Malware & endpoint security

Key takeaways Malware is software written to harm — its types (virus, worm, trojan, ransomware, spyware, rootkit) describe how it spreads and what it does. It gets in through predictable doors: bad attachments, trojanized downloads, and unpatched vulnerabilities. Defending an endpoint is mostly good hygiene — updates, least privilege, and tested backups carry most of the load. Backups are the one defense that reliably saves you from ransomware. This builds on the common attacks.

“Malware” — malicious software — is the catch-all for programs written to hurt you rather than help you. The names attached to it can sound like a zoo of exotic threats, but for a defender they mostly answer two questions: how does this thing spread, and what does it do once it’s in. Once you can recognise the categories and know the handful of doors they come through, defending an ordinary endpoint turns out to be mostly unglamorous hygiene.

The categories (defensively)

These labels describe behaviour, not separate products — one real piece of malware often combines several. The goal here is recognition, not construction:

  • Virus — attaches itself to a file or program and spreads when someone runs that host. It needs a person to carry it.
  • Worm — self-propagates across networks on its own, with no human action — which is why it can spread explosively fast.
  • Trojan — disguised as something useful (a game, a tool, a cracked app) so you install it yourself, then it does its real work in the background.
  • Ransomware — encrypts your data and demands payment for the key. It attacks the availability of your data — the “A” of the CIA triad — by taking away your access to it.
  • Spyware / keylogger — quietly steals information: what you type, your passwords, your files, your screen.
  • Rootkit — hides deep in the system to stay invisible and persistent, making itself and other malware hard to find or remove.

The point isn’t to memorise the taxonomy — it’s to notice that these spread differently, which is exactly what tells you where to put a defense.

How it gets in

Malware doesn’t materialise out of nowhere. It comes through a short list of entry points, and every one of them is something you can guard:

  • Malicious email attachments and links — the classic delivery vehicle, often wrapped in a phishing message that talks you into opening it.
  • Trojanized downloads — real-looking software from an untrustworthy source, carrying a payload.
  • Drive-by web content — a compromised or hostile page that exploits your browser or a plugin just by being visited.
  • Removable media — a USB stick that auto-runs or invites you to click.
  • Unpatched vulnerabilities — a known hole in software or a network service that lets malware (especially worms) walk straight in.

Notice how many of these need you to act — open, run, click, plug in. The ones that don’t, like worms hitting an unpatched service, are exactly why patching is non-negotiable.

Endpoint defenses

An endpoint is any device a person uses — laptop, desktop, phone, server. Defending it is layered, and the layers are mostly cheap habits:

  • Keep software patched. Most malware exploits known holes that already have fixes. Timely updates close the door before it’s used.
  • Run as a non-admin user. Day-to-day work under a limited account means malware that lands inherits limited power. This is least privilege in action, and it blunts a huge fraction of attacks.
  • Use antivirus / EDR. Antivirus catches known threats; EDR (endpoint detection and response) also watches for suspicious behaviour. Treat them as one useful layer, not the whole plan.
  • Don’t run untrusted code. The surest way to avoid a trojan is not to install software from sources you can’t vouch for.
  • Enable disk encryption. It won’t stop malware, but it protects your data if the device is lost or stolen — a different threat the same endpoint faces.

No single item on this list is a silver bullet. Stacked together, they are why a well-kept machine is a hard target.

Ransomware & backups

Ransomware deserves its own paragraph because it’s the threat where preparation matters most. Its entire business model is taking away access to your own data and selling it back to you. Antivirus may catch some strains, and patching closes some doors, but the one defense that reliably saves you from losing data is a clean copy the malware cannot touch:

  • Tested, offline or immutable backups. Offline (disconnected) or immutable (write-once) means the ransomware can’t encrypt your backups along with everything else. Tested means you have actually restored from them — an untested backup is a hope, not a plan.
  • Segmentation. Dividing your network so an infection on one machine can’t reach every other one limits the blast radius. This is defense in depth applied to spread — one compromised endpoint shouldn’t mean all of them.

With good backups and segmentation, a ransomware hit becomes an annoyance and a cleanup, not a catastrophe.

If you’re hit

Assume it will happen to someone eventually, and know the moves in advance:

  • Isolate the machine. Pull it off the network immediately to stop spread and cut any attacker’s remote access.
  • Don’t pay blindly. Paying funds the crime, doesn’t guarantee your data back, and marks you as a payer. Explore recovery from backups first.
  • Restore from backups. Rebuild from a known-clean copy rather than trusting a machine that was compromised.
  • Investigate the entry point. Find out how it got in and close that door, or it happens again. This is where monitoring and incident response earns its keep — logs tell you the story.

Quick check: the most reliable defense against losing data to ransomware is...

Recap

  • Malware is software written to harm; its categories — virus, worm, trojan, ransomware, spyware, rootkit — describe how it spreads and what it does.
  • It gets in through a short list of doors: bad attachments and links, trojanized downloads, drive-by web content, removable media, and unpatched vulnerabilities.
  • Endpoint defense is mostly hygiene: patch, run as non-admin (least privilege), use antivirus/EDR, don’t run untrusted code, and encrypt disks.
  • The one defense that reliably beats ransomware is tested, offline or immutable backups, backed by segmentation to limit spread.
  • If you’re hit: isolate, don’t pay blindly, restore from backups, and find the entry point so it can’t recur.

Next up: defense in depth