“I’VE SEEN LAPTOPS CONSIGNED TO THE TIN SHED OF POSTERITY AND DECAY, OFTEN BY A BASIC VIRAL INFECTION”

ANTIVIRUS SOFTWARE NOT DOING ITS JOB? STEVE INTRODUCES A COUPLE OF UNSUNG HEROES IN THE FIGHT AGAINST INFECTIONS

PC & Tech Authority - REAL WORLD COMPUTING - DAVEY WINDER - STEVE CASSIDY

Be honest: how many “don’t touch it” machines do you have in cupboards? How many laptops that, no matter how patient you were, you were unable to restore to working order? I’ve seen some sin-bins of tens of laptops, consigned to the tin shed of posterity and decay, often by a basic viral infection.

This simple accusation, that it was “virus wot done it”, often gets me into trouble, because the people carrying the keys to those tin sheds can’t match up what they saw happening to my assertion about the machines they can’t fix. “But,” they say, “XYZ antivirus didn’t say anything about finding a threat.”

Sounds logical, but the truth is that nobody makes an antivirus product that announces it’s given up repelling boarders. You receive an alert when a threat is found, and you may get a distinction between a threat on-disk, in email, in memory and so forth. But a payload that succeeds in infecting is a different matter. My experience of machines of all ages, eras and platforms is that the point at which the AV tells you it’s found something is days or weeks after the initial, high-quality stealth infection. In the intervening weeks, the infected PC is effectively put into a slave auction on the dark web, which means that it’s pot-luck who buys the time connected to the backdoor access to your PC, or what they decide to do with it.

Those machines left in your cupboard, I find, have suffered from a consistent sub-species of this whole class of infection. Most have a clear trail of damage, which isn’t about the old-school notions of what viruses are for: this isn’t about showing you cackling skull animations or republishing your Christmas party pictures. These machines have been crippled by a half-competent combination of efforts by experimenters. That isn’t the same as being infected by automatic mechanisms: I could swear, sometimes, that what I’m watching is a night class in hackery, somewhere far away, all logging in to a remote-control tool and digging about in the Registry, unloading DLLs and seeing what happens.

How do you know if you’ve been hacked if your antivirus software won’t tell you? By far the most common symptom is the disabling of Windows Updates. Windows Update is becoming a seriously tough nut to crack for our classical hacker friends – especially when it’s time for a new major version. The current Microsoft strategy for those is to build a whole new Windows directory on your C drive, move the apps and DLLs and links over to it, and drop the old folder on the next reboot. This can lead to some remarkable slowdowns – but there’s something you can do. Welcome, unsung heroes: Disk Cleanup and Defragmentation.
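A quick, defender-side check for the symptom described above, the Windows Update machinery having been switched off, plus a look at the leftover previous-OS folder that Disk Cleanup removes. This is an added example, not part of Steve’s column; it assumes a Windows 10 machine and an elevated PowerShell prompt, and the service list, registry policy path and 45-day staleness threshold are my own choices.

```powershell
# Added example, not from the column: health check for the Windows Update plumbing.
# The column's point is that a machine that silently stops updating is the commonest
# sign of trouble, and no antivirus alert will tell you about it.
# Run from an elevated PowerShell prompt (Disk Cleanup wants admin too).

$report = [ordered]@{}

# 1. Services Windows Update depends on (assumed list). A 'Disabled' start mode on
#    any of them is the tell-tale the column describes.
foreach ($name in 'wuauserv', 'BITS', 'CryptSvc', 'TrustedInstaller') {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
    if (-not $svc) { $report["svc:$name"] = 'NOT FOUND'; continue }
    $report["svc:$name"] = "{0} / {1}" -f $svc.State, $svc.StartMode
    if ($svc.StartMode -eq 'Disabled') {
        Write-Warning "$name is set to Disabled; Windows Update cannot run with it off"
    }
}

# 2. Policy switch that turns automatic updating off. This is the standard Group
#    Policy location; on a home PC the value should normally be absent.
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$noAuto = (Get-ItemProperty -Path $au -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
$report['policy:NoAutoUpdate'] = if ($null -eq $noAuto) { 'absent (ok)' } else { $noAuto }
if ($noAuto -eq 1) { Write-Warning 'Automatic updates are switched off by policy' }

# 3. When did an update last actually install? A gap of many weeks on a machine
#    that is online every day is the symptom worth chasing (45 days is my threshold).
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($last) {
    $age = (Get-Date) - $last.InstalledOn
    $report['last_hotfix'] = "{0} on {1:yyyy-MM-dd} ({2} days ago)" -f $last.HotFixID, $last.InstalledOn, [int]$age.TotalDays
    if ($age.TotalDays -gt 45) { Write-Warning "No update installed for $([int]$age.TotalDays) days" }
} else {
    $report['last_hotfix'] = 'none recorded'
}

# 4. Leftover previous OS from a feature update: the folder the column says Windows
#    builds next door and that Disk Cleanup's previous-OS entry removes.
$old = Join-Path $env:SystemDrive 'Windows.old'
if (Test-Path $old) {
    $bytes = (Get-ChildItem $old -Recurse -Force -ErrorAction SilentlyContinue | Measure-Object Length -Sum).Sum
    $report['Windows.old'] = "{0:N1} GB still on disk" -f ($bytes / 1GB)
} else {
    $report['Windows.old'] = 'absent'
}

# Print the summary table.
$report.GetEnumerator() | ForEach-Object { "{0,-24} {1}" -f $_.Key, $_.Value }
```

Anything that comes back as Disabled, a policy value of 1 on a machine nobody administers centrally, or a last hotfix months old is worth treating as the “won’t update” symptom rather than as a quirk; the Windows.old size check can take a minute on a large install.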

Disk Cleanup is the semi-hidden utility in Windows 10 that removes unused or one-shot files from the disk. I know, this sounds like baby-steps stuff: but these are baby steps that you can’t ignore, because the results are irrefutable.

There are two snags with Disk Cleanup. One is that it likes to be run as an admin account. The second is that, for an effective cleanup, you need to spot the obscure “clean up system files” button. This makes the utility restart and rescan the whole drive. This is Windows XP look-and-feel at its finest, but there’s no knocking the end result once you tick “previous operating systems” in the items-to-delete list. For small tablets and laptops with only 32GB of disk, this is a lifesaver.

But not on its own. The space freed up by Disk Cleanup isn’t presented in a single lump: it’s the result of hundreds of days of ownership, updates, and whatever else your stealth virus-mongering subtenants have been up to. The net end result is fragmentation.

I know, there are at least two sources of confident hogwash on the subject of defrag: for one thing, Microsoft itself did us no favours by asserting that NTFS disks don’t need defragmentation. I still meet techies who repeat this one at every opportunity, and my stock reply is, “I’m sure you’re right, so you’ll be able to explain why your machine is faster after I defrag it?”

The fact is, the life of a PC has been through nearly two decades of evolution, and the limits on storage at which the assertion about NTFS was made have long since blown away.

The other hogwash comes in the subject of SSDs and defragmentation. This is more recent, and seems to have taken hold while SSDs were small, expensive and fast – all of which meant that they’d support only a fixed number of read/write cycles. To be honest, I’ve yet to come across an SSD in a personal computer (as distinct from a server) that has run out of these things. Besides, my argument here isn’t about the lifecycle issue: it’s about sector sizes.

There are some blogs where you can read up on this recondite matter, but the basic issue is best presented by an analogy. Assume your disk (spinning or SSD) is actually a lot of kitchen cupboards, and your files are a cook’s ingredients scattered through the cupboards by a sloppy eater. Let’s say your cupboards look full, because the sloppy eater always opens the sauce or salt or paprika or honey in a cupboard he grabs at random. After a while, all your sauce, salt and so on have been opened; all are part-consumed; and, probably, all have fingerprints on them. I don’t know about you, but that drives me crazy.

Back on track here: what a defragmenter would do in this kitchen is to amalgamate all the part-empty containers, then refill the cupboards with full bottles and jars only. What starts out looking like a completely full storage space suddenly has several empty cupboards.

This is the problem of sector sizes on SSDs: they’ll cheerfully store five files in a sector of the disk with room for 20, because the sector was full at some time, and now isn’t. This is how you can have disks that can say “4GB available” and still tell you they don’t have enough room to complete an update or a download. This is often referred to as “contiguous free space”, and it’s impossible to get it back on an SSD by any means other than using defragmenting tools.

I like using Defraggler from Piriform Systems, but there are others out there. Defraggler qualifies as an unsung hero, especially in 2018, when our entire industry believes that the use-case for it has completely disappeared.

I’m sure there are some people out there with veins standing out on their neck who are ardent Disk Cleanup users, and almost daily Defragglers, who still have the problem I started out describing here in the first place – that no matter how much disk space they free up, no matter what antivirus they were using, the machine still won’t successfully download the updates it’s due to receive.

This is where my final unsung hero stumbles into the limelight. Search Google for “microsoft update troubleshooter” and you’ll come across the latest download heavily promoted by Microsoft. The Update Troubleshooter handles the grey area of the update mechanism: it looks as if Microsoft doesn’t fancy telling the AV industry what a functional, operational Update subsystem looks like; and the AV industry doesn’t count damage to Update as enemy action.

For me, the key revelation here is that the Update Troubleshooter, once you get it running, can sit on the machine for a good hour or more. Whatever it’s looking for, it doesn’t seem to find quickly. Once the Update Troubleshooter is done, you can expect the full glories of the update system to kick off without delay.

That isn’t even the end of the unsung heroes section. You can run Windows Defender in an offline mode, if it looks like the damage to your OS and services is extreme – although I don’t see the point. If a major feature update sets up a whole new OS next door and leaves behind anything unwelcome, then you simply trigger a scan once the OS update is complete.

It’s a pity that most of the techies I now meet come with two ready-made excuses. The first being that Microsoft’s own tools are crap (they’re not). The other is that defeating the new owners of an infected, compromised PC is inherently impossible. I’ve lost track of the number of instances where the solution was to take a deep breath, strip all the bloatware and fakeware virus removers off the machine, settle down with Bing Search in one window and Google in the other, and just work through the crud-removers and verifiably useful utilities before consigning the machine to the bin.

Don’t leave your appreciation of what’s being done to gossip from five years ago. Take a look at the tools released in the past year or two for what they are!

BUSINESS LEARNINGS FROM CONSUMER LABS

I received an invitation to McAfee’s Consumer Labs tour, destination Paris. How could I say no? Not that I was expecting another invite from an antivirus company so soon.

Much of the industry knows to knock on Davey’s door when it comes to security. However, in the past couple of years the categories have become hard to track, as mega-scale networking becomes both the transmission medium and the target for a lot of people in the business sector who choose to wear the black hat. The way that computing has become business and infrastructure, and then politics, and now pretty much everything, has torn apart much of the rulebook on security.

Foolishly, I thought I had a handle on this metamorphosis back in 2016, when I met a lot of guys who had very next-generation security products that had been born inside very old-school security companies. Back then, this looked a predictable bit of generational market turnover: the old brands would fade away and the new would take their place. I settled myself down to watch the market shakeout.

A sign that you should always read me carefully then expect the diametric opposite of what I’ve suggested: nothing like what I expected actually came to pass. The old brands – the guys, remember, who by definition must have been doing a pretty bad job for the whole industry to let infections both arrive and then settle in uncontested – just carried on in a gently amplified version of the same-old, same-old. The new men I’d been meeting set up shop in the corporate and government sector, and everything went comparatively quiet.

That wasn’t because the new or old tools had received a shot in the arm from genius coders: to me, with my old banker’s hat on, it looked as if the long-trousered market makers had gone into cryptocurrencies with their kicking boots on. While Bitcoin and all 700 other cryptocurrencies had been on their extended bull run (banker speak for “increasing in value”), ransomware and viruses had a huge upswing. Once the nation-state agents got into the Bitcoin market and wrecked it, the antivirus attacks calmed down. Not because anyone improved any detection or protection code, but because it just got too hard to extract ransoms from victims.

This leaves almost all of the antivirus industry in something of a cleft stick. On the one hand, like any normal business, they want to trade on their brand and their reputation. But, at the same time, it’s all about the white-hot leading edge. Last year’s install might as well have been carved on tablets of stone, it’s so out of date. Meanwhile, the threat landscape doesn’t even have the good grace to evolve predictably: it jumps around, like a mad vivisectionist’s evil experiment. Yesterday’s threat gives almost no clues to tomorrow’s. Antivirus companies have to be both trustworthy and immensely flexible.

So I wasn’t that surprised to find that the Consumer Labs mostly showed me that McAfee largely treats corporates and consumers the same. Much of the code, tools and – importantly – the global threat-monitoring infrastructure are identical across the sectors.

That threat-monitor farm, incidentally, moves a bunch of data. It’s in the billions of transactions per day, and by some measures is “bigger than Amazon”. To me, that’s more of a measure of the scale of the problem than it is of the skills of this or that cloud service. Besides, the billions of transactions in the threat machine are automated, whereas Amazon’s traffic is humans clicking on “Buy it now”.

It makes perfect sense for businesses and private consumers to share a threat database such as this. The more notifications they get, the quicker they can target the source and take action. When this point was made, the assembled representatives of the press leaned forward as one, because the obvious next question is: what actions?

We didn’t get the answers we wanted. This is where the reality of large-scale, planet-wide antivirus operations starts to bite. Information on what an AV vendor can or should do once they establish the size, spread and capability of a new threat is never going to be forthcoming – because it’s just too valuable. And that value is on either side of the divide, between the evil virus overlords and the hard-pressed antivirus response teams. Of course, if you pay more for your antivirus and include a consulting relationship along with the software licences, then you can be assured of at least a few forms of notification that the home user doesn’t get. The difference isn’t in the code, nor in the ability to repel or detect the bad guys: it’s in the fightback.

On one hand I can see the reason this suits the, erm, suits. Working out that threat X is a red herring and threat Y is a machine-killer is straight commercial value and advantage, no doubt about it. The question then becomes, how much should isolated consumers actually get to know about a threat, and what are the case studies that justify the current mix of public, corporate and consumer disclosure?

Having the antivirus sector make decisions on our behalf about what’s public knowledge, and what’s a supranational worldwide perpetual secret, deprives us of the kind of solid, high-reputation information that drives sensible decision-making.

The Consumer Labs were fascinating. But like most consumers, I ended up wanting to know far more about the topics hidden behind that “sorry, can’t discuss that” barrier.

STEVE CASSIDY is a consultant who specialises in networks, cloud, HR and upsetting the corporate apple cart

Don’t believe in defragging your PC? Then explain why your system is quicker afterwards
