Filed under Anti-malware, Antivirus, Security, Technology by Boydo
This might polarise the audience a bit but I just wanted to expand on my thoughts in this earlier article.
In that article, I noted the only 100% effective solution to cure an infected computer is to format and reinstall or restore from a known good backup. Today, I tried and tried unsuccessfully to eradicate a trojan from a computer belonging to a business which drove their primary point of sale terminal. Unfortunately, it was so deeply rooted that it could not be removed manually or with specialised tools. Fortunately, they had another computer on hand to swap in to keep things going.
The problem is that antivirus software built on current pattern-based technology won’t catch 100% of the bad stuff coming in. In order to be detected, a virus must first be known, so there will always be a window of time in which new viruses, worms, trojans and the like can get in and your AV might let them slip through. This is where being cautious with your online activities and portable storage comes to the fore.
Do you trust the site you are browsing or from which you are downloading a file?
Do you know where that storage device has come from and the computers to which it has been connected?
Were you expecting an attachment from that particular person?
If the answer to these questions is no, then you might want to think twice. These are popular vectors for malware infection.
Prevention is always better than the cure, particularly as the cure cannot be known to completely reverse what has been installed. Regular and clean backups are also going to save you from losing data and time reinstalling and reconfiguring everything from scratch after an incident.
anti-malware, Antivirus, malware, trojan, virus
February 18, 2012 at 21:54
Filed under Anti-malware, Antivirus, Security, Technology by Boydo
Just a short update tonight.
I’ve installed the recent beta of the upcoming version of Microsoft Security Essentials (Version 4.0.1111.0) to see how it performs and how different it is to prior versions. The upgrade only took a minute and I am setting it off on a scan to assess its speed.
No major red flags as yet but I’ll be sure to report anything that may come to light.
Stay tuned!
anti-malware, Antivirus, beta, Microsoft, Security Essentials
December 1, 2011 at 21:46
Filed under Anti-malware, Antivirus, Microsoft, Operating Systems, Security, Technology by Boydo
Looks like Microsoft are prepping a new major release of the popular Security Essentials package by enlisting a stack of beta testers prior to the final version going out.
Alongside the existing features, it’s expected that new features will include automatic malware removal (removing the requirement for user interaction) plus enhanced performance and protection capabilities.
At any rate, MSE still proves to be a credible option for people who cannot or just don’t want to pay for virus and malware protection for their computers. If you want to sign up to be a part of the forthcoming beta you can do so here. Just remember, being beta software there could be unintended consequences!
anti-malware, Antivirus, malware, Microsoft, Security Essentials, virus
November 25, 2011 at 21:38
Filed under Antivirus, Microsoft, Operating Systems, Security, Technology, Windows Phone 7 by Boydo
There’s not much in the way of security software on Windows Phone 7, partially because the operating system already does a good job sandboxing third party apps. However, AVG released a scanner this week for Windows Phone 7 which sought to fill a perceived gap in virus security for the platform.
Unfortunately, it seems like it doesn’t do much to protect your phone (not that it needed much protection in the first place).
In a nutshell, all it does is scan music and image files (which can be accessed from third party apps) for antivirus test strings and the word “Hebrew” in Hebrew according to some analysis done by Rafael Rivera. EICAR test strings are used by AV developers to test the detection engines without having to implement actual viruses. This approach has been likened to setting a fire in a bin under a smoke alarm to test out an EWIS (Early Warning and Intercommunication System) in commercial buildings.
So really, AVG does nothing to protect you from nasties.
The real threat to Windows Phones is sideloaded apps (or XAP files) which can be loaded on developer unlocked devices without going through the Marketplace. A maliciously crafted app that gets onto a phone using this method could potentially cause some problems. Unfortunately again, AVG cannot scan for these files, leaving this attack vector unprotected (although one may argue that people with unlocked phones would probably know when something was up).
So if you have been thinking about using AVG then you might want to think again.
EICAR, Antivirus, AVG, EWIS, Microsoft, security, Windows Phone 7
September 9, 2011 at 21:47
Filed under Anti-malware, Antivirus, Security, Technology by Boydo
Sometimes it can be hard getting an antivirus to install on an infected machine especially when malware is making it difficult to use an internet connection. I have covered other tools such as MalwareBytes in the past but I thought a new tool released by Microsoft was worth a mention.
The Microsoft Safety Scanner is a fully self-contained security tool that scans for viruses, spyware and other sorts of malware. It doesn’t require installation and works simply by executing the application. At present, the file weighs in at around 70MB, which shouldn’t take too long to download on most broadband connections.
When you run the application, you’ll encounter the end user license agreement screen:

Microsoft Safety Scanner - EULA Screen
Then a welcome screen (which could have perhaps been removed to save another click):

Microsoft Safety Scanner - Welcome Screen
On the next screen, you can choose the type of scan you want to run (on infected machines the “full scan” option would probably be most appropriate):

Microsoft Safety Scanner - Scan Type Screen
Once you have chosen your scan, MSS will do its thing and start scanning:

Microsoft Safety Scanner - Scanning Screen
Once completed you’ll be provided the results of the scan (and my computer seems to be clean after a quick scan):

Microsoft Safety Scanner - Scan Results Screen
The scanner comes in 32-bit and 64-bit flavours so make sure you pick the right version for your copy of Windows. The software is also only valid for ten days after downloading. Whilst this might seem a bit inconvenient, it’s done to prevent people running old and obsolete software given the lack of built in update functionality. MSS is also not a replacement for antivirus software. Proper antivirus software runs continuously and automatically in the background to prevent infection whilst MSS is designed to manually remove infections after the fact.
So whilst you might not need MSS straight away it might come in handy later on.
Antivirus, malware, Malwarebytes, Microsoft, Safety Scanner, spyware
May 1, 2011 at 21:59
Filed under Anti-malware, Antivirus, Microsoft, Operating Systems, Security, Technology, Windows 7, Windows Vista, Windows XP by Boydo
Quick tip for this evening.
An update to Microsoft Security Essentials was released by Microsoft on 16 December, 2010 which saw the version number increment up to Version 2.0. This was after the second Tuesday of the month (AKA “Patch Tuesday”), when Microsoft releases patches and upgrades for its software through Windows Update. This meant that you may not have received the update unless you manually checked for it between 16/12/2010 and 11/01/2011 (“Patch Tuesday” for January 2011).
However, it seems that people (including myself) still did not receive the update automatically so here’s what you can do to force an upgrade.
- Open Microsoft Security Essentials,
- Click on the down arrow next to “Help”,
- Click on “Check for software updates”.

Microsoft Security Essentials - Manually Check for Software Updates
Once you have successfully updated, your software version number should jump up to 2.0.657.0 (at the time of writing), which can be checked by clicking on “About Security Essentials” in the “Help” dropdown menu shown above.
Microsoft, Patch Tuesday, Security Essentials, Windows Update
January 20, 2011 at 21:37
Filed under Anti-malware, Antivirus, Connectivity, Firewall, Secure, Security, Technology, VPN by Boydo
Just a quick one for tonight.
A few days ago, it was announced that Intel had bought McAfee for under $8 billion. McAfee was not in any financial trouble despite sending out an update to its antivirus software that rendered computers inoperable when a critical system file was quarantined.
The question here is what is Intel’s motivation in making such a move?
Intel is not in the security market from a desktop software perspective, and the involvement that Intel does have in security is largely centred on the hardware inside our computers, such as the Trusted Platform Module, which securely stores cryptographic information such as keys or certificates.
One can only guess that Intel is wanting to break into markets such as Unified Threat Management (UTM) boxes that have a wide range of capabilities such as firewall, VPN and real-time virus scanning (web and e-mail). Certainly as security becomes a bigger issue and small businesses are becoming more connected with larger networks, trying to keep every computer secure is a hard task in itself.
Still, I didn’t consider McAfee to be the shining beacon of the security industry. If you have been following the blog for a while you will know of my distaste for the major antivirus companies trotting out new products each year with questionable features and updates that serve nothing more than to lock in more revenue and increased occupation of space on your hard drives. Perhaps as a security research firm McAfee might have had something to offer but their software solutions are woeful.
I guess we will see where Intel will take this recent acquisition but it will take some time to see what exactly the outcome will be.
Antivirus, firewall, Intel, McAfee, TPM, Trusted Platform Module, Unified Threat Management, UTM, VPN
September 1, 2010 at 21:43
Filed under Anti-malware, Antivirus, Firewall, Microsoft, Operating Systems, Security, Technology, Windows 7, Windows Vista, Windows XP by Boydo
Just a quick update for this evening.
In news that might have slipped under the radar, Microsoft has released a beta version of its popular Microsoft Security Essentials software. This version of the software sports a few new features but also keeps down the bloat which is great for low end computers like netbooks. New features include:
- Windows Firewall integration,
- Internet Explorer integration (to help protect against malware coming from the web),
- Revised protection engine (for more efficient detection and overall performance),
- Enhanced network protection (to help protect against threats on your local network).

Microsoft Security Essentials 2.0 Beta
On the surface it looks very much the same as the first version except for the black background. Functionality is also pretty similar and it does its thing in the background without nagging you unless it finds something (which is exactly the way I like it).
If you are keen to give it a try, you can visit Microsoft Connect and sign up for the beta. It’s available for Windows XP, Vista and 7 so most people should be able to install it. Just a word of warning, it is beta software so it can have the potential to crash your system or do bad stuff. Having said that, I have been using it without too many issues on my desktop computer at home.
beta, firewall, Internet Explorer, Microsoft, Microsoft Connect, Security Essentials
August 25, 2010 at 18:12
Filed under Anti-malware, Antivirus, BitTorrent, Browsers, Communications, Connectivity, Email, Flash, Hard Drive, Instant Messaging, Internet Explorer, Microsoft, Operating Systems, Optical, P2P, Security, Storage, Technology, Windows Vista by Boydo
Today, a work colleague and friend of mine had an issue with her computer being overcome by a nasty piece of malware formally known as PolyCrypt and commonly disguised as “Security Master AV” (which looks a lot like the Windows Security Centre). The computer was still operational and remotely accessible via LogMeIn (which I have covered in a prior blog post).
These days, there are so many vectors for malware to get into a computer. Not only do we have to think about the media that we insert into the computer like floppies (if anyone still uses them), optical discs, external hard drives and USB sticks but things that arrive over the Internet like e-mail, webpages, torrents and instant messages. Long gone are the days where we had computers operate in complete isolation.
Malware can easily overrun your system by taking advantage of unplugged or undiscovered security holes in the software you use, including your browser, e-mail client and operating system. It only takes one piece of software to succumb to a security exploit, despite the rest being fully patched, and all bets are off. That’s why it is really important to accept the Windows Update notifications at a minimum.
Anyway, the malware in question had disabled McAfee (the resident antivirus) and had also suppressed Windows Defender (the resident anti-spyware software). I was not prevented from accessing the registry but I think this was due to the User Interface Privilege Isolation (UIPI) functionality in Windows Vista. This function prevents lower privileged processes (such as the malware) from controlling higher privileged ones. Internet Explorer would also close as soon as it would attempt to load a webpage but I found a way around this by right clicking on it then clicking on “Run as administrator” (which was then insulated from the malware as a result of UIPI).
Eventually, I found the manual steps for removing PolyCrypt but thought that the system really needed a thorough inspection. Since the already installed anti-spyware was non-functional I had to find an alternative.
Enter Malwarebytes’ Anti-Malware.
I used the free version in this instance, which provides access to the on-demand malware removal functionality, but stumping up for a license at US$25 unlocks real-time protection as well as scheduled scanning and updating. It can scan an entire system fairly quickly and provides detailed logs as to what was found as well as the steps it took to remove any discovered malware. It has yet to let me down when a system is riddled with viruses and other rubbish.
At any rate, the affected system was back up and running later this morning (after a System Restore to fix the broken networking). However, you can only ever truly guarantee that a system is clean by reformatting and reinstalling from scratch or restoring from a known good backup (you are backing up, aren’t you?). To get by until that can be carried out, though, Malwarebytes’ Anti-Malware is very useful.
anti-malware, BitTorrent, e-mail, floppy disk, Instant Messaging, Internet Explorer, LogMeIn, malware, Malwarebytes, McAfee, PolyCrypt, Security Master AV, UIPI, Windows, Windows Update, Windows Vista
July 2, 2010 at 22:12
Filed under Antivirus, Firewall, Security, Technology by Boydo
In a new parliamentary report, Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber Crime, it has been recommended that it become mandatory that computers have firewall and antivirus software installed prior to an Internet connection being activated.
There have also been other measures suggested to assist in containing infected machines such as the “walled garden” approach (which would pretty much limit Internet access to a page where you can download the required tools to disinfect a computer). Other listed approaches include throttling the speed of connections harbouring infected machines or flat out disconnections.
In theory, I think this is a positive step but I think we can do better than burden ISP helpdesk representatives with having to educate their customers as to why their connections have been crippled or terminated. We need to be teaching computing fundamentals in schools to instil knowledge early in upcoming generations. Getting knowledge and awareness out to the rest of the population is where the real challenge lies. I guess it is always easier for politicians to get the private sector to pick up the tab for their initiatives.
Nonetheless, there are plenty of free antivirus solutions out there and any modern operating system includes basic firewall functionality. Furthermore, router modems provide an extra layer of security courtesy of NAT (Network Address Translation) by dropping incoming connections that were not initiated from behind the router.
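As an added illustration (not part of the original post), this toy Python model shows the NAT behaviour described above: an outbound connection creates a translation entry, and an inbound packet is forwarded only if it matches one. All addresses, ports and names (`Nat`, `demo`) are constructed for the example, and it models the strict case where a reply must come from the same remote address and port.

```python
"""Toy model of a NAT router's translation table (constructed example)."""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"  # documentation-range address, constructed


@dataclass
class Nat:
    next_port: int = 40000
    # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    table: dict = field(default_factory=dict)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN host opens a connection: record a mapping, rewrite the source."""
        public_port = self.next_port
        self.next_port += 1
        self.table[(public_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return PUBLIC_IP, public_port

    def inbound(self, remote_ip, remote_port, public_port):
        """A packet arrives from the Internet: forward only if a mapping exists.

        Returns the LAN destination, or None when the packet is dropped.
        """
        return self.table.get((public_port, remote_ip, remote_port))


def demo():
    nat = Nat()
    # A PC behind the router browses to a web server.
    _, port = nat.outbound("192.168.1.20", 51515, "198.51.100.7", 443)
    return {
        # The server's reply matches the mapping and is forwarded.
        "reply": nat.inbound("198.51.100.7", 443, port),
        # A different host hitting the same public port has no mapping.
        "other_host": nat.inbound("192.0.2.99", 443, port),
        # A probe of a port nobody opened from inside has no mapping either.
        "unsolicited": nat.inbound("192.0.2.99", 12345, 3389),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} -> {result or 'dropped'}")
```

A port-forwarding rule amounts to a permanent entry in this table, which is why a forwarded port is reachable without any outbound connection first.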
Personally, I think disconnecting people outright may be a bit extreme (especially given reconnection penalties) and lumping the burden of handling confused or upset customers on ISPs is a bit harsh. I still believe education is the answer but how that should be delivered is still up for debate.
Antivirus, firewall, Internet, security
June 23, 2010 at 23:19