When I built my first network environment, antivirus software was a good idea but still largely optional. In fact, at the time we only had one PC that was actually on the Internet. It seems that as my career progressed, so did the threats. In my first large network, we were installing antivirus software on all our PCs. This was followed by antivirus software for our servers and a version especially for our Exchange Server.
By the time I became an IT Director, we had to add antispyware tools to the repertoire. Lo and behold, today we install Internet security software to protect against viruses, spyware, rootkits and spam – not to mention giving users intrusion protection, a firewall, parental controls, data theft protection and an email safety scan.
Rumor has it that soon these packages will start your car, check for dangerous fumes and scan all mail for “weapon-ized” bio-chemicals.
I know I am being a bit over the top but it makes the point. We are adding more and more tools to combat against the growing tide of threats. The truth is, even with all this security we are still vulnerable.
There is no “silver bullet.” I recall running an antispyware scan on a user’s machine that found and cleaned 856 different threats. After a restart, I ran a scan with another spyware program. This one found 445 other threats (yes, they were different – I checked the log reports).
No doubt, I could have installed three other scanners and got three more varying results.
Therefore, what can we do? How do we keep ahead of the storm? One answer is to pull your systems off the Internet. Of course, that’s the equivalent of selling everything and moving into a cave – not a viable business strategy.
So, what alternative is there?
Reinforcements have arrived
The answer lies in a somewhat older technology: the Windows hosts file. The hosts file uses entries to resolve domain names to IP addresses, just like DNS. DNS takes the name of a host such as “rare-tech.net” and converts it to the IP address (207.46.222.11) of the host.
However, the hosts file takes precedence over the DNS mappings. Moreover, unlike DNS, which is controlled from the server, the hosts file is on the individual PC and is controlled by the local machine.
Overriding DNS is not a bad thing, since adware servers are often listed in DNS servers. The idea of converting IP addresses into understandable naming conventions is terrific. However, a machine has no way of knowing that the IP address it is resolving a name to actually belongs to an ad server or some other sort of rogue system.
An easy way of handling this is to edit the hosts file to send the requests for these sites to the IP address 127.0.0.1, which is the local host. Since the system will continue to translate the address as the local host, it will just send the request into an endless loop on the machine itself. This, of course, has no ill effects on your PC.
There are arguments for and against the hosts file method. Some state that using hosts files slows down the browsing experience; others argue that malware slows you down even more. In testing these methods, I found no significant performance issues. You will need to try it and judge for yourself. However, it does effectively foil attacks that depend on reaching the sites it lists.
However, as you can imagine, the number of entries you would need to include is a bit overwhelming. In addition, as I mentioned earlier, many of the most popular software vendors do not find all the same malware attacks.
How can we be even more effective?
Making protection simpler
Obviously, manual input is not the way to go. Not only is the initial input a massive undertaking, keeping it updated would be a daily administrative task. Thankfully, there is a better way – several, actually.
There are a number of different solutions to automate the process. You can use Winhelp 2002, which will back up your current hosts file and install a fully populated list. Dan Pollack provides a cut-and-paste solution. There are also tools to help update the hosts file automatically, such as FaltronSoft’s Hosts File Updater, HOSTS Secure and Abelhadigital’s HostsMan.
HostsMan seems to have the best set of features and automates the update process every 12 hours. Two things to keep in mind: you cannot change the update schedule interval, and you need to restart your machine for the newest updates to take effect on your system.
As you could guess, the bad guys know exactly what we are doing, so some malware is designed to change your hosts file. They do this either by redirecting traffic to phishing sites, by blocking security updates, or by modifying the registry to change where the operating system looks for the hosts file.
Check to ensure your security software protects against registry changes and changes to the hosts file. If not, there is always the age-old method of logging in with a non-administrative account. This is still the best way to protect against these kinds of changes. The reality is, though, that it does not always work in every situation.
Now, these solutions do not mean you get to stop paying your annual subscription to your favorite security software. After all, these methods are meant to work in conjunction with your current solution, not as a replacement. Think of it as the predator/prey relationship. The predator spends its time looking for the weakest of the herd. If one of its potential victims proves to be too much of a challenge, it moves on to easier hunting.
I understand no one wants to be called a victim or prey, but that is the point. With a little bit of diligence and an extra layer of security, these terms become nothing more than an illustrative analogy rather than a grim reality. Best of all, this is a free solution that is easy to implement and maintain.