Sensible additions to your virus scanner
by Jürgen Schmidt
Good behaviour recognition is an important component that is often missing from free anti-virus software. In good commercial products such as Norton or Kaspersky, behaviour analysis is a last and very efficient line of defence, as it monitors and evaluates program activities.
If there is an increase in suspicious activity, for instance because a program immortalises itself in the registry, records keyboard inputs and links itself into the browser's encrypted communication, there is a likelihood that a trojan is at work. In such cases, the behaviour monitor will intervene and, ideally, even prevent system manipulations.
Using a free anti-virus program doesn't mean you have to go without this added protection. PC-Tools offers ThreatFire, a free, dedicated behaviour recognition program designed to be installed alongside a conventional anti-virus program. Running it on its own without basic protection in the form of a conventional AV program with good signature and heuristics detection is certainly not recommended. After all, a single undetected piece of malware is enough to infect a system – and traditional AV solutions do filter out the large majority of those.
Threatfire should not be combined with an AV product that already contains a behaviour recognition component and in our tests, the free versions of Avira and MSE worked smoothly with it. The monitor generally works quietly in the background. When it registers suspicious activity, it will offer to either continue running the program in question or to block it. In our tests, it blocked all of the 15 manually introduced pieces of malware that slipped through the classic AV solutions' nets. Only one registry entry and one executable file were left behind. None of our tests resulted in a system being infected.
Personal firewalls are frequently discussed as another protective measure for controlling network traffic and preventing malicious activity. On the one hand, a personal firewall is to fend off attacks from outside, and on the other it is to prevent trojans from sending out illegitimately obtained data.
Anyone still directly connecting their home PCs to the internet should get a router with a built-in firewall. The router firewall will filter out things that arrive unasked-for from the internet. People who regularly connect, for instance, a notebook to potentially malicious networks need an additional personal firewall to protect their system against unwanted intrusions from outside. The Windows firewall is a very reliable way of doing this – and, in most cases, it is more efficient than third-party personal firewalls which often destabilise the protective barrier with dangerous default rules, or lack of IPv6 support.
Trying to monitor and control a PC's outgoing network traffic to prevent potential spying activities is a hopeless endeavour. Almost all modern programs have some networking features, and the information provided by a firewall doesn't allow even experts to decide whether a connection is dangerous or whether it is required to keep a computer functional. This type of monitoring only makes sense in the larger context of a behaviour analysis. Therefore, even the personal firewalls in conventional internet security suites now allow the network traffic created by programs which haven't shown any other suspicious behaviour to pass unimpeded. Stand-alone personal firewalls, on the other hand, are often intrusive and produce a constant string of alerts. In one example tested by c't magazine, installing one tiny and totally harmless program generated a total of 13 alert messages.
The latest tests of software firewalls by c't magazine have shown that none of the third-party personal firewalls performed better than the Windows firewall, especially in terms of security. So if you wish to be kind to yourself, keep using the Windows firewall and focus on updates instead.