Answers to common security questions - Best Practices

Best Practices for Safe Computing - Prevention of Malware Infection

Common sense, Good Security Habits and safe surfing is essential to protecting yourself from malware infection. No amount of security software is going to defend against today's sophisticated malware writers for those who do not practice these principles and stay informed. Knowledge and the ability to use it is the best defensive tool anyone could have. This includes educating yourself as to the most common ways malware is contracted and spread as well as prevention.

• Simple and easy ways to keep your computer safe and secure on the Internet

Important Fact: It has been proven time and again that the user is a more substantial factor (weakest link) in security than the architecture of the operating system or installed protection software.

• End Users Remain Biggest Security Headache as Compromised Endpoints Increase
• Studies prove once again that users are the weakest link in the security chain
• Social Engineering: Attacking the Weakest Link in the Security Chain
• Social media platforms...a hotbed of cyber criminal activity
• Millions of users open spam emails, click on links

Therefore, security begins with personal responsibility.
 
Tips to protect yourself against malware infection:

Keep Windows and Internet Explorer current with all security updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. When necessary, Microsoft releases security updates on the second Tuesday of each month and publishes Security update bulletins to announce and describe the update. If you're not sure how to install updates, please refer to How To Access Windows Update.

Avoid pirated software (warez), cracking tools, and keygens. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. In some instances an infection may cause so much damage to your system that recovery is not possible and the only option is to wipe your drive, reformat and reinstall the OS.

Avoid peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, Kontiki, BitTorrent, BitComet, uTorrent, BitLord, BearShare). They too are a security risk which can make your computer susceptible to malware infections. File sharing networks are thoroughly infested with malware according to security firm Norman ASA and many of them are unsafe to visit or use. Malicious worms, backdoor Trojans, IRCBots, Botnets, and rootkits spread across P2P file sharing networks, gaming and underground sites. Users visiting such sites may encounter innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. If you must use file sharing, scan your downloads with anti-virus software before opening them and ensure Windows is configured to show known file extensions.

Avoid Bundled software. Many toolbars, add-ons/plug-ins, browser extensions, screensavers and useless or junk programs like registry cleaners, optimizers, download managers, etc, come bundled with other software (often without the knowledge or consent of the user) and can be the source of various issues and problems to include Adware, pop-up ads browser hijacking which may change your home page/search engine, and cause user profile corruption. Thus, bundled software may be detected and removed by security scanners as a Potentially Unwanted Program (PUP), a very broad threat category which can encompass any number of different programs to include those which are benign as well as problematic. Since the downloading of bundled software sometimes occurs without your knowledge, folks are often left scratching their heads and asking "how did this get on my computer." Even if advised of a toolbar or Add-on, many folks do not know that it is optional and not necessary to install in order to operate the program. If you install bundled software too fast, you most likely will miss the "opt out" option and end up with software you do not want or need. The best practice is to take your time during installation of any program and read everything before clicking that "Install" or "Next" button. Even then, in some cases, this opting out does not always seem to work as intended.
 
Beware of Rogue Security software and crypto ransomware as they are some of the most common sources of malware infection. They spread malware via a variety of common vectors...opening a malicious or spam email attachment, executing a malcious file, web exploits, exploit kits, malvertising campaigns, non-malware (fileless) attacks, drive-by downloads, social engineering, scams and RDP bruteforce attacks against servers particularly by those involved with the development and spread of ransomware.

• Anatomy of a ransomware attack
• Spotlight on Ransomware: Common infection methods
• Spotlight on Ransomware: How ransomware works
• RDP brute force based attacks are on the rise

The best defensive strategy to protect yourself from malware and ransomware (crypto malware) infections is a comprehensive approach to include prevention. Make sure you are running an updated anti-virus and anti-malware product, update all vulnerable software, use supplemental security tools with anti-exploitation features capable of stopping (preventing) infection before it can cause any damage, disable VSSAdmin.exe, close Remote Desktop Protocol (RDP) if you do not need it and routinely backup your data...then disconnect the external drive when the backup is completed.

• How to Protect and Harden a Computer against Ransomware
• How To Lock Down So Ransomware Doesn't Lock You Out
• SANS Enterprise Survival Guide for Ransomware Attacks
• Ransomware: Best Practices for Prevention and Response
• Ransomware: 7 Defensive Strategies
• How to Strengthen Enterprise Defenses against Ransomware
• Best practices for securing your environment against ransomware
• Ransomware Do's and Dont's: Protecting Critical Data
• How Businesses Can Best Defend Against Ransomware Attacks
• 11 things home users can do to protect against ransomware
• 22 Ransomware Prevention Tips for the home user
• Why Everyone Should disable VSSAdmin.exe Now!

You should also use an Anti-Exploit program to help protect your computer from zero-day attacks and rely on behavior detection programs rather then standard anti-virus definition (signature) detection software only. This means using programs that can detect when malware is in the act of modifying/encrypting files AND stop it rather than just detecting the malicious file itself which in most cases is not immediately detected by anti-virus software.

...Prevention before the fact is the only guaranteed peace of mind on this one.

How do I decrypt files encrypted by ransomware?

Some anti-virus and anti-malware programs include built-in anti-exploitation protection so be sure to familiarize yourself with all their features and settings.

Keeping Autorun enabled on flash drives has become a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer. One in every eight malware attacks occurs via a USB device. Many security experts recommend you disable Autorun as a method of prevention. Microsoft recommends doing the same.
* Microsoft Security Advisory (967940): Update for Windows Autorun
* Microsoft Article ID: 971029: Update to the AutoPlay functionality in Windows

Note: If using Windows 7 and above, be aware that in order to help prevent malware from spreading, the Windows 7 engineering team made important changes and improvements to AutoPlay so that it will no longer support the AutoRun functionality for non-optical removable media.

Always update vulnerable software like browsers, Adobe Reader and Java Runtime Environment (JRE) with the latest security patches. Older versions of these and several other popular programs have vulnerabilities that malicious sites can use to exploit and infect your system.

• Kaspersky Lab report: Evaluating the threat level of software vulnerabilities
• Time to Update Your Adobe Reader
• Adobe Security bulletins and advisories
• Microsoft: Unprecedented Wave of Java Exploitation
• eight out of every 10 Web browsers are vulnerable to attack by exploits

Exploit kits are a type of malicious toolkit used to exploit security holes found in software applications...for the purpose of spreading malware.  These kits come with pre-written exploit code and target users running insecure or outdated software applications on their computers.

Tools of the Trade: Exploit Kits

To help prevent this, install and use a Software Updater to detect vulnerable and out-dated programs/plug-ins which expose your computer to malware infection.

Use strong passwords and change them anytime you encounter a malware infection, especially if the computer was used for online banking, paying bills, has credit card information or other sensitive data on it. This would include any used for taxes, email, eBay, paypal and other online activities. You should consider them to be compromised and change all passwords immediately as a precaution in case an attacker was able to steal your information when the computer was infected. Many of the newer types of malware are designed to steal your private information to include passwords and logins to forums, banks, credit cards and similar sensitive web sites. Always use a different password for each web site you log in to. Never use the same password on different sites. If using a router, you also need to reset it with a strong password.

Don't disable UAC in Windows, Limit user privileges, remove Admin Rights or use Limited User Accounts AND be sure to turn on file extensions in windows so that you can see extensions. Ransomware disguises .exe files as fake PDF files with a PDF icon inside a .zip file attached to the email. Since Microsoft does not show extensions by default, they look like normal PDF files and people routinely open them. A common tactic of malware writers is to disguise malicious files by hiding the file extension or or by adding double file extensions and/or extra space(s) in the file's name to hide the real extension so be sure you look closely at the full file name as well as the extension.

Know how to recognize Email scams and do not open unsolicited email attachments as they can be dangerous and result in serious malware infection. For example, Zbot/Z-bot (Zeus) is typically installed through opening disguised malicious email attachments which appear to be legitimate correspondence from reputable companies such as banks and Internet providers or UPS or FedEx with tracking numbers.

• Using Caution with Email Attachments
• How to Avoid Getting a Virus Through Email
• Safety tips for handling email attachments

Beware of phony Tech Support Scamming.

Cybercriminals don't just send fraudulent email messages and set up fake websites. They might also call you on the telephone and claim to be from Microsoft. They might offer to help solve your computer problems or sell you a software license...Neither Microsoft nor our partners make unsolicited phone calls (also known as cold calls) to charge you for computer security or software fixes...Do not trust unsolicited calls. Do not provide any personal information.

For more specific information about these types of scams, please read this topic.

Important !!! Allow Windows to show file extensions. Malware can disguise itself by hiding the file extension or by adding double file extensions and/or extra space(s) in the file's name to hide the real extension.  In some cases, you may not see the double extension because file extensions are hidden by default in Windows. If you have chosen the option to unhide file extensions, you still may be fooled if the malware writer named the file with extra spaces before the ".exe" extension. The real extension is hidden because the column width is too narrow to reveal the complete name and the tiny dots in between are nearly invisible.

If you cannot see the file extension, you may need to reconfigure Windows to show known file name extensions.

• 50+ File Extensions That Are Potentially Dangerous on Windows
• How Hackers Can Disguise Malicious Programs With Fake File Extensions
• Why you should set your folder options to “show known file types”

Finally, back up your important data and files on a regular basis. Backing up is among the most important maintenance tasks users should perform on a regular basis, yet it's one of the most neglected areas.  Some infections may render your computer unbootable during or before the disinfection process. Even if you're computer is not infected, backing up is part of best practices in the event of hardware or system failure related to other causes.

• The smartest way to stay unaffected by ransomware? Backup!
• Avoid having your files encrypted by ransomware...Prevention before the fact is the only guaranteed peace of mind on this one.

Backing up Data Resources:

• The Backup Rule of Three
• What’s the Best Way to Back Up My Computer?
• Windows Backup - The essential guide
• How to Backup Your Computer - The Complete Guide
• Computer Backup Options

IMPORTANT!!! When implementing a backup strategy include testing to ensure it works before an emergency arises; routinely check to verify backups are being made and stored properly; and isolate all backups from the network or home computer...if not, you risk ransomware infecting them when it strikes.
 

It is also a good practice to make a disk image with an imaging tool (i.e. Acronis True Image, Drive Image, Ghost, Macrium Reflect, etc.). Disk Imaging allows you to take a complete snapshot (image) of your hard disk which can be used for system recovery in case of a hard disk disaster or malware resistant to disinfection. The image is an exact, byte-by-byte copy of an entire hard drive (partition or logical disk) which can be used to restore your system at a later time to the exact same state the system was when you imaged the disk or partition. Essentially, it will restore the computer to the state it was in when the image was made.

Other Security Resources:

• US-CERT: Safeguarding Your Data
• US-CERT: Good Security Habits
• How to Secure Your Web Browser
• Hardening Windows Security - Part 1 & Part 2
• How to Stop 11 Hidden Security Threats

Simple Ways To Secure Your Privacy:

• The Simplest Security: A Guide To Better Password Practices
• Securing Privacy Part 1: Hardware Issues
• Securing Privacy Part 2: Software Issues
• Securing Privacy Part 3: E-mail Issues
• Securing Privacy Part 4: Internet Issues

Resources to protect your browser, privacy & help prevent browser pop-up ads and scams:

• uBlock Origin for Chrome, Firefox, Edge, Safari, Opera, a general purpose blocker which can block both ads and scripts.
• uBlock for Chromium, Firefox, Safari
• uBlock vs. uBlock Origin: what's the difference?
• AdBlock for Firefox, Chrome, Safari, Internet Explorer, Opera
• Adblock Plus for Chrome, Firefox, Safari, Internet Explorer, Micorosft Edge, Opera, Yandex
• AdBlocker Ultimate for Firefox, Chrome, Safari, Internet Explorer, Yandex
• Adfinder for Internet Explorer
• Adguard for Chrome, Firefox, Safari, Internet Explorer, Micorosft Edge, Opera
• Malwarebytes Add-on, an extension which provides malware, scam, advertising/tracker and clickbait protection.
• HTTPS Everywhere, an extension that encrypts your communications, making your browsing more secure.
• Fraudscore for Firefox
• NoScript - NoScript FAQs
• ScriptSafe for Chrome
• Privacy Badger for Firefox, Chrome, Opera
• Ghostery for Firefox, Chrome, Safari, Internet Explorer, Opera, a tool which allows you to block beacons, trackers, advertising, analytics, widgets and cookies.
• SpywareBlaster Free...see here for detailed information..

 
Other topics discussed in this thread:

• Choosing an Anti-Virus Program
• Safe Steps for Replacing your Anti-virus - Why should you use Antivirus software?
• Supplementing your Anti-Virus Program with Anti-Malware Tools
• Choosing a Firewall
• Glossary of Malware Related Terms
• Why you should not use Registry Cleaners and Optimization Tools
• I have been hacked...What should I do? - How Do I Handle Identify Theft, Scams and Internet Fraud
• About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs)
• About In-text advertising: Text Enhanced Ads & How to remove Them
• File Sharing (P2P), Keygens, Cracks, Keygens, Cracks, Warez, and Pirated Software are a Security Risk
• There are no guarantees or shortcuts when it comes to malware removal - When should I reformat?
• Beware of Phony Emails &Tech Support Scams
• Best Defensive Strategy against ransomware (crypto malware)

.

Updated: 10/26/18

Choosing an Anti-Virus Program

Choosing an anti-virus is a matter of personal preference, your needs, your technical ability and experience, features offered, user friendliness, ease of updating (and upgrading to new program release), ease of installation/removal, availability of quality/prompt technical support from the vendor and price. Other factors to consider include detection rates and methods, scanning engine effectiveness, how often virus definitions are updated, the amount of resources the program utilizes, how it may affect system performance and what will work best for your system. A particular anti-virus that works well for one person may not work as well for another. There is no universal "one size fits all" solution that works for everyone and there is no single best anti-virus.

• Consumer Reports: Antivirus Software Buying Guide
• SANS Institute Choosing Your Anti-virus Software

No single product is 100% foolproof and can prevent, detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear and it takes time for them to be reported, samples collected, analyzed, and tested by anti-virus vendors before they can add a new threat to database definitions. Further, if you're dealing with zero-day malware it's unlikely the anti-virus is going to detect anything. Malware writers have the advantage since no matter how hard security vendors attempt to stay on top of new threats, there is always a short time-frame in which a new malicious file goes undetected and can infect a computer without detection. Just because one anti-virus or anti-malware scanner detected threats that another missed, does not mean its more effective.

Every security vendor's lab uses different scanning engines and different detection methods. Each has its own strengths and weaknesses and they often use a mix of technologies to detect and remove malware. Scanning engines may use Heuristic Analysis, Behavioral Analysis, Sandboxing and Signature file detection (containing the binary patterns of known virus signatures) which can account for discrepancies in scanning outcomes. Depending on how often the anti-virus or anti-malware database is updated can also account for differences in threat detections. Further, each vendor has its own definition (naming standards) of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another.

Security is all about layers and not depending on any one solution, technology or approach to detect and prevent the latest threats from cyber-criminals. The most important layer is you...the first and last line of defense. Thus, a multi-layered defense using an anti-malware and anti-exploit solution to supplement your anti-virus combined with common sense and following Best Practices for Safe Computing provides the most complete protection.

Free Antivirus programs:

• Kaspersky Free Antivirus
• Bitdefender Antivirus Free Edition
• Sophos Home Free Antivirus
• Panda Dome Free Antivirus
• Avira Free Anti-virus
• avast! Free Antivirus
• AVG Antivirus Free Edition
• Ad-Aware Free Antivirus
• Comodo Free Antivirus
• Microsoft Security Essentials
• Windows 8/10 Defender - Windows Defender Antivirus

-- Many anti-virus vendors are bundling toolbars and other software with their products as a cost recoup measure. In fact, all free Anti-virus programs now come with toolbars or other bundled software except Sophos Home, Microsoft Security Essentials and Windows 8/10 Defender.

• Beware: Free Antivirus Isn’t Really Free Anymore
• Has the antivirus industry gone mad?!

If pre-checked by default that means you need to uncheck that option during installation if you don't want it. This practice is now the most common revenue generator for free downloads by many legitimate vendors and is typically the reason for the pre-checked option.

.

Note for Windows 8/10 users: 

Windows 8 and Windows 10 integrates a more robust version of Windows Defender (and uses that name) for its anti-virus and anti-malware protection. Windows 8/10 Defender provides the same level of protection against malware as Microsoft Security Essentials (MSE) provides on older operation systems plus enhanced protection against rootkits and bootkits. Windows 10 Defender is just as good as any other free antivirus solution (and probably easier to use for the novice) without bundled toolbars or nagging popups.

• Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Windows Defender Antivirus.
• Always-on scanning, using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
• Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.

Windows 10 Anniversary update introduced Limited Periodic Scanning which allows you to also use a third party anti-virus program as your primary protection. Starting with Windows 10 Creators Update, Windows Defender is called Windows Defender Antivirus...it includes always-on protection which consists of real-time protection, behavior monitoring and heuristics to identify and block malware based on known suspicious and malicious activity.

• Windows Defender Antivirus compatibility with third-party antivirus
• What's new in Windows Defender for Windows 10 Creators Update
• What's new in Windows Defender for Windows 10 Anniversary Update
• How to Use the Built-in Windows Defender Antivirus on Windows 10

Starting with Windows 10 Fall Creators Update, Windows Defender Antivirus includes Exploit Guard which has four components of new intrusion prevention capabilities designed to lock down a system against various attack vectors and block behaviors commonly used in malware attacks before any damage can be done. Windows Defender EG is intended to replace Microsoft’s EMET which was confusing to novice users and allowed hackers to bypass because the mitigations were not durable and often caused operating system and application stability issues as explained here. "Controlled Folder Access" Anti-Ransomware is a feature that allows you to protect files in certain folders to that they cannot be modified by unknown applications. This protects the files within these folders from being encrypted by a ransomware infection. In Windows 10 Spring Creators Update, Microsoft has added a dedicated Ransomware Protection section in the Windows Defender Security Center under the "Virus & threat protection" settings.

• What’s new in Windows 10 Fall Creators Update
• Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware
• Windows Defender Exploit Guard (Windows Defender EG)
• Stopping ransomware where it counts: Protecting your data with Controlled folder access
• How Windows Defender’s Exploit Protection Works

What's new in Windows 10 Spring Creators Update (version 1803)

• The Block at First Sight feature can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
• The Virus & threat protection area in the Windows Defender Security Center now includes a section for Ransomware protection. It includes Controlled folder access settings and Ransomware recovery settings.

Note for Windows XP users: Forced to use Windows XP...Ditch the Free AV - Get a Paid Solution

 
If looking for a paid for program, I generally recommend ESET NOD32 Anti-Virus or Emsisoft Anti-Malware as they leave a small footprint...meaning they are not intrusive and do not utilize a lot of system resources. Kaspersky Anti-virus is also a good choice for the same reason.

ESET Antivirus and Smart Security uses multiple layers of technologies which includes a Host-based Intrusion Prevention System (HIPS) to monitor system activity with a pre-defined set of rules (Advanced Memory Scanner) to recognize suspicious system behavior. When this type of activity is identified, HIPS stops the offending program from carrying out potentially harmful activity. ESET's enhanced Botnet Protection module blocks communication between ransomware and Command and Control (C&C) servers. ESET's Exploit Blocker is designed to fortify applications that are often exploited (i.e. web browsers, PDF readers, email clients, MS Office components). This feature monitors the behavior of processes, looks for and blocks suspicious activities that are typical for exploits including zero-day attacks. ESET's Java Exploit Blocker looks for and blocks attempts to exploit vulnerabilities in Java. ESET Antivirus (and Smart Security) also includes [script-based attack protection which protects against javascript in web browsers and Antimalware Scan Interface (AMSI) protection against scripts that try to exploit Windows PowerShell.

• ESET Antivirus Technology and Features
• ESET Technology and Overview
• ESET’S Multi-Layered Approach to Security
• Advanced Memory Scanner, Exploit Blocker. enhanced Botnet Protection module
• What is HIPS (Host-based Intrusion Prevention System) in ESET Smart Security/NOD32 Antivirus?

Emsisoft Anti-Malware is an antivirus platform that includes anti-malware protection. Emsisoft uses two scanning engines, combining its technology with Bitdefender Anti-Virus and three security levels (or layers) of protection to prevent the installation of malware and stop malicious processes before they can infect your computer. These layers consist of surf protection, a dual-engine file guard, and advanced behavior blocking analysis which is extremely difficult to penetrate. Emsisoft’s Behavior Blocker continually monitors the behavior of all active programs looking for any anomalies that may be indicative of malicious activity and raises an alert as soon as something suspicious occurs. This advanced behavior blocking technology is able to detect unknown zero-day attacks, file-less malware that resides only in memory, zombies (the hijacking of host processes to load malicious code which execute via script parser programs), and file-encrypting malware (ransomware) attacks.

Emsisoft utilizes live cloud-verification for superior detection and removal of malware infections effectively. Despite it's name, Emsisoft Anti-Malware is an antii-virus program...see Emsisoft FAQs: Why is it called "Anti-Malware" and not "Antivirus"?. Emsisoft includes a malware removal guarantee and personal assistance in emergency situations. Starting with version 2017.8, Emsisoft merged Emsisoft Internet Security with Emsisoft Anti-Malware and now relies on the built-in Windows Firewall and their Firewall Fortification feature which blocks illegitimate manipulations of Windows Firewall rules to ensure its settings can’t be manipulated by malware from the inside. The free version of Emsisoft Anti-Malware does not include real-time protection in its freeware mode...it is a on-demand cleaner only.

• An in-depth look at the Emsisoft scanner technology
• Emsisoft’s dual-engine scanner Behind the scenes
• Why is layered malware protection important? Surf Protection
• Emsisoft’s Behavior Blocker
• New in 2017.5: Emsisoft Anti-Ransomware
• Emsisoft and Windows Firewall: Your questions, answered

Note: By default Emsisoft Anti-Malware installs as a free fully functional 30-day trial version with real-time protection. After the trial period expires you can either choose to buy a full version license or continue to use it in limited freeware mode which still allows you to scan and clean infections. The freeware mode no longer provides any real-time protection to guard against new infections. Once the trial period expires nothing really changes except that the options to activate real-time protection are no longer available without purchasing the full version.

Are Emsisoft products fully compatible with other security products?

No. Emsisoft products were originally designed to complement antivirus and firewall software. Today this is no longer the case, with Emsisoft now providing a full replacement for any antivirus and/or firewall software. As such, some of Emsisoft's protection modules are not compatible with other antivirus software. Emsisoft Anti-Malware is a complete anti-malware and anti-virus solution and offers solid protection. Emsisoft Internet Security also includes these features, but with the addition of a firewall for comprehensive protection of your computer.

ESET and Emsisoft Anti-Malware also have the added advantage of warning/detecting the installation of most Potentially Unwanted Programs (PUPs) (such as adware, spyware, unwanted toolbars, browser hijackers) if you enable that feature.
.
 

IMPORTANT NOTE: Using more than one anti-virus program with real-time protection  simultaneously is not advisable...it can cause conflicts, slow down computer performance and cause other issues except for Limited Periodic Scanning in Windows 10 Anniversary Update, Windows 10 Creators Update and Windows Defender Antivirus on Windows 10 which is intended to offer an additional line of defense to your existing anti-virus program’s real-time protection. This feature allows you to run occasional scans with Windows Defender without conflicting with a third-party anti-virus. When enabled, Windows 10 will use the Windows Defender scanning engine to periodically scan your computer (or allow you to schedule scans) for threats and remove them. The Limited Periodic Scanning feature is intended to offer an additional line of defense to your existing anti-virus program’s real-time protection. Windows 10 will use the Windows Defender scanning engine to periodically scan your computer (or allow you to schedule scans) for threats and remove them.

• Limited Periodic Scanning in Windows 10 to Provide Additional Malware Protection
• Windows 10 Limited Periodic Scanning explained

Even if one of the anti-virus programs is disabled for use as a stand-alone on demand scanner, it can still affect the other and cause conflicts. Anti-virus software components insert themselves deep into the operating systems core where they install kernel mode drivers that load at boot-up regardless of whether real-time protection is enabled or not. Thus, using multiple anti-virus solutions can result in kernel mode conflicts causing system instability, catastrophic crashes, slow performance and waste vital system resources. When actively running in the background while connected to the Internet, each anti-virus may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

When scanning engines are initiated, each anti-virus may interpret the activity of the other as suspicious behavior and there is a greater chance of them alerting you to a "false positive". If one finds a virus or a suspicious file and then the other also finds the same, both programs will be competing over exclusive rights on dealing with that threat. Each anti-virus may attempt to remove the offending file and quarantine it at the same time resulting in a resource management issue as to which program gets permission to act first. If one anit-virus finds and quarantines the file before the other one does, then you may encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a threat has been found after it has already been neutralized.

Anti-virus scanners use virus definitions to check for malware and these can include a fragment of the virus code which may be recognized by other anti-virus programs as the virus itself. Because of this, many anti-virus vendors encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. Other vendors do not encrypt their definitions and they can trigger false alarms when detected by the resident anti-virus. Further, dual installation is not always possible because most of the newer anti-virus programs will detect the presence of another and may insist that it be removed prior to installation. If the installation does complete with another anti-virus already installed, you may encounter issues like system freezing, unresponsiveness or similar symptoms as described above while trying to use it. In some cases, one of the anti-virus programs may even get disabled by the other.

To avoid these problems, use only one anti-virus solution. Deciding which one to remove is your choice. Be aware that you may lose your subscription to that anti-virus program's virus definitions once you uninstall that software.

Microsoft and major Anti-virus vendors recommend that you install and run only one anti-virus program at a time.

You don’t need to install more than one antivirus program. In fact, running more than one antivirus program at the same time can cause conflicts and errors that make your antivirus protection less effective or not effective at all.

Microsoft: Do not install more than one antivirus program

• Kaspersky: Why Using Multiple Antivirus Programs is a Bad Idea
• Emsisoft's statement
• Symantec's statement
• Bitdefender's statement
• AVG's statement
• Microsoft Security Essentials statement <- click Details

Edited by quietman7, 16 July 2018 - 05:59 AM.

Safe Steps for Replacing your Anti-virus

IMPORTANT: Before removing (or reinstalling) your existing anti-virus, you should download and save the setup file for the anti-virus you are going to replace it with. Also download any specialized removal tools available from the vendor for your current anti-virus in case you need them. If is not uncommon for some anti-virus programs to not completely uninstall itself using the usual method of Apps & features in Windows 10 or Programs and Features (Add/Remove Programs) in Control Panel. Sometimes the uninstall will work more effectively if you first stop and disable the antivirus' service or perform the removal in safe mode.

Revo Uninstaller Free or Portable is an alternative to Programs and Features or Add/Remove Programs. Revo provides a listing of all installed software by installation date and when removing a program, it does a more comprehensive job of searching for and removing related registry entries, files and folders. Just follow these instructions...How to use Revo Uninstaller.

Note: If you already attempted to remove the program and failed, use Revo Uninstaller Pro (free for 30 days) which has an audit feature you can enable in order to track all changes made during the install.

In many cases anti-virus vendors also provide clean-up utilities or removal tools on their web sites to remove remnants left behind after uninstalling or for a failed uninstall so always check there first. It's best to download directly from the vendor's site to ensure you are using the most current version of the uninstall utility as it is not uncommon for third-party hosting sites to have outdated versions which may not work properly.

Comprehensive List of Uninstallers and Removal Tools for Antivirus Software

• Microsoft Wiki: List of anti-malware product removal tools by Stephen Boots, MVP
• ESET: List of Uninstallers (removal tools) for common antivirus software
• Bitdefender: Removal tools (uninstall tools) for common antivirus software
• SingularLabs: Uninstallers – Security Software
• Antivirus removal tools
• Comprehensive List of 26 Uninstallers and Removal Tools for Internet Security and Antivirus Software

Summary of steps to replace an existing anti-virus

• Before removing your old anti-virus, download and save the setup file for the anti-virus you are going to replace it with (unless you plan on activating and using Windows 8 Defender.
• Download any specialized removal tools available from the anti-virus vendor for your current anti-virus in case you need them.
• Disconnect from the Internet.
• Uninstall your current anti-virus following vendor's instructions - sometimes uninstalling in safe mode works better.
• Run the anti-virus vendor's specialized cleanup utility if needed.
• Reboot normally and install the replacement.
• Reboot again if prompted to ensure the anti-virus is working properly before reconnecting to the Internet.
• Connect to the Internet and immediately download the latest definition database updates.

.
 
Why should you use Antivirus software?

Antivirus is crucial, like seat belts or airbags. If you never actually need them, that’s great. But when you do need them, there’s no warning, and they can be the thing that saves you.

Who doesn’t need antivirus?

• Why You Need Antivirus Software
• Do I Really Need Antivirus?
• Do I Need Antivirus Software?
• Antivirus Software and Why I Need It?
• 40 Reasons Why You DON’T Need An Antivirus

Using unprotected computers on the Internet is a security risk to everyone as they are prone to attack from hackers, Botnets, zombie computers and malware infection. Using anti-virus software will help minimize the risk and help to prevent the computer from being used to pass on infections to other machines. When infected and compromised, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, spammers have more platforms from which to send e-mail and more zombies are created to perpetuate the cycle.

How do folks who claim they do not use an anti-virus and never get infected know for certain that their computer is malware free? Many of today's attackers employ advanced techniques which involve sophisticated Botnets, Backdoor Trojans and rootkits to hide their presence on a computer. Without proper security tools including an anti-virus which can detect such malware, you can never be absolutely sure your computer has not been infected.
 

Supplementing your Anti-Virus Program with Anti-Malware Tools

An anti-virus program alone does not provide comprehensive protection and cannot prevent, detect and remove all threats at any given time. Anti-virus software is inherently reactive...meaning it usually finds malware after a computer has been infected. Further, if you're dealing with zero-day malware it's unlikely the anti-virus is going to detect anything. Anti-virus and anti-malware programs each perform different tasks as it relates to computer security and threat detection. Essentially, they look for and remove different types of malicious threats.

In simplistic terms, Anti-virus programs use massive databases with different scanning engines and detection methods to scan for infectious malware which includes viruses, worms, Trojans, rootkis and bots.
Anti-malware programs use smaller databases and generally tend to focus more on adware, spyware, unwanted toolbars, add-ons/plug-ins, browser extensions, browser hijackers, potentially unwanted programs and potentially unsafe applications which are classified differently and do not fall into any of those categories...that is the primary reason some anti-virus programs do not detect or remove them.
Anti-virus and Anti-malware solutions with anti-exploitation features protect against zero-day malware, drive-by downloads, exploits, exploit kits and ransomware.

Therefore, you need both an anti-virus and an effective anti-malware solution with real-time protection for maximum protection. However, there can be some overlap in functionality and detection features depending on the program's scanning engine, how the vendor defines a specific threat and what Malware Naming Standards are used.

• The Difference Between Antivirus and Anti-Malware
• Malware Remover vs. Antivirus Software: What's the Difference?
• Antivirus and Antispyware Software: What's The Difference?
• What Is the Difference Between Antivirus & Antispyware?
• Use an Anti-Exploit Program to Help Protect Your PC From Zero-Day Attacks

Since no single product is 100% foolproof, it is recommended to supplement your anti-virus by using trustworthy security tools with real-time protection and performing routine scans.

• Malwarebytes: How to scan and remove malware from your computer
• Emsisoft Anti-Malware: How to scan and remove malware from your computer
• Zemana AntiMalware: How to run a scan with Zemana AntiMalware Free
• SUPERAntiSpyware: How to use to scan and remove malware from your computer

Just like with anti-virus programs...There is no universal "one size fits all" solution that works for everyone and there is no single best anti-malware. Every security vendor's lab uses different scanning engines and different detection methods. Each has its own strengths and weaknesses and they often use a mix of technologies to detect and remove malware. You may need to experiment and find the one most suitable for your needs.

Note: Using Multiple Anti-Malware products:

As a general rule, using more than one anti-malware program like Malwarebytes, SuperAntispyware, Emsisoft Emergency Kit, Windows Defender in Windows 7 and earlier, Zemana AntiMalware, etc. will not conflict with each other or your anti-virus if using only one of them for real-time protection and the others as stand-alone on demand scanners. In fact, doing so increases your protection coverage without causing the same kind of conflicts or affecting the stability of your system that can occur when using more than one anti-virus. Using different signature databases will aid in detection and removal of more threats when scanning your system for malware.

Security vendors use different scanning engines and different detection methods such as Heuristic Analysis, Behavioral Analysis, Sandboxing and Signature file detection which can account for discrepancies in scanning outcomes. Depending on how often the anti-virus or anti-malware database is updated can also account for differences in threat detections. Further, each vendor has its own definition (naming standards) of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another.

If using multiple anti-malware real-time resident shields together at the same time, there can be conflicts as a result of the overlap in protection. These conflicts are typical when similar applications try to compete for resources and exclusive rights to perform an action. They may identify the activity of each other as suspicious and produce alerts. Further, your anti-virus may detect suspicious activity while anti-malware programs are scanning (reading) files, especially if it uses a heuristic scanning engine, regardless if they are running in real-time or on demand. The anti-virus may even detect as threats, any malware removed by these programs and placed into quarantined areas. This can lead to a repetitive cycle of endless alerts or false alarms that continually warn a threat has been found if the contents of the quarantine folder are not removed before beginning a new security scan. Generally these conflicts are more of an annoyance rather than the significant conflicts which occur when running two anti-virus programs in real time.

List of Free Scan & Disinfection Tools which can be used to supplement your anti-virus and anti-malware or get a second opinion:

• Emsisoft Emergency Kit
• Emsisoft Anti-Malware Free
• Malwarebytes 3.x Free
• Zemana AntiMalware
• RogueKiller Anti-malware
• SUPERAntiSypware Free - SUPERAntiSypware Portable
• AdwCleaner
• Kaspersky Virus Removal Tool
• Sophos Virus Removal Tool
• Panda Cloud Cleaner - How to disinfect computer with Panda Cloud Cleaner
• Dr.Web CureIt
• ESET Rogue Applications (ERA) Remover - How do I use the ESET Rogue Application Remover (ERAR)
• AVZ Antiviral Toolkit by Kaspersky
• Avira PC Cleaner
• Hitman Pro
• SecureAPlus Freemium
• MicroWorld eScan Anti-virus Toolkit (MWAV)
• Microsoft Safety Scanner (MSS aka MSERT)
• Norman Malware Cleaner
• Windows Defender Offline
• botfrei EU-Cleaner
• ClamWin Free Anti-virus - ClamWin Portable
• McAfee Stinger Tool - How to use Stinger
• Trend Micro Fake Anti-virus (FakeAV) Removal Tool
• Trend Micro System Cleaner
• herdProtect Anti-Malware Scanner
• VIPRE Rescue
• List of Anti-virus vendors that offer free LiveCD/Rescue CD utilities

Many of these tools are stand-alone applications contained within zipped files...meaning they require no installation so after extraction, they can be copied to and run from usb drives.

Emsisoft Free Emergency Kit and Kaspersky Virus Removal Tool are two of the more effective scanners recommended for use on a usb drive.

Note: AdwCleaner and JRT are specialized tools which will search for and remove many potentially unwanted programs (PUPs), adware, toolbars, browser hijackers, extensions, add-ons and other junkware as well as related registry entries (values, keys) and remnants. With most Adware/Junkware/PUPs it is strongly recommended to deal with it like a legitimate program and uninstall from Programs and Features (Add/Remove Programs) in the Control Panel or an alternative third party uninstaller like Revo. In many cases, using the uninstaller of the adware not only removes it more effectively, but it also restores many changed configuration settings. After uninstallation, then you can run specialized tools like AdwCleaner and JRT to fix any remaining entries they may find.

Not so Free malware scanning/removal programs:

• Malwarebytes 3.0 Premium
• Zemana AntiMalware Premium
• Emsisoft Anti-Malware
• SecureAPlus Premium

For a list of other recommended security tools (i.e. SpywareBlaster, WinPatrol) and resources, please refer to:

• Bleeping Computer's Freeware Replacements For Common Commercial Apps
• Bleeping Computer's List of Anti-virus, Antimalware, And Antispyware Resources

You can always supplement your anti-virus or get a second opinion by performing an Online Virus Scan.
.
 
Malwarebytes 3.0 combines their previous Anti-Malware, Anti-Exploit, Anti-Ransomware programs along with malicious website protection into one product which is just called "Malwarebytes". It uses a combination of remediation technologies as well as proactive and signature-less technologies which were previously incorporated into their Anti-Exploit and Anti-Ransomware. Malwarebytes 3.0 Premium can be used to replace your existing anti-virus or serve as an adjunct anti-malware solution to strengthen your protection since it lacks some constructs that a traditional anti-virus application employs. The Development Team continues to provide support for those who choose to use a traditional third-party anti-virus solution together with Malwarebytes.

Malwarebytes 3.0 comes in Premium and Free versions which supports all Windows versions from XP to Windows 10. The Premium version includes a real-time Protection Module that uses advanced heuristics scanning technology to monitor your system, prevent access to and from known malicious webpages, and prevent the installation of most new malware, stopping malware distribution at the source. Malicious Website Blocking (IP Protection) is part of the Protection Module and works after it is enabled. When attempting to go to a potential malicious website, Malwarebytes will block the attempt and provide an alert. This technology dynamically blocks malicious webpages & servers, prevents the execution of malware, proactively monitors every process and helps stop malicious processes before they can infect your computer. The free version of Malwarebytes 3.0 does not include real-time protection in its freeware mode...it is a on-demand cleaner only.

• Malwarebytes 3.0 FAQs: New in Malwarebytes 3.0
• Explained: the Malwarebytes Website Protection module
• About Malwarebytes Anti-Malware Malicious Website Blocking

Note: A 14-day trial of Malwarebytes 3.0 Premium is available when first installing so all users can test the real-time protection component for a period of two weeks. When the limited time period expires those features will be deactivated and locked. Enabling the Protection Module and other features again requires registration and purchase of a license key. Malwarebytes has a free mode after the trial expires...it does not provide any real-time protection and therefore, it cannot be used to block or prevent malware infection. If you continue to use the free version, there is no requirement to buy a license...you can just use it as a stand-alone scanner.

Emsisoft Anti-Malware is an antivirus platform that includes anti-malware protection. Emsisoft uses two scanning engines, combining its technology with Bitdefender Anti-Virus and three security levels (or layers) of protection to prevent the installation of malware and stop malicious processes before they can infect your computer. These layers consist of surf protection, a dual-engine file guard, and advanced behavior blocking analysis which is extremely difficult to penetrate.

Emsisoft’s Behavior Blocker continually monitors the behavior of all active programs looking for any anomalies that may be indicative of malicious activity and raises an alert as soon as something suspicious occurs. This advanced behavior blocking technology is able to detect unknown zero-day attacks, file-less malware that resides only in memory, zombies (the hijacking of host processes to load malicious code which execute via script parser programs), and file-encrypting malware (ransomware) attacks.

• Emsisoft Anti-Malware Anti-Ransomware module
• New: Emsisoft Anti-Malware 12 – Keeping you safe from ransomware

Emsisoft utilizes live cloud-verification for superior detection and removal of malware infections effectively. Despite it's name, Emsisoft Anti-Malware is an antii-virus program...see Emsisoft FAQs: Why is it called "Anti-Malware" and not "Antivirus"?. Emsisoft includes a malware removal guarantee and personal assistance in emergency situations. The free version of Emsisoft Anti-Malware does not include real-time protection in its freeware mode...it is a on-demand cleaner only. Emsisoft Internet Security is a complete security suite which combines Emsisoft Anti-Malware with an efficient powerful firewall created using the same core previously found in Emsisoft Online Armor. The rest of the software code is hand·made by the Emsisoft team.

• How Emsisoft Anti-Malware works
• Emsisoft’s dual-engine scanner Behind the scenes
• An in-depth look at the Emsisoft scanner technology
• Emsisoft’s Behavior Blocker
• Emsisoft Anti-Malware User & Configuration Guide

Note: By default Emsisoft Anti-Malware installs as a free fully functional 30-day trial version with real-time protection. After the trial period expires you can either choose to buy a full version license or continue to use it in limited freeware mode which still allows you to scan and clean infections. The freeware mode no longer provides any real-time protection to guard against new infections. However, at any time during the trial enabled period, you can easily turn off all real time protection and just use it as on-demand scanner only. Once the trial period expires nothing really changes except that the options to activate real-time protection are no longer available without purchasing the full version.

Are Emsisoft products fully compatible with other security products?

No. Emsisoft products were originally designed to complement antivirus and firewall software. Today this is no longer the case, with Emsisoft now providing a full replacement for any antivirus and/or firewall software. As such, some of Emsisoft's protection modules are not compatible with other antivirus software. Emsisoft Anti-Malware is a complete anti-malware and anti-virus solution and offers solid protection. Emsisoft Internet Security also includes these features, but with the addition of a firewall for comprehensive protection of your computer.

Edited by quietman7, 30 January 2018 - 04:15 PM.

Choosing a Firewall

Choosing a firewall is a matter of personal preference, your needs, your technical ability/experience, features offered, user friendliness, ease of updating, ease of installation/removal, availability of quality/prompt technical support from the vendor and price. Other factors to consider include effectiveness, the amount of resources it utilizes, how it may affect system performance and what will work best for your system. A particular firewall that works well for one person may not work as well for another. There is no universal "one size fits all" solution that works for everyone. You may need to experiment and find the one most suitable for your use and your system. For more specific information to consider, please read:

• Understanding and Using Firewalls
• HTG Explains: What Firewalls Actually Do
• What’s the point of having a firewall?

There is always the option to use Windows built-in Firewall. Most concerns you may have heard or read about the Windows Firewall were in the XP operating system so many users were advised to use third-party alternatives. Microsoft significantly improved the firewall to address these concerns in Vista and then added more improvements in Windows 7/8.

• 5 Reasons Why the Windows Firewall is One of the Best Firewalls
• Windows Firewall: Your System’s Best Defense
• Why You Don’t Need to Install a Third-Party Firewall (And When You Do)
• Using Windows Firewall with Advanced Security

Windows Vista Firewall offered two-way filtering for better security than it did in XP but it was still limited. The firewall is combined with IPsec, turned on by default and set to a basic configuration that works in tandem with the Windows Service Hardening feature. If the firewall detects activity that it considers prohibited behavior according to the Service Hardenings preset rules, the firewall will block the suspicious activity. Another feature in the Vista firewall is that it can set rules based on three different types of networks using the Rules Wizard so creating firewall rules is much simpler.

By default, most (not all) outbound filtering is turned off (outbound connections are allowed) and inbound filtering is turned on (inbound connections are blocked/not allowed). Why? This is what Microsoft has to say:

Matt Parretta, a former spokesperson for Microsoft's PR agency, Waggener Edstrom, offered this defense: "If we turned on outbound filtering by default for consumers, it forces the user to make a trust decision for every application they run which touches the network. After they upgrade to Windows Vista or purchase a new PC with that OS, they will be prompted on the first launch of every application that touches the network: Instant Messaging, IE, e-mail, Windows Media, iTunes, every self-updating app such as Adobe, and so on. Unless they click 'allow', the app will be broken and won't function properly. The out of box experience would be poor, and they would soon be desensitized to the prompts."

Although most outbound filtering is disabled, Vista’s firewall does provide limited outbound filtering which users may not be aware of as it is essentially invisible.

Jason Leznek, Microsoft senior product manager, told Computerworld that outbound filtering rules "are enabled by default for core Windows services as part of Windows Service Hardening, which enables the firewall to understand specific behaviors Windows services should have, and block them if they are doing something unexpected (ie, via an exploited vulnerability). Windows Firewall also protects the computer by blocking certain outgoing messages to help prevent the computer against certain port scanning attacks."

Outbound filtering can be configured to provide an additional layer of security and it does provide corporate and business administrators control over applications (i.e. peer-to-peer file sharing) they may want to restrict. Any such applications that require outbound access must be added to the rules list by using the firewall with the Advanced Security Microsoft Management Console (MMC). Configuration may be confusing for some and there is no practical way to to configure outbound filtering to stop all unwanted outbound connections. Inbound filtering can be turned on or off and through various tabs and configuration settings.

For more specific information about configuration and security, please refer to these articles:

• Windows Vista Security and Data Protection Improvements
• Understanding Windows Firewall settings
• The Windows Vista Firewall explained
• How to Allow a program to communicate through Windows Firewall
• Netsh Commands for Windows Firewall with Advanced Security

For an independent review read these articles (some include a response by Microsoft regarding outbound filtering as quoted above):

• Review of the Windows Vista Firewall by Arun Kumar, MVP
• Security Blanket: Vista's Outbound Firewall
• Windows Firewall: the best new security feature in Vista?
• Vista Firewall Fails on Outbound Security
• Windows Vista's Firewall

Windows 7 Firewall is similar to Vista and also offers two-way filtering for inbound and outbound traffic. However, Windows 7 adds a few new features in the firewall and related network-safety areas such as separate configuration settings for private (Home or Work) and public networks.

The Vista firewall was built on a new Windows Filtering Platform (WFP) and added the ability to filter outbound traffic via the Advanced Security MMC snap-in. With Windows 7, Microsoft has tweaked the firewall further and made it much more useable, especially on mobile computers, by adding support for multiple active firewall policies.

The Windows 7 Firewall refines the much-improved firewall that was included in Windows Vista, and brings its "hidden" advanced features out into the open. Many users, including some IT professionals, were unaware that you could filter outbound traffic, monitor and otherwise perform advanced configuration tasks for the Vista firewall, because none of that was apparent from the Firewall applet in Control Panel. With Windows 7, Microsoft has created a built-in host firewall that is much more functional than its predecessors and now poses a viable alternative to third party host firewall products.

What's new in the Windows 7 Firewall?

As with Vista, the basic settings for the Windows 7 firewall are accessed via the Control Panel applet. Unlike Vista, you can also access the advanced settings (including configuration of filtering for outbound connections) through the Control Panel instead of having to create an empty MMC and add a snap-in...

The Vista firewall allows you to choose whether you are on a public or private network. With Windows 7, you have three choices - public network, home network or work network. The two latter options are treated as private networks...With All-Network types, by default the Windows 7 firewall blocks connections to programs that are not on the list of allowed programs. Windows 7 allows you to configure the settings for each network type separately,...

What's new in the Windows 7 Firewall?

For information about using the Windows 7 firewall, managing settings, blocking programs from accessing the Internet, opening/closing ports or disabling firewall notifications, please refer to:

• Understanding Windows Firewall settings
• How to Manage the Windows 7 Firewall

For an independent review read:

• Security in Windows 7: Firewall and Networking
• Should You Use Windows Firewall?

Windows 8/10 comes with a built-in firewall that is similar to the one found in Windows 7 and includes more advanced features.

• Using Windows Firewall with Advanced Security

Windows Firewall Tools which can be used to extend the default Windows firewall behavior and used for quick access to define rules and configure the most frequently used options.

• Windows Firewall Control for Windows 10, 8, 7, Vista - alternate download link
• Windows Firewall Notifier for Windows 10, 8, 7, Vista
• Windows 10 Firewall Control - alternate download link
• TinyWall for Windows 8, 7
• Firewall 3.0

IMPORTANT NOTE: Using more than one software firewall on a single computer is not advisable. Why? Using two firewalls could cause issues with connectivity to the Internet or other unexpected behavior. Further, running multiple software firewalls can cause conflicts that are hard to identify and troubleshoot. Only one of the firewalls can receive the packets over the network and process them. Sometimes you may even have a conflict that causes neither firewall to protect your connection. However, you can use a hardware-based firewall (a router) and a software firewall (i.e. Kerio, ZoneAlarm, Comodo, etc) in conjunction.

• The Differences and Features of Hardware & Software Firewalls
• Choosing a Firewall: Hardware v. Software
• What’s the point of having a firewall?
• US-CERT recommends using both hardware and software firewall

Edited by quietman7, 16 May 2018 - 04:55 PM.

Glossary of Malware Related Terms

• What Is the Difference: Viruses, Worms, Trojans, and Bots?
• Common Malware Types: Cybersecurity 101 for beginners
• Dialers, Trojans, Viruses, and Worms Oh My!

What is Malware?
What is Spyware?
What is Adware?
What is Rogue software?
What is a Drive-by download? - Anatomy of a drive-by download web attack
What is an Exploit kit?

What is Ransomware?
Symantec: Ransomware A Growing Menace
TechNet Blogs: The past year has been one of expansion for ransomware
The ascension of Crypto-Ransomware and what you need to know to protect yourself

What is a Spyware Dialer? - Understanding Spyware, Browser Hijackers, and Dialers
What are Potentially Unwanted Programs (PUPS)? - McAfee White Paper: Potentially Unwanted Programs

What is a Worm?
What is a Trojan Horse
What is a Backdoor Trojan? - Backdoors explained
What is a Botnet?
What is an IRCBot?
What is a Backdoor.IRC.Bot
Bots and Botnets — A Growing Threat
What is a Zombie Bot?
What is a Botnet (Zombie Army)?
What is a Clickbot
What is a Remote Access Trojan (RAT)?
What is a Remote Access Trojan (RAT)?

What is a Virus?
What is a File infecting virus?
What is a Boot sector virus?
What is a Polymorphic virus?
What is a Metamorphic virus?
What is a Script (Macro) virus?

Camouflage in Malware: from Encryption to Metamorphism
The Difference Between a Virus, Worm, Trojan Horse and Blended Threats
What is the difference between viruses, worms, and Trojans?
Trojan FAQs: Common Trojans and how they work

What are Alternate Data Streams (ADS)?
What is Spam?
What is a Spambot?
What is a Web Crawler?

What is Whistler Bootkit
What Is A Rootkit?
What danger is presented by rootkits?
Windows Rootkit Overview: User Mode Rootkits/Kernel Mode Rootkits
r00tkit Analysis: What Is A Rootkit

What is a TDSS rootkit?
TDSS: Rootkit technologies from the beginning
TDSS part 1 - TDSS part 2: Ifs and Bots - TDSS part 3: Bootkit on the Other Foot
TDL4 Top Bot: The indestructible botnet
Memory Forging Attempt by a Rootkit: TDL4 variants
Bootkit: the challenge
TDL4 Rootkit Bypasses Windows Code-Signing Protection
TDSS loader has now got legs - a self-propagation mechanism
The Worm, the Rogue DHCP, and TDL4
Stalking TDL4: All Access Pass to the Hard Drive
POPUREB vs. TDL4
TDL4 rebooted and its hidden partition table
A New TDL4 with a Stealthy New Twist: creates hidden partition table

ZeroAccess (Max++) Rootkit:
ZeroAccess rootkit
Olmasco bootkit: next circle of TDL4 evolution
TDL4 Infection Update Win32/Olmasco MAXSS Pihar
ZeroAccess / Max++ / Smiscer Crimeware Rootkit
Dissecting the ZeroAccess Rootkit
MAX++ sets its sights on x64 platforms
ZeroAccess (Max++) Rootkit
ZeroAccess Gets Another Update
ZeroAccess rootkit malware shifts to user-mode
ZeroAccess malware revisited - new version yet more devious

These are .pdf documents with more comprehensive information.
ZeroAccess an advanced kernel mode rootkit
Rooting about in TDSS
The Evolution of TDL: Conquering x64
Defeating x64: The Evolution of the TDL Rootkit
TDL3: The Rootkit of All Evil?
Backdoor.Tdss.565
TDL3: Part I A detailed analysis of TDL rootkit 3rd generation

Each security vendor uses their own naming conventions to identify various types of malware. Names with Generic, PUP or Patched are all very broad categories so it's difficult to determine exactly what has been detected or the nature of the threat without knowing more information about the actually file(s) involved. Some vendors also add a modifier or additional information after the name that further describes what type of malware it is. Since there is no universal naming standards, all this leads to confusion by the end user.

• A Virus by Any Other Name: Virus Naming Practices
• Windows Defender Security Intelligence Naming Standards
• Computer Antivirus Research Organization (CARO) Malware Naming Convention
• Current Status of the CARO Malware Naming Scheme

.
What is Distributed Denial-of-Service Attacks (DDOS)
What is Denial-of-Service Attacks (DOS)
How Distributed Denial of Service Attacks Work
Understanding Denial-of-Service Attacks (DOS)
What everyone needs to know about DDoS
How Zombie Computers Work: Distributed Denial of Service Attacks

For information about malware vectors, please read:
Malware Infection Vectors: Past, Present, and Future
How Malware Spreads - How your system gets infected
.
 
Who Writes Malicious Programs and Why? Hackers and malware writers come from different age groups, backgrounds, countries, education and skill levels...with varying motivations and intents. Most malware writers and cyber-criminals today treat it as a business venture for financial gain while "script kiddies" typically do it for the thrill and boosting a reputation as being a hacker among their peers. Below are a few articles which attempt to explain who these individuals are and why they do what they do.

• Who is Making All This Malware — and Why?
• Who creates malware and why?
• Who Writes Malicious Programs and Why
• What goes through the minds of hackers?
• Why do people write viruses?
• Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)
• What Makes Johnny (and Janey) Write Viruses?
• Hidden Backdoors, Trojan Horses and Rootkits...Hacker Tools of the Trade

Why you should not use Registry Cleaners and Optimization Tools

There are numerous programs which purport to improve system performance, make repairs and tune up a computer. Many of them include such features as a registry cleaner, registry optimizer, disk optimizer, etc. Some of these programs even incorporate optimization and registry cleaning features alongside anti-malware capabilities. These registry cleaners and optimizers claim to speed up your computer by finding and removing orphaned and corrupt registry entries that are responsible for slowing down system performance. There is no statistical evidence to back such claims. Advertisements to do so are borderline scams intended to goad users into using an unnecessary and potential dangerous product. I would not trust any results such programs detect as problematic or needing repair nor recommend using the options to fix them.

Some "classic clean-up software" such as "Ccleaner" are classified as "Useless" in this database because the Windows registry does not need any maintenance except if you are victim of a malware infection and because tweaking the windows registery does not speed up a computer at all. It does not mean that Cleaner and similar tools are not good for sweeping your harddrive and help to keep your privacy. Registry cleaners have been become social engineering products (e.g. Iobit Advanced System Care, CCleaner, Wise Registry Cleaner, etc.) and paying for this particular function is just a waste of money.

AV Comparatives "Rogueware library" of useless, misleading or fraudulent, malicious software

Further, these types of junk optimization programs are often bundled with other software you download and most are considered Potentially Unwanted Programs (PUPs) so they may be detected or even removed by some security scanners which specifically look for PUPs and adware.

Bleeping Computer DOES NOT recommend the use of registry cleaners/optimizers for several reasons:

Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.

Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Further, some vendors who offer registry cleaners use deceptive advertisements and claims which are borderline scams. They may alert you to finding thousands of registry errors which can only be fixed to improve performance if you use or buy their product.

Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.

Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.

The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".

Official Microsoft support policy for the use of registry cleaning utilities (KB2563254)

...Windows continually references the registry in the background and it is not designed to be accessed or edited. Some products such as registry cleaning utilities suggest that the registry needs regular maintenance or cleaning. However, serious issues can occur when you modify the registry incorrectly using these types of utilities. These issues might require users to reinstall the operating system due to instability. Microsoft cannot guarantee that these problems can be solved without a reinstallation of the Operating System as the extent of the changes made by registry cleaning utilities varies from application to application. A damaged Windows registry can exhibit a range of symptoms including excessive CPU utilization, longer startup and shutdown times, poor application functionality or random crashes or hangs.  These random crashes and hangs can ultimately lead to data loss due to the systems inability to save data back to the storage location during the occurrence.

• Microsoft does not support the use of registry cleaners...
• Microsoft is not responsible for issues caused by using a registry cleaning utility. We strongly recommend that you only change values in the registry that you understand or have been instructed to change by a source you trust, and that you back up the registry before making any changes.
• Microsoft cannot guarantee that problems resulting from the use of a registry cleaning utility can be solved. Issues caused by these utilities may not be repairable and lost data may not be recoverable.

Unless you have a particular problem that requires a specific registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly is dangerous and could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great. The major source of orphaned registry entries is poorly uninstalled programs so using a good uninstaller program is a much better way to keep the registry clean.

• Ed Bott's Webog: Why I don’t use registry cleaners
• Are Registry Cleaners Safe to Use?
• Registry Cleaners are the Digital equivalent of Snake Oil!
• Registry Cleaners and System Tweaking Tools
• PC Cleaning Apps are a Scam: Here’s Why
• Why Using a Registry Cleaner Won’t Speed Up Your PC or Fix Crashes
• 10 Types of System Tools and Optimization Programs You Don’t Need on Windows

If you want to improve computer performance, please read: Slow Computer/Browser? Check here first; it may not be malware

 
Note: Driver Update utilities are just as bad as registry cleaners. Most are junk programs often bundled with other software you download from the Internet and many are classified/detected as potentially unwanted programs (PUPs) by security scanners.

• Driver Updaters: Digital Snake Oil, Part 2
• Never Download a Driver-Updating Utility; They’re Worse Than Useless
• HTG Explains: When Do You Need to Update Your Drivers?

I have been hacked...What should I do? - How Do I Handle Identify Theft, Scams and Internet Fraud

If your system was hacked, you should disconnect the computer from the Internet and from any networked computers until it is checked and cleaned of possible malware...see How to remove Malware. If you need individual assistance with a possible malware infection, you should follow the instructions in the Malware Removal and Log Section Preparation Guide. When you have done that, start a new topic and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum for assistance by the Malware Response Team.

After disinfection you should create a new Restore Point and purge the rest to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state. Then to remove all but the newly created Restore Point, use Disk Cleanup.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, taxes, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised.

If using a router, you also need to reset it with a strong logon/password before connecting again. Consult these links to find out the default username and password for your router, and write down that information so it is available when doing the reset:

• Router Password
• Default Password List
• Default Username and Password of Router

These are general instructions for how to reset a router:

• Unplug or turn off your DSL/cable modem.
• Locate the router's reset button.
• Press, and hold, the Reset button down for 30 seconds.
• Wait for the Power, WLAN and Internet light to turn on (On the router).
• Plug in or turn on your modem (if it is separate from the router).
• Open your web browser to see if you have an Internet connection.
• If you don't have an Internet connection you may need to restart your computer.

For more specific information on your particular model, check the owner's manual. If you do not have a manual, look for one on the vendor's web site which you can download and keep for future reference.

Banking and credit card institutions should be notified immediately of the possible security breach. You should file a report with the FBI and your local law enforcement agency which most likely will have a Cyber Unit specializing in tracking down hackers and prosecuting them. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.

If you were the victim of Internet/Phone fraud or a scam, you should also file a report.

For more detailed instructions as to what you should do, please read:

• Identity Theft: What to Do if It Happens to You
• Internet Fraud Tips for Victims of ID Theft
• Warning Signs of Identity Theft
• What Should I Do If I've Become A Victim Of Identity Theft?
• Email and web scams: How to help protect yourself

Reporting Fraud and Scams:

• USA.gov Report Frauds and Scams
• ConsumerFraudReporting.org: How to Report a Fraud or Scam
• How to recognize and How to recognize and report phishing scams
• Report phishing or suspicious/scam sites to Google
• Avoid and report phishing emails
• Report phishing email by forwarding the original email and “Internet header” information to spam@access.ironport.com.  
• Suspicious e-mail can be forwarded to uce@ftc.gov, and complaints should be filed with the state attorney general's office or through the FTC at www.ftc.gov
• Scambook.com: Submit complaint
• Scamguard.com: Submit complaint
• PissedConsumer.com: Submit complaint
• ComplaintsBoard.com: Submit complaint

Reporting Phone, Fraud and Tech Support Scams:

• Reporting Phone Scams
• FTC Complaint Assistant
• WhyCallMe Complaint
• Report a technical support scam to Microsoft
• How to Report the Microsoft phone scam
• Action Fraud: UK’s national reporting centre for fraud and internet crime

Reporting Internet Fraud and Identity Theft:

• FBI Common Fraud Schemes - Internet Crime Complaint Center (IC3): Filing a Complaint
• FTC Identify Theft Site - FTC Complaint Assistant
• Reporting Computer Hacking, Fraud and Other Internet-Related Crime
• Find and file a report with your local FBI Office
• Report Internet Crime around the World
• Fraud.org File a Complaint: Online Incident Report
• USA.gov: Reporting Internet Fraud
• ConsumerFraudReporting.org: How to Report a Fraud or Scam

Note: Below are resources for determining if you have been hacked and how to identify the attacker. While these are suggestions you can try, it is strongly recommended to allow law enforcement authorities to conduct the investigation if the hacking is confirmed and you have been the vicitim of fraudulent financial transactions or stolen funds...they have the resources and expertise to identify hackers and prosecute them.

How to Tell if someone has accessed your computer:

• How to Detect a Remote Access to My Computer
• How to Know when Your Computer Was Last Used
• Has Someone Used Your PC? 3 Ways to Check
• Quickly Find Out Who's Connected To Your Computer

• Have your accounts been compromised? PwnedList Can Tell You - PwnedList FAQs
• How do I know if my computer has been hacked?
• How to detect computer & email monitoring or spying software

Investigating Hacking:

• Windows Forensics: Have I been Hacked?
• Tracing a hacker...Using TCPView and other tools
• How To Identify Unknown Network Connections In Windows with TCPView
• How to Track Hackers with netstat and tracert ip
• How to use the Tracert command-line
• Using Tracert - Example: How to Use the Traceroute Command

Always remember...no amount of security software is going to defend against hackers, scammers and malware writers for those who do not practice safe computing and stay informed. It has been proven time and again that the user is a more substantial factor (weakest link) in security than the architecture of the operating system or installed protection software. Security is all about layers and not depending on any one solution, technology or approach to protect yourself from cyber-criminals. The most important layer is you...the first and last line of defense.

• 20 ways to keep your internet identity safe from hackers
• 7 practical tips to keep yourself from getting hacked
• 5 Ways to Keep Your Social Media Accounts Safe From Hackers
• Ten tips to help beat the hackers and stay safe online
• 10 Tips To Stay Safe Online

Security begins with personal responsibility, common sense, safe browsing habits and following Best Practices for Safe Computing are all essential to protecting yourself from hackers and scammers.
 

About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs) which change your browser settings

Many programs, toolbars, add-ons/plug-ins, and browser extensions come bundled with other free third-party software you download from the Internet (often without the knowledge or consent of the user). In some cases, they may be included in Installers or Downloaders found at hosting sites such as CNET, Download.com, BrotherSoft, Softonic, FreewareFiles and Tucows. These bundled packages, installers and downloaders can often be the source of various issues and problems to include Adware, pop-up ads, browser hijacking which may change your home page and search engine, and cause user profile corruption. As such, they are typically classified as Potentially Unwanted Programs (PUPs) .

When a vendor includes bundled software, they do so as a way to "pay per install" and recoup associated business costs. This practice is now the most common revenue generator for free downloads and is typically the reason for the pre-checked option....see Third-Party Bundling. If pre-checked by default, that means you need to uncheck that option during installation if you don't want it. If you install too fast, you most likely will miss the "opt out" option and end up with software you do not want or need. However, in some cases, this opting out does not always seem to work as intended..

Sometimes, PUPs will just naturally be bundled into pseudo-legitimate applications and you won’t even get the option to not install it.

Encountering the Wild PUP

Even if advised of a toolbar or Add-on, many folks do not know that it is optional and not necessary to install in order to operate the program. Since this sometimes occurs without your knowledge, folks are often left scratching their heads and asking "how did this get on my computer."

Regardless of where you go to download software, you always have to be careful with deceptive download links. Clicking on the incorrect link may redirect to another download site which uses heavy and confusing advertising with more download links. On almost every site, including safe software download sites, you may encounter an obtrusive green "Download Now" button as a type of advertisement. These buttons ads come from third party ad networks and work well because many users are capricious by nature. Clicking on one of these "Download Now buttons" (thinking its the one you want) often results in downloading a program the user did not intend to download.

Folks need to take some personal responsibility and educate themselves about the practice of bundling software.

• Safe software download sites – Beware of deceptive download links & PUPs
• Top 10 Ways PUPs Sneak Onto Your Computer. And How To Avoid Them.
• How downloading one program can give you six (!) PUPs
• Here’s What Happens When You Install the Top 10 Download.com Apps
• How-To Geek: Why We Hate Recommending Software Downloads To Our Readers
• Potentially Unwanted Programs and how to avoid installing PUPs
• Even Microsoft bundles software

Toolbars, add-ons and bundled software can install themselves in various areas of your operating system to include your browser and Windows Registry. Since some of their components and behavior are determined to be harmful, some anti-virus and anti-malware tools may detect them as Potentially Unwanted Programs (PUPs) and/or Potentially Unwanted Applications (PUAs) which do not fall in the same category as malicious files such as viruses, Trojans, worms, rootkits and bots.
 
PUPs and PUAs are a very broad threat category which can encompass any number of different programs to include those which are benign as well as problematic. Thus, this type of detection does not always necessarily mean the file is malicious or a bad program. PUPs in and of themselves are not always bad...many are generally known, non-malicious but unwanted software usually containing Adware or bundled with other free third-party software to include toolbars, add-ons/plug-ins and browser extensions. PUPs are considered unwanted because they can cause undesirable system performance or other problems and are sometimes installed without the user's consent since they are often included when downloading legitimate programs. However, some PUPs can be more nefarious that others...see The PUP That Can Detect Anti-Malware Programs.

PUPs may also be defined somewhat differently by various security vendors and may or may not be detected/removed based on that definition.
* Malwarebytes: What are the 'PUP' detections, are they threats and should they be deleted?
* Malwarebytes Adopts Aggressive PUP Policy
* Sophos: Potentially unwanted applications
* Bitdefender: What is a PUA/PUP software?
* Eset: What is a potentially unwanted application? - Eset Online Scanner FAQs #15: What are Potentially Unwanted Applications?
* Microsoft: How Microsoft antimalware products identify potentially unwanted software
* Lavasoft: What are Potentially Unwanted Programs (PUPS)?
* McAfee White Paper: Potentially Unwanted Programs
* AVG FAQ 2340: Potentially Unwanted Programs
* Symantec: Potentially Unwanted Programs

Some programs falling into the PUP category have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. Since PUP detections do not necessarily mean the file is malicious or a bad program, in some cases the detection may be a "false positive". Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. If you installed, use or recognize the program and it is not causing an issues, then you can ignore the detection.

Your anti-virus may not detect all PUPs. This is because anti-virus and anti-malware programs each perform different tasks as it relates to computer security and threat detection. The scanning engines of anti-virus programs and anti-malware tools look for (detect) and remove different things based on the criteria used by the vendor. Anti-virus primarily protect against viruses, worms, Trojans, rootkits while anti-malware programs generally tend to focus more on adware, spyware, browser hijackers and PUPs. There can be some overlap in functionality and detection features between the two but the security vendor defines a specific threat and what Malware Naming Standards are used.

Note: Many anti-virus programs and some security scanners have options to include or exclude the detection of PUPs because of how they are defined. If your anti-virus is not finding any PUPs, then most likely the settings have been set to exclude or ignore detection. If your anti-virus is finding but not removing PUPs, then most likely the settings are set to detect but not take any action.

Again keep in mind that not all toolbars and add-ons/plug-ins are bad. Many of them also come bundled with other free software as a common practice by legitimate vendors.

* Adobe Reader includes Google Chrome or McAfee Security Scan pre-checked by default during installation
* Adobe ShockwavePlayer includes Google Chrome or Norton Security Scan pre-checked by default during installation
* CCleaner (standard installer) includes Yahoo Toolbar pre-checked by default during installation
* Foxit Pdf Reader includes Ask Toolbar and ebay shortcut in desktop pre-checked by default during installation
* GOM Player includes Ask Toolbar pre-checked by default during installation
* GIMP includes AVG SafeGuard/Secure Search toolbar pre-checked by default during installation
* Java includes Ask Toolbar pre-checked by default during installation
* Unlocker includes Babylon Toolbar or Delta Toolbar pre-checked by default during installation

The Installers Hall of Shame contains a more comprehensive list of software bundled with unwanted junkware.

Even Anti-virus and security vendors bundle toolbars and other software with their products as a cost recoup measure. In fact, all free Anti-virus programs now come with toolbars or other bundled software except Bitdefender Free...see Has the antivirus industry gone mad?!

Downloading TIPs - Best practices:
Always try to download software directly from the vendor's official home site. Look for and read the End User's License Agreement (EULA) carefully as well as any other related documentation.

Sometimes looking at the name of the setup file before saving it to your hard drive, will give a clue to what you are actually downloading so you can cancel out of it. If the file name does not appear correctly, do not proceed. This is especially important when using third-party hosting sites which are known to use special installers which bundle other software. Some third-party hosting sites like CNET.com publish a Software bundling Policy which you should always read.

Take your time during the installation of any program and read everything on the screen before clicking that "Install" or "Next" button.

Turn on file extensions in windows so that you can see extensions. Ransomware disguises .exe files as fake PDF files with a PDF icon inside a .zip file attached to the email. Since Microsoft does not show extensions by default, they look like normal PDF files and people routinely open them. A common tactic of malware writers is to disguise malicious files by hiding the file extension or by adding double file extensions and/or extra space(s) to the existing extension so be sure you look closely at the full file name.

If you must use CNET or similar sites, check the digital signature of the .exe file you download for validity and who actually signed it. Doing that will let you know if the file has been changed.

TIP: Open your browser, go to View > Toolbars and check the Status Bar box (Internet Explorer) or Add-on bar (Firefox). If you place your cursor over a link, the actual URL address will show up in the Status Bar or Add-on bar at the bottom of the browser window.

TIP: When searching for free software, visit the vendor's website and look for a "slim" or "zipped" version of the product as they generally are stand-alone applications in a zipped version that do not bundle or install anything else.

As more and more legitimate vendors are bundling software to recoup business expenses, folks need to take some personal responsibility and educate themselves about this practice.


TOOLBAR & ADD-ON REMOVAL TIPS:

Many toolbars and Add-ons can be removed from within its program group Uninstall shortcut in Start Menu > All Programs or by using Add/Remove Programs or Programs and Features in Control Panel, so always check there first. With most adware/junkware it is strongly recommended to deal with it like a legitimate program and uninstall from Programs and Features or Add/Remove Programs in the Control Panel. In most cases, using the uninstaller of the adware not only removes it more effectively, but it also restores any changed configuration.

Alternatively, you can use a third-party utility like Revo Uninstaller Free or Portable and follow these instructions for using it. Revo will do a more thorough job of searching for and removing related registry entries, files and folders.

Note: Some programs can be difficult to remove if their services and running processes are not disabled or turned off prior to attempting removal because they are in use. As such, it is easier to uninstall after booting into safe mode so there are less processes which can interfere with uninstalling the program.

If the program is not listed in Add/Remove or Programs and Features, and there is no uninstaller in the program's folder, the next place to check is your browser extensions and add-ons/plug-ins.
* How to Disable Extensions in Google Chrome - How to Uninstall Extensions in Google Chrome
* How to Disable Extensions and Plugins in Firefox - How to Remove Extensions/Uninstall Plugins in Firefox
* How to Disable Extensions in Internet Explorer
* How to Disable Add-ons/Extensions in Internet Explorer, Firefox and Google Chrome
* How to Disable all add-ons in Firefox, Internet Explorer

There are also more suggestion in these articles:
* How to Remove a toolbar that has taken over your Firefox search or home page
* Google Chrome Search engine and other settings taken over by an unwanted program

To reset or restore all browser settings, please refer to:
* How to Reset Your Web Browser to its default settings in Google Chrome, Firefox, Internet Explorer
* How to reset your browser settings in Internet Explorer, Firefox, Google Chrome, Opera, Safari
* How to reset Internet Explorer settings (all versions)
* Refresh Firefox - reset add-ons and settings...easily fix most problems
* Reset Chrome browser settings

Note: Resetting browser settings is not reversible. After a reset, all previous settings are lost and cannot be recovered. All add-ons and customizations are deleted, and you basically start with a fresh version of your browser.

Uninstalling and reinstalling your browser may not resolve all issues related to toolbars and add-ons. Why? Uninstalling does not completely remove all files and folders. User Profiles are generally not removed during a typical uninstall. Thus, reinstalling does not change the existing User Profile where some browser settings may have been modified so they are automatically restored after the reinstall. That means you may still have some symptoms of browser hijacking afterwards.
 
Another solution is to just create a new user profile and delete the old one.
* How to Create a new browser user profile in Google Chrome
* How to Create a new browser user profile in Firefox
* How to Create a new browser user profile in Opera, Internet Explorer, Firefox, Chrome

After performing the above steps...you can you can run specialized tools like Malwarebytes Anti-Malware, Emsisoft Emergency Kit, Hitman Pro, AdwCleaner and Zemana AntiMalware to fix any remaining entries they may find. These tools will search for and remove many potentially unwanted programs (PUPs), adware, toolbars, browser hijackers, extensions, add-ons and other junkware as well as related registry entries (values, keys) and remnants. They also remove related files and folders wherever they hide...to include those within the AppData folder and elsewhere.

If you feel uncomfortable running these tools by yourself and would like assistance, then start a new topic in the Am I infected? What do I do? forum.

Important Note: When searching for malware removal assistance (and removal guides) on the Internet, it is not unusual to find numerous hits from untrustworthy and scam sites which mis-classify detections or provide misleading information. This is deliberately done to entice folks into buying an advertised fix tool or using a questionable free removal tool. They take advantage of novice users and mislead them into downloading junk software using gimmicks, false claims and other deceptive advertising. Users may be prompted to download dubious software, actual malicious files or even be redirected to a malicious web site. Typically the posted removal guides provide inadequate removal instructions that do not remove the infection. In many cases their instructions say if you need profession help to contact the site's Tech Support for assistance which is only provided for a fee and usually the actual amount is not disclosed until after you have committed yourself. The scammers may even talk you into giving them remote access to your computer (and by extension, all your private data and personal information). Do not follow such advice or download any removal tools from unknown or untrusted web sites.

About In-text advertising: In-Text Ads - Text Enhanced Ads

The double-underlined random words you sometimes see on web pages in your browser is called in-text advertising and it is very common. Kontera, Text Enhance and Vibrant are are some of the more popular advertising networks that provide in-text advertising and information services.

The double-underlined word is actually a keyword embedded within text of a web page. The keyword is intended to provide consumers with information that is related to what they are reading. When hovering your mouse over this keyword, a pop up ad is displayed with a preview of the ad the text links to. This process works by allowing webmasters to insert JavaScript code into web pages that displays relevant advertisements from an inventory of advertisers. This script scans a web page and dynamically modifies keywords an advertiser has targeted on the page and double-underlines them. The words and the double-lines under them are usually blue in color but it is not uncommon for them to appear in various other colors such as red or green.

In-text advertising is a form of contextual advertising commonly used to promote business and generate revenue to offset the cost of maintaining a web site each time a website visitor clicks on an in-text ad. Advertisements from in-text ads also help to generate targeted traffic to a website and improve their natural search engine ranking.

Delivering ads to users based on their preferences. Adware programs analyze a user's Web surfing habits to determine the type of merchandise they are likely to purchase. As a result of the analysis, "contextual ads" are made to pop up periodically. Contextual marketing is widely implemented by search engines. They display ads on the results pages based on the key words users enter for a search. In addition, contextual marketing is available for Web sites in general. The service offers to place ads on pages that are geared to the audience likely to visit the site.

Definition of: contextual marketing

What is In-text Advertising?
In-text advertising is a monetization method that has taken the affiliate marketing world by storm. As long as you've got content, we've got a commission check with your name on it! Intextual simply scans your pages, and then selects ads that go along with the subject matter. Users will only see the ads when they hover over double hyperlinked keywords that are impossible to miss. Even if someone accidentally engages an In-text ad, the widget will disappear after a few seconds without interaction or the user can simply "X" out manually.

AdMedia: Publish In-Text Ads and Make Money Online

Text-Enhance is a premium service offered to you by our publishers. We work with various websites as well as software products to help them provide value to their users. Please remember that if you are seeing Text-Enhance links, this does not mean you are "infected" or are having issues with your computer. It also does not mean websites you view have been "hacked". If you are seeing these links, it means that the website you are on or a piece of software on your computer has decided to offer you this service...If you would like to disable these links from showing up, you can opt-out here.

What is Text-Enhance

* Advertising FAQs
* Vibrant: The Leading In-content Ad Platform
* Kontera In-Text Online Advertising
* Powerlins In-text Ads
* 15+ Best In-Text Advertising Programs Compared

Most companies which utilize In-Text Ads have an Opt-Out procedure listed in their privacy statements or learn more about pages.

Example 1: Vibrant Privacy Statement - Vibrant Opt-Out Procedure

5. Controlling the Use of Your Information and Opting-Out

Example 2: Learn more about Infolinks <-scroll down to

Prefer to not see Infolinks Ads on this site? Click here to opt-out

Example 3: Vizu Nielsen Mobile Brand Effect <-scroll down to

How can you opt out?
Viewers of ad campaigns are free to opt out of measurement by the Nielsen Online Brand Effect service at any time. An opt-out button is provided at the bottom of this page. This button will download an "opt-out" or "do-not-track" cookie onto your machine and you will no longer be tracked or surveyed about ad campaigns that you may view. As long as this opt-out cookie remains on your computer, you will no longer be tracked or surveyed by Nielsen Online Brand Effect about ad campaigns that you may view. You must keep this opt-out cookie on your computer and not remove it in order to remain opted out of the collection of information through the Nielsen Online Brand Effect service. If your machine automatically removes cookies or you remove the opt-out cookie periodically, you will have to replace it by opting out again.

Example 4: Kontera Privacy Statement

If you prefer that Kontera not collect any information about your website visits for the purpose of delivering targeted advertising, you may opt out by clicking here.

Kontera Ad Choices

Do you want to disable Kontera ads?
To disable, click the link below and then refresh your internet page. If you delete or refresh your cookies, Kontera's ads will be re-activated automatically. Click here to disable.

Example 5: About Ad Choices

AdChoice is our program that lets you choose whether to receive customized advertising on eBay and on the websites of our advertising partners.

To opt out for a single browser...
To opt out for multiple browsers...

After you opt out you'll see this message: You have opted out of AdChoice. You'll still see ads with the AdChoice link and icon, but the ads won't be customized.

Example 6: Your AdChoices FAQs

Can I opt out of interest-based advertising?
Yes. The AdChoices program is all about giving you information and control so that you can make informed choices about the interest-based advertising you receive online. The AdChoices Iconwhether in an advertisement or on Web pagesgives you access to consumer choice mechanisms where you may, at any time, opt out of the interest-based advertising that you receive from participating companies.

For a list of companies which have Opting Out procedures, please refer to:

• Consumer Opt Out of Interest-Based Advertising
• Ghostery Enterprise Global Opt-Out
• Opt Out from Online Behavioral Advertising (Beta)Using the Consumer Opt Out Page (Beta)
• opt out of interest-based ads by Google through Ads Settings
• Remove unwanted ads

Important Note: Advertising websites use Cookies so opting-out is much easier than having to delete them or run a series of anti-malware scans. However, sometimes you have no choice but to delete all cookies to stop the ads. This does not always work either as some websites are designed with this in mind and if you delete your cookies, the ads will be re-activated automatically...a Catch-22 to be aware of.

In some cases you can disable In-Text Ads by hovering over one of the double-underlined words with your mouse and clicking the small "?" (question mark) at the top or bottom of the popup box. This will take you to a page that explains the ads and allow you to disable them (opt-out) using another cookie. In other cases, if you click on the Advertiser's name - i.e. AdChoices - you are taken to a page which contains opt-out information. If you just delete or refresh your cookies, the in-text advertising will be re-activated and the ads will reappear. You can also add these advertising companies to Internet Explorer's Restricted sites or disable them in Firefox with third party tools so the sites cannot be accessed.

Also be aware that there are software programs and browser extensions, add-ons/plug-ins which can be installed and used to display in-text advertisements.

Linksicle offers a free search and translation utility in exchange for agreement to install the software and receive advertising. In order to keep Linksicle free you may see banner, text, pop-up, pop-under, interstitial, video, coupon, and/or in-text advertisements through the software on websites where features operate and during general internet usage...To keep use of Linksicle free you will see ads delivered by the software on websites where Linksicles features operate and while you browse the internet.

About Linksicle Advertising
How do I uninstall Linksicle?

You may be seeing ads as part of our advertising solution for Internet properties (such as websites or web browser extensions). This solution provides content at no cost to you and displays advertisements during your web browsing experience. It was installed by you, or someone who uses your computer.

You currently have the following plugin installed...To quickly remove all software and associated advertising provided by this product, you may uninstall the program from "Add/Remove programs" on your Windows computer.

Text Enhance Uninstall Instructions
Text Enhance Browser Extensions Uninstall Instructions

These extensions are usually bundled with other free software you download and install. Since they are often installed without your knowledge or consent, they are classified as Potentially Unwanted Programs (PUPs).

Note: Many of these extensions are cross web browser plugins for Internet Explorer, Firefox and Chrome so make sure you check all your browsers to remove or disable even if you seldom use them. See this Example: Advertising Support Uninstall Instructions

Managing-Disabling-Removing Browser Add-ons:
* How to Disable Extensions in Google Chrome - How to Uninstall Extensions in Google Chrome
* How to Manage Extensions in Google Chrome
* How to Disable Extensions and Plugins in Firefox - How to Remove Extensions/Uninstall Plugins in Firefox
* How to Disable Extensions in Internet Explorer
* How to Disable Add-ons/Extensions in Internet Explorer, Firefox and Google Chrome
* How to Disable all add-ons in Firefox, Internet Explorer

If an extension is not removable (or not found) then you need to find the root software with which it came bundled with. Generally it can be found in Programs and Features in Vista/Windows 7/8 or Add/Remove Programs in Windows XP. In most cases, using the uninstaller of the software not only removes it more effectively, but it also restores any changed configuration. Important! Reboot when done and delete the Program folder if it still exists. After uninstallation, then you can run specialized tools like Malwarebytes Anti-Malware, AdwCleaner and Zemana AntiMalware  to fix any remaining entries they may find.

Instead of Programs and Features or Add/Remove Programs in Control Panel, you can also use a third-party utility like Revo Uninstaller Free or Portable which does a more comprehensive job of searching for and removing related registry entries, files and folders. Follow these instructions for using it.

Common programs responsible for ads which may be found in and removed from Add/Remove include:

AlllCheapPeruiCe 5.2, Allyrics, BetterSurf, BLoCkTheADApp 3.2, Browse2Save, CouponMeApp, DownloadTerms 1.0, DVDX Player 3.2, Fast Free Converter, Feven 1.7, live player 3.2, LyricsViewer, LyricXeeker, LyricsWoofer, LyricsFan, Media Player 1.1, Plus-HD, Savings Bull, Savings Wizard, Start Savin, SimpleLyrics, TheBlooccker 1.3, TubeAdblOCkER, YoubeAdBlocker 1.2, Youtube Downloader HD, WatchItAdBlocake, WebCake 3.00, Websteroids, Video Media Player 1.1, Video Player, ViewPassword

File Sharing (P2P), Torrents, Keygens, Cracks, Warez, and Pirated Software are a Security Risk

The practice of using keygens, cracks/cracking tools, warez, torrents or any pirated software is not only considered illegal activity but it is a security risk (unsafe practice) which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft.

Keygens, Cracks, Warez, and Pirated Software

Of six counterfeit Microsoft Office disks tested, they found that five were infected with malware. Of the twelve counterfeit Windows disks tested, they found that six could not install and run, and so could not be tested. They were duds!

Of the six counterfeit Windows disks that could run and be tested successfully:
* Two were infected with malware;
* 100% of the six copies had Windows Update disabled;
* 100% of the six copies had the Windows Firewall rules changed.

In total of the twelve counterfeit software copies that could be installed successfully (six Office and six Windows) and tested:
* Seven copies (58%) were infected with malware
* A total of 20 instances of six different types of malware code found

The Hidden Risks of Using Pirated Software

Recent research shows that websites and programs related to software piracy are likely to be infected with malware due to the way they are distributed...over 50% of all pirated files are infected with malware that are constantly repacked to evade even the most up-to-date anti-virus programs. Software piracy acts as a gateway for cybercriminals to infect computers, leaving individuals and their personal data vulnerable to malware infection.

File Sharing, Piracy, and Malware

...pirated software and cracks — programs designed to generate product keys or serial numbers for popular software and games — are almost always bundled with some kind of malware...downloading pirated software and software cracks is among the fastest and likeliest ways to infect your computer with something that ultimately hands control over of your PC to someone else.

Software Cracks: A Great Way to Infect Your PC

Cracking applications are used for illegally breaking (cracking) various copy-protection and registration techniques used in commercial software. These programs may be distributed via Web sites, Usenet, and P2P networks.

TrendMicro Warning

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study

* IDC study on The Dangers of Counterfeit Software
* IDC White paper: The Dangersous World of Counterfeit and Pirated Software
* Software Piracy on the Internet: A Threat To Your Securiy
* File Sharing, Piracy, and Malware
* Pirated software carries malware payload that can cost billions

When you use these kind of programs, be forewarned that some of the most aggressive types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and an increasing source of system infection which can turn a computer into a malware honeypot or zombie. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

Using these types of programs or the websites visited to get them is almost a guaranteed way to get yourself infected!!

.
 

File Sharing, Torrents, and Peer-to-Peer (P2P) Programs

File sharing networks are thoroughly infested with malware according to security firm Norman ASA and many of them are unsafe to visit or use. The reason for this is that file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. This practice can make you vulnerable to data and identity theft, system infection and remote access exploit by attackers who can take control of your computer without your knowledge.

...It is almost never safe to download executable programs from peer-to-peer file sharing networks because they are a major source of malware infections.

Software Cracks: A Great Way to Infect Your PC
 
Some file sharing programs are bundled with other free software that you may download (sometimes without the knowledge or consent of the user) and can be the source of various issues and problems to include Adware, Potentially Unwanted Programs (PUPs), and browser hijackers as well as dangerous malware. Users visiting such sites may encounter innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install malware. Many malicious worms and Trojans, such as the Storm Worm, have targeted and spread across P2P files sharing networks because of their known vulnerabilities.

Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. Some P2P programs are also configured to allow other P2P users on the same network open access to a shared directory on your computer by default. If your P2P program is not configured correctly, you may be sharing more files than you realize. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source increases your exposure to infection because the files you are downloading may actually contain a disguised threat by hiding a file extension or by adding double file extensions and/or extra space(s) in the file's name to hide the real extension so be sure you look closely at the full file name as well as the extension. The best way to eliminate these risks is to avoid using P2P applications and torrent web sites.

• US-CERT: Risks of File-Sharing Technology
• A Study of Malware in Peer-to-Peer Networks
• SANS Institute Peer-to-Peer File-Sharing Networks: Security Risks
• More malware is traveling on P2P networks these days
• File Sharing, Piracy, and Malware

Many security forums ask members to remove P2P software before assisting them with malware disinfection. The nature of such software and the high incidence of infection or reinfection is counter productive to restoring the computer to a healthy state...see here.

Using P2P programs, file sharing or browsing torrent sites is almost a guaranteed way to get yourself infected!!
.

There are no guarantees or shortcuts when it comes to malware removal - When should I reformat?
 

Stop Trying to Clean Your Infected Computer! Just Nuke it and Reinstall Windows

There are no guarantees or shortcuts when it comes to malware removal, especially when dealing with backdoor Trojans, Botnets, IRCBots and rootkits that can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. These types of infections are dangerous because they not only compromise system integrity, they have the ability to download even more malicious files. Rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They are used by backdoor Trojans to conceal its presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker.

When dealing with Remote Access Trojans (RATS), there is a greater chance the computer has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed. In some cases, such as with a polymorphic file infector, the infection may have caused so much damage, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

The severity of infection will vary from system to system, some causing more damage than others. The longer malware remains on a computer, the more opportunity it has to download additional malicious files which can worsen the infection so each case should be treated on an individual basis. Severity of system infection will also determine how the disinfection process goes. Since infections and severity of damage will vary, it may take several efforts with different, the same or more powerful security scanners/tools to do the job. Even then, with some types of infections, the task can be arduous and still is impossible to be 100% sure that all malware has been removed.

Security vendors that claim to be able to remove file infectors and backdoor Trojans cannot guarantee that all traces of the malware will be removed as they may not find all the remnants or correct all the damage. Wiping your drive, reformatting, and performing a clean install of the OS, performing a factory restore (reset) or using a recovery disc provided by the manufacturer removes everything and is the safest action but I cannot make that decision for you.

Many experts in the security community believe that once infected with this type of malware,the best course of action is to wipe the drive clean, reformat and reinstall the OS with your Windows CD/DVD installation disk, restore from a disk image or use the factory restore (system recovery) disks provided by the manufacturer.

• When should I re-format? How should I reinstall?
• Where to draw the line? When to recommend a format and reinstall?

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

This is what security expert miekiemoes has to say: Virut and other File infectors - Throwing in the Towel?

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall...dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall...After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.

If your computer was compromised also be sure to read: I have been hacked...What should I do?

Beware of Phony Emails & Tech Support Scams

Tech Support Scamming through unsolicited phone calls, browser pop-ups and emails from "so-called Support Techs" advising "your computer is locked or infected with malware", “all your files are encrypted", "suspicious ransomware activity" and other fake messages has become an increasing common scam tactic over the past several years. The scams may involve web pages with screenshots of fake Microsoft (Windows) Support messages, fake reports of suspicious activity, fake warnings of malware found on your computer, fake ransomware and fake BSODs all of which include a tech support phone number to call in order to fix the problem. If you call the phone number (or they called you), scammers will talk their victims into allowing them remote control access of the computer so they can install a Remote Access Trojan in order to steal passwords and other sensitive personal information which could then be used to access bank accounts or steal a person's identity.

• Anatomy of a support scam website

More recently, these criminals have diversified their techniques to target customers of ISP (Internet Service Providers), computer manufacturer, and anti-virus software, especially if your personal information was compromised (hacked) from any of those companies.

• Cold-calling Scammers Target Antivirus Customers, Diversify Their Tactics
• Phone Scams Getting More Sophisticated
• Trojan.Tech-Support-Scam Family of Badware

In the majority of these cases the scammers use social engineering to trick a victim into spending money for unnecessary technical support or to buy an application which claims to remove malware. They typically use bogus error or warning messages (web page redirects & pop-ups) to falsely indicate that your computer is infected or has critical errors. This is done as a scare tactic to goad you into calling a phony tech support phone number shown in the pop-up alert and allowing the scammer remote control access to your computer in order to fix the problem. In some cases you are instructed to download malicious software which will actually infect your system. If the victim agrees, the support usually costs hundreds of dollars and often leaves the victim's computer unchanged or intentionally infected with malware.

Sometimes the scam tactic involves tricking their victims into believing that their computer is infected by having them look at a Windows log that shows dozens of harmless or low-level error entries. The scammer instructs their victim to type "eventvwr" in the RUN box to open Windows Event Viewer and points out all the warnings and error messages listed under the various Event Viewer categories. The scammer then attempts to scare their victims into giving them remote access to the computer in order to fix it and remove malware. More nefarious scammers will install a backdoor Trojan or Remote Access Trojan in order to steal passwords and other sensitive personal information.

• Beware of US-based Tech Support Scams
• FTC cracks down on tech support scams
• Information on Tech Support Scams
• Tech Support Scams – Help & Resource Page
• How to Protect Yourself From Tech Support Scams

The scammer may claim to be an employee affiliated with Microsoft or Windows Support. However, there have been reports of scammers claiming to be affiliated with major computer manufacturers such as Hewlett Packard, Lenovo and Dell, well known security vendors like Symantec, Panda, McAfee, etc. and even popular ISPs.

• Microsoft Help Desk Tech Support Scam
• Fake Windows Defender Prevented Malicious Software Scam
• Fake Microsoft 1-844-879-7840 Suspicious Activity Tech Support Scam
• Scammers target Dell customers after apparent data breach
• Latest tech support scam stokes concerns Dell customer data was breached

“Hello....I am calling you from Windows.....”

Microsoft does not make unsolicited phone calls, display pop-up alerts in your browser to call a support number or send unsolicited email messages to request personal or financial information or to fix your computer.

• Protect yourself from tech support scams
• Tech support scams
• Avoid scams that use the Microsoft name fraudulently
• Is that call from Microsoft a scam?
• Don’t fall for phony phone tech support
• Microsoft Scams: Identify & avoid scams that fraudulently use the Microsoft name
• Tell Your Relatives: No, Microsoft Won’t Call You About Your Computer
• Microsoft calling? Mind the tech support scammer!

Not answering any questions and hanging up the telephone is the best way to deal with phone scammers...then report them to the appropriate authorities.

Tech Support Scamming using browser pop-up alerts with telephone numbers from "so-called Support Techs" advising your computer is infected with malware has also become an increasing common and prolific scam tactic.



In some cases, the scam may be a web page which looks like a BSOD and includes a tech support phone number to call in order to fix the problem.



In other cases, tech support scammers will use web pages with screenshots of fake anit-virus software displaying warnings of bogus malware infections. Instead of enticing their victims to purchase a license key to remove the fake malware, the scammers scare them into calling a toll-free support number in order to continue the scam, often selling useless high priced support plans. Programs that are part of the Rogue.Tech-Support-Scam use legitimate utilities bundled with Trojans that display fake alerts that try to scare you into calling a remote tech support phone number.

• Avoid this BSoD Tech Support Scam
• Tech Support Scammers Bring Back FakeAV
• “Your PC Is Infected” Round-up…
• Your PC/Device needs to be repaired BSOD Tech Support Scam
• Tech Support Scams – Help & Resource Page

As with phony email and phone scams, the warning alert may claim to be affiliated with Microsoft or Windows Support. Again, Microsoft does not contact users via web page messages, phone or email and instruct them to call tech support to fix your computer.

Closing the web browser and then relaunching it usually eliminates the bogus warning message and is the best way to deal with these scams. If the browser freezes or hangs, you may have to close it with Windows Task Manager by selecting End Task.

Scammers and cyber-criminals are very innovated...see Tech Support Scams use new Tricks to Hold Browsers Hostage. They are always developing creative and more sophisticated techniques to scare their victims into providing personal information or stealing their money for financial gain. The criminals can target specific browsers like Microsoft Edge, Google Chrome, specific devices like Apple and even your iPhone or iPad.

• Microsoft Edge...Can Be Abused for Tech Support Scams
• Tech support scams and Google Chrome tricks
• Scammers target Apple customers
• Fake iOS Crash Reports hijack your iPhone or iPad

Some scam sites may lock up the browser, load the page in full-screen mode or spawn an infinite loop of repeating fake alert dialog boxes that prevent the victim from closing the web page or navigating away from it. This repeating "dialog loop" essentially is a script that reloads the fake pop-up alert every time victims attempt to close it. Microsoft Edge in Windows 10 includes Dialog Loop Protection that enables Microsoft Edge users to stop repeating dialog loops via a checkbox in order to escape or close the page. Google Chrome has a feature to "Prevent this page from displaying additional dialogs". Some Tech Support scams have similar alerts while others are simply made up and clicking OK can produce the opposite effect. If you are dealing with this type of scam, click the OK button at the bottom of the alert and you should then see a box that says "Do not allow this site to create new pages". Check that box and close the window.

