
On 2/02/2016 11:59 PM, Jason White via luv-talk wrote:
> [Moving this to luv-talk as I'm taking it off-topic for luv-main]
> Craig Sanders via luv-main <luv-main@luv.asn.au> wrote:
>> Just wondering what is currently considered best practice for protecting a modern Microsoft Windows machine against malware and exploitation?
I'm not sure there is a good recommendation. Education is the best thing; when people don't do things they are not sure about, that is good; many of those people won't allow anything to be installed, that is better. The best advice is to make sure that people operate without admin privileges: create a separate admin user, make sure it works, then revoke admin from the normal-use account. If ANY machine gets compromised with a virus or with malware, it is game over, time for a re-install or image replacement if you made one. The "never use root" for normal use in the Linux/Unix world is good, but it is many times more important in the Windows world. Any AV or other software that isn't from Microsoft (in this area) is an avenue for adding an attack surface. Certain components of Trend Micro made the news recently, doing things very badly -- but I think it depends on the version of the software. The AV software has admin rights, so any security issues and the computer is owned BECAUSE of the AV product, in spite of it. Using AV and other "Internet Security" gives users a very false sense of security. Of course the only safe computer is one that never goes online, but that isn't much use for most people. I stick with MSE and Defender on Windows boxen; then I use judgement before installing anything -- and when something is installed, be very careful with possible "extras" of any kind. The less junk, the better. Any AV solution is only as good as the software itself and the definitions that are "known" at a point in time.
> I read an interesting article over the weekend: http://www.malwaretech.com/2015/09/device-guard-beginning-of-end-for.html according to which MS have implemented new security measures based on the virtualization instructions of the CPU. If I understand correctly, parts of the kernel responsible for verifying signed executables are compartmentalized using virtualization. Malware can compromise the remainder of the kernel without compromising the hardware-protected code. Only signed executables can be run, and UEFI "secure boot" is used. Thus they reduce the size of the Trusted Computing Base considerably.
Malware can happen at all levels, even the BIOS or equivalent. Dell and Lenovo have pre-loaded very dangerous software onto newer machines. Trust is the biggest problem here, but what can you really do, except practice safe computing and hope that any hardware / software vendor is a good actor and anything they might risk YOUR security with is well considered (pros and cons) and only installed if it is secure.... Never use IE .... almost every single month, there are updates for IE of one sort or another. Boot verification, via UEFI -- we need to be careful of machines becoming Windows appliances and not being able to install any other OS of any kind. This is getting worse. Heck, even with Skylake processors, they will end up being unable to run Windows 7 due to Intel / Microsoft support limitations (I think mostly M$, but I'm not sure). Anyway, I'm getting off topic, so I'll quit now. Cheers A.
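The "separate admin user, make sure it works, then revoke admin from the normal-use account" procedure from the post above, as an added PowerShell example that is not part of the thread. It assumes Windows 10 or later with the built-in Microsoft.PowerShell.LocalAccounts cmdlets, an elevated shell, and the account name `localadmin` (a placeholder); it refuses to demote the daily account until the new admin account has proven it can log on and is in Administrators.

```powershell
#Requires -RunAsAdministrator
# Added example: set up a separate admin account, verify it, then drop
# admin rights from the everyday account. Names below are assumptions.
$AdminName = 'localadmin'           # assumed name of the admin-only account
$DailyUser = $env:USERNAME          # the account used day to day
$AdminGroup = 'Administrators'

# Step 1: create the admin-only account if it does not exist yet.
if (-not (Get-LocalUser -Name $AdminName -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $AdminName"
    New-LocalUser -Name $AdminName -Password $pw `
        -Description 'Administrative account; not for daily use' | Out-Null
}
if (-not (Get-LocalGroupMember -Group $AdminGroup -ErrorAction SilentlyContinue |
          Where-Object { $_.Name -like "*\$AdminName" })) {
    Add-LocalGroupMember -Group $AdminGroup -Member $AdminName
}

# Step 2: "make sure it works". Prove the new account can actually log on
# by starting a throwaway PowerShell as that user and checking its exit code.
$cred = Get-Credential -UserName "$env:COMPUTERNAME\$AdminName" `
        -Message "Confirm the password for $AdminName"
$proc = Start-Process -FilePath 'powershell.exe' -Credential $cred `
        -ArgumentList '-NoProfile -NonInteractive -Command exit 0' `
        -WorkingDirectory $env:SystemRoot -WindowStyle Hidden -Wait -PassThru
$logonOk = ($proc.ExitCode -eq 0)
$inGroup  = [bool](Get-LocalGroupMember -Group $AdminGroup |
                   Where-Object { $_.Name -like "*\$AdminName" })

# Step 3: revoke admin from the daily account only once the new one works
# and it is not the only enabled administrator left on the box.
$otherAdmins = Get-LocalGroupMember -Group $AdminGroup |
    Where-Object { $_.Name -notlike "*\$DailyUser" -and $_.PrincipalSource -eq 'Local' } |
    Where-Object { (Get-LocalUser -Name ($_.Name -split '\\')[-1] -ErrorAction SilentlyContinue).Enabled }

if ($logonOk -and $inGroup -and $otherAdmins) {
    Remove-LocalGroupMember -Group $AdminGroup -Member $DailyUser -ErrorAction Stop
    Write-Host "$DailyUser removed from $AdminGroup; log off for the new token to apply."
} else {
    Write-Warning "Not demoting $DailyUser: logonOk=$logonOk inGroup=$inGroup otherAdmins=$([bool]$otherAdmins)"
}
```

The membership change only takes effect on the daily account's next logon, so the check and the demotion are deliberately done while still elevated.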