Protecting Windows

The Quick Version

It's very hard to keep Windows safe from Viruses and Junk Software. Anti-virus software on its own simply won't do it. You have to take all the actions listed on this page to stay safe (or use an alternative to Windows).


Key Points

1. It's very hard to keep Windows secure.

2. Anti-virus software is not enough on its own.

3. Automatic online backups are essential, memory sticks and external drives are evil.

4. Always work in a limited account. 

5. Always use Secunia PSI.

6. Install Malwarebytes.

If you have looked at all the options (make sure you read Windows or Not?) and are still totally convinced you have to have Windows, then you are going to need to know how to protect yourself. "Surely that's easy!" you say, "Just install some anti-virus software and I'm safe as houses!". Indeed it would be nice if things were that simple.

The Truth? At any one time we have a workshop full of Windows PCs that have been infected by nasty software. In almost all cases they have up to date anti-virus software. And don't listen to people who tell you that you just need "stronger" anti-virus software; those infected machines we see have every anti-virus software you have heard of and all sorts you have not. You are going to have to do a whole bunch of other things if you stand a chance against the vast computer crime industry that has grown to exploit the weaknesses of Windows. I saw a computer magazine's front cover title recently; it said "Windows Security - it's not working". Sad, but true.

So now I need to apologize for how long the real answer is to the question of what you need to do to protect your Windows computer. You will say "but surely I don't have to do all that stuff", but sadly, yes you do. Protecting Windows is hard. Other geeks, I am sure, will want me to include even more than I already have; this is really just the basics to give you half a chance.

THE CHECK LIST

Here's what you need to do:

  1. Back up your files, daily.
  2. Always work in a limited account. 
  3. Have up to date anti-virus software.
  4. Use Google Chrome to browse the Internet.
  5. Remove Adobe Flash, Adobe Reader and Java.
  6. Install and monitor Secunia PSI.
  7. Install Malwarebytes.
  8. Never install any free program from the Internet, no matter how much you want it.

People say to me, "I've never bothered with all this stuff and I have never had an infection". Really? How would you know? Here's an example I saw in the workshop yesterday: a machine comes in, we take the drive out and scan it, only to find a root-kit that had been there for over 2 years. Geeks reading this will shudder at the term root-kit. Non-geeks will wonder what I am talking about. The short answer is it's about as nasty an infection as you can get and it specializes in hiding from anti-virus software. This guy had anti-virus software from a major provider and it was blind to the infection. And yes, his credit card had been cloned recently, and no, he never suspected the computer could have had a hand in it (he suspected that shifty looking waiter from when he was on holiday). Infections don't always make a big fuss about their presence. Depending on what they are trying to achieve it might serve them well to keep quiet and lie low. So, just because things appear to be ok is no indication that you really are safe. You have to take preventative measures. The measures listed here are not theoretical. These are taken from real life experience about what the hackers are doing to attack normal people just like you.

Let's take each of those points in turn:


Back up your files, daily

You wouldn't think that listening to people cry on the phone would form much of the job of an engineer focused on computer support for the home market. You'd be surprised. The reason is nearly always lack of backups. People buy Windows PCs, start using them and then at some random time in the future the hard drive dies, or a burglar steals it. The family photo collection, all the invoices for their small business, the music they spent thousands of hours creating, gone! One single event and it's all gone.

I have talked about the plague of Viruses and Junk Software that is so badly affecting Windows. That would be enough to kill a platform, but there's a second plague: people losing their files. Ask around friends and family, have they ever lost files because of a hard drive crash or theft of a computer? It's staggering how much of this is happening. I remember doing a presentation where I asked for a show of hands on who had had this happen, it looked like a 100% hands up to me.

Backups are important because many of the files we store are far more important than the machines we store them on. You want to be looking at those photos when you are in your rocking chair in the old folks home, when this computer and the 20 that came after it went to the landfill decades ago. You can't ignore backups and hope for the best if that's what you want.

Of course people who know about computers will have advised you to get a memory stick or an external drive and back everything up regularly. You will have had good intentions, maybe even actually doing it for the first couple of times, but life will get in the way and good intentions will fall away. Maybe you are one of the incredibly rare people who actually do remember to backup on a regular basis, but when the big day happened you left the memory stick in the laptop bag and it was stolen along with it. Or the external drive was sat on top of your desktop computer when the house fire happened.

Everybody sets out with good intentions, but backing up to external devices is disastrous. It's not the technology that fails, it's human nature. You can try and fight it, but it will always catch up with you in the end. I don't care if you are determined, I have seen this more times than I can count. The only people I see who get their data back in a disaster are the ones who have set up an automatic online backup. My favourite is Carbonite: they have been around forever and it just works. You install it and forget about it. I personally have done numerous full recoveries from Carbonite, they all worked. The latest one was a guy who went out to the car, put his laptop bag down and then absentmindedly ran over it. I had him on a loan laptop with his files recovered the same day. His pride will take a little longer to heal.

The other killer thing to watch out for: putting all your stuff on an external drive or memory stick and using that as your main storage. It's so handy as you move from machine to machine. The capacity of these devices is vast, hundreds of thousands of photos in one place, it's staggering how much stuff you can lose in one second. Example? How about the external hard drive in the workshop right now. A designer with years of creative work, only on that drive and the drive died (all drives die, think of them as being like the tyres on your car, it's annoying if you get a flat, but it's not weird, it's just normal wear and tear that you plan for. You need to assume that your storage will die in the same way, because it will). If you're lucky you might be able to get a drive recovered in a workshop for $100 or so. This one was not so lucky. We are hoping we might be able to get something back on this particular drive by sending it off to a specialized high end clean room recovery, but that is at least $1,000 a time and even then, it's only a hope. How much cheaper just to put a proper backup in place?

And if someone tells you your computer is running slow "because you have too many files on it" you are talking to someone who has no idea what they are talking about. It's an urban myth. Having a lot of pictures on a hard drive makes no difference to how fast your word processor opens, for example. The computer doesn't do anything with the pictures until you go and look at the pictures. It's a myth that comes from something that is true: if you have a lot of programs on your computer and they are all running, that will slow things down. But pictures and music and such are just many inert bits of data on a disk (until you actively go looking for them). Don't move all your files to a memory stick, you will lose the memory stick. Leave them on your computer and make sure you have an online backup.

The next urban myth is people saying "I just backup everything in Dropbox". No you don't. You mean to back up everything in Dropbox. But you forget, because Windows will automatically put your pictures in the Pictures directory, your documents in the Documents directory etc. You have to specifically remember each time to say "no, I don't want it in there, I want it in Dropbox"; it's like a game of Simon Says. Forget to say "Simon" and it doesn't get backed up. Here's the top technical tip: the way to fix this is to right click on your Documents directory and change its location to be inside your Dropbox (something like "c:\users\Fred\Dropbox\Documents", assuming that's where your Dropbox is stored on your computer). Then repeat with your other key folders (Pictures, Music, Videos, Desktop). That way you can keep putting your files into the standard directories and Dropbox will automatically back them up. The problem with this approach is Dropbox only gives you 2GB of storage for free, so you will quickly run into their paid-for storage plans, which are pricey compared to the competition. The second top technical tip is to use Microsoft's OneDrive or Google Drive in exactly the same way. They are much cheaper and can do the same job. Incidentally, use this same technique on two or more computers and they will all synchronise their files, but that's a story for another day and another webpage.

It's a good approach, and a cheap one, but it's not as good as Carbonite, as that keeps old versions of files, allows you to recover files you have deleted by accident for up to 30 days and nags you if the backup isn't working. All excellent features.
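To check that the folder-moving tip above has actually taken effect, rather than assuming it has, here is an added PowerShell script that is not part of the original page: it reads where Windows thinks your Documents, Pictures, Music, Videos and Desktop folders live and reports any that sit outside your sync folder. It assumes Dropbox is at %USERPROFILE%\Dropbox; pass -SyncRoot for OneDrive or Google Drive.

```powershell
# Added example, not from the original page. Read-only: it changes nothing.
# Assumes the sync client's folder is %USERPROFILE%\Dropbox unless told otherwise
# (for OneDrive, for example: -SyncRoot $env:OneDrive).
param(
    [string]$SyncRoot = (Join-Path $env:USERPROFILE 'Dropbox')
)

# Windows records the current location of each known folder under this key.
# The value names are the historical ones, not the names Explorer shows you.
$shellFolders = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$known = [ordered]@{
    'Documents' = 'Personal'
    'Pictures'  = 'My Pictures'
    'Music'     = 'My Music'
    'Videos'    = 'My Video'
    'Desktop'   = 'Desktop'
}

if (-not (Test-Path $SyncRoot)) {
    Write-Warning "Sync folder '$SyncRoot' does not exist. Is the sync client installed and signed in?"
}

$props   = Get-ItemProperty -Path $shellFolders
$root    = [IO.Path]::GetFullPath($SyncRoot).TrimEnd('\') + '\'
$outside = @()

foreach ($name in $known.Keys) {
    $raw = $props.($known[$name])
    if (-not $raw) { "$name : location not recorded"; $outside += $name; continue }

    # Values are REG_EXPAND_SZ and may still contain %USERPROFILE%; expand before comparing
    $path   = [IO.Path]::GetFullPath([Environment]::ExpandEnvironmentVariables($raw))
    $inside = ($path.TrimEnd('\') + '\').StartsWith($root, [StringComparison]::OrdinalIgnoreCase)

    if ($inside) { "$name : $path  (inside sync folder)" }
    else         { "$name : $path  NOT inside $SyncRoot"; $outside += $name }
}

""
if ($outside.Count) {
    "Folders that are NOT being synced: $($outside -join ', ')."
    "Fix: right-click the folder in Explorer, Properties, Location tab, Move..., and pick a folder under $SyncRoot."
} else {
    "All standard folders are inside $SyncRoot."
}
```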

Summary: Memory sticks and external hard drives are evil and will lose all your data sooner or later. If you think they are working you are going to be in for a big shock when it comes time to do a recovery. Online backups are good and will protect you. 

I know I am always banging on about the alternatives to Windows, but most of them have backups built in. Use an iPad, for example, and unless you specifically switch it off, all your files are backed up to Apple's iCloud. Many times I have helped people buy a new iPhone, iPad or iPod Touch (because they have lost the old one, had it stolen, dropped it in the john), signed them in with their Apple account and there's all their stuff, as if nothing had happened. I know how it works and it is still amazing to see it every time. Same with Chrome OS, everything is squirrelled away to a private encrypted locker at Google. Things go wrong, you get a new one, sign in and it was as if nothing happened. Again, it's not theory, I have personally done this many times and it works perfectly. As for Windows (in the home environment), a plague of lost, often important files. Windows can do good quality backups (with the likes of Carbonite), but it doesn't do it without careful setup and most people simply don't do that.


Always work in a limited account

Most types of computers have a god-like mode that can do anything to the computer, typically referred to as "root". On any other type of computer it is considered total insanity to let normal people anywhere near root.

Windows in the home is the exception. On a Windows home computer the default account it creates for you has full god-like rights to anything it damn well pleases. "It's my computer" you say, "I paid for it, I want to be the ruler of all I survey". Really? If you run a piece of bad, vicious and nasty software, it will run with whatever rights you have. You really are making it very easy for anyone wanting to attack you.

If you are using Windows, create an extra account on the PC called something like "Admin", give it a password and stay out of it. Then set all the other accounts to have a type of "standard". When you come to install software or change a system setting it will ask you for the admin password. No password, no install. If you have kids in the house, never ever tell them what the admin password is; as soon as you do the PC will get trashed because they will install junk. With an admin password set up, they will have to come to you for anything that wants to install and your best policy is to turn down all requests (there is always a website that will do what they want to do without having to install, their job is to go find it). The separate admin account is an extremely effective way of reducing infections, but only when combined with a determination to not install any software downloaded from the Internet.

And don't be tempted to say "I don't have kids, therefore I don't need this". Grownups are just as likely to get bitten by running in an Admin account. You need to lock it down.

Businesses know this. Businesses have never let a user have admin rights (see Business PCs for more details). Go on, try asking your IT department at work for root access to the PC on your desk and see how far you get.
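As an added example that is not from the original page, this PowerShell script audits who holds administrator rights on the PC and, with -Fix, demotes everyone except the dedicated admin account to a standard user. It assumes the admin account is called "Admin" as suggested above, and it refuses to act if doing so would leave the PC with no administrator at all.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page. Run it from the dedicated admin
# account. Without -Fix it only reports; nothing is changed.
param(
    [string[]]$KeepAdmin = @('Admin'),   # accounts allowed to stay administrators (assumed name)
    [switch]$Fix                          # actually demote everyone else
)

# Enabled local users, keyed by SID so Microsoft-account users match as well
$users = @{}
foreach ($u in Get-LocalUser | Where-Object Enabled) { $users[$u.SID.Value] = $u }

$keep   = @()
$demote = @()
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $u = $users[$m.SID.Value]
    if (-not $u) { continue }   # disabled account, or a domain/cloud principal: leave alone
    if ($KeepAdmin -contains $u.Name) { $keep += $u } else { $demote += $u }
}

"Enabled local accounts with admin rights: $(($keep + $demote).Name -join ', ')"
if ($demote.Count -eq 0) { "OK: only the dedicated admin account(s) have admin rights."; return }
"Should be standard accounts: $($demote.Name -join ', ')"

if (-not $Fix) { "Re-run with -Fix to demote them."; return }

# Never remove the last administrator: with none left, nobody can install updates or repair the PC.
if ($keep.Count -eq 0) {
    Write-Warning "No enabled administrator named $($KeepAdmin -join ' or ') exists. Create it first:"
    Write-Warning "  New-LocalUser -Name Admin -Password (Read-Host -AsSecureString 'Admin password')"
    Write-Warning "  Add-LocalGroupMember -Group Administrators -Member Admin"
    return
}

foreach ($u in $demote) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $u
    # Standard accounts live in the Users group; add the account if it is not already there
    if (-not (Get-LocalGroupMember -Group 'Users' | Where-Object { $_.SID -eq $u.SID })) {
        Add-LocalGroupMember -Group 'Users' -Member $u
    }
    "Demoted $($u.Name) to a standard account."
}
```

The demoted accounts keep their files and settings; they simply get the admin password prompt the section above describes whenever something wants to install.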


Have up to date anti-virus software

This is the one that everyone knows about. You certainly need it, but don't for a moment assume this solves the problem of security in one hit. It does no such thing, no matter what the marketing claims. You have to combine anti-virus with the other actions listed on this page to give yourself half a chance. Imagine your computer is your car. The anti-virus is your air bag. Important to have, but you should still avoid steering with your feet, whilst drunk (and wearing a blindfold). Your actions are more important than the safety devices in keeping you safe.

People do ask me what the best anti-virus is and I really don't have a strong opinion. It's not like there is one vendor that stands head and shoulders above the rest. People often assume that Norton or McAfee are the best because they come pre-installed on their PCs and surely their computer manufacturer has looked rigorously at the options and chosen the one it did. Nope. The anti-virus software vendors pay about $30 a machine to the manufacturers to get their stuff on each machine that ships because they know that when it runs out you will probably subscribe. Other people assume the more expensive the software is the better it is. Nope. Look at any geek's PC and he will be running one of the free ones. Personally I use the free one from Avast. The free version of AVG is also popular and good.

The important thing is you have to have anti-virus and it has to be connected to the internet to get its updates every day (you did know that new nasty software appears every day by the thousands and that the anti-virus software has to check in to get the latest lists? Windows is a tough, rough neighbourhood). 


Use Google Chrome to browse the Internet

Straight out of the box Windows will come with a program called Internet Explorer. It's a round blue E of a symbol that you probably know as the way to get onto the Internet. Here's the thing: it has a bad reputation for security. People in the know don't use it. They use other programs that do the same thing, collectively they're called Web Browsers. Grab yourself a copy of Chrome from Google:

http://www.google.com/chrome/

There are other ones and geeks can and do go on for ages about which is the best, but the consensus would be this is an excellent choice. Will it make any difference to you when you click on the Chrome symbol instead of the Internet Explorer symbol? No. It's just a browser. It's a Window you look through to see the Internet. So why bother using a different one? Because Chrome is harder to attack if you're a bad guy. That's important, because your browser is the most likely thing on your computer to get attacked. Make a point of using Chrome instead of Internet Explorer and it's one more thing to make the job of the bad guys harder.


Remove Adobe Flash, Adobe Reader and Java

These 3 programs are things that I see installed on most Windows computers I haven't worked on before. I always remove them.

Why? Are they evil? No. However, they have all had a bad time of it over the last few years. Bad guys have spent time looking to find weaknesses in them. When they find a weakness they use it to infect innocent people's computers. Boy have these guys been successful in their nasty efforts. You can see this in the number of versions of these 3 programs that keep coming out. People often ask me why their computer keeps asking them to update Adobe Flash when they only updated it last week. The answer is that the bad guys have been successful again and Adobe has had to run around and produce a new version with that new weakness closed off.

So save yourself from that nonsense and remove the sorry threesome. Now you are wondering why they were on your computer in the first place, what they do and if you will miss them. Here are the answers:

Adobe Flash is a program that many websites use to provide additional functionality. Chrome has a copy of Flash built in, but it's much more locked down than the version that gets installed as a separate program on your system. Removing Adobe Flash will stop Flash working in Internet Explorer, but hey, I already told you to stay out of Internet Explorer; Flash is just another good reason.

Adobe Reader takes PDF documents and puts them on your screen. If you remove it your computer will complain and say it cannot open PDF files when you try. Disaster! Not quite. Chrome can help us again. Find a PDF document, right click on it and select "Open With", then use the browse option to find C:\Program Files (x86)\Google\Chrome\Application\chrome.exe and make sure you tick the box to say always do this. Then your PDFs will always open in Chrome, which again is much more locked down.

Java is another program for programmers to add additional functions to your system. However, very few people need it on a Windows PC and hackers have loved it because of the crazy number of security problems it has had. So just remove it. If you are one of the people who does need Java (and the most likely reason is you have an 11 year old in the house who is glued to Minecraft) go into the Control Panel, select Java, go to the Security tab and remove the tick that says "Enable Java content in the browser". Also make sure you keep it up to date (see Secunia below for more information on that). These measures will not make you 100% safe, but you will be far safer than not doing them at all.
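An added PowerShell check, not from the original page, that lists which of the three programs are installed on a machine, with the version and the uninstall command Windows has recorded for each. It assumes nothing beyond the standard Uninstall registry keys and removes nothing itself.

```powershell
# Added example, not from the original page. Read-only inventory of the
# "sorry threesome"; it reports and leaves the removing to you.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Display-name patterns for each program. Chrome's built-in Flash is not a
# separately installed program, so it never appears here (which is the point).
$targets = @{
    'Adobe Flash'  = '^Adobe Flash Player'
    'Adobe Reader' = '^Adobe (Acrobat )?Reader'
    'Java'         = '^Java \d|^Java\(TM\)'
}

$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object DisplayName |
    ForEach-Object {
        $entry = $_
        foreach ($label in $targets.Keys) {
            if ($entry.DisplayName -match $targets[$label]) {
                [pscustomobject]@{
                    Program   = $label
                    Installed = $entry.DisplayName
                    Version   = $entry.DisplayVersion
                    Uninstall = $entry.UninstallString
                }
            }
        }
    }

if ($found) {
    $found | Sort-Object Program, Installed -Unique | Format-Table -AutoSize -Wrap
    "Remove these from Settings > Apps (or Control Panel > Programs and Features)."
} else {
    "None of Adobe Flash, Adobe Reader or Java is installed."
}
```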


Install and monitor Secunia PSI

If you want to stay safe it is vital you keep your software up to date. "Why?" you say "if it ain't broke don't fix it!". Sadly such seemingly sensible thinking will get you into a lot of trouble running a Windows PC. Here's why:

There is a large industry of computer criminals looking for ways to attack the software you run. Looking for what we call "vulnerabilities". Alarmingly frequently they are successful in their quest. They find a weakness in some piece of software. At this point the makers of the software in question rush around in an embarrassed funk to fix it. They then release a new version of the software on the world, that does not have the vulnerability. Of course if you are still running the old version, you are still vulnerable to attack. At this point you will say "no problem, my PC is always updating itself. I always wondered why, but now I know I am reassured". Don't be. The updates you see only relate to Windows itself. You have all sorts of other problems on the system that are probably not getting updated and are still vulnerable.

That's where Secunia comes in. Go and grab yourself a copy of the splendid (and free) program PSI right here. That will keep a careful eye on that process of vulnerabilities being found and new versions being released to fix them. It will show you when you have old versions and even have a bash at updating them for you (although it sometimes needs a manual shove to update things by hand).

Windows is a rough area, Secunia is telling you which windows on your house you have left open. It's not going to stop anyone coming through, but clearly you are going to be a lot safer with all the openings closed down.

Don't be satisfied with anything but a 100% clean state from Secunia. People say to me "it's at 80%, surely that's OK?". No, it's not. That means 1 in 5 of the programs on your computer will let a bad guy in if he asks in the right way. Anything less than 100% is an open window in a rough neighbourhood. If Secunia says a program needs updating it will give you the option to click on it to do the update. This doesn't always work. Don't give up at this point. Go find how to get the latest version of the software. If it's Adobe Flash, for example, go to Adobe.com and look in the bottom right of the screen for their updates.


Install Malwarebytes

In the article Viruses and Junk Software, I talk about the rise and rise of Junk Software. This is software that will mess your computer up, but anti-virus software will leave alone (more details in the article as to why). Malwarebytes is the one program that is any good against this stuff. Even that's not perfect. There is junk that gets past it, but right now it's the best thing we have. It's not the same as anti-virus software. It will find things that anti-virus software does not and anti-virus software will find things that Malwarebytes does not. The two are complementary.

This is a good point to say, never try and run two anti-virus software programs on the same Windows computer at the same time (some people try this in the belief the more levels of defence they have the better). They will clash with one another and either slow the machine to a crawl or miss bad stuff. Malwarebytes is not anti-virus, so it won't clash.


Never install any free program from the Internet, no matter how much you want it


This is the killer one. The vast majority of messed up PCs I see (and I do see a staggering number) are suffering from self-inflicted wounds. I am not saying people go out and say "I know, today I will randomly install programs from the internet until one turns my computer into a useless pile of junk that would cause even an internet addict to turn to reading a good book instead." No. People are tempted by programs that claim to do something useful like speed up their PCs. They download it and then get a torrent of junk. If you want the details of how and why it happens, read Viruses and Junk Software.

The best thing you can do to improve your security on Windows is to stick strictly to the policy of not installing any software offered to you from the internet. You almost never really need them (there is nearly always a website that will do whatever it is you want) and your chances of getting something bad are infinitely higher than your chances of getting something good.


Is there anything else I can do?

Plenty. People have written entire books on the subject. But hey, I have to stop somewhere!

If I were to sit in front of a room of computer security folks and ask for suggested additions to this page, every one in the room could contribute half a dozen unique points for the list. It's a complex and interesting topic (subscribe to the excellent Security Now podcast if you want to really get into it [but don't be surprised if it sounds like they are speaking English words in a random order at first]; it's not for normal people, it's for geeks who want to invest the time to understand what on earth is going on, and we love it). Normal people would probably be better avoiding that and posting any questions in the forums here.

The point is, Windows security is difficult and complex. The easiest way to stay safe is not to use Windows at all (see Windows or Not?), but if you are stuck with it, this page gives the key things you need to do to stay safe.


Summary

It's supremely hard to keep Windows safe. You can't rely on your anti-virus software to do it for you, you have to constantly monitor it and follow the rules listed here.



But this is all nonsense!

The slaying of myths and misunderstandings

There's a staggering amount of misinformation and urban myth doing the rounds on the subject of home computers, often nonsense that is most definitely against your best interests. So let's prepare you for when someone "who knows about computers" comes knocking by covering the popular hogwash in advance.

I don't do any of this and I've never got infected!

I did answer this one above, but hey, it's an important point. If you are not convinced I will say a little more. Two key points:

1. You don't know that you have been infection free.

2. It only takes one infection to really screw things up.

More detail: Infections keep quiet for all sorts of reasons. A common one is being part of a botnet. "A whatnet?". A botnet is formed when an evil hacker infects lots and lots of computers around the world. Each computer has a program on it that reports back to HQ waiting for instructions. In one type of scam the evil hacker will approach a business that trades online and say "give me $10,000 or I will take you offline so you cannot trade". He will then have all the PCs in his botnet send lots of traffic to the website until the normal customers of the site cannot go on the site and buy things. For the website it is cheaper to pay the evil hacker than it is to lose the business generated by normal customers. It's like the local criminals in your town could demand money from the grocery store or they would send 100,000 zombies over to hang around and stop normal people coming in to shop.

That's just one example of how a botnet can be used. The point is, you don't own your computer any more. It's owned by the evil hacker who can use it as he sees fit. He can rent out your internet connection to someone who wants to do something illegal online. If the police were to trace these illegal activities the trail would come back to you and you would have some explaining to do.

"But I have anti-virus software" you say. So do most people in the Windows world, but there are still millions of Windows PCs in botnets. Assuming anti-virus software is going to save you simply doesn't work; if it did, this criminal industry wouldn't exist. Instead it's thriving.

Point two was, it only takes one infection to really screw things up. Even if you're right and you have never followed any of the advice on this page and you have never had an infection, past performance is not a guarantee of future success. If you get an infection and it cleans out your bank account or encrypts all your files and demands payment to get them back, then that could get expensive. Far more expensive than simply investing the time to get the right computer in the first place. I always like to pepper these pages with real life examples, and there are so many to choose from that I just glance at my current call sheet. Here's one from this week: a friend of one of our clients offers to install a new printer for him. He did, but instead of using the CD that came with it, he searched for the software online, grabbed the first one on the list and got a torrent of infections on the computer. That took a lot of sorting out. Anti-virus software on its own was no good. The machine had to be wiped of everything on the disk and started again. There were issues with data and the special accounting software he used (he is an accountant). It cost him about $500 in the end to get it back to how it was originally. He has to use Windows because of his specialized accounting software. You may well be able to avoid it - see Windows or Not?


Your Comments

Don't be shy, say what you think. The comment system below is there for anyone to ask a question or make a point. Especially don't hold back if you are a normal person just trying to make sense of it all. It's easy to get the opinions of geeks on geeky matters. Much more interesting to hear how this works out for you or what bits need more explanation. No such thing as a silly question, jump in.