avg – Grey Panthers Savannah https://grey-panther.net

What is a perimeter weakening malware?
https://grey-panther.net/2008/12/what-is-a-perimeter-weakening-malware.html
Mon, 01 Dec 2008 18:23:00 +0000

I’ve seen this idea floating around the Internet for some time and I thought I’d document it for future reference:

A perimeter weakening malware is a program (script, macro, etc) which “lowers the defenses” of a computer (stops AV software, disables the firewall, creates an Administrator account with a certain password, etc) after which it deletes itself. The idea is that this creates an opportunity for the attacker to later come in and take over the system with standard tools (RDP, PSExec, etc).

To be clear: as far as I know this is just a concept; it hasn’t been used in any malware I’ve seen. Many of them do try to do something similar, but it is mostly an attempt to disable security software so that they can remain on the system longer. The difference is that a PWM doesn’t necessarily need to be written to disk (the moment at which on-access scanners verify files). It can be part of an exploit which runs from memory, does its thing and disappears.

The danger: black/white-listing solutions most probably won’t pick up on this. After all, the concept of “executable code” is so blurry that most solutions only cover ~95% of it (which doesn’t sound bad, but still leaves a lot of possibilities open). Scanning every memory page on every executed instruction is one possibility, however currently nobody does that (AFAIK) because of the performance impact…

The solution is – you’ve guessed it – multiple layers of defense (I’m talking about companies here). Have your security suite, but also monitor the traffic and make sure that users don’t run as Administrator (sidenote: I was recently on a computer which used AVG 7.5 and was very pleased to find that it didn’t allow changing the settings from a limited account). Have policies which describe the accepted configuration of the machines and monitor it (Tenable Security seems to have some version of this built into Nessus – disclaimer: I have no relationship with them whatsoever; I have never even used Nessus :-)).
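The advice in the last paragraph, describe the accepted configuration and monitor it, amounts in code to a baseline comparison. The block below is an added example in Python (mine, not code from the post, from AVG or from Tenable). It assumes that some agent or script has already collected a host’s defensive settings into a dict; how that snapshot is collected is left out. It compares the snapshot against a constructed baseline and, separately from ordinary single-setting drift, flags the pattern the post describes: several defensive controls lowered at once. All account names, keys and values are constructed.

```python
"""Configuration-drift check for the perimeter-weakening scenario.

Added example, not code from the original post. It assumes a host
snapshot has already been collected into a dict by some agent or
script; how that snapshot is collected is out of scope here. The
baseline and the two snapshots below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

# The accepted configuration that a policy describes (constructed).
BASELINE: dict[str, Any] = {
    "firewall_enabled": True,
    "av_service_state": "running",      # resident / on-access scanner service
    "av_realtime_enabled": True,
    "local_admins": {"Administrator", "helpdesk"},   # constructed account names
    "rdp_enabled": False,
}

# Controls whose weakening is what the post calls "lowering the defenses".
DEFENSIVE_CONTROLS = frozenset(BASELINE)


@dataclass
class Finding:
    key: str
    expected: Any
    observed: Any
    severity: str   # "high" for a weakened control, "medium" otherwise


def compare_snapshot(snapshot: dict[str, Any],
                     baseline: dict[str, Any] = BASELINE) -> list[Finding]:
    """Return every deviation of `snapshot` from `baseline`.

    Set-valued keys (group memberships) are compared as sets, so a new
    account added to Administrators is reported even when every baseline
    member is still present.
    """
    findings: list[Finding] = []
    for key, expected in baseline.items():
        if key not in snapshot:
            # A control the agent could not read is itself worth a look.
            findings.append(Finding(key, expected, None, "medium"))
            continue
        observed = snapshot[key]
        if isinstance(expected, set):
            added = sorted(set(observed) - expected)
            removed = sorted(expected - set(observed))
            if added or removed:
                findings.append(Finding(key, sorted(expected),
                                        {"added": added, "removed": removed},
                                        "high" if added else "medium"))
        elif observed != expected:
            findings.append(Finding(key, expected, observed, "high"))
    return findings


def looks_like_perimeter_weakening(findings: list[Finding]) -> bool:
    """Heuristic from the post: several defensive controls flipped in one
    snapshot (firewall off, AV stopped, new admin, RDP on) is the PWM
    pattern, as opposed to a single drifted setting."""
    weakened = {f.key for f in findings if f.severity == "high"}
    return len(weakened & DEFENSIVE_CONTROLS) >= 2


# Constructed snapshots: one compliant host, one after a PWM-style run.
HEALTHY_SNAPSHOT = {
    "firewall_enabled": True,
    "av_service_state": "running",
    "av_realtime_enabled": True,
    "local_admins": {"Administrator", "helpdesk"},
    "rdp_enabled": False,
}
WEAKENED_SNAPSHOT = {
    "firewall_enabled": False,
    "av_service_state": "stopped",
    "av_realtime_enabled": True,
    "local_admins": {"Administrator", "helpdesk", "svc_backup"},  # new account
    "rdp_enabled": True,
}


def report(snapshot: dict[str, Any]) -> str:
    """Human-readable summary: one line per finding, then the verdict."""
    findings = compare_snapshot(snapshot)
    lines = [f"{f.severity:6} {f.key}: expected {f.expected!r}, got {f.observed!r}"
             for f in findings]
    if looks_like_perimeter_weakening(findings):
        verdict = "PERIMETER WEAKENING SUSPECTED"
    else:
        verdict = "compliant" if not findings else "drift only"
    return "\n".join(lines + [verdict])


if __name__ == "__main__":
    print(report(HEALTHY_SNAPSHOT))
    print(report(WEAKENED_SNAPSHOT))
```

The point of separating `compare_snapshot` from `looks_like_perimeter_weakening` is that a single drifted setting is routine and goes to the usual drift queue, while two or more lowered controls in the same snapshot is the signal the post is worried about, and one that neither a file-based scanner nor a whitelist would ever see, because nothing was left on disk to scan.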

The cost of freeware
https://grey-panther.net/2008/10/the-cost-of-freeware.html
Sun, 12 Oct 2008 07:58:00 +0000

I saw this link on the anti-virus rants blog: Catalyst Conversation Starter: The High Cost of “Freeware”. Given that I’ve just posted two tutorials on how to install and configure anti-virus software that is free for home use, I wanted to share my experience:

One of the products the paper specifically mentions is AVG. I’ve been recommending, installing and maintaining the free version of AVG on several computers for friends, relatives and family. In this entire time the only advertisement I’ve seen was in the AVG 8 control center. No popups, no messages, no nothing. Now, your mileage might vary, but I’ve been very satisfied with AVG (for example, some time back I tried a free version of AntiVir, which tried to upsell me at every update). Also, in my opinion, it’s not the “software” which matters the most, but the configuration settings you use. I’ve seen well-configured free products be very light and useful, and poorly configured commercial packages eat up 100% of the system resources on a quad-core machine while blocking access to the network and not giving any information about it.

My end conclusion would be: the most important thing is not what you use, but how you use it.

Installing AVG 8
https://grey-panther.net/2008/10/installing-avg-8.html
Sat, 11 Oct 2008 15:49:00 +0000

The premise of this tutorial is that you wish to install AVG for home use (because the free license covers only that) for a friend, relative, parent, etc., and the person you are installing it for is not a power user. In fact these two posts (Installing AVG and Installing Avast) are an extension to my Windows XP High-Security Configuration post, which needed updating because in the meantime AVG 8 came out. Credit goes to the GSD blog for writing a detailed article about AVG 8, following up with another one and showing how to manually update AVG 7.5 installations (because it is unclear at this moment how long Grisoft will support the older version with automatic updates).

The steps to installation are:

Download the install kit from the AVG website. Read the wording carefully: the download takes several steps, and along the way they will try several times to upsell you. This is not necessarily a bad thing (after all, they are giving away a product for free).

If you use Internet Explorer, you might have to explicitly authorize the download (by clicking on the yellow bar that appears on the top).

Choose to save the file (don’t run it at this point!). The following step assumes that you’ve saved the file on your Desktop.

Now that you have it saved on your desktop, launch a command shell (go to Start -> Run and type cmd), change to the directory where you’ve downloaded the file (usually this means typing “cd Desktop”) and launch the install kit with the following parameters:

/REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch

The easiest way to do this is to start typing the name of the install kit (avg_), then press the Tab key, which should auto-complete the rest. Then copy the command line parameters above, right-click on the shell window and select Paste. Alternatively, here is the official FAQ entry. The setup might ask you to close some programs (mainly browsers) before continuing, so be prepared to do so.

Now choose the Custom install option.

And deselect the LinkScanner option. You could also deselect the Email scanner option if you are not expecting “traditional” email clients to be used (if, for example, the user(s) only use web-based email like Gmail, Hotmail, Yahoo mail, etc.).

Disable the daily scanning and finish the setup.

Now all that remains to be done is some final tweaking of the settings: open the AVG control center and go to Tools -> Advanced Settings.

Change the settings so that updates which require a reboot are only applied at the next reboot and the user is not nagged about them. This is usually more convenient (and less confusing); however, it may not be appropriate in cases where the computer is not rebooted for long periods (this includes laptops which are never rebooted, only hibernated or put into sleep mode).

Finally, you might want to set the “Autoheal” option to avoid bothering the user.

To sum it up:

  1. Download the install kit from the AVG website.
  2. Save the install kit.
  3. Run the setup with the switches /REMOVE_FEATURE fea_AVG_SafeSurf /REMOVE_FEATURE fea_AVG_SafeSearch
  4. Choose “Custom install”.
  5. Deselect “LinkScanner”. Also deselect “E-Mail Scanner”, unless you use a dedicated email client (like Outlook or Thunderbird).
  6. Disable the daily scanning.
  7. Finish the setup.
  8. Launch the AVG Control Center and go to Tools -> Advanced Settings -> Update and select “Complete at next computer start”.
  9. You might also want to check “Resident Shield” -> Autoheal to keep things simpler.