We recently had the great opportunity to sit down with virus-removal expert Ken Dwight aka The Virus Doctor™ . Ken has been in the business of virus-removal consulting since 1972 after founding the company TeleProcessors Inc. He has published his own book and offers the popular “Virus Remediation Workshop” along with other seminars. We caught up with Ken in his off time and talked about what he does, why he does it, and his insights on the ever-changing world of IT.
IAN: I was hoping you could give people some background on how you got into this business and why.
KEN: Okay. Well, I’ve been in the business a long time, like 48 years, back in the mainframe days. But my main focus these days is on viruses and malware, and that really started back in 2002.
I’ve been working with a lot of clients, a lot of PCs, and a lot of issues. Of course, viruses weren’t new back then, but they were mostly vandalism and pranks, made by bored kids. But this one in particular came along back in 2002 called Klez, (K-L-E-Z). It just changed the whole landscape of what viruses were about, what they did, and how they operated. Because really, that was the first one that I saw that was making money at it.
That one was really a game changer as far as I was concerned. So that’s when I really started developing a specialty in viruses and actually trademarked the name of Virus Doctor, and it kind of evolved from there.
IAN: And at what point did begin to teach other people?
KEN: In general, I’ve been doing a lot of teaching over the last 15 years or so. My biggest client for about 13 years was a big, major training company. And so I did a lot of workshops for them around the country and internationally. And that really got me more familiar with the whole idea of the seminar business, the short-term, high impact training in a day or two.
Fast forward, and about 5 years ago, I put together this training to teach techies how to get rid of viruses. And that really wasn’t something that I set out to do, but I was just having lunch with a friend of mine one day, and off handedly, he said, “Gee, I wish I knew what you know about viruses.” And I said, “Well, you know, I could probably come up with something to teach you.” So one thing led to another, and it has evolved into what I now call the “Virus Remediation Training Workshop.”
IAN: That’s a great back-story.
KEN: And it’s been a big success. As you know, there are generally two ways that most techs deal with virus issues. One is what I call the Geek Squad approach, which is to back everything up, wipe and reload, and convince the customer that’s the best solution for them, when, in fact, its actually a horrible solution for them. Its even worse for the tech for a lot of reasons, but you probably already know all that.
The other common approach is to scan it with enough programs that you hope will find and get rid of everything, which is another generally not very productive way of doing things. Takes a long time. Probably won’t find everything. And then even if it does, you always wonder, “Well, did I really find everything or is there still something there waiting to bite me?”
So of course, the third approach is to have a methodical way of dealing with it step by step, logically looking at what you’re dealing with and handling a piece of it at a time. So that’s what I’m teaching in the workshops.
IAN: Sure. So when they go to your workshops, what should they expect to see?
KEN: Well, there will still be some scans involved, but the bottom line is anybody that completes the workshop will be able to find and remove any malware on any infected machines and they’ll do it in less than two hours without doing a bunch of scans, without taking the hard drive out and scanning from another machine, or anything like that.
And probably most importantly, when it’s done, they know they really got it all. And it’s not going to come back.
IAN: Nice. And do you provide them with any other resources other than just the seminar?
KEN: I do. In the seminar itself, I go into a lot of background information with an extensive coverage on the registry because most viruses are going to be hidden in there somewhere. The only exception to that – and it’s not even always an exception – is root kits. Root kits don’t necessarily hide in the registry, but it is still a possibility.
To be good at finding and getting rid of the viruses and keeping them from coming back, you really have to have a thorough understanding of the registry. That doesn’t just mean you’ve been in the regedit and know how to change a key or whatever. Really more of a complete understanding of what the registry is, how to operate different pieces of it, how they work together – that sort of thing.
So we spend really the first half of the workshop going into kind of the background, terminology, definitions, the evolution of malware, and where it is today and why the old approaches don’t work anymore. And then the registry. That’s the first half of the workshop.
The last half is the actual methodology – the step by step procedures for identifying, finding malware or getting rid of it, keeping it from coming back, and the preventive measures to put in place.
KEN: Along with that, there are some tools that everybody that attends the workshop gets, some of which you already know about and have been using – things like Malwarebytes and TDSSKiller and other really well known programs like that. But there are some other programs that are much more specific for particular types of problems, including all of my personally developed programs. Those’ll make the job go much quicker and, again, you’ll have a much higher level of confidence that you’ve really gotten everything.