If the warning alerts continue to appear after closing and reopening the browser, they could be the result of an ad-supported browser extension, adware or potentially unwanted programs typically bundled with other free software you download and install. In that case, you may need to check for and remove unfamiliar browser extensions and add-ons/plug-ins or reset your browser to its default settings. After that you may want to perform security scans with programs such as as Malwarebytes Anti-Malware, Emsisoft Emergency Kit, Hitman Pro, AdwCleaner and Zemana AntiMalware.

• How to remove Tech Support Scam Popups in your Browser
• How to Remove Adware from a PC
• How to use Emsisoft Anti-Malware to scan and clean malware from your computer
• How to find and clean malware infections with Emsisoft Emergency Kit
• How to use Malwarebytes Anti-Malware to scan and clean malware from your computer

Resources to protect your browser, privacy & help prevent browser pop-up ads and scams:

• uBlock Origin for Chrome, Firefox, Edge, Safari, Opera, a general purpose blocker which can block both ads and scripts.
• uBlock for Chromium, Firefox, Safari
• uBlock vs. uBlock Origin: what's the difference?
• AdBlock for Firefox, Chrome, Safari, Internet Explorer, Opera
• Adblock Plus for Chrome, Firefox, Safari, Internet Explorer, Micorosft Edge, Opera, Yandex
• AdBlocker Ultimate for Firefox, Chrome, Safari, Internet Explorer, Yandex
• Adfinder for Internet Explorer
• Adguard for Chrome, Firefox, Safari, Internet Explorer, Micorosft Edge, Opera
• Malwarebytes Add-on, an extension which provides malware, scam, advertising/tracker and clickbait protection.
• HTTPS Everywhere, an extension that encrypts your communications, making your browsing more secure.
• Fraudscore for Firefox
• NoScript - NoScript FAQs
• ScriptSafe for Chrome
• Privacy Badger for Firefox, Chrome, Opera
• Ghostery for Firefox, Chrome, Safari, Internet Explorer, Opera, a tool which allows you to block beacons, trackers, advertising, analytics, widgets and cookies. (Ghostery FAQs - How to configure Ghostery to stop Trackers)
• SpywareBlaster Free...see here for detailed information.

Reporting Phone Fraud and Tech Support Scams:

• Reporting Phone Scams
• FTC Complaint Assistant
• WhyCallMe Complaint
• Report a technical support scam to Microsoft
• How to Report the Microsoft phone scam
• How to report fraudulent e-mail messages that use the Microsoft name and logo
• Action Fraud: UK’s national reporting centre for fraud and internet crime

Best Defensive Strategy against ransomware (crypto malware)

The best defensive strategy to protect yourself from malware and ransomware (crypto malware) infections is a comprehensive approach to include prevention. Make sure you are running an updated anti-virus and anti-malware product, update all vulnerable software, use supplemental security tools with anti-exploitation features capable of stopping (preventing) infection before it can cause any damage, disable VSSAdmin.exe, close Remote Desktop Protocol (RDP) if you do not need it and routinely backup your data.

The widespread emergence of crypto malware (ransomware) has brought attention to the importance of backing up all data every day on a regular basis. The only reliable way to effectively protect your data and limit the loss with this type of infection is user education and to have an effective backup strategy. Preferably keeping a separate, offline backup to a device that is not always connected to the network. Therefore...your best defense is back up, back up, back up and the best solution for dealing with encrypted data is to restore from backups. Backing up data and disk imaging are among the most important maintenance tasks users should perform on a regular basis, yet it's one of the most neglected areas.

• The smartest way to stay unaffected by ransomware? Backup!
• Avoid having your files encrypted by ransomware...Prevention before the fact is the only guaranteed peace of mind on this one.

Backing up Data Resources:

• The Backup Rule of Three
• What’s the Best Way to Back Up My Computer?
• Windows Backup - The essential guide
• How to Backup Your Computer - The Complete Guide
• Computer Backup Options

IMPORTANT!!! When implementing a backup strategy include testing to ensure it works before an emergency arises; routinely check to verify backups are being made and stored properly; remove (disconnect) and isolate all backups from the network or home computer...if not, you risk ransomware infecting them when it strikes.

Ransomware Prevention Tips:

• How to Protect and Harden a Computer against Ransomware
• How To Lock Down So Ransomware Doesn't Lock You Out
• SANS Enterprise Survival Guide for Ransomware Attacks
• Ransomware: Best Practices for Prevention and Response
• Ransomware: 7 Defensive Strategies
• How to Strengthen Enterprise Defenses against Ransomware
• Best practices for securing your environment against ransomware
• Ransomware Do's and Dont's: Protecting Critical Data
• How Businesses Can Best Defend Against Ransomware Attacks
• 11 things home users can do to protect against ransomware
• 22 Ransomware Prevention Tips for the home user
• Why Everyone Should disable VSSAdmin.exe Now!

You should also use an Anti-Exploit program to help protect your computer from zero-day attacks and rely on behavior detection programs rather then standard anti-virus definition (signature) detection software only. This means using programs that can detect when malware is in the act of modifying/encrypting files AND stop it rather than just detecting the malicious file itself which in most cases is not immediately detected by anti-virus software.

Malware can disguise itself by hiding the file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension so be sure you look closely at the full file name as well as the extension so be sure you look closely at the full file name as well as the extension. In some cases, you may not see the double extension because file extensions are hidden by default in Windows. If you have chosen the option to unhide file extensions, you still may be fooled if the malware writer named the file with extra spaces before the ".exe" extension. The real extension is hidden because the column width is too narrow to reveal the complete name and the tiny dots in between are nearly invisible.

If you cannot see the file extension, you may need to reconfigure Windows to show known file name extensions.

• 50+ File Extensions That Are Potentially Dangerous on Windows
• How Hackers Can Disguise Malicious Programs With Fake File Extensions
• Why you should set your folder options to “show known file types”

Kaspersky labs advises RDP Bruteforce attacks are on the rise particularly by those involved with the development and spread of ransomware. IT folks should close RDP if they don't use it. If they must use RDP, the best way to secure it is to either whitelist IP's on a firewall or not expose it to the Internet. Put RDP behind a firewall, only allow RDP from local traffic, setup a VPN to the firewall, use an RDP gateway, change the default RDP port (TCP 3389) and enforce strong password policies, especially on any admin accounts or those with RDP privileges.

• Ransomware using Remote Desktop to spread itself
• Ransomware spreads through weak remote desktop credentials
• Brute force RDP attacks depend on your mistakes
• Ransomware and RDP – Close those RDP ports now and stay vigilant!
• RDP Attacks: What You Need to Know and How to Protect Yourself
• RDP brute force attacks: 5 tips to keep your business safe
• Basic Security Tips for Remote Desktop

You should also rely on behavior detection programs rather then standard anti-virus definition (signature) detection software only. This means using programs that can detect when malware is in the act of modifying/encrypting files AND stop it rather than just detecting the malicious file itself which in most cases is not immediately detected by anti-virus software.

Some anti-virus and anti-malware programs include built-in anti-exploitation protection.

Emsisoft Anti-Malware includes a Behavior Blocker which continually monitors the behavior of all active programs looking for any anomalies that may be indicative of malicious activity and raises an alert as soon as something suspicious occurs. This advanced behavior blocking technology is able to detect unknown zero-day attacks, file-less malware that resides only in memory, zombies (the hijacking of host processes to load malicious code which execute via script parser programs), and file-encrypting malware (ransomware) attacks. Emsisoft's three security levels (or layers) of protection help to prevent the installation of malware and stop malicious processes before they can infect your computer. With the release of v2017.5, Emsisoft now has a separate Anti-Ransomware module.

• Emsisoft’s Behavior Blocker vs. 20 crypto ransomware families
• New: Emsisoft Anti-Malware 12 – Keeping you safe from ransomware

ESET Antivirus and Smart Security uses a Host-based Intrusion Prevention System (HIPS) to monitor system activity with a pre-defined set of rules (Advanced Memory Scanner) to recognize suspicious system behavior. When this type of activity is identified, HIPS stops the offending program from carrying out potentially harmful activity. ESET's enhanced Botnet Protection module blocks communication between ransomware and Command and Control (C&C) servers. ESET Antivirus (and Smart Security) includes Exploit Blocker which is designed to fortify applications that are often exploited (i.e. web browsers, PDF readers, email clients, MS Office components). This feature monitors the behavior of processes, looks for and blocks suspicious activities that are typical for exploits including zero-day attacks. ESET's Java Exploit Blocker looks for and blocks attempts to exploit vulnerabilities in Java. ESET Antivirus (and Smart Security) also includes script-based attack protection which protects against javascript in web browsers and Antimalware Scan Interface (AMSI) protection against scripts that try to exploit Windows PowerShell.
 

Windows Defender Exploit Guard (introduced in Windows 10 Fall Creators Update) includes four components of new intrusion prevention capabilities designed to lock down a system against various attack vectors and block behaviors commonly used in malware attacks before any damage can be done. Exploit protection consists of exploit mitigations which can be configured to protect the system and applications whenever suspicious or malicious exploit-like behavior is detected. Controlled folder access protects common system folders and personal data from ransomware by blocking untrusted processes from accessing and tampering (encrypting) sensitive files contained in these protected folders. Attack Surface Reduction (ASR) is comprised of a set of rules which helps prevent exploit-seeking malware by blocking Office, script and email-based threats. Network protection protects against web-based threats by blocking any outbound process attempting to connect with untrusted hosts/IP/domains with low-reputation utilizing Windows Defender SmartScreen. Windows Defender EG is intended to replace Microsoft’s EMET which was confusing to novice users and allowed hackers to bypass because the mitigations were not durable and often caused operating system and application stability issues as explained here.

Malwarebytes 3.0 Premium with Anti-Exploit & Anti-Ransomware includes a real-time Protection Module that uses advanced heuristics scanning technology to monitor your system and prevent the installation of most new malware, stopping malware distribution at the source. This technology dynamically blocks malware sites & servers, prevents the execution of malware, proactively monitors every process and helps stop malicious processes before they can infect your computer.

Ransomware Prevention Tools:

• Malwarebytes 3.0 with Anti-Exploit & Anti-Ransomware
• Malwarebytes Anti-Exploit standalone
• Kaspersky Anti-Ransomware Tool for Business (Free) - How Kaspersky Anti-Ransomware works
• CryptoPrevent - CryptoPrevent FAQs
• NoVirusThanks OSArmor
• Cybereason Ransomfree
• AppCheck Anti-Ransomware
• Cybersight RansomStopper
• Check Point ZoneAlarm Anti-Ransomware
• McAfee Ransomware Interceptor - How to Use Interceptor, FAQs
• TEMASOFT Ranstop - Ranstop FAQs, Support, System Requirements
• CryptoDrop
• GS Anti-Ransomware
• CryptoLocker Tripwire for file servers
• HitmanPro.Alert with CryptoGuard
• Ransomware Simulator
• MBRFilter - Using MBRFilter against Ransomware that modifiy the Master Boot Record
• Bitdefender Anti-Ransomware
• WinPatrol WAR - WinPatrol WAR Documentation
• Microsoft’s Enhanced Mitigation Experience Toolkit (EMET)
• Symantec's NoScript or AnalogX Script Defender
• List of Anti-Ransomware Software & Comparison
• Acronis Active Protection Ransomware fighter for Acronis True Image 2017 - How Acronis Active Protection works

Other Malware Prevention Tools:

• Carbon Black
• Faronics Anti-Executable
• NoVirusThanks EXE Radar
• AppGuard Personal
• Simple Software Restriction Policy

Important Note: Keep in mind that some security researchers have advised not to to use multiple anti-exploit applications because using more than one of them at the same time can hamper the effectiveness of Return-oriented programming (ROP), and other exploit checks. This in turn can result in the system becoming even more vulnerable than if only one anti-exploit application is running. In some cases multiple tools can cause interference with each other and program crashes,

Quote

While you should use an antivirus (even just the Windows Defender tool built into Windows 10, 8.1, and 8) as well as an anti-exploit program, you shouldn’t use multiple anti-exploit programs...These types of tools could potentially interfere with each other in ways that cause applications to crash or just be unprotected, too.

How-To Geek on Anti-exploit programs

ROP is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as non-executable memory and code signing. It is an effective code reuse attack since it is among the most popular exploitation techniques used by attackers and there are few practical defenses that are able to stop such attacks without access to source code. Address Space Layout Randomization (ASLR) is a computer security technique involved in protection from buffer overflow attacks. These security technologies are intended to mitigate (reduce) the effectiveness of exploit attempts. Many advanced exploits relay on ROP and ASLR as attack vectors used to defeat security defenses and execute malicious code on the system. For example, they can be used to bypass DEP (data execution prevention) which is used to stop buffer overflows and memory corruption exploits. Tools with ROP and ASLR protection such as Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) use technology that checks each critical function call to determine if it's legitimate (if those features are enabled).

• The State of Return Oriented Programming in Contemporary Exploits
• An Analysis of Address Space Layout Randomization
• Anti-exploitation features explained

As such, users need to know and understand the protection features of any anti-exploit/anti-ransomware program they are considering to use.
 

Important Fact: Security is all about layers and not depending on any one solution, technology or approach to protect yourself from cyber-criminals. The most important layer is you. No amount of security software is going to defend against today's sophisticated malware writers for those who do not practice safe computing and stay informed. It has been proven time and again that the user is a more substantial factor (weakest link) in security than the architecture of the operating system or installed protection software. Cyber-criminals succeed because they take advantage of human weaknesses...relying heavily on social engineering to exploit the the weakest link in the security chain.

Thus, the user is the first and last line of defense and security is a constant effort to stay one step ahead of the bad guys.
If you have not done so already, you may want to read:

• Simple and easy ways to keep your computer safe and secure on the Internet
• How Malware Spreads - How your system gets infected