Last week, a blogpost raised the issue about Fireball, a recently discovered browser hijacker and malware downloader. In response, an anonymous poster
[See the full post at: Malware: Its Prevention, Detection & Blocking]
|
There are isolated problems with current patches, but they are well-known and documented on this site. |
-
Malware: Its Prevention, Detection & Blocking
- This topic has 144 replies, 23 voices, and was last updated 4 years, 9 months ago.
AuthorViewing 57 reply threadsAuthor-
Kirsty,
And because 1 size does NOT fit all, is the reason I have found that for ME Vipre Internet Security is the best fit. To each their own.
Dave
1 user thanked author for this post.
-
Their own graph, showing a high level of false positives, on the front page is enough to put me off Vipre. I see similar FPs from it when checking files at Virustotal.
I tend to use a lot of ‘less popular’ software and there’s a tendency for many of the big AV players to jump on my clean, trusted but ‘uncommon’ downloads – that gets old very fast. I often end up using/testing them with all but one or two features installed/enabled and those are often pared right back to AV basics.
Bundled firewalls too can be blunt edged, esp. if they don’t/can’t work with the Windows firewall.
1 user thanked author for this post.
-
I already have my malware defenses established, but I do follow a few security blogs and forums. Always interested to learn if there is some new technology to step up to!
One development I have been watching lately is Sophos Home (free). Sophos has typically been a corporate security company, rather than marketing to the retail end user.
With Sophos Home they now offer free business-grade security for your home Macs and PCs. You can also manage up to 10 devices from a web browser, for free. https://home.sophos.com/
They are currently developing a Sophos Home Premium version, that includes ransomware protection. They are offering one year for free if you sign up for the premium beta now. https://home.sophos.com/register/beta
Sophos bought SurfRight, creators of HitmanPro, in 2015. They have since incorporated the HMP.Alert technology into their Enterprise anti-exploit product, InterceptX.
Sophos consumer website for HitmanPro products: https://www.hitmanpro.com/en-us/alert.aspx
Sophos business products: https://www.sophos.com/en-us.aspx
Windows 10 Pro 22H2
It is true that one size does not fit all, but I think there’s a more fundamental distinction here that should be highlighted and discussed:
One school of thought – quite prevalent – is that users WILL run malware and the system needs to be protected from within against it. This gives rise to AV software that continually checks and re-checks files on the disk, watches for data encryption activities, and generally costs system performance and loss of usability. UAC, for example, seeks to prevent running malware that is running from gaining the privileges to screw up the computer system.
Another quite different focus is to minimize the chance that malware will enter your system entirely, and focus less on what to do if it’s already in and running.
The former is a bit like inviting the local criminals into your house and hiring security guards to watch ’em, vs. keeping a low profile, living in a gated neighborhood, and keeping your doors locked.
The latter approach is the one I’ve chosen to optimize, and it works.
Note that there’s not really a hard either/or situation; some of both isn’t a bad approach. I can tell you from many years of experience that it actually IS possible to keep malware completely away from your computer systems. I haven’t had malware get even close to getting into my systems in all of my 4 decades of computer use (okay, I admit, it wasn’t much of a problem before Microsoft PC software and the Internet, so let’s call it 3 decades). That includes both my professional and home Windows use.
Item 1 on the list is to THINK FIRST. Just don’t do things that are risky. Treat sites on the internet, “free software”, and “too good to be true deals” with suspicion and contempt. Know that they ALL want something from you. Educate yourself as to how things really work, and understand that not everything written on the internet or decided by other people is true.
Item 2 is to determine your attack surfaces and work to change/minimize/eliminate them. Know that default settings are NOT the most secure, yet keep in mind that you actually CAN get surprisingly much of the goodness of the internet while actively excluding the bad parts. In many ways, getting the content without the garbage and bad stuff makes the internet all the more valuable.
Item 3 is to build multiple layers of security around yourself and your systems. In ancient times they built a moat AND built castle walls AND had archers AND knights, etc. Layered security is a must. Even though item 1 is “THINK FIRST” sometimes we screw up. That’s when the other layers come into play. If malware regularly bangs up against your last layer of defense, you’re probably not doing enough with the other layers.
So… Thinking first and considering attack surfaces – what do you do a lot that is likely to bring malware into your system? Surf? Run downloaded software? Have your computer directly connected to the wild internet?
Beef that up, stop doing it blithely!
There ARE ways to avoid bad sites and to avoid running software and to isolate your systems behind a moat that really work, and don’t cut into your enjoyment NEARLY as much as getting a computer infection or ransomware. Some at a high level that come to mind are:
- Use blacklists to keep your systems from accessing sites that deliver bad things.
- Reconfigure your browser not to run dangerous things.
- Vet software before you run it. Hope is not a strategy.
- Get a router that isolates your systems from incoming connection attempts.
- Avoid doing things “in the cloud” if doing them locally is just as good.
There are many strategies that can be brought together to keep bad things away. Surprisingly and wonderfully a lot of them don’t cost any money, though sometimes you have to educate yourself – and when is that ever really bad?
My advice: Don’t accept that malware has to be fought after it already gets in. Do a little (or a lot) more to keep it out and life can be very good!
So…
Please describe what worries you, security-wise, and let’s talk about what you might be able to do about it.
-Noel
-
Which of the free ones gets rid of the Firefox-patch.js pop up?
What web site does it come from? Chances are ad scripts are where that pop-up comes from, assuming it’s not from an add-on you’ve installed into FireFox. Understand that the ad content is generally NOT AT ALL vetted by the web sites that host ads. They’re just looking to make a quick buck by facilitating their transmission to you.
- Using a good blacklist – by adding entries to your hosts file and/or implementing a DNS proxy server – would prevent it.
- Downloading a script and/or ad blocking add-on might help. I’m sure there are free ones. Ask yourself: Why on Earth would I want ads and whatever junk they bring along delivered to my system?
- For Internet Explorer, I disable ActiveX and most capabilities for scripting in iFrames. It’s possible your browser has similar configuration capability in its advanced settings. Reconfiguration is free.
Item 1 is a passive solution, while item 2 involves running more software. I tend toward the passive, as it doesn’t cut into performance.
I can’t speak from personal experience about this pop-up, because I have never seen it. It might be because I don’t actively use FireFox (nor am I sure that it even requires FireFox to pop up). However, I *never* see ads nor pop-ups/junkware running as part of ad data retrieval, because I’ve configured my browser not to run active content from within iFrames and I use managed blacklists.
I would certainly disable any kind of auto add-on installation in the browser.
Regarding any downsides I’ve seen from blocking ad/junk content… I have only run across a tiny number of web sites that refuse to deliver their content without unblocking ads – and for those who do, to heck with them. There are many other things to read online. 🙂
-Noel
1 user thanked author for this post.
- Using a good blacklist – by adding entries to your hosts file and/or implementing a DNS proxy server – would prevent it.
-
Which of the free ones gets rid of the Firefox-patch.js pop up?
I got hit with that fake Firefox update one day, when I decided to lower my Ad Blocker settings for one mainstream site that I frequently visit.
I didn’t click on that popup, instead, I shut my system down. If I had clicked, the .js script would have run and probably attempted to download a malware payload.
I don’t really know if that intended download and infection would have been successful, due to my other layers of security, but no point in testing it on my production system!
