Ad-based malware IS everywhere

Status
Not open for further replies.

gangrel

Distinguished
Jun 4, 2012
So I'm just doing this and that, when Bitdefender pops up with a message saying an infected web resource was detected (and blocked). Hmmm...

I wasn't actively browsing at the time, so it wasn't a page I'd opened. Browser 1 has 4 pages open...Google Drive, Google Sheets for 2 files, and 7zip. None of these have any other elements. Browser 2...2 GMail tabs. One to a forum that has no ads. One to a web comic that doesn't stream ads. 3 others...Tom's home page, and 2 to Food Network. These DO stream ads.

It certainly appears that it was one of these two sites. And these sites are just about as reputable and mainstream as you can get. Nor am I criticizing the sites at all. The takeaway is: DON'T assume any more that ANY web site that serves ads is safe. It is NOT enough to stay on the straight and narrow. Scanning for malware and viruses post facto is too late; we had a spate of people asking for help in removing malvertising infections; those can be VERY hard to eliminate, as they hide really well.

Real-time protection is essential.

itmoba

Reputable
Aug 14, 2015
You've pretty much hit the nail on this one dead straight. Personally, whenever I need to conduct business that's security sensitive (e.g., checking my bank account online) I use a VM guest of a customized live-distribution to make sure that nothing gets saved. On host browsers, I disable JavaScript, Adobe Flash, Microsoft Silverlight, and Java (whether it's OpenJDK or Oracle JDK depends on what I'm developing). I also run Adblock+, Ghostery, and NoScript (or ScriptBlock, depending on the browser). Of course, there are other settings I've enabled or disabled, but I won't go into it here. I've also purposefully disabled my webcam and microphone (i.e., permissions modification of the kext or its temporary removal).

Is this kind of setup overkill? Yes -- maybe, for most people, but not for me. Personally, I do whatever steps I can to ensure my privacy and security, so I don't care about others' opinions about its austerity (that is to say, not unless it's lacking -- those comments I welcome with open arms). One of the best steps that can be taken, I think, when it comes to installing software is to check the SHA hash and compare it to the one provided by the software developer. Sadly, as you said, people catch the problem too late. Still, the truth of the matter is that many of the problems expressed and encountered could've been averted if people exercised better judgment. Oh well, as Ned from Southwark would say, "mmm, better luck next time."
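The hash check itmoba recommends, as an added example that is not part of the post above: it streams a downloaded installer through SHA-256 and compares the result against a sha256sum-style checksum file the developer publishes, rejecting malformed digests and using a constant-time comparison. The checksum line, file name and file contents are constructed for the example; SHA-256("abc") is a standard test vector.

```python
import hashlib
import hmac
import re
import tempfile

HEX64 = re.compile(r"^[0-9a-f]{64}$")

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-GB installer is never loaded into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sums(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed checksum line: %r" % line)
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if not HEX64.match(digest):
            raise ValueError("not a SHA-256 hex digest: %r" % digest)
        expected[name] = digest
    return expected

def verify_download(path, expected_hex):
    """True only if the file's SHA-256 equals the published digest (case-insensitive)."""
    expected_hex = expected_hex.strip().lower()
    if not HEX64.match(expected_hex):
        return False  # a truncated or garbage digest must never pass
    # compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(sha256_file(path), expected_hex)

def write_temp(data):
    # Constructed stand-in for a downloaded file (demo helper only)
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        return f.name

if __name__ == "__main__":
    sums = parse_sums("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  installer.bin\n")
    print(verify_download(write_temp(b"abc"), sums["installer.bin"]))  # True
    print(verify_download(write_temp(b"abd"), sums["installer.bin"]))  # False
```

The check only helps if the published digest comes from a channel the attacker cannot also alter (the developer's own HTTPS page or a signed release file), not from the same download mirror.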

gangrel

Distinguished
Jun 4, 2012
I've got Flashcontrol to block Flash, and yes, most of my browsing is done within a VM...this also should make cleanup, should something bad happen, nothing more than building a new VM at most. But that's something of a PITA, and not necessarily a step just anyone can do. Everyone SHOULD have AV installed...one does see people asking for help to remove a virus, who didn't. I'm almost tempted to say, well what did you expect? And others that 'rely' on MSE and Windows Defender...showing that Defender IS probably worse than nothing at all. It wasn't all that long ago that a decent anti-virus program was enough...with Malwarebytes and other tools perhaps as a backup plan. Those days are over.

itmoba

Reputable
Aug 14, 2015
When the Melissa virus came out in 1999, I remember writing a patch to fix one of its variants in 2000. I purposefully infected a computer I had at home running Windows 2000 Server edition to figure out how to fight the damn piece of software. Suffice it to say, McAfee wasn't even courteous enough to give me credit -- nor did they give me credit for another fix I gave them for the ILOVEYOU worm. Oh well, screw them.

Anyway, I agree with you that Windows Defender is a piece of @!#$. Truthfully, I think that it's about as worthless as Windows ME (probably the worst widely distributed OS ever created). Sadly, while the number of tools to counter malware has exploded, none of them are even close to a distant cousin of a panacea.