Remote Support - Internet Outage Detector - Articles - Billing - Programs - Testing - Contact

Why did I get infected? I was using antivirus!!!

If you know me, you know I fix computers, and I see virus infections almost every day. I see lots of computers that have Norton, McAfee, AVG, Microsoft security essentials, etc - but they get infected anyway. If you asked me why, I might have sent you to this article.

It's a common story, you go to wal-mart and buy the latest and greatest Norton anti-virus, install it, and now you are virus-proof. It pops up almost daily to tell you it updated, reassuring you constantly that Norton is doing it's job. One day, you go to facebook, but you type facbook instead, one letter off, an innocent typo, just an accident. BAM! - you start getting popups warning you your computer is infected. It won't leave you alone. It says you can clean your infection by installing this free program. You don't really want to install it but you can't get the popups to stop so "what the heck", you click YES. It installs Windows AntiVirus 3000. The popups get even worse and your computer slows to a crawl. You run a scan with your new program and it says you have more infections and it needs your credit card to clean them. Norton starts detecting viruses but when you click CLEAN there is an endless number of them until you give up and unplug the computer because you can't even click start to shut it down anymore. What happened??? Wasn't Norton supposed to protect you against this?

To understand why anti-virus programs do not work anymore, you have to understand how they try to work.

The companies that make anti-virus programs have teams of virus-watchers working around the clock, always on the lookout for new viruses. When they find one, they dissect it and choose a small part of it that doesn’t seem to be in any other file ever seen (virus or not).  Then, they add this small part of the virus to a master list, called "virus definitions" or "blacklist". This blacklist is made of small parts of every virus that has been discovered. When your anti-virus program scans a file to determine if it's a virus or not, what it is actually doing is comparing the file to the blacklist, and if it finds a match, it knows that file is a virus. This happens very quickly, and a computer can scan dozens of files per second. When your anti-virus program "updates", what it's doing is getting the latest blacklist. This usually happens several times a week.

The problem is, there is about a week delay between the time a virus is released, and when your computer is able to detect it. It takes this long because the virus has to become widespread enough for the virus watchers to cross paths with it, verify it is actually a virus, pick a small part for the blacklist, test the blacklist for false positives, release the blacklist to the public, and finally for the public's computers to perform the automatic updates. This is A WEEK!  Can you guess how much delay the virus writers have in getting the next version of their virus out?  Less than a day. Less than A DAY! As soon as the virus writers discover their virus is detectable, they quit using it. This means that most viruses are less than a week old, therefore not detectable.

Stats show the best antivirus software is only able to detect 5% of viruses that are a week old (source). We know this because of a service called virustotal.com that allows the public to upload suspicious files. Virustotal scans the suspicious files with about 50 antivirus engines all made by different companies and shows the results. When a virus first becomes discovered, researchers will go to virustotal and look at when this exact file first began to be uploaded by the public, and they usually find it's been circulating for weeks or months or even years!

Roughly 50 new viruses are discovered every day, that’s 350 new viruses every week. The blacklist files are growing faster than our national debt.  This means your computer has to work harder to compare every file it scans. Today, antivirus programs will use more resources (cpu and ram) than just about any program made. This makes computers run slower than a herd of turtles stampeding through peanut butter!

Think about the junk email you get. Have you ever tried to block each junk sender? What percentage of junk email did you end up filtering? (Probably less than 1%.) You eventually realize that the junk comes from a new sender every time. Have you ever accidentally blocked a friend? What you were attempting to do was use blacklisting technology. Blacklisting doesn't work for junk email, and it won't work for viruses either for the same reasons. Sometimes the antivirus companies accidentally block good programs too, causing major problems for huge numbers of people.

Using blacklisting for detecting viruses was effective for a long time, but that started to change around 2008. Virus writers learned not one but two new tricks. They discovered that they could scan the virus they are creating with all the popular antivirus programs to see if it was detectable. If it was, they could just change the code until it doesn't match any blacklists anymore, making it undetectable. They are using the antivirus software against us!