So, yup, I would say run something like uBlock Origin (it’s like AdblockPlus on steroids). There are many 3rd party filters available in the options that can prevent malvertising attacks, and much more …
My post mortem thoughts on that particular experience, is that the website I was looking at refreshes the ads as it updates content. On a refresh, I was most likely hit with a malvertising type ad that launched me to the fake Firefox page. What’s weird is that I had just left the room, so was not clicking on anything, and when I returned I saw a cool mockup of a page with the Firefox logo and all. Saw the popup asking me to click to run a .js file. Said uh-oh, and hit the power switch. 🙂
Windows 10 Pro 22H2
I also cannot answer the specific of that .js item; because I also use many of the preventative techniques discussed better by those above.
But I think Geo is looking to remove an item already resident. And I do not know enough to suggest Malwarebytes over any other free removal tool, for that specific item. Any one else?
1 user thanked author for this post.
-
Generally, Malwarebytes first, followed by AdwCleaner and then JRT (all from the Malwarebytes stable). Once rebooted, reset the browsers to defaults, remove any unkown proxy servers, check/fix the DNS settings. Save all logs in case *something else* is indicated/suspected, in which case HitManPro might dig something else out.
Specifically, that all depends on what the actual infection is and whether it’s brought any ‘friends’ along.
-
You arn’t kidding . I use Malwarebytes but then used ADWcleaner as you suggested. It was way faster then it’s partner Malwarebytes and cleaned a number of threats that malwarebytes didn`t show.
1 user thanked author for this post.
-
-
I have also heard of a Chrome variant of the fake browser update alert, that presents a popup with a .js file, but I have not seen that particular one … I keep Chrome very locked down. 🙂
Windows 10 Pro 22H2
-
There was a security update issued for Chrome in the last few days.
Google Releases Security Updates for Chrome
https://www.us-cert.gov/ncas/current-activity/2017/06/06/Google-Releases-Security-Updates-ChromeOriginal release date: June 06, 2017
I also cannot answer the specific of that .js item; because I also use many of the preventative techniques discussed better by those above. But I think Geo is looking to remove an item already resident. And I do not know enough to suggest Malwarebytes over any other free removal tool, for that specific item. Any one else?
If you did not click on the .js link you are good. I think he was asking how to avoid getting the popup in the first place. As far as I know, that requires an ad blocker or some site blacklisting, or both …
Windows 10 Pro 22H2
1 user thanked author for this post.
Generally, Malwarebytes first, followed by AdwCleaner and then JRT (all from the Malwarebytes stable). Once rebooted, reset the browsers to defaults, remove any unkown proxy servers, check/fix the DNS settings. Save all logs in case *something else* is indicated/suspected, in which case HitManPro might dig something else out. Specifically, that all depends on what the actual infection is and whether it’s brought any ‘friends’ along.
For cleaning, I suppose the state of the art is to first your AV, then Malwarebytes, then HitmanPro. But I don’t know for sure, since I never get infected to begin with… 🙂
Windows 10 Pro 22H2
1 user thanked author for this post.
Woody, as you and many others here know, I look after about 150 Win7 machines. Here is my security formula:
Bitdefender Antivirus + on every machine
When ever I remote in, I run adwcleaner to cleanup any malware that gets by BitdefenderHaven’t seen an infection of any consequence on any machine in 3 years.
If you take a look at the testing reports at https://www.av-comparatives.org/wp-content/uploads/2016/12/avc_prot_2016b_en.pdf you will get a pretty good assessment of the quality of the underlying AV engine in each of these products. Keep in mind that a 95% score is 5 times more likely to let an infection in, than a 99%.
I used Malwarebytes for years and it clearly was the best of breed and did the job very well.
I later learned of ADWcleaner and after years of use (probably numbering thousands of uses), I realized that it does everything Malwarebytes does, but faster. It also has the advantage of being a downloadable scanner instead of an installed ap. Apparently Malwarebytes the company agreed with me to some extent because it recently bought the product from Toolslib.
I had an additional problem with Malwarebytes which is the main reason I do not allow it on my client computers. Malwarebytes thinks it is an AV, and sometimes creates conflicts with your chosen AV. I don’t need that aggravation, especially when ADWcleaner does the job every bit as well and does it much faster and simpler.
CT
2 users thanked author for this post.
-
-
No idea. I have a wide variety of clients from teenagers to seniors. Their usage varies widely. I find this stretch of problem free computers to be quite astonishing. I guess this is something like 450 machine years.
Prior to Bitdefender, I used Norton AV for many years on mostly the same computers. There were infections then, not a huge amount but certainly at least 6 a year. In addition, I had to put up with Norton’s nasty habit of telling you you have an infection but not cleaning it up and pointing you to some tech solution. Norton also too frequently got itself into some kind of a mess. I learned that the best way to deal with those was to uninstall and re-install.
Bitdefender has never enabled an infection. I have never had to re-install or manually remove an infection.
Bitdefender for the average user is really good because it is very silent and lies in the background without intervention of any kind. My clients forget it is there.
CT
1 user thanked author for this post.
-
-
-
Hm, the forum lost a bigger post I had formatted. Here’s a short version…
Color me impressed with Bitdefender’s performance.
I did a set of tests that model the kind of work I often do, and it only slowed down one of the various operations I attempted with it: A disk-wide search with a 3rd party tool for a particular filename. Some other tests actually seemed to run faster with it installed.
Strangely, the free version doesn’t seem to offer a UI that I can see.
Also, it contacts various sites online. I’m still working out what and why.
-Noel
3 users thanked author for this post.
-
-
-
-
Trying using the paid version. It is available quite economically if you buy the package for 3 computers for 2 years. You can share. Or if you have the need, you can buy a 10 licence pack for 2 years for $130 Cdn.
CT
1 user thanked author for this post.
-
-
I know nothing about Win10. Will not touch it with a 10 foot barge pole. All of my clients are on Win7. Therefore that is the basis of my experience and comments here.
CT
1 user thanked author for this post.
-
-
Oh well, I requested info on what BitDefender was connecting to and why – and they chose not to respond. Most of the software’s communications online were encrypted. All I was able to glean online was that nimbus.bitdefender.net is involved with URL checking. I’ve already got URL blacklisting covered, thanks.
So… No more BitDefender on my test system, or any system since I can’t nail down what they’re doing online. They forgot to realize that one actually has to trust the antivirus maker too.
The last thing I feel I need is a cloud-integrated security package from someone who isn’t interested enough in new business to let you know what it’s sending or why. Perhaps they figure the people who don’t want to think about what data is being sent where comprise a big enough market.
-Noel
-
-
-
-
It always pops up when I`m on the yahoo finance page. The only advice on line so far is us an ad blocker which I do but in some cases I have to disable to obtain yahoo finance stock quotes.
All I can suggest is to Google for “malvertising” for some background info on the problem.
Yahoo, and most other commercial websites count on advertising clicks as part of their revenue model. The ads that they display typically come from ad broker networks that they have no direct control over. Since the sources of the ads are not always carefully screened, the bad guys can sometimes slip a few bad ones in … it’s still a cr*pshoot!
Windows 10 Pro 22H2
-
Not really a c*** shoot with a decent blacklist, backed by software that can do things like block the name resolutions using wildcarded blacklist entries (e.g., ad.*, ads.*, etc.)
