II – Thou shalt have Anti-virus software installed, updated and active.
Summary:
In conjunction with the first commandment, having Anti-Virus software installed, updated and active on your desktop, laptop or mobile device dramatically improves your security posture. This adds another layer of protection in the fight against the bad guys.
Don’t for one second think that just having Anti-Virus on your device will give you enough protection. It most certainly will not, as Anti-Virus vendors are always behind the virus creators*. The virus creator makes a new virus and releases it on the internet. Until an Anti-Virus vendor gets to analyse that virus, they cannot add its signature to their software, and until that updated signature reaches your device the software cannot recognise the new virus. So for that period of time (it could be minutes, more likely hours and sometimes days) your device is at risk of being infected by that virus.
So that covers installed and updated. Why did I say you need to have it “Active”? Surely it is always active? Some sneaky viruses quietly disable popular Anti-Virus software. There are also people who think that Anti-Virus uses too many resources on the device and that this negatively affects things like games, so they disable the AV while they are playing. While there is a low risk of a virus getting in through the game itself, if you use Dropbox, Google Drive, iCloud, etc. and share files with others, a virus-infected file may get onto your device through that route while the AV is switched off. So if your children use a device for gaming, ask them not to disable the Anti-Virus software or, better still, password-protect its settings so it cannot be switched off.
That’s all there is to it. I will continue below with some details on the subject of Viruses. So if you are not interested in such particulars, just make sure your Anti-Virus software is installed, updated and active.
Detail:
Virus growth over the years:
I actually wrote a paper about computer viruses back in 1993 and at that time the McAfee Anti-Virus package had reached 1,500 viruses that it scanned for. McAfee had been going for 4 years at that stage and the rate of virus creation was growing worryingly in those days. Desktop PCs were slow machines to begin with and RAM was significantly restricted in the MS-DOS/PC-DOS days (remember the 640KB maximum, before jumping through hoops to access memory up to the 1,024KB boundary and beyond). Anti-Virus (AV) software was a significant drain on resources and it was not uncommon for users to have to disable it to be able to do actual work.
Today it is hard to get an actual figure for the number of viruses out there. Back in 2012, Symantec claimed it was scanning for 17.7 million viruses, but a considerable number of these appear to be tiny variations of the same virus. At least modern devices have more power and memory with which to run AV.
The perfect Anti-Virus scanner?:
*The statement I made above about AV always being behind the creators is not entirely accurate: AV packages also look for virus-like behaviour and block it, so if my newly created virus displayed that type of behaviour it would be caught immediately without waiting for a signature to be determined. There are also packages that calculate checksums of executable files, which can then be used to verify whether a file has been changed in any way. This method can slow down the machine, as each checksum has to be calculated and compared, and you need to be absolutely certain that you started with a perfectly clean device in the first place, otherwise an already-infected file is recorded as “good”. So neither is a perfect solution.
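To make the difference between the two approaches concrete, here is an added example (my own code, not anything from the original post or from an AV vendor) that runs a toy signature scanner and a hash-based integrity baseline over a handful of constructed in-memory “executables”. The signature pattern and the file contents are made up for the demonstration; there is no real malware in it. It shows why a signature scanner misses a variant the vendor has not yet seen, why a cryptographic hash rather than a simple checksum is used for the baseline, and what goes wrong if the baseline is taken from a machine that was already infected.

```python
"""Added example: a toy signature scanner beside a hash-based integrity
baseline, run over constructed in-memory "executables" (no real malware,
no files on disk)."""
import hashlib

# Constructed signature for a "known" virus: the byte pattern a scanner
# looks for once the vendor has analysed a sample.
SIGNATURES = {
    "DemoVirus.A": b"INFECT:V1",
}

# Constructed executables in their clean state (path -> bytes).
CLEAN_FILES = {
    "bin/ls": b"\x7fELF" + b"\x00" * 12 + b"clean list tool",
    "bin/cp": b"\x7fELF" + b"\x00" * 12 + b"clean copy tool",
    "bin/mv": b"\x7fELF" + b"\x00" * 12 + b"clean move tool",
}

# The same files after an infection: bin/cp carries the known virus,
# bin/mv carries a new variant that differs from it by a single byte.
INFECTED_FILES = {
    "bin/ls": CLEAN_FILES["bin/ls"],
    "bin/cp": CLEAN_FILES["bin/cp"] + b"INFECT:V1",
    "bin/mv": CLEAN_FILES["bin/mv"] + b"INFECT:V2",
}


def signature_scan(files, signatures=SIGNATURES):
    """Return {path: virus_name} for every file containing a known pattern.
    Anything the vendor has not yet seen (the V2 variant) is not reported."""
    hits = {}
    for path, data in files.items():
        for name, pattern in signatures.items():
            if pattern in data:
                hits[path] = name
    return hits


def build_baseline(files):
    """Record a SHA-256 digest per file. A cryptographic hash is used rather
    than a CRC or additive checksum so an attacker cannot pad a modified file
    back to the old value. The baseline must be taken on a known-clean system
    and kept where malware cannot rewrite it (read-only media, another host)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def integrity_check(files, baseline):
    """Compare current files against the baseline.
    Returns (changed, added, missing) lists of paths."""
    current = {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}
    changed = [p for p in current if p in baseline and current[p] != baseline[p]]
    added = [p for p in current if p not in baseline]
    missing = [p for p in baseline if p not in current]
    return changed, added, missing


if __name__ == "__main__":
    print("signature hits:", signature_scan(INFECTED_FILES))
    good = build_baseline(CLEAN_FILES)
    print("integrity vs clean baseline:", integrity_check(INFECTED_FILES, good))
    # The caveat from the text: a baseline taken from an already-infected
    # machine records the infection as "normal" and reports nothing.
    bad = build_baseline(INFECTED_FILES)
    print("integrity vs infected baseline:", integrity_check(INFECTED_FILES, bad))
```

The signature scan reports only bin/cp, because the variant in bin/mv differs from the known pattern; the integrity check catches both changed files, but only when its baseline came from the clean state.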
Infection vectors:
There are three primary vectors by which viruses replicate. The first is by infecting executable files (.exe or .com). There are a couple of ways they achieve this. One is for the virus to stay resident in memory and “watch” for the operating system loading files: when it detects that an executable is being loaded, it checks whether it has already infected that file and, if not, infects it. The other is that when the virus executes, it scans all accessible drives for executable files and infects them.
The next vector of infection is via scripts embedded in documents. Microsoft Office documents can carry executable scripts called macros (VBA), and Adobe PDF files can carry embedded JavaScript. When a document is opened, these may be executed (Office normally warns first, and clicking “Enable Content” is what actually runs the macro). This is one of the primary ways ransomware spreads. I refer you to Commandment V (5) for how you should handle such attachments received via e-mail – “Thou shalt cast aside messages from strangers and not open attachments/click links they may send you.”
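As an added example (my own code, not from the original post), here is how you can check an attachment for embedded code without trusting its file extension. Modern Office files are ZIP archives: a document carrying VBA macros has a vbaProject.bin part inside and declares a macro-enabled content type in [Content_Types].xml. PDF files are searched for the name objects that introduce scripts or automatic actions. The sample documents are constructed in memory for the demonstration; the older OLE2 binary formats are recognised but handed off rather than parsed.

```python
"""Added example: inspect an Office or PDF attachment for embedded code
without trusting its extension. Sample documents are constructed in memory."""
import io
import re
import zipfile

# Where OOXML stores a VBA project, per application (Word, Excel, PowerPoint).
VBA_PART = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$", re.IGNORECASE)
# Macro-enabled main-document content types all contain this token.
MACRO_CONTENT_TYPE = re.compile(r"macroEnabled", re.IGNORECASE)
# Magic bytes of the legacy OLE2 container (.doc/.xls/.ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# PDF name objects that introduce scripts or automatic actions.
PDF_SCRIPT_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")


def inspect_attachment(data: bytes) -> dict:
    """Return {"format": str, "has_code": bool | None, "reasons": [str]}."""
    reasons = []
    if data.startswith(OLE2_MAGIC):
        # Legacy binary Office formats keep macros in a VBA storage inside the
        # OLE container; parsing that is out of scope here, so hand it to a
        # dedicated OLE/VBA parser rather than declaring it clean.
        return {"format": "ole2", "has_code": None,
                "reasons": ["legacy OLE2 document: check with an OLE/VBA parser"]}
    if data.startswith(b"%PDF"):
        found = [k.decode() for k in PDF_SCRIPT_KEYS if k in data]
        # Heuristic only: objects inside compressed object streams are not
        # visible to a plain byte search, so a miss is not proof of safety.
        return {"format": "pdf", "has_code": bool(found),
                "reasons": [f"PDF contains {k}" for k in found]}
    if not data.startswith(b"PK"):
        return {"format": "unknown", "has_code": False,
                "reasons": ["not a ZIP or PDF container"]}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            reasons += [f"VBA project part present: {n}" for n in names if VBA_PART.match(n)]
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if MACRO_CONTENT_TYPE.search(types_xml):
                    reasons.append("[Content_Types].xml declares a macro-enabled document")
    except zipfile.BadZipFile:
        return {"format": "zip-corrupt", "has_code": None,
                "reasons": ["ZIP container is damaged"]}
    return {"format": "ooxml", "has_code": bool(reasons), "reasons": reasons}


def make_word_document(with_macros: bool) -> bytes:
    """Construct a minimal Word package for the demo (not a real document)."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    types_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b" constructed VBA blob")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_attachment(make_word_document(True)))
    print(inspect_attachment(make_word_document(False)))
    print(inspect_attachment(b"%PDF-1.7\n1 0 obj << /OpenAction 2 0 R >> endobj"))
```

Both the vbaProject.bin part and the content type are checked because either on its own can be missing or renamed; the container is what matters, not whether the file was called .docx or .docm.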
Finally, boot sector viruses replace the first sector on the system drive, which is where the PC firmware always looks for the boot loader (the small piece of code that tells the hardware where to find the operating system files to load). Because they run from that sector, they execute before the operating system and any AV package gets loaded. These were sometimes used for stealth viruses, which once loaded into memory would use various methods to hide their existence from the operating system and, more importantly, from AV packages (for example, intercepting reads of the boot sector and handing back a copy of the original clean one). Luckily the AV community copped on to that behaviour and knows how to find even the stealthiest of viruses.
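To show what “the first sector” actually contains, here is an added example (my own code, not from the original post) that parses a Master Boot Record, splits it into its 446 bytes of bootstrap code, four 16-byte partition entries and the 0x55AA signature, and compares the code region’s hash against a copy taken when the machine was known clean. The sectors are constructed in memory and no disk is read; the device paths mentioned in the comments are the usual ones on Linux and Windows but are not exercised by the code.

```python
"""Added example: parse a Master Boot Record and compare its bootstrap code
against a known-clean copy. The sectors below are constructed; no disk is read."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446           # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into its code region, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partition_table": sector[PART_TABLE_OFF:510],
        "partitions": partitions,
    }


def compare_with_baseline(current: bytes, baseline: bytes) -> list:
    """Findings that indicate the boot sector was tampered with."""
    now, ref = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not now["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if now["bootstrap_sha256"] != ref["bootstrap_sha256"]:
        findings.append("bootstrap code changed")
    if now["partition_table"] != ref["partition_table"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Construct a demo MBR: the given bootstrap bytes, one bootable NTFS-type
    (0x07) partition starting at LBA 2048, and the boot signature."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * 48  # remaining three entries empty
    return code + table + BOOT_SIGNATURE


# Constructed stand-ins for the real loader code and for a virus that overwrote it.
CLEAN_BOOTSTRAP = b"\xfa\x33\xc0\x8e\xd0" + b"constructed clean loader"
VIRUS_BOOTSTRAP = b"\xeb\x3c\x90" + b"constructed virus loader"

if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOTSTRAP)
    infected = build_sample_mbr(VIRUS_BOOTSTRAP)
    # On a real machine the current sector would be read from the raw device,
    # e.g. open("/dev/sda", "rb").read(512) on Linux or r"\\.\PhysicalDrive0"
    # on Windows, both needing administrator rights. A stealth virus that hooks
    # disk reads can feed such a read a clean copy, which is why a scanner
    # cannot simply trust the running operating system's view of the sector.
    print(parse_mbr(clean)["partitions"])
    print(compare_with_baseline(infected, clean))
```

A boot-sector infection typically leaves the partition table intact (the virus still needs the machine to boot), so the code-region hash is the field that changes.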
It’s not all about the Viruses:
AV software scans not only for viruses, but also for things like Trojan horses, rootkits and spyware. I’m not going to get into these in this article, but will come back around to them in a future post.
A lot of the commercial AV packages now come as Suites where, along with Anti-Virus, they bundle a Firewall, Browser protection, banking/shopping protection, parental controls, etc. These all add further layers of protection and are to be encouraged, though I sometimes find on lower-end consumer devices that these suites consume a lot of resources and tend to slow the machines down.
I personally prefer to pick and choose different standalone packages for my multi-layered protection, but then again I’m an awkward type that knows what he likes. :-)
Conclusion:
If you have any comments, suggestions or questions on the above, please leave a comment below.
Do you have a Commandment for Cyber Security to add, or any thoughts on those I have listed? If so, please let me know and I will do a follow-up after I have completed the run-through.