From the course: CompTIA Security+ (SY0-601) Cert Prep: 7 Endpoint Security Design and Implementation

Malware prevention

- [Teacher] Malware is one of the most common threats to the security of computers and mobile devices. Malware is a term that's short for malicious software, and it consists of software that's designed for the sole purpose of disrupting the confidentiality, integrity, or availability of information and systems. There are many different kinds of malware, but let's talk about four that you'll need to know for the exam: viruses, worms, Trojan horses, and spyware. Viruses are malicious code objects that spread from system to system after some human action. Viruses might be transported on removable media or spread by email attachments. They carry a malicious payload that carries out the virus author's intent, such as stealing data or joining a system to a botnet. Worms carry payloads similar to those carried by viruses, but they have an important distinction: worms spread under their own power. They don't require any user action to move from system to system. Instead, they scan networks seeking out new vulnerable systems to compromise. Trojan horses pretend to be legitimate pieces of software that a user might want to download and install. When the user runs the program, it does perform as expected; however, the Trojan horse also carries out a malicious hidden payload behind the scenes. Spyware is malware that gathers information without the user's knowledge or consent. It then reports that information back to the malware author, who can use it for any type of purpose. That might be identity theft or gaining access to financial accounts, or even, in some cases, espionage. Spyware uses many different techniques. Keystroke loggers capture every key a user presses and then report that back to the malware author, or they might monitor for visits to certain websites and capture the usernames and passwords used to access bank accounts or other sensitive resources. You can use the same tools to protect against all of these threats.

Modern anti-malware software protects against viruses, worms, Trojan horses, and spyware. Anti-virus software uses two different mechanisms to protect systems against malicious software. Signature detection uses databases of known malware patterns and scans the files and memory of a system for any data matching the pattern of known malicious software. If it finds suspect contents, it can then remove that content from the system or quarantine it for further analysis. When you're using signature detection, it's critical that you frequently update the virus definition file to ensure that you have current signatures for newly discovered malware. Heuristic or behavior detection takes a different approach. Instead of using patterns of known malicious activity, these systems attempt to model normal activity and then report when they discover anomalies: activity that deviates from those normal patterns.

Behavioral detection techniques are found in advanced malware protection tools known as Endpoint Detection and Response, or EDR, solutions. These advanced tools go beyond basic signature detection and perform deep instrumentation of endpoints. They analyze memory and processor use, registry entries, network communications, and other system behavior characteristics. EDR solutions offer advanced real-time protection against malware and other security threats by using agents installed on endpoint devices to watch for signs of malicious activity. They can then trigger automated responses to defend systems from attack. In addition, these solutions often have the capability of performing sandboxing. When a system receives a suspicious executable, the advanced malware protection system sends that executable off to a malware sandbox before allowing it to run on the protected system. In that sandbox, the malware protection solution runs the executable and watches its behavior, checking for suspicious activity. If the malware behaves in a manner that resembles an attack, it is not allowed to execute on the protected endpoint.

Let's take a look at anti-malware in action on a Windows system. Microsoft includes Windows Defender anti-malware software with the Windows operating system. Here's the main screen. We can see that the most recent scan performed by Windows Defender found no threats. If we want to run a new scan, we can choose the type of scan that we'd like to run, quick, full, or custom, and click Scan Now to start the scan. Windows Defender will then scan the system, looking for signs of malicious activity. And when the scan completes, we can see that it found no threats yet again. On the Update tab of Windows Defender, we can see whether our virus definitions are up to date. We can see here that we do have the most recent virus definitions. Then the History tab can provide us information about any quarantined items that were found during scans, and other history information about Windows Defender performance. That's Windows Defender running on a Windows system. There are many other anti-malware packages available that work across all commonly used operating systems.

Spam filtering is another type of filtering that most users have come to expect. If you're using a managed email service such as Google Apps or Microsoft Office 365, you probably don't need to do anything. Spam filtering is built in by those service providers and works pretty well. On the other hand, if you're running your own email server, be sure to configure spam filtering to prevent unwanted messages from reaching user inboxes.

Malware protection tools provide very important information for cybersecurity analysts. However, unless you're using a centralized monitoring system, that useful information is trapped on endpoints, inaccessible to administrators. For this reason, you should configure all anti-malware software to report results directly to either a security information and event management system or a specialized malware management solution. There you can analyze the results of malware findings to identify important security issues.
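The transcript contrasts signature detection (match files against a database of known-bad hashes and byte patterns) with heuristic or behavioral detection (model normal activity, report deviations), and closes by saying findings should leave the endpoint for a SIEM. The following Python example, added here and not taken from the course or from any anti-malware product, shows a toy version of both mechanisms side by side and emits each finding as a JSON line a collector could ingest. The signature database, the "known-bad" file, the per-process activity baseline, and the record layout are all constructed for illustration; real products use far larger definition files, richer telemetry, and vendor-specific event formats.

```python
"""Toy signature scanner, toy behavioral detector, and SIEM-style reporting.

Added example; the signatures, baseline counters and event layout below are
constructed for illustration and do not come from any real product.
"""
import hashlib
import json
import re
import statistics

# --- Signature detection -------------------------------------------------
# A constructed "definition file": hypothetical malware family names keyed by
# the SHA-256 of a known-bad file and by byte patterns found in its payload.
KNOWN_BAD_FILE = b"MZ\x90\x00demo-trojan-payload"  # constructed sample, not real malware
SIGNATURE_DB = {
    "hashes": {hashlib.sha256(KNOWN_BAD_FILE).hexdigest(): "Demo.Trojan.A"},
    "patterns": [
        (re.compile(rb"BOTNET-JOIN-[0-9]{4}"), "Demo.Worm.B"),
        (re.compile(rb"keylog\.dll"), "Demo.Spyware.C"),
    ],
}


def signature_scan(data: bytes, db=SIGNATURE_DB) -> list[str]:
    """Return the names of every signature matching `data`.

    A hash match identifies an exact known-bad file; a pattern match catches a
    known payload fragment embedded in an otherwise unknown file. Neither can
    fire on malware the definition file has never seen, which is why the
    definitions must be updated frequently.
    """
    hits = []
    name = db["hashes"].get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append(name)
    for pattern, pname in db["patterns"]:
        if pattern.search(data) and pname not in hits:
            hits.append(pname)
    return hits


# --- Behavioral (heuristic) detection ------------------------------------
# Constructed per-interval activity counters of the kind an EDR agent collects
# for one process: registry writes, outbound connections, files modified.
BASELINE = [  # "normal" intervals observed for the monitored process
    {"registry_writes": 2, "outbound_connections": 1, "files_modified": 4},
    {"registry_writes": 3, "outbound_connections": 1, "files_modified": 5},
    {"registry_writes": 1, "outbound_connections": 2, "files_modified": 3},
    {"registry_writes": 2, "outbound_connections": 1, "files_modified": 6},
    {"registry_writes": 3, "outbound_connections": 2, "files_modified": 4},
]


def behavioral_scan(sample: dict, baseline=BASELINE, threshold=3.0) -> list[str]:
    """Flag each counter in `sample` that sits more than `threshold` standard
    deviations above its baseline mean.

    No signature is involved: the model is of normal activity, and anything
    far outside it is reported, so previously unseen malware can be caught at
    the cost of occasional false positives on unusual but legitimate work.
    """
    anomalies = []
    for key, value in sample.items():
        history = [interval[key] for interval in baseline]
        mean = statistics.mean(history)
        stdev = statistics.pstdev(history) or 1.0  # flat baseline: avoid divide-by-zero
        if (value - mean) / stdev > threshold:
            anomalies.append(key)
    return anomalies


# --- Central reporting ---------------------------------------------------
def siem_record(host: str, detector: str, finding: str, subject: str) -> str:
    """Serialize one finding as a single JSON line for a central collector,
    so the result leaves the endpoint instead of staying in a local log.
    The field names are a constructed schema, not any vendor's format."""
    return json.dumps(
        {"host": host, "detector": detector, "finding": finding, "subject": subject},
        sort_keys=True,
    )


if __name__ == "__main__":
    # Signature path: the known-bad file and a file carrying a known fragment.
    for label, blob in [("known-bad", KNOWN_BAD_FILE),
                        ("fragment", b"report BOTNET-JOIN-2024 now"),
                        ("clean", b"quarterly budget notes")]:
        for hit in signature_scan(blob):
            print(siem_record("host-01", "signature", hit, label))
    # Behavioral path: a burst of registry and network activity vs. baseline.
    suspicious = {"registry_writes": 40, "outbound_connections": 250, "files_modified": 5}
    for counter in behavioral_scan(suspicious):
        print(siem_record("host-01", "behavioral", f"anomalous {counter}", "proc-1234"))
```

Run as a script, it prints one JSON line per finding: the hash match and the pattern match from the signature path, then the two counters the behavioral path flags. A normal interval such as `{"registry_writes": 3, "outbound_connections": 2, "files_modified": 5}` produces no behavioral finding, which is the point of modeling normal activity rather than known-bad patterns.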