I just visited yahoo’s finance page and scrolled down for a while. No ads and no pop-ups…
What I DID see in my logs was this monstrous stream of DNS resolutions, implying finance.yahoo.com is jam packed with ads and junk:
finance.yahoo.com A resolved from Forwarding Server as 68.180.134.8 yep.video.yahoo.com A resolved from Forwarding Server as 68.180.134.8 udc.yahoo.com A resolved from Forwarding Server as 98.139.199.204 bats.video.yahoo.com A resolved from Forwarding Server as 68.180.134.8 us.adserver.yahoo.com A not found (1) --- blacklisted by DNS proxy --- video-api.yql.yahoo.com A resolved from Forwarding Server as 68.180.134.7 p.bankrate.com A resolved from Forwarding Server as 151.101.1.132 beap-bc.yahoo.com A resolved from Forwarding Server as 68.180.134.7 ad.wsod.com A not found (1) --- blacklisted by DNS proxy --- na.ads.yahoo.com A not found (1) --- blacklisted by DNS proxy --- pr.ybp.yahoo.com A resolved from Forwarding Server as 72.30.3.42 use-tor.adsrvr.org A not found (1) --- blacklisted by DNS proxy --- ad.adsrvr.org A not found (1) --- blacklisted by DNS proxy --- choices.truste.com A not found (1) --- blacklisted by DNS proxy --- ads.yahoo.com A not found (1) --- blacklisted by DNS proxy --- ad.doubleclick.net A not found (1) --- blacklisted by DNS proxy --- www.googletagservices.com A not found (1) --- blacklisted by DNS proxy --- s.yimg.com A resolved from Forwarding Server as 68.180.134.8 geo.yahoo.com A not found (1) --- blacklisted by DNS proxy --- mibrack01.vpg.cdn.yimg.com A resolved from Forwarding Server as 68.180.134.76 sb.scorecardresearch.com A not found (1) --- blacklisted by DNS proxy --- query1.finance.yahoo.com A resolved from Forwarding Server as 68.180.134.8 log.fc.yahoo.com A resolved from Forwarding Server as 98.138.47.54 html5.adsrvr.org A not found (1) --- blacklisted by DNS proxy --- query2.finance.yahoo.com A resolved from Forwarding Server as 68.180.134.7 streamerapi.finance.yahoo.com A resolved from Forwarding Server as 63.250.200.54 yrtas.btrll.com A not found (1) --- blacklisted by DNS proxy --- beap.gemini.yahoo.com A not found (1) --- blacklisted by DNS proxy --- s1.yimg.com A resolved from Forwarding Server as 68.180.134.8 c-cf77c8bef8a29546ae11a39e1a4614d0.http.atlas.cdn.yimg.com A resolved from Forwarding Server as 68.180.134.142 mibrack02.vpg.cdn.yimg.com A resolved from Forwarding Server as 68.180.134.140 us.af.beap.bc.yahoo.com A resolved from Forwarding Server as 76.13.28.21 bs.serving-sys.com A not found (1) --- blacklisted by DNS proxy --- secure.insightexpressai.com A not found (1) --- blacklisted by DNS proxy --- casper.sp1.convertro.com A not found (1) --- blacklisted by DNS proxy --- ad.atdmt.com A not found (1) --- blacklisted by DNS proxy --- fc.yahoo.com A resolved from Forwarding Server as 216.109.112.213 a1400.casalemedia.com A not found (1) --- blacklisted by DNS proxy --- csync.flickr.com A resolved from Forwarding Server as 68.180.134.8 csync.yahooapis.com A resolved from Forwarding Server as 76.13.28.196 a1460.casalemedia.com A not found (1) --- blacklisted by DNS proxy ---
Note all the blacklisted entries. I glanced through the list and I think my setup nailed most all the ad and tracking sites, letting just the content through. Voila, no pop-ups.
-Noel
Woody, as you and many others here know, I look after about 150 Win7 machines. Here is my security formula: Bitdefender Antivirus + on every machine When ever I remote in, I run adwcleaner to cleanup any malware that gets by Bitdefender Haven’t seen an infection of any consequence on any machine in 3 years. If you take a look at the testing reports at https://www.av-comparatives.org/wp-content/uploads/2016/12/avc_prot_2016b_en.pdf you will get a pretty good assessment of the quality of the underlying AV engine in each of these products. Keep in mind that a 95% score is 5 times more likely to let an infection in, than a 99%. I used Malwarebytes for years and it clearly was the best of breed and did the job very well. I later learned of ADWcleaner and after years of use (probably numbering thousands of uses), I realized that it does everything Malwarebytes does, but faster. It also has the advantage of being a downloadable scanner instead of an installed ap. Apparently Malwarebytes the company agreed with me to some extent because it recently bought the product from Toolslib. I had an additional problem with Malwarebytes which is the main reason I do not allow it on my client computers. Malwarebytes thinks it is an AV, and sometimes creates conflicts with your chosen AV. I don’t need that aggravation, especially when ADWcleaner does the job every bit as well and does it much faster and simpler.
I only allow one real-time AV to run. Then I also run a few on-demand scanners, such as Malwarebytes. Lately I have also been running some anti-exploit software, that does not scan files on access, etc. It is not signature based, so is only behavior based. So light I cannot even tell it is running. But it will stop anything that tries to encrypt my files in a heartbeat!
Windows 10 Pro 22H2
From Blacklist Ecosystem Analysis: Spanning Jan 2012 to Jun 2014:
‘Motivation: We compare the contents of 86 Internet blacklists to provide a view of the whole ecosystem of blocking network touch points and blacklists. We aim to formalize and evaluate practitioner tacit knowledge of the fatigue of playing “whack-a-mole” against resilient adversary resources. Method: Lists are compared to lists of the same data type (domain name or IP address). Different phases of the study use different comparisons. Comparisons include how many lists an indicator is unique to; list sizes; expanded list characterization and intersection; pairwise intersections of all lists; and following, a statistical test we define to determine if one list adds elements shortly after another. Results: Based on a synthesis of multiple methods, domain-name-based indicators are unique to one list 96.16% to 97.37% of the time. IP-address-based indicators are unique to one list 82.46% to 95.24% of the time. Discussion: There is little overlap between blacklists. Though there are exceptions, the intersection between lists remains low even after expanding each list to a larger neighborhood of related indicators. Few lists consistently provide content before other lists if there is intersection. These results suggest that each blacklist describes a distinct sort of malicious activity and that even merging all lists there is no global ground truth to acquire. Practical insights include (1) network defenders are advised to obtain and evaluate as many lists as practical, (2) “whack-a-mole” is inevitable due to list dynamics, barring a strategic change, an (3) academics comparing their results to one or a few blacklists to test accuracy are advised to reconsider this validation technique.’
1 user thanked author for this post.
-
From Blacklist Ecosystem Analysis: Spanning Jan 2012 to Jun 2014: …
There is an update to this paper – “Blacklist ecosystem analysis update: 2014” – available from the authors at resources.sei.cmu.edu/asset_files/WhitePaper/2015_019_001_428614.pdf
1 user thanked author for this post.
-
-
“Blacklist ecosystem analysis: January – June, 2016” – download pdf from hxxp://resources.sei.cmu.edu/asset_files/WhitePaper/2016_019_001_485289.pdf.
A later paper, “Blacklist ecosystem analysis: July – December, 2016”, is also available and can be downloaded at
resources.sei.cmu.edu/asset_files/WhitePaper/2017_019_001_499689.pdf
1 user thanked author for this post.
-
-
I could not get the link to work, so I must have done something wrong. Another thing I did wrong in that post was linking to a different paper – a later one. See my revised post above.
1 user thanked author for this post.
-
-
From Measuring Drive-by Download Defense in Depth (paper available for free on Google Scholar):
“Intuitively, most products would use the same techniques and signatures making them mostly redundant, but we find that security products are only slightly redundant on average with many doing as well as completely independent detection mechanisms and some performing even better. While security products seem to vary greatly in their detection rates, even the less effective overall seem to occasionally detect an attack that bypasses most other security products. These results may come from a lack of attack intelligence sharing by the security industry, a wider than expected range of effective proprietary algorithms, or the challenge and chance associated with trying to detect increasingly polymorphic malware. The results indicate that perhaps extensive usage of what might intuitively seem to be redundant security products could in fact significantly increase security. While using multiple inline host sensors is impractical, the results suggest that using multiple domain reputation systems and network based antivirus engines could increase the detection rate of the whole defense in depth strategy.”
