How to fully test your malware defenses

How to fully test your malware defenses

Here are some safe and easy ways to find out if your PC’s anti-malware tools are actually protecting you.

Do-it-yourself anti-malware testing consists of two parts: proactively probing your PC’s defenses using simulated malware attacks, and performing routine verification tests to ensure that your PC remains free of real malware.

Neither of the two methods, when used alone, is sufficient to ensure you’re protected. However, used together, they can give you a high level of confidence that your system can resist both current and future threats.

Security sites offer simulated malware

Clearly, true malware testing must be done with great care. Security professionals take expensive and rigorous steps to trap and examine malware, and to test the effectiveness of anti-malware applications. Obviously, we don’t want to willingly expose our systems to live malware!

But a number of companies have come up with a safe solution for users; they offer webpages and downloadable files containing neutered, inert, or simulated versions of malware. You can use these test samples to sniff out potential vulnerabilities in your malware defenses — without exposing your system to actual malicious payloads.

These samples aren’t all-encompassing, but they’re still useful. For example, if you’ve changed, upgraded, or altered your primary anti-malware tool, you can run some quick tests with simulated malware to ensure that the app’s basic functions are in place and active.

Keep in mind, however, that this type of testing has some significant limitations. There’s no way, for example, for users to know whether the tests are well constructed; or whether they correctly mimic the actions of real-life malware; or whether the tests are actually relevant to your usage patterns and skill levels.

To expand on just that last point, experienced PC users know to never click bogus popups such as those webpages that warn: “Multiple malware infections detected! Click here to clean.” They also know not to open unexpected email attachments, not to visit malware havens such as porn and black-hat hacker sites, and not to install software from dodgy sources. Simply put, the computing habits of experienced users close off many potential malware-attack vectors.

On the other hand, many inexperienced users haven’t developed good computer-security habits, which means they’re more likely to be suckered in by bogus — and usually malicious — exploits. Consequently, these users need far more protection and security hand-holding than do experienced Windows hands.

No one test can address the habits of both experienced and novice (or careless) users. For example, tests that sufficiently check basic, lightweight security apps might be fine for experienced users but leave novices hopelessly exposed to trouble. So, you have to select tests that match your usage patterns and skill levels.

You also need to be aware of potential hidden agendas that might underlie some anti-malware test sites and suites. For instance, companies that sell anti-malware software and services might design tests that artificially emphasize that brand’s features or approach to detecting malware.

To get the most from malware simulations, use test links and files from multiple sources — and, again, select the tests that pertain to your usage patterns and skill levels.

Also, always bear in mind that simulations can go only so far; the results can’t be taken as definitive. For a thorough check of your defenses, follow up malware-simulation tests with the real-life verification steps outlined later in this article — those verification tests are the gold standard for real-world anti-malware efficacy.

Here are some examples of free, well-known, and well-regarded tests that use simulated malware attacks; you can find many more via your favorite search engine:

• “Anti-malware Testfile” page – European Institute for Computer Anti-Virus Research
• “Test your anti-Malware solution!” page – WICAR.org
• “Security features check” site – Anti-Malware Testing Standards Organization
• “SmartScreen demo pages” site – Microsoft
• “Test your system’s malware detection capabilities” page – Fortinet
• “HIPS and firewall leak-test suite” site – Comodo
• ShieldsUP! download page – Gibson Research Corp.
• LeakTest download page – Gibson Research Corp.
• Security Test Tool download page – SpyShelter

Live anti-malware verification testing

As noted above, real-life (not simulated) verification is the gold standard for anti-malware testing. It entails periodically employing multiple tools from different vendors to thoroughly scan your system, top to bottom. If several tools from different vendors all pronounce your system free of malware, you can be virtually certain that your anti-malware defenses are working well — no malware of any kind has made it into your system.

Start with the obvious; ensure that your full-time anti-malware tool is running routine scans. For example, most anti-malware tools will scan all or part of a system daily or weekly. I recommend setting up both quick daily scans and weekly in-depth scans.

Next, add an additional layer of scanning. No anti-malware tool can be completely effective; they all have figurative “blind spots” that prevent them from detecting certain types of infections.

Periodically run additional, in-depth, full-system scans, using self-contained anti-malware apps from other vendors (i.e., not the publisher of your primary anti-malware app). If your regular app and one or more entirely different apps declare your system to be malware free, it almost certainly is.

For a fast verification checkup, I recommend using a little-known option within Microsoft’s free Process Explorer. With just a few clicks, it can scan all the running processes on your PC with over 50 anti-malware engines, hosted by the VirusTotal service.

