After spending years testing security products I've learned an important lesson. Don't get infected by malware.
In other words, put maximum effort into preventing infection rather than detecting and removing infection.
This statement may seem bland and unremarkable but there's more to it than you think.
The traditional way of adding additional protection
Many people protect their PC's by using multiple signature scanners based on anti-viruses, anti-spywares, anti-trojans and anti-rootkits.
It is not as secure as many people think and for most folks, the cost is too high and the additional protection afforded too little.
The cost here is not so much financial though that is an issue, but rather the serious impact adding many security layers can have on the performance of your PC.
There is also a cost in complexity. The more security programs you run the more chance they will either interfere with each other or with other programs.
Each additional layer you add increases your protection but by an incremental amount only. A good anti-virus program may offer 70% protection. Adding a good anti-spyware utility may increase this to 85%. The addition of an anti-trojan may take it to 90%.
This is because today's security products overlap in function much more than they used to. A modern anti-virus program will detect a lot of spyware while a modern spyware program will detect some viruses, worms and trojans as well.
Although the protection achieved only goes up incrementally with each layer added, the processing load on your PC will rise more or less in proportion to the number of layers. So adding an anti-spyware layer to your anti-virus layer will double the load on your PC. Adding in an anti-trojan as well may well triple it.
So folks, while layering is a good thing we are faced here with a law of diminishing returns.
But that's not the only problem with the traditional layering approach to protection. If an aggressive malware program is allowed to run on your PC it may disable all your layers of protection rendering them useless.
I've seen it happen many times and it is a frightening sight to see all your security program icons disappear from the system tray.
Thankfully some security programs resist termination by hostile agents but the majority don't. And even those that do resist may well prove vulnerable to new, more advanced termination methods yet to be developed by malware programmers.
My approach these days is simple: if you allow malware programs to run on your PC don't expect your security programs to fully protect you. If you are lucky they will but with security, you shouldn't rely on luck.
So how do you prevent infection?
Good Safe Computing Practices
- Ensure you keep Windows and MS Office (if you use it) completely up-to-date by applying the latest fixes from the Microsoft Update Service. Make sure the automatic update settings are Automatic (or at least not turned off).
- Make sure your other software products are also fully updated, particularly popular products like Firefox, Opera, Adobe Reader, Sun Java, Flash plug-ins and media players. The easiest way to do this is to use the free Secunia Personal Software Inspector.
- Switch to alternative programs. They can be better in functionality or lighter in resources than more popular programs, and are targeted less by malware writers. Using Firefox instead of Internet Explorer and Foxit Reader instead of Adobe Reader can greatly improve your security.
- Be careful where you surf. In particular stay away from sites offering commercial software serial numbers, keygens or other hacked material. Avoid accidentally wandering to hostile sites by installing WOT and AVG LinkScanner. These are free plugins that append site security ratings to search engine listings and sites.
- Never click on email attachments from untrusted sources however tempting and attractive such attachments may seem. Similarly, never click on links in email from unknown correspondents.
- Never install programs unless you are fully confident they are clean. In particular, only download files from trusted sources and never install programs that friends give you on removable media unless you have verified that they are clean by submitting them to free web based signature scanning services such asJotti or Virus Total.
- Make sure Windows Firewall is turned on. If you are running Vista, you can use the free Vista Firewall Control to enhance the security and usability. Firewalls with outbound protection can also be used, however, the added complexity is not suitable for beginners.
- Disable AutoRun with the free Panda USB Vaccine.
These measures can protect your PC from infection a great deal. However, sticking to these rules is not easy; it requires a level of discipline most users don't have. Who hasn't been tempted to open a funny PowerPoint email attachment or install a free game?
And it's not only a question of discipline. These days you can easily get infected simply by innocently surfing to a trusted web site that has been hacked or opening a "loaded" MS Office document. You need more protection than the basic security rules can provide.
Protection is better than cure
The best way to increase your level of protection is to make sure that if a malware program sneaks its way on to your PC that it is never allowed to run on your PC in a normal Windows environment.
A normal Windows environment is a user account with full administrator rights. It's probably what you are using right now as it is the default setup in all recent versions of Windows up to but excluding, Windows Vista.
