Years ago, my mom got an email with an attachment that contained a MyDoom email worm. She opened the attachment, ran the MyDoom worm, and infected her computer. Two days later, her antivirus software received its weekly definition update, and finally recognized the MyDoom worm she'd opened. Too late.
In recent years I've hunted malware in the real world, and uploaded thousands of malware files to VirusTotal for analysis by about 30 types of security software, probably including the one you're using right now. The detection rates can be quite low on the malware that actually matters RIGHT NOW, the malware the bad guys are constantly regenerating to keep ahead of the antivirus vendors and keep infecting computers. I recognized a need to educate people that antivirus is not an ironclad defense by itself.
An attempt at education
About a year ago, I harvested a particular batch of malware from the real world, and scanned it with about 20 different antivirus/antispyware programs, then published the results at the AnandTech Forums as an educational topic. The intent of the test was to show that NONE of the antivirus/antispyware programs succeeded in detecting ALL the malware, and therefore it is still important to use other layers of security besides antivirus alone. Following the test results, you'll find some suggestions for securing Windows PCs.
For the test, I collected 95 malware samples, including exploits, rootkits, trojans (Zlob, DNSChanger, LoadAdv, VideoAccessCodec and others), backdoors, password-stealers, PUPs/adwares (including some DLLs, BHOs and EXEs harvested from a few live installs on my honeypot), a malicious HOSTS file, a QuickTime exploit, and a couple email worms, plus a really tough one: sneaky Frogexer images used to smuggle malicious code through the firewall. This was fresh real-world malware, hot off the bad guys' servers.
The results, in no particular order. Again, this is not a complete or scientific test, nor a buyer's guide; it merely illustrates that your favorite antivirus isn't infallible protection by itself.
And 2 weeks later? A spot check with a few of the products...
Taking your defense beyond antivirus alone: defense-in-depth techniques for Windows PCs
Try a non-Administrator user account
Many people aren't even aware that they can set aside the dangerous Administrator-level powers and use their computer in a much safer way. See mech's information page about non-Administrator user accounts. The security gains you get from this step are very substantial; going back to the example of my mom and her MyDoom infection, this step alone would've prevented it.
Use firewalls
If you have a broadband connection, use a router between your broadband modem and your computer(s). Also use a software firewall, such as the Windows Firewall or another of your choice. Firewalls regulate network communication between computers & networks, helping to prevent unwanted probes and attacks.
Keep your Microsoft software up-to-date
Enable Automatic Updates as shown in this picture (you can reach this setting by right-clicking My Computer and choosing Properties).
Also, upgrade your Automatic Updates software to Microsoft Update, which will update a wider range of Microsoft software (including any Microsoft Office-related software). To get Microsoft Update:
For Windows XP or Windows 2000 users, go to the Microsoft Update website.
For Windows Vista users, click Start, type Windows Update in the Search box, and press Enter, then click Change Settings, and put a checkmark in the box for Microsoft Update.
Eliminate unnecessary "attack surface"
Did your computer come with a bunch of junk you never use? Or has it got a lot of accumulated stuff you don't use anymore? Uninstall it. The bad guys cannot exploit something that isn't there. This includes media players, Instant Messaging and VOIP programs, email programs, web browsers, Sun Java and other popular software, all of which are often exploited by the bad guys.
Keep your other software up-to-date
This step is VERY important in today's world. Home users, try out Secunia's new Personal Software Inspector beta (free for home use), and it'll show you how to fix many of the vulnerabilities that the bad guys use to infect computers. I also like the free Microsoft Baseline Security Analyzer, but Secunia's free utility is a must-have.
Vista users: keep UAC turned on
Windows Vista has enhanced security capabilities. Some of them depend on the User Account Control (UAC) system, which prompts for approval from the computer's Administrator before allowing potentially-dangerous actions to be completed. It's wise to leave UAC enabled. Tip: if you have issues creating or modifying files and folders, causing repeated UAC prompts, ask at a Forum for help adjusting the file-system permissions to actually fix the underlying issue.
Use your computer's Data Execution Prevention feature
Fully enable your computer's Data Execution Prevention, as shown in this picture. You can reach this setting by right-clicking My Computer and choosing Properties. If a program is terminated by the Data Execution Prevention, you'll see an alert that says so. DEP stops some types of exploits right at the hardware level.
If you get Data Execution Prevention errors when you're trying to use legit programs, then use your Administrator account to make exceptions when necessary. In this picture, you can see that I added some "problem" programs to the exception list.
Disable or restrict "AutoPlay"
Your computer can be automatically attacked by an infected memory card, a flash drive, a burned CD or DVD, an external hard drive or an MP3 player. This is the modern equivalent of how computer viruses spread themselves by infecting floppy diskettes in the old days. See: how to prevent AutoPlay attacks by disabling or restricting AutoPlay.
Keep your tinfoil hat on!
Do NOT install any software or add-ons you got from the Internet, unless it comes from an absolutely trustworthy author. Because when you download & install software, you cast aside your own defenses and put yourself at the mercy of the software's author. Don't do this lightly, because the bad guys will be happy to bypass all your security measures with a Trojan Horse attack, targeting YOU as the weak point in the defenses.
All that glitters is not gold
Absolutely do not mess around with warez (illegal software), key generators, cracks, or any executable files you got from a P2P / file-sharing network; these are extreme risks. If there's one thing the bad guys are likely to use as bait, this is it.
Back up your stuff
Some types of malware actively delete your stuff (music, documents, movies and more), or encrypt it and hold it for ransom. Be wise: establish a backup system, such as an external hard drive, and use it.
For the advanced user: Software Restriction Policy
Some versions of Windows XP and Windows Vista are capable of Software Restriction Policy. If you have XP Pro, XP Media Center Edition, Vista Business, Vista Ultimate or Vista Enterprise, and you're able to use a non-Administrator user account, then check out Software Restriction Policy too.
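As an added example (not part of mechBgon's article), here is a read-only PowerShell audit of the settings covered in the steps above, from the non-Administrator account through Software Restriction Policy. It assumes Windows PowerShell 2.0 or later on XP/Vista; the registry paths and the WMI property it reads are the standard locations (assumed), and it only reports, it changes nothing.

```powershell
# Added audit script, not part of the original article. Read-only checks of the
# settings the article recommends. Assumes Windows PowerShell 2.0 or later on
# XP/Vista; registry paths and WMI values used are the standard ones (assumed).
function Test-IsAdministrator {
    # Note: under Vista UAC a non-elevated Administrator also reports False here;
    # confirm the account type in the User Accounts control panel as well.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal($id)).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}
function Get-RegValue($Path, $Name) {
    # $null when the key or value is missing, rather than an error
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}
$checks = @()
function Add-Check($Name, $Pass, $Detail) {
    $script:checks += New-Object PSObject -Property @{
        Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" }
}
# Non-Administrator account: the article's single most effective step.
Add-Check 'Non-Administrator account' (-not (Test-IsAdministrator)) ([Environment]::UserName)

# Windows Firewall, standard profile (EnableFirewall 1 = on).
$fw = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' 'EnableFirewall'
Add-Check 'Windows Firewall on' ($fw -eq 1) "EnableFirewall=$fw"

# Automatic Updates (AUOptions 4 = download and install automatically).
$au = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' 'AUOptions'
Add-Check 'Automatic Updates on' ($au -eq 4) "AUOptions=$au"

# UAC (Vista): EnableLUA 1 = on; the value is absent on XP, so XP reads as failed.
$lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
Add-Check 'UAC enabled (Vista)' ($lua -eq 1) "EnableLUA=$lua"

# DEP: 1 = AlwaysOn, 3 = OptOut (all programs except your exceptions, the
# "fully enabled" setting the article shows); 2 = the OptIn default.
$dep = (Get-WmiObject Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
Add-Check 'DEP for all programs' ($dep -eq 1 -or $dep -eq 3) "SupportPolicy=$dep"

# AutoPlay: NoDriveTypeAutoRun bit mask; 0x04 removable, 0x08 fixed (external
# hard drives), 0x20 CD/DVD; 0xFF turns AutoRun off for every drive type.
$ap = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
if ($ap -eq $null) { $ap = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun' }
Add-Check 'AutoRun off for removable/fixed/CD' (($ap -band 0x2C) -eq 0x2C) ('NoDriveTypeAutoRun=0x{0:X2}' -f [int]$ap)

# Software Restriction Policy default rule: DefaultLevel 0 = Disallowed.
$srp = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' 'DefaultLevel'
Add-Check 'SRP default level Disallowed' ($srp -eq 0) "DefaultLevel=$srp"
$checks | Format-Table Check, Pass, Detail -AutoSize
```

Run it from the everyday (non-Administrator) account; a False in the Pass column points at the step above that still needs doing.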
My mom was lucky. The bad guys didn't encrypt her documents and family photos and hold them for ransom. The bad guys didn't steal her WoW account and sell off her stuff. The bad guys didn't hijack her PayPal or eBay account, or steal her identity or credit-card number, or clean out her bank account. But that's the type of stuff that's at stake these days, and cleaning up the infection two days later won't bring your stuff back once it's been stolen, deleted, or encrypted. Just one infection might be one too many, so consider using defense-in-depth techniques in addition to a modern, up-to-date antivirus program.
mechBgon
Microsoft MVP, Windows Shell/User, 2006-2008
http://www.antisource.com/article.php/antispyware-comparisons