The second trick they learned is that it was getting easier to simply trick the user into installing the virus rather than trying to outsmart the security built into windows. Virus writers discovered that the easiest way to infect a computer was just ask the user to install the virus. What happens is, hackers buy domain names like facbook (spelled wrong) and sometimes email you legit-looking links to it. They design the site to look like the real facebook so you don't notice you went to the wrong site. They put advertisements on the counterfeit site that say you are infected, even though the ad did not scan anything. An ad cannot scan the computer anyway, it's just an image. Sometimes they make the ad look like a window with the X to close button at the top, and place it in a popup, making it look very real. When you click the X, you really clicked the ad, which redirects you to a page telling you the infection can be fixed if you install this program. This "program" IS the virus. They give it an innocent name like Windows AntiVirus 2012 to reassure you it is safe. They copy the icon from AVG, making it look familiar.  You download the virus and install it. Now the hackers have total control of your computer. They can do anything from disabling norton to sending spam to stealing passwords for your email and online banking. They can see everything you type and every move you make. At this point, they make money by selling your identity to other hackers OR by displaying ads which other bad guys pay for to have displayed. The fake antivirus program then pretends to scan the computer and reports you are infected but it needs your credit card number to fix anything. Most people call me at this point, but if you enter your credit card number, you have a bigger problem. Not only do they get the $20 to $80, but they also sell your credit card info to other hackers. You will need to tell your credit card company to cancel your credit card, reverse the charges, and send you a new card. You will also need to change all passwords for anything important to you like email or banking sites or facebook.

 

So what do you do to prevent this? There has to be a better way, right? Yes there is, but first I would like to review the reasons anti-virus programs suck so much.

1.         They rely on blacklists, therefore are not capable of detecting new viruses. It is estimated that 80% of the viruses circulating at any time are less than a week old, which means your antivirus program can only detect 20%. This is simply not enough!

2.         They consume precious resources that your computer needs to run at top speed. Most antivirus programs use over 200MB of ram, not to mention the Internet bandwidth used to download blacklist updates. This puts a noticeable delay in almost every program you run. A computer running AVG that takes 5 seconds to start Internet Explorer will take less than 1 second after uninstalling AVG. The blacklist files are getting so big, the delay in scanning files has increased unacceptably!

3.         They nag you. With all the popups that remind you it needs updating or is updating, or has updated, or is scanning a file, or checking your email, or telling you it's firewall has blocked somebody trying to ping you. It's like they think that's the only program you run, and you have all day to sit around keeping it updated and reading everything it has to say. Most people want to do other things with their computer too!

4.         They cause other problems, especially Norton and McAfee. They want to take over your computer and intercept every packet of data to scan it. It inserts itself in places it shouldn't be, and causes other programs to break. I can't count how many times I've seen Norton "protect" a user from their email, or the entire Internet, making them completely inaccessible. Most anti-virus programs want to also be your firewall. If you are using windows XP, Vista or Windows 7, you already have a firewall built into windows that works just as good, and doesn't nag you. I've seen McAfee mess up windows so bad that I couldn't fix it without reinstalling windows.

5.         They falsely detect good files as viruses. Sometimes the good guys pick the wrong part of a virus to include in the blacklist. Lets say they pick the part that deletes files. Viruses are not the only programs that have code that deletes files. Your web browser deletes files you when use the "delete temporary internet files". If your anti-virus program scans your web browser and detects the part of it's code that deletes files, it will try to delete your web browser! I've never actually seen a web browser get deleted, but I have seen critical components that are required to boot the computer get deleted, forcing the user to reinstall windows to fix the computer, which will cost $75 - $150 at a computer shop.

6.         They do not stop viruses from reading your banking passwords and other personal data.

7.         They do not stop viruses from messing up things that are not reversible without reinstalling windows.

 

You might wonder why computer shops still try to push antivirus software. This is because computer shops are financially motivated. They make money by selling you this software, then make more money when you get infected and you bring it back to them to have it cleaned. If you follow MY method, I will personally clean all your viruses for free! (but you won't be getting infected anyway if you use my method)

The secret to my method is right under our noses. I use a feature which is already built into Windows and it's totally free. It is called SRP (Software Restriction Policies).

Before you jump into SRP, make sure you understand how to use UAC properly.

Then, you can continue to my SRP Article.