You can also use VirusTotal (site) manually, but the automated method in Process Explorer is extremely quick — but more important, it’s much more convenient than submitting possibly hundreds of process EXEs to VirusTotal, one by one — a huge PITA.

Here’s how to use Process Explorer to automatically check all running processes on your PC:

1) Download and run Process Explorer (site).

2) Once Process Explorer is running, click its Options menu and then select VirusTotal.com/Check VirusTotal.com.

3) The VirusTotal site will open in your browser. Accept the user agreements that will appear in two places: within Process Explorer itself and in the browser window. A new column labeled “VirusTotal” will appear on the far-right side of the Process Explorer window.

4) The column shows how each running processes fared, when scanned by the 50+ VirusTotal engines. (The scans take only a few seconds.)

The results are shown as a fraction — for example, “0/52” (see Figure 1). The first number is how many anti-malware engines detected trouble with the process in question; the second number is the total number of anti-malware engines used to scan that process. Note that the number of active engines will vary from process to process.

For instance, 0/52 means that none of the 52 engines used found anything suspicious in a particular process. In other words, that process is clean as a whistle. (Click the VirusTotal column header to quickly sort by scan results.)

If one or two engines report trouble — say, you see 1/52 next to an item — it’s probably a false positive. However, if several engines report trouble — e.g., 23/52 — then it’s a strong probability that the process is malware related. In any case, if one or more processes show potential trouble, run a deep scan with a dedicated anti-malware tool, as described below.

Note: As its name implies, Process Explorer can only scan active processes. Other types of malware, such as rootkits, bootkits, or inactive malware will not be detected. Still, this simple, quick, and free test is certainly worth running from time to time as a basic validation check.

True anti-malware tools look deeper; they take considerably longer to run than does Process Explorer, but they can thoroughly scour your system from top to bottom.

I recommend manually running separate scanners (i.e., not your full-time scanner) once a week to once a month, depending on how much you use your PC and the level of malware threats. Let the scan process run over a lunch hour or overnight, so a lengthy scan won’t interfere with your work activity.

There are two major types of deep-scanning anti-malware apps:

On-demand scanners are usually self-contained tools that you launch and run from inside Windows. Because on-demand scanners are active only when specifically launched, they rarely conflict with your always-on, full-time security software.

Self-contained/self-booting scanners operate entirely outside of Windows. These tools are typically offered as downloadable ISO files, which you use to create bootable CD, DVD, or flash drives — commonly called rescue disks. These discs contain both an operating system and a malware scanner.

Because these scanners can examine a system when all other software — including Windows — is inactive, they’re especially good at sniffing out even sophisticated types of malware that might actively hide from Windows-based scanners. Also, because self-contained/self-booting scanners operate entirely independent of Windows, there’s no chance that the rescue-disk scanner will conflict with your regular anti-malware software.

For information and suggestions about these two types of scanners, see the April 14 On Security (article), “Update: Tools to remove almost any malware.”

Note: One tool mentioned in that article, Microsoft’s Windows Defender Offline, was recently changed in Windows 10. For more information, see the June 9 Field Notes column, “Windows Defender Offline goes online.” Also, for a time, the free and downloadable version of Windows Defender Offline was not available for Vista and Win7/8 users. But in a welcome development, Microsoft recently began re-offering the downloadable version on its Windows Defender Offline page.

Putting it all together: Defense in depth

If you’re careful about your online habits, employ any of the available anti-malware tools, enable your browser’s anti-malware features, proactively test your anti-malware tools from time to time by using simulated malware, and routinely perform verification testing to ensure that your PC is truly malware-free, you’ll be about as safe as current technology allows (short of disconnecting yourself from the Internet entirely).

And given the many types of threats in today’s online world, that’s exactly what we all want and need!

Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum. To rate this or other stories, click over to our polls page.

 

Coping with the new rules for updating Windows 7

Only Microsoft could make Windows updating both easier and harder at the same time.

This month we move from individual Win7 security updates to the new roll-up model. But Microsoft also released some individual updates alongside the rollups.

To get through this transition, here are some steps to make the updating process less painful.

Working with the big change in Win7 updating

Microsoft’s new roll-up model for Windows 7 has a significant impact on the Patch Watch column. I can no longer give you patch-by-patch recommendations on what to install now and what to put off — or never install.

October’s patch release seemed especially confusing because some fixes are being address by both roll-up updates and separate patches. (Most of those separate updates are for corporate environments.) Whether this is a temporary expediency by Microsoft is something we’ll have to wait to see.

