
Why didn’t my firewall stop this malware?

The other day, my wife was looking at a website when suddenly she was hit with the System Progressive Protection virus. She never even clicked on a link! We shut her machine down, and I went on the internet and found what seemed to be a reasonable site describing how to get rid of it. After many steps, I think I did.

My wife then asked me how did this virus get through? We have a firewall through the router and she had Microsoft Security Essentials running.

Firewalls only protect you from internet-initiated connections – the kind that other computers out on the internet try to make to yours.

That protection’s important. Some malware constantly tries to connect to random IP addresses on the internet. Once connected, the malware attempts to exploit vulnerabilities. A firewall prevents that connection from happening.

If your router has a log, it’s interesting to see how many random connections are attempted from the outside.

What happened to you wasn’t that kind of malware.


Welcoming malware

These days, people invite most malware onto their machines themselves.

You do something on your machine that requests a page or file to be downloaded. When you request something, the firewall doesn’t stop it; you asked for it – even if what you asked for is malware.

It could be a web page, something that web page references (e.g., an image), or an email attachment that you then download and run. All of these are initiated by your computer as an outgoing request to some server out on the internet.
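To make the inbound/outbound distinction concrete, here is an added illustration (not code from the article): a toy model of the connection-tracking logic a typical router firewall applies. The addresses, ports and packet shapes are constructed for the example.

```python
"""Toy model of a stateful (connection-tracking) firewall.

Added illustration, not code from the article: it shows why a router
firewall drops an unsolicited inbound connection attempt yet passes a
download the LAN computer itself asked for, malicious page or not.
"""
from dataclasses import dataclass

LAN = "192.168.1."          # constructed home-network prefix


@dataclass(frozen=True)
class Packet:
    src: str            # source IP
    sport: int          # source port
    dst: str            # destination IP
    dport: int          # destination port
    syn: bool = False   # True when this packet opens a new connection


class StatefulFirewall:
    """Allow anything the LAN initiates, and replies to it; drop the rest."""

    def __init__(self):
        self.flows = set()   # (lan_ip, lan_port, remote_ip, remote_port)

    def decide(self, pkt: Packet) -> str:
        if pkt.src.startswith(LAN):
            # A LAN host asked for something: remember the flow, let it out.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # Inbound traffic is accepted only if it answers a flow the LAN opened.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ALLOW"
        return "DROP"


def simulate() -> dict:
    fw = StatefulFirewall()
    # Constructed traffic: an unsolicited probe from a random internet host...
    probe = Packet("203.0.113.7", 40000, "192.168.1.10", 445, syn=True)
    # ...and a browser on the LAN fetching a page from a compromised site.
    request = Packet("192.168.1.10", 51000, "198.51.100.5", 80, syn=True)
    reply = Packet("198.51.100.5", 80, "192.168.1.10", 51000)  # the page body
    return {
        "unsolicited_probe": fw.decide(probe),      # blocked by the firewall
        "user_request": fw.decide(request),         # user asked, so allowed
        "requested_content": fw.decide(reply),      # reply to that request, allowed
    }


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:20s} {verdict}")
```

The probe is dropped because nothing on the LAN asked for it; the page body, which is where drive-by malware arrives, is allowed because the browser opened that connection. Only a scanner inspecting the content itself could stop it at that point.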

Scanning downloads in real time

What anti-malware tools like Microsoft Security Essentials (MSE) usually do is try to scan things as they download. This is called “real-time scanning.”

That can be problematic for a couple of reasons. The biggest is that the tool has to insert itself into the download process without adversely affecting the download. It has to scan every file downloaded by applications that were never designed to have an outside process monitor their work, and do so without breaking those applications.

Not easy.

I can think of several techniques, but they all have their pros and cons.

Because of this, there’s one surprising piece of advice that I sometimes give.

Turn off real-time scanning.

I only give this advice after it’s determined or suspected that the anti-malware tool is indeed interfering with the user’s web-browsing experience or their email downloads.

In general, real-time scanning should probably be turned on as long as it’s not causing a problem.

Hence, step one is to make sure real-time scanning is on. (It’s in MSE’s Settings page.)

The race (or why MSE might have missed it)

Malware can still slip through for several reasons.

  1. It’s a race in real time. Some scanning techniques do not insert themselves into the download process, but rather run alongside it. The download isn’t intercepted at all, but rather after (or perhaps as) the file is downloaded, the anti-malware tool scans it separately. That implies that the scan-and-quarantine process has to be faster than the download-and-run. If the download-and-run (for whatever “run” might mean) happens too quickly, then the scan may not complete in time and may not detect malware until after the infection occurs.
  2. It’s a race in calendar time. New malware appears every day; more importantly, new variants of malware appear every day. If the database of known malware for the anti-virus tool hasn’t been recently updated to include the latest, then it may not even know that it should be looking for a particular recent variant. Hence, frequent updates are a must – daily at a minimum. I believe that’s the MSE default.
  3. It’s a race between vendors. This is harder to comprehend, or at least to explain away, but not all anti-malware tools catch all malware. There are things that MSE catches that others do not. There are things that others catch that MSE doesn’t. It’s confusing, but it is what it is.

If you can’t run real-time scanning, or if real-time scanning might miss things, what hope is there?

Additional techniques

First, that’s what scheduled scans are for. They look for malware that has already made it onto your machine and clean it up after the fact. It’s less than ideal, but it’s more reliable and significantly better than nothing.

Second, there’s still no substitute for good user behavior. Many people get infected because they visit sites that are massive nests of malware just waiting to be downloaded and run. Surprisingly, people do download and run these programs, and then they’re shocked when they get infected. Or they intentionally sidestep security measures because they desperately want to see whatever it is the malware providers have promised (i.e., the “Dancing Bunnies” problem).

Sometimes, it’s not directly your fault.

As you mentioned, your wife may not have even clicked on a link. A malicious website – or worse, a legitimate website that has been hacked – can target known vulnerabilities in the software installed on your machine from the moment you visit.

This is why it’s so important to keep your software up-to-date to remove those known vulnerabilities that malware authors can exploit.

This is also why it’s sometimes important to remove software that you don’t need or use. Java is an excellent example. When its vulnerabilities are exploited, a malicious web page can infect your machine without you having done anything but visit the page.

One silver bullet

There is one important thing that you can do that can essentially save you from anything.

I back up like crazy.

The easiest and often the quickest way to get rid of malware is to restore your machine to the most recent backup image taken prior to the infection.

That presumes that you back up regularly. On my primary desktop and my laptop, I do. I back up the systems daily, and much of the data I’m working on is almost constantly being backed up in some way. Other machines I’ve simply declared “sacrificial,” but they’re dedicated-purpose machines and not as much at risk from user activity.

SO … back up: everything, early and often.

7 comments on “Why didn’t my firewall stop this malware?”

  1. I have been using Vipre Internet Security now for a number of years along with Malwarebytes on all the time and I find that they seem to catch everything. When I click on a dodgy site Vipre stops it immediately. Plus when I have had an infection Vipre comes in on Teamviewer and sorts it out. Best service out there IMHO.

  2. Much bad-ware is bundled with downloads. Previously decent download sites have jumped into bed with the purveyors of rubbish-ware.
    Unwanted toolbars, search engine and home page hijacks are still very common.
    Security software (yes, MSE is not exempt) is normally asleep on the job when this crapware installs.
    Even Oracle Java and AVG try to foist toolbars onto the unsuspecting.
    For free software I don’t trust http://download.cnet.com/ any more.
    Snapfiles.com is still OK … at least a warning is given if unwanted toolbars are part of the install process.
    If I want nothing installed I browse using Sandboxie … free and actually works, albeit it can be slightly techie. http://www.sandboxie.com/
    Jp

  3. Main rule: be suspicious but don’t let them make you afraid; there’s life after a malware attack.
    Some malware (normally trojans) can be found in temporary files; deleting them often can save you from problems.

    I used to use real-time scanning but not anymore.
    Reason: the background process uses too much CPU time and slows down the system to a crawl.

    Where installed I use MSE in manual mode with scheduled scanning.
    Another computer runs Windows Defender and Kaspersky on-demand scanning only.
    Another one runs a virtual machine.
    I back up everything important on several devices.
    Check for updates for everything often.
    And furthermore it’s only a computer, not your life, that’s at stake.

  4. Dear Leo,

    I am somewhat disappointed that you allow a very inviting Download offer (appearing to offer free Windows XP and 7) with the most microscopic footnote introducing another Toolbar with some not very exciting apps. There is no reference to this in the adjacent text either. One of your staff must have sanctioned this because I have often seen your disapproval at such practices.
