Dr. Nikolai Bezroukov.
Version 4.1 (November, 2012)
Note: This is copyrighted unpublished work. All rights reserved.
There are several problems with the current PC infrastructure that make malware a serious threat:
Several of the factors listed above make "disinfecting" Windows a fool's errand. Generally only a full reinstallation guarantees that you completely get rid of a complex piece of malware: often the antivirus program deletes part of the beast, and the remaining part downloads the missing pieces again. Also, antivirus programs that scan the hard drive for offenders are always one step behind malware authors. At the same time, non-scanning approaches to malware defense remain under the radar, as antivirus companies now represent a powerful lobby that is hostile to the spread of any technology that could undermine their revenue stream. Symantec's suit against Microsoft is a pretty typical reaction to such threats:
"Symantec, like a lot of security vendors, is afraid that if Microsoft catches up on security they'll win the market by default," said Plato. "I think it shows, once again, that Symantec doesn't have technology that stands on its own merits and they have to sue their way to profitability."
Antivirus companies also often use questionable tactics to win customers (Forbes, Jan 11, 2012):
Security firms often warn users about “scareware”: malicious software that performs fake antivirus scans and then demands the user pay for a cleanup. Now a lawsuit claims that the world’s top antivirus firm, Symantec, is itself a scareware scammer.
James Gross, a resident of Washington State, filed what he intends to be a class action lawsuit against Symantec in a Northern District California court Tuesday. Gross claims that Symantec defrauds consumers by running fake scans on their machines, with results designed to bully users into upgrading to a paid version of the company’s software.
Among alternative approaches are:
Let's discuss them one by one.
In the past Microsoft partially tried to address the problem by creating the so-called "Microsoft Shared Computer Toolkit", which was later renamed Windows SteadyState. It provides a high level of security for public computers and can (and should) be used on home PCs, especially multiuser PCs. Microsoft discontinued SteadyState in 2010. As of December 2010, SteadyState is no longer available for download. Support for Windows SteadyState was available until June 30, 2011 through the Microsoft Support website. There is no upgrade to Windows Vista (see Microsoft decision puts public libraries at risk by Yardena Arar, April 2010). Although SteadyState is discontinued, it is still possible to prepare a shared computer using Windows 7 native features and support tools. Microsoft has published guidance, Creating a Steady State by Using Microsoft Technologies, for implementing a steady state in Windows 7.
People who manage public computers face daunting security and anti-malware threats. Microsoft acknowledged this fact when it introduced Windows SteadyState, an add-on for Windows XP and, later, Vista.
SteadyState essentially resets a computer whenever a user signs off, thus protecting his or her identity and data. It lets administrators restrict how users can interact with the computer — administrators can, for example, block access to programs, Web sites, the Control Panel, and disk drives.
SteadyState can also set time limits on user sessions and import user accounts (so that once you’ve set up an account on one PC, you don’t have to start from scratch on the others you manage). And when a user logs off, a feature called Windows Disk Protection erases all changes, ensuring a consistent user interface.
However, not only is SteadyState incompatible with Win7, Microsoft says it has no plans to introduce a Windows 7-compatible version. That’s leaving some IT managers scrambling for replacement technology and others vowing not to upgrade to Windows 7 at all.
.... SteadyState is descended from the Public Access Computer security software developed in the early 2000s by the Bill and Melinda Gates Foundation. It was part of the foundation’s ongoing drive to put computers into schools and libraries. In 2005, Microsoft picked up the torch with the release of the Shared Computer Toolkit and then followed with SteadyState in 2007 for Windows XP.
As Microsoft’s statement on SteadyState suggests, there are other tools available for managing shared computers. At least one forum poster said he was able to install SteadyState on Win7 systems by using the new operating system’s Vista or XP compatibility mode. But at this time, it’s not known whether all features — particularly Windows Disk Protection — will work.
Third-party solutions, such as Faronics’ Deep Freeze, don’t appeal to cash-strapped educational institutions, which are already spending considerable money upgrading to Windows 7. Faronics does offer libraries and non-profits discounted volume licensing rates that lower the $45 price to about $30 for each PC.
IT consultant Michael Jurayj of Saint Paul, Minn.-based House Calls Technologies thinks he can re-create some of SteadyState’s features in Win7, but he’s not happy about it. Jurayj wrote in an e-mail:
“I can probably lock it down through the Group Policy editor and the Registry, but it will be more labor intensive and therefore more expensive [for customers]. Unfortunately, it will not be as elegant and because of the expense will be less likely to be used.”
As a result, Jurayj said, he’s thinking of offering his customers the option of rolling their machines back to Windows Vista so they can use SteadyState.
But there is a simpler way to get 90% of the protection provided by SteadyState and similar tools, without the inconveniences that are a natural part of such tools (first of all, the difficulty of changing the configuration).
Disposable VM images are another approach; it can be used in Windows 7 Professional, which allows creating a Windows XP compatibility VM. VMware can also be used for this purpose.
You can eliminate arbitrarily complex infections by restoring a "clean" state from a backup image. Please note that a full disk backup to an image does not take much longer to run than a full AV scan of the hard drive: in both cases almost the full content of the drive is read. But despite the similar run time, the backup gives you the opportunity to restore this state of Windows any time you want, and as such is the better option. Please understand that the only difference between a backup and an AV scan of the hard drive is that the AV program does not send the data it reads to another drive and skips some files. Otherwise the number of bytes read from the hard drive and the total time required are comparable.
Typically, the hidden agenda behind the frantic Internet search of a user with an infected PC for a cure for the particular infection is the very popular idea that it is possible to find "the best anti-malware scanner". See for example Top Spyware Scanners.
In reality the idea of a perfect cure for malware is very similar to the search for the Philosopher's stone, the mysterious substance that can turn lead into gold. This is actually a pretty apt analogy, as an infected computer is as close to a brick of lead as one can get. The problem of converting lead into gold remains intractable.
Malware is a generic term that encompasses a tremendous variety of products, and each approach to combating it faces limitations on certain types of malware. Also, the geographical distribution of various strains of malware is not uniform; in other words, malware is local to a particular geographical area, and only a tiny percentage becomes global. So while there definitely can be a best AV for a particular type of malware at a given period of time (until all the others get the sample and catch up), there is no and cannot be a "generic" best AV. The scanning approach is by definition a solution mired in the past, as there is always a lag between the signature database and the state of things "in the wild". Also, signature databases are universal while malware distribution has distinct regional features (see also Overview of VB'97). All those claims are just PR designed for really stupid users.
For example, a plain-vanilla signature-based scanner will fail on rootkit-based malware. It will also fail if the malware is too new and was not included in the installed version of its signature database (the lag is typically at least a week after detection, sometimes more, even for the richest AV vendors such as Microsoft, McAfee and Symantec, who can afford farms of lab computers specifically for infections and automatic signature creation tools). For all this period it will happily report "no infections found".
Also, some types of malware install additional drivers or components on the computer that can restore deleted components on the next reboot. If such a component was missed, the malware scanner can successfully delete the malware processes and some of the files that constitute the Trojan, but this disinfected state will last only until the next reboot.
Some malware uses random names to make it more difficult to find and delete the registry entries that launch it after it has started. This list can go on and on. Right now malware authors have started to dust off the bag of tricks invented by DOS virus writers.
Only changes in the Windows architecture can provide lasting malware defense, and the last thing Microsoft wants is a break in compatibility. In this sense the most secure version of Windows is Windows 8 running on tablets with non-Intel CPUs. Moreover, the frantic search for an anti-malware program that can remove a particular infection exposes PC users to additional dangers. Not all anti-malware vendors play fair. The recent proliferation of fake antivirus products is one example of the trend. In January 2006, Microsoft and the Washington state attorney general filed suit against Secure Computer for its Spyware Cleaner product. On December 4, 2006, the Washington attorney general announced that Secure Computer had paid $1 million to settle with the state. That means that they had that amount of money. See also People of the State of New York v. Direct Revenue, LLC.
The truth is that there is no perfect antispyware/antivirus program and there cannot be such a thing. This is a variant of the classic "shell vs. armor" story. Malware authors quickly adapt to the capabilities of existing tools when writing new versions or a new generation of malware based on more deeply analyzed vulnerabilities of Windows and the most popular applications. Now states have joined the game, and some "state-sponsored" malware has gotten into the wild.
But even without helpful state-sponsored malware, malware authors have access to funds, as a substantial part of malware is now about money (via direct or indirect extortion). And due to the typical return on investment they do have the motivation to achieve their goals. To get an idea of the technical complexity of spyware, please read the description of Conficker (see Conficker-analysis). All this suggests that scanner-based protection is far from the best way to protect a PC from spyware. It is valuable as a generic detection tool, as sooner or later popular spyware will get into the signature database. But that can take a month or more if you are unlucky. Enterprise users can submit samples and get a modified signature database in a day or so, but that service costs money.
My claim is that a better (or equal ;-) level of protection is achievable using image-based restores of the C: drive. That means that it is preferable to limit yourself to a free antivirus/antispyware program like the offerings from Microsoft (Microsoft Security Essentials), AVG Free, Avast! Home or Avira AntiVir Personal and invest the money into creating a fast system-partition image backup infrastructure.
|My claim is that a better (or equal ;-) level of protection is achievable using image-based restores of the C: drive. It takes less than a couple of hours and, unlike AV-based disinfection, is a 100% reliable disinfection method.|
The key value of AV/antispyware scanners is not immediate disinfection but alerting you to the problem "after the fact", in case you missed it. All those tools are usually one step behind spyware writers. This is a generic weakness of AV/antispyware scanners, and nothing can be done about it. They are always fighting the last war.
So buying some commercial AV/antispyware program, for example Norton Antivirus 2010 from Symantec for $20 (which is actually $60 if you have three computers at home; see NORTON ANTIVIRUS 2010 1U/3PC), is not a wise move. While it might be better on some spyware, it is definitely worse than Microsoft's Security Essentials in some areas. Historically, the Norton Antivirus home edition used to cause so many problems on Windows that it can be classified as a Trojan horse in its own right, no less dangerous than most adware ;-).
Generally, the fewer AV/antispyware programs are running on your PC, the more stably it works. So the one free program from Microsoft is more than enough. At least Microsoft's software is less likely to interfere with the stability of the OS. The less known and smaller the AV company, the less money it has for testing and the higher the danger of side effects on your OS configuration. There is no free lunch: yes, smaller companies are more nimble and often provide better quality of disinfection, but they can crash the OS or interfere with some applications.
Money spent on commercial AV would be better spent on creating a fast image-based backup subsystem and 1 or 2 TB USB drives. This amount of space permits creating images on a weekly basis (or even daily if you move your data folder to another partition) and keeping them for several months. In this case you can restore your computer in case of trouble in approximately three to four hours instead of three to four days, and can resume your work in an hour or so, saving countless hours on the phone with the vendor or researching the subject on the Internet (which actually can lead to additional infections ;-).
A SATA or eSATA connection to the backup drive permits backing up/restoring 30 GB of data on the C: partition (which is the typical size of the data on the C: partition in Windows XP) in approximately 15 minutes. USB 2.0 takes approximately twice as long, but you can still fully restore a 30 GB image in less than an hour. USB 3.0 is close to eSATA.
An additional step in this pretty simple but very effective anti-spyware strategy involves splitting your hard drive into two partitions and storing some of your user folders (Documents and Settings in Windows XP) and private data on the second partition, which you should back up daily using Acronis True Image or a similar Ghost-like backup tool. For those who store a lot of media on their drives, this makes creating the image of your system partition quicker, as it is smaller. For those who do not store much data on the C: partition, this step can be omitted. But those are tactical issues. The key strategic idea here is using image-based fast restore instead of an AV/antispyware program. That presupposes a rigid discipline of making backups, so it is beneficial for all other problems not connected with spyware, including crashes of the computer. So the strategy has positive side effects, allowing you to better (actually much better than usual) protect your vital data.
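The backup-and-restore discipline described above, as an added example in Python (not the author's tool, nor Acronis or any other vendor's code): a small image-catalog model that applies the daily/weekly retention the text describes, picks the newest image taken before the infection is suspected to have started, and checks the image against a digest recorded at backup time before it is used as the "clean" state. The catalog, the image bytes and all function names are constructed assumptions for the demo.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

@dataclass(frozen=True)
class ImageEntry:
    taken: date    # day the system-partition image was written
    sha256: str    # digest recorded in a manifest right after imaging

def image_bytes(day):
    # Stand-in for the image file content; constructed so the demo runs offline.
    return f"constructed C: image of {day.isoformat()}".encode()

def build_catalog(today, days=90):
    """Constructed catalog: one image per day for the last `days` days."""
    return [ImageEntry(d, hashlib.sha256(image_bytes(d)).hexdigest())
            for d in (today - timedelta(days=n) for n in range(days))]

def plan_retention(images, today, keep_daily=14, keep_weekly=8):
    """Images worth keeping: all from the last `keep_daily` days, plus the
    newest image of each ISO week for the next `keep_weekly` older weeks.
    Anything not returned can be deleted to free space on the backup drive."""
    keep, weeks_seen = [], set()
    for img in sorted(images, key=lambda i: i.taken, reverse=True):
        if (today - img.taken).days < keep_daily:
            keep.append(img)
            continue
        week = img.taken.isocalendar()[:2]          # (iso year, iso week)
        if week not in weeks_seen and len(weeks_seen) < keep_weekly:
            weeks_seen.add(week)
            keep.append(img)
    return keep

def pick_restore_point(images, suspected_since, safety_days=1):
    """Newest image taken at least `safety_days` before the earliest date the
    infection could have started; None if no image is old enough."""
    cutoff = suspected_since - timedelta(days=safety_days)
    clean = [i for i in images if i.taken <= cutoff]
    return max(clean, key=lambda i: i.taken) if clean else None

def verify_image(data, entry):
    """Recompute the digest and compare with the manifest, so a damaged or
    altered image is never restored as if it were the known-clean state."""
    return hashlib.sha256(data).hexdigest() == entry.sha256

if __name__ == "__main__":
    today = date(2012, 11, 30)
    catalog = build_catalog(today)
    kept = plan_retention(catalog, today)
    oldest = min(kept, key=lambda i: i.taken).taken
    print(f"keep {len(kept)} of {len(catalog)} images, oldest {oldest}")
    rp = pick_restore_point(kept, suspected_since=date(2012, 11, 25), safety_days=2)
    print("restore from", rp.taken, "intact:", verify_image(image_bytes(rp.taken), rp))
```

With a 90-day daily catalog and the defaults above, 22 images survive pruning (14 daily plus 8 weekly), which is the kind of budget a 1 to 2 TB drive holds for a 30 GB system partition.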
While many simpler variants are possible, in the variant described below we will assume the use of one of the following devices as backup storage:
To make recovery faster and less labor-consuming, this backup drive can be split into two partitions: one small partition for booting the OS (~60 GB) and a second one for backup images. Two drives can also be used. The idea is to have the ability to boot the OS with all its components from the partition of the second drive. Summarizing, we need to have:
Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Last modified: March 12, 2019