A virus is a computer program that replicates by attaching itself to another object. Viruses
can infect program files, documents (in the form of macro viruses), or
low-level disk and file-system structures such as the boot sector and
partition table. Viruses can run when an infected program file runs;
they can also reside in memory and infect files as the user opens,
saves, or creates the files. A worm
is a standalone program that replicates by copying itself from one
computer to another, usually over a network or through e-mail
attachments. The distinction between viruses and worms can be blurry and
for practical purposes is unimportant.
Historically, the
most common source of widespread computer virus outbreaks is the class
of hostile software that replicates by sending itself to other potential
victims as an attachment to an e-mail message. The accompanying message
often uses "social engineering" techniques designed to lure inattentive
or gullible users into opening the infected attachment. For example,
some viruses arrive as attachments that mimic delivery failure reports
from an e-mail server administrator. The attachment, in .zip format,
ostensibly includes details of the failed message but actually contains
the virus payload.
|
These days, most
mail servers reject all incoming messages with executable files
attached; even if the server doesn't stop such messages, modern e-mail
clients make it difficult or impossible to run executable attachments.
That simple measure completely stops most viruses written before 2003.
To work around the blockade, attachment-based viruses
now typically send their payloads using the standard .zip format for
compressed files. If the user opens the attachment, the contents of the
compressed file appear—in Windows Explorer or in the third-party utility
assigned to handle .zip files. Double-clicking the executable file
within the compressed archive sets the virus in motion. Virus writers
use a variety of tricks with .zip files. In some cases, they include a
bogus extension in the file name and then append a large number of
spaces before the real file name extension so that the actual file type
doesn't appear in the window that displays archived files. Some viruses
even encrypt the .zip attachment and include the password as part of the
message. That allows the infected attachment to slip past some virus
scanners. Most real-time scanners will detect a virus in a .zip file,
either when it arrives or when the user tries to extract the file. The
moral? Be wary of all attachments, even when they appear to be innocent.
|
Although viruses
that spread through e-mail attachments have been to blame for the
majority of attacks in recent years, some security experts believe that
other modes of transmission
represent a far greater threat and will become more prevalent in the
future. By their nature, attachments (as well as files transferred with
an instant messenger program, a more recent attack vector) require some
cooperation from an unwitting or distracted user; that requirement
dramatically limits their potential to spread unchecked. As a result,
authors of hostile software are always on the lookout for techniques
they can use to spread infections automatically.
The Conficker
worm, which made headlines in 2009, provides an example: one of its
propagation methods relies on AutoPlay, the feature that displays a menu
of options when you insert a removable drive, such as a USB flash
drive. On unprotected computers it displays an option to "open folder to
view files" when a victim inserts an infected USB flash drive in the
computer and AutoPlay runs. When clicked, that option actually executes
the worm, which then attempts to spread to other computers. Windows 7
doesn't have the vulnerability that Conficker
exploits in earlier (unpatched) Windows versions—but it also closes the
AutoPlay vulnerability, as AutoRun (the feature that placed the bogus
option in the AutoPlay dialog box) is disabled on removable drives.
Another popular mechanism is the use of scripts—written
in languages such as JavaScript, JScript, or Microsoft Visual Basic
Scripting Edition (often abbreviated as VBScript or VBS)—that
automatically take actions on the intended victim's computer when he or
she visits a webpage or views an HTML-formatted e-mail message.
Protected Mode in Internet Explorer is one defense against this type of
intrusion.
Yet another increasingly common mode of transmission uses e-mail to send a link to a compromised
website. If the intended victim clicks the link, she's taken to a page
that attempts to install hostile code automatically or prompts the
visitor to download a seemingly harmless file. The file is typically
disguised as something innocuous, such as a codec required to view a
salacious file.
You can review "top ten" lists of current threats and detections, along with links to details about each one, at the Microsoft Malware Protection Center, w7io.com/1518.
Viruses
and worms are not necessarily, by their very nature, dangerous. Most
are, however—why else would a programmer need to resort to such sneaky
techniques?—and you don't want them on your computer. Besides
replicating itself, a virus can be programmed to do just about anything
that the current user account is allowed to do, such as erase files,
make registry changes, and send information over the internet. An
important layer in a basic PC protection strategy, therefore, is to use
up-to-date antivirus software. Windows does not include any antivirus
software, but it's readily available from Microsoft and many other
vendors.
1. Finding an Antivirus Program
Plenty of good antivirus programs are available. You can start your search at the Windows 7 Security Software Providers page, w7io.com/1510,
which provides links to publishers of Windows 7–compatible security
software, including antivirus programs. (If you haven't yet installed
antivirus software, you'll find a link to this page in Action Center.
