I figured it was worth writing a quick* & dirty guide on ways to help keep your system clean of spyware & malware, both proactively and reactively...
(* okay, so not really "quick")
Proactive System Protection
This falls into 4 main categories: hardening, patching, firewalling and anti-malware.
Hardening
This is the basic principle of making your system's "base" settings more secure by disabling services that are not required and removing permissions from existing services for users that do not need them.
Examples of software which hardens parts of your system automatically are Spybot Search & Destroy's "Immunizing", and Spyware Blaster.
These are tools which the user runs once (or periodically if they get updated) to make certain system changes; they are not a constantly-running process.
Patching
When software is written, it has "bugs".
Some bugs are visible to the user as an application crashing, hanging or corrupting data - others can be so obscure that they are never uncovered.
Software can also have vulnerabilities.
A vulnerability can be viewed as a very specific type of bug, but personally I view it as an "oversight" on the part of the programmer.
Vulnerabilities usually come about because of something the programmer neglected to do, rather than did wrong; a classic example is not checking the length of a chunk of data before putting it into a buffer - the "buffer overflow".
Sometimes the potential risk of a vulnerability is as trivial as crashing the application, but occasionally a malicious user can insert their own code, have it executed, and start exposing files or set up a connection through which the system listens for further instructions.
When the vulnerabilities are discovered, the author then has to "patch" their code to prevent it from being abused - sometimes it is a simple process, but if the module in question is used by hundreds of other components then it can take a long time to get the testing performed to make sure the patch has no side effects.
Part of Windows Update is dedicated to providing the relevant patches for your system, which is why automatic updates being enabled is important.
Firewalling
This is the process of making sure that network traffic is only allowed through if it matches a predefined set of rules.
Traditionally, firewalls are dedicated network devices (actually glorified routers), but "personal" firewalls have become more and more popular in recent years.
They have an advantage over network (or "hardware") firewalls - they can see the actual applications which are trying to establish outbound connections, or to set themselves up as a server (accept inbound ones).
A hardware firewall generally looks at the ports being used and decides whether to allow the machine as a whole to make the connection.
This is why worms such as Nimda, Code Red and Blaster had such a massive impact - they used the allowed (standard) ports to communicate with web or SQL servers and took advantage of vulnerabilities in the software.
(Vulnerabilities that in their cases already had patches available to fix, some for months.)
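An added example (not from the original post) that makes the distinction above concrete on Windows: using the built-in NetSecurity cmdlets (assumes Windows 8 / Server 2012 or later; run from an elevated prompt to see the full rule set), it sorts the enabled Allow rules into application-scoped rules, which is what a personal firewall gives you, and port-only rules, which is all a port-based hardware firewall can express. It changes nothing; it only reads the rule set.

```powershell
# Added example, not from the original post: classify enabled Allow rules by what scopes them.
function Get-FirewallRuleShape {
    param([ValidateSet('Inbound', 'Outbound')][string]$Direction = 'Inbound')
    # Only enabled Allow rules matter here: they are the holes in the default-deny policy.
    $rules = Get-NetFirewallRule -Direction $Direction -Enabled True -Action Allow
    foreach ($rule in $rules) {
        $app  = $rule | Get-NetFirewallApplicationFilter   # Program is 'Any' when not scoped
        $port = $rule | Get-NetFirewallPortFilter          # Protocol is 'Any' when not scoped
        $programScoped = [bool]$app.Program -and $app.Program -ne 'Any'
        [pscustomobject]@{
            Name     = $rule.DisplayName
            Profile  = $rule.Profile
            Program  = if ($programScoped) { $app.Program } else { 'Any' }
            Protocol = $port.Protocol
            Port     = if ($Direction -eq 'Inbound') { $port.LocalPort } else { $port.RemotePort }
            Kind     = if ($programScoped) { 'application' } elseif ($port.Protocol -ne 'Any') { 'port-only' } else { 'unscoped' }
        }
    }
}

# Inbound Allow rules not tied to a program are reachable by whatever happens to be listening on
# that port, which is exactly the gap the worms above used. Review each one; narrow it to a program if you can.
Get-FirewallRuleShape -Direction Inbound |
    Where-Object { $_.Kind -ne 'application' } |
    Sort-Object Kind, Name |
    Format-Table Name, Profile, Protocol, Port, Kind -AutoSize
```

Run it again with -Direction Outbound to see which programs are allowed to initiate connections, the view a personal firewall prompts you about.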
Anti-Malware
Anti-virus software has to be the most well-known flavour of anti-malware product - monitoring running processes and file access on a system for known "signatures" of viruses.
Depending on who you speak to, trojans, zombies and keyloggers may be considered "viruses", but they don't necessarily have the classic aspects of what makes a virus.
A virus might be used to deliver such a piece of malware, but equally it could be a maliciously designed website taking advantage of browser vulnerabilities.
Anti-malware products, rather predictably, are designed to look for specific malware products and alert the user to their presence.
"Spyware" is a term associated with malware, but is more of a set of products based around the invasion of privacy - uploading your browsing habits to a server, or making "targeted" popup adverts appear on your PC.
People have tried to get spyware classed as a virus if it installs itself without the user's knowledge and consent - though often the EULA does mention that the product will be installed, and not everyone reads through the whole text.
Reactive System Cleaning
This is what happens when you have acquired some kind of nasty that you want to get rid of.
Exactly what you do to eradicate the unwanted pest depends on the category it falls into - but ideally if your proactive measures are in place and all signatures up to date, this should not be required very often.
Windows-specific Stuff
All of the above is very general information, applicable for the most part to any OS, not specifically Windows.
However, Windows is the only OS I use, so here follow some recommendations for tools to help with health checking a Windows system.
For system hardening, Spybot Search & Destroy has an "immunization" section, and the tool Spyware Blaster is dedicated to making adjustments to IE and Mozilla/Firefox browsers to harden them.
Disabling services that are not required is a good hardening process, but out of the scope of this article as each user may have different requirements - there is no "one size fits all".
For patching, it is definitely wise to have automatic updates enabled, and periodically check the vendor's website for updates or fixes to any software you use (a lot of software now has built-in update checking).
A personal firewall is a good idea even if you have a router with built-in firewall - I'm not going to make a specific recommendation as my personal experience has only been with a handful, but I strongly recommend that one is used on every machine which has any connectivity with others (through dial-up or LAN).
(The software sticky in this forum has a list of products recommended by people who frequent here.)
Anti-malware products: as with personal firewalls you will find different people have different opinions of anti-virus products, so no suggestion from me other than "use one!".
Spyware Guard - from the author of SpywareBlaster, this is a memory-resident tool which monitors your machine's memory for known spyware products.
For "reactive" system health checking, if you suspect or know you have some pest and want to figure out how to find and kill it, there are a few tools:
Spybot Search & Destroy has been mentioned a couple of times - definitely worth keeping this up to date and running periodic checks on your system.
HijackThis is not too user-friendly, but a great tool to get an idea of what might be something you want to remove; it can generate a text log of its findings so you can ask others for advice if you think something is suspect.
Autoruns is a tool to give you a complete analysis of what is being launched on your PC every time you log in, complete with description, publisher (if present in the executable) and path.
Process Explorer will show you every process running on your system at that exact moment and the parent/child relationships (processes that spawn other processes), even down to individual threads.
Yes, there are other tools available, I have only listed ones I use myself.
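An added example, not from the original post, that approximates two of the tools above using only built-in PowerShell (assumes Windows PowerShell 3.0 or later; run elevated to see every process): Get-AutostartEntry lists the Run/RunOnce registry autostarts with path and Authenticode signer, the way Autoruns does, and Show-ProcessTree prints the parent/child process tree, the way Process Explorer does. Neither changes anything on the system.

```powershell
# Added example, not from the original post: read-only look at autostarts and the process tree.

$RunKeys = foreach ($hive in 'HKLM:', 'HKCU:') {
    "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
}

function Get-AutostartEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }            # provider metadata, not an entry
            # The value is a command line: take the quoted path, or else the first token.
            $cmd = [string]$p.Value
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd.Trim() -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $sig = if (Test-Path -LiteralPath $exe) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
            [pscustomobject]@{
                Key    = $key
                Name   = $p.Name
                Path   = $exe
                OnDisk = [bool](Test-Path -LiteralPath $exe)
                Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                Status = if ($sig) { [string]$sig.Status } else { 'FileMissing' }
            }
        }
    }
}

function Show-ProcessTree {
    $all  = Get-CimInstance Win32_Process
    $have = @{}; foreach ($p in $all) { $have[[int]$p.ProcessId] = $true }
    $seen = @{}
    function Walk($Proc, [int]$Depth) {
        if ($seen.ContainsKey([int]$Proc.ProcessId)) { return }   # guard against PID-reuse cycles
        $seen[[int]$Proc.ProcessId] = $true
        '{0}{1} (PID {2})' -f ('  ' * $Depth), $Proc.Name, $Proc.ProcessId
        foreach ($c in $all) {
            if ([int]$c.ParentProcessId -eq [int]$Proc.ProcessId -and [int]$c.ProcessId -ne [int]$Proc.ProcessId) { Walk $c ($Depth + 1) }
        }
    }
    # Roots: the parent has exited (its PID may even have been reused) or the process is its own parent (PID 0).
    foreach ($r in $all) {
        if (-not $have.ContainsKey([int]$r.ParentProcessId) -or [int]$r.ProcessId -eq [int]$r.ParentProcessId) { Walk $r 0 }
    }
}

Get-AutostartEntry | Sort-Object OnDisk, Status | Format-Table -AutoSize
Show-ProcessTree
```

Entries whose file is missing from disk or whose signature status is not Valid are the first ones to look into; this covers only the Run keys, whereas Autoruns itself checks many more autostart locations.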
PROACTIVE PROTECTION IS BETTER THAN REACTIVE CLEANING
Computer security is multi-layered - there is no single solution:
- harden
- check for patches regularly
- use a personal firewall
- use anti-malware tools (at least anti-virus)
All the above information is my personal opinion, there will undoubtedly be people who disagree with certain points (hey, this is the Internet after all), but I hope some of you find it useful.
Maybe even useful enough to sticky, who knows.