My wife then asked me how this virus got through. We have a firewall through the router, and she had Microsoft Security Essentials running.
Firewalls only protect you from internet-initiated connections – the kind that other computers out on the internet try to make to yours.
That protection’s important. Some malware constantly tries to connect to random IP addresses on the internet. Once connected, the malware attempts to exploit vulnerabilities. A firewall prevents that connection from happening.
If your router has a log, it’s interesting to see how many random connections are attempted from the outside.
What happened to you wasn’t that kind of malware.
Welcoming malware
These days, people invite most malware on their machine.
You do something on your machine that makes a request of a page or file to be downloaded. When you request something, the firewall doesn’t stop it; you requested it – even if what you request is malware.
It could be a web page, something that web page references (e.g. an image), or an email attachment that you then download and run. All of these are initiated by your computer as an outgoing request to some server out on the internet.
Scanning downloads in real time
What anti-malware tools like Microsoft Security Essentials (MSE) usually do is try to scan things as they download. This is called “real-time scanning.”
That can be problematic for a couple of reasons. The biggest is that the tool has to insert itself into the download process without adversely affecting the download. It has to scan every file being downloaded by an app that was never designed to have an outside process monitor its work, and do so without breaking that app.
Not easy.
I can think of several techniques, but they all have their pros and cons.
Because of this, there’s one surprising piece of advice that I sometimes give.
Turn off real-time scanning.
I only give this advice after it’s determined or suspected that the anti-malware tool is indeed interfering with the user’s web-browsing experience or their email downloads.
In general, real-time scanning should probably be turned on as long as it’s not causing a problem.
Hence, step one is to make sure real-time scanning is on. (It’s in MSE’s Settings page.)
The race (or why MSE might have missed it)
Malware can still slip through for several reasons.
- It’s a race in real time. Some scanning techniques do not insert themselves into the download process, but rather run alongside it. The download isn’t intercepted at all, but rather after (or perhaps as) the file is downloaded, the anti-malware tool scans it separately. That implies that the scan-and-quarantine process has to be faster than the download-and-run. If the download-and-run (for whatever “run” might mean) happens too quickly, then the scan may not complete in time and may not detect malware until after the infection occurs.
- It’s a race in calendar time. New malware appears every day; more importantly, new variants of malware appear every day. If the database of known malware for the anti-virus tool hasn’t been recently updated to include the latest, then it may not even know that it should be looking for a particular recent variant. Hence, frequent updates are a must – daily at a minimum. I believe that’s the MSE default.
- It’s a race between vendors. This is harder to comprehend, or at least to explain away, but not all anti-malware tools catch all malware. There are things that MSE catches that others do not. There are things that others catch that MSE doesn’t. It’s confusing, but it is what it is.
If you can’t run real-time scanning, or if real-time scanning might miss things, what hope is there?
Additional techniques
First, that’s what scheduled scans do. They look for malware that has already made it onto your machine and clean it up after the fact. It’s less than ideal, but it’s more reliable and significantly better than nothing.
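One way to check the three things recommended above (real-time scanning on, signatures updated daily, a scheduled scan actually running) from a PowerShell prompt, as an added example that is not from the article: it assumes Windows Defender, MSE’s successor, and its Defender PowerShell module, so it will not work against MSE itself.

```powershell
# Added example: audits the article's three recommendations on a Windows Defender
# machine. Assumes the Defender module (Get-MpComputerStatus / Get-MpPreference).
function Test-AntimalwarePosture {
    param(
        [int]$MaxSignatureAgeDays = 1,   # "daily at a minimum"
        [int]$MaxScanAgeDays      = 7    # a scheduled scan at least weekly
    )

    $status   = Get-MpComputerStatus
    $prefs    = Get-MpPreference
    $findings = @()

    # Step one: real-time scanning must be on.
    if (-not $status.RealTimeProtectionEnabled -or $prefs.DisableRealtimeMonitoring) {
        $findings += 'Real-time protection is OFF; turn it back on unless it is provably breaking downloads.'
    }

    # The race in calendar time: the signature database must be fresh.
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Signatures are $($status.AntivirusSignatureAge) day(s) old " +
                     "(last updated $($status.AntivirusSignatureLastUpdated)); run Update-MpSignature."
    }

    # The after-the-fact safety net: a scheduled scan has to actually be running.
    # Defender reports a very large age if no scan has ever completed.
    $lastScanAge = [Math]::Min($status.QuickScanAge, $status.FullScanAge)
    if ($lastScanAge -gt $MaxScanAgeDays) {
        $findings += "No quick or full scan in the last $lastScanAge day(s); " +
                     "check Set-MpPreference -ScanScheduleDay / -ScanScheduleTime."
    }

    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureAgeDays   = $status.AntivirusSignatureAge
        LastScanAgeDays    = $lastScanAge
        Findings           = $findings
        Ok                 = ($findings.Count -eq 0)
    }
}

Test-AntimalwarePosture
```

Run it from an elevated PowerShell session; the Findings list is empty when all three checks pass.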
Second, there’s still no substitute for good user behavior. Many people get infected because they visit sites that are massive nests of malware just waiting to be downloaded and run. Surprisingly, people do download and run these programs and then are shocked when they get infected. Or they intentionally sidestep security measures because they desperately want to see whatever it is the malware providers have promised (i.e. the “Dancing Bunnies” problem).
Sometimes, it’s not directly your fault.
As you mentioned, your wife may not have even clicked on a link. A malicious website or worse – a hacked website – can target known vulnerabilities in the software installed on your machine from the moment you visit.
This is why it’s so important to keep your software up-to-date to remove those known vulnerabilities that malware authors can exploit.
This is also why it’s sometimes important to remove software that you don’t need or use. Java is an excellent example. When its vulnerabilities are exploited, a malicious web page can infect your machine without you having done anything but visit the page.
One silver bullet
There is one important thing that you can do that can essentially save you from anything.
I back up like crazy.
The easiest and often the quickest way to get rid of malware is to restore your machine to the most recent backup image taken prior to the infection.
That presumes that you back up regularly. On my primary desktop and my laptop, I do. I back up the systems daily and much of the data that I’m working on is almost constantly being backed up in some way. Other machines, I’ve simply declared as “sacrificial,” but they’re dedicated purpose machines and not as at risk from user activity.
SO … back up: everything, early and often.
Why can’t the evil hackers use their skills for good.
It’s quite scary on the internet nowadays.
I have been using Vipre Internet Security now for a number of years along with Malwarebytes on all the time, and I find that they seem to catch everything. When I click on a dodgy site Vipre stops it immediately. Plus when I have had an infection Vipre comes in on TeamViewer and sorts it out. Best service out there IMHO.
Much bad-ware is bundled with downloads. Previously decent download sites have jumped into bed with the purveyors of rubbish-ware.
Unwanted toolbars, search engine and home page hijacks are still very common.
Security software (yes, MSE is not exempt) is normally asleep on the job when this crapware installs.
Even Oracle Java and AVG try to foist tool bars onto the unsuspecting.
For free software I don’t trust http://download.cnet.com/ any more.
Snapfiles.com is still ok; at least a warning is given if unwanted toolbars are part of the install process.
If I want nothing installed I browse using Sandboxie, which is free and actually works, albeit it can be slightly techie. http://www.sandboxie.com/
Jp
Main rule: be suspicious, but don’t let them make you afraid; there’s life after a malware attack.
Some malware (normally trojans) can be found in temporary files; deleting them often can save you from problems.
I used to use real-time scanning, but not anymore.
Reason: the background process uses too much CPU time and slows down the system to a crawl.
Where installed, I use MSE in manual mode with scheduled scanning.
Another computer runs Windows Defender and Kaspersky on-demand scanning only.
Another one runs a virtual machine.
I back up everything important on several devices.
Check for updates for everything often.
And furthermore it’s only a computer, not your life that’s at stake.
Dear Leo,
I am somewhat disappointed that you allow a very inviting Download offer (appearing to offer free Windows XP and 7) with the most microscopic footnote introducing another Toolbar with some not very exciting apps. There is no reference to this in the adjacent text either. One of your staff must have sanctioned this because I have often seen your disapproval at such practices.
BaliRob,
Check out this article: http://askleo.com/whats_the_difference_between_an_ad_and_your_recommendation/
I think you may be mistaking an ad for Leo’s recommendation.
I have only very limited control over what ads are shown on the site. As always when it comes to advertising, here or anywhere, you need to be vigilant.