Microsoft Windows Desktop Security

Occassionally I am asked about securing a Microsoft Windows desktop system against viruses and similar unwanted intruders. When the August and September 2003 email viruses infected several friends' computers I decided to prepare this short document. Please note that this document focuses on keeping a clean Windows system clean.

There are two basic kinds of viruses. The obvious virus is the one that takes over your computer and attempts to replicate itself on other computers through your computer.

The other, less obvious kind of virus, is the hoax virus which is an email that states, in dire terms, how a vicious virus is running around and if you find a particular file on your box you are infected, and please warn everyone you know if you are infected because you will have infected their systems as well. The problem with this virus is the file in question happens to be a legitimate file and by removing the file you've trashed your computer. However, before you trashed your computer you emailed all of your friends that your computer was infected, you apologized profusely for possibly infecting theirs, and here is how you tell whether you are infected, etc.

The effect of both viruses is the same in so far as they alter your computer and replicate themselves across the internet. The second kind of virus uses human intervention to spread itself and is actually quite easy to control. The secret is, whenever you receive an email that tells you that you may have virus XYZ on your computer, you should use your favorite search engine, e.g. http://www.google.com, and read up on the virus XYZ before you do anything to your computer or email your friends that they may be infected.

The following is Symantec's web page devoted to hoax viruses: http://www.symantec.com/avcenter/hoax.html .

True viruses require more work to defend against. They come in several flavors but in all cases must be run on your computer before they are activated and take over your computer. The common mechanisms they use to run on your computer are:

  1. automatically running from your Microsoft Outlook or Outlook Express email application
  2. automatically running from your Microsoft Internet Explorer web browser
  3. automatically running from within Microsoft Word
  4. automatically running from within Microsoft Excel
  5. finding a Microsoft IIS or PWS web server on your system and running an insecure program on your computer through your web server
  6. getting you to run an executable email attachment

Items 1. through 4. can be corrected by keeping your Microsoft Windows operating system and Microsoft applications updated with security patches. Microsoft only supports recent versions of its products. See http://www.microsoft.com/windows/lifecycleconsumer.mspx for information on which specific Microsoft Windows operating systems are currently supported and when support will end. So the sequence I am about to describe is only useful on newer versions of Windows. The steps to update your Microsoft Windows operating system and Microsoft applications are:

Item 5., "finding a web server on your system and invoking insecure programs", can be corrected by disabling the web server that came with your version of Microsoft Windows. If you really want to run a web server from your home system please buy and read recent books that discuss how to secure your web server. You should also join a security email list that will email you with notifications of Microsoft web server vulnerabilities. My web server receives several virus probes every hour looking for the common vulnerabilities in Microsoft web servers. Keeping your version of Windows updated with critical patches as noted above will close some of these doors, but other doors are left open from the default setup of the web server.

Item 6, "getting you to execute an email attachment", is the big trouble maker and is how most viruses spread. If you install and maintain a good anti-virus package you decrease, but do not cut to zero, your chances of getting infected. The reason you can still get infected is a virus can be in the wild for several days before the virus is caught, studied, and virus signatures made available for your anti-virus program. There is an additional delay between the time the new virus is incorporated into a file of virus signatures and you download the new file of virus signatures for use by your anti-virus program. I am not saying don't use anti-virus programs because they certainly help, but to rely on them to keep your system clean is misguided. Many viruses can hide from anti-virus programs provided they get in and settled before the anti-virus program knows how to stop them. I know of several computers that were infected with viruses even though the computer had a moderately recent copy of an anti-virus package running on it.

How many email viruses are there? I use the anti-virus scanner clamav on my email server to filter out viruses and automatically download new virus signature files daily. On September 6, 2003 there were 9,567 virus signatures in the file. Over a hundred of those virus signatures were new in the seven preceeding days.

My strong recommendation is that you never, ever, open an attachment. Shy of that, if you know that someone is going to email an attachment to you please save the attachment to your hard drive and then attempt to open the file with the application that you are expecting the attachment to be for and never just double click on the file.

There are two reasons why this level of paranoia is justified. The main reason is that many email viruses grab FROM addresses, SUBJECT, and email content from emails that are laying around in the infected system. Hence you can get an email that, on the surface, came from someone you trust with perfectly reasonable subject and content, but that in reality came from someone else's infected computer who had your trusted friend's email address in their addressbook. The other reason this level of paranoia is justified is Microsoft typically hides the actual file extension because they consider it too techie, but the viruses take advantage of this and hide the dangerous filename extension after an innocuous filename extension.

Summing up, the short cut to keeping a Microsoft Windows desktop computer clean is to keep the operating system updated with critical security patches and to absolutely never, ever, open attachments.

The other route you can go to decrease your chance of infection is to avoid the Microsoft mono-culture. Virus writers take advantage of the fact that over 90% of desktop users are bound to Microsoft and hence typically target their viruses against Microsoft products.

It is easy to swap out your Microsoft IE, Outlook, Word, and Excel for free equivalent non-Microsoft products. For instance:

If you are running an older unsupported version of Microsoft Windows you should either upgrade to a supported version of Windows or install Linux, a free alternative, on your computer.

How can you tell if your system is already infected? If you have a commercial virus scanning program such as McAfee's or Symantec's you should update your virus definitions for your virus scanning program and force a manual scan of your system.

If you don't own a license for one of the commercial virus scanning programs you can still go to either McAfee or Symantec and download and run a program that will inspect your computer for viruses. If a virus is found you will then have to download and run a program for each virus found on your computer to scrub it off your system.

Please note that there is no guarantee that a virus scanning and repair program will restore your computer files to the condition they were before your system was infected.

On a final note, if you rely on a virus scanning program to protect you from viruses in attachments then you must manually download new virus definition files from your provider daily, and even then there is a window of a couple of days during which you are vulnerable to infection. The reason for this is the commercial virus scanning programs automatically update their virus definition files weekly but a virus can easily spread through most of the world in a day or two. The recent so-big virus variation was running rampant through Gainesville less than two days after it was first spotted by security experts and hence was not caught by the commercial virus scanning programs that had not yet run their scheduled weekly automatic update.

Heitzso
[email protected]
September 8, 2003