Malware

Practices

• Delete suspicious emails with attachments: Attachments are the main way malware gets onto your computer. Attachments include office document files (e.g., with .doc or .xls suffixes), program files (e.g., with .exe or .bat suffixes), and compressed files (e.g., with .zip suffixes), all of which can contain malware. The CERT Coordination Center advises users to apply the so-called "KRESV" test to detect suspicious emails. KRESV stands for:

  • Know: Do you know the sender?
  • Received: Have you received email from the sender before?
  • Expect: Are you expecting the e-mail?
  • Sense: Do the subject header and attachment name make sense?
  • Virus: Does it contain a virus? You will need antivirus software to check this.

  If an email with attachments fails any of these tests, delete it. If you know the sender, contact him or her to make sure that the message is legitimate.

• Download anti-virus updates: Installing anti-virus software is the first step towards protecting yourself against viruses (see Tools below). But for this software to do its job, you must keep it up to date with information on the latest viruses. New viruses are constantly being created. Anti-virus software vendors try to keep up with these new viruses by issuing virus signature updates and making them available online. Falling behind on updates can allow a new virus to slip through without being detected by the anti-virus software. Most anti-virus software has an option for automatic updates or notification of update availability.

• Conduct regular anti-virus scans: Be sure to scan all files that you have received from other people. All major anti-virus software can be set to automatically scan files when they are transferred, but it's a good idea to also scan your computer manually on a regular basis. You should do this at least once every two weeks, or when you suspect a problem.

• Conduct regular spyware removal scans: You can scan your computer manually, or you can set commercial anti-spyware software to scan your computer periodically for you. If your software has this ability, set it to scan at least once every two weeks. To scan for spyware manually (using Spybot as an example):

  1. Open the Spybot application and look for the navigation bar on the left side of the program.
  2. Click on Spybot-S&D to go to the main page. You will see an empty list and a toolbar at the bottom.
  3. Click the first button in this toolbar labeled Check for problems. After the scan is finished, the list will be populated with threats.
  4. Select all the threats and click the button labeled Fix selected problems.

• Only perform file transfers from trusted sources: This reduces your risk of downloading files infected with malware and introduces accountability, so that you have a better chance of getting a response if you do have a problem.
• Scan all files that you receive through file transfer: It is a good idea to scan the files that you receive from P2P networks with your anti-virus software to detect malware. This may slow down the transfer, but it will help keep your computer safe.
• Avoid clicking on links: Links are commonly used in community applications, especially with instant messaging. Be aware that these links may actually download malware onto your computer.
• Perform frequent backups: Save your important data on a regular basis so that you can recover from a malware attack or intrusion. Thumb drives, CDs, and DVDs are good storage and transport media for large amounts of data. If possible, store your backup media in different location from the computer itself to keep them from both being destroyed in a fire or other disaster.

• Don’t open digital files on your computer if you are not sure about the source: If you don't recognize a file, don’t double-click on the file to see what it is. By doing so, you may activate a virus in your computer.

• Do not run macros from digital documents that you don’t know the source of: Some MS Office documents have applications called macros embedded in them. Most complex Excel files, for example, use macros to dynamically implement charts and graphs. You must be careful when opening files with macros, because they can sometimes contain viruses. You can set Microsoft Word to ask you before you open a file if you want to run the macro application or not (see Settings below). MS Office documents containing macros will ask you for permission to run the macros, as shown in the figure below. Only enable macros if you know the source of a document and you know that the document contains macros.

  

Settings

• Set your anti-virus package for "Real-time Protection": Anti-virus software should provide the option of real-time protection, which means that it actively checks files that come into your system while you work. Although this might not be necessary for mobile devices, it does lower your chances of contracting a computer virus, so check if your brand supports this configuration. If it does, activate it.

• Set your anti-virus package for the types of files you want it to check: To set the types of files the anti-virus software will check, click on Start, then Programs, and start your anti-virus package. Usually, the program gives you the option of choosing between a few scanning methods. Symantec, for example, offers:

  • Scanning all files: All files on the computer will be checked regardless of the extension or file type.
  • Scanning by file type: The package will check all files of the chosen type, regardless of the potentially deceptive file extension. This is especially important in catching files with a double ending such as ".gif.doc".
  • Scanning by file extension: This scan is the fastest, since only files with the chosen extension will be checked.

  If you have a different brand of antivirus software, consult the manual for instructions on how to configure the settings for real-time scanning and scanning method.

• Set your anti-virus software to make scheduled automatic scans: All major anti-virus packages offer the possibility to set scheduled full scans for viruses and malware. So, for example, every Friday night at 9:00 the anti-virus software will search for viruses and malware installed in the computer. Consult your anti-virus software's manual for more information on how to set this feature.

