IMPORTANT NOTIFICATION

This site is an archive of Simon's first blog.
Current writing and commentary is now published at
simonedwards.com.

Thursday, 23 January 2014

Future anti-virus support for Windows XP

Microsoft will no longer support Windows XP after April 2014. In an earlier article I outlined how XP users may secure their systems should they continue to use the obsolete operating system.

I mentioned that some anti-malware programs can help because they may prevent attackers from gaining entry through some of the security holes that are known to exist in Windows.

Many vendors support very old versions of their products. At the very least they provide signatures to customers running ancient scanners. If enough people continue to use Windows XP then those vendors will support them to some extent, even if they don't continue developing new detection and prevention technologies for Windows XP products.

Below is a list of anti-virus companies and the level of their stated commitment to Windows XP users. The following data is for consumer products only.

'Foreseeable future' means 2016 or later.

Vendor: stated commitment (the chart's columns are July 2015 / Mid-2015 or later / Foreseeable future)
AVG: X
Avira: X
BitDefender: X
Bullguard: X
Checkpoint (ZoneAlarm): X
ESET: X
F-Secure: X
G Data: X
Kaspersky Lab: X
Lavasoft (Ad-Aware): X
McAfee: X*
Microsoft: X**
Panda Security: X
Symantec (Norton): X
Trend Micro: X
Webroot: ---


Last updated: 04/02/2014 1325 GMT

* Opinion, based on historical behaviour of this vendor when dealing with end-of-life operating systems.
** This support is available to users who install Microsoft Security Essentials up to April 2014, after which users will be unable to download the software.

Any vendors who are not represented above can contact me for inclusion in this chart. I will also be happy to update the above positions should they change.

The information above is based on publicly-available press material and discussions between myself and the vendors in question.

Monday, 20 January 2014

Four Fs of Anti-Malware Testing

A practical approach to testing endpoint security products

Late last year I wrote a paper and gave a presentation about testing anti-malware software at The First Workshop on Anti-malware Testing Research (WATeR 2013) in Montreal, Canada.

The paper is published on the IEEE Xplore website. You can download it from there if you are a member or wish to pay. Alternatively, you can download a pre-published version from here for free.

I'm sure that it will make fascinating reading. However, maybe my presentational skills need polishing as at least one person fell asleep as I spoke. He assured me later that his fatigue was due to the previous night's alcohol intake and not the material in the presentation...

Abstract— This paper presents a practical approach to testing anti-malware products, focusing on the following four areas:

1. Defining the scope of the test
2. Interpreting the test results
3. Methods of data collection
4. Managing the financial costs of a test.

I will also note a number of common mistakes that testers make and explore some of the technical and non-technical challenges that testers face, including attacks on test methodologies by the anti-malware industry and other third-parties.

While the principles discussed apply to many types of anti-malware testing, on different platforms, this paper addresses specific issues relating to testing anti-malware products that run on x86/64 platforms and exposing them to ‘live’ malware threats that actively attack systems on the internet at the same time.

Exploring web threats

How to examine malicious websites and their effects - for professional beginners.

If you want to capture a live sample of a phishing website, or a site that is infected with malware, the techniques covered will help.

These tips are particularly useful considering how malicious websites can come and go very quickly.

I wrote this presentation for a customer who wanted a way to analyse some of the main threats to its users and to help when problems occurred. The solutions and threats included:

  1. Phishing websites designed to steal account details.
  2. Sites hosting exploits and malware designed for stealing account details.
  3. Malware infection detection.
  4. Malware removal tips.

You can download a free PDF of the presentation I gave.

If you just want an introduction to HTTPReplay and Fiddler2 then this might be helpful also.

Thursday, 16 January 2014

Three anti-virus testing questions/accusations

When we, at Dennis Technology Labs, publish results from our anti-malware tests, internet users can be relied upon to raise a number of questions, points of opinion and direct accusations.

Here are three of the most common, along with my responses:

1. The test is rigged because I don't believe that Product X would do well but it did. (Or Product Z performed badly but I know that it's good).

The test is not biased in favour of any vendor or vendor's product. Claims to the contrary should be accompanied by evidence.

We deal directly with all vendors involved in our tests and any corruption on our part would, I have no doubt, be discovered and publicised very quickly.

Our reputation is crucial and cheating in tests really makes no sense from a business perspective.

2. Testing on unpatched systems is pointless and produces worthless results.

Anti-malware tests by all well-known testing labs, including Dennis Technology Labs, AV Comparatives, AV Test and NSS Labs focus on testing the actual security software and not other elements. For this reason no tester runs what we call 'security endpoint' tests with the very latest Windows patches deployed.

To use a tired car analogy, if you were to test tyres you would use sub-optimal conditions, such as wet roads and sharp bends. Similarly, providing vulnerable software used by today's malware allows testers to stress the anti-malware software and determine which products are most effective.

In fact, the threats we see are far more likely to target third-party applications than Microsoft Windows components.

In an experimental test that we ran last year, we found that patching Windows with the very latest updates (on a daily basis) had a small effect in preventing the threats, but not enough to make much difference in a test such as we run.

That said, we're not saying that updating Windows is pointless. Far from it - it makes a lot of sense to fix known vulnerabilities.

3. Why doesn't this test include Product Y?

The way that we test is very detailed and labour-intensive. This means we are quite restricted in how many products we test.

Any anti-malware vendor is welcome to engage with us and discuss the inclusion of its products into the test suite.

Tuesday, 14 January 2014

Secure Windows XP after updates end

Sticking with Windows XP? Here's how to secure your system to a reasonable standard.

We'll cover:

1. How attackers work.
2. The significance this has for Windows XP users who will no longer receive updates to their operating system.
3. Free solutions to help secure your PC.

2014/01/14: This article has been updated, correcting NetMarketShare figures regarding how many people use different versions of Windows. In practical terms there is little difference.

Microsoft will soon stop issuing security updates for Windows XP.

At the same time it will cease issuing updates for its anti-malware product (Microsoft Security Essentials) for Windows XP.

This is significant because a very large minority of PC users still have Windows XP installed. Should they buy a new Windows 8 PC or can they maintain a decent level of security once they are abandoned by Microsoft?

In April 2014 Microsoft will end support for Windows XP and its free anti-malware protection. However, in December 2013, 29 per cent of Windows users were still running Windows XP.

To put things into perspective 44.5 per cent were running Windows 7 and only 11 per cent were running Windows 8 and Windows 8.1 combined. These figures are provided by NetMarketShare.

Clearly such a large number of people are not going to switch to Windows 7 or 8 in the next three months.

The following article explains what the threats are for Windows XP users, how they work and ways in which users can secure their old computers without having to upgrade the operating system.

How hackers do it

There are two common ways for hackers to attempt to gain access to desktop computers.

Social engineering

The first is so-called social engineering, in which they trick victims into running a malicious program. This program may be designed to steal information, such as passwords, from the system. Let’s call this type of software ‘spyware’.

Alternatively the software might try to further trick or blackmail the victim, perhaps by claiming (ironically) that it has detected a malware infection or by locking the PC and demanding payment for releasing the system back into the user’s control. These types of threats are called ‘rogue anti-virus’ and ‘ransomware’ respectively.

For social engineering to work the user usually has to be convinced to run a program. If they are sufficiently convinced that they need to download and run a certain program (or insert a strange USB storage device) then they will probably carry on regardless of what their anti-virus program tells them.

Some may check themselves if they see a warning like, “This file is a Trojan. We recommend you should delete it.” but clearly enough users are fooled for the criminals to continue with this tactic.

No amount of patching Windows will change this situation so, for Windows XP users, this type of threat remains as significant (but probably no worse) as before.

Software exploitation

The second method is to gain access to the system using automatic attacks. These usually involve the victim visiting a website that contains some malicious code. This code, known as an exploit, runs on the target computer and gains a temporary level of control. It uses its new-found position of power to download and install malicious software, such as the aforementioned spyware, rogue security software and ransomware.

Automatic exploits only work because there are security holes, aka ‘vulnerabilities’, in the software on the victim’s computer. Vulnerabilities can exist in the applications that come included with Windows, such as Internet Explorer; in third-party applications such as Java, Flash and Adobe Reader; and even in hardware drivers (last month researchers published an exploit for Nvidia’s display driver).

If vulnerable software is updated to make it less vulnerable then exploits are less likely to work. For example, if you are still using Java version 6.x then your system is very open to attack because there are lots of known vulnerabilities for that software. Upgrading to the latest version 7.x will help, because there are fewer known vulnerabilities in the latest version of Java.

It is neither safe nor accurate to assume that any program has no vulnerabilities at all. Usually it’s just a matter of time before someone finds a new one. If a program is popular then there is more motivation for researchers to look for security holes, because those holes affect the largest number of potential victims.

Most popular exploits

It is hard to say whether attackers prefer to exploit vulnerabilities in Windows’ own files or those belonging to third-party software but, according to an update by the security blog Contagio, the exploit kits used by criminals in recent months seem very focussed on Adobe Reader, Adobe Flash and Oracle’s Java.

There are some exploits aimed at Internet Explorer 10 and earlier, many of which could affect Windows XP users. Switching from Internet Explorer to a browser that has continued Windows XP support (such as Google Chrome, Mozilla Firefox and Opera Software’s Opera browsers), and updating all other third-party applications would be a sensible move if you want to stick with Windows XP.

Updating automatically

Microsoft makes updating Windows reasonably convenient thanks to the Windows Update service. However, this does not usually provide updates for third-party software (although it does sometimes). Fortunately there is a free application that behaves in much the same way as Windows Update but for non-Microsoft programs.

Secunia’s Personal Software Inspector (PSI) will scan your PC for vulnerable applications and can automatically download and install updates for those that have them. You can also opt to have it download the updates but wait until you instruct it to install them, and you can even have it simply scan and inform you about available updates, rather than downloading anything.
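The core of what such a scanner does, shown as an added Python illustration (not Secunia's code): compare each installed program's version against the lowest version a vulnerability database treats as patched. The installed-programs listing and the minimum-version table are constructed sample data, and the Java helper maps the "1.6.0_45" style strings found on disk to the "version 6" numbering used in the article.

```python
import re
from itertools import zip_longest

# Constructed sample: what a scanner might read from Add/Remove Programs on an XP box.
INSTALLED = [
    ("Java(TM) 6 Update 45", "1.6.0_45"),
    ("Adobe Reader", "9.5.5"),
    ("Adobe Flash Player ActiveX", "11.9.900.170"),
    ("Mozilla Firefox", "26.0"),
]

# Constructed placeholders standing in for the scanner's vulnerability database:
# product name fragment -> lowest version the database treats as fully patched.
MIN_SAFE = {
    "Java": "1.7.0_51",
    "Adobe Reader": "11.0.06",
    "Adobe Flash Player": "12.0.0.38",
    "Mozilla Firefox": "26.0",
}

def parse_version(text):
    """Turn '1.6.0_45', '11.0.06' or '12.0.0.38' into a tuple of ints."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError("no numeric version component in %r" % text)
    return tuple(int(p) for p in parts)

def compare_versions(a, b):
    """-1, 0 or 1; missing trailing components count as zero, so '26' == '26.0'."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def java_major(text):
    """Java's '1.6.0_45' is 'Java 6', '1.7.0_51' is 'Java 7'; '8.0.20' is already 8."""
    parts = parse_version(text)
    return parts[1] if parts[0] == 1 and len(parts) > 1 else parts[0]

def find_outdated(installed, min_safe):
    """Return (name, installed, required) for every program below the minimum."""
    outdated = []
    for name, version in installed:
        for product, required in min_safe.items():
            if product.lower() in name.lower():
                if compare_versions(version, required) < 0:
                    outdated.append((name, version, required))
                break
    return outdated
```

Calling find_outdated(INSTALLED, MIN_SAFE) on the sample data flags Java 6, Adobe Reader and Flash and leaves Firefox alone.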

How this affects users of Windows XP beyond April 2014

If Microsoft sticks to its plans then Windows XP will no longer receive security updates after April 2014. This means that any future vulnerabilities detected in Windows XP system files and the applications that come with it will remain unfixed. This appears to be great news for the attackers, who can locate security holes and use them without fear that their activities will be hindered by an impending fix.

The solution(s)

However, this is just one facet of the situation. Third-party applications and hardware drivers will still be updateable as long as their developers continue to provide support. Additionally, certain anti-malware products, including Kaspersky Internet Security and Symantec Norton Internet Security, are capable of detecting many types of exploits and can prevent them from taking control of the system.

I put together a list of anti-malware products that will continue to protect Windows XP after Microsoft withdraws support. Most, at the time of writing, were committed to the foreseeable future.

While Java is notoriously popular with hackers, you don’t need to remove it completely in order to secure your PC. You can keep Minecraft running happily on your system but simply disallow Java in the web browser.

There are at least five free and easy ways to protect against viruses and spyware. Windows XP users won’t be able to follow point #4 (i.e. update Windows) from that linked article but the rest are relevant for those sticking with XP.

Microsoft has a tool that helps to prevent the exploitation of vulnerabilities in its own software and those created by third parties. The Enhanced Mitigation Experience Toolkit is probably a little too tricky to use for everyday users but experts and the inquisitive can download it for free.

So while it is always best to fix the problem, by patching the security hole (or uninstalling the vulnerable application if you don’t need it!), there are ways to prevent the bad guys from gaining access even though the holes continue to exist.