For Patch Watch followers who stuck with Win7, I’m taking a slightly different tack in this column. I’d like you to review your system and determine how “crusty” it is — and how much you depend on it.

If you have several Win7 computers, I recommend taking a cue from IT administrators: At least for this first use of the roll-up update system, install the updates on one system and carefully test that machine. Check, for example, that printer connections continue to work and there are no issues with your key applications.

If you have only one system, I suggest you not install the roll-up update until I can report back in the next Patch Watch column.

For all Win7 users, keep in mind that you can still uninstall roll-up updates if you run across problems. To do so, open Control Panel/Programs and Features and click the “View installed updates” link. Enter the patch number (e.g., KB3185330) in the search box, located in the upper-right corner of the update-list window. Right-click the update and click Uninstall. (In most cases, I prefer uninstalling updates rather than using Window’s system-restore feature.)

If this new roll-up model worries you, you’re far from alone. I’m at the Las Vegas ITDev Connections conference this week, and the attending system admins I’ve talked to are quite concerned. Most stated that they’re holding back on new updates for at least a month.

What to do: Back up your PCs before adding the October updates. After installing them, either on one machine or a test system, check that everything functions as it should. And be prepared to uninstall the update if needed. If you have just one PC, hold back the updates until I give you my follow-up in the next Patch Watch.

3185530

What’s in the October Win7 roll-up update

Win7 SP1 (and Server 2008 R2 SP1) users should see two major patch releases in Windows Update. KB 3185530 is the rollup for most security and nonsecurity fixes; KB 3188740 contains patches for .NET Framework (see the next item).

KB 3185530 includes the following security fixes (the Win8.1 equivalent is KB 3185331):

• MS16-101 – Windows authentication methods; an important re-released August patch for two vulnerabilities.
• MS16-118 – Internet Explorer; a critical cumulative update for IE 9/15/11.
• MS16-120 – Microsoft Graphics Component; a critical fix for numerous vulnerabilities in Windows graphics. Also applies to Office, Skype, .NET, and Silverlight.
• MS16-122 – Microsoft Video Control; an update for a critical remote-code-execution vulnerability.
• MS16-123 – Kernel-mode drivers; rated important, fixes five elevation-of-privilege vulnerabilities.
• MS16-124 – Windows Registry; rated important, fixes four elevation-of-privilege threats.
• MS16-126 – Microsoft Internet Messaging API; fixes a moderate information-disclosure flaw.

The rollup also includes the following nonsecurity updates:

• Improved Disk Cleanup tool for removing older Windows Updates.
• Better application compatibility.
• In Windows Media Player, removed CD-ripping copy-protection option in Windows Media Audio format.
• CPU-use issue after installing KB 3125574 (mmc.exe consumes 100 percent of CPU on one processor when closing Exchange 2010 Management Console).
• Generic Commands fail after installing KB 2919469 or KB 2970228 on devices that have KB 3125574 installed.

For admins using WSUS, you’ll be offered both the rollup and KB 3192391, which includes only the security updates. Pick one or the other.

What to do: I’ll be tracking any issues that arise and reporting back in two weeks. Test KB 3185330 or put off the update until the next Patch Watch column.

3188740, 3188743, 3188744

.NET Framework also gets a security bundle

Though IE is bundled in the above Win7 update, .NET 3.5.1 updates for the OS were released separately as KB 3188740. A Microsoft blog post explains the current .NET patching model. In short, consumers will receive bundled updates that include both security and nonsecurity fixes. Admins that use WSUS will see a security-only patch, KB 3188730.

Confused? Join the club; I’m used to seeing both KB numbers in my server-patching tool, as well as via Microsoft Update. But now we’ll see unique numbers on each platform.

The .NET rollup for other platforms include: KB 3188743 for Win8.1 (.NET 3.5) and KB 3188744 for Vista (.NET 3 SP2/4.5.2/4.6).

What to do: On Win7 systems, install KB 3188740 on a test machine first. If you only one system, wait until I report back in the next Patch Watch column.

MS16-120, MS16-121

Separate security updates for Office and Word

Rated important, MS16-121 prevents remote attacks using malicious RTF files. Note that critical update MS16-120 has separate updates for versions of Office on Vista; they include.

