Preventing viruses in a Windows world means implementing the lessons we learned from DOS and adding a few new ones.
An up-to-date antivirus software package is a convenient way to prevent most computer virus infections.
Disabling booting from drive A will prevent boot viruses from infecting your machine, unless they are placed there by a dropper or multipartite program.
When friends and business associates send me unexpected or untrusted files with the exploitable extensions listed in Table 3-1, I usually delete them right away. If I suspect the file is legitimate, I will try to open the file in a nonthreatening way. For example, if someone sends me a rich text file (RTF), I will open it up in WordPad. There are known exploits of .RTF files in MS Word, so I open the file up in an application with less of a chance to cause harm. Using this philosophy I have never been infected by an email bearing a virus or Trojan. Of course, if I’m sent a file that I’m expecting and I have taken the appropriate security precautions (such as disabling document macros, running a virus scanner, etc.), then I feel safer when opening the file.
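The triage rule just described (delete unexpected files with an exploitable extension, open risky document types in a less capable viewer) can be applied mechanically before anything is double-clicked. The following PowerShell function is an added example and not code from the book; its lists are built only from the extensions named in this section, since Table 3-1 is not reproduced here, and the inclusion of .doc as a macro-bearing document type is this example's own assumption.

```powershell
# Added example, not from the book: classify an attachment by its real
# (last) extension and show what Explorer would display for it.
function Get-AttachmentRisk {
    param([Parameter(Mandatory)][string]$FileName)

    # Extensions that run code or launch something when opened: delete if unexpected.
    $Executable = @('.com', '.exe', '.vbs', '.shs', '.lnk',
                    '.desklink', '.url', '.mapimail', '.pif')
    # Document types with a history of viewer exploits: open in a less capable
    # viewer (RTF in WordPad rather than Word) with macros disabled.
    # .doc is this example's addition; the text names only RTF.
    $Document = @('.rtf', '.doc')
    # Extensions Windows hides even when "Hide file extensions" is turned off.
    $HiddenByDefault = @('.shs', '.lnk', '.desklink', '.url', '.mapimail', '.pif')

    $ext = [System.IO.Path]::GetExtension($FileName).ToLowerInvariant()

    # What Explorer shows when the last extension is hidden: "invoice.txt.pif"
    # is displayed as "invoice.txt", so a second extension is a disguise.
    $displayed = $FileName
    $disguised = $false
    if ($HiddenByDefault -contains $ext) {
        $displayed = [System.IO.Path]::GetFileNameWithoutExtension($FileName)
        $disguised = [System.IO.Path]::GetExtension($displayed) -ne ''
    }

    if ($Executable -contains $ext)   { $verdict = 'Delete' }
    elseif ($Document -contains $ext) { $verdict = 'OpenInLimitedViewer' }
    else                              { $verdict = 'Allow' }

    [pscustomobject]@{
        FileName      = $FileName
        RealExtension = $ext
        DisplayedAs   = $displayed
        Disguised     = $disguised
        Verdict       = $verdict
    }
}

# Constructed sample names, not real attachments.
'report.rtf', 'invoice.txt.pif', 'setup.exe', 'notes.txt', 'photo.jpg.shs' |
    ForEach-Object { Get-AttachmentRisk -FileName $_ } |
    Format-Table -AutoSize
```

The Disguised column is the detail worth acting on: a name such as invoice.txt.pif shows up as invoice.txt in a default Explorer view, so filtering on the displayed name alone lets exactly the files this section warns about through.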
Installing the latest service packs and updates is a great way to close known security holes. Although slow to respond, Microsoft fixes weaknesses in their operating systems with every service pack. Install the in-between patches to stay more current.
When I receive a new, unexpected file, I always examine the type of file it is before double-clicking on it. I never open or execute files with potentially dangerous consequences (.COM, .VBS, .EXE, etc.). As we discussed earlier, Windows often hides file extensions by default, and will allow files to hide their extensions even if you explicitly told Windows not to. The .SHS, .LNK, .DESKLINK, .URL, .MAPIMAIL, and .PIF extensions are just some of the extensions hidden by default that may contain malicious code. To force Windows to reveal all file extensions, follow these instructions:
In Windows 9x or Windows NT 4.0, start Windows Explorer and choose View→Folder Options→View and uncheck “Hide files of these types” and “Hide file extensions for known file types”. Ensure that “Show all files” is selected. In Windows 2000, choose Tools→Folder Options→View. Make sure “Show hidden files and folders” is selected, and “Hide file extensions for known file types” and “Hide protected operating system files” are unchecked.
You also have to remove all occurrences of the NeverShowExt value in the registry. Use REGEDIT or REGEDT32 to open the registry. Choose Edit→Find. Look for NeverShowExt. When a value is found, delete it. Hit F3 (Find Next) to continue searching. Delete all occurrences. Most, if not all, of the values will appear under the HKCR key.
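The Folder Options settings and the NeverShowExt search above can be audited in one pass. The script below is an added example, not from the book: it reads the Explorer settings from the registry values that back the Folder Options dialog on the NT family (HideFileExt, Hidden and ShowSuperHidden under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced) and lists every file-type key directly under HKCR carrying a NeverShowExt value. It reports only, unless -Fix or -RemoveNeverShowExt is passed; the switch names are this example's own.

```powershell
# Added example, not from the book: audit (and optionally correct) the
# settings that let Windows hide file extensions.
[CmdletBinding()]
param(
    [switch]$Fix,                 # apply the Folder Options values below
    [switch]$RemoveNeverShowExt   # delete NeverShowExt values under HKCR
)

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# HideFileExt=0 shows extensions, Hidden=1 shows hidden files,
# ShowSuperHidden=1 shows protected operating system files.
$wanted = @{ HideFileExt = 0; Hidden = 1; ShowSuperHidden = 1 }

foreach ($name in $wanted.Keys) {
    $current = (Get-ItemProperty -Path $advanced -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $wanted[$name]) {
        Write-Warning "$name is '$current' (want $($wanted[$name]))"
        if ($Fix) {
            Set-ItemProperty -Path $advanced -Name $name -Value $wanted[$name] -Type DWord
        }
    } else {
        Write-Host "$name OK ($current)"
    }
}

# A file-type key that carries NeverShowExt hides its extension no matter
# what Folder Options says. The value normally sits on the top-level ProgID
# keys, so one level of HKCR is searched; add -Recurse to Get-ChildItem to
# mirror REGEDIT's full search (slow on a large HKCR).
$hits = Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
    Where-Object { $_.GetValueNames() -contains 'NeverShowExt' }

foreach ($key in $hits) {
    Write-Warning "NeverShowExt set on $($key.PSChildName)"
    if ($RemoveNeverShowExt) {
        # Writing to HKCR needs an elevated session.
        Remove-ItemProperty -Path $key.PSPath -Name 'NeverShowExt'
    }
}
Write-Host "$($hits.Count) NeverShowExt value(s) found"
```

Run it without switches first and keep the list of keys it reports; some of them belong to shortcut and shell-object types that Windows expects to keep extensionless, so removing the values changes how those items are displayed, which is precisely the point of the procedure.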
NT security experts recommend not routinely logging on to NT with administrator rights (full access) unless you need the additional rights. If you have Windows 2000, use its Run As feature when you need a higher level of permissions. That way, if a malicious program gets loose, it functions under the more restrictive rights of the logged-on normal user. Clearly the effects of viruses, like Remote Explorer, can be minimized.
Warning
Be careful: It has been shown that some programs executed with the Run As feature can be accessed by programs running under the normal user context. For example, assume Internet Explorer was started with the Run As command with administrative privileges from a normal user’s desktop. If the user opens Outlook and clicks on an email with an embedded link, the administrative session of Internet Explorer will be used to display the link’s contents. The content in the browser will run within the permissions of the Administrator even though it was launched from a normal user process.
Only the Windows NT platform has the ability to implement file and resource security. Begin by assigning users and administrators alike the lowest level of permission they need to perform their jobs. Using REGEDT32.EXE, make sure the crucial parts of the registry only allow administrative access (Windows 2000 comes with stronger default registry security enabled). Make sure your Guest account is disabled. Use the flexibility and power of group permissions, policies, profiles, and security policies to implement strong security. Disable unnecessary services and startup programs. Document what is normally running on the server. Remove floppy diskettes from the computer when not needed. Lastly, maintain good physical security for all computer resources.
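Two of the steps above (document what normally runs, and do not work with administrator rights) are easier to keep up if the documentation is a file the machine can be compared against. The script below is an added example and not code from the book: the first run writes a baseline of running services and Run-key startup entries, later runs report what appeared or disappeared, and each run warns if the session holds administrator rights or the Guest account is enabled. The baseline path, the choice of the two Run keys, and the use of Get-LocalUser (LocalAccounts module, Windows 10 / Server 2016 and later) are this example's assumptions.

```powershell
# Added example, not from the book: baseline the host and report drift.
param([string]$BaselinePath = "$env:ProgramData\host-baseline.json")

function Get-HostBaseline {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Guest state; $null if the cmdlet or the account is unavailable.
    $guest        = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    $guestEnabled = if ($guest) { [bool]$guest.Enabled } else { $null }

    $services = Get-Service | Where-Object Status -eq 'Running' |
        Select-Object -ExpandProperty Name | Sort-Object

    # Per-machine and per-user startup programs (assumed set of keys).
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $startup = foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props) {
            # Skip the PS* bookkeeping properties the registry provider adds.
            $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { "$key\$($_.Name) = $($_.Value)" }
        }
    }

    [pscustomobject]@{
        Taken        = (Get-Date).ToString('o')
        User         = $identity.Name
        IsAdmin      = $isAdmin
        GuestEnabled = $guestEnabled
        Services     = @($services)
        Startup      = @($startup | Sort-Object)
    }
}

$now = Get-HostBaseline
if ($now.IsAdmin)      { Write-Warning "Logged on with administrator rights as $($now.User)" }
if ($now.GuestEnabled) { Write-Warning 'Guest account is enabled' }

if (-not (Test-Path -Path $BaselinePath)) {
    $now | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath"
} else {
    $base = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    foreach ($set in 'Services', 'Startup') {
        $before = @($base.$set | Where-Object { $_ })
        $after  = @($now.$set  | Where-Object { $_ })
        foreach ($d in Compare-Object -ReferenceObject $before -DifferenceObject $after) {
            $tag = if ($d.SideIndicator -eq '=>') { 'NEW' } else { 'GONE' }
            Write-Warning "$set ${tag}: $($d.InputObject)"
        }
    }
}
```

Store the baseline somewhere ordinary users cannot modify, otherwise a program running in the user's context can rewrite the reference and hide its own startup entry from the comparison.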
If you follow all of these steps, you’ve gone a long way toward preventing the spread of computer viruses and other forms of malicious mobile code in a Windows environment.