• Set your web browser security level to Medium or High: Your browser's security level setting determines how much active content it allows. Internet Explorer has pre-defined "Default Level" security levels to choose from. You may also customize these Default Level security settings, which is more involved than simply selecting a Default Level.

  To set a pre-defined Default Level:

  1. In Internet Explorer, click on Tools > Internet Options.
  2. Select the Security tab and click the Default Level button.
  3. Make sure the Internet zone (globe icon) is selected in the window, and move the slider to Medium-High or High. Click Apply.

  Note the differences between the settings:

  • The Medium security setting generally allows active content. The browser will run programs, sometimes only after prompting you, that perform animations, allow the browser to read documents in various formats, and otherwise improve your browsing experience. However, this also allows these programs to possibly introduce malicious or unwanted code or files to your computer.
  • The High security setting prevents active content entirely. While this gives your computer better protection from malware, it may prevent you from viewing content on many Web sites.

• Configure MS Word security settings: The latest versions of Microsoft Office (Word, Excel and PowerPoint versions 2000 and later) allow you to configure security settings for running macros. The recommended security setting, High, only allows "signed" macros to be run. Signed macros are digitally signed, which means they have a mechanism that confirms that the macro originated from the signer, and that it has not been altered. To set this in MS Word:

  1. Go to Tools > Macro > Security.

     

  2. Select "High" for strong security. Alternatively, you can select "Very High," which allows no macros to run. This is a good idea if you don’t use macros at all.

     

• Set your firewall to filter the appropriate ports: Make sure your firewall is filtering the ports that correspond to the applications you use. For example, if you download files using FTP, you need to open and filter port TCP-21. If you use your computer as a public server, set filtering inbound as well. Make sure to always deny unused ports and allow regular traffic, not the other way around.

• Disconnect from the network if you have any security concerns: There are two ways to disconnect from a network. The first way is to shut your computer down entirely. The second way is to disable the network interface card on your computer.

  1. To do this in Windows, go to the Control Panel (Start > Settings > Control Panel) and double click on Network and Dial-Up Connections.

     

  2. Select the name of the network interface that connects your computer to the Internet. It is usually labeled Wireless or Local Area Network.
  3. Right click on it, and select "Disable." When you disable the interface, the icon will turn a light gray color.

     

  4. When you want to reconnect to the Internet, return to the interface icon, right click on it, and select "Enable."

Tools

• Anti-virus software: The popularity of the Microsoft Windows operating system makes it a prime target for hackers and other virus writers, so anti-virus software is crucial for users of this system. Anti-virus software works by identifying files that match definitions of known viruses and keeping them from infecting the system. Make sure that your virus definitions are kept up to date by automatically or manually downloading them from your software manufacturer's Web site. Do not install more than one anti-virus program because incompatibility issues between the programs may end up leaving your system unprotected.

  Two popular anti-virus packages are Symantec’s Norton AntiVirus  and McAfee AntiVirus . AVG , AntiVir  and ClamWin  are free alternatives. The major anti-virus programs, such as Symantec and McAfee, can protect against worms and Trojan horses as well as viruses.

  PDA and mobile phone anti-virus applications normally interact with the full version on a PC and hold fewer virus definitions. New virus updates are automatically transferred from your desktop computer each time you synchronize your PDA. Therefore it is important to keep your desktop computer's anti-virus software updated and synchronize your PDA regularly. Some commonly used anti-virus packages are Trend Micro's PC-cillin for Wireless  and Symantec AntiVirus for Windows Mobile .

• Firewall: A firewall is like a security guard for your computer that monitors the traffic into and out of your computer. A firewall is your first line of defense against intrusions, especially Trojan horses. One popular firewall is Symantec's Norton Personal Firewall . The Windows operating systems such as Windows XP and Windows Vista  include a firewall that is turned on automatically. This built-in firewall is described in more detail on the Microsoft site .

• Malware removal applications: Malware removal applications can remove viruses and other harmful programs that might have been installed in your computer without your knowledge. There are many commercial and free malware removal applications, including Spybot , Ad-Aware , and Pest Patrol . They are designed to remove spyware, pop-up ads, and malware that traditional anti-virus packages don't remove completely.

• Spyware removal applications: Anti-virus applications generally do not rid your machine of spyware, but there are many commercial and free spyware removal tools available. Some examples are Spybot - Search & Destroy , Ad-Aware , Pest Patrol , and Microsoft Windows Defender . Make sure that you find a legitimate spyware-removal application, since some products touted as anti-spyware applications are ineffective or actually install spyware and adware on your machine. Spyware Warrior  can point you to some good applications and tell you which applications to avoid.

• Rootkit detection software: Rootkits cannot be detected by ordinary anti-virus programs because they are very good at hiding themselves. You need special software to detect rootkits, such as RootkitRevealer  by SysInternals and F-Secure Blacklight .