2. Choosing and Installing an Antivirus Client
Antivirus software works primarily by comparing the contents of the computer with a list of known viruses (virus definitions) to
see whether any part of a computer is infected. It does this in two
different ways. The first is by scheduling recurring scans, daily or
perhaps weekly at a time of your choosing, during which the program
plods through all endangered areas of the computer. If any viruses are
found, they can be cleaned, deleted, or rendered inert, effectively
stopping the virus from spreading. Several prominent companies offer
antivirus scans of this type for free on their websites. This cleaning
approach works magnificently in some cases. In other cases, after a
computer is compromised, cleaning a virus is like trying to push a
bullet back into a gun.
Viruses are best detected and defeated before
they infect and damage a computer, which is why web-based scans alone
are not enough. Real-time protection is the second major feature of
modern antivirus programs, and the one that’s worth money. With
real-time protection, computer activity is constantly monitored.
Whenever a file is read, opened, or modified, it is checked against the
list of known viruses. With this level of protection, a virus can be
identified and stopped before it can spread or cause any damage, and
that is a valuable service indeed.
Most modern antivirus programs provide both
scheduled scans and real-time protection, but both features are only as
good as the list of known viruses they can identify. Virus writers are
an active bunch, and using an antivirus program with an outdated list is
not much better than running nothing at all.
When a new virus is detected in the wild,
antivirus vendors race to identify and capture its unique signature.
Only then can the vendor’s virus definition lists be updated and
distributed to customers, so in addition to the quality of the software
itself, the experience and knowledge of the response team is of
paramount importance. Good antivirus vendors deliver timely and
effective virus definition updates, so seek a vendor with a proven
record of responsiveness. The heavyweights in the industry are McAfee,
Symantec, and Trend Micro, but a number of well-respected smaller
vendors do a fine job, some of whose products might be a better
alternative.
If you subscribe to a high-speed Internet
service, it’s likely that your provider will supply you with an
antivirus program free of charge. Although ISPs are in general an
outstanding bunch, their generosity is far from altruistic. ISPs provide
free antivirus programs because if they don’t, unprotected systems can
bog down their networks, erode trust in their service, and cause a
string of headaches. Many hackers first go for easy targets, and an
unprotected system on a public network is soon mincemeat or, worse, can
be used as a launching pad for further attacks.
Tip
The antivirus business is
a 2 billion dollar market, where the initial cost of a software product
is quickly outweighed by costs for recurring subscription services for
updates. When selecting a product, consider yearly subscription costs
over the expected life of your computer. Multiyear subscriptions may
provide valuable discounts, but as competition increases, subscription
prices may drop.
If your ISP provides free antivirus protection,
the ISP usually has done the homework to select a reputable vendor and
can often provide some level of support for that product. You may cross
the margin of diminishing utility by paying more for a different
antivirus program, so unless you have a specific need, try your ISP’s
recommended antivirus software if you don’t already have some installed.
If your computer manufacturer offers none, and
your ISP doesn’t either, you might need to buy antivirus software
yourself. This might seem challenging at first glance because there are
so many features to consider and product lines change frequently. For
advice on antivirus software, consult reputable periodicals such as PC World or PC Magazine, both of which maintain up-to-date information on their websites. You might also want to check out Virus Bulletin at www.virusbtn.com.
It’s great when viruses are stopped before they
get a chance to take root, but sometimes they’re uncovered only after
the damage is done. The primary job of your antivirus software is to
detect and prevent viruses. Most programs can clean and repair simple
infections, but more complex and destructive viruses require separate,
specifically designed removal tools. If you’re not careful, even if a
virus is successfully cleaned, re-infection can occur the second you
lift your finger from the mouse button. Regardless of which software
protects your computer, here are the steps to break the cycle and get
rid of a virus effectively:
1. Manually run Windows Update to fix any new security vulnerabilities in Windows. To be thorough, also check vendors’ websites for updates to any additional software you may have installed. Remember, if you remove a virus but remain vulnerable to a relapse, you might be in for a long day.
2. Update your virus definitions to detect the latest threats. Most antivirus software uses definition files that become stale quickly. Don’t bring a knife to a gun fight.
3. Run a virus scan to find and eliminate any viruses. If you clean or quarantine a virus this way, run a follow-up scan to make sure it’s truly dispatched. If not, at least you have identified the name of the threat and can proceed to the next step.
4. Visit your antivirus vendor’s website and search for the identified threat. Most likely they have instructions and tools to help remove the virus from your computer. After a removal attempt, run another scan to confirm success. If needed, a general web search can often reveal alternative methods of treatment.
If all else fails, the fifth step to virus
removal is tried and true: reinstall Windows from scratch. Make sure to
delete and re-create the hard disk partitions during the install, and
pat yourself on the back for having a recent backup of your critical
data.
3. Windows Defender for Spyware Protection
Mark Twain famously said, “There are lies,
damned lies, and statistics.” No matter whose statistics you believe,
reports and personal experiences indicate that most if not the vast
majority of Internet-connected systems have some form of spyware
installed. It’s a big enough problem that Microsoft has
included antispyware capabilities in the box with Windows 7. Windows
Defender evolved from Microsoft’s 2005 free beta release of Microsoft
AntiSpyware and is built with technology gained from Microsoft’s
acquisition of Giant Company Software, Inc. Spyware protection is its
chief focus, but as the name implies, Windows Defender does not limit
itself exclusively to spyware protection and takes on the remainder of
malware that antivirus programs can leave untreated.
After spyware gets onto a system, it can be
difficult to remove. Let’s assume you have a cousin named Heather who,
after admittedly visiting suspicious links on MySpace, is convinced
something bad has happened to her computer. Performance has degraded
noticeably. Pop-ups abound. Like many, Heather is an avid fan of
toolbars and neat programs that do wonderfully cute things. They have
cute names such as BearShare and Bonzi Buddy, and at first seem to make
the computer more fun than it ever deserved to be.
If her suspicion is correct and the system is
indeed infested with spyware, it could take a seasoned computer expert
many, many hours to be almost certain
that the system is rid of malware. “Almost certain” because, once a
computer is compromised, it’s difficult to know with absolute certainty
that it is clean unless drastic measures are taken. Even after scouring
the system with a variety of antispyware tools, intermediate-level
system cleaners, and ultimately the more advanced power tools, it’s
difficult to be convinced that a previously compromised system is truly
clean because, just as layered defenses are so effective at preventing
malware, layered deception can be equally effective at hiding it. A more
efficient and effective route in severe cases may be to reinstall from
scratch. Not a quick or easy fix.
As with viruses, by far the best way to prevent
spyware is to stop it before it gets into the system, and Windows
Defender monitors several system locations that are the main targets. It
does its best to scan for rootkits, keystroke loggers, and other
threats that do not fall into the worm or virus category. Along with
real-time protection, Windows Defender provides the capability to
periodically scan the computer, at a time and frequency you select,
against the list of known spyware agents.
A quick scan of the usual suspect areas is the
default configuration, designed for optimal performance and daily use,
whereas a full scan exhaustively covers every file and process on the
computer. A full scan may result in slow performance while it runs, so
is intended to run only occasionally, or when you think spyware may be
lurking. To ensure up-to-date scanning capability, Windows Defender
automatically checks for updated spyware definitions before each
scheduled scan and downloads them if needed. For both real-time
protection and scheduled scans, spyware alerts are classified as severe,
high, medium, low, or unknown.
Each alert level is subject to finely granular
control, including whether to automatically remove detected spyware.
Because false positives are a risk, Windows creates a restore point
before each automatic spyware removal to enable recovery if needed. The
sensitivity and scope of real-time protection can be fine-tuned in even
greater detail or disabled altogether. Windows Defender resides in
Control Panel (icon view). Its behavior is highly configurable through
the Options section of its Tools menu, shown in Figure 3. Thankfully, default options should suit most users, although there’s enough flexibility to please discriminating tastes.
Note
Real-time protection
comes from nine software agents that protect different parts of the
system. It’s smart to leave all of them on, but each can be disabled
independently. That way, compatibility or other issues with a single
agent can be addressed while the rest stay active. The Options section
shown in Figure 3 includes a Real-time Protection link to get details on each agent.
Arcane tweaks aside, the method for rooting out
spyware is fairly straightforward in most cases. Click Control Panel,
Windows Defender, and then the Scan menu button to perform a quick scan.
If you have a healthy level of paranoia, which does not mean they’re not after you, click the down arrow next to the Scan button and select Full Scan.
When the scan completes, Windows Defender will either report that it finds no problems, as shown in Figure 4,
or enumerate all potentially unwanted software it finds. At that point,
if you’ve had enough of this spyware nonsense and just want it gone,
click Remove All. To control exactly what will be removed and what will
stay, peruse the Review Items section. It includes detailed information
on each item detected, and relevant links to Microsoft’s online
Malicious Software Encyclopedia if applicable. After you’ve removed the
unwanted software, or quarantined it if you’d rather put it in the
penalty box and investigate further, you can verify a clean bill of
health with a follow-up scan.
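The four removal steps listed earlier and the scan-then-rescan routine just described can be scripted against Windows Defender. The script below is an added example, not code from the book or from Microsoft; it assumes a current Windows release that ships the Defender PowerShell module (Windows 8.1 and later; the Windows 7 version of Windows Defender exposes no such cmdlets), an elevated session, and the staleness thresholds named in the comments.

```powershell
# Added example (not from the book). Assumes the Defender PowerShell module
# (Windows 8.1 and later) and an elevated session; thresholds below are assumptions.
#Requires -RunAsAdministrator
Import-Module Defender -ErrorAction Stop

$maxPatchAgeDays      = 30   # assumed: warn if no Windows update was installed within a month
$maxDefinitionAgeDays = 1    # assumed: refuse to scan with definitions older than a day
$scanType             = 'QuickScan'   # switch to 'FullScan' when something may be lurking

# Step 1: Windows Update cannot be driven from this module, so at least measure how
# stale the patch level is and send the operator to Windows Update first.
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-$maxPatchAgeDays)) {
    Write-Warning "No Windows update installed in the last $maxPatchAgeDays days; run Windows Update before cleaning."
}

# Step 2: refresh the definitions, then verify the refresh actually took effect.
Update-MpSignature -ErrorAction Stop
$status = Get-MpComputerStatus
if ($status.AntivirusSignatureAge -gt $maxDefinitionAgeDays) {
    throw "Definitions are $($status.AntivirusSignatureAge) day(s) old after update; not scanning with a stale list."
}
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning "Real-time protection is disabled; a clean scan result will not prevent re-infection."
}

# Steps 3 and 4: scan, report each new detection by name (the name is what you look up
# on the vendor's site), then rescan until a pass finds nothing new.
for ($pass = 1; $pass -le 3; $pass++) {
    $scanStart = Get-Date
    Start-MpScan -ScanType $scanType
    $new = Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -ge $scanStart }
    if (-not $new) {
        Write-Output "Pass ${pass}: no new detections; clean bill of health for a $scanType."
        break
    }
    foreach ($d in $new) {
        $threat = Get-MpThreat -ThreatID $d.ThreatID
        Write-Output ("Pass {0}: {1} (severity {2}) in {3}; status {4}" -f
            $pass, $threat.ThreatName, $threat.SeverityID, ($d.Resources -join ', '), $d.ThreatStatusID)
    }
    if ($pass -eq 3) {
        Write-Warning "Detections persist after 3 passes; use the vendor's removal tool or reinstall from scratch."
    }
}
```

The loop stops at three passes on purpose: a threat that survives repeated cleaning is the case the text hands off to vendor removal tools or a reinstall, not to yet another scan.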
For those of you who enjoyed the Software
Explorer feature in previous versions of Windows Defender, you won’t
find it in the latest version that’s bundled with Windows 7. Microsoft
streamlined Windows Defender to act mainly as a malware scanner and
removal program (its original purpose) rather than the more
comprehensive tool that it had become. To get a detailed, consolidated
view of software running on your computer, or a more detailed way to
check up on suspicious software (such as the lack of a digital
signature), use AppLocker or a third-party anti-malware tool.
Malware
is not usually digitally signed because its authors are not often
interested in being identified. However, programs that are set to
auto-start can also provide clues about persistent malware, which
prefers to restart automatically when the computer is rebooted. For
advanced malware detection and removal tools, including those that
report on digital signatures, few sources can match the Sysinternals
website, a widely respected provider of free Windows power tools.
The reigning champion of its ilk is Process Explorer, available for download at www.microsoft.com/sysinternals.
Microsoft bought Sysinternals and hired the brains behind it, software
gurus Mark Russinovich and Bryce Cogswell. Unlike antivirus programs,
which can interfere with each other, it’s safe (and recommended) to use
multiple antispyware programs. In addition to Windows Defender and
Process Explorer, we also recommend SpywareBlaster, available at www.javacoolsoftware.com.
One interesting feature of Windows Defender is
its use of Microsoft SpyNet. There is strength in numbers, and SpyNet
leans on the collective wisdom of all participating users to inform
decisions about installing unknown or suspicious software. In the
television quiz show Who Wants to Be a Millionaire, contestants are asked to answer multiple-choice trivia questions for cash. Once per game,
when stumped, contestants may choose to “Ask the Audience” for
assistance. Studio audience members each electronically enter their best
answer; the contestant is instantaneously presented with a graph
indicating which answers are most favored by the audience.
SpyNet works much like “Ask the Audience,” but
instead of cash, you’re playing for the safety of your computer. When
Windows Defender detects suspicious changes that it has yet to classify,
you can see how other SpyNet members responded to the alert and make
your own informed choice about how to proceed. Not quite as exciting as a
quiz show, perhaps, but a fresh approach to spyware defense. It’s
important to note that on the television show, “Ask the Audience” is a
mixed bag. The audience is often correct on pop culture or general
knowledge questions, but sometimes it is wrong.
It’s also important to note that participation
in SpyNet is elective and turned off by default. When joining,
participants must select either Basic or Advanced membership, which
controls how much information will be sent to Microsoft about the
potential spyware on your computer. Sending information of this kind
involves a degree of trust and is not appropriate for everyone.
Note
As evidenced by the
layout of the Security heading in the Action Center, there is often one
program to block spyware, another to fight viruses, and yet another to
provide a network firewall on a single PC. The industry trend is toward
convergence. Many antivirus programs now use their scanning technology
to identify and remove spyware, and some include a personal firewall as
well. Some packages even include rootkit and phishing protection in some
form. In coming years, we might see the evolution
of an Integrated Security Client rather than a grab-bag of specialized
applications, or at least more cohesive suites of products. Comprehensive
PC management services, which include malware defense, are another
interesting development. In May 2006, Microsoft launched Windows Live
OneCare, an attempt at a more holistic approach to PC management
including malware protection, preventative maintenance, backups, and
tech support. In the second half of 2009, a new offering called
Microsoft Security Essentials (MSE) takes over this job.
Essentially, Basic membership sends detailed
information about files, complete URLs, and possibly search terms, in
addition to what actions you took in response to the potential threat
and some general computer information. Advanced membership can contain
personal information from file paths and may provide memory dumps, which
could provide valuable information to Microsoft engineers but could
also contain the most sensitive data on your computer.
For detailed information
about what kind of information is sent based on membership type, and
how Microsoft promises to protect your privacy, a link to the Windows
Defender Privacy Statement Online is provided in the Microsoft SpyNet
section of Windows Defender.