Monday, September 01, 2008

what are anti-virus best practices?

i'll be blunt - some of this (maybe even all of it) is going to seem dead obvious... i'm sorry if this is old news to you, however it would appear that quite a number of otherwise smart people (be they security professionals or [ahem] rocket scientists) have decided either that av marketing is gospel and have thus been bitten by the ensuing false sense of security, or that av marketing should be trustworthy (even though the marketing for virtually every other product on the planet isn't) and became bitter and jaded because av failed to live up to the expectations that the marketing created...

just to be clear, this is going to be best practices for known-malware scanning (what most people consider to be the entirety of av)...

  1. use it - i don't just mean have it installed, i mean sit down and actually scan things (like files you download or removable media you insert into your computer) from time to time (and scanning the entire drive on an automated schedule doesn't count)... install and forget security is bullshit... you need to interact with the software, to learn what its alerts actually look like so you can distinguish them from fake alerts, and to become skilled in the actual use of the tool...

    some may say that's working for your security software instead of making it work for you and real people have real jobs to do, but it doesn't actually take much time or effort to scan incoming materials and both of those other concepts ('working for the software' and 'making it work for you') are nonsense... it's a tool, and like any tool you can only get out of it what you put into it... if you don't know how to use it properly then you ultimately won't do as good a job at protecting yourself with it as you might have otherwise... it's a poor craftsman who blames his tools...

  2. keep it up to date - known-malware scanners are only as good as the knowledge-base they embody... new malware is being created at a rather incredible rate and the only way to make known-malware scanners effective against that new malware is to update those scanners with 'knowledge' of that new malware...

    sure there are other types of anti-malware software that don't require such updates, but they also don't come with expert knowledge about known-malware built into them and so are of little diagnostic value when prevention inevitably fails... also, it's always easiest to prevent something bad if you 'know' specifically what to look for...

  3. quarantine first - don't trust the scanner to automatically delete things it thinks are bad... scanners make mistakes and you don't want to compound those mistakes by allowing the scanner to automagically delete critical files...

    trust the results enough to consider that the file(s) in question may be bad, but verify those results, and verify that it's safe to get rid of the file(s) before you actually do so... trust but verify...

  4. don't rely on it alone - just as you shouldn't place absolute trust in its results when it detects something you also shouldn't place absolute trust in it when it doesn't find anything... this is probably the best practice most directly in conflict with av marketing, and there are a number of people i really wish would stop listening to marketing and catch up because i learned of the benefits of using a multi-layered approach (what would be better known now as defense in depth) back in the early 90s thanks to the people who actually made (rather than marketed) this stuff...

    you need to use other types of anti-malware technology in conjunction with scanners (not just additional scanners) if for no other reason than because there will always be a window of time between when a new piece of malware is created and when an update for that malware is made available... in other words: if the malware's too new, a scanner won't do...

  5. scan from a known-clean environment - just as you shouldn't necessarily trust the scanner you also shouldn't trust an infected or even possibly infected machine... this likely won't seem intuitive since the av industry itself has for years been producing features and services that contradict this such as web based scanners or the ubiquitous scheduled system scan... in an effort to be less of an uncompromising s.o.b. let me say that those are features and services that are offered for convenience and shouldn't be solely relied upon as they do not replace outside-the-box scanning...

    you can't trust a compromised environment to accurately report its own integrity... the code that runs first wins and the only way to make sure malware doesn't run first is to operate in an environment where no code from the suspect system has run; not the operating system, not even the boot sectors...
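to make points 2, 3 and 4 concrete, here is a toy known-malware scanner... this is an added example, not code from the original post and not how any real av product is built... the 'knowledge base' is a set of sha-256 hashes of constructed byte strings (nothing here is real malware), the file and directory names are hypothetical, and the whole thing runs in a temporary directory... it shows the update window (a sample that isn't in the knowledge base scans 'clean' until the base is updated), and it quarantines instead of deleting, keeping a manifest so a verdict can be verified and a false positive restored...

```python
"""Toy known-malware scanner (constructed example, not the post's own code).

The signature database is a set of SHA-256 hashes of constructed byte
strings standing in for samples a vendor has already seen. Nothing here
is real malware; file names and paths are hypothetical.
"""
from __future__ import annotations

import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Constructed stand-ins for "known" samples (harmless byte strings).
KNOWN_BAD_BYTES = {
    "sample-a": b"CONSTRUCTED-SAMPLE-A",
    "sample-b": b"CONSTRUCTED-SAMPLE-B",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_signature_db(samples: dict[str, bytes]) -> dict[str, str]:
    """Knowledge base: hash -> detection name. It only knows what it was told."""
    return {sha256_bytes(blob): name for name, blob in samples.items()}


def scan_file(path: Path, sig_db: dict[str, str]) -> str | None:
    """Return the detection name if the file's hash is in the knowledge base, else None."""
    return sig_db.get(sha256_bytes(path.read_bytes()))


def quarantine(path: Path, detection: str, qdir: Path) -> dict:
    """Quarantine first: move the file (renamed, read-only) instead of deleting it,
    and record where it came from so the verdict can be checked and undone."""
    qdir.mkdir(parents=True, exist_ok=True)
    digest = sha256_bytes(path.read_bytes())
    dest = qdir / f"{digest}.quarantined"
    shutil.move(str(path), dest)
    os.chmod(dest, 0o400)
    entry = {"original_path": str(path), "sha256": digest, "detection": detection}
    with (qdir / "manifest.jsonl").open("a") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def restore(entry: dict, qdir: Path) -> Path:
    """Undo a quarantine after verification showed the detection was a false positive."""
    src = qdir / f"{entry['sha256']}.quarantined"
    dest = Path(entry["original_path"])
    shutil.move(str(src), dest)
    return dest


def scan_directory(root: Path, sig_db: dict[str, str], qdir: Path) -> dict[str, str]:
    """Scan every file under root, quarantine detections, report a verdict per file."""
    results = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        detection = scan_file(path, sig_db)
        if detection:
            quarantine(path, detection, qdir)
        results[path.name] = detection or "clean"
    return results


def demo() -> dict:
    """Run two scans around a knowledge-base update and show the update window."""
    work = Path(tempfile.mkdtemp())
    incoming = work / "incoming"   # hypothetical download folder
    incoming.mkdir()
    qdir = work / "quarantine"
    (incoming / "a.bin").write_bytes(KNOWN_BAD_BYTES["sample-a"])
    (incoming / "new.bin").write_bytes(b"CONSTRUCTED-SAMPLE-NEW")  # "too new" sample
    (incoming / "doc.txt").write_bytes(b"harmless text")

    first = scan_directory(incoming, build_signature_db(KNOWN_BAD_BYTES), qdir)

    # The vendor "update": the knowledge base now includes the new sample.
    updated = dict(KNOWN_BAD_BYTES, **{"sample-new": b"CONSTRUCTED-SAMPLE-NEW"})
    second = scan_directory(incoming, build_signature_db(updated), qdir)

    manifest = [json.loads(line) for line in (qdir / "manifest.jsonl").read_text().splitlines()]
    # Verification decided the first detection was wrong: restore it rather than having lost it.
    restored = restore(manifest[0], qdir)
    return {
        "first": first,
        "second": second,
        "quarantined": len(manifest),
        "restored_ok": restored.read_bytes() == KNOWN_BAD_BYTES["sample-a"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

the first scan flags a.bin and quarantines it, but new.bin comes back 'clean' because nothing in the knowledge base matches it... only after the update does the second scan catch it, which is the window point 4 is about... and because a.bin was moved rather than deleted, the manifest lets you put it back once you've verified the verdict was wrong...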


now, hopefully, most or all those smart people who i know are familiar with the concept of best practices will modify their expectations and stop listening to those marketing departments that are filling their heads with lies... (stop. listening. to marketing!)

2 comments:

Unknown said...

This was an informative post. Kinda got a story to illustrate one of the points about getting your protection on early.

Now, at work I recently got this really bad virus on my work computer when I hit a website from google - adware.virtumonde - which was really bad. The computer had Norton installed and updated, but it did nothing. This virus takes over your browsers, changes the home page, takes control of your desktop.

At home I had Cyberdefender installed, and paid for the upgrade since I liked it. At work I downloaded the free version of cyberdefender and installed it, and got the BSOD and it would not run or install.

I contacted cyberdefender (thank God I had the upgrade which comes with 24/7 tech support) and they told me that some viruses will shut the system down if you try to install certain anti-virus software. They helped me get the system up and running, and a day later they released a new update that takes care of the adware.virtumonde virus!!!

On my son's system at home, my son hit a website that also had the same damn virus, and since it was just before Cyberdefender put out the Adware.virtumonde update, it crashed the system. The difference was that I was able to run cyberdefender and update it, then clean the virus off the system.

Now I don't know what other programs this virus blocks from installing or running, but this is a good example why you should have your anti-virus on your systems before you get a virus.

kurt wismer said...

while it does seem to point that way in the example of your son's computer, i think on the whole this is also an example of why you should not rely 100% on just anti-virus... both your work computer and your son's computer had anti-virus and both got compromised by the adware - the fact that you were able to get it off of one of them is fortuitous but you may not be so lucky next time, and really the ideal scenario is to stop the malware from getting its hooks into your system in the first place...

i'd like you to consider adding a layer to the security of these systems... in the case you've illustrated, the attack vector is the internet - it might be a good idea to try to sandbox your internet-facing software like your browser and email client... i can't say what (if any) sandbox would be right for you but i can point you towards the wilders security forums (http://www.wilderssecurity.com) where there are people who know a lot about a wide variety of different sandbox (and other security) software...