In Search Of An Up-to-Date Definition

Maybe we've just been lucky with car insurance. When somebody reversed into the side of my wife's parked car some weeks ago, our insurance company sorted it all out with one phone call, got the car fixed within a week, and even aggressively pursued the other insurance company to get the excess we paid refunded. Somewhat different to a friend's experience where their budget insurer led them a merry dance for several weeks, and left them severely out of pocket at the end. After paying the premiums for years, they suddenly discovered they were barely covered for anything.

But I've just had a similar experience with virus and malware protection. I've suffered over the years with the well-known issues surrounding many of the mainstream AV packages, such as instability, incompatibilities, and hassle installing and removing them; though newer versions have resolved a lot of these problems. Mostly I've tended to use packages such as CA, Norton, Avast, and AVG. However, since becoming a 'Softie, I've been forcibly migrated to the arms of our own threat management suite, Forefront.

We have our own custom installer for Forefront, which connects the client application to the backend big iron that hosts the management infrastructure; and on my corporate domain-connected machine it seems to work fine. But installing the stand-alone client on other machines has been an interesting revelation in how we depend on stuff that may not actually be doing anything. For example, I just clicked "Update definitions" in Forefront, and it says I have the latest definitions installed. Yet when I go to the Malware Protection Center it tells me that there have been five new versions since then, and my current version is at least two days out of date. There are over 90 new threats identified since the version I've got installed. But clicking "Update definitions" does nothing.

Mind you, I suspect it's partly to do with the fact that it keeps trying to send packets out through some weird ports, and my network firewall just bats them back again. The log full of connection errors would tend to confirm this, and probably not being able to talk to its big iron is not helping the situation. Though it's not just Forefront that seems to have had issues - the Windows Defender installation on a couple of Vista machines suddenly decided some months back that it was fed up downloading updates, and just stopped doing so.

So, on all of these machines, I've switched to the new Microsoft Security Essentials package, and so far it seems to do what it should - though I notice that scans and definition updates only seem to spring into life when the machine is reasonably idle. My wife has a habit of switching on, doing her email, then immediately powering off again, and I generally find I need to turn the thing on while she's out to get it up to date. Last week it suddenly started flashing red and complaining that the definitions were a week out of date. Yet it refused to do anything about it despite being left in peace for an hour to do its internal housekeeping. It looks like it doesn't attempt to "catch up" if it missed a scheduled scan by running one as soon as possible afterwards (which you'd assume it would do). And when you start a manual scan, it doesn't automatically download the latest definition files first. So even if my wife had decided to click the "Scan now" button - and, let's face it, why would she - it would scan using definition files seven days out of date.

But what really annoyed me was that my locked down Web browser machine, which runs 24 hours a day and is mostly idling, suddenly popped up a warning that Forefront had out of date definitions. On investigating the stored definition files, it seems like it hasn't actually updated since November! Yet the Windows event log is full of blue "information" entries describing how hard it's working to protect my machine. So then I looked at the virus definition updates in my local Windows Software Update Service (WSUS), which religiously downloads Forefront updates every night (all 80MB, and there's usually three of them).

Amazingly, all of these are marked as "Not Applicable" for all of my machines. Obviously Forefront, unlike Windows Defender, doesn't look in WSUS - but goes direct to somewhere else. I wonder how much bandwidth I've wasted in the last year downloading these. That reassuring green tick in WSUS for the machines, which I assumed meant I was fully patched and up to date, means nothing in terms of malware and virus protection. It seems like every machine on the network needs to download its own copy of the definitions every time. But maybe that's better from a security perspective.

So now I'm migrating all of the non-domain-joined machines to Security Essentials, and my daily task before using each machine is to click the "Update" and "Scan now" links. Maybe the dev team for Security Essentials will help out by adding an option that you can set so it will download definitions and scan immediately if it missed a scheduled one. And one more thing guys, how about allowing us to schedule a mixture of scans? A quick scan every day and a full scan every week, for example.

Then, after all this fun, I decided the next morning to have a more thorough look at the "dangerous" software installed on my wife's laptop and my Web browsing box. I have to say I wasn't prepared for the horrors I found. On the laptop Firefox was still version 3.0.6, Flash was a year out of date, Adobe Reader was two whole versions past its sell-by date, Shockwave at least two minor releases out of kilter (it was only recently installed), and Java a whole version number adrift. On my Web browser box Firefox was still an old version 3.5 release, and Adobe Reader required the latest updates (which I've actually been telling friends and neighbors to make sure they install on their home machines).

The reason is, of course, that none of this stuff auto-updates when you are running as a non-admin user. OK, so you can't run Windows Update as a non-admin, but it does do it in the background automatically. Firefox grays out the "Check for updates" menu option, so you might think all is well and it's looking after you in the background. Nope - you need to log in as an administrator to be able to click the menu link, and to actually perform the update. The same seems to apply to Adobe Reader, though it removes the "Check for updates" link rather than disabling it. And what about Flash, Shockwave, Java, and all the other weird extensions that seem to be indispensable for Web browsing these days? How do I check if they're up to date? In the end, I just logged in as an admin, went to the respective sites, and installed the latest versions over the top of what was already there. Though there's probably some I missed because I've never heard of them before...
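One way to answer the "how do I check if they're up to date?" question without logging in as an administrator is to read the versions Windows records in the Uninstall registry keys, which a standard user can read. This is an added example, not code from the original post; the product names and minimum versions in the table are constructed placeholders to be filled in from each vendor's current release notes.

```powershell
# Added example: inventory installed software versions from the Uninstall
# registry keys and flag anything below a minimum version. HKLM is readable
# by non-admin users, so this runs from the locked-down account.
# The minimum-version table is a constructed placeholder, not a real baseline.
$minimumVersions = @{
    'Mozilla Firefox' = '3.6'       # placeholder
    'Adobe Reader'    = '9.3'       # placeholder
    'Java'            = '6.0.180'   # placeholder
    'Adobe Flash'     = '10.0'      # placeholder
    'Shockwave'       = '11.5'      # placeholder
}

# 64-bit Windows keeps 32-bit products under Wow6432Node; per-user installs live in HKCU.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect name/version for every registered product; skip entries without a display name.
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion

function Test-BelowMinimum {
    param([string]$Installed, [string]$Minimum)
    # Vendors pad version strings inconsistently; fall back to a string
    # comparison when [version] cannot parse one of them.
    try   { return ([version]$Installed) -lt ([version]$Minimum) }
    catch { return $Installed -lt $Minimum }
}

foreach ($product in $minimumVersions.Keys) {
    $found = $installed | Where-Object { $_.DisplayName -like "*$product*" }
    if (-not $found) {
        # Browser plug-ins do not always register an Uninstall entry, so
        # "not found" means "check by hand", not "not installed".
        Write-Output ("{0,-16} not found in Uninstall keys - check manually" -f $product)
        continue
    }
    foreach ($entry in $found) {
        $state = if (Test-BelowMinimum $entry.DisplayVersion $minimumVersions[$product]) { 'OUT OF DATE' } else { 'ok' }
        Write-Output ("{0,-16} {1,-40} {2,-12} {3}" -f $product, $entry.DisplayName, $entry.DisplayVersion, $state)
    }
}
```

Run it from the non-admin account on each machine; anything reported as out of date or not found still needs the admin login to actually install the update.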

I guess it's interesting to ponder over whether software should update itself automatically. Obviously the O/S needs to in order to protect the less technical users (the computing majority). But should other programs do this? For example, I wouldn't expect my text editor (TextPad) or picture editor (PaintShop Pro) to do this. I run versions that are well out of date on some machines because they do what I need and I can't justify buying and learning a new version. But stuff that exposes me to risk, such as Web browsers, email clients, and the associated browsing junk, surely should auto-update - at least to resolve security vulnerabilities.

OK, so maybe there's a problem with them not being able to access the system if the updates aren't delivered through Microsoft Update. I did read a couple of blog posts that suggested the answer is to give all user accounts write and modify permission for your Program Files folder tree, but I'm not convinced that's a great plan. Though whether it introduces more risk than running out of date browser and Web software that has known vulnerabilities is an interesting question.

Maybe I'm just naive, but why doesn't software that may expose you to risk simply pop up a warning when it's out of date but can't automatically update? I suppose there's the risk that users could be fooled into trying to install some malware that pretends to be an "essential update for your system". The problem is that the current situation seems to be full of holes, and maybe it's no wonder that viruses and malware continue to flourish and spread. Still, hopefully after this round of updates I'm covered for the time being.

Or until somebody reverses into the side of my server cabinet...