How to secure your Windows machine.

A recent statistic I read stated that over 70% (SEVENTY PERCENT) of new infections come from surfing to legitimate sites that are infected. A recent case was the New York Times (full story here):

Here’s a front-page story the New York Times (NYT) would rather not be running: The paper is warning readers to be aware of bogus ads running on its Web site. The paper says “some readers” have seen unauthorized pop-up ads promoting antivirus software on NYTimes.com, and warns visitors who see the ad not to click on it but to restart their browsers instead. While the Times doesn’t spell this out, the newspaper has likely had its site hijacked by a “malware” scammer who is trying to trick visitors into installing pernicious software onto their hard drives

Thus, to get infected, it is perfectly enough to just hit your legitimate web sites. You do not have to browse to any questionable content anymore to get compromised.

In light of this, lots of people have been asking me what in my opinion is to reliably secure a Windows machine and protect it from the threats that are out there – viruses, worms, trojans, etc.

I recommend multiple layers of defense to be setup on a Windows machine. Below items are listed in order of importance, highest listed first.

1. Keep your Windows machine current with the latest patches.
Ensure that Windows Update is turned on and configured to automatically download and install patches. Make sure that when you put your machine into standby mode (instead of turning it off every day), that you pay attention to whether patches need to be installed and the machine need to be rebooted. I encounter a lot of installations that never get turned off, where the patches never get installed (although they are downloaded and ready to go).

2. Install a Anti-virus scanner.
This can be one of the big names out there: AVG (free), Norton, Trend Micro, McAfee. Get one of their package offerings that include phishing protection, link scanning, encrypted password storage. DO NOT BELIEVE that this is the only thing you need. Although they want to make you think that this is all you ever need, it is not true. Even the best AV scanners cannot keep up with the ever-changing strains of viruses that are out there (strains change hundreds or even thousands of times a day), therefore you need to have multiple layers of scanners to get a higher rate of protection.

Make sure that the ‘auto-protect’ features are turned on, i.e. the AV scanner runs ‘resident’ in memory. That means that live protection is turned on and viruses do not make it through.

IMPORTANT: YOU STILL NEED TO DO WEEKLY FULL SYSTEM SCANS.

Some people believe that they can leave auto-protect on but never scan their systems. The caveat with this is that auto-protect may miss a new strain of a virus and let it through. While the signatures get updated, auto-protect never detects it.

Therefore, a scan then may find it, but you need to make sure to run these scans.

Product-wise, I have been using Norton Internet Security for a long time, but I will let the license expire and try out a different AV scanner next year. Norton has disappointed me recently with the failure rate it has, i.e. viruses that do not get caught by it. Ideally, you use at least 2 different virus scanners, but this may get costly if you are looking to purchase solutions.

I am currently trying out the new Microsoft Essentials ‘AV and Malware’ scanner that was released on 9/30/09. I believe that AV and Malware protection should be free and included in a Operating System, but the MS AV scanner still may need some tuning to be comparable to any $$- solution.

3. Install a separate Malware scanner. This is important.

You NEED to have a backup scanner to whatever AV solution you are using. This increases the rate of detection and your total exposure significantly.

I recommend Malwarebytes’ Anti-Malware for this. It has worked well for me. There is a freeware and a commercial version for it. The major difference between the freeware and the paid version is that in the free version you have to run manual scans and it does not run in the background protecting you from new threats. I recommend you spend the $25 and purchase it. It is worth it. The interface is simple and structured in a no-nonsense kind of way, focusing on scanning, updating its database and showing you results of the last scans.

If you do not want to shell out the money to buy the full version, I recommend you use the Windows Task Scheduler to run this software daily to update the database and at least weekly to do a full scan of your system. It supports command-line arguments. Shoot me an email at info (AT) gansec.com if you want to have instructions on how to do that.

4. Install Secunia Personal Inspector to keep your applications up to date

Install Secunia PSI to keep your third party applications (Adobe PDF Reader, Flash Player, Shockwave, Real Audio Player, any other stuff you use besides Microsoft Software) current. It scans your system and matches it up with an always current database of new versions for the applications you use. It is an extremely handy tool that you will not want to miss once you get used to it. You would not believe how many third party applications can severely compromise your system security if exploits are used against vulnerabilities that they have (example). Secunia PSI is Freeware.

5. Install a firewall on your Windows machine.

This usually comes with Windows (Windows Firewall) or with one of the ‘Internet Suites’ of the commercial AV vendors. This is to block annoying connection attempts, Malware that tries to communicate outbound across other ports than your standard web port (80), potential inbound hacking attempts. Make sure it is enabled. When you first enable a firewall you may have to permit standard ports (e.g. outbound Web for iexplore.exe, firefox.exe, etc), but this will settle down after the initial turn-up. Yes, it is extra work, but you need to invest it.

6. Keep backups.

Keep backups of your Windows installation. You can burn the data on DVDs or external storage solutions. If you would like to look into external storage (especially important if you own a small business), I recommend Netgears’ ReadyNAS storage solution: About $1K for a fully redundant 1 TeraByte of storage. It is extremely trivial to setup (takes about 10 minutes to configure it to be ready for backups from the time you turn it on). Data will not be lost on this one.

These are 6 simple steps to get going on Windows Security. It takes some work to get there, but believe me, it beats the ‘man, my system is lost because of infections, I lost my documents, my bank account information got stolen and people write checks in my name via my Online-Banking access‘ by far.

– Sven Olensky.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: