
Question about Malware


14 replies to this topic

#1 DefaultGateway

Posted 10 April 2016 - 07:26 AM

Let's say the malware comes from the Internet and wants to infect a PC.

Which "roadblock" must the malware get past?

 

First Roadblock = the user itself

Second Roadblock = Firewall

Third Roadblock = Anti Exploit

Fourth Roadblock = Windows Updates

Fifth Roadblock = Anti Malware

Last Roadblock = Anti Virus

 

Is the above correct?

I know that the user is the "first line of defence", but is it correct that the firewall is the "second line of defence" and that anti-exploit is the "third line of defence" and so on?




#2 xXToffeeXx (Malware Response Instructor)

Posted 10 April 2016 - 07:56 AM

There's no defined order.

 

Windows updates and anti-exploit are not really a roadblock if the malware does not use exploits. Antivirus and antimalware do basically the same thing nowadays, so depending on the settings and each program, they should react within roughly the same time if the threat is detected by the product.

 

xXToffeeXx~

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

Malware Analyst at Emsisoft


#3 quietman7 (Global Moderator)

Posted 10 April 2016 - 08:05 AM

The best defensive strategy to protect yourself from malware and ransomware infection is a comprehensive approach: make sure you are running an updated anti-virus and anti-malware product, update all vulnerable software, disable VSSAdmin.exe, use supplemental security tools with anti-exploitation features capable of stopping (preventing) infection before it can cause any damage, and routinely back up your data, then disconnect the external drive when the backup is completed. Finally, back up, back up, back up. Backing up data and disk imaging are among the most important maintenance tasks users should perform on a regular basis, yet it's one of the most neglected areas.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Agouti

Posted 10 April 2016 - 08:05 AM

It's not a matter of which is the first, second or third roadblock.  Take, for instance, your firewall and antivirus.  They perform different functions.  Therefore, how can you categorize one as the "Second Roadblock" or "Last Roadblock"?  I may be wrong, but my own interpretation of "the user is the first and last line of defense" is this: The user is the one who is ultimately in control.  The user can have the best defenses in the world (if there is such a thing) but if the user can be tricked into turning off those defenses then they become worthless.



#5 RolandJS

Posted 10 April 2016 - 08:17 AM

I... The user can have the best defenses in the world (if there is such a thing) but if the user can be tricked into turning off those defenses then they become worthless.

or, tricked into helping the malware make an end-run around, and/or through/right past, the defenses


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#6 DefaultGateway (Topic Starter)

Posted 10 April 2016 - 11:06 AM

Thank you all for replying to this topic.

I would like to ask some more questions regarding malware protection.

1) A user is using an antivirus, anti-malware, anti-exploit and firewall.

But the user never updates his/her Windows OS. His/her Windows OS is always outdated.

Will the user still be "sufficiently" protected against malware?

2) A user is not using an antivirus, anti-malware, anti-exploit or firewall.

But the user does update his/her Windows OS. His/her Windows OS is always up to date.

Will the user still be "sufficiently" protected against malware?

3) A user only installs critical updates provided by Windows Update; the user doesn't install recommended updates and doesn't install optional updates provided by Windows Update.

Is it OK to only install the critical updates provided by Windows Update? (Not talking about the Windows 10 updates.)



#7 Agouti

Posted 10 April 2016 - 11:17 AM

May I ask what's the point of these questions?  What are you trying to achieve?



#8 DefaultGateway (Topic Starter)

Posted 10 April 2016 - 11:35 AM

I am curious about what happens if a user uses an antivirus but not an anti-malware.

Or what happens if a user uses a firewall but not an antivirus.



#9 Didier Stevens (BC Advisor)

Posted 10 April 2016 - 12:36 PM

1) No, the user is, for example, not protected against exploit kits that exploit an IE vulnerability. You cannot rely on anti-* to detect and stop all malware.

2) No, the user is, for example, not protected against a malicious document that delivers ransomware.

3) OK for what purpose?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#10 Agouti

Posted 10 April 2016 - 12:56 PM

I am curious about what happens if a user uses an antivirus but not an anti-malware.

Or what happens if a user uses a firewall but not an antivirus.

Are you yourself considering doing these things?  Why?



#11 RolandJS

Posted 10 April 2016 - 01:44 PM

I suspect a fair number of out-of-box new computers, while perhaps receiving Windows Updates, are never added to or subtracted from concerning anti-whatevers, and once the OEM-installed security software's trial-period/trial-license runs out, it - ah - runs out.  Like re-cleaned Milo seed, gets dustier and dustier and gets more and more bugs.


#12 rp88

Posted 10 April 2016 - 02:47 PM

Post 1, that's sort of right, but the user can sometimes, if they slip up, let things bypass many of those layers at a time. For example, a user who deliberately downloads a program they think is safe but is actually dangerous, and then tries to run it, has already bypassed the firewall, the anti-exploit, updates and any browser protection. Also, in some circumstances, like drive-bys caused by adverts on legitimate sites (this sometimes happens to big news sites with ads round the corners), the user isn't a line of defence; everything happens much too fast. You'll need anti-exploit protection, or even better script blocking and anti-exploit working together, to stop this.



Post 6,
The user doing 1 isn't very safe, but if they use a browser that isn't IE or Edge and they keep that browser, any plugins, Flash and such updated, but not Windows, they won't be so unsafe. If they add in script blocking they'll probably be OK most of the time, but it's better to have Windows' security updates as well. Just check for security updates manually each Tuesday evening/Wednesday morning, then install them, and ignore non-security updates if you don't specifically need them.

The user doing 2 can't be safe unless the system is always offline and they never plug in anything to transfer files to it (by USB/CD/DVD...) which hasn't come from a computer they know to be clean from infections and on which they've scanned the files many times.

The user doing 3 is almost* certainly safe, but still needs to be careful. Non-critical Windows updates are generally not security ones; they're bug fixes. This user MIGHT have the odd usability bug in some programs which they could have updated but haven't, but their security will not be weakened. I don't install any Windows updates that aren't security updates; there may be some usability bugs on my system that weren't fixed, but I've never encountered them. As for security, mine is good.

All 3 of these users could be infected though, so keep backups. All 3 of them would benefit from something like NoScript; they'd also benefit from disabling plugins in browsers except on the few occasions they need to use the plugins. All 3 of them ought to follow careful practices. Without the anti-exploit the users would be much less safe, due to the drive-by risk; many drive-bys use newly developed viruses, so antivirus and antimalware won't catch them.

*Note the word "almost": no one is ever 100% safe. That's why backups of personal files and system images of operating systems, settings and programs are crucial to have.

Edited by rp88, 10 April 2016 - 02:49 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems: 2 laptops, Intel i3 processors, Windows 8.1 installed on the hard drive and Linux Mint 17.3 MATE installed to USB

#13 RolandJS

Posted 10 April 2016 - 07:49 PM

"...Note the word "almost", no-one is ever 100% safe. That's why backups of personal files and system images of operating systems, settings and programs are crucial to have..."  rp88

+1 to everything he posted!  Concerning backups, yes, they too can become infected by backing up already-infected files.  However, like wearing seatbelts, one is much better off, generally speaking, wearing them than not wearing them, when things go wrong.


#14 DefaultGateway (Topic Starter)

Posted 11 April 2016 - 11:03 AM

Thank you all for replying to this topic.

I don't have any more questions for now.

 

Cheers,

DefaultGateway



#15 quietman7 (Global Moderator)

Posted 11 April 2016 - 03:39 PM

You're welcome on behalf of the Bleeping Computer community.