1 user thanked author for this post.
From “Infect-me-not”: A user-centric and site-centric study of web-based malware (paper available for free on Google Scholar):
“Abstract:
Malware authors have been using websites to distribute their products as a way to evade spam filters and classic anti-virus engines. Yet there has been relatively little work in modeling the behaviors and temporal properties of websites, as most research focuses on detecting whether a website distributes malware. In this paper we ask: How does web-based malware spread? We conduct an extensive study and follow a website-centric and user-centric point of view. We collect data from four online databases, including Symantec’s WINE Project, for a total of more than 600K malicious URLs and over 500K users. First, we find that legitimate but compromised websites constitute 33.1% of the malicious websites in our dataset. In order to conduct this study, we develop a classifier to distinguish between compromised vs. malicious websites with an accuracy of 95.3%, which could be of interest to studies on website profiling. Second, we find that malicious URLs can be surprisingly long-lived, with 10% of malicious sites staying active for three months or more. Third, we observe that a significant number of URLs exhibit the same temporal pattern that suggests a flush-crowd behavior, inflicting most of their damage during the first few days of appearance. Finally, the distribution of the visits to malicious sites per user is skewed, with 1.4% of users visiting more than 10 malicious sites in 8 months. Our study is a first step towards modeling web-based malware propagation as a network-wide phenomenon and enabling researchers to develop realistic assumptions and models.”
More:
“[…] 71.6% of URLs in D WINE appear for only one day during the 8 months […]”
3 users thanked author for this post.
From Understanding the Relationship between Human Behavior and Susceptibility to Cyber Attacks: A Data-Driven Approach (paper available for free on Google Scholar):
“Abstract
Despite growing speculation about the role of human behavior in cyber-security of machines, concrete data-driven analysis and evidence have been lacking. Using Symantec’s WINE platform, we conduct a detailed study of 1.6 million machines over an 8-month period in order to learn the relationship between user behavior and cyber attacks against their personal computers. We classify users into 4 categories (gamers, professionals, software developers, and others, plus a fifth category comprising everyone) and identify a total of 7 features that act as proxies for human behavior. For each of the 35 possible combinations (5 categories times 7 features), we studied the relationship between each of these seven features and one dependent variable, namely the number of attempted malware attacks detected by Symantec on the machine. Our results show that there is a strong relationship between several features and the number of attempted malware attacks. Had these hosts not been protected by Symantec’s anti-virus product or a similar product, they would likely have been infected. Surprisingly, our results show that software developers are more at risk of engaging in risky cyber-behavior than other categories.”
More:
“Of these statistically significant results, the ones that we deem the most solid are ones showing that the number of malware infections on a machine are related to the number of downloaded, unsigned, and low-prevalence binaries for all categories of users.“
2 users thanked author for this post.
Here are some of the things that I do (Windows 7):
Use a standard account for everyday activities. For convenience, I use an elevated program launcher to launch commonly used elevated programs in the standard account.
Use an antivirus (Avast Free).
Use an anti-exploit program (Microsoft Enhanced Mitigation Experience Toolkit).
Use an anti-executable (AppLocker) to allow execution only from locations not writable by the standard user account.
Run Firefox as low-integrity program.
Scan for malware occasionally with HitmanPro and Malwarebytes Anti-Malware.
1 user thanked author for this post.
-
-
Not on my own computer that I recall. I realize it’s probably nontrivial but I’m willing to live with it.
1 user thanked author for this post.
-
-
Avira is my #1 AV choice. I have used others, but I find that both Avira Free and Pro are stable and light, great protection, with plenty of configuration options.
The only difference with free and Pro is that Pro offers support, Web protection, and mail protection. Same malware detection engine, and APC (Avira Protection Cloud).
Some users may report annoyances with the launcher (now called “Connect”), which can easily be disabled in Task Manager startup tasks.
Connect offers many additional products that marketing hopes to upsell and cross-sell, but you can ignore them. You have final control over what options are installed (except for Connect) by using the uninstall/change option in the Windows Control Panel Programs and Features menu.
Overall, Avira seems to be a very reputable company with good test scores, that offers an excellent product for free. I have read their privacy policy and I do not believe there is any unscrupulous spying going on here. Also a plus in my opinion, is that they are based in Germany, not a five eyes member. 🙂
Windows 10 Pro 22H2
-
-
From A clinical study of risk factors related to malware infections (paper available for free on Google Scholar):
“Abstract
The success of malicious software (malware) depends upon both technical and human factors. The most security conscious users are vulnerable to zero-day exploits; the best security mechanisms can be circumvented by poor user choices. While there has been significant research addressing the technical aspects of malware attack and defense, there has been much less research reporting on how human behavior interacts with both malware and current malware defenses.
In this paper we describe a proof-of-concept field study designed to examine the interactions between users, anti-virus (anti-malware) software, and malware as they occur on deployed systems. The 4-month study, conducted in a fashion similar to the clinical trials used to evaluate medical interventions, involved 50 subjects whose laptops were instrumented to monitor possible infections and gather data on user behavior. Although the population size was limited, this initial study produced some intriguing, non-intuitive insights into the efficacy of current defenses, particularly with regards to the technical sophistication of end users. We assert that this work shows the feasibility and utility of testing security software through long-term field studies with greater ecological validity than can be achieved through other means.”
One interesting result:
“And somewhat non-intuitively, we found that computer expertise is a weak factor increasing the risk of infection.“
1 user thanked author for this post.
-
From A clinical study of risk factors related to malware infections: …
This paper is also available directly from the authors. It can be found at pdfs.semanticscholar.org/788a/ecc48b5cae3fe1c6f84a04fa60e0e0e122c0.pdf
1 user thanked author for this post.
-
This reflects my real-world experience. The most dangerous users are the ones who think they are so good and they end up taking more risks and get more into trouble because of it. You give them security advice and they think they know better because they are good computer users.
They think they won’t click on something bad because they have the power to see what is behind every apparently legitimate link on the web and they have this special power that makes them able to see through files downloaded from torrents and know that they won’t contain malware for them. Or, they have the super power of deniability and naiveté, which makes them able to tell everyone they practice safe browsing and they never got virus, until they bring their slow computer to us and we end up finding traces of many bad things all their arsenal of anti-everything didn’t catch.
1 user thanked author for this post.
-
The authors of this paper desperately need a writing coach. I can’t make heads or tails out of the title, and the quoted text is hardly better. What the heck are “missed attack sample impacts”??
Plain English, please! 😉
Downloading the paper as I write this, just to get to the comparison table. Will not be macheteing my way through the thicket of jargon and verbiage.
And still: MrBrian, thanks for linking to all these studies. (thumbs up)
1 user thanked author for this post.
-
I’ll give an example to illustrate. Let’s suppose we scan 100 malicious files with Antivirus A and Antivirus B. Suppose that each antivirus didn’t detect one file as malicious. Each antivirus has a 99% detection rate on this test. However, suppose the malicious file that Antivirus A missed was much less commonly found in the real world than the malicious file that Antivirus B missed. Let’s suppose that the number of computers using Antivirus A is close to the number of computers using Antivirus B. Considering just these 100 malicious files, many more computers using Antivirus B were potentially infected by the malicious file that it didn’t detect than the number of computers using Antivirus A that were potentially infected by the malicious file that it didn’t detect. As this example shows, the prevalence of a given malicious file should be taken into account. This study does this, weighting the file detection test results of https://www.av-comparatives.org/wp-content/uploads/2013/09/avc_fdt_201309_en.pdf by file prevalence data supplied by Microsoft telemetry. When weighted by file prevalence, the best product failed to detect approximately 1.2 of every 1000 malicious files encountered (column 3 of Figure 5), the 11th best product failed to detect approximately 8.2 of every 1000 malicious files encountered, and the 21st best product failed to detect approximately 18.9 of every 1000 malicious files encountered.
