What’s the Risk?
There are about 75,000 new tier-1 pieces of malware coming out every day. Remember that number… 75,000 every day! So your Anti-Virus software is realistically only going to be one layer of protection, no matter what the sales guy might say. That being said, AV is still a must. Remember the damage viruses like Conficker, Sality and Virut inflicted on non-protected networks? These are viruses that the industry does a pretty good job at protecting against, but if they get into your network and you don’t have endpoint protection, it can stop your organization cold.
All antivirus companies are being hit with the next wave of malware: Rogue antivirus tools like Antivirus 2010. This code throws messages on the user’s screen telling them that they are infected, and “download here to get rid of the malware”. Sure enough, that gets the trojan installed.
These new fake antivirus variants are some of the most vicious, polymorphic trojans this industry has seen. These viruses use extremely complex techniques which make detection very challenging for even the best antivirus engine. Many of these rogues are also server-side polymorphic. That means every time a “dot-exe” file is downloaded, it’s recompiled on the server side into a different piece of code.
Some Key Things You Can Do
1. No ADMIN Privileges. Try to run as many users on “Limited User” accounts as you can (not always possible, but we urge you to try). It won’t stop all infections, but it does make a difference — probably 80% reduced infection rate.
2. Patch aggressively. The key exploit areas right now are PDF and Flash, then Windows/IE. BEFORE surfing the web, make sure you are fully patched. If you’re tight on funds and can’t afford a professional patch management solution like Shavlik or Lumension, Secunia has an excellent free / inexpensive solution. Or do it yourself, which, depending on your network size, can be challenging. However, it really is an absolute must.
3. Educate your users. The vast majority of infections these days are caused by social engineering. A user will get a funny video link on Facebook or some other social networking site, click on it, and it will say that they need to “install a special codec”, or “update Flash”. Or they will be doing a Google search and a malware site will have attached itself to an innocent keyword. The user will click and start getting crazy warnings that their machine is infected. This is the malware trying to get the user to install.
4. Do malicious web filtering. There are tens of thousands of pieces of malware daily, but only a few thousand new malware sites a day. Many endpoint protection tools offer malicious web filtering. Or use a web gateway proxy and download URL block lists, like malwaredomainlist.com. It’s not perfect but it’s not bad either.
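As an added illustration of the block-list approach in point 4 (this is example code written for this page, not a tool from the author or from malwaredomainlist.com), the script below parses a hosts-file style domain block list, which is assumed here to be the feed format, and decides for each requested URL whether a gateway proxy should allow it. The list contents and domain names are constructed for the example; the matching also treats sub-domains of a listed domain as blocked, which goes slightly beyond a literal list lookup.

```python
from urllib.parse import urlsplit

# Constructed sample block list in hosts-file style: "<sink IP> <domain>" per
# line with '#' comments (assumed feed format). These domains are made up.
SAMPLE_BLOCKLIST = """\
# constructed sample: not a real feed
127.0.0.1  fake-av-2010.example
127.0.0.1  codec-update.example
0.0.0.0    cdn.evil-tracker.example
"""


def parse_blocklist(text):
    """Return the set of lower-cased domains from a hosts-style block list."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        # hosts style is "<ip> <domain>"; a bare domain per line also works
        domain = parts[1] if len(parts) >= 2 else parts[0]
        domains.add(domain.lower().rstrip("."))
    return domains


def is_blocked(url, blocked):
    """True if the URL's host, or any parent domain of it, is on the block list.

    Matching parent domains catches sub-domains the list author did not
    enumerate (www.listed.example when only listed.example is present).
    """
    host = urlsplit(url if "://" in url else "http://" + url).hostname
    if not host:
        return False
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked:
            return True
    return False


def filter_requests(urls, blocked):
    """Split requested URLs into (allowed, denied) for a proxy decision."""
    allowed, denied = [], []
    for url in urls:
        (denied if is_blocked(url, blocked) else allowed).append(url)
    return allowed, denied


if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_BLOCKLIST)
    # constructed sample of what a proxy log might see
    requests = [
        "http://fake-av-2010.example/scan.exe",
        "https://www.codec-update.example/install",
        "http://cdn.evil-tracker.example:8080/x.js",
        "https://www.example.org/page",
    ]
    allowed, denied = filter_requests(requests, blocked)
    print("allowed:", allowed)
    print("blocked:", denied)
```

A real deployment would refresh the list on a schedule and log the denied requests, since a burst of hits on a fake-AV domain from one workstation is itself a useful infection signal for the help desk.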
5. Submit malware files to AntiVirus vendors. Most, if not all, AV vendors take customer submissions very seriously, and the internal escalations are always senior to anything else.
If you would like to learn how we can help, please contact us at firstname.lastname@example.org