• 3118301 – Office 2007
• 3118317 – Office 2010
• 3118317 – Office 2010

MS16-0121 should show up as separate security updates for all current versions of Office. They include:

• 3118307 – Office Compatibility Pack SP3
• 3118308 – Word 2007 SP3
• 3118311 – Office 2010 SP2
• 3118312 – Word 2010
• 3118331 – Office 2016
• 3118345 – Office 2013
• 3127898 – Word Viewer

(OS X systems with Office for Mac should see KBs 3193442 and 3193438).

What to do: Install any of the updates in MS16-120 and/or MS16-121 if offered.

3185614, 3192440, 3194798

Cumulative updates for various flavors of Win10

Microsoft’s stated goal is to simplify Windows updating, but along with Vista, Win7, and Win8.1, it’s supporting three versions of Windows 10. The cumulative updates include: KB 3192440 for Win10 RTM, KB 3185614 for Win10 1511, and KB 3194798 for Win10 1607.

All three updates contain most of the security updates noted above for Win7 (MS16-101, MS16-118, MS16-119, MS16-120, MS16-122, MS16-123, and MS16-124); it also includes security updates for Edge (MS-16-119) and the Windows Diagnostics Hub (MS16-125).

In addition, these updates include the following nonsecurity fixes and enhancements, listed on the “Windows 10 update history” page:

• More reliable Bluetooth and storage-file system
• Printer drivers won’t install after adding security update KB 317005
• Sign-in errors after installing security update KB 3167679 (MS16-101)
• Must sign in again before using just-installed app
• New entries in Access Point Name database
• Excessive battery use when Win10 Mobile connected to Wi-Fi
• Sign-in fails with fingerprint and iris recognition in Win10 Mobile
• Excessive CPU use with Win10 Mobile.
• Issues with media playback, daylight-saving time, authentication, IE 11, and Windows Shell.

What to do: Install or defer (your option) KB 3185614, KB 3192440, or KB 3194798.

3194343

The usual round of critical Flash Player issues

At this point, it’s nice to get back to a relatively simple update. KB 3194343 is the monthly critical Flash Player fix for Win8, Win8.1, and Win10. There’s also the usual separate update from Adobe for Windows 7.

Adobe’s Oct. 11, security bulletin, APSB16-32, notes that Version 23.0.0.185 patches a relatively modest dozen vulnerabilities.

Also, IE 11 will begin blocking out-of-date Flash ActiveX controls, as documented in a Microsoft Edge Team post. For Win7 users, I’ll discuss this in more detail in the next Patch Watch column.

What to do: Install KB 3194343 and/or check that you have the most current version of Flash Player.

Vista gets its own separate batch of updates

The end-of-life for Vista is April 11, 2017. So it’s not surprising that Microsoft hasn’t moved the OS to the new roll-up model. (Microsoft might still do so.) You should to see the following versions of the aforementioned security updates:

• 3167679 (MS16-101) – Windows authentication
• 3183431 (MS16-123) – Kernel-mode drivers
• 3190847 (MS16-122) – Microsoft Video Control
• 3191203 (MS16-120) – MS Graphic Component
• 3191256 (MS16-124) – Windows Registry
• 3193515 (MS16-126) – Microsoft Internet Messaging API

What to do: I recommend that Vista users hold back on these separate patches until I hear more about any issues.

A ‘modest’ list of Office nonsecurity fixes

This might be the shortest list of nonsecurity Office patches in a very long time. There are none for Office 2007 or 2010.

Nevertheless, one update has already run into trouble. As noted in MS Support article 3198535, Microsoft has recalled KB 3118373, an Excel 2016 update. After installing it, some users received a “Microsoft Excel has stopped working” error message. If you installed the update, Microsoft recommends removing it.

Oddly, the many of the Office enhancements have a similar theme — enhancing the use OneDrive for Business. Perhaps there was a cut-and-paste problem, or perhaps there’s a bunch of Office components that had to be changed.

For the full list of nonsecurity Office updates, see the October MS TechNet article

Windows

• 2952664 – Windows 7; Win10-compatibility helper, no GWX code
• 3181988 – WSFC integrity scanning, usbhub.sys.mui error

Office 2013

• 3118369 – Excel; conditional-formatting failures with VBA
• 3039737 – Office; no description
• 3118367 – Office; various fixes
• 3115156 – Office; Norway proofing, Czech corrections
• 3118354 – Office; Outlook and Digital Signatures add-in
• 3118351 – Project; numerous fixes
• 3118347 – SharePoint Server Client lost attachments of list item