In Figure 5, the 3rd column is the 2nd column multiplied by 1000. The 4th and 5th columns are data from https://www.av-comparatives.org/wp-content/uploads/2013/09/avc_fdt_201309_en.pdf. Notice that data for Microsoft’s product is contained next to the asterisk below the table.
2 users thanked author for this post.
-
THANK YOU MrBrian. I have been using av-comparatives for years. I do not have the insights you do, but your posting here re-assures me that I have been looking at the right reports. This report shows scientifically just what I experienced with Norton and Bitdefender. When my favoured source (Norton) stopped making a pure antivirus product, I was forced to look elsewhere. I relied on AV-comparatives to suggest alternatives. That is how I discovered Bitdefender. My actual experience bears out what this report shows.
CT
1 user thanked author for this post.
-
-
-
Thanks for the rundown, MrBrian.
Turns out that the IEEE report is for pay, so the download didn’t work. I’m weighing the cost against my curiosity over which AVs did best (or worst) in this modified analysis.
UPDATE: Saw your next post with the breakdown by effectiveness. (thumbs up)
1 user thanked author for this post.
-
You’re welcome :).
The data for this study is years old unfortunately. I tried to find more recent similar research, but have not found any yet.
It really is amazing how much of a difference weighting by prevalence can be. Example: Microsoft Security Essentials did relatively very poorly in the unweighted data, but was in the top 6 when global prevalence was taken into account.
1 user thanked author for this post.
-
-
You arn’t kidding . I use Malwarebytes but then used ADWcleaner as you suggested. It was way faster then it’s partner Malwarebytes and cleaned a number of threats that malwarebytes didn`t show.
Using both is recommended. ADWCLEANER has a different purpose than Malwarebytes. It targets PUPs (potentially unwanted programs) and browser hijackers. It does not perform a complete malware scan of your PC.
Here is a recommended 4 step process for scanning from Malwaretips: https://malwaretips.com/blogs/remove-potentially-unwanted-program/
TL/DR;
1. ADWCLEANER
2. Malewarebytes
3. HitmanPro
4. Zemana Antimalware
Windows 10 Pro 22H2
4 users thanked author for this post.
I used Malwarebytes for years and it clearly was the best of breed and did the job very well. I later learned of ADWcleaner and after years of use (probably numbering thousands of uses), I realized that it does everything Malwarebytes does, but faster.
I don’t think that is still true. The current version of ADWcleaner just scans for PUPs and browser hijackers. It does not perform a full malware scan of your PC. It is faster because it does less. In all fairness though, it does look like a great complement to Malwarebytes MBAM!
Windows 10 Pro 22H2
Waking up every day thinking, “what a great day”, until i get my first machine full of surprises! Just to end up with the customer saying:
“my whole life is in there!”
Also, i do help a grandmother, accountant, to go thru her digital life peacefully!
Until one day she opens a pdf from an infected customer computer (ignoring my advice to ask mailer if mail is legit) and getting a ransomware damaging all her documents! Lucky her that did not ignored my advice to do a daily offline backup. She _only_ lost a day worth of work (accounting more or less 22 companies and some more private customers!
Finishing a day of work with a smile! after thinking: “hey, you helped a lot today (big grin)”, receive a call from another customer that had his phone (android) infected! Those monkey virus, and some other pests stuff bringing up ads everywhere you click! Darn, past ten pm and still have to reprogram this device and bring up all the important stuff to it! well, lets go (big grin again)! Tomorrow is another day!
1 user thanked author for this post.
No idea. I have a wide variety of clients from teenagers to seniors. Their usage varies widely. I find this stretch of problem free computers to be quite astonishing. I guess this is something like 450 machine years. Prior to Bitdefender, I used Norton AV for many years on mostly the same computers. There were infections then, not a huge amount but certainly at least 6 a year. In addition, I had to put up with Norton’s nasty habit of telling you you have an infection but not cleaning it up and pointing you to some tech solution. Norton also too frequently got itself into some kind of a mess. I learned that the best way to deal with those was to uninstall and re-install. Bitdefender has never enabled an infection. I have never had to re-install or manually remove an infection. Bitdefender for the average user is really good because it is very silent and lies in the background without intervention of any kind. My clients forget it is there.
I agree with your assessment of Bitdefender. I use Bitdefender Free on one desktop, and it is light and silent, and updates regularly.
Another AV that I use elsewhere is Avira. It has similar high detection scores and low system impact as Bitdefender. I find it slightly more configurable for a computer expert, but I would definitely recommend BD to the less experienced. Plug and play, stays outta the way! 🙂
Windows 10 Pro 22H2
Not really a c*** shoot with a decent blacklist, backed by software that can do things like block the name resolutions using wildcarded blacklist entries (e.g., ad.*, ads.*, etc.)
I meant it was a c*** shoot if you let all ads display, not if you use blocking methods as described … 😉
Windows 10 Pro 22H2
I had an additional problem with Malwarebytes which is the main reason I do not allow it on my client computers. Malwarebytes thinks it is an AV, and sometimes creates conflicts with your chosen AV. I don’t need that aggravation, especially when ADWcleaner does the job every bit as well and does it much faster and simpler.
I have never run Malwarebytes as real-time malware protection, so I cannot comment on the implied system impact, but I am not surprised that it can cause slowdowns and conflicts.
I agree that the best policy is to run one really good, trusted, AV (not a suite) as your real-time defense, then as many on-demand scanner/removers such as Malwarebytes Free as you wish.
There is a also new breed of protection that recognizes that signature based defenses have reached the limits of their potential. With all the malware variants possible, the potential for zero-day exploits has risen dramatically. Anti-exploit software (anti-ransomware, etc) relies instead on behavior based tactics and blocks known exploit vectors without needing any code signatures.
Here is a side by side comparison of several anti-exploit products, including Microsoft EMET, Malwarebytes Anti-Exploit, and Hitmanpro.Alert.
Windows 10 Pro 22H2
3 users thanked author for this post.
Looks like it’s unwilling to put up any UI at all on a Windows 10 system that’s had the UWP side deconfigured. Am I right to think ProductAgentUI.exe should put up something on the screen? -Noel
I run BD Free on Windows 7 Pro x64 without any issues. Nice simple UI. 🙂
Windows 10 Pro 22H2
I have run numerous tests in which I ran ADW, restart, then run Malwarebytes. Malwarebytes rarely finds anything.
Just because it finds nothing, don’t assume it is not effective. It probably means you are doing everything correctly. It’s just a 2nd opinion … but it may catch something nasty one day that your #1 ignored …
If Malwarebytes ever actually finds anything on my computers, I will probably have to re-think my entire approach to security, LOL!!! 🙂
Windows 10 Pro 22H2
I have a very similar view to MrBrian on all security, but here I will present things a bit differently for normal users.
==== Letter to a young or not that young computer user ====
On the top of my head, if I wanted to tell a normal user what should be his priorities to have the most adware and malware free experience, using advice that is not too impractical for him/her, I would say:
-Keep software patched. This prevents vulnerabilities. This includes your music player and all software that can read files from remote locations.
