On a day-to-day basis, we encounter far too many small businesses who have accepted viruses and other malware as an unavoidable part of their life. Their machines are constantly having problems, the anti-virus finds malware every week (assuming there is anti-virus), and they have lots of unexplainable “weird” little issues.
REACTIVE VS. PREVENTATIVE
Unfortunately, the conventional wisdom of the industry seems to focus on anti-virus, anti-spyware, content-scanning, and other for-pay services and products. Common-sense preventative maintenance is almost never suggested as a low-cost alternative.
It doesn’t have to be that way!
The typical approach to combating malware is reactive. In other words, it's like leaving your front door and all your windows unlocked, but having a security guard swing by once a day to check up on the place.
A better way is to be proactive, and close the vulnerabilities that make most malware effective in the first place.
As an example, how do you maintain your car? You change the oil, don't abuse it, and follow a scheduled maintenance plan. You don't (I hope) skip all that and instead take it to your mechanic periodically for a rebuild at several thousand dollars a pop.
The first is proactive, the second reactive.
Can you guess which approach costs more money? (Hint: it's the reactive approach.)
A BETTER WAY
Following is a list of 5 simple preventative steps you can take to stop malware in its tracks. The best part is that it won't cost you a dime for products.
These are listed in order of how difficult they are to do. The first is the easiest, and the last is the most difficult.
1. Automatic Updates
Turn on Windows Automatic Updates. Have it automatically do the updates, not just notify.
This is the single most effective way to protect yourself against infection. A very large portion of the malware in the wild depends on one or more unpatched vulnerabilities to make the initial infection.
If you’re always patched within a few days of the patches being released, then a very large portion of all malware will just fail on your system.
The common argument is that sometimes Windows updates break things. That's true, but it's a very small number. Based on 10 years of doing this sort of work, I'd put the number significantly below 1%.
Based on this, a simple risk analysis shows that patching automatically is the best bet.
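As an added example that is not part of the original post, here is a PowerShell script that checks whether Automatic Updates is set to download and install on its own, and with -Enforce switches it to that setting. It uses the Windows Update Agent COM object (ProgID Microsoft.Update.AutoUpdate) and reads the Group Policy key that can override the local setting. Assumptions: the Windows Update Agent is present (XP SP2 and later), and -Enforce is run from an elevated prompt because Settings.Save() needs administrative rights. It was written for the XP/Vista/Win7 generation the post discusses; on Windows 10 and later the COM object still exists but update behaviour is governed differently, so treat it as an audit there.

```powershell
# Added example, not from the original post: audit Windows Automatic Updates
# and, with -Enforce, switch it to "download and install automatically".
# Assumes the Windows Update Agent (Microsoft.Update.AutoUpdate) is present;
# -Enforce needs an elevated (administrator) prompt for Settings.Save().

param([switch]$Enforce)

# NotificationLevel values as defined by the Windows Update Agent.
$Levels = @{
    0 = 'Not configured'
    1 = 'Disabled'
    2 = 'Notify before download'
    3 = 'Download automatically, notify before install'
    4 = 'Download and install automatically (scheduled)'   # the recommended setting
}

function Get-AutoUpdateState {
    $au    = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $level = [int]$au.Settings.NotificationLevel

    # Group Policy (HKLM\...\WindowsUpdate\AU) wins over the local setting.
    # NoAutoUpdate = 1 disables Automatic Updates regardless of the level above.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $noAuto    = $null
    $policyOpt = $null
    if ($policy) {
        $noAuto    = $policy.NoAutoUpdate
        $policyOpt = $policy.AUOptions     # same 1..4 meaning as NotificationLevel
    }

    $ok = ($level -eq 4) -and ($noAuto -ne 1) -and ($policyOpt -eq $null -or $policyOpt -eq 4)

    New-Object PSObject -Property @{
        NotificationLevel   = $level
        Description         = $Levels[$level]
        PolicyNoAutoUpdate  = $noAuto
        PolicyAUOptions     = $policyOpt
        MeetsRecommendation = $ok
    }
}

function Set-AutoUpdateScheduledInstall {
    $au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    # Keep the settings object in a variable: each read of .Settings may hand
    # back a fresh COM wrapper, and Save() must be called on the one we edited.
    $settings = $au.Settings
    $settings.NotificationLevel = 4
    $settings.Save()        # requires administrative rights
    $au.DetectNow()         # ask the agent to check for updates right away
}

$state = Get-AutoUpdateState
$state | Format-List NotificationLevel, Description, PolicyNoAutoUpdate, PolicyAUOptions, MeetsRecommendation

if ($Enforce -and -not $state.MeetsRecommendation) {
    if ($state.PolicyNoAutoUpdate -eq 1) {
        Write-Warning 'Automatic Updates is disabled by Group Policy; change the policy, not the local setting.'
    } else {
        Set-AutoUpdateScheduledInstall
        Get-AutoUpdateState | Format-List NotificationLevel, Description, MeetsRecommendation
    }
}
```

Run it once with no arguments to see the current state; MeetsRecommendation is only true when the local level is 4 and no policy turns Automatic Updates off or forces a weaker level. The policy check matters because a machine can look correctly configured in the Control Panel while a stale Group Policy quietly keeps it on "notify only".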
2. Use a Modern Web Browser
Use Internet Explorer 8 (IE8) or Firefox for your default browser.
IE6 and IE7 have long histories of being very vulnerable to drive-by downloads, ActiveX vulnerabilities, and other general nastiness. Don't use them. IE8 is quite an improvement, and actually relatively good, especially given Microsoft's history of browsers. The potential challenge is that you may have internet apps or other legacy systems that depend on IE6 running ActiveX controls.
In addition, IE8 on Vista or Win7 runs in a very tightly sandboxed mode by default called Protected Mode. It actually runs with fewer privileges than a standard, non-admin limited user account. This is a defense-in-depth approach, such that even if something does get through, it'll have little to no ability to do harm.
If you can't move to IE8, then try out Firefox. Firefox is an excellent browser, and will serve you well in most cases.
Keep in mind that Firefox is now popular enough to be specifically targeted by malware attacks. So you have to keep it patched to current. On balance, if you can't rely on keeping Firefox patched to current, then you're better off with IE8.
3. Use a modern email client
If you’re still running Outlook 2000 or XP, especially if they are not patched fully, then you have a number of wide open holes in your system.
Consider upgrading to the current version of Outlook or GMail if you're a business, or Thunderbird or a web client if you're a home user. For home users, the built-in Outlook Express or Vista Mail is adequate, provided that you are keeping the system fully patched via recommendation #1 above.
In general, the days of emails automatically executing malware on viewing are a thing of the past, but only if you're not still using a mail client from 1999.
4. Keep the Naughty 5 Patched
Adobe Acrobat and/or Acrobat Reader. Adobe Flash Player. QuickTime Player. Java. Firefox.
These are rapidly becoming the primary targets of many attacks, as they’re much more difficult to keep patched to current than the built-in operating system software.
They are critical, however. Adobe's products in particular are notorious for a nearly endless stream of vulnerabilities. There are even techniques that exploit a vulnerability in some versions of Flash to break out of the IE8 Protected Mode.
Unfortunately, there's a reason this item is #4. It's not simple for home users, or for businesses without strong IT departments, to keep these up to date on all computers, so you end up doing them manually. Once a month should suffice in most cases.
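Doing the monthly check by hand starts with knowing what is actually installed on each machine. As an added example that is not part of the original post, this PowerShell script serves both #2 and #4: it lists which of the Naughty 5 are present and at what version, plus the installed Internet Explorer version, reading only the registry so it needs no third-party tools. The DisplayName patterns are my assumption about how these installers commonly register themselves (Flash registers its ActiveX and plugin builds as separate entries, and both are shown); the -Baseline hashtable is yours to fill in with the versions you consider current, nothing here ships a version list.

```powershell
# Added example, not from the original post: inventory the "Naughty 5"
# (Adobe Reader/Acrobat, Flash Player, QuickTime, Java, Firefox) and the
# Internet Explorer version from the registry. Pass
#   -Baseline @{ 'Firefox' = '3.6.13'; 'Java' = '6.0.230' }   (your numbers)
# and anything older than the baseline is flagged OUTDATED.

param([hashtable]$Baseline = @{})

# DisplayName patterns for the products we care about. The Label is the key
# used for -Baseline lookups. Patterns are an assumption based on the names
# these installers commonly register; adjust if your copies differ.
$Targets = @(
    @{ Label = 'Adobe Reader/Acrobat'; Pattern = '^Adobe (Reader|Acrobat)' },
    @{ Label = 'Adobe Flash Player';   Pattern = '^Adobe Flash Player' },
    @{ Label = 'QuickTime';            Pattern = '^QuickTime' },
    @{ Label = 'Java';                 Pattern = '^Java(\(TM\))? \d' },
    @{ Label = 'Firefox';              Pattern = '^Mozilla Firefox' }
)

# Both Uninstall hives: native, and 32-bit software on 64-bit Windows.
# The second path does not exist on 32-bit Windows; SilentlyContinue covers that.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-IEVersion {
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    # IE10 and later report the real version in svcVersion; older builds only have Version.
    if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
}

function Get-NaughtyFiveInventory {
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
               Where-Object { $_.DisplayName }

    foreach ($t in $Targets) {
        # ($matches is a PowerShell automatic variable, hence $hits)
        $hits = @($entries | Where-Object { $_.DisplayName -match $t.Pattern })
        if ($hits.Count -eq 0) {
            New-Object PSObject -Property @{ Product = $t.Label; Name = ''; Version = ''; Status = 'not installed' }
            continue
        }
        foreach ($h in $hits) {
            $status = 'installed (no baseline given)'
            if ($Baseline.ContainsKey($t.Label)) {
                try {
                    $have = [version]$h.DisplayVersion
                    $want = [version]$Baseline[$t.Label]
                    if ($have -lt $want) { $status = 'OUTDATED' } else { $status = 'current' }
                } catch {
                    # Some installers write version strings [version] cannot parse.
                    $status = "version string '$($h.DisplayVersion)' not comparable"
                }
            }
            New-Object PSObject -Property @{ Product = $t.Label; Name = $h.DisplayName; Version = $h.DisplayVersion; Status = $status }
        }
    }
}

Get-NaughtyFiveInventory | Format-Table Product, Name, Version, Status -AutoSize
"Internet Explorer: $(Get-IEVersion)"
```

Run it on each machine (or push it out through whatever remote-execution you already have) and the OUTDATED rows are your to-do list for the month. An IE version starting with 6 or 7 is the signal that #2 still needs attention on that machine.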
5. Run as Non-Administrator/Limited-User
This is the big one. If you can do this and #1, you’re going to be largely (though never completely) protected, even without anti-virus.
Unfortunately, for home users and small businesses without strong IT shops, this step can sometimes be difficult to do.
Vista and Win7 make it simpler, as UAC (despite its very vocal detractors) is significantly better than RunAs and MakeMeAdmin were on XP (for those brave few who tried running as non-administrator in XP).
However, this is probably the single most effective approach, after patching. The vast majority of malware out there requires administrative rights to be able to install itself and do its evil. If you aren’t running as admin, then most of this stuff is just stopped in its tracks.
If you're a business still running XP, and you have some level of IT support available (either in house or outsourced), and viruses/malware are a consistent problem, try this. Even if you have a couple of pieces of software that don't run well as non-admin, your IT staff or consultants can often tweak the system to make them work.
Bottom line, if you can operate in this mode, malware will be nearly a thing of the past in your business.
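The hard part of this step is usually finding out who is quietly running as admin. As an added example that is not part of the original post, here is a read-only PowerShell audit for one machine: it reports whether UAC is on, whether the current session actually holds administrative rights (under UAC an admin's everyday non-elevated session reports false, which is the state you want for daily work), and who is in the local Administrators group. It resolves the group by its well-known SID rather than by name so it also works on localized Windows; the registry values read are the standard EnableLUA and ConsentPromptBehaviorAdmin settings, which are absent on XP.

```powershell
# Added example, not from the original post: a quick audit of whether this
# machine follows step 5. Reports UAC state, whether this PowerShell session
# holds administrative rights, and the local Administrators membership.
# Read-only; nothing here changes the system.

function Test-IsElevated {
    # True only when the session's token really carries the Administrators group.
    # Under UAC, an admin's everyday (non-elevated) session returns $false here,
    # which is exactly the state step 5 wants for day-to-day work.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacState {
    # EnableLUA = 1 means UAC is on (Vista and later; the value is absent on XP).
    # ConsentPromptBehaviorAdmin = 0 means admins are elevated silently, which
    # throws away most of UAC's benefit.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
    }
}

function Get-LocalAdministrators {
    # Resolve the group by its well-known SID so this works on localized Windows
    # where the group is not literally called "Administrators".
    $sid       = New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $account   = $sid.Translate([Security.Principal.NTAccount]).Value   # e.g. BUILTIN\Administrators
    $groupName = $account.Split('\')[-1]
    # The ADSI WinNT provider is available from XP onward without extra modules.
    $group     = [ADSI]"WinNT://./$groupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
        $path -replace '^WinNT://', ''      # DOMAIN/user or MACHINE/user
    }
}

$uac = Get-UacState
"UAC enabled (EnableLUA):         $($uac.EnableLUA)"
"Admin prompt behaviour:          $($uac.ConsentPromptBehaviorAdmin)"
"This session has admin rights:   $(Test-IsElevated)"
"Members of local Administrators:"
Get-LocalAdministrators | ForEach-Object { "  $_" }

if (Test-IsElevated) {
    Write-Warning 'This session is running with administrative rights. For everyday work use a standard account and elevate only when needed.'
}
```

The useful output is the membership list: every everyday user account that appears there is a machine where most malware still gets the rights it needs. The fix is to move those accounts into Users and keep one separate admin account for the occasions that genuinely need it.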
Did you notice that none of those required buying anything from anybody, with the possible exception of your IT provider?
On top of this, you can also use the typical means (anti-virus, mail scanning, etc). These provide a wonderful defense in-depth.
But I can tell you from years of experience: there is a direct correlation between these 5 preventative approaches, which we use internally in our business, and problems with malware. We have none.
The bottom line here is one of cost. It’s simply cheaper to run your systems with a little bit of preventative maintenance, than to have to clean them up periodically. And what business owner wouldn’t prefer their staff spending time doing their business, rather than fighting with their computers?
We actually see more than an order of magnitude difference in support costs and quantity between clients that run as non-admin (and follow the other 4 steps) and those that don’t. The savings can really be quite significant.
In other words, prevention beats firefighting, any day of the week.