Malware — malicious software designed to disrupt computer operations, gather sensitive information, or gain access to private computer systems — is a serious and increasing security concern. Organizations and individuals alike must battle viruses, worms, Trojan horses, spyware, adware, scareware, ransomware, malvertising, nagware and more. In fact, analysts report that more than 317 million new pieces of malware were created last year (nearly a million each day), and a 2013 ESG study found that nearly half (49 percent) of organizations surveyed had suffered a successful malware attack during the preceding 24 months.
Ready to fight back? Here are the top six ways you can help protect your organization from malware.
Begin by installing good anti-malware or anti-virus software. The two terms are often used interchangeably and are not a reliable indicator of what types of threats the solution addresses. Be sure to carefully review the specific protections provided by each tool you’re considering.
Also understand that even the best anti-malware solution is no longer enough. For one thing, it takes time for vendors to identify new malware threats and update their tools. An alarming amount of time, in fact. Lastline Labs found that only half (51 percent) of tools detected new malware samples the first day, and a third of them failed to detect many of the malware samples even after two months. In addition, the most elusive malware is now so sophisticated or unique that it went undetected by the majority of tools for months, and in some cases was never detected at all.
Microsoft introduced AutoRun in Windows 98 to simplify software installation by automatically launching the program specified in the autorun.inf file on any software disc inserted into your computer. (Windows XP extended this feature with AutoPlay, which automatically launches the program of your choice to display content such as pictures, music and videos.)
For all its convenience, AutoRun has become a serious security concern. When it was introduced, it was fairly safe, since back then, only software vendors were equipped to produce software CDs. Today, however, CD writers are ubiquitous, and AutoRun provides a perfect avenue for attackers to spread malware. Moreover, vendors have created flash drives that emulate a CD drive when they are connected to a computer, so they trigger AutoRun. As a result, these devices quickly became a way for viruses such as Conficker to spread.
Disabling AutoRun altogether will help reduce your risk of a malware infection. Open the Local Group Policy Editor and navigate to Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies. After you save your changes, be sure to restart your computer.
RunOnce lists specify programs that will run the next time the system starts, but not on subsequent starts. The RunOnce registry key has many valid uses, such as deleting temporary files created by program installers. But it can also be used to load malware.
To prevent RunOnce programs from executing, either enable the "Disable the Run Once list" Group Policy, or set the key DisableLocalMachineRunOnce (REG_DWORD) to 1.
When an application calls a function in a Dynamic Link Library (DLL), the default search behavior is to search the current directory, followed by the directories contained in the system's path environment variable. If attackers gain control of one of the directories that is searched, they can place a malicious copy of the DLL in that directory, and the application will load it in place of the legitimate one.
For desktop applications, the standard DLL search order used depends on whether safe DLL search mode is enabled or disabled. Safe DLL search mode places the user's current directory later in the search order.
Safe DLL search mode is enabled by default starting with Windows XP SP2. For machines running earlier versions of XP, enable this feature by creating the SafeDllSearchMode registry value and setting it to 1.
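The AutoRun, RunOnce and safe DLL search mode settings described above are all backed by registry values, so they can be audited (and, if you choose, enforced) from one script. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the AutoRun policy is enforced through the NoDriveTypeAutoRun value (0xFF disables AutoRun for every drive type), which the article does not name, and it must be run from an elevated prompt. As a bonus it also lists directories on the machine PATH that low-privilege accounts can write to, since those are exactly the search-path locations the DLL section warns about.

```powershell
# Added example: audit (and optionally enforce) the registry-backed hardening
# settings discussed in this section, then flag writable directories on PATH.
# Assumption: NoDriveTypeAutoRun = 0xFF is used as the "AutoRun off" setting.
param([switch]$Enforce)   # run with -Enforce to write the expected values

$checks = @(
    @{ Name = 'AutoRun disabled for all drive types'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'; Expected = 0xFF },
    @{ Name = 'RunOnce list not processed'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'DisableLocalMachineRunOnce'; Expected = 1 },
    @{ Name = 'Safe DLL search mode'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
       Value = 'SafeDllSearchMode'; Expected = 1 }
)

function Test-HardeningSetting {
    param($Check, [switch]$Fix)
    # A missing value reads as $null, which never equals the expected DWORD.
    $current = (Get-ItemProperty -Path $Check.Path -Name $Check.Value `
                -ErrorAction SilentlyContinue).($Check.Value)
    $status = if ($current -eq $Check.Expected) { 'OK' } else { 'MISSING' }
    if ($status -eq 'MISSING' -and $Fix) {
        if (-not (Test-Path $Check.Path)) { New-Item -Path $Check.Path -Force | Out-Null }
        New-ItemProperty -Path $Check.Path -Name $Check.Value -PropertyType DWord `
                         -Value $Check.Expected -Force | Out-Null
        $status = 'FIXED'
    }
    [pscustomobject]@{ Setting = $Check.Name; Current = $current
                       Expected = $Check.Expected; Status = $status }
}

function Get-WritablePathDirectory {
    # Directories on the machine PATH that Everyone/Users/Authenticated Users can
    # write to: a DLL planted there is picked up by the default search order.
    $lowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $write   = [System.Security.AccessControl.FileSystemRights]::Write
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    foreach ($dir in ($machinePath -split ';' | Where-Object { $_ -and (Test-Path $_) })) {
        $acl = Get-Acl -Path $dir
        $risky = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $write) -ne 0)
        }
        if ($risky) {
            [pscustomobject]@{ Directory = $dir
                               WritableBy = ($risky.IdentityReference.Value | Sort-Object -Unique) -join ', ' }
        }
    }
}

$checks | ForEach-Object { Test-HardeningSetting -Check $_ -Fix:$Enforce } | Format-Table -AutoSize
"`nUser-writable directories on the machine PATH:"
Get-WritablePathDirectory | Format-Table -AutoSize
```

Run it without switches first to see where each machine stands; `-Enforce` only writes the values that are missing or wrong, so it is safe to re-run. The PATH check reads explicit allow entries only; ACEs expressed with generic rights bits will not match the Write mask, so treat an empty list as "nothing obvious" rather than proof of a clean search path.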
Whitelisting is a proactive security technique that allows only a limited set of trusted programs to run; all other programs, including most malware, are blocked from running by default.
Of course, compiling, maintaining and protecting a whitelist is challenging. One way to ease the burden is to automatically trust certain software vendors, using their digital signature. You can also automatically trust certain accounts, processes and network locations to install or update code on the enterprise whitelist; for instance, you will likely want to trust your security patch management system and certain administrator accounts. You may also want to explore third-party whitelisting solutions.
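One way to put the "trust the vendor's signature" idea into practice on Windows is AppLocker, which the article does not name but which ships with the Enterprise and Server editions. The PowerShell below is an added example, not code from the article or from Microsoft: it inventories executables on a clean reference machine, generates publisher rules for signed files (so any binary signed by that vendor stays trusted through updates) and hash rules for unsigned ones, dry-runs the result against a sample file, and then merges the policy into the local configuration in audit-only mode. The file paths are placeholders, and the Application Identity service must be running for AppLocker to enforce anything.

```powershell
# Added example: build an executable whitelist with AppLocker (assumed as the
# enforcement mechanism; the article only describes the whitelisting approach).
$policyXml = 'C:\Policies\whitelist.xml'          # placeholder path
$referenceDirs = 'C:\Program Files', 'C:\Windows'   # clean reference install

# 1. Inventory executables on the reference machine.
$files = $referenceDirs | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe
}

# 2. Publisher rules where a signature exists (trust the vendor's certificate),
#    hash rules for the rest; -Optimize collapses duplicate rules.
$files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

# 3. Start in audit-only mode so blocked executions are logged, not stopped,
#    while the list is still being built. (EnforcementMode is an attribute on
#    each RuleCollection element in the AppLocker XML.)
[xml]$doc = Get-Content -Path $policyXml
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($policyXml)

# 4. Dry-run: what would the policy do with a file dropped in a user-writable
#    location? 'unknown-tool.exe' is a placeholder name.
Test-AppLockerPolicy -XmlPolicy $policyXml -Path 'C:\Users\Public\unknown-tool.exe' -User Everyone

# 5. Merge into the local policy (use -Ldap to target a GPO instead).
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
```

Leave the policy in audit mode long enough to review the AppLocker event log for legitimate programs that would have been blocked, add publisher rules for those vendors (and for your patch management system's update paths, as the article suggests), and only then switch the RuleCollection elements to `Enabled`.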
A final weapon in your battle against malware is Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). Anyone can download and install EMET with the Use Recommended Settings option to protect commonly exploited programs such as Internet Explorer, Microsoft Office, Adobe Reader and the Java plug-in. Use the Import function to add additional rules to help protect popular third-party programs such as Firefox, Chrome, Skype, iTunes, Photoshop, Thunderbird, Opera, Google Talk, Pidgin, VLC, WinRAR and 7-Zip.
More advanced users and system admins can activate additional security features, such as turning on data execution prevention (DEP) and address space layout randomization (ASLR) for third-party applications (Windows system programs enable these features by default).
To learn more about malware protection and endpoint security topics, register for an on-demand webcast, “12 Security Controls for Workstations,” hosted by Windows security guru and Microsoft MVP Randy Franklin Smith.