Office 2016

• 3118329 – Office; better OneDrive for Business synching
• 3118264 – Office; better OneDrive for Business synching
• 3118373 – Excel; recalled
• 3118333 – Office Language Interface Pack; accuracy, Russian corrections
• 3118374 – Office; various enhancements, better OneDrive for Business synching
• 3118330 – Office; various enhancements, better OneDrive for Business synching
• 3115500 – Office; rebranded solutions model? (an incomprehensible description)
• 3118375 – Outlook; various fixes
• 3118328 – PowerPoint; better OneDrive for Business synching
• 3118323 – Visio; better OneDrive for Business synching
• 3118263 – Office; better OneDrive for Business synching
• 3118262 – Office; better OneDrive for Business synching

What to do: Put the nonsecurity updates on hold until we have more information — and we’ve sorted out this month’s Win7 security fixes.

Regularly updated problem-patch chart

This table provides the status of recent Windows and Microsoft application security updates. Patches listed below as safe to install will typically be removed from the table about two months after they appear. Status changes are highlighted in bold.

For Microsoft’s list of recently released patches, go to the MS Security TechCenter page.

Patch	Released	Description	Status
3175024	09-13	Windows Kernel	Install
3177186	09-13	Windows SMBv1 Server	Install
3178539	09-13	Windows Lock Screen	Install
3182373	09-13	Silverlight	Install
3183043	09-13	MS Edge	Install
3184122	09-13	VBScript engine	Install
3184471	09-13	Windows; also KB 3187754	Install
3184711	09-13	MS Exchange Server; also 3184728, 3184736	Install
3184943	09-13	Windows PDF Library	Install
3185319	09-13	Internet Explorer cumulative update	Install
3185611	09-13	Win10 RTM cumulative update	Install
3185614	09-13	Win10 1511 cumulative update	Install
3185852	09-13	MS Office; see MS16-107 for full KB list	Install
3185876	09-13	Windows Secure Kernel Mode	Install
3185911	09-13	MS Graphics Components	Install
3188128	09-13	Adobe Flash Player	Install
3189866	09-13	Win10 1607 cumulative update	Install
3185330	10-11	Win7 rollup update	Wait
3185331	10-11	Win8.1 rollup update	Install
3192440	10-11	Win10 RTM cumulative update	Install
3192441	10-11	Win10 1511 cumulative update	Install
3192884	10-11	MS Graphics Component; Vista: 3191203	Wait
3192887	10-11	IE cumulative update; see MS16-118 for full list	Wait
3192890	10-11	Edge cumulative update	Install
3192892	10-11	Kernel-Mode Driver; Vista: KBs 3191203, 3183431	Wait
3193227	10-11	Windows Registry; Vista: KB 3191256	Wait
3193229	10-11	Diagnostic Hub; Win10 editions	Install
3194063	10-11	MS Office, use link for full list	Wait
3194343	10-11	Adobe Flash Player	Install
3194798	10-11	Win10 1607 cumulative update	Install
3195360	10-11	MS Video Control, Vista: 3190847	Wait
3196067	10-11	MS Internet Messaging API; Vista: KB 3191256	Wait

Status recommendations: Skip — patch not needed; Hold — do not install until its problems are resolved; Wait — hold off temporarily while the patch is tested; Optional — not critical, use if wanted; Install — OK to apply.

Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum. To rate this or other stories, click over to our polls page.

 

Changing the updating rules for Windows 7

Microsoft’s move to roll-up updates for Win7 has generated much confusion and angst.

That’s clear, based on a lengthy discussion in the forum. Tell us what you think about the change.

The following links are this week’s most interesting Lounge threads, including several other new questions for which you might have answers:

Office Applications
General Productivity	What Office 2016 updates are installed?
Word Processing	Mail merge labels with multiple formats
Spreadsheets	Copy Values > 0, based on certain criteria
Microsoft Outlook	Set up iPhone calendar in Outlook 2016
	Unable to open .docx attachments
Windows
General Windows	Debate whether apps make migration easier
Windows 10	Ongoing: Windows Update woes
	Troubles with Windows Media Player
Windows 7	October’s change in Windows Update policy
	Installing .NET Framework 4
Windows Servers	Access files without dedicated VPN server?
Other Technologies
Security & Scams	Open suspicious file in Notepad?
	Ongoing: How good is Windows Defender
Hardware	What to do about a bad laptop screen?
Other Applications	Virtualbox Display drivers

Starred posts are particularly useful

If you’re not already a Lounge member, use the quick registration form to sign up for free. The ability to post comments and take advantage of other Lounge features is available only to registered members.

If you’re already registered, you can jump right into today’s discussions in the Lounge.