-Don’t download from torrent sites and illegal files. This is a sure way to get the latest bad code embedded and 0-days attacks that might not be catched by your antivirus. Did you know maybe only 1 out of 3 new threats are recognized by your antivirus? Shake that false sense of security off right now!
-Run in a Standard User Account, not an administrative user account. Create a different user with administrative rights, reduce your rights on your normal account. Put a password on the admin user so when you have to click the UAC in Standard mode, it will make you think twice because you will have to type a password instead of mindlessly clicking allow my computer to be destroyed. Plus, if you are just a normal user with not many software and only good ones, you shouldn’t get many UAC prompts. Better, if you can log to admin account to perform the administration task asked instead of clicking on any UAC prompt, bonus points!
-If you don’t know how to tweak your browser for a more secure experience, forget IE and use Chrome or Firefox. Avoid plugins as much as possible and go in the options to activate them on demand only, so bad pages need to ask a permission to use one of your plugins vulnerabilities. Don’t activate Flash unless you really need to. Don’t blindly click on yes on every activation demand. I have Flash on demand when I just don’t have it, Sumatra pdf for offline pdf viewing, but I use the native capacity of Firefox to view most online pdfs. It is safer than using Adobe Reader to do it that way. I don’t need other plugins. I use Firefox with little add-ons (not plugins) to improve security, but someone else might be better to say which ones are the best right now (ublock origin or adblock plus or what else). I use Noscript as an add-on, but it is annoying to many so I install it while allowing all scripts globally for some users so at least they benefit from some protections without the annoying warnings at the bottom of the browser.
-Consider running your browser in a sandbox like Sandboxie. This is great protection from unknown threats as it shields the rest of your computer from your browser, at the price of some dollars and some performance during browsing. Unknown menace? It won’t even reach your antivirus that might not even recognize it.
==to be followed in next post as it was too long and got deleted ==
== something I can’t post ==
then
-Some people use anti-exploit software. I think they can be a nice addition. They are probably more important than antivirus for a careful user, who is more vulnerable to unpredictable drive-by downloads than clicking on hackme.exe. Like a sandbox, they prevent malware from operating where they want instead of trying to identify what is malware based on an always changing list of signatures. This is a more proactive approach to security. I use the free Microsoft EMET. Use it with default settings and Firefox 64 bits (check other versions on Mozilla site for the 64 bits version because the default is still 32 bits and know that the 64 bits doesn’t support as many plugins (which is good in my opinion for what it is worth)) for maximum efficiency of some features. You might prefer a commercial software to EMET for simplicity and support. I like free for home users I help. Don’t activate other settings than default on EMET unless you know what you are doing. You could prevent some old programs from starting or updating. EMET might also cause issues with Steam cheat detection for you gamers, I am not sure, so you have been warned.
-Scan occasionally with Hitman pro or Malwaresbytes free as MrBrian suggested, just in case something slipped through the cracks. If you want something serious, there is no way to know you cleaned everything using tools, as the malware might have downloaded newer malware that is not recognized, it might have neutralized your antivirus while making it pretend it works and don’t find anything. The only sure way to sanity when that happens is reinstall.
4 users thanked author for this post.
Sorry for all the posts. There are parts of my message I can’t post and I don’t know why, although there is nothing special in it. I had to split it in parts and figure out what couldn’t be posted. It was a part saying to use one antivirus, not suite.
I personally don’t use wifi in the home at all. Most importantly – never use free wifi internet connections in public places like coffee shops etc.
WiFi in the home is safe if you take the proper steps to secure it. I allow my desktops to share the network on the main SSID, but my mobile devices connect only to my secured guest network SSID, in isolation mode. In isolation mode they cannot see any other endpoints on the LAN, only the WAN connection.
Public WiFi is OK to use, but you MUST use a VPN for security and privacy.
Windows 10 Pro 22H2
1 user thanked author for this post.
Also, i do help a grandmother, accountant, to go thru her digital life peacefully! Until one day she opens a pdf from an infected customer computer (ignoring my advice to ask mailer if mail is legit) and getting a ransomware damaging all her documents!
It sounds like security failed on a couple of levels in her case:
First, her AV software failed to identify and isolate the malicious attachment upon download.
And second, an anti-ransomware program (was there one installed?) failed to stop the attachment’s behavior once she opened it.
A specialized resident anti-exploit/anti-ransomware program like HitmanPro.Alert could come in very handy in this kind of situation. I highly recommend HMPA.
1 user thanked author for this post.
-Scan occasionally with Hitman pro or Malwaresbytes free as MrBrian suggested, just in case something slipped through the cracks. If you want something serious, there is no way to know you cleaned everything using tools, as the malware might have downloaded newer malware that is not recognized, it might have neutralized your antivirus while making it pretend it works and don’t find anything. The only sure way to sanity when that happens is reinstall.
One other step that could be useful before nuking the existing OS installation, is to check the computer with an offline AV scanner. There are a number of Linux-based “Live CDs” out there from reputable AV companies. They can download the latest definitions and then scan the system while Windows isn’t running, which makes it harder for any malware present to hide.
4 users thanked author for this post.
-
Yes, but all of this has always been to me an acceptable solution only when you can’t do a reinstall, because it is too much trouble or costly for the person you help or the person himself/herself.
My point is there is no way to know for sure you are completely clean using any product. Malware can encrypt itself, it is an always evolving playing field where products keep playing catch-up and where there is no set point where you can have a definitive clean install configuration of your own unique computer for the antimalware to compare to. In theory, if you had malware, you need to consider the computer broken at the software level and reinstall. Maybe if you catch a very well researched not very sophisticated malware that isn’t also a downloader, you can have a bit more faith cleaning is enough, but to me, when malware sets in, it is just an indication something failed and that maybe something else slipped through too, so I prefer to have a good image backup and restore.
Can you imagine a policy where a professional organization cleans an infected computer instead of just reimaging it? It is much faster to take 15 minutes to bring back the computer to clean install than to try to figure out what is wrong and if it can be fixed. I had to clean some computers that I couldn’t reinstall over the years for a quick fix and a lot of them were much better after but I still suspected they were not ok. I told the person he should reinstall when possible but they needed quick solutions to get by their day until they could take the time to do the thing.
All of this to say I think that people need to understand antimalware is not a silver bullet fixing everything. It can give a false sense of security. You get speed back and no bad ads on your computer, but maybe that keylogger is still there stealing your personal informations after the cleanup and you don’t know about it. You need to focus much more on prevention than cleaning. That is why I don’t spend too much time researching cleaning products because however good they are, they are theoretically not the best solution.
-
Agreed that prevention is far better than cleanup. That’s why I run (and recommend) setting up multiple layers of defense. To me, they’re well worth it even at the cost of some performance (with a nod to Noel Carboni :-)).
It’s all a balancing act: losing some performance in order to lower the chances of getting infected, we each have our personal price point. Another balancing act is in the cost/inconvenience of running daily image backups vs. running the risk of the system getting infected with no recent backup. At the enterprise level I can’t see this not happening, but virtually no small business that I personally know of goes to the effort of running daily backups. There are many other immediate things to attend to, and only so much staff to get it done. For them, I tell them it’s that much more important to apply defense-in-depth.
2 users thanked author for this post.
-
Caught in the sp*m bucket. Slow down on the edit/submit/edit and give the system a chance to update for better results 🙂
1 user thanked author for this post.
-
-
colon : dash – close parenthesis )
🙂1 user thanked author for this post.
-
-
-
-
I agree that cleaning is a risky approach. The IT team where I used to work always re-imaged a workstation or laptop after it was compromised.
Like you mentioned, the time factor and loss of productivity is key here. Plus nuking the disk ensure that the threat was completely eradicated.
