My Personal Security Program

Several people wrote (of yesterday's entry) to ask that if I disapprove of Symantec's security solutions, what do I recommend? And what do I use myself?

First of all, it's not entirely about software, and certainly not about one product. One package from one vendor can never be the solution to everything. What I do is fairly simple, and I have little or no problem with malware. Here's what I recommend, because here's what I do, in decreasing order of importance:

  • Be behind a router. They're cheap, and extremely strong protection from unsolicited outside connections from script malware, which studies have shown scan your IP address every few seconds. Even if you only have one PC in the house, get a router. They contain a Network Address Translation firewall, and most allow you to block specific ports. The one I use is the Linksys 8-port router/switch, model BEFSR81.
  • Don't use IE. Just don't. Almost anything is safer. I have it installed because the occasional nitwit Web site won't render correctly without it, but IE often goes untouched for months on end. Use either Mozilla Firefox (which is free) or Opera, which has also been free for about a year now, and is superb.
  • Make sure “install on demand” is turned off in your browser. Certainly, if you run IE at all, this is desperately necessary.
  • Don't use either “big” Outlook or Outlook Express for email. These are malware magnets largely because they're so popular, but they also have some fundamental problems that make them spam facilitators. (They also use IE to render HTML-formatted email, which makes them vulnerable to most of the same exploits that plague IE.) I used Poco Mail for a long time, but recently abandoned it for corrupting my mailbase. I use Mozilla Thunderbird now, and am quite happy with it, even though Poco has a few nice features that I miss on occasion.
  • Don't surf to porn, warez, or obscure music sites, especially those that offer deals that seem too good to be true. These are the primary source of browser exploit trojans.
  • Research every piece of “free” software you install, thoroughly, and resist installing stuff on impulse. This especially includes browser toolbars and ridiculous crap like those heavily advertised smileys, which are highly malevolent spyware and have gotten some of my nontechnical friends into a world of trouble. If you must fool with such stuff, buy a copy of VMWare Workstation 5 and learn how to use virtual machines (VMs) as software testbeds. I test everything I download in a VM before I ever think of installing it directly on the hardware. Stuff that I end up not using much I just leave in a VM image on my very big hard drive.
  • If you must surf to dicey sites, do so from a browser operating in a VM. I go to ebook pirate sites regularly watching for pirated Paraglyph material, and when I do so, I pinch off a new image of a standard VM and then revert it to the stored image when I'm done, whether it looks like I was attacked or not.
  • Use a low-profile virus checker like AVG. I have used AVG Free for some time now, having also tried Panda and found it too resource-hungry. Viruses are less of an issue than they used to be, especially if you're not so stupid as to open any email attachment that rides in the door, or install warez downloaded from P2P networks.
  • Use a two-way software firewall. I use ZoneAlarm and have for some years now. It allows me to control what actually gets out to the Internet, and it lets me know when any app even tries to connect. Much modern software, even if it's completely legitimate, wants to “phone home” for reasons never entirely explained. ZoneAlarm puts an end to that. Also, if you contract some kind of spyware or trojan, ZoneAlarm will let you know when the bad stuff tries to make an outside connection.

That's what I do. Interestingly, I don't do something that makes a lot of sense, and I really should try it: Run Windows as something other than admin. If you create and work from within a limited-permissions account, malware based on exploits (or anything else, for that matter) cannot install itself. You have to reboot into admin to install software, but how often do you actually install software? If you're configuring Windows for a non-technical person who is primarily interested in Web and email, and perhaps word processing, this is a very good thing to do. Unfortunately, some software doesn't work correctly in limited user accounts, and you may not know which software fails until you try it.

Finally, before all my Mac friends start yelling, you can buy a Mac. Macs are largely immune to malware because the machines are fairly rare and sparsely connected (compared to Windows) and malware authors are looking for raw numbers. However, if Apple would ever get its head out of its own you-know-what and decide to become a major player, the bad guys could turn their attention to OS/X. I have not yet been convinced that Mac software is somehow inherently exploit-free and I think complacency would be a very bad thing.

So there you have it. Note that a lot of my list cooks down to, “Don't be an idiot.” It isn't all about software. It's about common sense and a little caution. The best trainable, configurable anti-malware system is you. [Jeff Duntemann's ContraPositive Diary]