At the risk of being hunted down and called a spammer, like what happened to me before when I mentioned I used a rarely used AV/AM and said it wasn't bad, I was accused of all kinds of things.
Let it be.
I'm into all this AV/AM stuff more than your average consumer. Some call me an expert. I'm not. Hell, I'm into it more than some guys I know that code. Dur, they are so busy coding, they do not have the time for the frivolities of the latest update that will prevent their very own code being encrypted and unreadable. Not that that would ever happen to someone like that. Well, if they don't surf the net, it might never happen seeing as the vast majority of this kind of thing is based on a vector of users browsing to the wrong occasional site.
So, AV/AM is only of limited use. Time for other tools.
Microsoft provide one. It's called EMET. It has data execution prevention, structured exception handler overwrite protection, and address space layout randomisation.
As I understand it, most of those are based on memory exploits and buffer overflow kind of thingies.
Dedoimedo is big on Emet. And seeing how big he is on Linux too, I tend to believe him. Check his toots.
Now here comes the spam bit. You will think it is spam because you never heard of it before. Because someone you don't know is recommending it. Because it's just too good to be true.
I just got a nice free shiny copy of Voodoo Shield https://voodooshield.com/ and it works in a way that is also outside the AV/AM paradigm, as EMET does.
In fact, you don't need to buy a copy, coz the free version will do most people proud.
It's very simple how it works. It has several modes depending on how you are using your computer. If you are installing software and messing about, you set it to one level. If you have all that done and just use it for very specific tasks, you lock it down. There is also a middle 'learning mode' which is fairly intelligent.
I won't lie, it's a pain in the arse sometimes, like when I was building a whole win7 OS. But in training mode it worked out. I would recommend this more for comps already set up and with all software installed - just lock the mofo down. Anything outside the ordinary - BANNED.
Don't know how much it costs. Don't know how many licences you get when you buy. Don't go installing it on a comp when you are building the OS.
I talked to the dev a coupla times via mail. He gave me the free license just for providing feedback on a very well known security forum. I spread the word again to audio sites and what not.
Point being - this program would work wonders against any 0 day. AV/AM is a loser's game. I can run totally without it, but I still use it being paranoid. I spend money on AV/AM. I also spend money on AV/AM for family members/friends. What's an extra license or two?
I've spent as long learning about computer security as I have learning Linux. I understand both sides of the argument. No cure for stupid and opening any ol' attachment. And I've seen the best minds of my generation struck down with nasty blackmail encryption viruses too. Experts. Of course they pretty much laughed about it, having their whole system backed up in duplicate - off line HD and Cloud solution - but that was not the point - they got burnt. And if they got burned then so can you.
Really. This is not unheard of. And this is not chaps doing research. This is chaps surfing the net and doing what they do. After taking all the precautions they take of course. They love it in a way. It proves the robustness of their solutions and they are happy to say how they got everything working back nice and normal in a matter of minutes/hours. Most of them are amateur enthusiasts as well, we aren't talking great coders here.
Some people have a fetish for this kind of thing. I understand that. I respect that. I played a while in that garden.
I now have almost a phobia against using the computer, let alone implementing new up to date 0 day mitigations against nasties. Like I said, Emet is a good 'un. Microsoft get it very right sometimes. (I slag them most of the time like most people). Then again, they have the documentation. All that ring '0' kind of stuff. The access to the closed APIs. Am I sounding like a conspiracy nut? I don't mean to. :-0
But check out that Voodoo Shield program. Apart from getting a free copy, I don't work for or know the chap doing it. He's very dedicated though, and also very approachable. I dare say, if you really knew about these kind of things, you could get him to ameliorate it in some way, if you took the time to mail him.
Typical coder. Will send you a mail asking you loads of questions, and you answer him, and you don't hear back for three days. Then it's all 'I'm sorry I was lost in the deep dark woods'. eh eh.
Then he gives you a free copy.
Having said that, it is a very effective deterrent, especially against low level encryption type stuff. No AV/AM would really cover that. Emet should, technically, but in practice it doesn't.
There are so many contradictions in the security world. So much 'voodoo'. Ah.
It's always good to have another string to your bow.
And the great thing about solutions like Emet or Voodoo Shield is that they take up absolutely no CPU time and are therefore massively efficient. This is low level stuff.
There are probably more examples I could give of this kind of level of security, but suffice to say, anyone who employed Emet (Microsoft - Free) and Voodoo Shield (Free for basic version, which is all most people will need) would be covered to a deeper degree than if they just employed AV/AM alone.
Hedge your bets. Find a free or cheap AV that won't bog your computer down. Employ third opinion scanning tools like Hitman Pro (which are free until you actually find an infection and need to clean it).
Apart from that, I'm sorry, I don't really know what this article was about. It was very confusingly written, with no discernible points to it. Not one of the Reg's better moments.
Then again, it gave me room to ramble...