Anti-virus? What for?

A well know hacker, going by the handle of holy_father, is offering his services to make software modules undetectable by the most popular anti-virus and root kits scanners.

This is worrying. AV and root kit scanners are known to be good at catching popular malware but now, for a few Euros, one can get by the most popular ones, at least for a period of time.

While I am certainly not advocating disposing of your AV there exists a number of malware which are happily running on many workstations all around the globe.

For example, anti-virus vendor Sophos reports that the number of key-logging Trojans has tripled in the first six months of 2005 when compared with the same period in 2004. If the AV cannot catch ALL malware, how can we tell that our computers are now owned by a hacker? We cannot.

How can you mitigate this problem then? Use administrative accounts only when absolutely necessary, of course.

Most malware, on the desktop at least, requires Administrative privileges to install and replicate. A quick look at the virus activity for the first 6 months of 2005 http://www.sophos.co.uk/pressoffice/pressrel/uk/midyearroundup2005.html shows that virtually all of them, when executed, copy themselves somewhere under the SystemRoot directory and create a registry key under HKLM\Software\Microsoft\Windows\CurrentVersion\Run\. There exists many other techniques (see also www.rootkit.com ) but most, just like the two mentioned above, do require administrative privileges.

This is clearly an issue with management of your systems. It is an issue of Security and it is an issue of Compliance. Understanding how to manage with least privilege is critical. Doing the analysis of those users who have administrative rights and why they have those rights is critical. After the analysis of the situation you will be prepared to begin to determine how to address these issues.