TL;DR, how can I secure Windows 7 because I just got raped by a nasty virus.
Just had a very nasty virus in my Windows 7 installation. I mostly use Linux and so I'm not really up to date on what security software is needed for Windows. I have AVG installed and all Windows security options enabled as default and thought I would be safe.
I was just starting to watch some Family Guy streamed through a common website. Illegal, yes, but a common activity. Nothing too dodgy.
All of a sudden a big screen pops up, fullscreen. I live in Switzerland and all the text was in German so I didn't understand it (I live in the French part), but I did read some lines and it seemed to be accusing me of possessing Kinderpornographie, terrorist emails, drug paraphernalia etc. It seemed to provide some means of paying online through the post office, which is common here, and entering a PIN code to unlock. Everything looked very official and well designed, so it did scare me. Normally the language errors make these things a dead giveaway, but in German I had no clue. It knew my IP, location and ISP, but this stuff is relatively easy to get.
The fact is that if they thought I had child porn on my computer or was sending terrorist emails they would not want me to pay 150 CHF! So, total scam.
Anyway, I could not close this window at all: no Alt+F4, couldn't bring up a task manager, nothing. Rebooting, same thing. Safe mode, same thing. Totally locked out. Managed to restore Windows to an earlier restore point and it's OK now.
Did a complete scan with AVG and it found nothing. So how can I secure Windows in the future?
The problem with AVG (and MSE and other AV solutions commonly praised on this forum) is that it relies on traditional, outdated mechanisms to protect you from viruses.
AVG relies on a huge team of malware researchers obtaining malware samples, ripping them apart in a lab and then pushing a 'signature' down to your PC. This leaves a massive window of exposure. Here's a typical timeline:
05/11/2011 08:00 - Legitimate web sites start unknowingly serving a new strain of malware via their advertising network. The malware also exhibits brand new behaviour which has never been seen before.
05/11/2011 09:00 - AVG obtain a sample and they get to work on creating a fix.
05/11/2011 11:00 - A signature is created and is ready for download by all AVG clients.
06/11/2011 08:00 - AVG does its daily update.
As you can see, in this example there is a period of 24 hours during which, if you visited the infected site, you are unprotected. This is actually a very generous example; sometimes it can take weeks or months for the security vendors to detect the stealthiest strains of financial malware.
The industry has started to change, and the first organisation to truly offer instant protection was a small British company called Prevx. Prevx were acquired by Webroot last year and they recently launched a new suite called Webroot SecureAnywhere.
Here's how the same timeline works for Webroot SecureAnywhere:
05/11/2011 08:00 - Legitimate web sites start unknowingly serving a new strain of malware via their advertising network. The malware also exhibits brand new behaviour which has never been seen before. You visit the web site and the new strain of malware is downloaded to your machine. On execution, Webroot connects to the cloud to obtain a classification (Good, Bad, Unknown). Because the file has never been seen before, the unknown file is placed in 'monitor' mode. While in monitor mode, users are continually protected from malicious behaviour and are generically protected from things like key-logs, screen grabs, system modifications, replications etc. While in monitor mode, a local journal of every single change the unknown file makes to your PC is recorded.
05/11/2011 11:00 - Webroot researchers identify the threat and update their global database. A 'bad' classification is then pushed down to the agent. Because we have a record of every single change the file had made to the PC, these changes will be reversed, leaving your machine in its former healthy state.
Essentially, new solutions like WSA protect you from the point of infection (not just detection), minimizing the window of exposure and ensuring that your machine can return to a perfect healthy state.
Sorry for going on about this new product, but I think it's a very interesting concept.
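To make the 'monitor mode' journal-and-rollback idea in the reply above concrete, here is an added, simplified model in Python. It is not Webroot's code or anyone's product; it assumes the unknown program's file changes are routed through a ChangeJournal object, uses a temporary directory with constructed files, and applies a constructed cloud verdict ('good' or 'bad') afterwards.

```python
import tempfile
from pathlib import Path


class ChangeJournal:
    """Records every file change an unknown program makes, keeping enough prior
    state (previous bytes, or None if the file did not exist) to reverse it."""

    def __init__(self):
        self.entries = []

    def write(self, path, data):
        self.entries.append((path, path.read_bytes() if path.exists() else None))
        path.write_bytes(data)

    def delete(self, path):
        self.entries.append((path, path.read_bytes()))
        path.unlink()

    def rollback(self):
        # Undo in reverse order so a file touched several times ends up as it began.
        for path, prev in reversed(self.entries):
            if prev is None:
                path.unlink(missing_ok=True)
            else:
                path.write_bytes(prev)
        self.entries.clear()


def run_unknown_file(verdict):
    """Let a constructed 'unknown' program act under the journal, then apply the
    cloud verdict: 'bad' reverses everything, 'good' keeps the changes."""
    root = Path(tempfile.mkdtemp())
    hosts, notes, dropper = root / "hosts", root / "notes.txt", root / "dropper.exe"
    hosts.write_bytes(b"127.0.0.1 localhost\n")  # pre-existing system file (constructed)
    notes.write_bytes(b"my notes\n")             # pre-existing user file (constructed)
    journal = ChangeJournal()
    journal.write(dropper, b"MZ-placeholder")            # drops a new file
    journal.write(hosts, b"0.0.0.0 example.invalid\n")   # modifies a system file
    journal.delete(notes)                                # deletes a user file
    if verdict == "bad":
        journal.rollback()
    return {"hosts": hosts.read_bytes(),
            "notes_exists": notes.exists(),
            "dropper_exists": dropper.exists()}
```

A real agent would also have to journal registry, service and scheduled-task changes and block the generic behaviours the reply lists while the file is still unclassified; this model only shows the file-level record and reversal.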