My wife then asked me how did this virus get through? We have a firewall through the router and she had Microsoft Security Essentials running.
Firewalls only protect you from internet-initiated connections – the kind that other computers out on the internet try to make to yours.
That protection’s important. Some malware constantly tries to connect to random IP addresses on the internet. Once connected, the malware attempts to exploit vulnerabilities. A firewall prevents that connection from happening.
If your router has a log, it’s interesting to see how many random connections are attempted from the outside.
What happened to you wasn’t that kind of malware.
These days, people invite most malware on their machine.
You do something on your machine that makes a request of a page or file to be downloaded. When you request something, the firewall doesn’t stop it; you requested it – even if what you request is malware.
It could be a web page, something that web page references (e.g., an image), or an email attachment that you then download and run. All of these are initiated by your computer as an outgoing request to some server out on the internet.
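To make the direction-based point concrete, here is a small added model of a home router's default stateful policy. It is illustrative code written for this article, not anything from the router or from Microsoft Security Essentials, and the IP addresses and ports are constructed for the example. Unsolicited inbound connections are dropped and logged, while anything the PC asks for, and the reply to it, passes straight through, which is exactly why a requested download carrying malware is never the firewall's problem.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    """Toy model of a home router: outbound connections are allowed and
    remembered; inbound packets pass only if they belong to a remembered
    flow. Everything else from the internet is dropped and logged."""

    def __init__(self, lan_prefix: str):
        self.lan_prefix = lan_prefix
        # Remembered flows: (lan_ip, lan_port, remote_ip, remote_port)
        self.flows = set()
        # Router log of dropped inbound attempts (the kind the article
        # suggests looking at)
        self.log = []

    def is_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def handle(self, pkt: Packet) -> str:
        outbound = self.is_lan(pkt.src_ip) and not self.is_lan(pkt.dst_ip)
        inbound = not self.is_lan(pkt.src_ip) and self.is_lan(pkt.dst_ip)
        if outbound:
            # The PC initiated this; remember it so the reply is allowed back.
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        if inbound:
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if key in self.flows:
                # A reply to something the PC asked for: the firewall does not
                # look at what is inside, so a malicious download passes too.
                return "ALLOW"
            self.log.append(
                f"DROP inbound {pkt.src_ip}:{pkt.src_port} -> "
                f"{pkt.dst_ip}:{pkt.dst_port}"
            )
            return "DROP"
        return "ALLOW"  # LAN-to-LAN traffic is not the router's concern here


def run_scenario():
    """Replay four constructed packets through the model and return the
    verdicts plus the router log."""
    fw = StatefulFirewall("192.168.1.")
    pc, site, stranger = "192.168.1.10", "198.51.100.7", "203.0.113.9"
    verdicts = {}
    # 1. An internet host tries to open a connection to the PC on its own:
    #    this is the internet-initiated case the firewall exists to stop.
    verdicts["unsolicited_inbound"] = fw.handle(Packet(stranger, 40000, pc, 445))
    # 2. The browser on the PC requests a page from a site: allowed and
    #    remembered as a flow.
    verdicts["outbound_request"] = fw.handle(Packet(pc, 51000, site, 443))
    # 3. The site's reply (page, image, or a malicious download) comes back
    #    on that flow: allowed, contents unexamined.
    verdicts["reply_to_request"] = fw.handle(Packet(site, 443, pc, 51000))
    # 4. A different host tries to ride the same port without being asked:
    #    not a remembered flow, so it is dropped.
    verdicts["unrelated_inbound"] = fw.handle(Packet(stranger, 443, pc, 51000))
    return verdicts, fw.log


if __name__ == "__main__":
    results, log = run_scenario()
    for name, verdict in results.items():
        print(f"{name:20s} {verdict}")
    print("\n".join(log))
```

Run it and the two inbound attempts that nobody on the LAN asked for show up as DROP entries in the log, while the requested download is waved through. That second outcome is what anti-malware real-time scanning, not the firewall, is supposed to catch.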
Scanning downloads in real time
What anti-malware tools like Microsoft Security Essentials (MSE) usually do is try to scan things as they download. This is called “real-time scanning.”
That can be problematic for a couple of reasons. The biggest is that the tool has to insert itself into the download process without adversely affecting the download: it has to scan every file being downloaded by an app that was never designed to have an outside process monitor its work, and do so without breaking that app.
I can think of several techniques, but they all have their pros and cons.
Because of this, there’s one surprising piece of advice that I sometimes give.
Turn off real-time scanning.
I only give this advice after it’s determined or suspected that the anti-malware tool is indeed interfering with the user’s web-browsing experience or their email downloads.
In general, real-time scanning should probably be turned on as long as it’s not causing a problem.
Hence, step one is to make sure real-time scanning is on. (It’s in MSE’s Settings page.)
The race (or why MSE might have missed it)
Malware can still slip through for several reasons.
- It’s a race in real time. Some scanning techniques do not insert themselves into the download process, but rather run alongside it. The download isn’t intercepted at all, but rather after (or perhaps as) the file is downloaded, the anti-malware tool scans it separately. That implies that the scan-and-quarantine process has to be faster than the download-and-run. If the download-and-run (for whatever “run” might mean) happens too quickly, then the scan may not complete in time and may not detect malware until after the infection occurs.
- It’s a race in calendar time. New malware appears every day; more importantly, new variants of malware appear every day. If the database of known malware for the anti-virus tool hasn’t been recently updated to include the latest, then it may not even know that it should be looking for a particular recent variant. Hence, frequent updates are a must – daily at a minimum. I believe that’s the MSE default.
- It’s a race between vendors. This is harder to comprehend, or at least to explain away, but not all anti-malware tools catch all malware. There are things that MSE catches that others do not. There are things that others catch that MSE doesn’t. It’s confusing, but it is what it is.
If you can’t run real time or if real time might miss things, what hope is there?
First, that’s what scheduled scans do. They look for whatever malware has made it onto your machine and clean it up after the fact. It’s less than ideal, but it’s more reliable and significantly better than nothing.
Second, there’s still no substitute for good user behavior. Many people get infected because they are visiting sites that are massive nests of malware just waiting to be downloaded and run. Surprisingly, people do download and run these programs and then they’re shocked when they get infected. Or they intentionally sidestep security measures because they desperately want to see whatever it is that the malware providers have promised (e.g., the “Dancing Bunnies” problem).
Sometimes, it’s not directly your fault.
As you mentioned, your wife may not have even clicked on a link. A malicious website or worse – a hacked website – can target known vulnerabilities in the software installed on your machine from the moment you visit.
This is why it’s so important to keep your software up-to-date to remove those known vulnerabilities that malware authors can exploit.
This is also why it’s sometimes important to remove software that you don’t need or use. Java is an excellent example. When its vulnerabilities are exploited, a malicious web page can infect your machine without you having done anything but visit the page.
One silver bullet
There is one important thing that you can do that can essentially save you from anything.
I back up like crazy.
The easiest and often the quickest way to get rid of malware is to restore your machine to the most recent backup image taken prior to the infection.
That presumes that you back up regularly. On my primary desktop and my laptop, I do. I back up the systems daily and much of the data that I’m working on is almost constantly being backed up in some way. Other machines, I’ve simply declared as “sacrificial,” but they’re dedicated purpose machines and not as at risk from user activity.
So … back up: everything, early and often.