I am often asked just what people need to be safe these days. Is a firewall enough? Is antivirus enough? Do I need antispy and antimalware as well? People are very understandably confused.
Here, then, is a basic explanation…
Firewalls stop intruders, such as worms and hackers, forcing their way in from the outside. Viruses are bits of malicious code that spread by themselves. They still exist, but there are not so many of them anymore because they don’t help Bad Guys make money. In other words, they could still write viruses, but they don’t much because viruses don’t tend to assist in stealing stuff. Instead, the Bad Guys tend to write keyloggers and remote-controlled backdoors, which allow them to steal bank account login details, credit cards, and important personal identification like social security numbers and tax IDs.
These days antivirus, antispy and antimalware have merged into the same suite, and there are really no separate products worth worrying about.
The single most important thing to understand is that 99% of all attacks now originate from the Web. When you start a web browser, it starts from a trusted place… _inside_ the firewall, so that creates a trusted tunnel through the firewall, and if a victim visits a website of hostile intent, the attack code is able to go right through the firewall, and has a chance of executing on the PC.
What this means to an end user is that their antivirus suite of choice should include a dedicated web scanner. At AVG, we have LinkScanner for exactly that reason.
The next thing to understand is that a good antimalware suite now should have a good behavior monitor, such as AVG Identity Protection. Traditional antivirus/antimalware suites work by scanning for known malware… signature scanning… which works great, as long as you’re dealing with a known bit of malware, but if it’s new, it gets past the scanner until the scanner is updated. Simple as that. The Bad Guys know this, and produce (by using automated tools) 20,000 to 30,000 new variants each day. They actually only release 400-500 into the Wild each day, but the others are produced to make it hard for the antivirus companies to keep up, and to make it hard to know which are the 400-500 that actually count.
A behavior monitor, however, is not signature based, but instead watches for malicious behavior. For example, a new program that installs itself so that it survives a reboot, and also starts monitoring keystrokes, is very suspicious to a behavior monitor.
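To make the signature-versus-behavior distinction concrete, here is an added example in Python (it is not AVG’s code and does not represent how LinkScanner or Identity Protection work internally). It puts a toy hash-based signature scanner beside a toy behavior monitor that scores what a process does. The sample contents, hashes, process names, registry paths and addresses are all constructed for the illustration; the scoring weights and the alert threshold are assumptions chosen so that the “installs itself to survive a reboot and starts monitoring keystrokes” pattern described above crosses the line while a plain installer that only adds a startup entry does not.

```python
"""Added example (not AVG's code): toy signature scanner vs. toy behavior monitor."""
import hashlib

# Constructed signature database: SHA-256 of the one "known" malicious sample.
KNOWN_BAD_HASHES = {hashlib.sha256(b"known-keylogger-v1").hexdigest()}

# Constructed process event trace; each entry is (process, action, detail).
# The paths and the 203.0.113.10 address are illustrative placeholders.
SAMPLE_EVENTS = [
    ("updater.exe", "write_autorun", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ("updater.exe", "hook_keyboard", "low-level keyboard hook installed"),
    ("updater.exe", "connect", "203.0.113.10:443"),
    ("notepad.exe", "file_write", r"C:\Users\me\notes.txt"),
    ("installer.exe", "write_autorun", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\vendor"),
]

# Assumed weights: persistence alone is common for legitimate installers, so it
# scores low; persistence combined with keystroke capture is the keylogger pattern
# the text describes and is what pushes a process over the threshold.
WEIGHTS = {"write_autorun": 2, "hook_keyboard": 4, "connect": 1}
ALERT_THRESHOLD = 5


def signature_scan(sample_bytes, known_hashes=KNOWN_BAD_HASHES):
    """Return True only if the sample's hash is already in the signature list.
    A freshly generated variant has a new hash and is missed until an update."""
    return hashlib.sha256(sample_bytes).hexdigest() in known_hashes


def behavior_scores(events):
    """Accumulate a suspicion score per process from the actions it performs."""
    scores = {}
    for proc, action, _detail in events:
        scores[proc] = scores.get(proc, 0) + WEIGHTS.get(action, 0)
    return scores


def behavior_alerts(events, threshold=ALERT_THRESHOLD):
    """Processes whose combined behavior meets the alert threshold."""
    return sorted(p for p, s in behavior_scores(events).items() if s >= threshold)


def layered_verdict(sample_bytes, process_name, events):
    """Defense in layers: flag if either the signature layer or the behavior
    layer catches it. Returns which layer(s) fired, or an empty list."""
    fired = []
    if signature_scan(sample_bytes):
        fired.append("signature")
    if process_name in behavior_alerts(events):
        fired.append("behavior")
    return fired


if __name__ == "__main__":
    # A new variant slips past signatures but is caught by what it does.
    print(signature_scan(b"known-keylogger-v2"))            # False
    print(behavior_scores(SAMPLE_EVENTS))                   # updater.exe scores 7
    print(layered_verdict(b"known-keylogger-v2", "updater.exe", SAMPLE_EVENTS))
```

The interesting case is the second variant: its bytes differ, so the signature layer says nothing, yet the behavior layer flags it on the same persistence-plus-keyboard-hook pattern. A real monitor would track far more actions and tune thresholds carefully to keep false positives down, which is why the weights here are labelled as assumptions.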
The best way to do security is in layers… think about a slice of Swiss cheese. Any individual slice is full of holes, but if you get two slices and place them on top of each other, they cover up most of each other’s holes. Get a third slice, and there are no holes left.
Computer security works the same way: each layer only has to be about 80% effective, but if you have enough layers, there are no holes left. That matters, because the more you strive for 100% with any one layer, the bigger and fatter it gets, with more potential for conflicts and issues.
It’s classic 80/20 stuff … you can solve about 80% of just about any problem with just 20% effort.
What this all means to an end user is that they need
(1) a specialist web-scanning layer to block most of the attacks immediately, followed by
(2) a traditional scanner that’s focused on the actual malware that’s in the Wild, as opposed to the Zoo, followed by
(3) a behavior layer to pick up anything that gets by the web scanner and the traditional AV scanner.
Such a solution mightn’t win too many magazine “shoot-outs”, because things like this are really hard to test, but the real benefit to an end user is that they have a lightweight, nimble product that misses very little.
Keep safe, folks.