile\shell\open\command

    Anti-Spyware is not always effective as much as educated browsing is.
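
An offline check for the wrecked `HKEY_CLASSES_ROOT\exefile\shell\open\command` handler mentioned in the comment above, added here as an example and not taken from the commenter or the blog. It audits the text of a registry export; the sibling ProgIDs (`comfile`, `batfile`, `cmdfile`), the function names and the sample export are assumptions of this example.

```python
import re

# Stock default value of the handler key named in the comment above.
EXPECTED = '"%1" %*'
# Assumption (beyond the page): sibling handlers share that default.
WATCHED = ("exefile", "comfile", "batfile", "cmdfile")
SUFFIX = ["shell", "open", "command"]

# Constructed sample in .reg export syntax; exefile still points at a
# program that has since been removed, so no EXE will launch.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Program Files\\removed-app\\loader.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''


def unescape(value):
    # Undo .reg string escaping (backslash-escaped quotes and backslashes).
    return re.sub(r"\\(.)", r"\1", value)


def audit_handlers(reg_text):
    """Map each watched ProgID to OK, MISSING or 'MODIFIED: <value>'."""
    findings = {progid: "MISSING" for progid in WATCHED}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            parts = key.group(1).lower().split("\\")
            hit = (len(parts) == 5 and parts[0] == "hkey_classes_root"
                   and parts[1] in WATCHED and parts[2:] == SUFFIX)
            current = parts[1] if hit else None
            continue
        default = re.match(r'^@="(.*)"$', line)
        if current and default:
            value = unescape(default.group(1))
            findings[current] = "OK" if value == EXPECTED else "MODIFIED: " + value
    return findings


if __name__ == "__main__":
    for progid, status in audit_handlers(SAMPLE).items():
        print(f"{progid:8} {status}")
```

Exports written by `reg export` are UTF-16 encoded, so decode the file before passing its text to `audit_handlers`.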

  • Hi Steve,
    I find your blog posts on security very interesting and informative. I am a test manager interested in security and software testing in general.

    I think antispyware like the one from MS is a very good tool to start with. At regular user level, there is not much awareness about what malware is and how it is different from a virus. For not so techie background - running as non admin or low privilege user may look a bit involved or annoying - not able to download/install anything that fascinates them on the web.

    I am not sure about how MS anti-spyware is going to be priced once it sheds its Beta tag. But I recommend it to most regular internet users who are not so techie.

    Shrini
    Test manager
    iGate global services
    India

  • I agree with Satya - the best way to stop malware in the first place is to educate users in the art of safe browsing.

    I've come across a couple of sites recently that have we "high-tech". With XP SP2 Active-X downloads automatically being blocked, I've seen a few sites with Flash Animations showing users how to install them (to make the site "better"). Now I'm savvy and ignore such bits but to the uneducated user they just point, click, install and release god knows what onto their machine!

    It will be interesting to see in due course what anti-spyware app will become the market leader, everyone seems to be releasing them! Not sure if AV's should be going into this space though - should stick to what they are best at.

  • Prevention is better than cure don't they say?

    99% of malware attacks are mitigated by defensive browsing and sensible use of e-mail clients. It never ceases to amaze me how many users have never even heard of the "Trusted Sites" Zone in IE, (even some supposedly IT savvy folks!)
    I always explain this stuff to users whenever the chance presents itself, and I recommend setting the Internet Zone to "High" and the Trusted Sites zone to "Medium"...if I can get them to run as a non-admin then so much the better. So, basically if anyone asks me which tool I'm using to combat Spyware/Adware etc. the answer is, "Internet Explorer".

  • Techniques found useful to tackle malware:
    - isolate off all networks
    - verify RAM and processing hardware sanity
    - verify HD physical and then file system sanity
    - formally manage traditional malware
    - manage commercial malware
    - purge hidden stores, set "clean" baselines
    - defrag
    - patch code defects
    - protect against known attacks; HOSTS, kill-bits, av
    - manage risk; safer apps, kill risky things not needed
    - manage data; relocations, hygiene, auto-backup
    - manage networking; shares, firewall, unused connects
    - repeat on all systems before reconnecting to LAN, etc.

    "Check your rock (before climbing on it)" as below:

    - check you are working on the system alone
    - check it's safe to process anything at all
    - check it's safe to write to the file system
    - check the core code is safe to boot
    - check the "live" system is clean
    - check there's no hidden dormant malware
    - ensure file system is optimized for performance
    - check the system is sane, i.e. not open to code exploit
    - harden system against known attacks
    - check the system is safe, i.e. reduce by-design risks
    - check that data backups are good, and safe to restore
    - check that it's safe to reconnect to the world
    - check the "private" world you connect intimately to is clean

    Privacy depends on security (can't promise what you don't control)
    Security depends on safety (can't secure if riskier than expected)
    Safety depends on sanity (can't risk-manage if exploitable code)
    Sanity depends on health (can't be sane in sick brain hardware)

    "Do you find techniques such as using low privilege for day to day operations to be something you can achieve?"

    No. That approach makes sense in the intended context; a person with set limits on what they can do or not do, and who does nothing outside of those limits, all day.

    However, I may do a number of different things at the same time: I may play a game, which I don't want to access my data or the 'net; take a phone call and look up a database that I don't want the 'net to have access to; write a document in my data space that I want no arbitrary self-propelled software to fiddle with at all, and read some email that I want to have zero 'net, data or system rights either.

    Logging in as "Sally the sysadmin" or "Mary the marketoid" for the rest of the day does nothing to address these needs. In particular, even the most limited user has the right to edit their own data, and that means any malware running with those rights can trash it.

    However, "techniques such as" do apply, i.e. risk management:
    - if no-one needs take the risk, rip it out of the system
    - if some users need take the risk, password/account protect
    - if taking the risk, evaluate it first
    - if taking the risk, av-scan it first
    - if declining the risk, ensure software doesn't take it for you

    A safe system:
    - takes no risk ahead of the user's intent
    - displays the risk level to you in terms you can understand
    - acts no further than the risk level it displayed to you

    Just about every malware event can be tracked down to failure of the above, i.e. "risk WYSIWYG" that wasn't. That shifts the blame from the user to the system, as the system hijacks the ability to evaluate and control (and thus be responsible for) risk from the user.

    "Running as non-admin should theoretically prevent malware from being accidentally added to your system."

    It's a good band-aid, but it's a square peg in a round hole (malware can kill your data) and it's undermined by poor safety. When risk WYSIWYG is poor, what the user does no longer correlates well with what the user intended to do. Sure, security can prove which user to blame, but the damage is done. Daily.

    "How effective do you find anti-spyware software in picking up the presence of malware?"

    40-60% each, which is why I use 3 of them, plus the hairy eyeball.

    "Personally I think it's too late by then as the proverbial horse has already bolted."

    The above is shallow security, or the Titanic Syndrome (i.e. "if the ship is unsinkable, why do we need lifeboats?" or "well, he was inside the building, which means the guards must have approved him, so I didn't ask him for ID").

    In contrast, deep security recognizes that:
    - no security method is failure-proof
    - therefore every positive security method has value
    - therefore plan what to do *when* security fails

    That goes beyond preventing infection, to managing it when it happens; something that MS haven't started to think about yet.

    Currently, it's "if you're infected, you've lost; give up, wipe the system and start over". But that means if you cannot determine whether you are infected, then every PC that *might* be infected, i.e. gives any cause for suspicion, has to be wiped. Really good malware arouses no suspicion, therefore all PCs should be wiped.

    This is clearly an absurd situation that can only make sense if you avoid looking directly at it. Now that we've moved to NTFS and lost the ability to formally manage malware from outside the HD-based OS (from DOS diskette boot), everyone is studiously avoiding looking at this particular bright clue-light.

    Also, consider MS's Rule #1: "if a bad guy can run code on your system, it's not your system anymore". By design, MS allows or has allowed the following to run code on your system; the web sites you visit (and the banner ads you didn't want to see), the unsolicited email "messages" your email app previews, and the MS Office "data" files that MS would like to see used as a generic data interchange medium.

    Why are all these entities offered ownership of your PC, and how do we get it back? See:

    http://cquirke.mvps.org/whatmos.htm

  • LUA. Simple, you will spend less time in the long run and more fully understand the applications that you are running. NTFS and Registry ACLs along with filemon/regmon will become part of your daily routine if you install software all of the time. If this is too much trouble for you, then don't expect to combat malware effectively.

  • the thing that sucks about this is you never know when you're ahead of the game!

  • Another amazing thing is just how little IT pros know. We've been using LUA since W2K for 14k users. None of our apps have really required admin privs.
    A friend of mine was discussing how his end users (not his idea) were all admins and this was for a rather large organization...

    Microsoft's finally got the message and is really pounding this in, Microsoft's current problem is all the home users and this is the issue with Linux is that users don't like switching between accounts just to install some dumb game...
    my .000000001 cents worth!

  • There's some great advice in the comments to my recent post about Malware - thanks to everyone who contributed....

  • I think perhaps a solution that I and others would be relatively quick to adopt would be some sort of hardware level solution.
    Many of our developers refuse to run anti-virus and anti-malware applications on their dev boxes because they get annoyed watching real-time apps eating CPU cycles. I think perhaps a hardware solution that uses its own resources to watch things would be a nice touch. I'm not certain as to the feasibility of such an endeavor as my familiarity with kernel level functionality is limited. I figure that if they can make video cards operating at 1/2 a teraflop, you could apply that same type of computing power to keeping our machines secure.
    All of us that work in a corporate environment are well aware that 99% of all computer users are way too lackadaisical about security and will go to any measure to circumvent/avoid it. Thus creating cracks for the filth to seep through.

  • "the thing that sucks about this is you never know when you're ahead of the game!"

    Not true. With a good network-based IPS like the Juniper IDP, you can see Spyware and Malware traffic give you proof that you successfully cleaned the computer.

  • What's malware? *smug Linux user*

    Seriously though, it's a "£$%&*, it's one of those things that most people have and once you've got rid of you have to do again within a day.

    1. Block dodgy sites
    2. Lock down users so they can't install loads of c*&p
    3. Run spybot S&D, ad-aware, MS, and spyware blaster
    4. Use a less popular browser not in IE mode (FF will be targeted in the future, however is still more secure - I will not go into this argument, if you want it we've had hundreds of posts on hexus.net)

    Those are basic things for a home environment, when you've got local users on their own computers plugging in, it's a "£*(&, but you could force them to VPN in from a dirty network and then quarantine them - but that puts unnecessary stress on the servers

  • Matt> Linux.....now let me think.... I've heard of that....Oh yes and the myth that it's impervious to Malware, Worms, Viruses.....

    Seriously though I agree with many of your comments in that a multi-stage (Defence in depth) approach is the best way to go. The very nature of Windows and Linux leads people to customise their systems and hence they are responsible for accepting the risk that the authors of the software they add are trustworthy.
