Microsoft Updates The Free Security Essentials Antivirus

According to Neowin, Microsoft has released a new version of Microsoft Security Essentials (MSE), their free antivirus protection for PCs.  It supports:

  • Windows XP Service Pack 3 (SP3)
  • Windows Vista (Service Pack 1, or Service Pack 2)
  • Windows 7

Yes, Windows XP and Windows Vista are both still supported for this new development, even though they are both in extended support.  You can understand this exception when you consider the reason for MSE’s existence.  It exists to help prevent the spread of malware on PCs that otherwise would not be protected:

  • People who get free 90 days of AV with an OEM PC but never buy the subscription
  • People who can’t afford to or won’t buy AV

One of the best stories we have of MSE locally was when we did a community launch event for Windows 7 in Belfast.  We talked about MSE and how it could help defend against Conficker, which was all the rage with unpatched PCs at the time (and unfortunately still is thanks to negligent [IMO] admins/managers).  Irish DPE, Dave Northey, saw that a photographer was taking photos on behalf of the venue and asked for a copy of some of the photos.  The photographer came over at the end of the event with a USB stick.  Dave joked that he hoped that Conficker wasn’t on the stick – MSE was on Dave’s laptop and screamed about finding Conficker on the photographer’s USB device.

You might ask about support for Windows 8.  Good question.  Windows 8 comes with Defender built in (more later).  Defender in Windows 8 is not the Defender of old.  It actually is anti-spyware and antivirus, meaning that you don’t need to download/install MSE on it.

Built-in AV, eh?  Imagine what Symantec’s lawyers, the EU, and so on will think of that!  Many of us are presented with a browser chooser when we set up Windows 7 for the first time.  I wouldn’t be surprised if we see something similar for AV.  Personally, I’d stick with Windows 8 Defender, but there’s nothing to stop you from choosing an alternative.  I wouldn’t be surprised if OEMs continue to ship subsidised trial copies of AV and retail stores continue to push AV boxes on customers with their PC/laptop/tablet purchase.  You still have a choice, but at least with Windows 8, you have protection by default.

Adobe Acrobat Update Service And Adobe Flash Player Update Service, You Gotta Be Kidding Me!

When you did the recent update for Adobe products, did you require a reboot?  Wonder why? 

[Image: the two Adobe update services on the author’s work PC]

Look what’s turned up on my PC at work!  I’ve now got two services for updating a minor utility and a plugin that I cannot wait for HTML5 to kill off.

Think about it: Adobe is one of the most attacked software vendors out there, and probably their products are the ones that I update most often on my own and work machines.  Why the hell would I trust them to run a service on my computer?  Hackers must love the presence of these services.

I have uninstalled Adobe Reader (removed the Adobe Acrobat Update Service) from my work computer and switched to Foxit, a product that understands that it is a minor utility.  I’ve also disabled the Adobe Flash Player Update Service.

BTW, we don’t need an Adobe update service at work – we’ve been pushing out Adobe updates via System Center.
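If you want to do the same thing on a few machines without clicking through services.msc, here is a PowerShell script I have added as an example (it is not from the original post and not an Adobe tool).  It finds the two services by the display names quoted above, records what each one runs, as whom, and how it starts, and only then stops and disables them.  The service names are read from the machine at run time rather than assumed, and the log path is just a choice for the example.

```powershell
# Added example, not from the original post. Finds the Adobe update services by the
# display names used in the post, records their configuration, then stops and disables
# them. Run from an elevated PowerShell prompt.

$adobeUpdateServices = @('Adobe Acrobat Update Service', 'Adobe Flash Player Update Service')

function Get-ServiceInventory {
    # One record per matching service: binary, account, start mode and current state.
    param([string[]]$DisplayName)
    foreach ($name in $DisplayName) {
        $svc = Get-Service | Where-Object { $_.DisplayName -eq $name }
        if (-not $svc) { continue }   # not installed on this machine
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
        New-Object PSObject -Property @{
            DisplayName = $svc.DisplayName
            Name        = $svc.Name
            Status      = $svc.Status
            StartMode   = $wmi.StartMode
            RunsAs      = $wmi.StartName   # LocalSystem means a bug here is a bug with full rights
            BinaryPath  = $wmi.PathName
        }
    }
}

function Disable-UpdateService {
    # Logs the "before" state to CSV (so the change is documented and reversible),
    # then stops and disables each service and returns the "after" state.
    param(
        [string[]]$DisplayName,
        [string]$LogPath = "$env:TEMP\service-changes-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
    )
    $before = Get-ServiceInventory -DisplayName $DisplayName
    $before | Export-Csv -Path $LogPath -NoTypeInformation
    foreach ($svc in $before) {
        if ($svc.Status -eq 'Running') { Stop-Service -Name $svc.Name -Force }
        Set-Service -Name $svc.Name -StartupType Disabled
    }
    Get-ServiceInventory -DisplayName $DisplayName
}

# Look before you leap: see what is installed and what account it runs under.
Get-ServiceInventory -DisplayName $adobeUpdateServices |
    Format-Table DisplayName, StartMode, RunsAs, BinaryPath -AutoSize

# Then disable both and show the result.
Disable-UpdateService -DisplayName $adobeUpdateServices |
    Format-Table DisplayName, Status, StartMode -AutoSize
```

The CSV the script writes is the record you need if someone later asks why updates stopped arriving: `Set-Service -StartupType Automatic` against the names in that file puts things back.  If, like us, you push Adobe updates with System Center, the services are redundant anyway; if you don’t, disabling them means you have taken on the job of patching Adobe some other way.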


Deploy The MS12-020 Security Fix Or Face The Consequences

Security experts are urging people to deploy MS12-020, a security hotfix that was released this week. 

This security update resolves two privately reported vulnerabilities in the Remote Desktop Protocol. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system.

This is the sort of vulnerability that will be seized upon very quickly by hackers because RDP is typically enabled on high value assets – servers.  Deploy or be shamed like those who are still being hammered by Conficker.  In my opinion, it is professional negligence not to get patched for something like this.  BTW, I’ve read that people expect scripted attacks for this vulnerability within 30 days.  You have been warned!
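To find out which of your servers are both unpatched and listening for RDP (the ones to fix first), here is a PowerShell check I have added as an example; it is not from the original post.  It reports, per computer, whether a given hotfix is installed and whether Remote Desktop is enabled.  The `KB0000000` value is a placeholder: substitute the KB number from the MS12-020 bulletin, which the post does not give.  The remote registry read assumes the Remote Registry service is running on the targets.

```powershell
# Added example, not from the original post. For each server, reports whether the
# MS12-020 hotfix is installed and whether Remote Desktop is enabled, so unpatched
# RDP hosts go to the top of the deployment list. KB0000000 is a placeholder.

function Get-RdpPatchExposure {
    param(
        [Parameter(Mandatory = $true)][string]$KbId,
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    foreach ($computer in $ComputerName) {
        # Get-HotFix reads Win32_QuickFixEngineering; no match means the fix is not installed.
        $patched = [bool](Get-HotFix -Id $KbId -ComputerName $computer -ErrorAction SilentlyContinue)

        # fDenyTSConnections = 0 means Remote Desktop connections are accepted.
        # Reading it remotely needs the Remote Registry service on the target.
        $rdpEnabled = $null
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server')
            if ($key) { $rdpEnabled = ($key.GetValue('fDenyTSConnections') -eq 0) }
        } catch {
            $rdpEnabled = $null   # unreachable or Remote Registry off: report as unknown
        }

        $priority = if ($patched) { '4-Patched' }
                    elseif ($rdpEnabled -eq $true)  { '1-Urgent (unpatched, RDP enabled)' }
                    elseif ($rdpEnabled -eq $false) { '2-High (unpatched, RDP off)' }
                    else                            { '3-Unknown (unpatched, RDP state unreadable)' }

        New-Object PSObject -Property @{
            Computer   = $computer
            Patched    = $patched
            RdpEnabled = $rdpEnabled
            Priority   = $priority
        }
    }
}

# Example run against a list of servers kept in servers.txt (one name per line).
Get-RdpPatchExposure -KbId 'KB0000000' -ComputerName (Get-Content .\servers.txt) |
    Sort-Object Priority |
    Format-Table Computer, Patched, RdpEnabled, Priority -AutoSize
```

The list this produces is the same thing a ConfigMgr or WSUS compliance report gives you; the point of the script is that it also tells you which unpatched boxes actually have RDP switched on, and those are the ones that cannot wait for the next maintenance window.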


Microsoft Issues Duqu Workaround (MSA 2639658/CVE-2011-3402)

In the last couple of weeks we’ve heard quite a bit about the alleged “Stuxnet” variant called Duqu.  This Trojan uses a zero-day vulnerability that exploits the TrueType font parsing engine.  The Trojan replicates itself, does whatever it does (still not entirely clear), and removes itself after 36 days to avoid detection.  That last bit is sneaky; it could steal passwords or certs, high-tail it before the heat arrives, and you’d never know to reset anything that was stolen.  Very clever!

While Microsoft are working on a hotfix, they have issued an advisory that contains a workaround to prevent infection.  The actions depend on your operating system, but revolve around changing the permissions of t2embed.dll.

I’ve become very hesitant of these workarounds.  A few months ago I worked on a site that had no choice but to deploy such a workaround for Conficker.

I was installing a ConfigMgr 2007 R3 site server.  I installed ConfigMgr and checked the health of the system (it’s easy to miss a pre-req and get some sort of error).  Then I got the strangest error that I had never seen before; the management point role would not install.  What normally happens is the site server is installed (not far from next-next-next), and then a number of default roles install automatically.  The management point is usually painless.  I googled, binged, you name it, and had no joy.  A day later and 2 things gave me the solution:

  1. I had been told of the Conficker infection and clean up job that was done
  2. I found an obscure post with a similar error that pointed to a system registry key permissions issue.

1 + 1 and I verified this key was a part of the Microsoft Conficker workaround advisory.  Now, I needed to find how this was deployed.  GPMC made it easy to find the GPO that was responsible.  Permission changes via GPO are tattooed, so I reversed the edits (AV was up to date).  I forced the policy refresh on the site server, reran the ConfigMgr install, and the Management Point installed.  Luckily the customer had used a GPO, which made this workaround very easy to deploy for them, and to identify and reverse for me.

By the way, part of the change was changing permissions of scheduled tasks.  It turns out that backup jobs hadn’t been running correctly for a while.

So the lesson is:

  • When there is a zero-day exploit, Microsoft can issue workarounds to prevent infection.
  • Sometimes treatment for an illness can do quite a lot of damage to the patient.  Understand what you are doing and document/communicate it.
  • If at all possible, do what my customer did.  Use a GPO because it is (a) fast to deploy and (b) fast to reverse once the long term defences (patch/AV) are deployed.  And that means impacted systems can be put back to rights.

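Here is a small PowerShell script I have added as an example of the “document it so you can reverse it” lesson; it is not from the original post or from any Microsoft advisory.  Before a permissions workaround is applied (by GPO or by hand), it records the current security descriptor of each file or registry key as an SDDL string; afterwards it can show which ones have changed and put them back exactly.  The target paths are assumptions for illustration (the post only names t2embed.dll), and restoring an owner such as TrustedInstaller needs an elevated prompt.

```powershell
# Added example, not from the original post. Records the current security descriptor
# (as SDDL) of each file or registry key a workaround will touch, so the change is
# documented and can be reversed exactly once the real fix (patch/AV) is deployed.
# The paths used below are assumptions, not the contents of any Microsoft advisory.

function Save-AclSnapshot {
    param(
        [Parameter(Mandatory = $true)][string[]]$Path,   # file paths or HKLM:\... registry paths
        [Parameter(Mandatory = $true)][string]$SnapshotFile,
        [string]$Note = ''
    )
    $records = foreach ($p in $Path) {
        if (-not (Test-Path -Path $p)) { Write-Warning "Skipping missing path: $p"; continue }
        $acl = Get-Acl -Path $p
        New-Object PSObject -Property @{
            Path  = $p
            Owner = $acl.Owner
            Sddl  = $acl.Sddl              # owner, group and DACL in one string
            Taken = (Get-Date).ToString('s')
            Note  = $Note
        }
    }
    $records | Export-Csv -Path $SnapshotFile -NoTypeInformation
    $records
}

function Compare-AclSnapshot {
    # Shows which paths no longer match the snapshot (e.g. after the GPO has applied).
    param([Parameter(Mandatory = $true)][string]$SnapshotFile)
    foreach ($rec in Import-Csv -Path $SnapshotFile) {
        $current = (Get-Acl -Path $rec.Path).Sddl
        New-Object PSObject -Property @{
            Path    = $rec.Path
            Changed = ($current -ne $rec.Sddl)
        }
    }
}

function Restore-AclSnapshot {
    # Re-applies the recorded descriptor. Needed because GPO permission changes are
    # tattooed: removing the setting from the GPO does not undo it on the machine.
    param([Parameter(Mandatory = $true)][string]$SnapshotFile)
    foreach ($rec in Import-Csv -Path $SnapshotFile) {
        $acl = Get-Acl -Path $rec.Path          # live FileSecurity / RegistrySecurity object
        $acl.SetSecurityDescriptorSddlForm($rec.Sddl)
        Set-Acl -Path $rec.Path -AclObject $acl
        Write-Output ("Restored {0}" -f $rec.Path)
    }
}

# Assumed targets: the font-engine DLL named in the post plus an example registry key.
$targets  = @("$env:SystemRoot\System32\t2embed.dll", 'HKLM:\SOFTWARE\Example\WorkaroundKey')
$snapshot = 'C:\Temp\acl-before-workaround.csv'

Save-AclSnapshot -Path $targets -SnapshotFile $snapshot -Note 'Before Duqu workaround (MSA 2639658)'
# ... apply the workaround via GPO, then confirm it landed:
Compare-AclSnapshot -SnapshotFile $snapshot | Format-Table -AutoSize
# ... once the hotfix and AV signatures are deployed, undo the tattooed permissions:
Restore-AclSnapshot -SnapshotFile $snapshot
```

Keep the CSV with the change record for the GPO.  It is the difference between “reverse the edits in five minutes” and “a day of googling a ConfigMgr error that turns out to be last quarter’s workaround”, and it is a cheap way to notice side effects like the scheduled-task permissions that broke the backups above.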

I Hope You Patch Adobe Products Like All The Others

Yesterday I quoted a Microsoft security report based on information they gather from numerous sources:

“Detections of exploits targeting Adobe Flash, although uncommon in comparison to some other types of exploits, increased in 2Q11 to more than 40 times the volume seen in 1Q11 … Two vulnerabilities accounted for the bulk of zero-day exploit activity … Both vulnerabilities affect Adobe Flash Player”.

In other words, hackers have found a new sweet spot.  Most (not all) companies have copped on when it comes to patching Microsoft products.  But:

  1. Other companies make software
  2. Pretty much all software has vulnerabilities
  3. Hackers aren’t stupid.  I’m reading a book called Kingpin and it illustrates how hackers will move from one attack vector to another to find a soft underbelly.  Adobe is that new point of attack.

And there is a high profile example of that.  The Inquirer website reports that (and there is no evidence because RSA have not publicly documented this):

“Criminals used a zero-day vulnerability in Adobe Flash player to penetrate RSA defences through an embedded Flash file in an Excel email attachment. A spear phishing attack, it targeted regular employees of RSA Security disguised as a recruitment form. It breached the RSA systems, even though it first went to Microsoft Outlook’s spam folder”.

OK, it was a zero day attack.  We know this was a very organised attack, possibly sponsored by a nation.  They found a hole in Flash (allegedly) that wasn’t yet reported and crafted an email attachment to attack it, knowing that the recipient would get stung by it, thus allowing the hacker to 0wn the PC.  Unlucky. 

But even if it wasn’t a zero day attack (we learned that less than 1% of attacks are zero day), would they have patched Adobe?  I bet the answer is no.  Most companies focus just on Microsoft software.  Adobe products do automatically prompt for upgrades, but they are seriously click heavy and frequent, so most people probably disable the auto-check for upgrades, and the PCs probably go years without updating.  And that leaves those PCs vulnerable to:

  • Drive by attacks where a user navigates to an innocent website that has either been hacked (malware uploaded) or has a compromised advert that is hosted elsewhere.
  • When a user reads a document/email with a crafted attachment for attacking an Adobe product vulnerability.

In other words, patch Adobe products too, and not just Microsoft ones.  Unfortunately, that isn’t too easy (or supported) in WSUS.  However, you can do it using System Center Essentials (that’s what we use in our office) or System Center Configuration Manager.

Interesting Analysis on Patching and Attacks

Microsoft produces a document called the Security Intelligence Report on a regular basis.  Some of it hit the news today so I decided to take a peek.  The report doesn’t restrict itself to exploits of Microsoft products and is based on data that they gather from a number of sources.

“In this supplemental analysis, zero-day exploitation accounted for about 0.12 percent of all exploit activity in 1H11, reaching a peak of 0.37 percent in June”.

OK, so that tells us that the vast majority of exploits take advantage of old vulnerabilities that have had patches available previously.

“Of the attacks attributed to exploits in the 1H11 MSRT data, less than half of them targeted vulnerabilities disclosed within the previous year, and none targeted vulnerabilities that were zero-day during the first half of 2011”.

People aren’t patching like they should be. That explains this:

Conficker is still (STILL!!!!) the leading infection on domain joined computers. Seriously!?!?!? It is not in the top 10 of non-domain joined PCs.

And it explains this:

“Exploits that target CVE-2010-2568, a vulnerability in Windows Shell, increased significantly in 2Q11, and were responsible for the entire 2Q11 increase in operating system exploits. The vulnerability was first discovered being used by the family Win32/Stuxnet in mid-2010”.

This report covers up to H2 2011 and MS10-046 is still being exploited because people haven’t deployed the patch.

“Detections of exploits targeting Adobe Flash, although uncommon in comparison to some other types of exploits, increased in 2Q11 to more than 40 times the volume seen in 1Q11 … Two vulnerabilities accounted for the bulk of zero-day exploit activity … Both vulnerabilities affect Adobe Flash Player”.

Adobe Flash is one of those products that is constantly badgering me to get updated at home.  I leave this turned on because Flash is a real target for attackers. 

“The most commonly observed types of exploits in 1H11 were those targeting vulnerabilities in the Oracle (formerly Sun) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK). Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters”.

Other products like Java and Adobe Reader are nice targets too because they have vulnerabilities and are rarely patched.  At work, we patch the Adobe products via System Center Essentials.  You can also use ConfigMgr 2007 to do this.

“As in previous periods, infection rates for more recently released operating systems and service packs are consistently lower than earlier ones, for both client and server platforms. Windows 7 and Windows Server 2008 R2, the most recently released Windows client and server versions, respectively, have the lowest infection rates”.

A) Newer products always do more under the hood to protect themselves.  B) Newer home PCs will have current AV.  C) Newer business deployments will have had a fresh installation of patching/security systems that some more mature environments have lacked, e.g. lack of WSUS, etc.

Interestingly, in the regional analysis, Italy appears to lead the pack at minimizing most malware infections (congrats!) but is second worst when it comes to adware infections (boo!). 

Don’t be so quick to blame Microsoft: 44.8% of exploits are because of the weakness that is found between the keyboard and the chair, where the user is handing over some piece of information or OK-ing something bad. 

Drive by attack download sites (innocent web sites that have been compromised, e.g. adspace that was sold and contains a Flash exploit) are on the rise.

There’s a lot of good info in the Security Intelligence Report.  You should give it a read if considering the security of your business.

Using RSA Security Tokens for VPN, etc?

Then get them replaced now.  RSA were hacked and lost control over their master keys.  This has led to hacks against RSA customers – confirmed by RSA in an open letter to their customers.

I’ve never been keen on the concept of RSA tokens.  Now we learn that they stored the master keys live on the network with a route to the net by the looks of it!!!! Even the most basic certification training course on CA admin will teach you to use an offline root CA.


How HM Treasury Was Allegedly Attacked & How to Defend Against It

I was listening to The Guardian’s Tech Weekly podcast on the way into work this morning and they were discussing some of the recent announcements from the British government about the cyberwar research that the MoD/GCHQ is doing.  In the discussion they mentioned that there was a recent attempted attack on HM Treasury (department of finance), and that the attacks allegedly came in two forms:

  • Drive-by browsing: this is where a user innocently goes onto a legitimate website, but an outsourced advert uses a browser vulnerability to inject some software onto the user’s computer.
  • Malware attachments: Some piece of dodgy software is sent as a normal looking attachment in an email.  This file has some sort of built in attack, like a trojan downloader, and the PC becomes a bot (something the attacker can remotely control by commands that the downloader will pull down from a service or website running on the Internet).

I am not a security expert.  In fact, most of the self-proclaimed security experts that you meet are not security experts.  I have met real security experts.  They speak a whole other language that we IT Pros don’t understand.  I’ve also met “security experts” with their recently downloaded checklists who do more damage than good.  The good news is that there is lots that you can do to protect yourself from attacks such as the above.  The bad news is that there is no 100% perfect defence.  For example, antivirus scanners detect already known threats.  Someone has to get hit somewhere before a threat becomes known.  Let’s stay positive and see what could be done to protect against the above two attacks.

Defending Against Drive-By Browsing

Drive-by browsing has been around for some time.  I’ve attended presentations by Microsoft’s Roger Grimes (serious security dude), where he talked about the website of a certain conservative news broadcaster.  They sold advertising space on their website.  Other than the space, they had no control over content.  That was done by the online advertiser.  And they probably did more outsourcing or bidding.  Allegedly, browsing this website could cause you to become a victim of an attack that was built into one of these outsourced adverts.  You’d just browse the site and *BANG* your PC downloaded a trojan downloader.  In other words, it was 0wned.

The most basic defence against drive-by attacks is to keep your browser up to date with security fixes.  Don’t be a fanboy sheep: all browsers are vulnerable.  I remember listening to another podcast (TWiT Windows Weekly) a few months ago where they discussed how Safari took seconds to smash, and Chrome/IE lasted a bit longer but eventually gave in at some hack-athon.  Google and Microsoft are constantly releasing updates.  Google do it via new versions of Chrome.  Microsoft do it through security hotfixes.

If you run anything but the smallest business then you need to manage these updates.  This is one of IE’s strengths because it can be updated immediately (or after internal testing) via Windows Updates, WSUS, and System Center (Configuration Manager 2007 or System Center Essentials 2010).  There really is no excuse for a business not to be doing this, monitoring patch update levels, and remediating any deployment issues.

These adverts are effectively downloading a trojan installer.  A proxy malware scanner can help defend against this.  Forefront Threat Management Gateway (TMG) includes a Malware Inspection Filter, as do many other firewall and proxy products.  I’ve always liked the ISA (now TMG) family because they are AD integrated, and I can reuse security groups and user accounts for rules and exceptions.

Malware Attachment

The problem with email is that it is pretty open, and trusting.  If I know the name or IP address of your SMTP gateway then there’s nothing to stop me from creating a malformed email that appears to come from someone you know and trust, and attaching a piece of malware to do bad things to your PC (and then your network).

Last night I read about some executive of a large corporation who sent out a memo to all employees to instruct that they should confirm the source of all emails before opening them. That certainly is one way to prevent the opening of an attachment. I just wonder if this executive answered the 20,000+ phone calls from his employees when they called to confirm that he really sent that email. Let’s get real – people have jobs to do and they cannot spend 3/4 of the day calling people to see if so’n’so really sent an email. Why would we have email at all in that case?

Sure we can do a bit of user education.  I don’t need to open an attachment with a .EXE file extension.  I don’t need to read an email from the wife of some deposed king.  And I really don’t need pills for you-know-what.  Common sense education helps.  But as Steve Riley has said in presentations in the past: the vulnerability lies in the meat that sits between the chair and the keyboard.  If we cannot fix that, then maybe we need to wrap our email system in defences to counter those weaknesses.

Let’s start with the mail server.  Stick some malware scanning on there, like Forefront for Exchange (or another solution).  That will protect the server against external threats.  I know you’ll interject here with another suggestion (and I’ll get there).  Think about how IT is changing.  Consumerisation of IT has caused users to bring all sorts of devices onto our networks.  Lord knows what they connect to when they are not on our network.  And those same devices will be used to connect to the company’s mail services.  You need to protect the company’s email (and reputation) against those internal threats.

Next up is the online malware scanning service, such as Forefront Online Protection for Exchange (FOPE) or others.  The company’s MX record points to this, all incoming email is scanned for spam and malware, and then sent on to the company’s SMTP gateway.  You’re in complete control – you can even integrate the management of Forefront for Exchange with FOPE via a free (I believe) management console (it also can manage Forefront for SharePoint).  Now you can filter out the incoming rubbish before it gets to the company’s expensive Internet connection, and you have a layered defence.

Third Party Update Catalog

We aren’t finished yet.  Antivirus scanners are not perfect, especially when it comes to custom written or brand new threats.  The more serious attacks out there are not done by script kiddies in a basement; they’re done by organised crime, your competitors, and state agencies.  They have the time and money to create new programs to leverage discovered vulnerabilities.  For example, it’s one thing to scan for Conficker, it’s another thing to fix the vulnerability that it attacks so you can prevent anyone else from attacking it.

So you can use Windows Update, WSUS, ConfigMgr, or SCE to patch Windows.  Great!  The attachment that was used in the alleged attack on HM Treasury was allegedly based on an Adobe product.  How often do you see Adobe products looking to update themselves to fix some security issue?  It feels to me like it happens a few times a week.  I bet most of you, and your users, disable these annoying updates – and that’s what the attacker is betting on!  They can write a custom attack, build it into a PDF (or whatever), send it to a user in your organisation using a crafted email that appears innocent enough, it’ll sail through the scanners (because it is an unknown attack), the attachment is opened in a vulnerable reader, and *badda bing* the attacker now has control of a PC on your network.

*PANIC* This is where you uninstall Adobe Reader, Flash, etc, and use third party alternatives – not so fast, my friend! (Why do I keep quoting Lee Corso?).  Adobe products, like every other, have vulnerabilities.  If you think those other readers don’t then you’re fooling yourself.  If you’re a big enough target, then an attacker will figure out what third party reader you use via social engineering, and craft an attack for that.  With Adobe, you at least have a way to force updates for your users.

No, we cannot trust users to run Adobe updates by themselves, just like we cannot trust them to run Microsoft updates for themselves.  Adobe has created software update catalogues that we can use in System Center Configuration Manager (MSFT’s main way to adopt/control consumerisation of IT) and System Center Essentials.  This will allow you to centrally download, test, approve, and deploy updates to relevant machines in an automated, and scheduled manner, with deployment deadlines.  Now you can force those vulnerable PCs to update, and secure your network against those vulnerabilities.

Summary

With all this you get layered defences.  Is it 100% secure?  No.  Like I said, I’m honest enough to say that I’m not a security expert but I know that with the above systems, you could protect yourself against the same attack that allegedly targeted HM Treasury (based on the information that I heard this morning).  Combine this with protection for PCs, servers, SharePoint, Lync, and so on, and you’ll have a nice fortress.  You can’t rely on people to protect the castle, and that’s why you need an automated portcullis approach like this.  The responsibility then falls on you as the gatekeeper to ensure that the gate is built correctly.

Note: I don’t know why some people always assume that security should be any different for virtual machines (on any hypervisor).  The virtualised workloads still need the same levels of protection that their physical alternatives would.

CAO Calls in the Cops Over DDOS Attack

The Irish Independent is reporting that the CAO has called in the Gardaí (Irish police force) to investigate the repeat DDOS attacks.  Logs have been handed over.  The Gardaí actually don’t do any investigation; it’s done by one of the universities (UCD I think).  Maybe they should run Windows Server 2008 R2 for their web servers and add the beta of Dynamic IP Restrictions Extension for IIS.

CAO Website Hit by DDOS Attack Yesterday

Yesterday I talked briefly about the college course application process.  This is managed by a government organization called the CAO.  Students can find out about their college course offers via a website, or later via the post.

The website in question was a victim of a DDOS attack yesterday, the day the announcements were posted online. 

A DDOS (distributed denial of service) attack is a coordinated attack that makes use of compromised PCs from around the world.  These PCs are infected with trojan downloaders.  A DDOS client is downloaded and installed.  The DDOS client receives instructions from an IRC channel or a website on a regular basis.  The entire architecture is referred to as a botnet.  There are many such botnets in the world, some containing a few hundred machines, some a few thousand, some with hundreds of thousands of DDOS clients, and it’s rumoured that there are some with millions of machines under their control.

The owner of these botnets will sell their services or even access to parts of the botnet.  The botnets can be easy to use; there are even online videos to train you in the use of a simple GUI command console.

Together, even a few hundred bots (or DDOS clients) can fire an amazing amount of traffic at a web server or online presence.  These requests can be valid, or they can be simple TCP connect handshakes that aren’t completed by the client (SYN attack).  The recipient server or intermediary network appliances can be overwhelmed.  A TCP connect table can be filled, a CPU can be driven to 100% utilization, or a network connection can be filled.

The motive for an attack can be varied.  Sometimes it is a practice run: an attacker will go after a small target to verify the system works before hitting a bigger target.  It can be a case of blackmail.  An email will be received by the victim soon after the attack starts to demand payment to cease the attack.  Sometimes it is a case of someone getting their jollies for bragging rights, e.g. “I took down XYZ!!!” on some blackhat forum.  It can even be a case of corporate espionage (this does happen!).  And it can be political: Al Jazeera was allegedly hit not long after the George W. Bush & Tony Blair Iraq war.  There is talk of Georgia being hit during their troubles with Russia a few years ago.

A past customer of mine was once hit.  They were a small business.  It started on a Sunday with a SYN attack.  The web servers couldn’t deal with it.  We configured the network appliances to deal with it by reducing the TCP handshake timeout.  All was well for a few hours.  Then the attacker simply increased the size of the attack.  The network appliances were overwhelmed and we had to implement filters to block all attempts to reach the web servers.

This attack went after the URL of the website in question.  Changing the IP address of the server would make no difference (and it didn’t – the customer demanded it was done).  Changing the location of the server would make no difference.  Distributing the website across servers in many locations might have worked for a while … until the DDOS attack grew in size once again.  The customer thought about buying a dedicated DDOS prevention appliance.  Nice idea but:

  1. They are not perfect.  They have false positives (blocking legitimate connections and losing online customers) and they also allow a certain amount of attack traffic through.
  2. The appliance will start out by handling the attack.  This requires network, memory, and CPU resources.  The attacker can simply grow the attack with a few mouse clicks and the spend of a few Euros or Roubles.  This will cause one of those resources to become a bottleneck and the website is offline once again.

These _very_ expensive appliances cannot grow to match the capabilities of a DDOS attack at the same pace or even the same price.
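To make the SYN attack and the timeout change above concrete, here is a PowerShell script I have added as an example (it is not from the original post and not from any appliance vendor).  It parses `netstat -n -p tcp` style output, counts half-open (SYN_RECEIVED) connections per local port and how many distinct sources they come from, and then works through the arithmetic of why shrinking the handshake timeout helps for a while and why the attacker wins by simply adding bots.  The sample netstat lines, the table size, and the timeout values are all constructed for the example.

```powershell
# Added example, not from the original post. Summarises half-open TCP connections from
# `netstat -n -p tcp` output (what a SYN flood looks like from the victim's side) and
# shows the capacity arithmetic behind "reduce the TCP handshake timeout".

function ConvertFrom-NetstatLine {
    # Parses one netstat line into addresses, ports and state; returns nothing for other lines.
    param([string]$Line)
    if ($Line -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$') {
        New-Object PSObject -Property @{
            LocalAddress  = $matches[1]; LocalPort  = [int]$matches[2]
            RemoteAddress = $matches[3]; RemotePort = [int]$matches[4]
            State         = $matches[5]
        }
    }
}

function Get-HalfOpenSummary {
    # Groups SYN_RECEIVED entries per local port. Many distinct sources all parked at
    # SYN_RECEIVED on one port is the signature of a distributed SYN flood.
    param([string[]]$Lines, [int]$Threshold = 100)
    $halfOpen = $Lines |
        ForEach-Object { ConvertFrom-NetstatLine -Line $_ } |
        Where-Object { $_ -and $_.State -eq 'SYN_RECEIVED' }
    $halfOpen | Group-Object -Property LocalPort | ForEach-Object {
        $sources = @($_.Group | Select-Object -ExpandProperty RemoteAddress -Unique)
        New-Object PSObject -Property @{
            LocalPort       = $_.Name
            HalfOpen        = $_.Count
            DistinctSources = $sources.Count
            Suspect         = ($_.Count -ge $Threshold)
        }
    }
}

function Get-SustainableSynRate {
    # A half-open table of $TableSize entries that each expire after $TimeoutSeconds can
    # absorb at most TableSize / TimeoutSeconds new SYNs per second before it fills.
    param([int]$TableSize, [double]$TimeoutSeconds)
    [math]::Floor($TableSize / $TimeoutSeconds)
}

# Constructed sample: six half-open connections to port 80 from six sources, two real sessions.
$sample = @(
    '  TCP    10.0.0.5:80     203.0.113.10:40001     SYN_RECEIVED',
    '  TCP    10.0.0.5:80     203.0.113.11:40002     SYN_RECEIVED',
    '  TCP    10.0.0.5:80     198.51.100.7:40003     SYN_RECEIVED',
    '  TCP    10.0.0.5:80     198.51.100.8:40004     SYN_RECEIVED',
    '  TCP    10.0.0.5:80     203.0.113.12:40005     SYN_RECEIVED',
    '  TCP    10.0.0.5:80     198.51.100.9:40006     SYN_RECEIVED',
    '  TCP    10.0.0.5:80     192.0.2.20:51000       ESTABLISHED',
    '  TCP    10.0.0.5:443    192.0.2.21:51001       ESTABLISHED'
)
Get-HalfOpenSummary -Lines $sample -Threshold 5 |
    Format-Table LocalPort, HalfOpen, DistinctSources, Suspect -AutoSize
# Live use on a suspect server:  Get-HalfOpenSummary -Lines (netstat -n -p tcp)

# The timeout trick from the story, with assumed numbers: cutting the handshake timeout
# from 21 s to 3 s lets the same 4096-entry table absorb about seven times the SYN rate ...
Get-SustainableSynRate -TableSize 4096 -TimeoutSeconds 21   # 195 SYNs per second
Get-SustainableSynRate -TableSize 4096 -TimeoutSeconds 3    # 1365 SYNs per second
# ... and the attacker only has to point seven times as many bots at you to fill it again.
```

Run the summary on a server that has “gone slow” and the output tells you whether you are looking at a connect-table flood (hundreds of half-open entries from hundreds of sources) or just a busy day (many ESTABLISHED, few SYN_RECEIVED).  The rate function is the whole argument in two lines: your defence is a fixed number divided by a timeout you can only shrink so far, while the attacker’s numerator is however many bots they care to rent.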

What hope is there?  Only the most serious of attacks will last more than 3 days.  I know, 3 days is an eternity in the online world.  There are certain *ahem* professionals out there who can trace the botnet coordinator and DDOS it.  That will terminate an attack.  You can pay the ransom … but that means the attacker knows you are desperate enough to pay.  Pay once and you might pay again and again.  You can call the authorities but that might do little for you.  If the botnet is rented or it’s a relatively small attack then it will probably end after 3 days because that appears to be the normal period to rent a botnet.  That’s what I was told by a security expert when my old customer was hit.  Sure enough, the attack ended after 3 days.

The only real defence I can see is an IDS (intrusion detection system) that is hosted and maintained by your ISP.  This has to be a massive system.  The bad news is that gaining access to these systems is very expensive.  The configuration is a pain for the admins.  Some schemes will initiate the IDS for your IP addresses when you inform the ISP of an attack, taking a short while for the defence to kick in.  Some are online all of the time but you risk false positives with legitimate traffic being filtered.

What about the CAO?  A consultant that was quoted in the article said:

“This is something every website is vulnerable to. There is not really anything they can do short of spending huge sums of money on extra servers in differing places around Ireland,”

The computer says “no!”.  Sorry, but if an attack is hitting a URL then it doesn’t matter where you move the site to or how you load balance it.  Eventually the DNS record TTL will expire and the attack will commence on the new location.  Load balancing just scales out your system and a DDOS will scale out much quicker and more economically than you can.  The attackers aren’t idiots.  Even if you do successfully come up with alternative URLs, they can update their attack instructions in seconds.

He said hackers usually go after more high-profile sites such as Amazon or eBay.

The computer says “no!”.  The Irish media reported that there were a spate of attacks on small Irish businesses earlier this year.  They were ransom attacks, i.e. “we’ll stop the attack if you pay us”.  The Irish police and an associated research unit confirmed the story.  We don’t hear about these attacks because companies are embarrassed.  They see them as a breach of security (they aren’t).  We only hear about these attacks when they are visible, i.e. big attacks that might take down a Twitter, an Amazon, or the CAO.

Unfortunately, DDOS is a result of the fairly trusting nature of the basics of Internet technology.  Firewalls, IDS appliances, and all that stuff can only do so much.  You can do your bit to reduce the risk by ensuring that your computers are up to date with patches every month.  This vastly reduces the risk of being infected with a trojan downloader.