Why to kill malware on entry!
Straight_Man
Geeky, in my own way · Naples, FL · Icrontian
First off, WHY BOTHER??? Well, the threads that start with I CAN'T and I'm TEARING MY HAIR out say that one reason to keep as much of this off the boxes as possible is that doing so limits grief for the owner of the protected box. Curious thing is, since the malware can be used (and is usually INTENDED to) to further intrude AND use the infected host to spread with follow-on stuff or directly from time of infection onward use it to spread (SMTP engine stuff does this), preventing it "at the gate" on boxes has a ripple prevention effect and a ripple prevention/mitigation effect. If most of us had good AV on boxes, ISPs all did AV scans of all email incoming at the gate, and kept their servers protected, and filtered for email spam, guess what??? There would be one HECK of a lot less viruses and other malware "in the wild." The malware could not find a host to make home in and spread very often. Most malware has timeouts built in, or target dates to start acting.
So, what happens if those who can protect their boxes, actually DO protect their boxes?? They not only protect their boxes, but they ALSO deny the malware a vector node to spread to other boxes from their box.
So, let's look at some ways to stop malware at the gate.
There are two ways which can be used in combination to really hit email vectors for viruses. First, secure the box you own with AV and anti-spam you can control and teach both what is and is not junk to you. Second, ask your ISP to offer and document how to kill spam at the server as you define it, and to look at what is junked and build rules, or let you input in a fairly easy way what you think is junk and what is not. My ISP does both, I and others demanded that. My surfing is faster due to junk email not taking up bandwidth being spread-- that alone is making my ISP's existing servers and routers not have to cope with as much junk traffic, and use it for good traffic.
So what do you need to look for in an AV??? I'm not gonna say spend huge bucks for a security appliance, but I DID tell my ISP if they wanted me and 25 tech friends and their customers and their friends (etc) to keep using their services, they HAD to provide AV and filtering on their email. 90+% of malware enters through spam email routes as initial entry attack. Eliminate the email from having an entry point, you get a system that protects itself from 85-90% of hits automatically (no such system is perfect, some might slip through, which is why you need both filtering and AV, they backstop each other if things are done right).
Filtering works with rules, and trainable filtering allows the end user to help define what rules are in place (real good trainable filtering lets the user also tell the filters some exceptions to rules of what is bad to get almost all the email they want while killing the junk from their point of view of what is junk). AV with just definition sets works with specific ID rules. AV with heuristics works with rules based on how viruses have worked versus how good system processes should work.
So, since neither defs nor heuristics are perfect by themselves, and heuristics have to be carefully written so they do not damage boxes by mistaking good for bad and disabling or deleting that which is good, rules that do not damage but block repeats of previous methods used by malware AND predict part of behavior that is most often damaging and not what a good process should do need to be in place to catch a majority of the things the defs do not let the virus know specifically as to malware, while the defs let the virus killing software ID new and old things to make the killing FASTER-- both working together are better than either alone.
Why bother stopping malware at the gates of your computer's web presence space and at the same time stop it from spreading from your box to others all at once??? Because of both the grief saved by you and because by not letting your box host the software that is malware you have a ripple effect that diminishes how viruses can spread to others. Being a good web citizen has a double effect, and the ripple prevention is AT LEAST as important to discouraging malware folks as much as the protection of your box is to you. I'll work on how-to aspects later, in another thread post in this area....
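An added illustration of the layering the post describes (a trainable junk filter with user-taught exceptions, a definition-set check, and heuristic rules, each backstopping the others), written for this page and not code from the original post or its author. The sample messages, the "known-bad" hash, the sender names and the heuristic rules are all constructed for the demo; the trainable filter is a minimal naive-Bayes scorer, which is one common way such filters are built, not necessarily how any particular product does it.

```python
"""Toy layered mail gate: user-trainable junk filter backstopped by a
definition-set (signature) check and a heuristic check on attachments.
Added example; every sample, hash and rule here is constructed."""
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass, field

TOKEN_RE = re.compile(r"[a-z0-9$!]+")


def tokens(text):
    return TOKEN_RE.findall(text.lower())


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> bytes


class TrainableFilter:
    """Rules the user teaches with 'junk'/'good' examples, plus explicit
    exceptions (allowed senders) that override the learned rules."""

    def __init__(self):
        self.counts = {"junk": Counter(), "good": Counter()}
        self.totals = {"junk": 0, "good": 0}
        self.allowed_senders = set()

    def train(self, text, label):
        toks = tokens(text)
        self.counts[label].update(toks)
        self.totals[label] += len(toks)

    def allow_sender(self, sender):
        self.allowed_senders.add(sender.lower())

    def junk_score(self, text):
        """Summed per-token log-odds of junk vs good, Laplace-smoothed so
        unseen tokens neither crash the maths nor dominate the score."""
        vocab = len(set(self.counts["junk"]) | set(self.counts["good"]))
        score = 0.0
        for t in tokens(text):
            p_junk = (self.counts["junk"][t] + 1) / (self.totals["junk"] + vocab)
            p_good = (self.counts["good"][t] + 1) / (self.totals["good"] + vocab)
            score += math.log(p_junk / p_good)
        return score

    def is_junk(self, msg):
        if msg.sender.lower() in self.allowed_senders:
            return False  # user-taught exception wins over the learned rules
        return self.junk_score(msg.subject + " " + msg.body) > 0


# "Definition set": SHA-256 of known-bad attachment bytes (constructed, not real malware).
KNOWN_BAD_SHA256 = {hashlib.sha256(b"CONSTRUCTED-KNOWN-BAD-SAMPLE").hexdigest()}
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "vbs"}


def signature_hit(data):
    """Definition-based check: exact match against the known-bad set, nothing else."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


def heuristic_hit(filename, data):
    """Rule-based check on how malware tends to arrive, independent of definitions.
    Returns the rule that fired, or None."""
    ext = filename.lower().rsplit(".", 1)[-1]
    if ext in EXEC_EXT:  # covers double extensions like invoice.pdf.exe too
        return "executable attachment"
    if data[:2] == b"MZ":  # DOS/PE header behind a harmless-looking name
        return "executable content disguised as ." + ext
    return None


def gate(msg, flt):
    """Run the layers in order; returns (verdict, reason)."""
    for name, data in msg.attachments.items():
        if signature_hit(data):
            return "drop", "signature match on " + name
        rule = heuristic_hit(name, data)
        if rule:
            return "drop", "heuristic (" + rule + ") on " + name
    if flt.is_junk(msg):
        return "junk", "trainable filter"
    return "deliver", "clean"


def build_demo():
    flt = TrainableFilter()
    flt.train("buy cheap pills now free offer click here $$$", "junk")
    flt.train("free money lottery winner claim prize now", "junk")
    flt.train("meeting tomorrow about the project report draft", "good")
    flt.train("attached is the draft report for review thanks", "good")
    flt.allow_sender("boss@example.org")  # the user's exception to the rules
    return flt


# Constructed sample messages (example.org/example.net are reserved documentation domains).
SAMPLES = {
    "known_bad": Message("x@example.net", "hi", "see attached",
                         {"doc.pdf": b"CONSTRUCTED-KNOWN-BAD-SAMPLE"}),
    "disguised_exe": Message("x@example.net", "photo", "look at this",
                             {"photo.jpg": b"MZ\x90\x00 constructed bytes"}),
    "exe_attachment": Message("x@example.net", "invoice", "please pay",
                              {"invoice.pdf.exe": b"constructed bytes"}),
    "spam": Message("deals@example.net", "free offer", "buy cheap pills now, click here $$$"),
    "spammy_but_allowed": Message("boss@example.org", "free offer", "free pills, click here"),
    "clean": Message("colleague@example.org", "report", "attached is the draft report for review"),
}


def run_samples():
    flt = build_demo()
    return {name: gate(msg, flt)[0] for name, msg in SAMPLES.items()}
```

Running `run_samples()` shows each layer earning its keep: the known-bad attachment is caught by the definition set, the disguised and double-extension executables slip the definitions but trip a heuristic, the junk message is scored by the trained rules, and the allowed sender's message is delivered despite looking junky because the user's exception outranks the rules, which is the "teach the filter what is junk to you" point in the post.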