When you read the articles on Windows security, you realize that Microsoft has implemented multiple security mechanisms that help keep the Windows system safe. Let us recall some examples I hope you have seen:
dllcache works by keeping a backup of every essential DLL at \windows\system32\dllcache. This directory is marked as an essential system directory. When Windows detects that a DLL has been modified or deleted, it restores the backup.
As soon as the virus writers became aware of this mechanism, they cracked it and armed their viruses with the ability to modify both the active DLLs and their backups. Take, for example, the adware threat Adware.Meplex.
As you can read on the official site, OneCare claims to be an advanced solution to fight internet threats. I gotta tell you something about monopolies. In these 25 years, whenever a new virus has taken advantage of a Microsoft OS vulnerability, instead of learning from it and fixing the hole, some enterprises saw the opportunity to create a business: "Pay us and we will eliminate the virus, and kill any future attempt of the virus to come back". If you come to think of it, the vulnerability constitutes a "factory defect" of the OS. When you buy something expensive, other than software, you get a warranty on factory defects, don't you? But the license of your software comes without any warranty. Read it.
Back to the theme: the companies charge you not for fixing factory defects, but only to fight the consequences, viruses entering your system. Symantec, McAfee and Microsoft are shareholders in each other, so the whole business model generates a lot of revenue. Part of the deal consists in Microsoft revealing hidden parts of the Windows/Office/Messenger/whatever source code so that the antivirus writers know how to make their products work. Now Microsoft intends to get a bigger slice of the IT security market by releasing its own package. Several IT security companies claim that Microsoft won't disclose important kernel features of Windows Vista and will keep their products from working properly. That is nothing but a monopolistic practice to motivate customers to buy Windows Live OneCare.
One of the heuristic technologies in major antivirus systems consists in detecting the replacement of major system calls. These systems warn the system administrator of such behavior and restore the respective pointers to their normal state. Windows Vista PatchGuard works by crashing the entire system when such a replacement is made. The problem with this approach is that PatchGuard prevents other antivirus systems from working properly, because they employ the same replacement of major system calls in their real-time detection engines. That also constitutes a monopolistic practice.
You will also find this Patchguard circumvention article quite interesting.
The Run As dialog shows the following:
Protect my computer and data from unauthorized program activity
This option can prevent computer viruses from harming your computer or personal data, but selecting it might cause the program to function improperly.
User account technology is one of the most important goals achieved by Windows XP (copied from MacOS, Unix, Linux and Solaris). It establishes administrator and user accounts.
When you install Windows XP, you are asked for the names of the members of your family/office. The Setup program creates user accounts for all of them, with administrator privileges. Privilege separation is gone, and your system is an open gate to viruses and adware. Only a good system administrator will create appropriate accounts.
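A quick way to see whether your own machine suffers from the Setup behaviour just described is to list which local accounts actually hold administrator rights. The following PowerShell script is an added example, not part of the original article; it uses the WinNT ADSI provider (available from XP onwards) and assumes it is run from an elevated prompt on the local machine.

```powershell
# Added example: audit which local accounts hold administrator rights.
# The WinNT ADSI provider is used because it exists on XP through current
# Windows; run this from an elevated PowerShell prompt.
$computer   = [ADSI]"WinNT://$env:COMPUTERNAME"
$adminGroup = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"

# Resolve the account names that are members of the Administrators group.
$adminNames = @($adminGroup.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

# Walk every local user and record whether it is enabled and an admin.
$report = foreach ($acct in $computer.Children) {
    if ($acct.SchemaClassName -ne 'user') { continue }
    $name  = $acct.Name[0]
    $flags = [int]$acct.UserFlags[0]
    [pscustomobject]@{
        Account = $name
        Enabled = -not ($flags -band 0x2)    # 0x2 = ADS_UF_ACCOUNTDISABLE
        IsAdmin = ($adminNames -contains $name)
    }
}

$report | Format-Table -AutoSize

# XP Setup makes every family/office member an enabled administrator, so
# more than one enabled admin account is the symptom worth flagging.
$enabledAdmins = @($report | Where-Object { $_.Enabled -and $_.IsAdmin })
if ($enabledAdmins.Count -gt 1) {
    Write-Warning ("{0} enabled accounts hold administrator rights: {1}" -f `
        $enabledAdmins.Count, ($enabledAdmins.Account -join ', '))
}
```

Accounts that appear as enabled administrators but are used for everyday work are the ones to demote to the Users group.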
System File Checker (sfc.exe) scans and verifies the versions of all protected system files after you restart your computer. The executable sfc.exe itself can be deleted or replaced by some viruses, for example Southghost.
From the Windows Help:
Data Execution Prevention (DEP) helps prevent damage from viruses and other security threats that attack by running (executing) malicious code from memory locations that only Windows and other programs should use. This type of threat causes damage by taking over one or more memory locations in use by a program. Then it spreads and harms other programs, files, and even your e-mail contacts.
...
By default, DEP is only turned on for essential Windows operating system programs and services. To help protect more programs with DEP, select Turn on DEP for all programs and services except those I select.
You can try to enforce DEP more tightly, but there are papers on the Internet on how to circumvent it.
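The setting quoted from the Windows Help maps to a system-wide DEP policy that can be read through WMI. The script below is an added example, not from the original article; it assumes the Win32_OperatingSystem DEP properties (present on XP SP2 and later) and only reports, it does not change anything.

```powershell
# Added example: report the system-wide DEP policy and the hardware support
# behind it, using Win32_OperatingSystem (XP SP2 and later).
$os = Get-WmiObject -Class Win32_OperatingSystem

# DataExecutionPrevention_SupportPolicy values as documented by Microsoft.
$policyNames = @{
    0 = 'AlwaysOff - DEP disabled for all processes'
    1 = 'AlwaysOn  - DEP enforced for all processes, no exception list'
    2 = 'OptIn     - only Windows programs and services (the default quoted above)'
    3 = 'OptOut    - all programs except those the administrator excludes'
}

$policy = [int]$os.DataExecutionPrevention_SupportPolicy
[pscustomobject]@{
    HardwareDEPAvailable = $os.DataExecutionPrevention_Available   # CPU NX/XD present and enabled
    PolicyCode           = $policy
    Policy               = $policyNames[$policy]
    CoversDrivers        = $os.DataExecutionPrevention_Drivers
    Covers32BitApps      = $os.DataExecutionPrevention_32BitApplications
} | Format-List

# Tightening to OptOut is what "Turn on DEP for all programs and services
# except those I select" does. On Vista and later that is the boot entry
# setting "bcdedit /set nx OptOut"; on XP it is /noexecute=optout in boot.ini.
if ($policy -eq 2) {
    Write-Host 'DEP is in OptIn mode: only Windows components are covered.'
} elseif ($policy -eq 0) {
    Write-Warning 'DEP is switched off entirely.'
}
```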
Windows implements several well-known mechanisms to identify system files. The first one was the "System" attribute in the FAT filesystem. From time to time, Microsoft has been adding further mechanisms to identify essential system files, which cannot be erased, modified or uninstalled.
One of the fundamental ways a virus attacks Windows is by disguising itself as a system file, so that Windows tries to protect it. Take as a simple example the Eurosol trojan. With time, these mechanisms have become a major source of weakness for Windows itself, because they represent major overheads for the file managers and filesystem checkers, and they have reportedly left essential system files defenseless. Worse yet, viruses and other threats have been hiding behind the standard protection mechanisms of Windows! Have you tried to delete an infected file by yourself? Have you ever read "Cannot delete - sharing violation"?
You will also find this article interesting.
In 2003, a worm called MSBlast exploited a massive vulnerability in Windows to infect millions of home PCs and showed the message: "billy gates why do you make this possible? Stop making money and fix your software!!"
I cannot help but agree with the author of this worm.
The end-user only needs:
The basic network administrator needs in addition
The advanced IT professional needs in addition
Optional security enhancements:
Is someone still thinking that there are no viruses for Linux??? That has never been true. You can find lots of ways to write successful viruses for Linux. Then why is it more secure? Because at most you can damage a user account with it. There is no easy way to escalate privileges and affect essential system files. I invite you to dig deeper into the subject by reading reports like this, this and this.
On the other hand, the list of tools is fairly short. That is because you need nothing more:
I try to be respectful in the opinions I give here. Thanks for being equally respectful in your comments.