So I would state that my disk imaging process is probably my most important malware defense. My AV’s and other tools are really just serving me as prevention, detection, and alerting systems.
My cleanup plan is and always has been nuke and re-image.
My exception might be for certain PUPs and annoying stuff, that I was reasonably sure came with something that I installed and was not dropped by a trojan or one of the more nasty exploits.
Windows 10 Pro 22H2
2 users thanked author for this post.
I’ll give an example to illustrate. Let’s suppose we scan 100 malicious files with Antivirus A and Antivirus B. Suppose that each antivirus didn’t detect one file as malicious. Each antivirus has a 99% detection rate on this test. However, suppose the malicious file that Antivirus A missed was much less commonly found in the real world than the malicious file that Antivirus B missed. Let’s suppose that the number of computers using Antivirus A is close to the number of computers using Antivirus B. Considering just these 100 malicious files, many more computers using Antivirus B were potentially infected by the malicious file that it didn’t detect than the number of computers using Antivirus A that were potentially infected by the malicious file that it didn’t detect. As this example shows, the prevalence of a given malicious file should be taken into account. This study does this, weighting the file detection test results of https://www.av-comparatives.org/wp-content/uploads/2013/09/avc_fdt_201309_en.pdf by file prevalence data supplied by Microsoft telemetry. When weighted by file prevalence, the best product failed to detect approximately 1.2 of every 1000 malicious files encountered (column 3 of Figure 5), the 11th best product failed to detect approximately 8.2 of every 1000 malicious files encountered, and the 21st best product failed to detect approximately 18.9 of every 1000 malicious files encountered. In Figure 5, the 3rd column is the 2nd column multiplied by 1000. The 4th and 5th columns are data from https://www.av-comparatives.org/wp-content/uploads/2013/09/avc_fdt_201309_en.pdf. Notice that data for Microsoft’s product is contained next to the asterisk below the table.
AV-Comparatives is the main reason I would never touch Windows Defender with a 10 foot pole.
Windows 10 Pro 22H2
For those that use an admin account as your everyday account, and also use UAC, you may wish to browse topic Method found that bypasses UAC even at maximum level for all versions of Windows.
1 user thanked author for this post.
From Test: This is how well 8 security packages and 7 special tools come to the rescue after a virus attack (December 2016):
“Can security packages or special tools on a boot CD completely clean and repair a system infected with viruses, Trojans and other malware? To find out, AV-TEST subjected 8 well-known security suites and 7 popular special tools to an endurance test. Here is the first interim report after 6 months of tests with the best helpers.”
-
More recent test: Put to the test for 12 months: This is how well security packages and special tools help after an attack.
2 users thanked author for this post.
-
The interim results are interesting, with 6 of 8 packages and 2 of 7 special tools recommended.
The final results reduced that down to 4 recommended packages and 1 recommended special tool.
(I too am having trouble posting a quote here, same as #119936)
-
Here are antivirus test results from two organizations:
More recent test: Put to the test for 12 months: This is how well security packages and special tools help after an attack.
I now feel much better about using Avira as my primary AV product. With Malwarebytes and HitmamnPro as backup scanners, for the win!
Windows 10 Pro 22H2
1 user thanked author for this post.
You can set exclusions for specific files in Bitdefender Free after they’ve been quarantined, at least in theory. That was the problem I had with it… it kept quarantining harmless files, and when I told it to restore them/exclude them, it would just go ahead and detect them again, and it wouldn’t restore them when it was supposed to. From what I understand, it’s a known bug in BD Free, but for some reason they do not seem motivated to fix it. (What could that be?) I’m just using Windows Defender now as far as signature-based detection. In addition to that, I’m using Malwarebytes Anti-Exploit free.
It seems that no matter what security software we are discussing, there are always certain systems that have conflicts. But obviously, not all systems have these conflicts.
I wonder why that is?
Is this issue perhaps more common with advanced users that are not using a standard system configuration, or are they combining products that do not play well together.
Assuming here for a minute that the AV vendor probably passed their QA tests with vanilla PC setups …
Windows 10 Pro 22H2
-
-
-
-
Not sure about that, because they released a refreshed version of BD Free last year.
Windows 10 Pro 22H2
-
-
-
The point I tried to make is that BD Free appears to work fine for its intended use. By that, I believe that it is intended for casual computer users. In my use case, that’s exactly how I use it, and not a single detection has occurred so far.
I was aware of the limited UI going in, with no proactive exclusions provided. But for that particular PC, that works out great. I have a spare Avira Pro license I could use in this case, but I choose not to. BD Free works just fine here.
On the other hand, I don’t believe it would be very happy with my main PC, which contains various project folders with C, Python, and Javascript files.
As far as detection goes, I think that the way the Bitdefender engine works with cloud scanning options is like this: (1) first compares file hash with local cache (2) if not found in cache, sends hash to cloud for lookup (3) if no match as safe executable is found, then bang! Quarantine time.
In a more advanced AV, the user can be prompted interactively for what to do at this stage. With Avira, I just select ignore, and it will not alert me again. That is probably the main thing missing from BD Free. I don’t want my stuff going to quarantine unless I ok it first.
But if you fit the casual user type, don’t write your own code, scripts, or batch files, and always run signed code, you will probably be fine …
Windows 10 Pro 22H2
-
I wonder what this means for Defender?
Hexadite to Join Microsoft
https://www.hexadite.com/blog/hexadite-join-microsoft/
Microsoft’s Hexadite acquisition means Windows Defender is going to get a lot more secure
Windows 10 Pro 22H2
“But obviously, not all systems have these conflicts.” Maybe that ought to be “Most users of this basic, free AV probably wouldn’t notice that exclusions had failed.” Perhaps that Bitdefender bug has been fixed in the latest version? I didn’t have it installed for long enough to find out. 29 test days results through March ’17 here: https://malwaretips.com/threads/malwaretips-bitdefender-report-march-2017.70710/ failed on 6/29 days, not that it means very much without baselines from other AVs tested with the same malware sets on the same days and definitions times.
On the system that I have run Bitdefender Free on for over a year, I have never had a detection, and have never needed to set an exclusion. It is my home theater PC, and I only run mainstream, signed code on it. Light browsing, gaming, and recording/watching TV shows. Have never tried to run any code that I wrote on that one, or anything sketchy downloaded from the internet.
Maybe that is a more typical profile of a standard user? Run well known, signed code, no problems …
Perhaps if you are an expert user, a developer, or a malware researcher, you need to pony up for the full version?
I use the paid version of Avira Pro on my main desktop workstation. Exclusions there are abundant and easily set proactively.
Windows 10 Pro 22H2
You’re welcome :). See post #120054 for study results.
My biggest surprise was to see Bitdefender all the way down in the 3rd tier. Based on all other test reports that I have seen, it usually scores right up there with Avira and Kaspersky. I think of them as the “Big Three” nowadays …
Windows 10 Pro 22H2
1 user thanked author for this post.
-
There’s really nothing special about partitions when it comes to malware prevention and removal. Most modern malware can easily jump partition boundaries, and infect additional disks and even external disks and devices attached to the main PC. This is why recovery from ransomware requires that the data backups have not been connected to the infected PC.
-- rc primak
-
Those are good points. I regularly copy backup files from my internal drive to my external drive (using FreeFileSync), and sometimes burn them to DVD. I also regularly audit my data files for unwanted changes, additions, and deletions using FileVerifier++.
1 user thanked author for this post.
-
I use Autoruns to check for new autoruns that were created either by malware or legit software. I do this immediately before and after installing software. I use its comparison function to compare the most recent Autoruns snapshot with the next most recent Autoruns snapshot, for each user account that I regularly use.