Next to Virus Protection, click Find A Program Online.)
This Windows 7
Security Software Providers page provides no independent evaluation.
Besides the usual review sites managed by computer magazines, you should
look to ICSA Labs, which tests antivirus programs and certifies those
that meet its criteria for effectiveness. You can find lists of
certified programs at w7io.com/1511. Another independent tester is Austria-based AV-Comparatives.org (w7io.com/1512).
|
Some computer experts—computer security
experts, even—proudly point out that they don't use antivirus software.
Why not? Some question its efficacy, particularly at blocking zero-day exploits for which virus definitions have not been created. (A zero-day exploit
is one that exploits a security vulnerability on the same day that the
vulnerability becomes widely known among security researchers.) Others
point to the fact that, like every additional running program, an
antivirus program adds another level of complexity and another potential
attack surface for malicious software. Indeed, at one time or another,
virtually every major antivirus program has been found to have some
vulnerability to remote exploits. Finally, what puts some folks over the
edge is the performance
hit imposed by antivirus programs that constantly work in the
background to examine each file as it's read from disk; the slowdown is
usually small, but measurable.
How is it possible to
maintain a virus-free computer without the assistance of an antivirus
program? Remember that antivirus protection is just one of many security
layers in a well-protected computer network. To have any hope of
surviving unscathed without that layer, several other forms of
protection must be in place. The network's internet gateway should
provide filtering that prevents viruses from entering through a web
browser or instant messenger connection; this capability is typically
available only in commercial-grade firewall appliances or in a separate
gateway computer that's configured for this purpose.
The e-mail server
should also have virus-blocking capability. (Many ISPs and web-based
mail services block all mail that contains a known virus.) In theory,
those network-level layers should prevent any malware from reaching your
computer, but the computer itself must be properly secured in other
ways: all patches up to date, firewall enabled, User Account Control
enabled, and a standard account set up for each user. The most important
protective layer—and the one that is most easily overlooked—is user
education and self control. Everyone
who uses the computer must have the discipline to read and evaluate
security warnings when they're presented and to allow the installation
only of software that is known to be safe. (Although a user with a
standard account is incapable of installing or running a program that
wipes out the entire computer, he can still inflict enough damage on his
own corner of the computer to cause considerable inconvenience.)
Countless successful virus attacks worldwide have proven that most users
do not have adequate awareness of safe computing methods. Indeed, our
standard advice for most users is don't even think of connecting to the internet without antivirus software! Only people who really know what they're doing, and who remain vigilant, should consider joining those anti-antivirus experts.
|
Note:
Microsoft's entry in the consumer antivirus arena is Microsoft Security Essentials (w7io.com/1513). Microsoft
Security Essentials is based on the antivirus feature of Microsoft
Forefront Client Security, a business-oriented program for protection
against viruses and spyware. Microsoft Security Essentials is available
to Windows users at no charge.
2. Using an Antivirus Program
Installing an antivirus
program is a good first step. But you're not done yet! The initial setup
enables the antivirus scanning engine—the code that checks files for
possible viruses. The most important part of the package is the database
of virus definitions (sometimes called the signature file). After
installing an antivirus package on a new computer, update it to the
latest definitions immediately. Then configure the program to enable
these features:
Install updates to program files and virus definitions using the program developer's recommended schedule, at least daily.
Scan
each file that you access in any way. This feature is typically called
real-time scanning, virus monitoring, or something similar. Don't
confuse this type of scanning with scheduled scans, which periodically
scan the files stored on your computer to find infected files.
Scan e-mail attachments and block access to infected files.
3. Scanning for Viruses—Without an Antivirus Program
On the second Tuesday of
each month, as part of its normal security releases, Microsoft releases
an updated version of a utility called the Malicious Software Removal Tool (MSRT).
This utility is not designed to block new viruses from entering a
computer; rather, its function is to clean up systems that have been
infected with well-known and widespread viruses and other forms of
malware. The MSRT is delivered by Windows Update, and on most computers,
this tool runs silently and then deletes itself; it alerts you if it
finds any infections, and lets you know if they were successfully
removed.
If you prefer to scan one or more systems manually, you can download the current executable version of the MSRT from w7io.com/1514.
Because this utility is updated at least monthly, we do not recommend
that you save this file. For details about this tool, read Microsoft
Knowledge Base article 890830 (w7io.com/1515).
As an alternative to the MSRT, free web-based virus scanning services are available from several antivirus vendors. The Windows Live safety scanner can be run from w7io.com/1516.
Warning:
Periodic scanning by
the MSRT or an online tool does not provide continuous protection
against virus infections. For that, you need to install and run an
antivirus program.
