“I’VE SEEN LAPTOPS CONSIGNED TO THE TIN SHED OF POSTERITY AND DECAY, OFTEN BY A BASIC VIRAL INFECTION”
ANTIVIRUS SOFTWARE NOT DOING ITS JOB? STEVE INTRODUCES A COUPLE OF UNSUNG HEROES IN THE FIGHT AGAINST INFECTIONS
Be honest: how many “don’t touch it” machines do you have in cupboards? How many laptops that, no matter how patient you were, you were unable to restore to working order? I’ve seen some sin-bins of tens of laptops, consigned to the tin shed of posterity and decay, often by a basic viral infection.
This simple accusation, that it was “virus wot done it”, often gets me into trouble, because the people carrying the keys to those tin sheds can’t match up what they saw happening to my assertion about the machines they can’t fix. “But,” they say, “XYZ antivirus didn’t say anything about finding a threat.”
Sounds logical, but the truth is that nobody makes an antivirus product that announces it’s given up repelling boarders. You receive an alert when a threat is found, and you may get a distinction between a threat on-disk, in email, in memory and so forth. But a payload that succeeds in infecting is a different matter. My experience of machines of all ages, eras and platforms is that the point at which the AV tells you it’s found something is days or weeks after the initial, high-quality stealth infection. In the intervening weeks, the infected PC is effectively put into a slave auction on the dark web, which means that it’s pot-luck who buys the time connected to the backdoor access to your PC, or what they decide to do with it.
Those machines left in your cupboard, I find, have suffered from a consistent sub-species of this whole class of infection. Most have a clear trail of damage, which isn’t about the old-school notions of what viruses are for: this isn’t about showing you cackling skull animations or republishing your Christmas party pictures. These machines have been crippled by a half-competent combination of efforts by experimenters. That isn’t the same as being infected by automatic mechanisms: I could swear, sometimes, that what I’m watching is a night class in hackery, somewhere far away, all logging in to a remote-control tool and digging about in the Registry, unloading DLLs and seeing what happens.
How do you know if you’ve been hacked if your antivirus software won’t tell you? By far the most common symptom is the disabling of Windows Updates. Windows Update is becoming a seriously tough nut to crack for our classical hacker friends – especially when it’s time for a new major version. The current Microsoft strategy for those is to build a whole new Windows directory on your C drive, move the apps and DLLs and links over to it, and drop the old folder on the next reboot. This can lead to some remarkable slowdowns – but there’s something you can do. Welcome, unsung heroes: Disk Cleanup and Defragmentation.
Disk Cleanup is the semi-hidden utility in Windows 10 that removes unused or one-shot files from the disk. I know, this sounds like baby-steps stuff: but these are baby steps that you can’t ignore, because the results are irrefutable.
There are two snags with Disk Cleanup. One is that it likes to be run as an admin account. The second is that, for an effective cleanup, you need to spot the obscure “clean up system files” button. This makes the utility restart and rescan the whole drive. This is Windows XP look-and-feel at its finest, but there’s no knocking the end result once you tick “previous operating systems” in the items-to-delete list. For small tablets and laptops with only 32GB of disk, this is a lifesaver.
But not on its own. The space freed up by Disk Cleanup isn’t presented in a single lump: it’s the result of hundreds of days of ownership, updates, and whatever else your stealth virus-mongering subtenants have been up to. The net end result is fragmentation.
I know, there are at least two sources of confident hogwash on the subject of defrag: for one thing, Microsoft itself did us no favours by asserting that NTFS disks don’t need defragmentation. I still meet techies who repeat this one at every opportunity, and my stock reply is, “I’m sure you’re right, so you’ll be able to explain why your machine is faster after I defrag it?”
The fact is, the life of a PC has been through nearly two decades of evolution, and the limits on storage at which the assertion about NTFS was made have long since blown away.
The other hogwash comes in the subject of SSDs and defragmentation. This is more recent, and seems to have taken hold while SSDs were small, expensive and fast – all of which meant that they’d support only a fixed number of read/write cycles. To be honest, I’ve yet to come across an SSD in a personal computer (as distinct from a server) that has run out of these things. Besides, my argument here isn’t about the lifecycle issue: it’s about sector sizes.
There are some blogs where you can read up on this recondite matter, but the basic issue is best presented by an analogy. Assume your disk (spinning or SSD) is actually a lot of kitchen cupboards, and your files are a cook’s ingredients scattered through the cupboards by a sloppy eater. Let’s say your cupboards look full, because the sloppy eater always opens the sauce or salt or paprika or honey in a cupboard he grabs at random. After a while, all your sauce, salt and so on have been opened; all are part-consumed; and, probably, all have fingerprints on them. I don’t know about you, but that drives me crazy.
Back on track here: what a defragmenter would do in this kitchen is to amalgamate all the part-empty containers, then refill the cupboards with full bottles and jars only. What starts out looking like a completely full storage space suddenly has several empty cupboards.
This is the problem of sector sizes on SSDs: they’ll cheerfully store five files in a sector of the disk with room for 20, because the sector was full at some time, and now isn’t. This is how you can have disks that can say “4GB available” and still tell you they don’t have enough room to complete an update or a download. This is often referred to as “contiguous free space”, and it’s impossible to get it back on an SSD by any means other than using defragmenting tools.
I like using Defraggler from Piriform Systems, but there are others out there. Defraggler qualifies as an unsung hero, especially in 2018, when our entire industry believes that the use-case for it has completely disappeared.
I’m sure there are some people out there with veins standing out on their neck who are ardent Disk Cleanup users, and almost daily Defragglers, who still have the problem I started out describing here in the first place – that no matter how much disk space they free up, no matter what antivirus they were using, the machine still won’t successfully download the updates it’s due to receive.
This is where my final unsung hero stumbles into the limelight. Search Google for “microsoft update troubleshooter” and you’ll come across the latest download heavily promoted by Microsoft. The Update Troubleshooter handles the grey area of the update mechanism: it looks as if Microsoft doesn’t fancy telling the AV industry what a functional, operational Update subsystem looks like; and the AV industry doesn’t count damage to Update as enemy action.
For me, the key revelation here is that the Update Troubleshooter, once you get it running, can sit on the machine for a good hour or more. Whatever it’s looking for, it doesn’t seem to find quickly. Once the Update Troubleshooter is done, you can expect the full glories of the update system to kick off without delay.
That isn’t even the end of the unsung heroes section. You can run Windows Defender in an offline mode, if it looks like the damage to your OS and services is extreme – although I don’t see the point. If a major feature update sets up a whole new OS next door and leaves behind anything unwelcome, then you simply trigger a scan once the OS update is complete.
It’s a pity that most of the techies I now meet come with two ready-made excuses. The first being that Microsoft’s own tools are crap (they’re not). The other is that defeating the new owners of an infected, compromised PC is inherently impossible. I’ve lost track of the number of instances where the solution was to take a deep breath, strip all the bloatware and fakeware virus removers off the machine, settle down with Bing Search in one window and Google in the other, and just work through the crud-removers and verifiably useful utilities before consigning the machine to the bin.
Don’t leave your appreciation of what’s being done to gossip from five years ago. Take a look at the tools released in the past year or two for what they are!
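The symptoms the column walks through (Windows Update switched off, a leftover previous-OS folder eating the disk, a fragmented system volume, weeks without a hotfix landing) can be gathered in one read-only pass before you reach for Disk Cleanup, Defraggler or the Update Troubleshooter. The script below is an added example, not something from the column or from Microsoft; the cmdlets and registry paths are the real ones, while the function name and the report field names are my own. It assumes an elevated PowerShell prompt on Windows 10.

```powershell
# Added example: read-only triage of the "is Windows Update being sabotaged?" symptoms.
# Run elevated on Windows 10. Nothing here changes the machine.
function Get-UpdateHealthReport {
    [CmdletBinding()]
    param([string]$SystemDrive = 'C')

    # 1. The commonest symptom: the Windows Update service stopped or set to Disabled.
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue

    # 2. Updates switched off through policy keys. On an unmanaged home PC these
    #    keys normally don't exist at all, so any value here deserves a second look.
    $auKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $wuKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $noAuto   = (Get-ItemProperty -Path $auKey -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
    $noAccess = (Get-ItemProperty -Path $wuKey -Name DisableWindowsUpdateAccess -ErrorAction SilentlyContinue).DisableWindowsUpdateAccess

    # 3. When did the last hotfix actually install? Weeks of silence is the tell.
    $lastFix = Get-HotFix | Where-Object InstalledOn |
               Sort-Object InstalledOn -Descending | Select-Object -First 1

    # 4. Free space, and the "previous operating system" folder Disk Cleanup removes.
    $drive      = Get-PSDrive -Name $SystemDrive
    $windowsOld = Test-Path -Path "$($SystemDrive):\Windows.old"

    # 5. Fragmentation on the system volume. -Analyze only measures; it does not
    #    defragment. The figures come back on the verbose stream, so capture it.
    try {
        $frag = (Optimize-Volume -DriveLetter $SystemDrive -Analyze -Verbose 4>&1 | Out-String).Trim()
    } catch {
        $frag = "analysis unavailable: $($_.Exception.Message)"
    }

    [PSCustomObject]@{
        UpdateServiceStatus   = if ($wu) { "$($wu.Status) / $($wu.StartType)" } else { 'service missing' }
        PolicyNoAutoUpdate    = $noAuto            # $null is the healthy answer
        PolicyUpdateAccessOff = $noAccess          # $null is the healthy answer
        LastHotfix            = if ($lastFix) { "$($lastFix.HotFixID) on $($lastFix.InstalledOn.ToShortDateString())" } else { 'none recorded' }
        FreeSpaceGB           = [math]::Round($drive.Free / 1GB, 1)
        WindowsOldPresent     = $windowsOld
        FragmentationReport   = $frag
    }
}

Get-UpdateHealthReport | Format-List
```

A stopped or Disabled wuauserv, a populated NoAutoUpdate value nobody set, and a LastHotfix date weeks old are the combination worth investigating before blaming the antivirus; Windows.old being present with single-digit free space is the cue for "clean up system files".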
BUSINESS LEARNINGS FROM CONSUMER LABS
I received an invitation to McAfee’s Consumer Labs tour, destination Paris. How could I say no? Not that I was expecting another invite from an antivirus company so soon.
Much of the industry knows to knock on Davey’s door when it comes to security. However, in the past couple of years the categories have become hard to track, as mega-scale networking becomes both the transmission medium and the target for a lot of people in the business sector who choose to wear the black hat. The way that computing has become business and infrastructure, and then politics, and now pretty much everything, has torn apart much of the rulebook on security.
Foolishly, I thought I had a handle on this metamorphosis back in 2016, when I met a lot of guys who had very next-generation security products that had been born inside very old-school security companies. Back then, this looked a predictable bit of generational market turnover: the old brands would fade away and the new would take their place. I settled myself down to watch the market shakeout.
A sign that you should always read me carefully then expect the diametric opposite of what I’ve suggested: nothing like what I expected actually came to pass. The old brands – the guys, remember, who by definition must have been doing a pretty bad job for the whole industry to let infections both arrive and then settle in uncontested – just carried on in a gently amplified version of the same-old, same-old. The new men I’d been meeting set up shop in the corporate and government sector, and everything went comparatively quiet.
That wasn’t because the new or old tools had received a shot in the arm from genius coders: to me, with my old banker’s hat on, it looked as if the long-trousered market makers had gone into cryptocurrencies with their kicking boots on. While Bitcoin and all 700 other cryptocurrencies had been on their extended bull run (banker speak for “increasing in value”), ransomware and viruses had a huge upswing. Once the nation-state agents got into the Bitcoin market and wrecked it, the antivirus attacks calmed down. Not because anyone improved any detection or protection code, but because it just got too hard to extract ransoms from victims.
This leaves almost all of the antivirus industry in something of a cleft stick. On the one hand, like any normal business, they want to trade on their brand and their reputation. But, at the same time, it’s all about the white-hot leading edge. Last year’s install might as well have been carved on tablets of stone, it’s so out of date. Meanwhile, the threat landscape doesn’t even have the good grace to evolve predictably: it jumps around, like a mad vivisectionist’s evil experiment. Yesterday’s threat gives almost no clues to tomorrow’s. Antivirus companies have to be both trustworthy and immensely flexible.
So I wasn’t that surprised to find that the Consumer Labs mostly showed me that McAfee largely treats corporates and consumers the same. Much of the code, tools and – importantly – the global threat-monitoring infrastructure are identical across the sectors.
That threat-monitor farm, incidentally, moves a bunch of data. It’s in the billions of transactions per day, and by some measures is “bigger than Amazon”. To me, that’s more of a measure of the scale of the problem than it is of the skills of this or that cloud service. Besides, the billions of transactions in the threat machine are automated, whereas Amazon’s traffic is humans clicking on “Buy it now”.
It makes perfect sense for businesses and private consumers to share a threat database such as this. The more notifications they get, the quicker they can target the source and take action. When this point was made, the assembled representatives of the press leaned forward as one, because the obvious next question is: what actions?
We didn’t get the answers we wanted. This is where the reality of large-scale, planet-wide antivirus operations starts to bite. Information on what an AV vendor can or should do once they establish the size, spread and capability of a new threat is never going to be forthcoming – because it’s just too valuable. And that value is on either side of the divide, between the evil virus overlords and the hard-pressed antivirus response teams. Of course, if you pay more for your antivirus and include a consulting relationship along with the software licences, then you can be assured of at least a few forms of notification that the home user doesn’t get. The difference isn’t in the code, nor in the ability to repel or detect the bad guys: it’s in the fightback.
On one hand I can see the reason this suits the, erm, suits. Working out that threat X is a red herring and threat Y is a machine-killer is straight commercial value and advantage, no doubt about it. The question then becomes, how much should isolated consumers actually get to know about a threat, and what are the case studies that justify the current mix of public, corporate and consumer disclosure?
Having the antivirus sector make decisions on our behalf about what’s public knowledge, and what’s a supranational worldwide perpetual secret, deprives us of the kind of solid, high-reputation information that drives sensible decision-making.
The Consumer Labs were fascinating. But like most consumers, I ended up wanting to know far more about the topics hidden behind that “sorry, can’t discuss that” barrier.
STEVE CASSIDY is a consultant who specialises in networks, cloud, HR and upsetting the corporate apple cart