Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it.
Don’t fall for bogus antivirus downloads
In this issue
- WINDOWS SECRETS: Windows Secrets & Support Alert using a shorter name
- TOP STORY: Don't fall for bogus antivirus downloads
- KNOWN ISSUES: Problems with Windows XP SP3 persist
- WACKY WEB WEEK: This guy couldn't spell 'IQ' with a dictionary
- BEST SOFTWARE: Low-cost online backup beats free alternatives
- WOODY'S WINDOWS: Put Windows' built-in spyware catcher to use
- PERIMETER SCAN: Free Windows security checker is flawed
Windows Secrets & Support Alert using a shorter name
The temporary logo (shown at left) that we’ve used for the past two months was created when the Support Alert Newsletter merged with the Windows Secrets Newsletter in July 2008. As was announced on July 9 by the editor of Support Alert, Ian “Gizmo” Richards, our long, transitional name is being shortened to simply Windows Secrets as of today.
We’ll still keep bringing you columns by Gizmo, our senior editor, twice a month. His latest installment is in this week’s paid content. (How you can get our paid content with no fixed fee.) Thanks for your support! —Brian Livingston, editorial director
Don't fall for bogus antivirus downloads
By Scott Dunn
A new virus strain pretends to remove malware but actually does just the opposite: it infects your system. Fortunately, you can use a few simple steps to tell the difference between these rogue antivirus programs and legitimate security software.
Antivirus apps may be malware in disguise
A dangerous new virus is making the rounds in the guise of a legitimate antivirus program. Going by such names as “Antivirus XP 2008” and “XP Antivirus 2009,” this malware, as described in a recent Computer Associates advisory, succeeds by looking like a legitimate Windows program.
The Internet security blog Donna’s SecurityFlash reports that rogue antivirus programs such as these are being promoted through spam messages that link to an automatic download of a virus installer.
With such aggressive methods afoot to fool security-minded users, how do you know when an antivirus product is legitimate? Use the following guidelines to ensure that the security products you download are legitimate.
Choose your security vendor deliberately
Be careful how you select a security vendor. Just because you see an ad for a vendor or product on a highly reputable site doesn’t mean the advertiser is reliable.
Conversely, an ad for a reputable product or service on an unfamiliar site doesn’t mean that you can trust the site. Advertisements are often distributed by third parties beyond the editorial control of the hosting site. That’s why you may find ads for untrustworthy products on legitimate sites, and ads for legit products on bogus sites.
Services such as the free McAfee Site Advisor and the Web of Trust add-on for the Firefox browser evaluate beforehand the safety of the site you’re about to visit. (Windows Secrets contributing editor Becky Waring reviewed Web of Trust in her July 17 column.)
Because the ratings generated by these tools may be based on out-of-date reports, they aren’t perfect. But they serve as a useful line of defense.
Another way to evaluate sites before you visit them is with the free LinkScanner Lite application. Rather than rely on second-hand reports, LinkScanner analyzes the code of a given site to check for stealth downloads and other malicious behavior.
The free version of the program requires that you right-click a link manually to get a risk analysis before you surf to the site. If you want your Google and Yahoo search results to be scanned automatically (in addition to other added features), buy LinkScanner Pro for $20.
Published reviews praise LinkScanner for detecting hacked sites, although the program fares less well when rated for detecting phishing sites. CNET’s review gave LinkScanner an overall rating of 7.5 out of 10. PC Magazine’s evaluation was similar, awarding the program 3.5 out of 5 stars.
Finally, never visit a shopping site by clicking a link in a spam message. Even if the message claims to be pitching a reputable product, such as one from Symantec or ZoneAlarm, the link may actually take you to a counterfeit site.
Color-coding the good guys and bad guys
One site that has been tracking rogue anti-malware products since 2004 is Spyware Warrior. If you’re considering a product whose validity is not certain, your first screening step should be to search Spyware Warrior’s blacklist. Although Spyware Warrior focuses on identifying fake antispyware apps, the service’s blacklist of suspicious sites and products also includes a lot of rogue antivirus applications.
Additionally, consult a whitelist of products that have been certified by a reliable independent organization. One such organization is ICSA Labs (formerly the International Computer Security Association), an independent research and certification division of Verizon Business. On its site, ICSA maintains a list of antivirus products it has certified according to its criteria.
Once you’ve validated a product to your satisfaction via these resources, you’re probably safe downloading it directly from the vendor. But to be extra cautious, consider going to a reputable download source that scans every item before placing it in its library. Such sites include CNET’s Download.com, the Downloads page of PCWorld.com, ZDNet’s Downloads page, and Tucows.com’s security section.
These days, every PC user needs security software to protect against online threats. But when the security software itself becomes a threat, the solution becomes a problem.
Fortunately, with a little care, you can dramatically reduce your risk when shopping for safe and effective security products.
Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the Here’s How section of that magazine.
Problems with Windows XP SP3 persist
By Dennis O’Reilly
If you’re still on the fence about XP’s Service Pack 3, best to stay there for a while. We continue to hear from readers whose PCs choke on the update, and for very different reasons.
XP SP3 should ship with two aspirins
I’m sure Microsoft made every effort to ensure that the distribution of Windows XP Service Pack 3 would go smoothly. Unfortunately, the company’s efforts didn’t keep some Windows Secrets readers out of the update muck.
One of the many people who shared their SP3 pain with us was Almer Procyshyn, who was seeing the Internet Explorer customization screen every time he started IE 7:
- “Recently, like many others I have noticed, I experienced problems with my laptop after SP3 was installed, one being the RunOnce setting for IE 7. Many forums suggest modifying the Registry, but the simple most effective solution is:
Tools, Internet Options, Advanced, Reset (under Reset Internet Explorer settings), OK.
“This allows you to [reset your] RunOnce settings. Simple, and it works.”
If only all SP3 glitches were so easy to resolve. Note that this workaround changes all IE 7 settings back to their default values, which may not be what you want. To fix the problem with a specific change to the Registry or using local security policy, see an explanation at Online Tech Tips.
While most XP users who have installed SP3 experience no problems, the risk/reward balance suggests that there’s no hurry to apply the patch, at least until Microsoft stops supporting SP2 — many months from now.
Renewal pop-ups tick off antispyware user
Reader Ted Cohen is mad as hell at SpySweeper, his antispyware vendor, and he’s going to take his business elsewhere.
- “I have used SpySweeper for years and agree it is among the best. However, 30 days prior to my subscription expiration, the software begins automatic renewal-notice pop-ups every time the machine reboots — for me, several times a day.
“SpySweeper support says the pop-ups cannot be removed. It is intrusive and annoying, as the pop-ups override my applications. I pay SpySweeper to stop hackers from installing trash on my machine, but it seems they are as guilty as the bad guys where their own revenue is involved.
“All it would take is the usual ‘do not show this message again’ checkbox to make me happy, but these guys are shameless. I like their software, but I am going elsewhere.”
The computer industry may not own the patent on alienating customers (see Automobiles, American), but software vendors in particular have made an art form out of it.
How good does a program have to be for you to put up with such annoying renewal reminders, not to mention update pop-ups and other intrusions? How loathsome do a company’s marketing practices have to be for you to toss a product you’re otherwise happy with?
Readers Almer and Ted will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.
The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.
This guy couldn't spell 'IQ' with a dictionary
By Katy Chenoweth
For many of our readers, September is back-to-school time. Even though most of us haven’t cracked a textbook in years, this season still conjures up images of academia and new beginnings. In that spirit, we present this hilarious clip about an IQ test gone wrong. Sure, book smarts aren’t everything… but this guy is lucky if he earns a degree in recess!
Low-cost online backup beats free alternatives
By Ian “Gizmo” Richards
In the last year, we’ve seen dozens of online backup services appear, spurred on by the widespread adoption of broadband Internet access. The best of the lot give you plenty of bang for just a few bucks.
The pros and cons of storing backups on the Net
Backing up to a remote server offers some attractive features compared to traditional backup methods:
• You don’t need to buy dedicated backup software.
• You don’t need to buy CDs, DVDs, or external USB drives for backup.
• Backups are not stored locally and are thus secure against fire, theft, and other physical risks.
• Your backups are generally accessible from any Internet connection.
That sounds attractive, but there are some serious downsides:
• You must depend on a third party to ensure the privacy and security of your backups.
• Transmitting your data over the Internet introduces additional privacy and security risks.
• If your ISP caps your data transfers, you may incur added charges for exceeding those transmission limits.
• Backup and recovery times are many times slower with online backup services than with restoring a backup from local media.
• There is no support for creating and recovering from system images such as those generated by Acronis TrueImage and other drive-imaging programs.
• You are dependent on the backup service’s remaining in business.
This last point is particularly significant. Setting up a proper online backup system involves a serious time commitment, so you don’t want to waste that investment on a service that goes out of business. But it’s not only a question of time and effort: imagine a situation where you need to recover your data from a backup, only to discover that your online backup service is no longer operating!
This is not a purely theoretical risk. In the last year, I’m aware of at least two popular free backup services that ceased operation, one of which was called The Linkup. Others will surely follow.
Those who used these defunct backup services lost all the time and effort they had put into creating their backups. If their ISP caps the amount of data they can upload, they also lost the money spent transmitting their data to the remote server. And what has happened to the private data stored on these discontinued services? You have to fear the worst.
For this reason, I don’t recommend totally free backup services for any critical data. If you decide to go the online-backup route, use a commercial service that has a viable business model and has been operating for some time.
The good news is that some commercial services, such as Mozy (see below), offer a limited free service. If you can live with the limitations, such a free service will be fine. You then have your free account, but you also have some guarantee of service continuity.
The three commercial services that I can recommend based on positive personal experiences are: Jungle Disk from Amazon S3, Mozy, and Carbonite. All three are well-established, have a solid user base, and provide a quality service.
The three services have a lot in common. Each requires you to download and install a desktop client that you use to configure your backup, manage restores, and handle the regular background backup of new and altered files to the service’s remote servers.
Each service specializes in backup rather than in simpler and less-secure file sharing. All three encrypt your data before transmission and store it in encrypted form on their remote servers. You can also restore your data to a different computer.
Jungle Disk’s on-demand pricing and ability to back up multiple PCs gives it an edge over Mozy and Carbonite. Mozy offers an abundance of backup and restore options but is slightly more difficult to use than Carbonite. My biggest knocks against Carbonite are the service’s slow performance and lack of Web-based access (you have to use the company’s client app).
#1: AMAZON JUNGLE DISK
$20+storage 86
A bargain for backing up multiple PCs
With Carbonite, Mozy, and most other online backup services, you get a similar offering with similar pricing. The Jungle Disk/Amazon S3 service is quite different.
The actual online storage is provided by the high-end Amazon S3 system that’s designed for corporate and IT professionals. The “Amazon” here is the online book company, so we’re talking about a serious player.
Jungle Disk is the client program that allows users to access the Amazon S3 system. It’s a product developed by a third party, not Amazon itself.
To use this system, you need to purchase the Jungle Disk client software for a once-off fee of U.S. $20 and you need to separately pay Amazon S3 monthly for the storage you use.
The cost of the client covers any number of PCs accessing the same Amazon account. This contrasts with Carbonite and Mozy, where you pay separately for each PC.
The S3 charge for online storage comes to roughly $0.15 per GB per month for storage used plus $0.10 per GB of data uploaded and $0.17 per GB of data downloaded.
So if you have 10GB of online storage and you refresh 20 percent of that each month, you would pay $1.50 for storage plus $1.00 for the upload, a total of $2.50 for that month.
Clearly, this pricing structure is cheaper than Carbonite or Mozy for anyone who doesn’t need a huge amount of online storage. However, when your storage requirement is larger than, say, 20GB or 30GB, the Jungle Disk/S3 approach is more expensive.
The 20GB-to-30GB threshold increases when you back up more than one PC to the service. For example, if you have four PCs, Jungle Disk starts to be more expensive than alternative services closer to the 100GB level.
But it’s not only Jungle Disk’s pricing structure that differs from Carbonite and Mozy: Jungle Disk is also faster and more full-featured.
In particular, the service is the only one of the three I tested to offer true network drive mapping. This means the files backed up to the Amazon server are accessible to you and your programs via a drive letter in Windows Explorer, Open and Save dialog boxes, and other folder windows.
On my PC, the Amazon backup appears as drive K:, and I can read and write files to this drive as with any other. Similarly, any program on my PC can access the files on this drive.
Unlike the other products, Jungle Disk offers a user-adjustable cache. This lets you tune your system to get the best possible performance when updating or changing your backup data.
Jungle Disk supports the Mac OS and Linux as well as Windows. There’s even a portable client that you can run from a USB flash drive.
But for me, Jungle Disk’s neatest feature is its ability to do block updates. This means that only the changed portions of large data files are transferred to the remote server. You’ll realize huge speed improvements when backing up Outlook .pst and other big, regularly updated files in which only a small portion of the file actually changes.
Figure 1. The Jungle Disk service lets you back up a selected “bucket” manually or all buckets at once.
The block-update feature is available only through Jungle Disk’s “Plus” package, which costs an extra $1 per month. Other features in the Plus package include Web access and e-mail or RSS notification of your backup status.
Jungle Disk may have a lot of features, but it also has the most complex setup of the three products I tried. You need to sign up for an Amazon S3 account in addition to buying the Jungle Disk client.
No, you don’t have to be an expert to set up Jungle Disk, but you do need to be experienced. Certainly, beginners would be challenged.
Strengths:
• You pay only for the storage you use
• Experienced users will appreciate the ability to create a backup set
• True network drive mapping allows your programs to access your server data directly
• Online storage backed by Amazon will be accessible even if the desktop-client vendor goes out of business
• Fastest of the three services tested
• Caching of server files with user-adjustable cache size offers improved performance
• Personal encryption key
• Data can be permanently archived
• All major platforms supported
• Portable version available
• Desktop client can be used on any number of PCs
• Desktop client comes with unlimited lifetime upgrades
• Ability to do block updates means that only changed portions of large files are uploaded (Plus version only)
• Web access (Plus version only)
• E-mail or RSS backup-log notification (Plus version only)
Weaknesses:
• Setup is more complex than with other services and not suited to beginners
• Resource throttling is not as flexible as in Mozy
• You need to buy the desktop client separately ($20)
• Requires a subscription to the Amazon S3 service
• Vendor of desktop client possibly not as substantial as other vendors
• Web access, resumable uploads, and block-level file updates are available only with the Plus service ($1 per month)
#2: EMC MOZY HOME
$5/mo. 82 Free version 78
An online-backup service with options
Mozy, like Jungle Backup, offers unlimited storage but with slightly different pricing: $4.95 per month or $54.45 per year. You get more features with Mozy than you do with Carbonite for roughly the same price. Mozy is faster, offers Web access, and is more flexible in the way backup sets can be defined.
However, this comes at the cost of a slightly more complex setup. Still, Mozy isn’t that complex and is probably a better choice for experienced users.
Most importantly, Mozy is the only one of the three services I reviewed that offers a free option. The free service is for a maximum of 2GB of online storage, but if that’s enough to hold your data, you need look no further.
Strengths:
• Option of a free account, though limited to 2GB of online storage
• Experienced users will appreciate the ability to create a backup set
• Very flexible resource throttling
• Lots of setup options
• Calibrates your Internet bandwidth during setup
• Local 1GB caching of server speeds up operation
• Allows optional use of private encryption key
• Web-based restore
• EMC, the owner of Mozy, is a substantial company
Weaknesses:
• More daunting for beginners than Carbonite
• No genuine network mapped drive in home version
• Poor archiving — old versions deleted after 30 days
• No file-sharing option
• Separate license required for each PC
#3: CARBONITE
$50/yr. 77
Unlimited backup space, but limited accessibility
Carbonite offers unlimited online storage for a flat fee of $49.95 per year. It’s the easiest of the three products to set up and has the best user interface. However, Carbonite is also the slowest of the three and the most limited in other respects.
The service doesn’t allow the use of personal encryption keys and lacks a Web interface. The latter problem means that the only way you can access your data stored on the Carbonite server is by installing the Carbonite client software.
Strengths:
• Easy-to-use interface
• Select files to back up by right-clicking, which is intuitive and easy for beginners
• Default selection of files to back up will suit most users
Weaknesses:
• Lack of traditional “backup sets” will annoy advanced users
• No provision for personal encryption key
• Client must be installed in order to recover data
• No Web-based restore feature
• No genuine network drive mapping, so your programs cannot access remote files directly
• Poor archiving — old backups are deleted after 30 days
• No file-sharing option
• Separate license required for each PC
• Slowest of the three on my test PC
For backing up multiple PCs, the choice is clear
After using all three of these systems for at least a month, I found that the product best suited to my needs was Jungle Disk. For backup sets less than 20GB, Jungle Disk is the clear winner on both price and features. Similarly, anyone with several PCs to back up will be attracted to Jungle Disk’s licensing policy, which allows use of the client on any number of systems.
If you need to back up less than 2GB of data, then the free version of Mozy’s service is an easy first choice. If you need to back up more than that amount of data and you’re a beginner with PCs, then Carbonite is your best bet.
More experienced users are better served by either Jungle Disk or Mozy Home.
Ian “Gizmo” Richards is senior editor of the Windows Secrets Newsletter. He was formerly editor of the Support Alert Newsletter, which merged with Windows Secrets in July 2008. Gizmo alternates the Best Software column each week with contributing editor Scott Spanbauer.
Put Windows' built-in spyware catcher to use
By Woody Leonhard
It may not be the best security program, but Windows Defender can help keep your PC free of malware. The spyware detector built into Windows gets dissed — and rightly so — but up the program’s sleeves are a few little-known tricks that make it worthwhile.
A ‘spyware catcher’ in name only?
Several times recently, I’ve been asked if I have seen or heard tell of Windows Defender — the antispyware program built into Windows — ever preventing anyone from downloading or installing a bad file. I have to admit the answer is no. I’ve read lots of accounts of Windows Defender removing this and missing that. But in the real world, I don’t see Defender catching anything.
It’s not all Defender’s fault, though. Web browsers are getting better. Firefox 3 and Internet Explorer 8 (currently in Beta 2) make it much more difficult for pop-ups to, uh, pop up. Programs that reset your home page or change your search defaults don’t stand much of a chance with these browsers, either.
Unfortunately, Microsoft’s definition of “spyware” may not match yours. A program that you (or Lavasoft’s Ad-Aware or Safer Networking’s Spybot Search & Destroy) find objectionable may pass muster with Microsoft, as explained on Microsoft’s spyware-analysis page.
If Windows Defender doesn’t catch much any more, what’s it good for? Heck, Defender doesn’t even look for cookies. And let’s face it, Microsoft would much rather sell you Windows Live OneCare for catching the really creepy stuff.
Defender keeps unwanted apps from autostarting
Nowadays, Windows Defender’s principal claim to fame is its position as gatekeeper for programs that start automatically when Windows loads. That’s a big stretch from Defender’s humble beginnings as Giant Antispyware, a product that was bought by Microsoft in 2004.
When Windows Defender determines that an autostarting program could harm your computer, it prevents the app from opening and warns you with a message such as the one shown in Figure 1. In Vista, for example, a program that requires Administrator privileges will invoke such a warning when it attempts to start.
Figure 1. Windows Defender intercepts a potentially problematic autostarting program.
There are several ways to take a program off the blocked list, but I prefer to take a look at all of my autostarting programs so I can pick and choose.
Make sure Defender is guarding your system
In any version of Vista, you open Windows Defender by clicking Start, All Programs, Windows Defender. Easy.
If you’re using Windows XP (Service Pack 2 or 3) and you don’t see a Windows Defender shortcut on your Start menu, you have to jump through several hoops to install the program:
- Step 1: Open Internet Explorer and browse to the Windows Defender download page; using IE makes Windows Genuine Advantage validation easier.
- Step 2: Click Continue, turn your head, cough, and go through the WGA Validation routine. If Microsoft’s happy with your copy of Windows, you’ll be permitted to download the program.
- Step 3: Double-click the downloaded file, WindowsDefender.msi. The Windows Defender installer asks you to validate your copy of Windows again. Click Validate. When you get to the point in the installation wizard where Microsoft invites you to “Help Protect Windows” (oy!), choose the box that says Ask me later and click Next. Accept all the default settings from that point on.
Windows Defender will install itself, run an initial scan, and then sit quietly in the background.
Take control of your system’s autostart apps
Before I tell you how Defender controls which programs start automatically on your computer, you have to promise me that you won’t cut off any autostarting programs unless you have a good reason for doing so. It’s very easy to block a program that your system needs in order to run correctly.
Here’s how to open your list of autostarting programs:
- Step 1: Click Start, All Programs (Programs in XP), Windows Defender. You’ll see the Windows Defender main window.
- Step 2: Click Tools, Software Explorer. Windows Defender shows you a list of all the “Startup Programs” for the current user.
- Step 3: Click Show for All Users. In Vista, click through the User Account Control message.
If you’ve ever gone spelunking around Windows Defender’s Startup Programs list and found that you can’t remove or disable some of the items listed, chances are very good that you forgot to click the Show for All Users button.
Each time you change a program’s status, you have to reboot to make the change take effect. You can switch between disabling and enabling certain items, but if you remove something, it’s gone forever.
Apparently, the autostart classifications are set by Microsoft — if you disable or enable a program, its classification doesn’t change. Before you make any change in an autostart program’s status, enter the program’s name in Google or another search engine to find out what you’re dealing with. For instance, removing Windows Explorer isn’t a terribly good idea.
The right way to tweak Defender’s settings
While it’s possible to have Windows Defender check for and apply its program updates automatically, I tend to distrust any kind of automatic updating from Microsoft. That’s why I set Windows to notify me that Defender definition updates are available (a balloon appears over the Windows Defender icon in the system tray). When I want to check for the latest definitions manually, I click the down-wedge to the right of the question mark in the main Defender window and choose Check for updates.
You can schedule automatic full scans by clicking Tools, Options. If you want to see the results of those scans, click the History button on the Tools menu.
Windows Defender ties into a large database that Microsoft calls SpyNet. While the goals are noble (“to protect Windows, apple pie, and the American way,” or something along those lines), the simple fact is that enabling SpyNet allows Microsoft to keep a log of any (or all) of the Web sites that you visit. To check your SpyNet status in Defender, click Tools, Microsoft SpyNet.
As I wrote in my Apr. 24 column, Firefox 3 has a very effective notification method that doesn’t intrude on your privacy.
Other ways to block startup apps in Windows
Windows ships with a utility called System Configuration (AKA MSconfig) that can be used to view and manage your autostart programs. To open it in Vista, click Start, type msconfig, and press Enter. In XP, click Start, Run, type msconfig, and press Enter. In both versions, click the Startup tab.
MSconfig lists the same programs as Windows Defender, but Defender provides many more details about them. Defender is also much easier to use than MSconfig.
If you’re feeling geeky, download the ultimate autostarting program detector and manager: Microsoft’s AutoRuns for Windows. Mark Russinovich and Bryce Cogswell created this brilliant, incredibly thorough autostart detector. It’s complete overkill for all but the most avid autostarting ferret, however.
Woody Leonhard’s latest books — Windows Vista All-In-One Desk Reference For Dummies and Windows Vista Timesaving Techniques For Dummies — explore what you need to know about Vista in a way that won’t put you to sleep. He and Ed Bott also wrote the encyclopedic Special Edition Using Office 2007.
Free Windows security checker is flawed
By Ryan Russell
Windows has so many tweakable security settings that you need a checklist to avoid being overwhelmed. A free program from the Center for Internet Security attempts to test the security and configuration of Windows XP Pro, 2000, and Server 2003 machines automatically, but be aware of its weaknesses.
A new government standard for security
In the government-security field, there is an unending parade of acronyms. Now there’s the Extensible Configuration Checklist Description Format (XCCDF).
The quick explanation is that the NSA, NIST, and various other U.S. government agencies and partners developed a set of XML files intended to automatically evaluate a system and determine its compliance with a security policy defined by some of these same agencies.
The XML files are intended to replace the humans who currently have to check manually using paper checklists. The very long and complicated version of what’s going on can be found on the Cover Pages site.
Freebie gets only half the job done
An early attempt at implementing this kind of automatic security check for Windows XP Pro, 2000, Server 2003, and other Windows versions — as well as for Linux, Mac OS, and other popular operating systems — is available from the nonprofit Center for Internet Security (CIS). (Full disclosure: My employer sells a competing commercial product that checks PC security using the same government standards.)
Before you download and run CIS’s Benchmarks and Scoring Tools, you have to provide your e-mail address and other basic information. Carefully review the group’s privacy policy as you scroll down to the I accept and Submit buttons.
You’ll be offered a choice between downloading a JAVA PACKAGE or a NON-JAVA PACKAGE. Select the JAVA PACKAGE, which is bigger but works better than the non-Java option.
Run the installer. When it completes, browse to the program group it created on the Start menu and run the NG Scoring Tool GUI. For my XP Pro SP3 system, I chose the Windows XP Professional Benchmark with the SP2 Enterprise Desktop Standalone profile. (The benchmark doesn’t yet cover XP SP3 or Vista.)
Click the Score button. After a moment, you’ll be presented with a dialog that asks several questions about settings that the tool itself doesn’t know how to determine. The simplest approach is to choose Unknown for each question. After you work through that screen, the program produces a report. Back in the tool, click Benchmark Report to view the results in an HTML document.
Now for the fun part: interpreting the file.
Flawed scoring leads to questionable results
My system scored 57.038. Is that good? I have no way to answer that. More useful are the benchmark’s pass/fail items. The things you answered as Unknown are carried through to this report, and you can click them to get more info.
The explanatory links are brief and of limited use. For example, the explanation for why my PC failed 2.2.1.5 Audit Object Access stated what the item is for (to track which users access which objects) but gave me no pointers on how to fix the problem. This tool strictly reports; it offers no remedies.
CIS’s FAQ isn’t much help, either. Take item 3.4, for example. The question, in essence, is this: your security settings are actually more stringent than the standard, but you failed anyway. Why? Because in order to “pass,” you have to match the settings exactly. Yes, if the minimum password length is 8 characters and yours is 10, you fail.
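To see how much exact-match scoring distorts a result, here is an added example (not code from CIS or from the original column) that scores the same host two ways: by exact match, and by whether each setting is at least as strict as the baseline. The XML layout, rule names, and values are constructed for illustration and are not the real XCCDF schema.

```python
import xml.etree.ElementTree as ET

# Constructed checklist in a simplified layout; NOT the real XCCDF schema.
# "direction" says which way a value may drift and still be at least as strict.
CHECKLIST = """
<checklist>
  <rule id="min-password-length" expected="8" direction="at-least"/>
  <rule id="max-password-age-days" expected="90" direction="at-most"/>
  <rule id="account-lockout-threshold" expected="5" direction="at-most"/>
  <rule id="screen-saver-timeout-seconds" expected="900" direction="at-most"/>
</checklist>
"""

# Constructed settings for a hypothetical host; the screen-saver value is
# deliberately absent, like a question answered "Unknown".
OBSERVED = {
    "min-password-length": 10,
    "max-password-age-days": 60,
    "account-lockout-threshold": 10,
}

def exact_match(expected, actual, direction):
    """Scoring as the column describes it: anything but the exact value fails."""
    return actual == expected

def direction_aware(expected, actual, direction):
    """Pass when the setting is at least as strict as the baseline."""
    if direction == "at-least":
        return actual >= expected
    if direction == "at-most":
        return actual <= expected
    return actual == expected

def evaluate(checklist_xml, observed, compare):
    """Return {rule id: 'pass' | 'fail' | 'unknown'} for every rule."""
    results = {}
    for rule in ET.fromstring(checklist_xml).iter("rule"):
        rule_id = rule.get("id")
        if rule_id not in observed:
            results[rule_id] = "unknown"  # cannot be determined automatically
            continue
        ok = compare(int(rule.get("expected")), observed[rule_id], rule.get("direction"))
        results[rule_id] = "pass" if ok else "fail"
    return results

def stricter_but_failed(checklist_xml, observed):
    """Rules that fail only because the host is stricter than the baseline."""
    exact = evaluate(checklist_xml, observed, exact_match)
    aware = evaluate(checklist_xml, observed, direction_aware)
    return sorted(r for r in exact if exact[r] == "fail" and aware[r] == "pass")
```

Rules returned by `stricter_but_failed` are the ones worth excluding before treating a low score as a real weakness; the lockout threshold still fails either way because it is genuinely weaker than the baseline.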
Suffice it to say that I’m not impressed with this tool’s interface or with its inability to fix the problems it finds, a feature it just begs for.
Still, running this benchmark is simpler than doing a PC security check by hand. I’ll keep looking for a security checker that’s based on the same standards and helps you address the security holes it identifies. If you know of any such programs, please drop me a line via the Contact link below. (My thanks to reader Richard DeWald for requesting information about the CIS tool.)
Richard will receive a gift certificate for a book, CD, or DVD of his choice for sending us information on this topic. Send us your tips via the Windows Secrets contact page.
The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is Director of Information Security at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2023 AskWoody LLC, All rights reserved.