Best malware defense?

Posting this from my office because my computer recently was invaded by a “Malware blocking” program, purporting to be straight from Microsoft (it has the XP logo) but isn’t, which allows me to access no Internet sites at all until I buy their software to clean my system from and guard against malware. I took my computer to my brother the engineer to fix it.

Now, this is after I swapped my old computer for my Dad’s slightly-less-old computer. Although I previously subscribed to Norton Symantec antiviral software, I have not yet loaded it onto the (to me) new computer, so that defense was not in place. I have emailed Norton and got a new product key number to do that, once I get it back.

But, my brother says that is not sufficient. To prevent this kind of thing from happening again, I must stick with surfing trusted, commercial websites and avoid any . . . ahem . . . other kinds of sites. :o Is that strictly necessary?! :frowning: Is there any package specifically designed, and effective, for defense against even the most cutting-edge malware? I mean, let’s bear in mind what the Internet is for!

Norton sucks. Don’t go there, unless you want your machine to operate as fast as molasses in winter.

AVG antivirus (free version), SpyBot Search and Destroy (free) and MalwareBytes (free version) are all that I have on my machines at home. Most of the time none of them run in the background. I do run them once a week. The most they ever catch in the past two years have been minor, dubious internet/web tracking thingies. No viruses. Of course, we don’t frequent places online that are often dark and gloomy, with a light mist in the air and where your feet stick to everything as you walk. Well, my wife doesn’t.

How to protect your computer from malware

I want to note that there are three different threads in GQ on this at the moment (and another in ATMB), all describing the Defender/FakeAV virus. None of the typical recommendations for malware are effective against it.

While the impulse to suggest those standard remedies is laudable, they aren’t really helpful. This virus is resistant to most common malware/spyware programs, and launches itself even after you reboot into safe mode.

Mods, I’d like to recommend merging the threads into one, and perhaps inviting actual answers to help people, rather than just the standard steps for dealing with viruses.

The GQ sticky was updated today with the following note:

Note: If you see a fake “anti-virus” prompt, do not click anywhere on the screen. Just turn off your computer and follow these instructions.

If this step is followed, you will not get infected with the fake antivirus in the first place. However, if you have already clicked and infected your system, the steps in the GQ sticky will clean your computer. If Spybot, SuperAntispyware and Malware Bytes cannot detect or remove the fake antivirus, HijackThis most certainly will detect it, and posting your logs to a computer forum (as per the instructions in the GQ sticky) will give you specific instructions on how to clean this fake anti-virus from your system.

That said, I appreciate your feedback. If you know of a specific tool (or steps) that successfully cleans this fake anti-virus infection, please let me know and I’ll update the GQ sticky with it.

Note that anyone who followed the steps in the GQ sticky prior to encountering the fake anti-virus will not get infected in the first place, because their system will detect the fake anti-virus and not allow it to infect the computer to begin with.

Therefore, I request anyone reading these threads, whether infected or not, to follow the steps in the GQ sticky.

ETA: anson2995, based on your feedback, I have now updated the GQ sticky with specific instructions on how to clean the fake “anti-virus” infections. Thanks.

Assuming you are using XP, you can make a user account (not an admin) to use for your everyday account and use an administrator account (or runas) to install software and updates. Just make a user, set him to be “limited account,” and start using it. Log in as administrator (or your old account) to do updates and installs.

Your limited user account will not have the privileges to damage your installation, so even if you run some malware, it won’t be able to damage the system part of your OS, just your user profile.

You also need to keep Flash updated. It’s one of the biggest vectors for malware. Adobe Reader is also notorious for exploits. You should remove it and switch to FoxIt reader. If you are not willing to do this then go into Preferences and click on Javascript and set to “disable Javascript.”

You can also run Microsoft’s Security Essentials, which is a free antivirus which will never expire.

Those steps will give you a more or less bulletproof machine.

My experience has been that you need multiple pieces of software to defend against malware and fortunately they’re free. Using a combination of Ad-Aware, Spybot, and Malwarebyte’s Anti-Malware has worked for me. But the best defense against malware is to not go poking around questionable websites and definitely don’t click or open anything you’re not absolutely sure is safe.

Here we have the ultimate answer.

Turning off the computer involves clicking (which you say not to do) on the start button. Unless by “anywhere on the screen” you mean anywhere on the fake prompt?

Isn’t there any other way to safely neutralize the pop-up, like alt+f4 or right-clicking on its task bar appearance?

The first thing to do when you install any antivirus is to try to download the EICAR test file. This will set off your antivirus (it’s harmless). When it does, take a look at the screen that displays. That is the standard warning for your antivirus. Memorize it. Anything that doesn’t look like that is a fake.

When you do get a fake alert popup, do this:

  1. Press Ctrl-Alt-Delete and bring up the task manager.
  2. Click an instance of your web browser (under applications).
  3. Click on “End Task”
  4. Repeat steps 2 and 3 for all tasks with your web browser name.

This will prevent infection (or, at least, prevent an infection that won’t clean up easily with Malwarebytes). Run Malwarebytes afterwards as a precaution.

You’re also generally safe if you close the popup window, too – you need to actually download the malware to get infected. Again, run Malwarebytes when you are done.

As for antivirus, I’d recommend Microsoft Security Essentials for first-class protection and few performance issues. AVG was once excellent, but it’s become top heavy and not as good as MSE, or things like Avira (formerly Antivir) or Avast!

I’d also recommend installing Threatfire, which works with other antivirus to provide extra protection and some sort of registry protector.

I use Linux for surfing the web and so should you. No malware, no virus, and no cost. What flavor of Linux is up to you, but just to be safe, do not be surfing as root; that would just be silly.

Crap old advice. Now you can get attacked by Malware from trusted sites, such as Snopes. That being said, clearly cheesy sites are more dangerous.

Kaspersky is apparently the best defense, but it ain’t cheap.

In any case, you need to make sure you have automatic updates.

I don’t agree with that. I think that virtually all the anti-virus programs out there are crap since they are all reactionary. Kaspersky isn’t going to save you if those rogue programmers refactor their code a bit. Anti-virus programs always play catch up.

The best defense is not to run as the admin and to restrict all executables from running, except those explicitly installed with the admin password, using the Software Restriction Policy in Windows. That will do orders of magnitude more to prevent infections than an anti-virus program.

Kaspersky is the only AV program I’ve ever been willing to pay retail for. It really is head and shoulders above the rest IMO.

[1] First off, it appears there are quite a number of people that are getting this fake “XP Internet Security 2010” program on their computer. You guys are asking how to get rid of it when the real question you should be asking is why you got it on your computer in the first place.

Looking at various posts on the net, “XP Internet Security 2010” is NOT A VIRUS. It is a rogue program. This means that it cannot automatically install on your computer without you actually giving it permission to run. In my experience, it is usually the person in front of the computer that’s at fault for downloading and running these rogue programs because they don’t know any better. I know because I’m the family IT guy and I’m also a programmer. If you are really, really, really, really sure that you were “infected” at no fault of your own, I would like to hear about it.

The best overview of this rogue program is at How to remove XP Security Tool 2010, XP Defender Pro, and Vista Security Tool 2010 (Uninstall Guide)

[2] Now, onto the question of the “best malware defense”. I would like to say as a computer security enthusiast, that once you’ve had untrusted code run on your computer, it is best to nuke it from orbit with a reinstall of your operating system. There is an easy way and a hard way of reinstalling your operating system.

The hard way is to manually reinstall Windows and all your programs every time you think you’ve been infected with something. The easy way is if you made an image of your hard drive immediately after you installed your operating system and favorite programs, using a tool such as Drive Image XML (free):

With Drive Image XML, you store a fresh copy of your operating system on an external backup hard drive and when you think you’ve been infected, you just boot up from the external hard drive and your computer is quickly restored to when you first installed everything. A full restore will take on the order of 15 minutes compared to hours you could be spending trying to reinstall everything from scratch. The external hard drive will cost you about $50-$100 at your local computer store and can also be used to back up your data.

[3] Now, onto the subject of anti-virus programs. The important thing about anti-virus programs is to only choose ONE of them and let it update itself. Anti-virus programs should be install-and-forget. Don’t go overboard by installing multiple anti-virus programs; that borders on paranoia and there are better ways to spend your time PREVENTING bad things from happening. On Windows, without a doubt, the best anti-virus program is Microsoft Security Essentials (free):

Install it and let it do its thing. Forget it is even there. Oh yeah, LEAVE AUTOMATIC UPDATES ON. DON’T FREAKING TURN IT OFF. You NEED updates for Windows and Microsoft Security Essentials updates itself through automatic updates.

[4] Now, for the most effective way of preventing unwanted “infections”: Changing your habits. On Windows, NEVER EVER RUN AS THE ADMINISTRATOR UNLESS YOU ARE DOING SYSTEM MAINTENANCE. Always run as the limited/standard user. If you don’t know what I just said, you are most likely running as the administrator with full privileges over your computer and I recommend you get someone to show you how to run as a limited/standard user.

[5] Upgrade to Windows Vista/7 for a better security architecture. Did you know XP is 10 years old? That’s ancient and software security has greatly advanced since then. Windows Vista/7 has UAC, which is a GREAT feature, no matter what your run of the mill techy friend might tell you. If they tell you to turn UAC off, I say get a new techy friend because he/she is not competent with computer security. Vista/7 also has other features like more thorough DEP, ASLR, and kernel patch guard.

[6] I recommend you get the Professional version of Vista/7 if at all possible because it has a great feature called the Software Restriction Policy. This means that if you are an idiot, you can get a techy friend to set up your computer where you cannot run any programs other than the ones that are protected and installed with the administrator password. I can’t stress how absolutely GREAT THIS FEATURE IS! It’s one of the ways of making a computer idiot proof.
[7] Keep your non-Microsoft programs updated with the Secunia Personal Software Inspector: About Secunia Research | Flexera This program scans your computer and provides you with a list of required updates. It is highly regarded by security enthusiasts.
[8] If you pirate programs, may God help you.
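The two controls pushed hardest in this thread are running as a limited user and a Software Restriction Policy that disallows everything not explicitly allowed (see the post above and [4]/[6] in this one). The following PowerShell audit is an added example, not any poster’s code; it assumes the documented SRP registry location under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, and the GUID-named rule subkeys differ from machine to machine.

```powershell
# Added example, not from this thread: report whether this session is an
# administrator and whether SRP is set to a default-deny whitelist.
# Assumption: SRP settings live under the documented CodeIdentifiers key.

function Test-IsAdminSession {
    # True when the current token carries the Administrators role. Under UAC a
    # non-elevated admin session reports $false, which is the safe state.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-SrpStatus {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) {
        return New-Object PSObject -Property @{ Configured = $false; DefaultLevel = $null; PathRules = @() }
    }
    # DefaultLevel DWORD: 0 = Disallowed, 0x1000 = Basic User, 0x40000 = Unrestricted
    $levelNames = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }
    $cfg = Get-ItemProperty -Path $base
    # Path rules sit under <level>\Paths\{GUID}, each with an ItemData value
    $rules = foreach ($levelKey in Get-ChildItem -Path $base | Where-Object { $_.PSChildName -match '^\d+$' }) {
        $paths = Join-Path $levelKey.PSPath 'Paths'
        if (Test-Path $paths) {
            foreach ($rule in Get-ChildItem -Path $paths) {
                New-Object PSObject -Property @{
                    Level = $levelNames[[int]$levelKey.PSChildName]
                    Path  = (Get-ItemProperty -Path $rule.PSPath).ItemData
                }
            }
        }
    }
    New-Object PSObject -Property @{
        Configured   = $true
        DefaultLevel = $levelNames[[int]$cfg.DefaultLevel]
        PathRules    = @($rules)
    }
}

if (Test-IsAdminSession) { Write-Warning 'This session has administrator rights; use a limited account for everyday work.' }
else { 'OK: running as a limited/standard user.' }

$srp = Get-SrpStatus
if (-not $srp.Configured) { Write-Warning 'No Software Restriction Policy is configured.' }
elseif ($srp.DefaultLevel -ne 'Disallowed') { Write-Warning "SRP default level is '$($srp.DefaultLevel)'; a whitelist needs 'Disallowed'." }
else { 'OK: SRP default is Disallowed. Allowed paths:'; $srp.PathRules | Format-Table Level, Path -AutoSize }
```

Run it from the everyday account, not an elevated prompt, so the first check reflects what a browser launched from that account would actually get.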

Just wanted to point out that many of the pop-ups include their own ‘X’ (Windows’ close-this-window button) so be extra careful about closing those pop-ups. Best bet is to always follow the End Task sequence (or close windows via the task bar).

Also, if an unexpected prompt appears, don’t assume that ‘Cancel’ or ‘No’ means anything different than an ‘OK’ or ‘Yes’ … websites can still trigger an action from those button presses!

I use Avast myself. It’s free and works pretty good and isn’t a resource hog. I’ve noticed a lot more web sites are infected than used to be the case. When Avast popped up a virus warning for the New York Times recently, I assumed it was a mistake, but then it was in the news the next day. Apparently one of their ad suppliers accepted the wrong ad.

http://news.cnet.com/8301-1009_3-10351460-83.html

Here is a review of Avast:

http://download.cnet.com/Avast-Free-Antivirus/3000-2239_4-10019223.html

With all due respect, this is the sort of glib answer that is particularly not helpful. This virus is spread through ad networks, so people get it from visiting legitimate sites like the wikia, the NY Times, and even this website.

Also, as others have pointed out, this particular virus is deceptive because clicking on the cancel button or the close window “X” actually launches the infection agent. Because the pop-up is designed to look like Windows Defender or other security software, folks are often fooled into thinking they’re clicking on a program they’ve actually got installed.

I just went through using the site mentioned in ATMB (link to thread). And, even though everything you say is true, every time I got a legitimate download alert asking if I really wanted to install the program. I tried in both Firefox and IE. This would imply that, at some point, you had to have clicked Save or Open.

I was surprised. I expected that it had somehow gotten around that. Because that’s the main defense. Anytime a website tries to download a file to your computer, you should click Cancel in that dialog box. Only if you specifically initiated the download should you ever allow something to download.

I also wanted to comment on Wordy’s post. You already covered how I was going to reply to [1], so I’ll just cover the rest. I’m going to go a bit out of order.

[3] I thought I remembered Avira Antivir (mentioned in Xash’s computer sticky) being the antivirus that tested the best. And it also has the benefit of not being used by everybody, so you’re less likely to see a fake warning that actually looks like it.

[2] You’re right that reinstalling Windows (or restoring a hard drive image backup) every time you get an infection is the most sure way to make sure you are not infected, but there’s a similar solution that is a bit less of a headache. You can just run your web browser (and any other problematic software) in a sandbox.

A sandbox is a way to trap programs and keep them from writing directly to the harddrive. You have to explicitly allow it, otherwise the changes can be just wiped out. This is similar in that it keeps your malware from touching your main copy of your harddrive. It is different in that the main copy is not the backup you made. It also means that, if you’ve worked on a file between your last backup and the infection, you can actually keep that file.

[5]&[6] But this is the main thing I wanted to address. Not everyone who is still using XP has the money or the hardware to go out and get Windows 7. A lot of computers are barely chugging with XP. And even those people with Win7 or Vista may not have gotten Pro versions, and lack funds to upgrade.

A solution for those people is a program that covers both UAC and SRP: SuRun. It’s pretty easy to use. It’s much easier than SRP.

You are correct; however, I want to state again that the way this particular virus works is intentionally deceptive. A pop-up window is displayed (prompted by a nefarious ad on a web site). This won’t trigger most AV software.

The pop up window looks like Windows Defender, or some other legitimate security software such as Norton or AVG. The pop-up window is pretending to give you an alert that a virus has been detected, and prompting you to take action by first scanning your system and then downloading updated virus definitions. The reason that this has been so effective, even among educated users, is that it is virtually indistinguishable from what actually happens when a virus is detected.

It seems to me that it has been more effective at spreading to folks who are security conscious. Which is what makes this particularly insidious.