It’s been a while since my last blog entry.  So I decided to write this entry, based on a recent conversation with a customer in reference to Security and Antivirus.  This may be more of instruction than personal blog material, however I felt compelled to do it.
 Let me open with a statement that I want to make perfectly clear.  Antivirus products are like pizza toppings; no two I.T. Professionals will agree on the best (or some figure close to that).  Also, I will be writing this for the general user, so some I.T. Professionals may find it quite basic and lacking in technical depth.
 I have been in the I.T Field for roughly 14 years.  Antivirus programs have evolved quite considerably from the beginning days, however the basic principle remains the same, across many different products.
  • Act as a liaison between the buffer and memory, compare each file against an entry in your definition database.
  • Delete, disinfect or Quarantine files that match the ones in the definitions.
In later years, a new development changed the Antivirus programs and made them much more efficient and took loads off of the development and research teams that were used to compile the definition databases.  This was called the Heuristic AV engine.  With this, Antivirus programs could effectively detect new threats that were not already listed in their definitions.  The Heuristic engines were composed of many different variables that raised alert flags within the system when certain criteria were met.  The local installation of the Antivirus program would then give a choice to the user, whether to accept or block said suspicious file.  These were also, in the background, sent to the Antivirus companies for further analysis.  Analysts would confirm the new-found threat and include the definition in next month’s definition update.
 For years, this was the way Antivirus programs worked, and to this day, some of them still use this method.  However, with the advent of the “Cloud”, came a new and better way of dealing with virus definitions.  There are a few notable products that use this technology, however I am going to use one in particular, who helped pioneer this approach, Panda Security.  Now that most internet speeds are high enough to handle this constant connection, it was feasible to eliminate the need to compile definitions every 30 to 45 days. Instead, Antivirus programs could stay connected to their databases online.  The difference this made, is that new found viruses and threats could be sent to the database and within a matter of 6 minutes, everyone else that used that particular Antivirus program was protected against the new found threat.  This made the spread of viruses much slower (within the circle of users for that particular product).
 Another great leap forward was the utilization of the Windows subsystem: VSS (Volume Shadow copy Service).  Webroot security has implemented the use of this service in order to battle malicious threats that hijack a user’s files and holds them for ransom.  One threat in particular is the Cryptolocker virus, which encrypts a users files and gives them 10 days or so to pay the ransom before access to the files is permanently lost.  Webroot, can restore the files, using the copies in the VSS system, since the encryption is, at the moment, unbreakable.
 Now that I have given you a crash course in Antivirus technology, I want to drill down to the bedrock of the reason behind my post.  NO ANTIVIRUS PROGRAM IS 100% EFFECTIVE! Remember this, and you will already be ahead of the game.  There are a few things, as a user, that you need to know when dealing with threats and the internet as a whole.
  • Get familiar with the interface of your Antivirus program.
  • Look at hyperlinks in your email before you click them
  • Be cautious of free software
  • Learn how to close your browser without clicking the “X”
  • Use Internet Explorer for downloading Chrome or Firefox ONLY.
  • Learn how to determine a secure website vs. non-secure.
 Let’s start with the 1st one, Getting familiar with your Antivirus interface.  If you have ever fallen victim to a rogue Antivirus program, then you will know exactly where I am going with this.  Many times, embedded in websites, are Javascript commands that pop a small window up (usually in the bottom corner), that appear to be an alert from your Antivirus; stating that you have n amount of viruses.  It instructs you to “click here” to begin removing them.  Once it finishes with the “scan”, it tells you that you need to purchase the upgrade for 39.95 in order to complete the disinfection.  This is what is known as a rogue antivirus program OR ransomeware.  Believe it or not, I know of MANY MANY people that gladly paid that 39.95 and didn’t know any better.  The best way to counter this is to get familiar with the way your Antivirus program looks and reacts.  That way, these “warnings” should look out of place and are easier to pinpoint.  How do I  know what my antivirus looks like when I get a virus, without actually “getting a virus”?  Simple.. there is what is known as as the eicar test file (which originally stood for: European Institute for Computer Antivirus Research).  You can obtain this test file from AND ONLY FROM:
 Second, inspect hyperlinks in your email before you click on them.  Hackers and programmers in general are very good at making hyperlinks appear to be for a particular website, when in fact, you will be directed to somewhere totally different.  Most of the time, once you click it, it is too late.  Generally in every email program, when you hover over a  link, the address that it takes you to will be displayed on the bottom-left of your program window.  For instance, you receive an email about your online bank password expiring.  They need you to click the following link:  When you hover over the link, the bottom display shows an entirely different address like: This should be a red flag, indicating that you need to delete this email immediately and NOT follow the link.
 Next, Be cautious of free software. If you think that programmers sit at their computers and write thousands of lines of code, just to make a piece of software for you and not charge anything for their time, the server space or the bandwidth it takes to accommodate downloads, think again.  These pieces of software are usually made available in exchange for your email address, personal address, phone number OR they can contain scripts that monitor your web surfing profiles or worse, record passwords and report back to their developers. Ever started getting penis enlargement emails?  Think back, there was most likely a free piece of software, free game or free online dating profile that you acquired recently.
 Next, what happens when you click to see that cat video and it takes you to a page with a big warning in the middle about your PC’s performance?  You know it is a scam, but the “X” on the window does not look like a regular “X” for closing Windows.  Good observation, most of the time, those “close” buttons will actually trigger the execution of a malicious script.  How do I safely close this without interacting with the suspicious button?  The answer is:  Alt + F4.  Pressing these two keys will effectively close whatever the “active” window is on your screen, in this example, it would close your internet browser.
 Sit around a group of I.T. Professionals long enough and you will start to hear the jokes fly, in reference to Internet Explorer.  This is not due to some comedy embedded in the browser, this is a psychological mechanism for coping with a magnitude of problems stemming from this horrible, wretched, unsafe browser.  I could write an entire paper on why you do not use Internet Explorer, but for now, just take my word for it and leave it for when you need to download Google Chrome or Firefox.
 Finally, learn how to distinguish when you are on a secure website.  Generally, you want to concern yourself with this only during times when you are entering personal information on a website. In the VERY TOP of your browser, you will see the URL of the site you are currently visiting.  A secure site should start with “https://” notice the “s’”, it stands for secure.  Get used to looking for it and if you do NOT see it, do not fill out whatever information it is asking for.
 As I stated in the beginning, this entry in intended for the general user.  My fellow I.T. Friends would have two or three more pages of Dos and Don’ts, however knowing and following those that I have stated above will keep you more secure than you would without.  If you take anything away from this, please remember that having an Antivirus program is not a license to compute without concern.  Antivirus does nothing if not accompanied with a little common sense and knowledge.
To my fellow I.T. guys that follow my blog, I know it’s killing you that I left something out, so feel free to comment below.


Popular Posts