Introduction
We have all been living in a world where we are sold security applications at every turn. We are told that our desktops need security protective applications to protect us from viruses, malware, adware, worms, and other malicious code that can wreak havoc if we don’t have the protection. However, if your company has been hit by the Conficker worm, Here You Are virus, or any other recent malicious code, you know first hand that this is not always the case. So, how can this behavior be controlled if anti-virus is not solving the problem?
Why anti-virus is not 100%
Anti-virus applications are based on a known list of applications that are known to be malicious. AV solutions can check for signatures of the file, Registry entries, file types, files existing, etc. This is done by looking for known issues that malicious code places on your computer. The AV application is only as good as the list of known issues it has to reference.
This is where AV fails. If there is a new malicious application or code, the AV application is not aware of it. So, viruses can spread before you know it and all of your computers can be infected within minutes, even though you have AV software running.
What good is AV software then?
AV software is useful, but not for what most people think it is useful for. AV applications are not all that good at ensuring viruses attack, but rather for ensuring there are no malicious applications on your computer. For example, I have run AV software on my computer where I store Cain, DumpSec, etc. These tools appear to AV software as malicious applications due to the nature of what the applications can do. So, AV software flags these applications and asks if I want to remove them.
AV software can also scan for signatures, files, file entries, Registry entries, etc. When malicious code “parks” itself on a computer, it might be doing no work at the time, but AV software will notice it and take action. However, you must keep the database of known issues up to date for AV to work.
If AV is not reliable, how do I protect my Computer?
Since AV software is not all that reliable for all malicious code and applications, you need to use additional solutions. My best recommendation is to remove local admin privileges for users. Nearly all malicious applications require local admin privileges to perform the “job”. So, the malicious code takes over the same privileges of the logged in user to do their work. If the user is a standard user, most applications will not be worth much just being stored on a computer.
Of course this is valid for computers that are run by standard users. Taking away local admin privileges from an administrator can be a daunting task. If you have computers that you want to protect where the user needs to have control can be solved in a few ways.
First, you can take away the local admin privileges initially by removing the user from the local administrators group. This will, of course, cause many things to fail. However, you can then come back in with either UAC (see below) or a third party elevation tool. Third party tools exist today which can have any user elevate any task to administrator, without the user being a local admin. This creates a secured desktop in many ways. First, since the user is a standard user, all tasks not requiring admin privileges will be run with limited privileges. When the user needs to run a process as administrator, a simple right-click… elevate solves the problem!
Second, you can enable user account control (UAC) for your Windows Vista and 7 desktops, and your Windows Server 2008 and Server 2008 R2 servers and domain controllers. UAC will ALWAYS catch when protected (system protected to administrators only) files and Registry values are being modified. As long as you enable UAC for both standard users and administrators, and have the administrators being prompted when these write attempts occur, you will always be notified of a virus writing to your system.
Third, you can use Virtual Machines to do testing and searching of the Web in a protected and isolated environment. Due to the way virtual machines can be isolated to just itself, this environment creates a safety barrier for searching the Web and running applications to test. When you then close the virtual computer, just don’t save changes so that you “start fresh” with the original environment you had before you even started the testing and searching. This will flush out all malicious code and applications that were placed there, as the malicious information is purged when the system is not saved.
Summary
AV is useful, but not for catching all malicious applications and code. AV is excellent for finding malicious applications on a computer, as long as the application is documented in the AV database. In order for your computer to be fully protected, you should remove all local admin privileges. This is easily done by taking the user out of the local administrators group. In addition, you should be running all versions of Windows that support UAC, which will prompt each time a write is attempted to any protected file or Registry value. Security is like a buffet line, you need to have different options to protect against all of the malicious code that can invade your computer.