So, the final part of the workshop – the last hour or so – is a lab session. You go through and use those actual tools. For the in-person workshops, attendees are invited to bring an infected computer, and we actually clean it up as part of the lab session. Remotely, we can’t do that because you can’t really show that on remote connections, but the point is that this isn’t just a theoretical exercise that you go through and have a new piece of paper to hang on your wall. It’s real down-and-dirty, in-the-trenches, how-to-fix-it stuff. And so I like to use the lab session to really demonstrate that and show them how they can start using it as soon as the workshop is over.
IAN: So when people are attending these workshops – I mean, these are businesses that are willing to invest time and money in order to boost their business, obviously – do you find anything particularly different about them than other businesses that you’ve worked with?
KEN: What I found is that, for one thing, I’m mostly talking to people that do this for a living – to IT support professionals, whether it’s MSPs, break-fix shops, computer sales and service, a corner computer store, or whatever. Or people like me, consultants that are working with a lot of clients for anything IT-related.
And I’ve also had quite a few people go through it that are from in-house IT departments. And there’s certainly a need there, but it’s different in a lot of ways. For one thing, they’re more likely be able to lock the systems down, so they’re going to get fewer infections and not have to deal with the wide variety of scenarios that a break-fix shop or even an MSP has to deal with. They’re dealing with a more homogenous environment. Everybody’s got the same computer, same operating system, same applications, same printers, following the same procedures. So, again, there are a whole lot fewer things that can go wrong that the IT department has to worry about as opposed to an MSP or a break-fix shop.
So within that, and I’m just mainly talking to the outsource organization, what I found is that they really fall into three categories. About a third of the people I talk to say, “Oh, we already know all that stuff. We don’t need a workshop. We don’t need no stinkin’ training.” So I just don’t even spend anymore time with those people. Move on to the next one. And in the next group where people say, “You know, that really sounds like a good idea. We’re really getting hammered with viruses, and we don’t always fix them. And when we do, it takes a long time. We can’t bill for all of it. And we’re kind of short on cash right now, but keep us on your list.” And the other third say, “When’s the next class?”
So the point is: the people that are really serious about the business want to do a good job and they want to be as profitable as possible. When they hear that there is a workshop like this, they jump on it. And there’s some others that they kind of talk a good game but, yeah, never quite get around to doing the workshop. And others that come in and say, “We know everything.” well, we’ve all run into those before.
IAN: So these people attend your workshops, and then afterwards, what happens afterwards? I mean, do you have any kind of relationship that you maintain with them?
KEN: Yeah. Part of what they get with the workshop is access to me to help with any malware issues that they’re having trouble with or just need me to look over their shoulder or kind of hold them by the hand. I’m the first to admit that the workshop itself is pretty intimidating. It’s intense. It’s a full eight hours worth of training. And the workbook that comes along with it is 122 pages, so we cover a lot of stuff. I don’t expect anybody to absorb it all and put it all into play right out of the box. Obviously, I think they can get a pretty good start on it as soon as the workshop’s over, but I know they’re going to need some guidance, some reinforcement, or simple reminders. So part of what they get from going to the workshop is access to me for help with those things, especially for the first few repairs that they work on.
Also – and this is kind of telling a story about myself – I’ve only recently come up with a summary checklist. In the early part of the workshop, I have a flowchart that shows kind of the overall procedure and what’s involved. And it’s really a pretty simple methodology. But then when we get into all the details, the different approaches, the different tech factors, the different registry keys, and things like that, again, it becomes kind of overwhelming.
But just in the last few weeks, I’ve come up with a one-page summary. Bullet point; do this; do this; do this; if this, then that. And that’s kind of in the beta stage right now. The last workshop I did was the first time that I really included that, and I’ve said, “Hey, do this. Whatever your previous method was, follow this for the next few repairs, and tell me what your results are. Did I miss something? Is something not clear? Did you still have to do something else?”
That is a work-in-progress, but I think it’s a pretty late beta at this point. So with all that and the additional tools I’ve included recently, it actually gets that repair time down to an hour or even less in most cases.