There are many ways you can keep malware well away from your normal Windows account. Here are four:
1. Use a Windows limited user account for your daily work
2. Run all high risk programs with limited rights
3. Run all high risk programs with policy restrictions
4. Run all high risk programs in a sandbox or virtual machine
Each method has its pros and cons so let's look at them individually:
Option 1: Use a Windows limited user account for your daily work
Using a limited user account can be very effective in preventing malware infection as most malware products need full administrator rights to install themselves. In a limited account they just can't get a foothold.
It's easy to set up a limited user account. Just go the Control Panel, select User Accounts and create a new user account as a limited user. Then sign in to this account for your normal computer work rather than the account you are currently using.
Setting up a limited account may be easy but using it can be a real pain. For example you won't be able to install most programs. You won't be able to update others. You won't be able to access any part of the PC other than your own documents and the shared documents area. Heck, you won't even be able to change the system date!
Some folks can work with these limitations or work-around them by swapping to a full privilege administrator account when they need to install programs or do other more advanced tasks. Others use the Windows "Run as" command and similar utilities to temporarily elevate their privileges when needed.
Most users though, find using a limited account to be simply too awkward and inconvenient. Sure. their computer is safe but that's little comfort if their PC is only barely usable.
That said using a limited account is an excellent solution for advanced users prepared to tolerate the inconvenience or ordinary users with basic computer needs. If Granny never does anything but check her mail and browse to newspaper sites to read the headlines than setting her up with a limited account is a good way to go. Do expect phone calls though; one day even Granny is going to need to do something that requires administrator privileges.
Option 2: Run all high risk programs with limited rights
This is a more practical strategy. Run as a full administrator user but restrict the rights of all programs such as your browser and email client that can be sources of malware infection.
Getting this to work could be a complex business but thankfully there are some free utilities available that were written to perform this exact task.
The best known of these is DropMyRights. It allows users to easily create special versions of their browsers, email clients IM client, media player or other internet facing programs that run from a full administrator account but with the restricted rights of a Windows limited user.
It's a simple and neat solution that provides good protection from infection yet doesn't inconvenience the user in the same way as working from within a limited user account. I've written a practical guide to running programs using DropMyRights.
The approach however has some weaknesses perhaps the worst of which is downloaded files. Yes you are safe from infection while using a browser but if you run any files you download then you can easily be infected if those files contain embedded malware.
However, if you add Software Restriction Policies you restrict your computer even more so most malware will not be able to install. This guide has excellent instructions on how to set up Software Restriction Policies on your computer.
Option 3: Run all high risk programs with policy restrictions
GesWall free is an excellent option. It is similar to DropMyRights, but provides better security. GesWall works by restricting what your internet applications can do to your computer.
GesWall requires no user intervention (but advanced users can configure it for better security); it is truly set-it-and-forget-it. It does not restrict your usability (unlike using a Limited User Account) and is not as intrusive as Sandboxie.
Option 4: Run all high risk programs in a sandbox or virtual machine
The strange name "sandbox" derives from the Java world where it refers to the highly contained and restricted environment in which Java programs (applets) are allowed to run. They are allowed to "play in the sandbox" but not go outside it. The important point is that while running in the sandbox, the programs have no access to your real PC.
So it is with sandbox security programs. While browsing or engaging in any computer activity within the sandbox you are totally corralled off from your other parts of your PC. Any files you download are isolated to the sandbox. Similarly, any programs that are executed only do so within the sandbox and have no access to your normal files, the Windows operating system or indeed any other part of your PC.
That means that if you get infected by malware while using the sandbox your "real" computer is not affected. Furthermore you can close the sandbox and all that's within it is erased including any infections, leaving your real PC in a pristine state.
Sandboxing is a great security solution for preventing infection. There are also some excellent sandboxing programs around including my favorite, the donationware utility "Sandboxie." It is very light on resources, provides very strong protection and has a well-supported forum.
There are some downsides. Sandboxing creates a two-worlds view of your computer and this confuses some users. They could get it wrong and think they are surfing in the sandbox when they are not - and then it's possible to become infected. This confusion is particularly evident with downloaded files. Files in the sandbox are not really permanently on your computer unless you deliberately move them from the sandbox to your real PC. If you shut the sandbox without moving them they will be lost forever.
This two-worlds view is simply too confusing for some users. A confused user is an unsafe user.
