Tuesday, April 29, 2008

some critical thinking on fake alerts for the user

tad heppner over at the mcafee avert blog had an interesting user-centric post about fake alerts pushing rogue anti-malware products... what interested me was that it presented some ideas that a user could theoretically apply (like safe hex) to determine whether a particular security alert is trustworthy or not, but i think he could have taken this further...

his suggestion of using responsible browsing practices is a little vague (and some fake alerts don't even make it obvious that they have anything to do with browsing in the first place), doing a bit of research on what you're being asked to install/buy is a good idea (though i suspect people won't have the presence of mind to do that when scare tactics of "you have a virus" are being used), and looking for secondary indications of infection is just a little too technical...

now, presence of mind when scare tactics are being used will always be a problem, but if a user can keep their head and not panic then this line of thought might come in handy: if the alert is warning you that you have something bad on your computer and then asking you to install/buy something, then it stands to reason the alert didn't come from something you already installed/bought... so unless you intentionally went to a website that scans your system without needing an install, whatever is giving you the alert examined your system without your permission... i think we all intuitively understand that things shouldn't be searching through your files without your permission, so that alone should signal to the user to stay away from it, whatever it is...

another good (and somewhat related) idea is to be familiar with what the security alerts from your actual security software look like, so that when a strange one pops up you'll be able to tell that it doesn't belong... downloading the eicar standard anti-malware test file should cause anti-virus software to pop up an alert, so you can see what that alert is supposed to look like and how it's supposed to behave... anti-virus isn't the only security software a user may have installed, mind you, but there aren't necessarily simple standard ways of triggering alerts from those other security products, and that's something someone might want to look into...
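as an added example (not code from the original post, and not from mcafee or eicar), here's a small python script that builds the eicar test file locally instead of downloading it, and that checks a file against the published eicar recognition rules (the exact 68-byte string, optionally followed by whitespace only, at most 128 bytes total)... the test string itself is the public eicar standard string; the function names and the output filename are my own choices...

```python
"""Build the EICAR standard anti-virus test file locally and check files
against the EICAR recognition rules, so you can see what a genuine alert
from your own anti-virus looks like. Added example; function names and the
output filename are the author's own choices, not anything from the post."""
import sys

# The published 68-byte EICAR test string (harmless by design; it is a tiny
# DOS program that only prints a message). Note the single backslash.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Per the EICAR description, whitespace may be appended after the string,
# but the whole file must not exceed 128 bytes.
EICAR_MAX_LEN = 128
TRAILING_WHITESPACE = b" \t\r\n"


def eicar_bytes() -> bytes:
    """Return the exact test string (68 bytes)."""
    return EICAR


def is_eicar(data: bytes) -> bool:
    """True if data is a valid EICAR test file:
    - starts with the exact 68-byte string,
    - anything after it is whitespace only,
    - total length is at most 128 bytes."""
    if len(data) < len(EICAR) or len(data) > EICAR_MAX_LEN:
        return False
    if data[: len(EICAR)] != EICAR:
        return False
    # 'int in bytes' checks membership of a byte value in the set of allowed ones
    return all(b in TRAILING_WHITESPACE for b in data[len(EICAR):])


def write_eicar(path: str) -> int:
    """Write the test file to 'path' and return the byte count written.
    Real-time scanners commonly react the moment the file is written,
    which is exactly the alert you want to become familiar with."""
    with open(path, "wb") as f:
        return f.write(EICAR)


def check_file(path: str) -> bool:
    """Read a file back and report whether it is a proper EICAR test file."""
    with open(path, "rb") as f:
        return is_eicar(f.read())


if __name__ == "__main__":
    # Hypothetical filename; the .com extension matches what EICAR suggests.
    target = sys.argv[1] if len(sys.argv) > 1 else "eicar.com"
    written = write_eicar(target)
    print(f"wrote {written} bytes to {target}; valid EICAR file: {check_file(target)}")
```

run it, then scan the resulting file with your own anti-virus (or just watch what the real-time scanner does when the file appears) and note the window, the wording and the product name on the alert... delete the file afterwards so it doesn't keep tripping scans... the `is_eicar` check is there so you can tell a genuine test file from a corrupted download: a scanner that is doing its job will alert on the former and quite possibly ignore the latter...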