IAN: Nice. Well, we’re all interested in helping technicians streamline the process. That’s awesome to hear.
KEN: Yeah, especially considering the way they’re doing it now. They’re almost certainly losing money or customers or both on every virus repair they’re doing. So when performing a bunch of scans, we’re talking about a lapse anywhere from a day to two or three days. And even if it’s not hands-on keyboard time, the tech has to be doing that or nothing else. It’s still time that the customer is without the use of that computer. And that gets really expensive.
Realistically, you can’t charge for more than a couple of hours for virus repair. More than that, the customers are thinking, “Well, shoot. I can buy a new computer for that.” You and I know that’s not a fair comparison, but that’s the way customers think. So that usually ends up meaning that you’re doing a lot of work you’re not getting paid for.
IAN: Definitely. Yeah, that’s why when I was running a repair shop, everything was flat rate because you really couldn’t charge a customer that much for virus removal.
KEN: Yup, but as you know, a lot of techs are spending a lot more than a couple of hours on it.
KEN: And with mixed results at that.
IAN: So you are working with a lot of technicians. Outside of virus removal, do you see any trends in the industry right now that you think people should be aware of?
KEN: Well, in the industry itself, especially as far as malware is concerned, the trend is almost on a straight line trajectory. Every year the number of viruses out there, the number of threats, they all double. They are getting much more sophisticated, harder to detect, harder to remove, better at hiding, better at making money. The whole malware industry has gotten so much more sophisticated and it’s become so much more of a problem.
The good techs are doing what they can to try to keep up with it. There’s still a lot of them that they’re still doing things the way they were doing five or ten years ago, and that’s completely hopeless.
The other thing we’re hearing more about – I’m frankly not seeing that much of it now, but I know it’s coming – is more infections on smartphones, iPads, tablets, things like that. Of course, no platform is immune – everything from mainframes to Unix to Linux to AS400, you name it, they’ve been infected. But obviously the great majority of the infections that we hear about and have to deal with are on the Windows platform. Macs are getting their share, but there again, the virus writers are smart these days. They’re going where the biggest market is. 90% of the market is Windows so that’s where they’re concentrating their efforts. But again, they keep getting more sophisticated. With the CryptoLocker and the infections like it, they’ve made so much money. It’s been so successful from the bad guys’ standpoint that we’re going to see a lot more of those, and already are seeing them. There have been at least four major imitators of CryptoLocker already, and that’s still in kind of the first generation of that type of attack. So expect to see a lot more of that.
IAN: In terms of preventative measures, what do you recommend a tech installs on their client’s computer to prevent malware infections? You’re never going to be 100% safe, but…
KEN: That’s the whole problem. The other problem is that the tendency is to think, “If one is good then two must be better.” And so I see examples of that. In fact, I was working on a computer last week that the tech had installed four different anti-virus, anti-malware engines on there. A) that’ll kill performance; and B) while all those are installed, they’re spending too much time arguing with each other that the malware can get right past them.
So, point is, be real careful about installing multiple products, but there’s no one product that’ll do everything. The best you can really hope for is to start off with a good internet security suite that covers all the bases. Obviously, anti-virus, but also firewall, malicious website blocking, and other things like that. Even at that, even some of the major players still miss things because of the way that the more sophisticated viruses operate and their different infection vectors.
So what you also have to do is perform scans on a regular basis to see what got past them because even the best ones are only claiming to be somewhere between 20% and 40% effective had blocking infections on the way in. Most of them are pretty good at detecting the infections once they’re already on the machine. But, of course, there is no telling what else will happen while it’s on there and active.
However, there are some additional products that are coming out that kind of supplement the internet security suites and provide some additional protection. Unfortunately, there are about three of those that are getting some pretty good play these days, and they conflict badly with each other. So there again, it’s a matter of choosing one and stick with it, then double check it when possible.
IAN: Sure. Any particular preference as of right now in terms of like a vendor?
KEN: There are actually four or five vendors that I consider to be credible with a pretty decent suite of protection. The one that I’m still generally recommending to my clients is Vipre Internet Security. It has kind of all the bases covered, and it’s at a good price point, they have good support. Again, it’s not perfect. In fact, even their detection is not as good as it was in the early days. But it’s still in the 90%+ range.
