Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 4.  Viruses in a Windows World

4.8 Preventing Viruses in Windows

Preventing viruses in a Windows world means implementing the lessons we learned from DOS and adding a few new ones.

4.8.1 Install Antivirus Software

An up-to-date antivirus software package is a convenient way to prevent most computer virus infections.

4.8.2 Disable Booting from Drive A

Disabling booting from drive A will prevent boot viruses from infecting your machine, unless they are placed there by a dropper or multipartite program.

4.8.3 Don't Run Untrusted Code

When friends and business associates send me unexpected or untrusted files with the exploitable extensions listed in Table 3-1, I usually delete them right away. If I suspect the file is legitimate, I will try to open it in a nonthreatening way. For example, if someone sends me a rich text file (RTF), I will open it in WordPad. There are known exploits of .RTF files in MS Word, so I open the file in an application with less of a chance to cause harm. Using this philosophy, I have never been infected by an email bearing a virus or Trojan. Of course, if I'm sent a file that I'm expecting and I have taken the appropriate security precautions (such as disabling document macros, running a virus scanner, etc.), then I feel safer opening the file.

4.8.4 Install Service Packs and Updates

Installing the latest service packs and updates is a great way to close known security holes. Although slow to respond, Microsoft fixes weaknesses in their operating systems with every service pack. Install the in-between patches to stay more current.

It is not a bad practice to wait at least a week or two after a new major service pack release before deploying it, unless a specific security risk outweighs the delay. Upgrades often introduce new bugs, and an updated service pack is then released with the bug corrected.

4.8.5 Reveal File Extensions

When I receive a new, unexpected file, I always examine the type of file it is before double-clicking on it. I never open or execute files with potentially dangerous consequences (.COM, .VBS, .EXE, etc.). As we discussed earlier, Windows often hides file extensions by default, and will allow files to hide their extensions even if you explicitly told Windows not to. The .SHS, .LNK, .DESKLINK, .URL, .MAPIMAIL, and .PIF extensions are just some of the extensions hidden by default that may contain malicious code. To force Windows to reveal all file extensions, follow these instructions:

  1. In Windows 9x or Windows NT 4.0, start Windows Explorer and choose View → Folder Options → View, then uncheck "Hide files of these types" and "Hide file extensions for known file types". Ensure that "Show all files" is selected. In Windows 2000, choose Tools → Folder Options → View. Make sure "Show hidden files and folders" is selected, and that "Hide file extensions for known file types" and "Hide protected operating system files" are unchecked.

  2. You also have to remove all occurrences of the NeverShowExt value in the registry. Use REGEDIT or REGEDT32 to open the registry, choose Edit → Find, and search for NeverShowExt. When a value is found, delete it, then press F3 (Find Next) and repeat until no occurrences remain. Most, if not all, of the values will appear under the HKCR key.

You can always right-click any file and open its properties to see the full name.
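The registry part of the procedure above can be audited with a script instead of a manual Find/F3 loop. The following is an added example, not code from the book: it lists every key under HKCR that carries a NeverShowExt value, maps each one back to the extension it hides, and deletes the value only when run with -Remove. It assumes PowerShell 5.1 or later on Windows and an administrative session for removal.

```powershell
# Added audit script; not from the book. Lists every key under HKCR that carries a
# NeverShowExt value (the file types Explorer still hides extensions for), maps each
# back to its extension, and removes the value only when -Remove is given.
# Assumed environment: PowerShell 5.1 or later on Windows, run as an administrator
# if you use -Remove. Use -Recurse to also search nested keys (slow, HKCR is large).
param(
    [switch]$Remove,
    [switch]$Recurse
)

$hkcr = 'Registry::HKEY_CLASSES_ROOT'

# Extension keys (".lnk", ".pif", ...) point at a ProgID ("lnkfile", "piffile") via
# their default value; build the reverse map so the report names the extension.
$extByProgId = @{}
Get-ChildItem -Path $hkcr -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '.*' } |
    ForEach-Object {
        $progId = $_.GetValue('')
        if ($progId) { $extByProgId[$progId] = $_.PSChildName }
    }

# GetValue() returns $null when the value is absent, so this picks out only the
# keys that actually set NeverShowExt (its data is irrelevant; presence is enough).
$hits = Get-ChildItem -Path $hkcr -Recurse:$Recurse -ErrorAction SilentlyContinue |
    Where-Object { $null -ne $_.GetValue('NeverShowExt') }

foreach ($key in $hits) {
    $ext = if ($extByProgId.ContainsKey($key.PSChildName)) {
        $extByProgId[$key.PSChildName]
    } else {
        '(no extension mapped)'
    }
    [pscustomobject]@{
        ProgId    = $key.PSChildName
        Extension = $ext
        Key       = $key.Name
    }
    if ($Remove) {
        Remove-ItemProperty -Path "Registry::$($key.Name)" -Name 'NeverShowExt' -ErrorAction Stop
    }
}
```

Run it once without -Remove to review the list, since some shell object types set NeverShowExt by design and you may prefer to keep a few of them.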

4.8.6 Limit Administrative Logons

NT security experts recommend not routinely logging on to NT with administrator rights (full access) unless you need the additional rights. If you have Windows 2000, use its Run As feature when you need a higher level of permissions. That way, if a malicious program gets loose, it runs under the more restrictive rights of the logged-on normal user, and the effects of viruses like Remote Explorer can clearly be minimized.

Be careful: it has been shown that some programs started with the Run As feature can be reached by programs running under the normal user context. For example, assume Internet Explorer was started with Run As using administrative privileges from a normal user's desktop. If the user then opens Outlook and clicks on an email with an embedded link, the administrative session of Internet Explorer will be used to display the link's contents. The content in the browser will run with the permissions of the Administrator even though it was launched from a normal user process.

4.8.7 Tighten Security

Only the Windows NT platform has the ability to implement file and resource security. Begin by assigning users and administrators alike the lowest level of permission they need to perform their jobs. Using REGEDT32.EXE, make sure the crucial parts of the registry only allow administrative access (Windows 2000 comes with stronger default registry security enabled). Make sure your Guest account is disabled. Use the flexibility and power of group permissions, policies, profiles, and security policies to implement strong security. Disable unnecessary services and startup programs. Document what is normally running on the server. Remove floppy diskettes from the computer when not needed. Lastly, maintain good physical security for all computer resources.
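Two of the steps above, restricting write access to crucial registry keys and documenting what starts automatically, can be checked together. This added example is not from the book: it takes the machine-wide Run and RunOnce keys as its own choice of "crucial parts of the registry", reports any principal outside an assumed trusted set that can write to them, and lists the configured startup entries as a baseline. It assumes PowerShell 5.1 or later on Windows.

```powershell
# Added example; not from the book. Audits the ACLs of the machine-wide startup keys
# (this example's own choice of "crucial parts of the registry") for non-administrative
# principals that can write to them, and lists what is currently configured to start.
# Assumed environment: PowerShell 5.1 or later on Windows.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Any of these rights lets a principal add or change a startup entry.
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey
# Principals expected to hold write access (assumed list); anything else is reported.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

function Get-UntrustedRegistryWriters {
    param([string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    foreach ($ace in $acl.Access) {
        # FullControl and the other composite rights include these bits, so a
        # bitwise test catches them as well as an explicit SetValue grant.
        $canWrite = (([int]$ace.RegistryRights) -band ([int]$writeRights)) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $trusted -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Key       = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
            }
        }
    }
}

foreach ($k in $keys) {
    Get-UntrustedRegistryWriters -Path $k
    # Record the startup entries so the normal baseline can be documented and compared later.
    $item = Get-Item -Path $k -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $k; Entry = $name; Command = $item.GetValue($name) }
        }
    }
}
```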

If you follow all of these steps, you've gone a long way toward preventing the spread of computer viruses and other forms of malicious mobile code in a Windows environment.

Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176