It's a dangerous internet out there. In this thread, let's discuss questions, recommendations, and techniques related to computer security.
Dealing with a nasty infection? Make a post and see if anyone has any advice. Need some recommendations on which anti-virus to use, or just have a quick question about what MBAM is? Check out the software list and ask around for testimonials. The thread's really intended to be a catch-all for any information you might need for security related issues. The OP will be updated as more information fills out, recommendations are made, news breaks, or errors are caught.
On that note, please feel free to contribute to the OP! If you know of a piece of security software overlooked, or take issue with the advice given, post it in the thread and the OP will be modified accordingly. As a
I personally am not a security expert, but many people on the forums are very skilled in this field. I plan to give as much help as I can, but hopefully this thread can become a useful info-dump. With luck we can avoid numerous redundant threads on the forum about the same problems, and have a quick-access reference for a variety of questions.
Most of the assembled links and advice are offered for Windows systems, but discussion for all OS flavors are invited.
A note on software: No single solution is 100% effective for every person. Depending on how you use your machine, different software will be more suited to your needs. As such, there's no way to tell you exactly what to install, but hopefully you can get some good recommendations about where to start if you're curious.
Current Top Recommendations.
From lurking about the forums, the following pieces of free software have been highly recommended by a large number of people. They're listed here for quick reference, and may change or rotate depending on forum reception and popular opinion. They're lightweight, very effective, and easy to work with. If you're wondering what to get for Anti-Virus or Anti-Malware, these are solid choices. For a list with more options, see behind the spoilers.
Here's the security bread & butter - Antivirus software. Realtime threat detection and on-demand scanning constitute the most traditional line of defense against malicious software of all kinds - Trojans, worms, viruses, and malware in general. Most, if not all, of these programs operate on a signature-based approach, meaning that they're looking for specific and known threats based on downloaded rules. That means that you'll want to keep these programs as up to date as possible while using them. New threats emerge all the dang time. Some A/V solutions employ heuristics-based detection in addition to signatures, which means that they monitor for behavior too. This can be effective for grabbing unknown baddies before they hit you, but it can also be problematic by causing certain false positives or incurring a heavy system load.
Not all A/V software is created equal. Results vary by product wildly, so be sure to do a little research before taking the plunge.
Be aware that no virus protection program is 100% effective at blocking malicious software. Even in spite of that, it's certainly a good idea to keep one running if you can stomach it. Many of the modern offerings have a very light footprint, and few-to-no nag screens or popups.
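To make the signature-vs-heuristics trade-off concrete, here is a toy scanner added for this thread (it is not the code of any real A/V product; the signature names, the marker strings and the sample "files" are all constructed). It shows the three things the paragraph above describes: a hash-only rule stops matching as soon as one byte of the sample changes, a byte-pattern rule from an updated rule set catches that variant, and a behaviour-style heuristic (persistence strings plus a high-entropy body) flags a packed sample but also throws a false positive on a perfectly ordinary installer script.

```python
"""Toy signature + heuristic scanner.

Constructed example for this thread, not the code of any real A/V product.
The signature names, marker strings and sample files below are all made up.
"""
import hashlib
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    name: str
    sha256: Optional[str] = None     # rule matches only this exact file content
    pattern: Optional[bytes] = None  # rule matches any file containing these bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means the bytes look uniformly random (packed/encrypted)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Strings that droppers use for persistence, but that legitimate installers use too.
HEURISTIC_INDICATORS = (b"cmd.exe /c", b"CurrentVersion\\Run", b"-EncodedCommand")


def signature_hits(data: bytes, sigs) -> list:
    """Names of every signature that matches, by whole-file hash or by byte pattern."""
    digest = sha256_hex(data)
    hits = []
    for s in sigs:
        if (s.sha256 is not None and s.sha256 == digest) or (s.pattern is not None and s.pattern in data):
            hits.append(s.name)
    return hits


def heuristic_score(data: bytes) -> int:
    """Count suspicious traits; no single trait is proof of anything."""
    score = sum(1 for ind in HEURISTIC_INDICATORS if ind in data)
    if shannon_entropy(data) > 7.5:
        score += 1
    return score


def scan(data: bytes, sigs, threshold: int = 2) -> dict:
    return {"signatures": signature_hits(data, sigs),
            "heuristic": heuristic_score(data) >= threshold}


# --- constructed samples: no real malware here ---
KNOWN_BAD = b"MZ\x90\x00" + b"CONSTRUCTED-DROPPER-MARKER-001" + b"\x00" * 32
VARIANT = KNOWN_BAD[:-1] + b"\x01"              # one byte changed: the hash rule no longer matches
PACKED = bytes(range(256)) * 4 + b"cmd.exe /c"  # near-random body plus one persistence string
BENIGN_INSTALLER = (b"@echo off\r\n"
                    b"cmd.exe /c copy app.exe %APPDATA%\\App\\\r\n"
                    b"reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v App /d app.exe\r\n")

HASH_ONLY_DB = [Signature("Dropper.Constructed.A", sha256=sha256_hex(KNOWN_BAD))]
# the "updated definitions": a generic pattern rule covering the whole family
UPDATED_DB = HASH_ONLY_DB + [Signature("Dropper.Constructed.gen", pattern=b"CONSTRUCTED-DROPPER-MARKER")]


if __name__ == "__main__":
    samples = {"known bad": KNOWN_BAD, "variant": VARIANT, "packed": PACKED, "installer": BENIGN_INSTALLER}
    for db_name, db in (("hash-only rules", HASH_ONLY_DB), ("updated rules", UPDATED_DB)):
        print(db_name)
        for label, sample in samples.items():
            print(f"  {label:10s} {scan(sample, db)}")
```

Running it shows why the thread keeps saying "update your definitions": with the hash-only rule set the variant scans clean, and only the updated pattern rule catches it. The installer row is the cost of heuristics: two persistence strings are enough to cross the threshold even though nothing malicious is present.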
Not so free (Many come with trial periods) -
Antivirus software is great, but more and more these days A/V suites miss a lot of rogue security software or ad-spamming greyware. It's always a good idea to pair your A/V solution with a good on-demand malware scanner. These things tend to kill fake/rogue security programs dead. MBAM is highly recommended.
On-Demand and Realtime Scanners
(i.e., You're already infected)
- RKill (Malware process terminator. This will NOT clean your system, but it will murder the malware processes and allow you to launch cleaners like MBAM that may be inhibited otherwise. Check out the associated guide for further instructions).
Basic layers of defense against intrusion from internet-based attacks. From Windows XP SP2 and higher, Windows Firewall should be on by default. A large majority of people using computers should therefore already have a firewall on, but these solutions offer more robust options if you're interested.
Interesting note: Windows Firewall has caught a lot of flak in the past for not having outbound protection. For XP, it certainly doesn't. In Windows Vista and Windows 7, though, it is possible to configure the firewall for outbound filtering. See here for more details.
Personal Opinion from the OP (Take with a grain of NaCl): If you're worried about nasties, outbound blocking isn't going to help you much. Once the thing is on your system, it's too late, even if you're blocking its communications. Outbound blocking/monitoring can be useful for privacy's sake, though.
Rootkit Detection and Removal
Rootkits can be nasty, nasty things when put to malicious purposes. I'm not an expert, so I can't explain them fully, but my layman's understanding of them is that they can effectively hide from just about anything - including your A/V and Antimalware software. The following programs are designed to detect and/or remove rootkits from your system.
Make no mistake, though. If a rootkit gets on your system, the highly recommended course of action is to backup, clean format, and rebuild. It's the only way to be sure you got the sucker.
(Unless specified, these programs are only for x86 machines. 64-Bit Rootkit detectors are a different matter)
Other Protective Software - HIPS (Host Intrusion Prevention System) and Sandboxing
HIPS and Sandboxing programs add a fantastic layer of first-line defense in addition to Antivirus and Antimalware software. Most of these programs aim to prevent any software that's untrusted from running or modifying the system, or else will run programs/save files in a virtualized environment where they can't cause harm. Sometimes this means more hassle for the end user in some regards - if you actually want to get a file or program out of the sandbox, or past the HIPS, you have to do so manually - but it's very difficult for nasties to get past these layers if you have them configured correctly.
Keep in mind some of these programs take some advanced configuring, and may not play well with others. I'd recommend further research into each product before taking the plunge.
Note that as of writing this post, there are no functioning HIPS or Sandboxing programs that I know of for x64 Windows machines. Microsoft's Patchguard makes this rather difficult. (EDIT: 64-Bit Sandboxie is available, in release form, as of 2/3)
Other useful software
- Sysinternals - Tools of great value, now owned by Microsoft.
- Autoruns - Allows you to see and manipulate/remove all startup tasks and such. Also has a very handy 'Filter Out Windows Processes' option.
- Process Explorer - Task Manager on steroids. Allows you to see all running processes, including parent/child process relations and in-use DLLs, etc.
- Process Monitor - More detailed process information, including monitoring of real-time file system, registry, and thread activity.
- Secunia Personal Software Inspector - Free tool designed to alert you to the presence of outdated and/or vulnerable software on your system. Great for keeping up with third-party programs.
- HijackThis - Now owned by Trend Micro, HijackThis is a useful program for determining if nasties have their hooks in your browsers. A HijackThis log is sometimes requested if you're looking to remove malware, but not always. It takes a bit of experience to decipher the logs, but if you want to auto-analyze the results there are two OK-ish websites here and here. Just be aware of what you're doing before you remove anything!
- ESET SysInspector - Tool for monitoring system changes and status. SysInspector takes 'snapshots' of your system, and reports back 'risk' levels for each entry it finds. The real power comes from the ability to compare 'snapshots' between different time points, to see what changes have occurred to your system.
- WinPatrol - System monitoring software. WinPatrol keeps an eye on new additions and changes to your system, and alerts you when they take effect.
- Cleanup! - Free tool to remove temporary files from various locations on a Windows XP or earlier system, where malware oftentimes hides after infection.
- CCleaner - Tool to remove unwanted temporary files and/or old registry entries from a system.
LiveCD and RescueCD options
In the event that your system becomes infected with a piece of malware, it's often preferable to try to solve the problem from outside the afflicted operating system instead of trying to address the issue from within. The following LiveCD and RescueCD options are bootable images that you can burn to a disk. The tools and available utilities for each vary depending on which you choose, but they will all allow you to boot into a Linux or Windows environment from which you can address infection, or else take you directly to a scanning utility. This can be particularly useful for backing up files from an existing partition before doing a complete reformat/reinstall.
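The "take a snapshot, take another later, compare" idea behind ESET SysInspector and WinPatrol in the useful-software list above is easy to try yourself. The script below is an added example for this thread (not code from either product): it hashes every file under a directory tree, takes a second snapshot after some changes, and reports what was added, removed or modified. The real tools also snapshot registry autoruns, services and drivers; this only covers files, but the comparison logic is the same. The demo directory and its contents are constructed inside a temporary folder so the script runs offline on any OS.

```python
"""Snapshot-and-compare of a directory tree.

Constructed example for this thread; not ESET SysInspector or WinPatrol code.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files don't land in memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(before: dict, after: dict) -> dict:
    """Compare two snapshots; a changed hash means the content changed, not just the timestamp."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def demo() -> dict:
    """Build a fake system folder, change it, and return the diff (all contents constructed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Startup").mkdir()
        (root / "System32").mkdir()
        (root / "System32" / "helper.dll").write_bytes(b"original library")
        (root / "Startup" / "sync.lnk").write_bytes(b"shortcut to sync tool")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # What a later snapshot might reveal: a startup entry nobody remembers adding,
        # an edited hosts file, and a shortcut that quietly disappeared.
        (root / "Startup" / "updater.lnk").write_bytes(b"shortcut nobody remembers adding")
        (root / "hosts").write_text("127.0.0.1 localhost\n0.0.0.0 update.example.test\n")
        (root / "Startup" / "sync.lnk").unlink()
        later = snapshot(root)

        return diff_snapshots(baseline, later)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(f"{kind:9s} {entries}")
```

The useful habit is to take the baseline when the machine is known clean (right after a rebuild is ideal) and keep it somewhere the machine can't rewrite it, otherwise a later comparison is only telling you about changes since the last time something may already have been wrong.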
Having layers of security is always a fantastic idea. It's never a good approach to rely upon one security suite and hope it will keep you one-hundred percent safe. There are actually a number of really great ways to keep your system secure that don't involve additional scanning applications, some of which are built right into most operating systems.
Because I'm a silly, silly goose, you can find this information elsewhere in the thread (I neglected to account for size, and this was a late addition to the OP). Even if it sounds a bit different than usual, this is really important stuff! Take a look and see what works best for your system.
Even the most vigilant user can get infected these days, thanks to the way zero-day threats and new malware propagate at an alarming rate, and in unexpected ways. If you suspect that you've been infected, there are a number of ways to verify a compromise. Try running MalwareBytes AntiMalware, an anti-virus scanner, or an online scanner from the list below. They'll let you know what, if anything, hit you. If they come back positive, or you're just sure that the porn-laden pop-ups / Scareware windows that you're seeing are a good indication that you've been compromised, there are several things you can do. It's hard to give generic advice that will work in all cases, but the following are some basic ways to approach the problem. These options are, in no particular order:
- The Nuke From Orbit: Backup your data. Clean format your hard drive. Reinstall your operating system and start over. Whatever infected you, it'll likely be gone.
Yes, it sounds severe, but to be completely honest it's the only way to be sure. Modern malware has deep-digging claws, and if it gets onto your system there's a good chance of it inviting all of its friends. Once an initial infection occurs, most nasties will launch droppers to install other trojans and such, and even deploy rootkits onto your system. There's always a possibility that, no matter how well you cleaned the system, there's something left over that you can't see. Some nasty shit like Virut will also corrupt just about everything on your system, so even removal of the virus will leave damaged files behind that can't be repaired.
If you take this course of action, be sure to scan your backups for nasty garbage before you restore them. Remember, PDF and .doc files are vectors for infection. Disable autorun for USB devices on XP (it's disabled by default on Vista and 7) before you plug in your backup drive, and ensure your stuff is clean before restoring.
It may seem like a pain in the ass, but if you're running a modern system on Win 7, reinstallation can be quite fast. And with programs like NLite and vLite it can be a bit easier to manage. Restoring from an image backup can be even more painless, if your backup solution hasn't been compromised.
- Outsider Assistance: Scan your disks from outside the operating system.
Booting from a live-CD into another operating system will ensure that whatever crap got its hooks into your machine will be inert. See the "LiveCD and RescueCD options" section in the "Useful Software List" section above for various image files that can assist in either scanning for nasties, or else allowing you to backup your system from outside the OS. Alternatively, you can mount the HDD somehow to an OS X or Linux system with A/V software, and scan through that route. A bit tricky if you go the 'pop the HDD' route, perhaps, but safer than trying to clean from within Windows, if your Windows disk is infected.
- The Inside Job: Scan in Safe Mode.
Reboot your system. Once the BIOS POST message clears, mash on F8 until you have the option to load various Windows Safe-Modes. Choose Safe Mode with Networking, and let things load up. Once you're in, download, install, and update MalwareBytes AntiMalware as necessary. Let it run a full scan, and then take action to remove any nasties. Follow this up with an A/V scan from one of the entries on the list below to make sure you're clean. Mix and match removal tools and other anti-malware solutions as necessary (It'll really depend on what you're dealing with). This approach has variable success, but can do the trick in some cases.
If you're going to try to clean an infected system from the infected partition, one of the strongest, most effective tools to root out the malware is ComboFix. Note that this is extremely powerful software, and inappropriate usage will damage your system. The link above will take you to a guide that's pretty comprehensive, so just be sure you're following along appropriately. In many cases, ComboFix is a pretty stellar way to combat even rootkits.
A couple of additional notes about this method: First, sometimes MalwareBytes works very well in Safe Mode, but sometimes it's not ideal. The creators themselves have said MBAM isn't designed to run in Safe Mode, but anecdotal evidence suggests that's the only way to root out some nasties. Your mileage may vary, so you might want to try scanning both in and out of Safe Mode. Second, if malware is pestering you to the point that you can't even run any security/cleanup software, try using RKill to terminate the nasty process before launching your cleaners. There are several flavors of RKill to try, but you only need to use one. The others are there as alternatives in case one is blocked.
More will be added to the list as time goes on. Until then, be safe!