The other vendors I consider to be credible – and I don’t cringe when I see them on a client’s machine – would be Symantec, believe it or not. A lot of people like to knock Symantec, and they’ve sure had their problems over the years. But their current product line , in my experience, does a good job of protection. It’s still a little bit bloated, but machines today are so much more powerful than they were back when Symantec really got their black eye for performance. The machines are more powerful. They’ve got more RAM, faster processors. So you don’t have to be as worried about performance now as you did in the older days.
Kaspersky does a good job, too. And ESET NOD32 is one you don’t hear much about, and they’re not my first choice, but they have credible products.
There are over 60 different anti-virus vendors out there. So there’s lots to choose from. Some of them were good in the past and not so much anymore, and vice versa.
Like I said, those are the main ones where I don’t cringe when I see them on somebody’s machine. On the other hand, none of the free anti-virus programs are up to handling today’s malware. So if you think you’re doing your clients a favor by getting them a free anti-virus program or free firewall, you’re not. All you’re doing is providing a false sense of protection. It simply takes a modest investment to have good protection. When you look at the cost of paid anti-virus, internet security programs, it’s almost a joke how inexpensive it is for the protection you’re getting. Its basically a really cheap insurance policy. Like in the case of Vipre or Symantec or any of those, they’re all way less than $100 per year per computer. And for a lot of them, you’re talking about $60, $70 a year for three computers. So just get some real cheap insurance and get rid of any freebies.
IAN: Awesome. Do you have any other advice that you would like to pass on?
KEN: Beyond what I mentioned already, without even taking the workshop or even going to the webinar, there’s so many things that techs can do for their clients, their users, that will reduce the likelihood so much of getting infected. It’s the silly stuff that we all know but, I still see people that aren’t doing it. Keeping up with Windows updates. Applications, whether it’s Office or the different browsers – Firefox, Chrome – always need to be updates as new vulnerabilities are being found and then patched.
So there’s some automated tools to keep track of those and apply the updates, and frankly, that’s one of the things I like about Vipre Internet Security. They have what they call the auto update feature that you get your updates for Flash, for Adobe Reader, for Java, for Shockwave, and all those different programs, which are huge sources of vulnerabilities.
So if you just get your clients to keep everything up-to-date, automate as much of it as you can so they don’t have to make the decision. Of course any time a box pops up, with an Adobe update available or something, they always say, “No, I’ll do that later,” or “I don’t want it,” “Go away,” or whatever, not understanding how important that is, and how many vulnerabilities are being taken care of in every update.
So there’s still a big aspect of user training required. Of course most users aren’t geeks. You can’t really speak to them in geek terms or even get them to understand how important this stuff is. But they, eventually, will hear some stories about what’s happened, about some virus, a good example is with CryptoLocker. It just amazes me how many people didn’t have backups in place. Because that’s really the only solution with a CryptoLocker-type infection. You can either pay the ransom and hope for the best, and a lot of people have done that – over $200M worth as far as we know. But of course, there are no guarantees and you’re dealing with criminals. It just happens that the original CryptoLocker developers made the decision that if you paid up, they would give you your encryption key and get your data back. But the imitators, who knows? They might just be perfectly content to take the $300, $500, or $1500 and not give you anything back. So the only real solution is to have backups. And off-site backups are not going to get encrypted.
So that’s one more thing to pound the users over the head with. You got to have backups, and don’t just have an external hard drive plugged in all the time; it’s going to get infected, too.
IAN: Do you have a preferred method of backing everything up?
KEN: Got to be a cloud-based backup. Whether it’s one of the big players – Carbonite or Mozy— or one of the many many others. A lot of my clients are resellers for other cloud-based backup systems. If you can do a good service for your clients – make a few bucks at it, too, so much the better.
IAN: Sure. Thanks so much for your time Ken. In closing, how can people learn more about you?
KEN: Oh, that is a great question I’m happy to answer. The best way is to go to my website thevirusdoc.com. Head to the Virus Remediation Training Workshop. That gives information about the workshop and the free webinars. There’s also a FAQ document, a video of me talking about who should attend and why, and the schedule of upcoming workshops. Again, I do those virtually and in person at different locations and I do one just about every week.
You can learn more about The Virus Doctor at his website: thevirusdoc.com