It goes without saying that
antivirus software can't catch everything. But does it catch 10% or 90% of the
malware targeted at Windows users?
In a recent user group presentation,
malware expert David Perry, of Comodo, said there are between
200,000 and 300,000 new viruses discovered every day (here "virus"
is a generic term encompassing dozens of types of malware). They are built from
kits and most circulate in the wild for a very short time, perhaps only a day.
In other words, by the time they are detected, they're often out of
circulation.
Typical reviews of antivirus
software use small samples, so their usefulness is questionable. For example, at
PC Magazine, Neil J. Rubenking tests with
" ... a dozen or more virtual machine test systems, each one pre-loaded
with three or four malware samples." Somewhere in the vicinity of 60
samples doesn't seem like much to judge with, given the volume of new malware
described above.
Statistics published by Brian Krebs
indicate that antivirus software detects about 25% of the most popular
malware currently being emailed to people.
The data comes from "computer
forensics and security management students at the University of Alabama at
Birmingham". They profiled the most popular email-based malware attacks in
the last month and, most interestingly, how well the 42 or so antivirus
programs employed by VirusTotal did at detecting the malware. Krebs
published the data as a PDF (recommended for
the live links) and as an image.
The initial detection of the
"password stealing and remote control Trojans" was not encouraging.
Krebs wrote:
The average detection rate for these
samples was 24.47 percent, while the median detection rate was just 19 percent.
This means that if you click a malicious link or open an attachment in one of
these emails, there is less than a one-in-five chance your antivirus software
will detect it as bad.
So, the answer to how effective
antivirus software is currently seems to be around 25%, at least against
fresh, email-borne malware.
In fairness, this is an average
across all the products at VirusTotal and some poor performers bring it down.
Still, in the last month alone two new malware samples were undetected by all
42 virus scanners and many were detected by only a handful of products.
In reviewing the figures, we noticed
that the number of days between the first report of a malware sample to
VirusTotal and the last one is often only a few days, reinforcing Perry's
observation about the extremely short lifespan of Windows malware. A scanner
that needs a day or two to add a signature has, in effect, already missed the
sample.
TWO DEFENSIVE STEPS
What to do?
This list of Defensive Computing steps is long. Brutally,
depressingly long.
That said, perhaps the two most
important things a Windows user can do are rarely, if ever, cited in stories
about malware. I attribute this to the way stories come into being: reporters
get their information from companies with a self-interest. Being a nerd rather
than a reporter, I instead suggest two things that are each free; things from
which only you profit.
1. Run as a restricted Windows user.
The concept is simple: restricted
users are walled off from the guts of the operating system. For example, they
can't create, modify or delete anything in the C:\Windows folder, install
device drivers or services, or touch another user's files. Put another way,
the operating system defends itself when a restricted user is logged on.
Malware may still run, and it can even persist inside that user's own profile
folder and registry hive, but it is prevented from installing itself into the
operating system, from disabling services such as the antivirus, and from
reaching the other accounts on the machine.
"Restricted" is the
concept. In Windows XP the term Microsoft uses is "limited." In
Windows 7, restricted users are referred to as "standard." Sadly,
administrator is the de facto standard, and the default, type of account on
Windows machines.
My scheme is to create two Windows
users, for example MichaelAdmin and MichaelRestricted. I log on as
MichaelRestricted normally and only log on as MichaelAdmin when necessary.
In Windows XP that was much more
necessary than in Windows 7, whose UAC prompt lets a restricted user type the
administrator's password for the rare task that needs it, without switching
sessions. In the last year or so of using Windows 7 daily, I have not needed to
log on as the administrator once. Both users share the same password.
This is not a perfect defense
against malware, nothing is. But you are much safer running as a
restricted user. The same goes for OS X and Linux, by the way.
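Here is what that scheme looks like in practice, as an added example that is not part of the original post. The PowerShell below reports whether the current session holds an administrator token, probes whether it can write into the Windows folder (the probe file name is an arbitrary choice made here), and then creates the two accounts named in the post with the built-in net.exe, which prompts for the password and exists on every Windows version from XP on. It assumes PowerShell is available and that the setup part is run from an elevated session.

```powershell
# Added example (not from the original post): which kind of user is this
# session, what does the "wall" around the system folder look like, and
# how to create the two-account scheme.

function Test-IsAdministratorSession {
    # True only when the current token is actually in the Administrators
    # role; with UAC on, an administrator's normal shell reports False.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-SystemFolderWritable {
    # Try to drop a file into C:\Windows. A restricted user gets
    # "access denied"; only an elevated administrator succeeds.
    # The probe file name is an arbitrary choice for this example.
    $probe = Join-Path $env:SystemRoot 'defensive-computing-probe.tmp'
    try {
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

$who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
"Logged on as $who"
"Administrator token present : $(Test-IsAdministratorSession)"
"Can write to $env:SystemRoot : $(Test-SystemFolderWritable)"

# One-time setup, run from an elevated session. "net user NAME *" prompts
# for the password, so nothing secret ends up in the command history.
# MichaelAdmin / MichaelRestricted are the account names used in the post.
if (Test-IsAdministratorSession) {
    net user MichaelAdmin * /add
    net localgroup Administrators MichaelAdmin /add
    net user MichaelRestricted * /add    # goes into Users only: a restricted account
} else {
    'Re-run from an administrator session to create the two accounts.'
}
```

With UAC enabled, even an administrator account's ordinary, non-elevated shell reports no administrator token; that is UAC's filtered token at work. It is a weaker protection than a genuine restricted account, because any prompt the user clicks through hands full rights back to the program that asked, whereas a restricted user has no rights to hand over.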
2. Always be skeptical.
If you are using an iPad and the
Bank of America app says it needs to be updated, you can be pretty sure that's
true. But on a Windows machine, when a window pops up claiming that Flash needs
an update, it's just as likely to be a scam as the real thing. The safe habit
is to ignore the pop-up and get the update from the program's own update menu
or the vendor's website. Windows users are lied to all the time and they need
to always keep that in the back of their mind.
Email users are also lied to all the
time, a problem not restricted to Windows. Anyone using email, even on a tablet
or smartphone, needs to always be conscious of the fact that it is
trivially simple to forge the FROM address of an email message.
That email from UPS about a package
that couldn't be delivered most likely did not come from UPS. The From line
proves nothing; if a message matters, go to the company's website yourself
instead of following the link or opening the attachment.
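To see what can actually be checked, here is an added example (not code from the original post) in PowerShell that reads a raw message and compares the domain in the From: header with two things the receiving mail server wrote into the message on its own: the envelope sender in Return-Path: and the SPF/DKIM verdict in Authentication-Results:. The two sample messages, along with every host name and address in them, are constructed for this example.

```powershell
# Added example (not from the original post): the From: line of an email
# is whatever the sender typed. Compare it with what the receiving mail
# server recorded: the envelope sender (Return-Path:) and its SPF/DKIM
# verdict (Authentication-Results:). Sample messages below are constructed.

function Get-HeaderValue {
    param([string]$RawMessage, [string]$Name)
    # Headers end at the first blank line. Folded continuation lines
    # start with a space or tab and belong to the header above them.
    $headerBlock = ($RawMessage -split "`r?`n`r?`n", 2)[0]
    $unfolded    = $headerBlock -replace "`r?`n[ \t]+", ' '
    $pattern     = '^' + [regex]::Escape($Name) + ':\s*(.*)$'
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match $pattern) { return $Matches[1].Trim() }
    }
    return ''
}

function Get-AddressDomain {
    param([string]$HeaderValue)
    # Accepts "Display Name <user@domain>" or a bare user@domain.
    if ($HeaderValue -match '@([A-Za-z0-9.-]+)') { return $Matches[1].ToLower() }
    return ''
}

function Test-SenderConsistency {
    param([string]$RawMessage)
    $fromDomain     = Get-AddressDomain (Get-HeaderValue $RawMessage 'From')
    $envelopeDomain = Get-AddressDomain (Get-HeaderValue $RawMessage 'Return-Path')
    $authResults    = Get-HeaderValue $RawMessage 'Authentication-Results'
    $spf  = if ($authResults -match '\bspf=(\w+)')  { $Matches[1] } else { 'absent' }
    $dkim = if ($authResults -match '\bdkim=(\w+)') { $Matches[1] } else { 'absent' }

    $reasons = @()
    if ($envelopeDomain -and $envelopeDomain -ne $fromDomain) {
        $reasons += "envelope sender domain '$envelopeDomain' differs from From: domain '$fromDomain'"
    }
    if ($spf -ne 'pass')  { $reasons += "spf=$spf" }
    if ($dkim -ne 'pass') { $reasons += "dkim=$dkim" }

    [pscustomobject]@{
        FromDomain     = $fromDomain
        EnvelopeDomain = $envelopeDomain
        Spf            = $spf
        Dkim           = $dkim
        Suspicious     = ($reasons.Count -gt 0)
        Reasons        = $reasons
    }
}

# Constructed sample: a forged "UPS" delivery-failure notice, with the
# headers the receiving server (mx.example.com) added at the top.
$forged = @'
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net ([203.0.113.7])
    by mx.example.com with ESMTP id 1A2B3C for <victim@example.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net;
    dkim=none
From: UPS Quantum View <auto-notify@ups.com>
To: victim@example.com
Subject: UPS package delivery failure notification

Your parcel could not be delivered. Open the attached invoice.
'@

# Constructed sample: a genuine notice from the same purported sender.
$genuine = @'
Return-Path: <auto-notify@ups.com>
Received: from outbound.ups.com ([198.51.100.5])
    by mx.example.com with ESMTP id 4D5E6F for <victim@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=ups.com;
    dkim=pass header.d=ups.com
From: UPS Quantum View <auto-notify@ups.com>
To: victim@example.com
Subject: Your shipment is on its way

Your shipment details are in your account on our website.
'@

Test-SenderConsistency $forged
Test-SenderConsistency $genuine
```

Viewing the raw headers is a menu item in most mail clients (typically "Show original" or "View source"). A mismatch between Return-Path and From is not proof of forgery by itself; newsletters and transactional mail sent through a third party often look that way legitimately, which is why the SPF and DKIM verdicts carry more weight. What the script cannot do is tell you a message is safe: a pass only means the mail really came from the domain in the From: line, and that domain could itself be a look-alike registered by the attacker.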
FINANCIAL TRANSACTIONS
So many defensive steps are required
of Windows users, that the safe assumption is no one does them all. Working
from this assumption, we suggest never doing financial transactions on a
Windows computer.
Anyone who doesn't think their
computer is infected, should consider another warning from Perry: malware is
frequently invisible and silent. Think Stuxnet and Flame.
Some alternatives to Windows are
- Boot a Windows computer to Linux running off a USB flash drive. Yes, CDs are safer (nothing can modify a read-only disc) but they are soooooo slow.
- Use a Chromebook, which runs a hardened version of Linux that automatically self-updates.
- Use an iPad/iPhone app from your financial institution. Just be careful which Wi-Fi networks you connect to.