I’ll admit, I get around on the web. I go places that you shouldn’t go. But for the activity that I do, I’m pretty safe. There’s only a few precautions I take and I don’t think it’s all that difficult for anyone else to do.
First and foremost, I installed the MVP Hosts file. This file does a system-level blocking of any network application that tries to access an internet address that is considered advertising or malware. This makes nearly everything better, because websites don’t get bogged down with ads. There are some times that I do need to disable it, but those times are few and far between. Because it’s system-level, that means IE, Chrome, Firefox, or any other application is immediately protected.
If you go looking for it, there is a growing argument that ads should not be blocked on websites, especially legitimate content sites. I disagree. I recently read an article on the analysis of the spread of an unpatched vulnerability. The malware authors used a legitimate ad service that was utilized by many legitimate websites. This means that there is no ad service that can be fully trusted. My position is, if you want to display ads, you host them on your domain and you will take full responsibility for their content. And because the ads are on the same domain as the content, I can’t and won’t block them. Even if the ads aren’t malicious, legitimate ad services still serve up misleading ads, designed to trick you into clicking them. They make them look like authentic messages or toolbars or status bars. That’s not advertising, that’s flat-out deception.
Back to my security. Next, I block Flash, Java, and all other plugins by default on all websites. I used to do this in IE by changing the Flash plugin from blacklist to whitelist, but have come to prefer the ActiveX Filtering feature.
So, what’s the last piece of defensive software I use? Microsoft’s EMET utility, which blocks vulnerabilities at the code level. This is a really low-level utility and is not exactly user friendly, so I pretty much just run it at the default level. It’s hard to tell if EMET is working because it’s so low-level. I’ve seen it do its job twice. Once, when I was using a Java applet on Verizon’s pages to play my voicemail and another on a sketchy website where it looked like the website was trying to perform an SVG image exploit. I admitted already, I go to bad places sometimes.
Because I take these precautions, I hadn’t thought about being attacked in quite a while. On a whim, I ran MalwareBytes and it came back with zero results. My database was over 2 months old, if I saw correctly.
The only thing that I am vulnerable to is downloading Trojans and installing them myself. And that is simply a personal fault – no fault of my computer or software. I will comment that downloading software from websites has really become a minefield, with sites displaying many different “Download” buttons at once. You have to study the page and find the correct context for each button to make sure you are choosing the right one.
In summary, I feel I’m doing pretty good with the tools that are made available: KeePass, VeraCrypt (the replacement for TrueCrypt), MVP Hosts, EMET, and IE’s ActiveX filtering. I use two-factor authentication whenever it’s available. It’s not something I did all at once. I added each little piece as I went. And in total, it doesn’t slow me down at all.