Thursday, July 20, 2006 1:52 PM sandi

80% of new malware defeats antivirus...

Ok, so tell me something I *don't* know:
http://www.zdnet.com.au/news/security/soa/Eighty_percent_of_new_malware_defeats_antivirus/0,2000061744,39263949,00.htm

The time is long past that I have depended on any antivirus or antispyware product to clean a system properly, or detect all malware files.  Instead I depend on products such as Process Explorer, GMER, Killbox, various rootkit analysers, packet sniffers and anything else that helps me analyse a system and search for, then analyse, then kill, aberrant processes and files.

At best, antivirus and antimalware products improve the signal-to-noise ratio by getting rid of the high-profile, obvious, easy-to-remove stuff.  They may get rid of the files and services with big "shoot me" targets on their backsides, but the really important stuff is too often missed.  I have blogged several times about my work cleaning up malware-infested PCs and servers and how the commercial products simply didn't pick up everything that was installed, even missing the primary re-infector: the file or files that are instrumental to the reinfection of a system.

It doesn't do any damn good to get rid of the files with "shoot me" painted on their butts if the primary re-infector is left untouched.  I have seen HijackThis logs with *dozens* of entries pointing to randomly named malware files... each new entry being evidence of a failed attempt to remove malware by an antivirus or antispyware application.  Is it any surprise that I have lost faith in commercial products as a whole?
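As an added defender-side illustration (not the author's code or any tool the post names), here is a small triage script over constructed HijackThis-style O4 autorun lines: the line format, the allowlist of known system binaries and the random-name heuristic are all assumptions made for the example. The point it shows is that a cluster of random-looking binaries sitting directly in the Windows directories is the fingerprint of the repeated, incomplete cleanups described above.

```python
import ntpath
import re

# Constructed sample in the style of a HijackThis "O4" (autorun) section; not a real log.
# Assumed line format: "O4 - <hive>\..\Run: [<entry name>] <command path>"
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [xqzkjfwm] C:\WINDOWS\system32\xqzkjfwm.exe
O4 - HKCU\..\Run: [vtrpqlz] C:\WINDOWS\system32\vtrpqlz.exe
O4 - HKLM\..\Run: [kdplrtwq] C:\WINDOWS\kdplrtwq.exe
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe
"""

ENTRY_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$")
VOWELS = set("aeiouy")
# Constructed allowlist: well-known system binaries that legitimately live in the Windows dirs.
KNOWN_GOOD = {"ctfmon", "explorer", "rundll32", "userinit"}
# Bare system directories where a vendor product would not normally drop its autorun binary.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

def looks_random(filename):
    """Heuristic: a stem with almost no vowels, or a long consonant run, reads as generated."""
    stem = ntpath.splitext(filename)[0].lower()
    letters = re.sub(r"[^a-z]", "", stem)
    if len(letters) < 5 or stem in KNOWN_GOOD:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(run) for run in re.findall(r"[^aeiouy]+", letters)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 5

def triage(log_text):
    """Return autorun entries whose binary is random-looking and sits in a bare system dir."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        if ntpath.dirname(path).lower() in SYSTEM_DIRS and looks_random(ntpath.basename(path)):
            flagged.append({"hive": m.group("hive"), "name": m.group("name"), "path": path})
    return flagged

def verdict(flagged, threshold=3):
    """Several such entries usually mean repeated cleanups never removed the re-infector."""
    if len(flagged) >= threshold:
        return "cluster of %d random-looking autoruns: suspect a live re-infector" % len(flagged)
    return "%d random-looking autorun(s)" % len(flagged)

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for hit in hits:
        print("%-4s %-10s %s" % (hit["hive"], hit["name"], hit["path"]))
    print(verdict(hits))
```

The path filter matters as much as the name heuristic: vendor abbreviations such as SMax4PNP.exe look random on their own but are skipped because they live under Program Files.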

A respected associate of mine pointed out that if the AV and antispyware companies are not called in to deal with the "weird and wonderful" infections that cross my desk every week, then those companies will not have the opportunity to improve their product and add detections.  That is fair enough, but here is the problem.  *Their* reach is far greater than mine.  They should be seeing this stuff before I do.  If a misconfigured terminal server is hit, and that terminal server is the only one a company has, then I don't have the freedom, or the time, to make a phone call and wait for <fill in name of antivirus company> to get back to me.  And anyway, even if they add detection for *that* malware, within a week something else will hit that is also not detected properly, and so it goes on and on and on and on and on.

So what do we do? Depending on software to protect our computers is not working.  Cure-all software isn't doing the job.  In the end, prevention is the only cure. 

Do you surf the Web using an administrator account?  That is bad.

Do you download freeware without checking into its spyware reputation?  That is bad.

Do you visit the seedier side of the internet?  That is bad.

Are you forgetting to patch your system?  Bad.

Have you turned off your pop-up blocker?  Bad.  Pop-up windows are a primary infection vector nowadays.

Have you reduced your Internet security settings because a favorite site won't work properly at default security levels?  Bad.

Did you turn off your firewall 'cause your ISP told you to when you were having problems?  Bad.

Have you avoided installing Service Pack 2 for XP because one of your software products is "not supported" in SP2 environments?  Bad... stick that software on a PC that isn't used for Web surfing.  The same goes for software that will not run unless the user has administrator rights.... if you *must* use such software then fine, run as Admin, but if you must go on the net, log in to a limited user account and surf from there.

Does that sound like too much inconvenience?  Believe me, if you get infected the inconvenience you suffer then will be far worse.  It's not that hard to get used to multiple accounts.  On my networks I have two accounts, an administrator account and a regular user account. I only log in as administrator when I require elevated permissions for a specific task. For the rest of the time, I use a normal user account.  It took a little while to get used to having to swap logins, but the temporary pain is worth the security gain.
