To help prove the point, I'm going to create a
fictions anti-malware product and we're going to say that whatever
you use is that good. Soussan's AntiMal 3000 (SAM3K) is its name,
and it has sensors planted all over the internet such that no
malware in any form can exist for more than 2 minutes without my new
product detecting, categorizing, and creating signatures for it.
Theses new signatures are distributed to every system that runs
SAM3K every hour, so that on average your definitions are at most 30
Malware signature follow the "Faberge Organics Shampoo"
distribution model -- your system gets and update, and tells two
nearby systems of the updates, and they tell to systems, and so on
and so on. This distributes the update load and prevents the Soussan
Antimalware Servers from bogging down updating all those nicely
protected clients and servers all over the world. These updates are
encrypted with such a world class algorithm that no malware can
possibly break into its encryptions.
Pretty cool product, isn't it!
As good as this is, in the average 30 minute old
scenario there are 120 newly created programs that can infect your
system and not be detected by SAM3K. In fact, since you started
reading this article 4 new malicious programs are now on the net
and infecting computers.
Read that again and think about it for a minute: 4
new malicious programs every minute. At the end I'll go through the
math to substantiate that number.
How about some good news?
Yes it is bad. But the good news is that much of today's
malware, once installed, attempts to install other bits of malware as
well. So while the initial "grappling hook" that got into your PC might
not be detected, chances are that some of that malware's buddies that he
is downloading and installing is detected. If you are sitting there
doing nothing special and getting alerts from your anti-malware software
that says it blocked an infection, chances are pretty good you are
infected with something that your anti-malware can't see but you are
watching it catch other bits of malware that are in its database.
I'm infected - now what?
I'm going to throw a thought out there which I
expect will stir up some controversy - it is no longer cost
effective to attempt to clean a system from malware. The best path
for a system that is infected that you need to use reliably is to
take your data off, wipe the hard drive completely clean, and
reinstall the operating system and all your programs from known good
media. Then put your data back on.
Take your typical ½ terabyte drive. Fill it to 1/3,
so 500/3 = 166 GB of data. On a Core2 Duo I've watched scanners take
more than an hour to check every file. Lets say the scan found some
malware and cleaned it. What are the chances, given the 4 new bits
of malware created every minute, that some other malware is still on
the system? And even if it was completely and truly cleaned, what
about any latent damage that wasn't fixed when the malware was
removed? Your end result might very well be a system that is clean
but exhibits other issues that you'll never be able to explain or
fix. Or worse, you think it is clean but a lurking in the shadows keystroke logger
is running and sending your bank login to a bad person.
Remember, no matter how good a cleaning product you
have, there is lots of malware that it won't detect and more of it
every minute. Even if you clean your system with multiple cleaning
products and they all say your system is fine, are you willing to
trust logging into your bank account, paypal account, or credit card
company's on-line account and feel safe that you haven't just handed
your account information over to someone in China, Romania, or some
So after the hour of automated scanning and
cleaning, you still can't totally trust your system.
If you think I'm exaggerating,
read this article where I walk you
through cleaning a system that came into my lab. And while I'm
not a full time malware cleaning person, I'll put my capabilities
well above average in this area, and the only times I actually try
to clean systems anymore are when it is a personal challenge. Even
then, cleaning is still often the long way to a usable system.
So what is your best defense?
Teach your users -- family, friends, employees --
how to be safe online. How to recognize a fake message from a real
one. How to ignore greeting cards, notices from your bank saying you
need to log in and change your password, pop-ups from fake
applications saying you are infected and we'll clean you for free,
and stay off the porn sites!
What is your best, most cost
effective recovery strategy?
Start with a known good system setup the way you
like it, then get yourself a good image based backup. External
terabyte sized USB drives are $100, store your image and another
copy of some important files there. Got malware? Sigh - copy your
data off, restore the image, and put your data back on.
That or be prepared to reinstall everything. An
operating system can be 1/2 hour if it is a single CD image from a
manufacturer or a multiple-hour thing -- I'm holding a 10 CD restore
set of discs for an HP Pavilion a32n that took 2.5 hours
to feed in all the disks.
Then you've got all the security packs, patches, and
other system updates. Another half hour or more depending on your
Then all the driver updates for hardware installed
Then all your application software. Do you even have
it all? Do you know where it is? Do you have any install codes you
might need? Are you going to have to call the manufacturer to get
your license / install count reset on any of these?
Then you have to reconfigure your system -- how do
you connect to email? If to a server and you use Outlook, do you
know your settings? Your password? What server to connect to? What
is your user name?
Do you have a palm? Or some other PDA that syncs
with your contact information? You'll have to setup that for
synchronization as well.
Which is easier -- doing all that, or restoring from
Even with the image based backup you'll have to both
save off and then restore your data. Plus, any security updates,
patches, drivers, etc. that were done since the image was taken will
also need to be downloaded and re-applied. But I'll bet that is a
whole lot easier and straightforward than all the steps listed for
when you don't have an image backup.
If you found this helpful (or not),
please send me a brief email -- one line will more than do. If I see people
need, want, and / or use this kind of information that will encourage me to keep
creating this kind of content. Whereas if I never hear from anyone, then why
I can be reached at:
das (at-sign) dascomputerconsultants (dot) com
(C) 2009 DAS Computer Consultants,
LTD. All Rights Reserved.
Reference information for
the proof of the theory ...
01/02/2009 EMSI Software's AV signature count:
2522473, Kaspersky: 1537714
03/12/2009 EMSI Software's AV signature count: 2955818, Kaspersky:
EMSI signature count delta: 433,345 Kaspersky: 343,175, 388,260
average pattern count growth over that period
Time between samples: 68 days
388,260 malware signatures / 68 days = 5709 new
malware signatures per day
5709 / 24 hours = 237 new malware signatures per hour
237 / 60 minutes = 3.96, rounded up to 4 new malware signatures PER
Raw data gathered from:
http://www.pcsecuritylabs.net, 1/8/2009, PCSL Total Protection
Testing 2009 NO.1 Summary Testing Report January 8, 2009. & PCSL
Total Protection Testing 2009 NO.3 Summary Testing Report March 31,
The following items below this line
are for search engines to assist them in indexing this content.