2 users thanked author for this post.
I am testing a free whitelist based anti-executable called “VoodooShield”.
The main purpose of this is to prevent malware from running. It will not clean your system. For that reason, it looks very promising! 🙂
VoodooSoft VoodooShield – Review http://www.pcmag.com/article2/0,2817,2470799,00.asp
Very light footprint and no detectable system impact so far. No conflicts with my AV or HitmanPro.Alert.
Windows 10 Pro 22H2
I regularly browse https://www.us-cert.gov/ncas/current-activity to be informed about software updates to very popular products.
-
If you want to keep your software up to date for security or other reasons, there are several good, adware-free updates checkers which cover a wide variety of third-party software.
Although you have to jump through a few hoops to get a clean version, I find SUMo Lite to be adequate for finding out what can be updated, without reference to whether or not these are security related updates.
I don’t know if Secunia PSI is still in business, but Belarc Advisor has some update checking. Even Glary Utilities uses File Puma’s update checker, though this one misses some of my more obscure titles.
If you stick with the more popular titles, Ninite works well to keep a system up to date.
The only source I would trust for Microsoft products is Microsoft Updates, checked first with wushowhide just to make sure nothing unwanted is lurking in the download queue.
-- rc primak
-
-
I used to be a Secunia PSI user, but the last time I tried Secunia was after they had released a new version, I think it was 3. It seemed buggy, so I wrote it off. Liked the concept though.
The company is now part of Flexera Software, which seems to have an enterprise focus, so not sure how much attention they will focus on a free personal software inspector.
Now I just try to stay focused on my internet facing programs, any media players, and office programs or document readers to make sure that they are up to date.
I no longer install plugins for Flash, Java, Quicktime, Silverlight, etc., and that was mostly what Secunia reminded me about, besides my web browsers … and if I ever really need Flash, I just run Chrome, which has the latest version built in, click to play.
Windows 10 Pro 22H2
-
-
Australian Signals Directorate recommends doing these eight things as a security baseline.
From Block adverts, delete Flash, kill Java: ASD:
‘”The eight mitigation strategies with an ‘essential’ effectiveness rating are so effective at mitigating targeted cyber intrusions and ransomware, that ASD considers them to be the cyber security baseline for all organisations,” the ASD writes.’
4 users thanked author for this post.
-
There are actually the so-called “Top 4” which are more or less mandatory for compliance for organisations which implement those guidelines.
https://asd.gov.au/publications/protect/top_4_mitigations.htm
However, do not expect anyone to apply those guidelines to the letter due to various reasons, most often legacy software which is business critical and as such required to run.
End-users should not stop using Flash, Java, Silverlight if they find them useful, but they should patch in a timely manner and stop believing that they are prime targets for malware.3 users thanked author for this post.
-
It’s the top 4, plus 4 more.
1 user thanked author for this post.
-
-
-
And is it technically feasible in today’s “software does things whenever and wherever it wants to” cloud-based computing philosophy?
My firewall occasionally catches, for example, Visual Studio, Skype, etc. installer components running from my TEMP directory. We have no control over that stuff, under the covers. The requirement, in order for these things to work, is to allow such behavior as a temporary exception. There’s getting to be more of this kind of thing, not less.
My conclusion that a long-term strategy of “only allow what’s been pre-approved” is becoming less and less possible. Generalizing a bit, with current OS direction we are losing control of what’s happening on our computing devices, certainly not gaining it!
-Noel
1 user thanked author for this post.
-
-
-
-
-
-
-
-
-
I have been running VoodooShield, which is based on an application whitelist.
(FREE FOR NON-COMMERCIAL HOME USE)
The VoodooShield Difference
VoodooShield uses a proprietary proactive whitelist snapshot approach to virus and malware protection. VoodooShield is a patented toggling Desktop Shield Gadget / Computer Lock that automatically toggles to ON and locks your computer when you start a web app. There is never a good reason to let new, non-whitelisted executable code run while a web app is running.
Windows 10 Pro 22H2
-
For browser security and privacy, I highly recommend browser extension uBlock Origin. uBlock Origin can be thought of as a firewall for browser connections. uBlock Origin can be configured for various levels of user interaction.
I use a variation of medium blocking mode with a few additions. I added global blocks for inline scripts and 1st-party scripts. Also, I added third-party filters Fanboy’s Enhanced Tracking List and Fanboy’s Social Blocking List.
1 user thanked author for this post.
Thanks to Adam for this malware blogpage link – information on malware/security, both desktop and mobile:
Antivirus Statistics for 2018
By Aviva Zacks | October 14, 20181 user thanked author for this post.
From WordPress Emergency Support – an in-depth look at malware, its spread, detection, reasons, types and terminology:
A -very- detailed Guide about Web Malware
By Bit of WP | November 26, 20181 user thanked author for this post.
Viewing 57 reply threads
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Recent Topics
-
Long Live the Red Envelope Era | Farewell to DVDs | Netflix
by 6 hours, 21 minutes ago
-
Faststone Image Viewer updates
by 8 hours, 5 minutes ago
-
Malicious ad served inside Bing’s AI chatbot
by 8 hours, 7 minutes ago
-
win10 pro 22H2 current minus 1 mo,to, win11. suggestions…
by 3 hours, 55 minutes ago
-
Microsoft entered negotiations to sell Bing to Apple in 2020
by 17 hours, 17 minutes ago
-
X CEO shows her iPhone’s Home Screen – and X isn’t there
by 18 hours, 31 minutes ago
-
Keeping an older Mac secure
by 18 hours, 44 minutes ago
-
Thunderbird – problem ”setting up existing email address”
by 18 hours, 41 minutes ago
-
Windows 11 Insider Preview build 23555 released to DEV
by 1 day, 5 hours ago
-
Something didn’t go as planned KB5030310, KB 5030219
by 2 hours, 54 minutes ago
-
“Enhanced” search box
by 1 day, 6 hours ago
-
Windows Ends Installation Path for Free Windows 7/8 Upgrade
by 1 day, 7 hours ago
-
Icon text drop shadows latest Win 11 update
by 1 day, 1 hour ago
-
Group Policy to change context menu to Win10 version?
by 1 day, 9 hours ago
-
You can no longer activate newer Windows 11 builds with Windows 7/8/8.1 keys
by 7 hours, 59 minutes ago
-
Reddit is removing the option to prevent Reddit from tracking ..
by 1 day, 16 hours ago
-
Vivaldi for iOS and iPadOS released
by 1 day, 16 hours ago
-
Windows 11 attempted update to 22H2 results in Error Code 0x8024001e
by 1 day, 6 hours ago
-
lock screen goes black after ~ 25-30 secs.
by 1 day, 1 hour ago
-
Need File Location Which Lists Default Apps Used
by 1 hour, 42 minutes ago
-
Canadian’s identify alternative tape that prolongs life of laptop batteries
by 2 days, 3 hours ago
-
Browswers and Windows 11
by 2 days, 3 hours ago
-
Advice on whether to upgrade to Windows 11
by 2 days, 4 hours ago
-
Linuxmint LMDE 6 Officially Released
by 1 day, 6 hours ago
-
Edge browser – ad quality concern
by 2 hours, 41 minutes ago
-
Strange problem after upgrade from Win10Pro 22H2 to Win11Pro 22H2
by 1 day, 18 hours ago
-
Return Full Context Menus to File Explorer
by 1 day, 9 hours ago
-
Unusual Activity on Startup
by 6 hours, 41 minutes ago
-
Windows Backup – incremental possible?
by 3 days, 3 hours ago
-
New HD addition??
by 2 days, 18 hours ago
