Internet Security Advice Needed :)

GOOSE

Hi guys,

Just set up the new PC after last one died a year ago (I know, how did I manage so long without a computer at home?) and I wanted some advice please.

What's the best all around anti-virus software that's a free download? I have in the past used avast and AVG and wondered which of the two (or others) offered better protection while not sucking my machine dry.

Also, what else do I need to sort out? Firewall software? New machine got Windows 7 if that makes a difference.

PC came with Norton 30-day trial, didn't even install it as had nothing but trouble last time.

Cheers in advance guys
 
I'm using Avast! v5 and Microsoft Window Security Essentials in house these days.

They both seem pretty good at catching malware, email viruses, etc.

Note: I'm not running them both on one machine! Don't do that! LOL
 
I am using Avast at the moment. Seems to be rather good so far.
 
MS Security Essentials. Best and lowest perf impact.
 
Comodo Internet Security is an antivirus and firewall bundle for free. It's really nice, not a resource hog, and although a little too paranoid at times does the job well.
 
I was using Comodo, but I've had a few malware intrusion problems with it, so discontinued using or recommending it.
 
I'm using Avast and it doesn't seem to slow things down, it has a gaming mode so when you're full screen it doesn't update and kick you out.
 
I tried Panda cloud but it felt insecure to have an AV software of which the process was easily killable, so I returned to the free version of AVG.
http://free.avg.com/de-en/homepage

If you use a good router a firewall is not really necessary.

Also something which might be fun to do.
Should you want to visit risky sites or do other dangerous stuff you might want to set up a virtual PC.
It's pretty easy, just use this http://www.virtualbox.org/
You can create a virtual machine in which you install a Linux or maybe you got a Windows XP license lying around you want to put to some use.
 
Many are good, but don't use McAfee, Norton, or Microsoft antivirus/antispyware. McAfee and Norton don't protect your computer, and let thousands of viruses through they claim to protect against.
Microsoft has made deals with malware/virus-companies to not recognize their software as malware/viruses
 
I have been using Norton 360, no issues at all!
 
Microsoft has made deals with malware/virus-companies to not recognize their software as malware/viruses

lol show me the proof of that xD

In every comparison or test of MS antivirus stuff etc. I've seen, they've been said to be one of the better ones.
 
Well that is ONE spyware it might not catch or rather it did still detect it, it just didn't quarantine it. But other than that it is one of the best programs for this type of thing from every report on it I've read.
 
Out of the gate I would avoid Norton; it tends to slow systems down too much with its over protection. I favor AVG Free for gaming systems, it's a nice little lightweight app you can configure to stay out of your way with reasonable protection for skilled or new users in a way anyone can understand and control.

Edit:
As an afterthought, I don't know what kind of funds you have or IT experience but you may want to consider a hardware firewall/* I use a FG 60M for my local network. With the protection it provides I have done away with costly server AV programs on some of my systems.
 
I don't know what kind of funds you have or IT experience but you may want to consider a hardware firewall/* I use a FG 60M for my local network.

...or use pfSense for free on an Intel Atom board for an industrial-class firewall that can replace Cisco ASAs in most deployments with no lock-in.

@Goose : security is a journey, it never stops. Even just browsing, reading the news, can get you infected by an unknown exploit.
Backup, backup, backup regularly. Because if you get hit, the best and fastest way is to wipe and re-install the OS.
If you plug in an external drive after you've been infected to copy `essential` files off, then plug it back in to the new install, you've just wasted your time if infection is carried back in on those files, or even "autorun" from the disk as you plug it in. Everything needs scanned before moving back - but.....
AV and Anti-Malware can't detect it all, even if you give it months of thinking time.
Don't use anything that's pirated, or even slightly dodgy from your mate down the pub who swears it's his own copy and he paid for it himself. That also includes anything like videos that can exploit flaws in the Media Player - yet most people are ignorant of this.
Create a second user and perform all non-admin tasks as that second user. The first user you create at the OS install time will usually be given permanent admin rights on request. That's a definite no-no. Then, after all the software is installed, create your "own" username to play games, browse the net, do normal things. Win7 is better than its predecessors, but still amazes those of us that use other OSs that no password or key is needed to elevate to administrator privs; just a simple, easily bypassed, click that should really say "yes, remove the condom, I agree". People whinged about the UAC popups in Vista, so they tamed them down in Win7. UAC didn't go far enough if you ask me.
Of course, that is a pain with certain games that require you to run as admin every time you need to install an update (AHEM!:eek:).
After a VU is applied, change back to your normal user before you run the game.

If you're worried about drive-by attacks (*~1) consider using a modern Linux distro in a virtual machine to reduce your threat base substantially. It will cost you nothing at all and will install in about 10-30 mins with only one reboot to being fully patched up-to-date before you or the OS itself (think about it...) starts to get online to a non-signed (i.e., not the update repository to collect the latest signed update patches) web address.
For web browsing, you won't have to learn a single thing to use Linux. Firefox, Chrome and Opera browsers work exactly the same but the OS doesn't give them any rights.
An important plus is all the software in the repos is free, signed, and can all be set to be automatically security patched (and I do mean all, all apps as well as the OS itself). The only time you need to reboot the VM is to load a new Linux kernel (it should tell you when you need to do that); you can simply `save the state` (or `suspend`) of the Linux OS so it will start in maybe 5 seconds when you next need it.

Of course, you have to keep the hosting OS and the VM app up to date yourself :(

For first-time Linux users, I'd recommend trying "Ubuntu" (though we use BSDs and Debian at work and I'm not personally keen on Ubuntu lol ) Heck, you don't need to get all geeky, just browse the net in relative safety.

It also depends if you have legitimate MS disks or not, many "dodgy download" MS OSs are full of rootkits from the day you install them, and can never be detected. Then you have to sequentially patch the OS from the disk-version all the way up to current before you go plug the network cable in (how, exactly, does a Joe Average single-PC-crashed-home-user do that?). Add that to the fact that the majority of malware is crypted to be pseudo-unique, AV only goes so far. Packet analysis at a gateway firewall can tell you the whole story - if you poke around long enough, you could get an awful shock ;)

(*~1) It's possible to get infected by just visiting an infected website. (or your PC automatically visiting - a whole other sad story)
see:-
http://www.theregister.co.uk/2009/09/24/malware_ads_google_yahoo/
http://www.theregister.co.uk/2009/06/02/digital_spy_malware/
http://www.theregister.co.uk/2010/06/08/jerusalem_post_malware/
http://www.theregister.co.uk/2009/08/24/mass_web_infection/

It's an endless battle; in theory EF could be compromised and you'd never know until you're hit. AV won't (can't) pick it up until it's recognised by the companies and delivered in signature updates, that can take at best a few days, and for subtle crypted malware, a month or two. Heuristics is worked around by concealing as vendor patches, because you use so many different vendors with MS Windows PCs, how can you expect each vendor to recognise other people's patches as legit or not?

Last month we saw (at an enterprise-level customer's site) a simple drive-by exploit rootkit a Win7 PC at first opening of the browser on a fully patched fresh install with AV (malicious drive-by ad on the default home page). Virustotal still doesn't detect the payload because it's delivered crypted differently each time, heuristics just ignores it whatever the settings. It sends out all your DNS requests, visited web addresses and username/password fields even on "safe" HTTPS-enabled sites, it's an endpoint exploit remember! It then appears to package screenies including (mouse-IRQ triggered?) screenies of the password dropdowns or on-screen keyboard pickers, and uploads them to random IPs, seemingly on request from the C&C servers. We know that from the disk activity traces.
We replicated the setup and the test machines got infected in exactly the same way, so we watched the flows develop. As soon as the guys had found the payload source and delivery method we contacted the web-page's NOC and managed to get action within about a day of the initial contact.

Now-the worrying part....
To date we haven't seen a single fix or signature for it even though we delivered the payloads upstream to the main AV firms the same day - 6 weeks now and counting. They have all the disk images and captures, supplied to them the first week. I don't know why we bothered wasting our time, but the customer was impressed by our initial report at least.
Go figure.

In the Corporate environment, our guys reckon that `AV` products detect about a third of the in-situ threats they see each week if you can isolate the threat and scan it on another clean PC. It usually comes in under the radar before signatures have been written. We get called in when the on-site people reach the end of the line or need independent oversight; the customer's policies or legal stuff means the breach has to be assessed, quantified and reported. This is heavy-duty stuff, not SOHO or small firms.

I'd say (without any first-hand experience of average MS-Windows users) the main threat delivery routes to home users are, in rough order:-

.Pirated software apps (even if the AV says it's clean)
.Root-kitted OS images (I mean, really, wtf do people expect?)
.Drive-by web-based attacks like I mention above
.Malicious USB or memory-card devices (like cellphones, USB sticks, cameras, picture frames, photo-booths).
.Insecure and badly patched apps on a badly-patched OS.

It really depends how often you plug outside sources into your PC, if you don't have a network cable in but plug USB sticks full of pirated stuff in all day, your threat vector will be skewed.

I blame the software vendors. I'm sure that black-hatters from a neighboring tribe were deviously kill-stealing mammoths from hunter-gatherers half a million years ago, so it's not like it's a new problem. Those 10 second "disaster averted" ads make me want to puke.

Long enough answer? :) Remember, it's a journey, not a destination.
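
Added example (not part of the post above and not written by anyone in this thread): a read-only PowerShell check of three points that post raises for a Windows 7 machine, namely whether the everyday account is a standard user, whether UAC elevation asks for a password rather than a click, and whether AutoRun is off for all drive types. The helper name Get-PolicyValue is made up for this example; it reads the machine-wide policy keys only.

```powershell
# Added example: read-only audit, changes nothing. Run from a normal (non-elevated) prompt.
function Get-PolicyValue($SubKey, $Name) {
    # Hypothetical helper: returns $null when the policy value is not set.
    $path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\$SubKey"
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# 1. Is the logged-on account in the local Administrators group?
#    whoami lists the group SID S-1-5-32-544 even when UAC has filtered the token.
$isAdminAccount = [bool]((whoami /groups) -match 'S-1-5-32-544')

# 2. UAC: EnableLUA = 1 means UAC is on. ConsentPromptBehaviorAdmin 1 or 3 means an
#    administrator must type credentials to elevate; 2, 4 and 5 are a consent click,
#    0 elevates silently. This only matters when the account is an administrator.
$uacOn         = (Get-PolicyValue 'System' 'EnableLUA') -eq 1
$adminPrompt   = Get-PolicyValue 'System' 'ConsentPromptBehaviorAdmin'
$needsPassword = ($adminPrompt -eq 1) -or ($adminPrompt -eq 3)

# 3. AutoRun: NoDriveTypeAutoRun = 0xFF disables it for every drive type.
#    A missing value means the machine-wide policy is not set (a per-user value
#    under HKCU may still exist; it is not read here).
$autoRunOff = (Get-PolicyValue 'Explorer' 'NoDriveTypeAutoRun') -eq 0xFF

$checks = @(
    @{ Check = 'Everyday account is a standard user';     Pass = -not $isAdminAccount },
    @{ Check = 'UAC is enabled';                          Pass = $uacOn },
    @{ Check = 'Admin elevation requires credentials';    Pass = $needsPassword },
    @{ Check = 'AutoRun disabled for all drive types';    Pass = $autoRunOff }
)

# New-Object PSObject keeps this usable on the PowerShell 2.0 that ships with Windows 7.
$checks | ForEach-Object { New-Object PSObject -Property $_ } |
    Select-Object Check, Pass | Format-Table -AutoSize
```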
 
Really need 2 things Firewall and Antivirus

Good free ones are
Antivirus - AVG or Avast

Firewall - Zonealarm

-----------
Optional Is a spyware checker - I like Spybot Search & destroy
 
Abstinence is the only sure fire solution
 
...or use pfSense for free on an Intel Atom board for an industrial-class firewall that can replace Cisco ASAs in most deployments with no lock-in.

I tend to favor inline/attached hardware firewalls/AV a little more than programs running on the computer they are meant to protect for a lot of reasons. The part I have seen the most is how much overhead I have freed up on each server with this addition to my network.

Nice post you have here, lots of great information. I hope people take the time to read it =)
 
Avast may not be the best, but it's less of a system hog than some of the other freebies, and it auto updates all the time. It's also got that cute little voice that randomly pops up that says "Virus Database has been updated"

Well that is ONE spyware it might not catch or rather it did still detect it, it just didn't quarantine it. But other than that it is one of the best programs for this type of thing from every report on it I've read.

http://www.google.com/#hl=en&q=seaport.exe&aq=f&aqi=g9&aql=f&oq=&gs_rfai=&fp=45835207582d5ee7

Sometimes I think Windows itself is a Virus on a variety of levels...
 