Also, if users are not thinking, they could allow every alert, which would recover files to your real environment.
And like every single other security software, some malware can still break out of sandboxes.
There are other problems too. Sandboxing is only available for PCs running Windows 2000 and later. Furthermore sandboxing can create problems on some PCs. Indeed I've known PCs to seize up totally with a sandbox installed. Luckily though, this is not common.
Another option is Returnil Virtual System Personal Edition. It works by virtualising partitions (only the local drive). When you turn the protection on (this does not require a reboot), your whole partition is virtualised and all changes made to it are lost. When you want to turn the protection off you have to restart your PC. This sounds like a great idea and it is, but there are several drawbacks. One is that it is not very flexible, all your data will be lost too (unless you manually configure some files to be excluded, but this reduces the security). Another reason is that it can still be bypassed - recently there have been several well-publicized malware exploits which can bypass its protection.
Virtual machines such as VMWare, Microsoft's Virtual PC and Sun's VirtualBox are similar to sandboxing but take the idea one step further by completely separating the virtual machine from the real PC at a conceptual level. Rather than have a sandbox as part of your real PC you have a virtual PC that is notionally fully distinct from your PC.
This difference aside these virtualization models have a lot of similarities. Infections that are incurred in the virtual machine cannot affect the real PC. Similarly shutting down the virtual PC removes all trace of infection.
Unfortunately they also share the same user confusion: "Am I in my real PC or the virtual one?"
The greater separation provided by the virtual machine approach does offer a more robust security model than sandboxing but it comes at a cost. Virtual machines consume a lot of memory and have a fair degree of processing overhead compared to sandboxing. And moving between the real and virtual machines can be more awkward than with sandboxing. Like sandboxing virtualization can be troublesome on some PCs.
From a user's perspective sandboxing or partition virtualisation are more attractive options though IT professionals would probably prefer the greater flexibility and superior isolation offered by virtual machines.
Security wise all three offer excellent protection from malware infection. The protection is so good that disciplined users don't need any other security products to protect them.
What about on-demand scanning?
OK I've come out heavily against running multiple active security products but what about passive security products like on-demand scanners?
An on-demand scan is one you manually initiate. It may be an anti-virus scanner, an anti-spyware scanner, a rootkit detector or a keylogger scanner.
I'm all for on-demand scans as, unlike using products that employ active monitoring, they don't impose an on-going overhead on your computer. They only consume computer power while they are actually performing a scan.
Take for example a good anti-spyware scanner like the free version of SUPERAntiSpyware or the excellent free Panda Anti-rootkit detector. They consume no computer power unless you actually run the programs. And because they are not constantly running they are less inclined to cause any problems with other programs.
So by all means run on-demand scans periodically: weekly, monthly whatever. They are a good backstop to your anti-virus program.
Conclusion
When it comes to today's aggressive malware programs, preventing malware from ever getting on your PC is a better strategy than trying to intercept it when it tries to run.
Make sure to use a blend of different technologies and products when you use security software, not just signature scanners. Remember, absolutely no product provides 100% protection.
You can prevent malware getting on your PC by combining safe computing practices with other techniques such as reducing the privileges of high risk programs, policy restriction programs, sandboxing and the use of virtual machines.
Reducing the privileges of high risk programs is a simple workable solution for most users. Policy restrictions offer greater security and usability than reducing privileges, but can slow down your internet connection speed drastically. Sandboxing, virtualization and policy restrictions offer a more complete solution but are not entirely free of practical problems. For those who can work with these problems, sandboxing, other virtualization solutions and policy restrictions offer the best way currently available to prevent malware installing itself on your PC.
With these elements in place the only active security software you really need are an inbound firewall and any good anti-virus program. That said you can, indeed should, supplement these with periodic on-demand scans of your PC with a good anti-spyware product and a good rootkit detector. These on-demand products won't impose the on-going overhead you would incur with security software that uses active monitoring.
This set up provides better security than employing multiple layers of real-time signature scanners. Even better your PC will run much faster; a complete contrast to machines running multiple real-time security products.
None of this comes without cost. Defensive computing requires time and discipline. Users not prepared to put in the effort are advised to stay with a layering strategy using multiple security products.
For me, the days of running five or more active security software products on my PCs are over. So your Grandmother was right: An ounce of prevention is worth a pound of cure.
