Guide to Securing Your PC!

In today’s climate, what is the best approach to avoiding getting your PC infected with malware? Here are some simple steps you can take to ensure viruses, trojans, keyloggers and other nasties don’t take control of your PC.

After spending years testing security products I’ve learned an important lesson.

Don’t get infected by malware.

In other words, put maximum effort into preventing infection rather than detecting and removing infection.

This statement may seem bland and unremarkable but there’s more to it than you think.

The traditional way of adding additional protection

For a long time I’ve advocated that the best way of protecting your PC is to use multiple security layers based on anti-virus, anti-spyware, anti-trojan, HIPS and other security software.

It’s still a sound approach but I’ve come to believe that for most folks, the cost is too high and the additional protection afforded too little.

The cost here is not so much financial, though that is an issue, but rather the serious impact that adding many security layers can have on the performance of your PC.

There is also a cost in complexity. The more security programs you run the more chance they will either interfere with each other or with other programs.

Each additional layer you add increases your protection, but only by an incremental amount. A good anti-virus program may offer 95% protection. Adding a good anti-spyware utility may increase this to 97%. The addition of an anti-trojan may take it to 98%.

This is because today’s security products overlap in function much more than they used to. A modern anti-virus program will detect a lot of spyware while a modern spyware program will detect some viruses, worms and trojans as well.

Although the protection achieved only goes up incrementally with each layer added, the processing load on your PC will rise more or less in proportion to the number of layers. So adding an anti-spyware layer to your anti-virus layer will double the load on your PC. Adding an anti-trojan as well may well triple it.

So folks, while layering is a good thing we are faced here with a law of diminishing returns.

But that’s not the only problem with the traditional layering approach to protection. If an aggressive malware program is allowed to run on your PC it may disable all your layers of protection rendering them useless.

I’ve seen it happen many times and it is a frightening sight to see all your security programs’ icons disappear from the system tray.

Thankfully some security programs resist termination by hostile agents but the majority don’t. And even those that do resist may well prove vulnerable to new, more advanced termination methods yet to be developed by malware programmers.

My approach these days is simple: if you allow malware programs to run on your PC don’t expect your security programs to fully protect you. If you are lucky they will but with security, you shouldn’t rely on luck.

So how do you prevent infection?

The basics

  1. Ensure you keep Windows and MS Office completely up-to-date by applying the latest fixes from the Microsoft Update Service.
  2. Make sure your other software products are also fully updated, particularly popular products like Firefox, Opera, the Adobe Reader, Sun Java, Flash plug-ins and media players. The easiest way to do this is to use the free Secunia Software Inspector
  3. Be careful where you surf. In particular, stay away from sites offering commercial software serial numbers, keygens and other hacked material. Avoid accidentally wandering to hostile sites by installing McAfee Site Advisor, a free browser plug-in that appends site security ratings to search engine listings.
  4. Never click on email attachments from untrusted sources however tempting and attractive such attachments may seem. Similarly, never click on links in email from unknown correspondents.
  5. Never install programs unless you are fully confident they are clean. In particular, only download files from trusted sources and never install programs that friends give you on removable media unless you have verified that they are clean by submitting them to free web-based testing services such as Jotti and VirusTotal.
  6. Install a robust firewall to ensure worms can’t secretly enter your PC via the internet. My current favorites are the free Comodo firewall and ZoneAlarm Pro but there are several other excellent choices including Jetico and Netveda to name but two.

These basic measures are surprisingly effective in keeping your PC free from infection. Indeed, I’ve known users who follow these rules and don’t use any additional security products yet have never had a malware infection.

However, sticking to these rules is not easy; it requires a level of discipline most users don’t have. Who hasn’t been tempted to open a funny PowerPoint email attachment or install a free game?

And it’s not only a question of discipline. These days you can get infected simply by innocently surfing to a hostile web site or opening a “loaded” MS Office document. You need more protection than the basic security rules can provide.

Protection is better than cure

The best way to increase your level of protection is to make sure that if a malware program sneaks its way onto your PC, it is never allowed to run in a normal Windows environment.

A normal Windows environment is a user account with full administrator rights. It’s probably what you are using right now as it is the default setup in all recent versions of Windows up to but excluding, Windows Vista.

There are three ways you can keep malware well away from your normal Windows account.

  1. Use a Windows limited user account for your daily work
  2. Run all high risk programs with limited rights
  3. Run all high risk programs in a sandbox or virtual machine

Each method has its pros and cons so let’s look at them individually.

Option 1: Use a Windows limited user account for your daily work

Using a limited user account can be very effective in preventing malware infection as most malware products need full administrator rights to install themselves. In a limited account they just can’t get a foothold.

It’s easy to set up a limited user account. Just go to the Control Panel, select User Accounts and create a new user account as a limited user. Then sign in to this account for your normal computer work rather than the account you are currently using.

Setting up a limited account may be easy but using it can be a real pain. For example you won’t be able to install most programs. You won’t be able to update others. You won’t be able to access any part of the PC other than your own documents and the shared documents area. Heck, you won’t even be able to change the system date!

Some folks can work with these limitations or work-around them by swapping to a full privilege administrator account when they need to install programs or do other more advanced tasks. Others use the Windows “Run as” command and similar utilities to temporarily elevate their privileges when needed.

Most users, though, find using a limited account to be simply too awkward and inconvenient. Sure, their computer is safe, but that’s little comfort if their PC is only barely usable.

That said, using a limited account is an excellent solution for advanced users prepared to tolerate the inconvenience or ordinary users with basic computer needs. If Granny never does anything but check her mail and browse to newspaper sites to read the headlines, then setting her up with a limited account is a good way to go. Do expect phone calls though; one day even Granny is going to need to do something that requires administrator privileges.
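The Control Panel steps described earlier, done from PowerShell instead. This is an added example and not code from the original article: it creates a limited (“standard”) account for daily work and then checks that the account really has no administrator rights before you start using it. It assumes Windows 10 / Server 2016 or later (the Microsoft.PowerShell.LocalAccounts module), an elevated session, and English group names; the account name DailyUser is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article: create a limited ("standard")
# user for daily work and verify it has no administrator rights.
# Assumptions: Windows 10 / Server 2016 or later (LocalAccounts module),
# elevated session, English group names; 'DailyUser' is a placeholder name.

function New-LimitedUser {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password
    )
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        # Unlike "net user /add", New-LocalUser gives the account no group
        # membership at all, so the Users membership is added explicitly below.
        New-LocalUser -Name $Name -Password $Password `
            -Description 'Limited account for daily work' | Out-Null
    }
    # Membership in BUILTIN\Users and nothing stronger is what "limited" means
    Add-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue
    # If the account already existed as an administrator, demote it
    if (Get-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction SilentlyContinue) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $Name
    }
}

function Test-LimitedUser {
    # $true only if the account exists, is enabled, is in Users and is not a
    # direct member of Administrators.
    param([Parameter(Mandatory)][string]$Name)
    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) { return $false }
    $inUsers  = [bool](Get-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue)
    $inAdmins = [bool](Get-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction SilentlyContinue)
    return ($user.Enabled -and $inUsers -and -not $inAdmins)
}

$name = 'DailyUser'   # placeholder account name
New-LimitedUser -Name $name -Password (Read-Host -AsSecureString "Password for $name")
if (Test-LimitedUser -Name $name) {
    "$name is a limited user. Log off and sign in to it for everyday work."
} else {
    Write-Warning "$name is missing, disabled, or still has administrator rights."
}
```

Run Test-LimitedUser again whenever an installer has asked for an administrator password; some setup programs add the current account to Administrators, which silently undoes the protection.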

Option 2: Run all high risk programs with limited rights

This is a more practical strategy. Run as a full administrator user but restrict the rights of all programs such as your browser and email client that can be sources of malware infection.

Getting this to work could be a complex business but thankfully there are some free utilities available that were written to perform this exact task.

The best known of these is DropMyRights. It allows users to easily create special versions of their browsers, email clients, IM clients, media players or other internet-facing programs that run from a full administrator account but with the restricted rights of a Windows limited user.

It’s a simple and neat solution that provides good protection from infection yet doesn’t inconvenience the user in the same way as working from within a limited user account. I’ve written a practical guide to running programs using DropMyRights. You can find it here.
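The same rights drop can be demonstrated without any third-party utility, using the runas.exe that ships with Windows. The script below is an added example and is not code from the original article or from DropMyRights: it starts a program from a full administrator account under a restricted “Basic User” token (the same SAFER restricted-token mechanism DropMyRights is built on), but first proves that the restricted token really cannot act as an administrator. It assumes Windows XP or later, that it is run from the administrator account you normally use (elevated on Vista and later), that the default Public folder is writable by the user, and that the browser path in $Program is a placeholder you replace.

```powershell
#Requires -RunAsAdministrator
# Added example: not code from the original article and not DropMyRights itself.
# It uses the runas.exe that ships with Windows to start an internet-facing
# program from a full administrator account under a restricted "Basic User"
# token, after checking that the restricted token has really lost admin rights.
# Assumptions: Windows XP or later, run from your normal administrator account
# (elevated on Vista and later); $Program is a placeholder path.
param(
    [string]$Program = 'C:\Program Files\Mozilla Firefox\firefox.exe'   # placeholder, change to your browser
)

# 0x20000 is the "Basic User" trust level; list them all with: runas /showtrustlevels
$BasicUser = '0x20000'

function Start-Restricted {
    # Start $CommandLine under a Basic User token. runas returns as soon as the
    # child has started and never waits for it, so callers poll for side effects.
    param([Parameter(Mandatory)][string]$CommandLine)
    Start-Process -FilePath 'runas.exe' -Wait `
        -ArgumentList "/trustlevel:$BasicUser", "`"$CommandLine`""
}

function Test-RestrictedToken {
    # Two checks that only a full-rights token passes:
    #  1. creating a folder under %SystemRoot% must FAIL from the restricted process
    #  2. whoami inside the restricted process must list BUILTIN\Administrators
    #     (S-1-5-32-544) as "Group used for deny only"
    $probe  = Join-Path $env:SystemRoot 'droprights-probe'
    # Space-free path the same user can write to without admin rights, so the
    # redirection needs no nested quotes (assumes the default Public folder ACL)
    $report = 'C:\Users\Public\restricted-token.txt'
    Remove-Item $probe, $report -Recurse -Force -ErrorAction SilentlyContinue

    Start-Restricted "cmd /c md $probe"
    Start-Restricted "cmd /c whoami /groups /fo list > $report"

    # Wait for the detached children to finish writing
    $deadline = (Get-Date).AddSeconds(10)
    while (-not (Test-Path $report) -and (Get-Date) -lt $deadline) {
        Start-Sleep -Milliseconds 250
    }
    Start-Sleep -Milliseconds 500

    $adminsDenyOnly = $false
    if (Test-Path $report) {
        $text = Get-Content $report -Raw
        if ($text -match '(?s)S-1-5-32-544.*?Attributes:\s*([^\r\n]+)') {
            $adminsDenyOnly = $Matches[1] -like '*deny only*'
        }
    }
    $result = [pscustomobject]@{
        SystemRootWriteBlocked = -not (Test-Path $probe)
        AdministratorsDenyOnly = $adminsDenyOnly
        ReportCaptured         = Test-Path $report
    }
    Remove-Item $probe, $report -Recurse -Force -ErrorAction SilentlyContinue
    return $result
}

$check = Test-RestrictedToken
$check | Format-List
if ($check.SystemRootWriteBlocked -and $check.AdministratorsDenyOnly) {
    Write-Host "Restricted token verified; starting $Program with limited rights."
    Start-Restricted $Program
} else {
    Write-Warning 'Could not confirm the rights drop; not starting the program.'
}
```

The “deny only” attribute is the whole trick: the restricted token still belongs to your account, but the Administrators group SID in it can only ever cause access to be denied, never granted, so anything the browser downloads and runs from inside that process inherits the same limits.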

The approach, however, has some weaknesses, perhaps the worst of which concerns downloaded files. Yes, you are safe from infection while using the browser, but if you later run any files you download from your normal, full-rights account, you can easily be infected if those files contain embedded malware.

There’s no easy way of getting around this either. However our next solution provides the perfect answer.

Option 3: Run all high risk programs in a sandbox or virtual machine

The strange name “sandbox” derives from the Java world where it refers to the highly contained and restricted environment in which Java programs (applets) are allowed to run. They are allowed to “play in the sandbox” but not go outside it. The important point is that while running in the sandbox, the programs have no access to your PC.

So it is with sandbox security programs. While browsing or engaging in any computer activity within the sandbox you are totally corralled off from the other parts of your PC. Any files you download are isolated to the sandbox. Similarly, any programs that are executed only do so within the sandbox and have no access to your normal files, the Windows operating system or indeed any other part of your PC.

That means that if you get infected by malware while using the sandbox, your “real” computer is not affected. Furthermore, you can close the sandbox and all that’s within it is erased, including any infections, leaving your real PC in a pristine state.

Sandboxing is a great security solution for preventing infection. There are also some excellent sandboxing programs around including my favorite, the donationware utility “SandBoxie.”

There are some downsides. Sandboxing creates a two-worlds view of your computer and this confuses some users. It is not necessarily always clear whether at a given moment you are working in the sandbox or not. Overcoming this potential confusion requires users to be attentive and disciplined. If they get it wrong and think they are surfing in the sandbox when they are not it’s possible to become infected.

This confusion is particularly evident with downloaded files. Files in the sandbox are not really permanently on your computer unless you deliberately move them from the sandbox to your real PC. If you shut the sandbox without moving them they will be lost forever.

This two-worlds view is simply too confusing for some users. With sandboxing, a confused user can be an unsafe user.

There are other problems too. Sandboxing is only available for PCs running Windows 2000 and later. Furthermore sandboxing can create problems on some PCs. Indeed I’ve known PCs to seize up totally with a sandbox installed. Luckily though, this is not common.

Virtual machines such as VMWare and Microsoft’s Virtual PC are similar to sandboxing but take the idea one step further by completely separating the virtual machine from the real PC at a conceptual level. Rather than have a sandbox as part of your real PC you have a virtual PC that is notionally fully distinct from your PC.

This difference aside these two virtualization models have a lot of similarities. Infections that are incurred in the virtual machine cannot affect the real PC. Similarly shutting down the virtual PC removes all trace of infection.

Unfortunately they also share the same user confusion: “Am I in my real PC or the virtual one?”

The greater separation provided by the virtual machine approach does offer a more robust security model than sandboxing, but it comes at a cost. Virtual machines consume a lot of memory and have a fair degree of processing overhead compared to sandboxing. And moving between the real and virtual machines can be more awkward than with sandboxing. Like sandboxing, virtualization can be troublesome on some PCs.

From a user’s perspective sandboxing is the more attractive option though IT professionals would probably prefer the greater flexibility and superior isolation offered by virtual machines. I’ve written a practical guide to surfing using a sandbox which you can find here.

Security wise both offer excellent protection from malware infection. The protection is so good that disciplined users don’t really need many other security products to protect them.

Indeed all you need is a good firewall and a good anti-virus program. Combine these with a good sandbox and you will have better security than other users who employ five or more different layers of active security software protection.

Even better your PC will run fast; a complete contrast to machines running multiple security products.

What about on-demand scanning?

OK I’ve come out heavily against running multiple active security products but what about passive security products like on-demand scanners?

An on-demand scan is one you manually initiate. It may be an anti-virus scanner, an anti-spyware scanner, a rootkit detector or a keylogger scanner.

I’m all for on-demand scans as, unlike using products that employ active monitoring, they don’t impose an on-going overhead on your computer. The only computer power they consume is while they are actually performing a scan.

Take for example a good anti-spyware scanner like the free version of AVG Antispyware or the excellent free Panda Anti-rootkit detector. They consume virtually no computer power unless you actually run the programs. And because they are not constantly running they are less inclined to cause any problems with other programs.

So by all means run on-demand scans periodically: weekly, monthly, whatever. They are a good backstop to your anti-virus program.
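One way to make “periodically” stick without anything staying resident between scans is a Scheduled Task. The script below is an added example and not code from the original article or from any of the scanners it mentions: it registers a weekly task that runs a command-line on-demand scanner at 3 am on Sundays, and catches up at the next start-up if the PC was off. It assumes Windows 8 / Server 2012 or later (the ScheduledTasks module) and an elevated session; the scanner path and its arguments are placeholders for whichever on-demand scanner you use (check its documentation for the real switches).

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article: a weekly Scheduled Task
# for a command-line on-demand scanner, so nothing is resident between scans.
# Assumptions: Windows 8 / Server 2012 or later (ScheduledTasks module),
# elevated session; scanner path and arguments are placeholders.
param(
    [string]$Scanner   = 'C:\Tools\OnDemandScanner\scan.exe',                 # placeholder
    [string]$Arguments = '/scan C:\ /log C:\Tools\OnDemandScanner\weekly.log', # placeholder
    [string]$TaskName  = 'Weekly on-demand malware scan'
)

function Register-WeeklyScan {
    param(
        [Parameter(Mandatory)][string]$Scanner,
        [string]$Arguments,
        [Parameter(Mandatory)][string]$TaskName
    )
    if (-not (Test-Path -LiteralPath $Scanner)) {
        throw "Scanner not found at $Scanner"
    }
    $action  = New-ScheduledTaskAction -Execute $Scanner -Argument $Arguments
    $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 3am
    # Run as SYSTEM so the scan can read every profile; it still only runs when triggered
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    # If the PC was off at 3 am, run the missed scan when it is next available,
    # and stop a runaway scan after four hours
    $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
        -ExecutionTimeLimit (New-TimeSpan -Hours 4)
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Settings $settings -Force | Out-Null
    # Return the registered task's schedule so the caller can confirm it
    Get-ScheduledTaskInfo -TaskName $TaskName
}

$info = Register-WeeklyScan -Scanner $Scanner -Arguments $Arguments -TaskName $TaskName
"Task '$TaskName' registered; next run: $($info.NextRunTime)"
```

Afterwards, check the scanner’s log after the first scheduled run rather than trusting the task exists; a task that fires but whose scanner exits with an error gives you no protection and no warning.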

Conclusion

When it comes to today’s aggressive malware programs, preventing malware from ever getting on your PC is a better strategy than trying to intercept it when it tries to run.

You can prevent malware getting on your PC by combining safe computing practices with other techniques such as reducing the privileges of high risk programs, sandboxing and the use of virtual machines.

Reducing the privileges of high risk programs is a simple workable solution for most users. Sandboxing and virtualization offer a more complete solution but are not entirely free of practical problems. For those who can work with these problems, sandboxing and other virtualization solutions offer the best way currently available to prevent malware installing itself on your PC.

With these elements in place, the only active security software you really need is a good firewall and a broad-spectrum anti-virus program. That said, you can, indeed should, supplement these with periodic on-demand scans of your PC with a good anti-spyware product and a good rootkit detector. These on-demand products won’t impose the on-going overhead you would incur with security software that uses active monitoring.

None of this comes without cost. Defensive computing requires time and discipline. Users not prepared to put in the effort are advised to stay with a layering strategy using multiple security products.

For me, the days of running five or more active security software products on my PCs are over. Your Grandmother was correct: an ounce of prevention is worth a pound of cure.
