Viruses, worms, Trojans, rootkits, spyware, keyloggers and so on are all part of a class of software called "malware", short for "malicious software": software that is used to harm computer users. It has a wide range of capabilities that include:
- disrupting computer operation
- gathering sensitive information
- impersonating a user to send spam or fake messages
- gaining access to private computer systems
The majority of malware is criminal and is most often used to obtain banking information or login credentials for email or social media accounts. Governments, law enforcement agencies, and even private citizens use malware to circumvent encryption and to spy on users. With malware, an adversary can record from a webcam and microphone, disable the notification setting for certain antivirus programs, record keystrokes, copy emails and other documents, steal passwords, and more.
How Can an Adversary Use Malware to Target Me?
The best way to deal with a malware attack is to avoid getting infected in the first place. But that might be difficult if your adversary has access to zero day exploits—attacks that exploit a previously-unknown vulnerability in a computer application. Think of your computer as a fortress; a zero day would be a hidden secret entrance that you do not know about, but which your adversary has discovered. You cannot protect yourself against a secret entrance you don’t know exists. Governments and law enforcement agencies stockpile zero day exploits for use in targeted malware attacks. Criminals and other actors may also have access to zero day exploits that they could use to covertly install malware on your computer. But zero day exploits are expensive to buy and costly to re-use (once you use the secret entrance to break into the fortress, it increases the chances that other people may find it). It is much more common for an attacker to trick you into installing the malware yourself.
There are many ways in which an attacker might try to trick you into installing malware on your computer. They may disguise the payload as a link to a website, a document, PDF, or even a program designed to help secure your computer. You may be targeted via email (which may look as if it’s coming from someone you know), via a message on Skype or Twitter, or even via a link posted to your Facebook page. The more targeted the attack, the more care the attacker will take in making it tempting for you to download the malware.
For example, in Lebanon, hackers targeted civilians with malware that was hidden in fake, trojanized versions of secure communication tools such as Signal and WhatsApp. Tibetan activists were targeted with malware hidden in a PDF file that was maliciously made to look as if it had been sent by another Tibetan activist.
So How Do I Protect Myself Against Malware?
The AV problem
Anti-virus software is big business. Companies started out protecting vulnerable operating system and browser code, but we may have reached the point where vulnerable anti-virus software is doing more harm than good.
Issues that have been debated in back rooms became very public last November when Google Chrome security expert Justin Schuh launched a tweetstorm against renowned Bulgarian AV expert, Vesselin Bontchev. Schuh tweeted: “You misunderstand your own ignorance. AV is my single biggest impediment to shipping a secure browser.”
The gist of Schuh’s many complaints was that AV programs messed up the security of other programs while being written insecurely themselves. He tweeted: “You ignore all security best practice, piling dodgy format parsing and other unsafe code into the kernel. I expect it’s possible to make an AV that isn’t more harm than good, but none of you are even trying.”
In January, former Firefox developer Robert O’Callahan chimed in with a confirmatory blog post, Disable Your Antivirus Software (Except Microsoft’s).
Normally, programmers won’t talk about these problems, because they need the AV supplier’s cooperation when AV cripples or crashes their software. And they can’t tell users to turn off their AV, because they’ll be blamed if something bad happens. That leaves one alternative. As Schuh tweeted a few days later: “Browser makers don’t complain about Microsoft Defender because we have tons of empirical data showing that it’s the only well behaved AV.”
Google's Project Zero found 25 high-severity bugs in Symantec/Norton security products. "These vulnerabilities are as bad as it gets," said Tavis Ormandy, a Project Zero researcher. "They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption." Over the past five years, Ormandy has found similar vulnerabilities in security software from Kaspersky, McAfee, Eset, Comodo, Trend Micro, and others.
Antivirus software is so ingrained with Windows users, and synonymous with the concept of "good security," that software makers have their hands tied. "When your product crashes on startup due to AV interference, users blame your product, not AV," O'Callahan says. "Worse still, if they make your product incredibly slow and bloated, users just think that's how your product is ... You can't tell users to turn off AV software because if anything bad were to happen that the AV software might have prevented, you'll catch the blame."
Moreover, for heavy tech users the disadvantages of anti-virus far outweigh the advantages.
Disclaimer: I’m not responsible for any damages or injury, including but not limited to special or consequential damages, that result from your use of these instructions.
Unfortunately, it's not so simple. It happens every time: simplistic advice dispensed for arbitrary security problems. "Use a VPN and you will be safe from 99% of online threats!" "Don't use AV!" etc. I see and hear this all the time, and it becomes disturbing after a certain point.
We have to go back to the basics: threat modelling 101. Before you take any action with regards to security, figure out:
1) What are you trying to protect?
2) Who are you protecting it from? Who is the potential adversary?
3) What methods, tools, techniques and procedures (TTPs) does your adversary typically use?
Once you have answered these questions, you have a much better idea of which tools to use or not use, and why.
On the specific issue at hand: anti-virus is a massive attack surface when it comes to targeted attacks (it processes untrusted, malicious input without any sort of sandboxing, breaks memory corruption mitigations, etc.). However, if targeted attacks are not a concern, then you probably don't need to worry too much: the AV ecosystem is so diverse that it is simply not worth developing exploits for arbitrary AV products; phishing or IE and Flash exploits still offer a much better ROI. In practice, AV exploits just aren't used to drop malware; on the other hand, users unwittingly downloading malware that is then stopped by AV happens regularly.
I personally don't use any AV product, nor am I advocating for AV. With that said, if you are not on Windows 10, are mistake-prone, run a business, or have other reasons for wanting better protection, there is still a place for anti-malware programs.
How to run a secure version of Windows
Run a hardened version of Windows 10 with Windows Defender, the SmartScreen filter, cloud-based protection, the Windows firewall, heuristics and basic telemetry (which is largely security related) all turned on. Also consider using third-party DNS services that provide a content filter, along with DNSCrypt.
For advanced users, see Simplewall, a simple tool to configure the Windows Filtering Platform (WFP). If you use it, be sure to turn off the Windows firewall; otherwise everything will need to go through two walls.
Use Windows as a standard user, not as an administrator. (MacOS and Linux users already do this.) Running as a standard user may eliminate 90% of threats.
Make sure Windows and all your PC’s software is updated. Most malware exploits security holes that have already been patched, sometimes several years earlier. For maximum security don't use Edge or IE; use a hardened version of Firefox with multiple profiles, or a Chromium-based browser such as Brave.
Also make sure you have good backups of all your personal data. In addition to normal PC backups, I use third-party software to copy my main data folders to an external hard drive every day, and this gets backed up later to a second external HD (for redundancy). Blu-rays are another good option, because they can’t be encrypted by ransomware.
Don't forget to scan your computer periodically. Microsoft does this with its MSRT (Malicious Software Removal Tool) before installing major updates. On-demand scanners we recommend are Malwarebytes Antimalware, Hitman Pro, Emsisoft Emergency Kit, ESET Online Scanner and HerdProtect. Pick and use a minimum of 3 of those mentioned (in case one of them misses something).
And remember that Windows 10 provides good refresh, reset and recovery options. If those don’t do what you want, be prepared to wipe your hard drive and reinstall Windows 10 from scratch, either from a DVD or a thumb drive.
The above is suited for 99.99% of users, myself included, but as mentioned, if you have special requirements then have a look below for more options. Security isn’t about the software you use. It begins with understanding the unique threats you face and how you can counter those threats. Otherwise it's a waste of money: you're essentially paying for bloatware and, coincidentally, making yourself a bigger target for attack, so make sure you assess your threat model.
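As an added example (not code from the original page), here is a read-only PowerShell audit that reports whether the protections the steps above ask you to keep on are actually on: Defender real-time and cloud protection, the firewall on every profile, SmartScreen, whether the current session is a standard user, and the date of the last installed update. It assumes Windows 10 with the built-in Defender and NetSecurity PowerShell modules; the SmartScreen registry location is the standard Windows one and is not taken from the page.

```powershell
# Added audit script: reads the state of the Windows 10 protections described
# above and reports it. It changes nothing. Assumes Windows 10 with the
# Defender and NetSecurity modules available (both ship with the OS).

$report = [ordered]@{}

# Defender real-time protection, signature age and cloud-based protection (MAPS).
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$report['Defender real-time protection']  = $status.RealTimeProtectionEnabled
$report['Defender signature age (days)']  = $status.AntivirusSignatureAge
# MAPSReporting: 0 = off, 1 = basic, 2 = advanced
$report['Defender cloud protection (MAPS)'] = ($pref.MAPSReporting -gt 0)

# Windows Firewall: Domain, Private and Public profiles should all be enabled,
# unless you deliberately replaced it with Simplewall as the advanced step says.
$disabled = Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' }
$report['Windows Firewall enabled on all profiles'] = (-not $disabled)

# SmartScreen for Explorer/downloads. Standard registry location (assumption,
# not from the page); values are strings such as "RequireAdmin", "Warn" or "Off".
$ss = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' `
        -Name SmartScreenEnabled -ErrorAction SilentlyContinue
$report['SmartScreen (Explorer)'] = if ($ss) { $ss.SmartScreenEnabled } else { 'not configured' }

# Standard user vs. administrator for the current session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$report['Running as administrator'] = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# Patch recency: date of the most recently installed update.
$lastFix = Get-HotFix | Where-Object { $_.InstalledOn } |
           Sort-Object InstalledOn -Descending | Select-Object -First 1
$report['Most recent update installed'] = if ($lastFix) { $lastFix.InstalledOn.ToShortDateString() } else { 'unknown' }

# Print one aligned line per check.
$report.GetEnumerator() | ForEach-Object { '{0,-42} {1}' -f $_.Key, $_.Value }
```

Run it from an ordinary (non-elevated) PowerShell window; "Running as administrator" should read False for day-to-day use, and any False firewall or Defender line marks a step above that still needs doing.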
If you understand that then you're on your way to becoming a competent user of the internet.
Antivirus software can be effective at combating basic, “non targeted" malware that might be used by criminals against hundreds, or even thousands, of targets. However antivirus software is usually ineffective against targeted attacks, such as the ones used by the Chinese government hackers to compromise the New York Times.
A sandbox is an isolated testing environment that enables users to run programs or execute files without affecting the system. Software developers use sandboxes to test new program code. Cybersecurity professionals use sandboxes to test potentially malicious software. Without sandboxing, an application or other system process could have unlimited access to all the user data and system resources on a network. The most notable form of sandboxing is creating a virtual environment with VirtualBox. Another popular choice is Sandboxie. Windows 10 now includes built-in sandboxing.
A Behavior Blocker (BB) monitors running programs and, based on the actions logged for a specific program, blocks actions according to how malicious they are determined to be, or matches the logged behavior to a specific threat type (e.g. worm, backdoor, bootkit, etc.). For example, if I wrote a sample which was run with administrative privileges (the privileges required) and which then tried to open a handle and write to it in order to modify the Master Boot Record (the boot sector on the physical drive), then the Behavior Blocker may monitor this behavior and prevent the sample from performing the action, since it is very high up on the scale for determining malicious activity; it may show an alert asking the user what they want to do (indicating that the activity appears definitely malicious as opposed to merely suspicious), or it may auto-quarantine the sample.
Host Intrusion Prevention System (also known as HIPS)
Host Intrusion Prevention System (HIPS) is used to monitor the running programs (e.g. the ones which have been set to be monitored by user-defined methods, or if the program is unknown/appears to be suspicious based on static characteristics) and prevent specific behavior from being carried out based on the user's settings configuration for the HIPS rules (e.g. prevent new driver installations, prevent modifications to the Windows Hosts file, prevent suspicious memory attacks towards external processes, prevent new start-up entries, etc.).
Software Restriction Policy (SRP)
MBR Filter (free)
Note: The MBRFilter uninstall instructions are poorly written. If the uninstall is done incorrectly or goes badly, then you might get the dreaded BSOD INACCESSIBLE_BOOT_DEVICE - which means a probable clean install of the OS. When uninstalling you need to delete the key value and not the entire key itself.
MBR Filter is a simple disk filter designed by Cisco Talos to block write access to the Master Boot Record (MBR). The MBR stores information about how the storage device is partitioned, as well as details of the filesystem configuration on the device. MBR Filter prevents rootkits, bootkits, and ransomware, such as Petya, from overwriting the operating system’s (OS) boot loader. Ransomware like Petya overwrites and encrypts the victim’s Master File Table (MFT) to coerce them into paying for an encryption key.