2009 is ancient history when it comes to where malware is today. Windows 7
was only released in July '09 and Vista adoption was low; the vast majority
of systems deployed were XP executing everything with local admin rights.
The low-hanging fruit was everywhere, every conceivable buffer overflow gave
you immediate root access to the system.

It's not like that any more.

The Windows out-of-the-box config doesn't let you arbitrarily execute everything
with admin rights; it defaults to a restricted user and elevates through
secure user interaction. Folder integrity levels were introduced to help
prevent some classes of browser exploits from breaking out of their temp
cache directories.

Malware writers know this, and they intentionally avoid needing admin rights
and triggering unexpected UAC dialogs because it can tip people off that
something is on their system. If you're building a botnet, the last thing
you want is for it to be so noticeable that the computer gets hauled in for
repairs, removing the infection. The browsers got locked down, so they looked
for the next best thing: browser plugins that don't bother honoring any of
the security improvements that Microsoft is building into their own
products. First it was Flash, then Acrobat, and now we're on Java. These
exploits consistently do not need or request admin rights to deliver their
payload; you can harvest personal information, install a keylogger, attach
to a botnet, steal email, or run a local sniffing proxy that routes browser
traffic through it, all on a restricted user account without any problem.

Don't get me wrong, you shouldn't be giving your users admin rights. Take it
away and there will be a dramatic drop in system problems from viruses, along
with all the other issues that come along with it. But it's not going to
stop 90% of infection attempts from succeeding, not in 2013. Further
sandboxing or block lists can help as well, but those can incur a large
management overhead, and valid domains are often the ones inadvertently
hosting malware attacks these days. Anything short of an approved process
list derived from hashes is going to be ultimately ineffective to some
degree (again, a management nightmare, and it can be bypassed by registering a DLL
into an existing process), and you're going to be blind to whatever has
bypassed the perimeter protections that are in place.

That's where anti-virus software fits into this. It may be 50/50 on
stopping a new threat through heuristics, but over the following day or two
samples are submitted, definitions are updated, and the files executing on
your system are rescanned and either cleaned up on the spot or generate an
alert so they can be manually addressed. If that isn't in place, you're blind.
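The "approved process list derived from hashes" mentioned above, and the DLL-in-an-existing-process bypass that limits it, can be shown in a few lines. The following is an added example written for this archived thread; it is not code from either poster. It builds a SHA-256 allowlist from approved binaries, then checks a constructed list of running processes (image path plus the modules it has loaded) against that list. The sample files are small stand-ins written to a temp directory, not real executables, and the process list is constructed by hand rather than read from the OS.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple


def sha256_of_file(path: str) -> str:
    """Hash a file in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_paths: Iterable[str]) -> Dict[str, str]:
    """Map each approved binary's SHA-256 digest to the path it was taken from.

    Keying on the digest (not the path or file name) is the whole point: a
    renamed or replaced binary no longer matches.
    """
    return {sha256_of_file(p): p for p in approved_paths}


def check_processes(
    allowlist: Dict[str, str],
    processes: Iterable[Tuple[str, List[str]]],
) -> List[Tuple[str, str]]:
    """Return (image name, reason) findings for anything outside the allowlist.

    `processes` is an iterable of (image_path, [loaded_module_paths]).  The
    second check is what closes the gap the thread describes: an approved
    image is not a clean process if a module outside the list has been loaded
    into it.
    """
    findings: List[Tuple[str, str]] = []
    for image, modules in processes:
        name = os.path.basename(image)
        if sha256_of_file(image) not in allowlist:
            findings.append((name, "image hash not on approved list"))
            continue
        for module in modules:
            if sha256_of_file(module) not in allowlist:
                findings.append(
                    (name, f"unapproved module loaded: {os.path.basename(module)}")
                )
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: two approved files, one unknown EXE, one unknown DLL."""
    workdir = tempfile.mkdtemp()

    def write(name: str, data: bytes) -> str:
        path = os.path.join(workdir, name)
        with open(path, "wb") as f:
            f.write(data)
        return path

    # Constructed stand-ins; the bytes are arbitrary, not real PE images.
    good_exe = write("good.exe", b"MZ approved program")
    good_dll = write("helper.dll", b"MZ approved library")
    unknown_exe = write("dropper.exe", b"MZ not on the list")
    unknown_dll = write("inject.dll", b"MZ unknown module")

    allowlist = build_allowlist([good_exe, good_dll])

    processes = [
        (good_exe, [good_dll]),               # approved image, approved module: clean
        (unknown_exe, []),                    # caught by the image hash check
        (good_exe, [good_dll, unknown_dll]),  # approved image, foreign DLL loaded into it
    ]
    return check_processes(allowlist, processes)


if __name__ == "__main__":
    for image, reason in demo():
        print(f"{image}: {reason}")
```

The third process is the case the thread calls out: the image itself passes, so a list that only hashes the main executable reports nothing, and only hashing loaded modules as well surfaces it. The management cost the poster mentions is visible too; every legitimate update to an approved file changes its digest and must be re-added.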

On Thu, 7 Feb 2013 18:29:13 +0000, Hoort, Brian wrote:

After years of cleaning systems and asking about operator behavior just
prior to the infection, and at times reading reports of the top 10 AVs
averaging between 48-52% effective at blocking *emerging* threats, I've
increasingly been convinced operator behavior is far more effective (yet
elusive) than AV protection. Multiple times to test this theory I've removed
my AV for months (6-9?) and instead run several of the multiple layers of
protection you suggest; usually an ad blocker or MVPS hosts file (which
could be done at the network level), NoScript or Sandboxie. Web of Trust is
also helpful. Of three times doing this test over the last five years, I
have yet to get an infection, while those I support continue to become
infected at regular frequency while running up-to-date AV.

Pair this information with the BeyondTrust 2009 Microsoft Vulnerability
Analysis, which strongly advocates removing admin rights (with a better
success rate than AV software against emerging threats, I should point out)
and I think we've got an interesting case for either replacing AV (radical!)
or at least supplementing it and no longer considering AV our only defense
at the desktop level.

I highly recommend reading BeyondTrust 2009 Microsoft Vulnerability
Analysis, if you haven't already:
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CD0QFjAA&url=https%3A%2F%2Fwww.techdata.com%2F(S(5qsgeo45hwjh1on5noga4r45))%2Fbeyondtrust%2Ffiles%2Fwp039_BeyondTrust_2009_Microsoft_Vulnerability_Analysis.pdf&ei=j7kTUempHsfd2QX6kICYBw&usg=AFQjCNFtFkBKWy9fSHud-zZVW30RBgd8vA&sig2=1h3_vug2kvPFnYBPX6yccg&bvm=bv.42080656,d.b2I

Brian Hoort
College of Agriculture and Natural Resources
Technology Services Helpdesk
Michigan State University
Helpline: (517) 355-3776
http://support.anr.msu.edu