Tuesday, December 1, 2015

If You Get Viruses, Fire Your Technician - Or Yourself

There's a simple formula for avoiding viruses on your computers. I am extremely frustrated when I go to professional conferences and hear people talking about Cryptolocker and other viruses.

There is no excuse for letting your computer get viruses today. Really. Zero.

Twenty years ago a client asked me if computer consultants created viruses so they could stay employed. I said no, we don't have to because the bad guys are creating enough. That's still true.

BUT I have met a lot of consultants recently who do not do the best job they can of patching systems . . . because they want your computer to break. In my opinion, these are amateurs at best and incompetent technicians at worst.

How We Get Viruses Today

Virtually every virus today requires YOU to install it. Something pops up on your screen and you click YES. When that happens, you are to blame and you should pay for the cleanup.

Virus manufacturers try to trick you into clicking in many ways. The most common are:

1) A fake virus scanner pops up and says your system is infected. You click to "clean" your machine, but you're really installing a virus.

2) Fake web sites look like the real thing, so you start clicking on stuff. Again, at some point a program wants permission to install something and you say yes.

3) You receive emails with fake lures. For example, your bank needs you to read a notice or says your deposit did not go through. You panic and click. And infect.

4) You receive an email with an attachment, often with a fake extension. You open it and infect your machine.

Five Simple Steps to Zero Viruses

It is extremely easy to stop getting viruses ever again. But you have to do all five. If you do less than five, then you will get viruses. Note: Your computer consultant should recommend these steps to you and pressure you to do them. This is worth paying for because it's cheaper than cleaning up one nasty virus.

Step One: Have a good, current anti-virus program. In addition, know what it is! Open it. Look around. See how the quarantine looks. Be comfortable with it. That way, when something pops up and says you have an infection, you will know that it's NOT your anti-virus program and you can close it without clicking.

Step Two: You need a good patch management system. This will cost a little money every month, but it guarantees that your operating system and all your software are up to date. There's a big buzz every week about Microsoft updates. Of course you ignore it because it's not your job. But those updates (as well as updates from Adobe, QuickBooks, Sage, and others) are critical to the health of your computers.

Very often, these updates do not install automatically (even when set to) and sometimes fail to install for weeks or months. That's why you need a managed system. Your computer consultant should be making sure all these patches are applied. On rare occasions, a patch should NOT be applied because it causes problems. Your computer consultant should manage that as well.

Step Three: No one in your company should have "administrative rights" on your computers. As soon as you take away admin rights, programs cannot be installed. Viruses are programs. They need admin rights to install and infect your computer. Once you take this away, 99% of all viruses are stopped dead in their tracks.

WHINE: I always hear the argument that it's a pain in the neck to contact the computer guy every time we need to install something. A) No it's not. B) Here's another thing you can do.

Have your computer consultant create a special Administrative account on your computer. Call it something like AdminX with a password that's easy to remember. This doesn't have to be a super secure password if you have a properly set up and secured network. Now, when a program asks for Administrative credentials in order to install a program, you can put in the AdminX username and password. Ideally, that will slow you down, make you think, and NOT install viruses.

If you do install a virus, you'll know instantly that you did it yourself and you can give up the lame excuse that you browsed to a web site and magically got a virus.

Step Four: You need a good firewall with an anti-virus module installed. That means you can't use a crappy $39 router any more. You need a real firewall with a real anti-virus module - and a subscription to keep that up to date. Yes it costs money. But it costs less than fixing one nasty virus.

Step Five: You need good habits. As you read above, YOU are the cause of all viruses. So change that: educate your people. And stop clicking on everything on the Internet!!! Here are a few rules. Follow these and your life will be good:

1) If you have any doubt whatsoever, do not click. For example, if your bank has a message for you, close the email and log on to your bank site. Since you initiated the connection, you'll know you are at the real bank site. If there's a message, it will be there.

2) Do not open email from someone you don't know. Just delete it. Really. The world will keep spinning.

3) Do not open any email attachments unless you asked that person to send you that file. Even if it looks like it came from your mother or best friend. Send them an email and ask them if they sent you something. If they say no, delete it.

4) Have your computer consultant enable "view extensions" on your computer. That way, you can look for files with two extensions and you can delete them without opening. These files have names like: FILE.DOC.EXE or FILE.PDF.JS.
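The double-extension trick in rule 4 works because Windows, with "hide extensions for known file types" left on, displays only the part of the name before the last extension, so FILE.DOC.EXE shows up as FILE.DOC. The following is an added example, not code from the original post, that models that display behaviour and flags attachment names whose real (last) extension is executable while an earlier extension impersonates a document. The extension lists and the sample attachment names are constructed for the example and are not exhaustive.

```python
import os

# Extensions Windows treats as programs or scripts when double-clicked.
# Constructed list for this example; extend it for your environment.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".msi", ".lnk",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".jar",
}

# Extensions a lure typically impersonates (constructed list).
DOCUMENT_EXTENSIONS = {
    ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".zip",
}


def split_extensions(filename):
    """Return every extension in the name, lowercased and in order.

    'FILE.DOC.EXE' -> ['.doc', '.exe']; a bare name or a leading-dot
    name like '.bashrc' has no extension and returns [].
    """
    name = os.path.basename(filename).lstrip(".")
    parts = name.split(".")
    return ["." + p.lower() for p in parts[1:]]


def displayed_name(filename):
    """What Explorer shows when extensions are hidden: only the final
    extension is removed, so 'FILE.DOC.EXE' is displayed as 'FILE.DOC'."""
    name = os.path.basename(filename)
    root, ext = os.path.splitext(name)
    return root if ext else name


def classify_attachment(filename):
    """Classify a filename by its real (last) extension.

    'disguised-executable': runs as a program but the preceding extension
                            looks like a document (FILE.DOC.EXE, FILE.PDF.JS)
    'executable':           plainly a program or script (setup.exe)
    'ok':                   a non-executable extension
    'no-extension':         nothing to decide on
    """
    exts = split_extensions(filename)
    if not exts:
        return "no-extension"
    real_ext = exts[-1]
    if real_ext in EXECUTABLE_EXTENSIONS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
            return "disguised-executable"
        return "executable"
    return "ok"


def flagged_attachments(filenames):
    """Return the names a user should delete without opening, paired with
    the misleading name they would have seen with extensions hidden."""
    flagged = []
    for name in filenames:
        verdict = classify_attachment(name)
        if verdict in ("disguised-executable", "executable"):
            flagged.append((name, displayed_name(name), verdict))
    return flagged


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real mailbox.
    sample = [
        "Invoice_2015-12.pdf",
        "FILE.DOC.EXE",
        "FILE.PDF.JS",
        "deposit_notice.docx",
        "setup.exe",
        "README",
    ]
    for real, shown, verdict in flagged_attachments(sample):
        print(f"{verdict:22s} real name: {real:20s} shown as: {shown}")
```

Turning "view extensions" on removes the gap between the real name and the displayed name that the second column relies on; a mail gateway rule that blocks the `executable` and `disguised-executable` classes before delivery covers the users who never learn the rule.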

In the 21st Century, I believe it is unscrupulous for computer consultants to let their clients get viruses and lose data. It costs the client a lot of money and is completely avoidable.

At the same time, business owners who are not willing to pay for a good firewall, good anti-virus software, and a patch management program are just asking for trouble. It costs money to run your business the right way. If you don't buy a managed service contract and you don't invest in basic security, then please don't complain when you have to pay money to clean up a virus or two. Or three.



  1. Almost there with you. Just don't forget that only newer firewalls installed by top-end-competent companies can scan SSLVPN traffic, which is what most traffic is today. Every time someone tells you to pick up a file from Dropbox, Box, iDrive, or any other encrypted file share, if you're not doing DPI scanning on SSL traffic, you are risking disaster. And by the way, almost nobody is doing this sort of DPISSL scanning, because it is hard to set up and costs some real money to get going with!

  2. Agreed, Josh. But, again, it costs money to be in business. The cost of being secure vs. paying for cleanup is purely a math (insurance) problem. Some people are better at math.

  3. I agree that your steps are good recommendations, but you are missing a few important details. Users actually get as much as 85% of malware from compromised web sites. Is it really a user's fault if they visit the reader's digest website, and get exposed to an exploit kit running on the front page?

    Now, if they are up to date on all their patches and have limited admin rights, that will probably be enough to protect them. Probably. It would be even better if they were running a browser without Java or Flash enabled at all, though, or running with click-to-play turned on so flash content doesn't run automatically.

    I also question the value of anti-virus these days. IT budgets only go so far and spending heavily on AV isn't worth it. It is trivial to crypt malware to bypass it altogether, and any targeted phishing email will do that. Better off investing in technologies to detect intrusions. Reasonable IDS/IPS and a properly configured network can be had for less than most AV and have loads more value.

  4. I have to say, after 20 years in this business, I've never seen one of these magical web sites that can infect a machine that's properly patched and not running as an administrator. I have seen sites that pop up and ask you to click "Yes" to something.

    Patching can be totally automated on an unlimited number of machines for very little money. Running as a non-administrator is a quick one-time change followed by regular standard operating procedures. So no matter how small your budget is, you can do all of this for less than the cost of cleaning up one computer.

  5. I agree with Karl. The last viruses any client had was when some employee goofed off opening their personal Gmail or Hotmail and browsed for junk; and this happened to clients who asked us to open security filter (go figure). We use gateway IDS, Content Filtering and OpenDNS filtering so junk can’t even get onto the network. So now employees resort to using their own devices & data plan to download junk but whatever; as long as company systems stay clean.

  6. What is "a good firewall with antivirus module installed"? We're using a Juniper SRX240 with AV which is used to scan emails. It doesn't sound like that's exactly what you mean but... is it?

  7. Actually, Anon, that's a great firewall/AV product. Generally speaking, you want to avoid the under-$100 "firewall" products. They are super basic and really only intended for home use. Once you get to $500 or $1000 plus modules for AV, intrusion detection, etc. then you know you have a true business class solution.

    Very often the difference boils down to three things: Feature set, speed, and memory. All of those mean a good firewall will add security to your network without becoming a huge bottleneck for the business.