What Does it Take to Keep Windows Secure?

My son’s Windows 7 laptop was recently infected with some malware (adware/spyware). Mind you, I try to follow the generally-accepted recommendations for trying to prevent this sort of thing:

  • My son uses Mozilla Firefox (not Internet Explorer) with all updates installed.
  • I keep Windows 7 patched with updates from Microsoft.
  • He runs as a non-administrative user, and doesn’t know the administrator credentials.
  • The Windows 7 firewall is enabled and configured with a fairly strict set of rules.
  • The network has an open source proxy server with content filters, so I can be reasonably confident he’s not visiting the really nasty sites. Obviously, content filters are never perfect and always in need of updating, but they’re better than nothing.
  • The network itself is protected by a hardware firewall (not a simple NAT router, but a true stateful firewall), which requires that all web traffic go through the proxy (so he can’t bypass the proxy).
  • I installed Microsoft Security Essentials on his laptop to protect against malware, adware, etc., and I keep it updated.

Yet, despite all these layers of protection, I find that my son’s laptop was still infected with malware.

So I ask, in all seriousness—meaning I’m not trying to start some sort of flame war about how Mac OS X or Linux is better than Windows or vice versa—how does one protect their Windows installations against this sort of thing? I mean, what does it take, anyway? I feel like I am taking some pretty serious steps to protect Windows, and yet it still gets infected. What am I missing here?


  1. steven p

    don’t click the links. that’s the only sure fire way.

  2. Mr. X

    If not already doing this, using the very popular Firefox add-on Adblock Plus might help, at least in removing the temptation to click on an ad that is possibly infected. NoScript (http://noscript.net/) may also help here if you really want to be draconian. It does allow an “Unless explicitly allowed, deny” configuration.

  3. Bob Plankers

    Not installing any products from Adobe (Flash, Acrobat) is a wonderful start. I also use the Secunia Personal Software Inspector (PSI) to keep up to date with other application fixes. http://secunia.com/vulnerability_scanning/personal/

  4. dave

    It’s basically a question of convincing your boy that every single thing he does can be a security risk, and get it through to him how each “incident” will affect him directly. Such as a week or more with no computer while it’s being scrubbed, or the loss of his MP3 collection. Things like that. It’s not a punishment, just a natural consequence of not being careful.

    For additional technical controls, install Adblock and NoScript on Firefox. NoScript will kill anything in its tracks, but it might be too cumbersome for him to manually whitelist things. But chances are pretty good that the infection came through him just clicking the OK button that some script popped up to get rid of it.

  5. Rob

    Scott,

    What I find is, with all the possible technology in the world, a proper mindset is the key. The thing I tell my family members and friends all the time is: if you didn’t specifically request something, don’t click it.

    I find if they keep that mindset the machine stays clean. If they go off and download 40 poker apps, and click every banner that pops up, then nothing can save them.

    Regardless, it will always be an issue. If companies like Epsilon and HBGary can’t stay secure, what makes you think Aunt Ruth can…

    I guess my message is, don’t take it too hard; unfortunately sometimes you just need to be reactive as well as proactive.

    Cheers!

  6. FEJF

    I don’t know how old your son is, but in my opinion the most important step is education about the virus/malware threats of the internet. An easy example might be one of the first things I tell my friends who are new to the internet: “your bank does not write e-mails to you” ;) Or in other words: don’t click on anything that you don’t know (even if you don’t know from whom it was sent/published or what’s inside it). Use an e-mail client which only displays/sends text instead of HTML code (so that you/your son can see the malicious java/flash/funny.jpg.exe etc. stuff). Use a virus-scanning proxy with an AV scanner which is different from the one used on the browser PC. And one last thing (even if this may offend honest people who live on revenue from Google ads): install an adblocker and flash blocker. The Firefox add-on Flashblock does not automatically execute Flash; you have to explicitly click on each Flash window (so everything still works after 1 click).

  7. Brad C

    Protecting Windows is hard. Something more advanced than Microsoft Security Essentials would be a simple thing you could do, but you’ve already tackled most of the low hanging fruit. The problem with most products is that they’re primarily reactive: they need to generate new signatures and get those updates rolled out to you before you’re protected from today’s threats. Sometimes that’s just not fast enough.

    I think the best solution is the ability to wipe and restore easily. Things like VMware snapshots, VDI, or any of the imaging/backup/restore products out there are the best malware protection money can buy.

  8. Andy Kitzke

    You’re on the right path but in addition to what you’re using I’d add a software firewall so you see the requests leaving the laptop and Malware behavioral software.

    The two pieces of software I use are “Windows 7 Firewall Control” and “Threatfire”. Windows 7 Firewall Control allows you to see all outgoing traffic as well and Threatfire works in conjunction with Anti-Virus to protect the session.

    In the end however, I’ve found that no amount of software protects a user who doesn’t understand where they can and can’t travel on the internet.

    What type of Malware infected the laptop? Some Malware cookies are harmless but still show up as active Malware in scanners.

  9. Damian Karlson

    Good question, Scott, I’d like to know the same answer. My setup isn’t as complete as yours, but I’ve fought the same battles in keeping my wife’s laptop clean. This morning I was thinking, while removing malware from her laptop, that it would be very cool to only allow her account certain actions and keep everything else in a non-persistent state. Reboot would set everything back to a known-good default state. (Perhaps a thin client solution of some sort?)

    I’ve done what I can on the education side of things, but it is tough to instill in her that same sense of paranoia (for lack of a better word) about the internet that I have.

  10. slowe

    Steven P,

    In this case, I think we need to strike a balance between “usable” and “completely secure.” :-)

    Mr. X, Dave,

    Thanks for the recommendations on AdBlock and NoScript; I’ll give those a look. The proxy already does some adblocking, but another layer certainly won’t hurt.

    Rob, FEJF,

    I think he’s reasonably well-educated about the dangers of just clicking stuff without paying attention; I’ve drilled that into his head quite a bit. That’s one reason why I was a bit surprised at the infection. Continuing education can’t hurt.

    Brad C,

    I agree with virtualization being a useful tool, but let’s take a step back here. The number and level of controls that I’ve deployed far exceeds the average user. How is Joe Schmoe supposed to realistically protect himself? This is just plain crazy, IMHO. Oh, and VDI isn’t exactly in the home network budget for this year. :-)

    Andy Kitzke,

    Not sure exactly what sort of malware it was, except that it masqueraded as the Microsoft Removal Tool but clearly wasn’t. I had to boot into Safe Mode, then scan everything in order to remove it. As far as I can tell, everything is clean now.

    Anyone else have any other suggestions for additional steps I might be able to take?

  11. Ariel Antigua

    if you’re not already using it…

    Another layer of protection: OpenDNS with the “Web Content Filtering” set to moderate or custom.

  12. Dave C

    Scott,

    A few things I would do: consider a beefier anti-virus package like Vipre, and add OpenDNS to your mix to help filter your outbound requests.

  13. Doug

    I now use Windows only for local applications, and do all browsing with Ubuntu running in a VMware Player. If anything bad happens in there, I’ll delete the VM and create a new one from the Ubuntu ISO.

  14. Dave

    Have daughters.

  15. Ondrej

    I really have had a bad experience with Microsoft Security Essentials. One of our clients switched to this antivirus and since that day there have been too many problems with viruses.

  16. Michael Thompson

    One solution that might be in the budget is to go buy a Windows Home Server and have it automate nightly backups of your PCs and Macs. If your system gets infected, boot the computer up from the WHS restore CD it came with and do a full restore from the night before.

    It won’t prevent you from getting a virus, but it makes recovery very easy.

  17. JmD

    I use Firefox, keep Win 7 updated, use MSE and don’t surf on ‘strange’ sites, but still have had spyware and such attack my computer a few times. MSE gets these, but by then they have gotten so far that they are trying to start on my machine. Most if not all of the time they have entered through Java, since I see the little Java icon just before MSE shows its window (not JavaScript, mind you). I disabled Java in Firefox through Add-ons -> Plugins since it’s very rarely used, and so far so good.

    Also, to the ones that suggest “tell him not to go to strange sites”: in these times you don’t have to. Just this week a worm went on a rampage and has infected 500,000 websites, showing fake ads on the sites it has infected through its SQL injection attack.

  18. AV

    NoScript is really good at this, or try replacing Firefox with Google Chrome (which is more secure out of the box, has its own Flash and PDF engines, etc.).

  19. slowe

    Ariel, Dave C,

    My in-house DNS server already forwards through OpenDNS, so that’s in place.

    Doug,

    I’ve considered the same thing, but the level of complexity to manage just such a solution is significantly higher. Perhaps something like Unity mode, where he didn’t have to know he was running a VM, might help.

    Dave,

    As the father of two daughters, I can definitively say that it doesn’t help.

    Ondrej,

    Your experience doesn’t seem to match others, but there are too many variables to be able to make any blanket statements about stuff like this.

    JmD,

    I suspect that’s exactly what happened here—I know him well enough to know what sort of kid he is and what kind of character he has.

    AV,

    I might see about giving Chrome a try; thanks for the suggestion.

  20. Beau

    Is the proxy scanning traffic? I believe there are malware protection blocklists for Squid, and a ClamAV plugin is available. Block .exe files at the proxy. Block P2P while you are at it.
    Unfortunately the proxy probably isn’t going to help with SSL encrypted transfers, but blocklists and OpenDNS might.
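As an added illustration of what Beau suggests (this is not his configuration or anything from the blog), the squid.conf fragments below block executable downloads by URL path and by reply MIME type and add a domain blocklist. `localnet` is assumed to be the ACL already defined for the LAN, and the blocklist path is an assumption; Squid stops at the first matching rule, so these lines must come before the existing `http_access allow localnet`.

```conf
# Added example, not the blog's or Beau's squid.conf. Assumes an existing
# "localnet" ACL for the LAN; the blocklist file path is an assumption.

# 1. Refuse direct requests for Windows executables and installers by URL
#    path (with or without a query string). Script extensions such as .js
#    are deliberately left out: pages load them legitimately.
acl exe_url urlpath_regex -i \.(exe|msi|msp|scr|pif|com|bat|cmd)(\?.*)?$
http_access deny localnet exe_url

# 2. Catch the same payloads when the URL gives nothing away, by inspecting
#    the server's reply Content-Type. application/octet-stream is not listed
#    because too many legitimate downloads use it.
acl exe_mime rep_mime_type -i ^application/x-msdownload$ ^application/x-msdos-program$ ^application/x-ms-installer$
http_reply_access deny exe_mime

# 3. Domain blocklist, one hostname per line, refreshed from a malware feed.
#    dstdomain also matches the target of an HTTPS CONNECT request, which is
#    the only thing the proxy sees inside an SSL session; exe_url and exe_mime
#    cannot inspect encrypted traffic, as Beau notes.
acl malware_domains dstdomain "/etc/squid/malware_domains.txt"
http_access deny malware_domains

# The existing rule that lets the LAN out goes after all of the above:
# http_access allow localnet
```

After editing, `squid -k parse` checks the syntax and `squid -k reconfigure` loads it; a request for `http://example.com/setup.exe` from the LAN should then return an access-denied page rather than the file.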

  21. François

    Backups and backups and being able to refresh your install at will and easily.
    It costs less energy to redeploy an easy setup than trying to build a fortress…

  22. slowe

    Beau,

    I might have to look into that. If you have a link with more information and don’t mind, drop me an e-mail (the address is on this site). Thanks!

    Francois,

    I hear you, but aren’t we really then saying that it is impossible to secure Windows and prevent this sort of infection? Aren’t we then saying that rather than try to prevent it from occurring, we should simply automate the process of recovering from it? And if that is the case, what does that say about Windows? If we agree that we cannot actually prevent Windows from getting infected, then isn’t Windows fundamentally broken? Again, I’m not trying to start a flame war here, but isn’t that what we are really admitting without actually saying those specific words?

  23. Kelly O

    Ace package with snapshot revert.

  24. Dan Jones

    With my kids, I did a lot of what you listed, but I used K9 Web Protection instead of the proxy server you used (same idea, different product). It helped keep a lid on the cr@p sites they might try to visit without me having to maintain much of a white/black list. I also used some command line options with Spybot to run late at night and auto-clean. I am not sure whether that would work on Win7, since at the time (and it was some time ago) it was an XP machine I was dealing with.

  25. Sharninder

    Your son, most probably, opened an attachment from a trusted friend who was infected. Not much you can do other than educating him on email attachments and what to open or what not to open.

  26. Kevin Murray

    Normally, I have found that these types of infections (that masquerade as Microsoft Removal Tools) enter the computer via exploits in Adobe’s software (Flash / PDF / AIR). We had a user who kept getting infected with the same thing over and over again. Come to find out, she was using an infected PDF file over and over again and, despite Adobe Reader saying it was patching itself, it in fact was not. Once I uninstalled and reinstalled Adobe Reader, the problem never came back.

    As for fixing them, the best and most simple way to repair / fix / get rid of them is to boot into safe mode and then use the built-in “System Restore” function in Windows. As a Systems Administrator, I end up fixing a lot of computers for family and friends, and for everyone I’ve run into with this type of problem, a quick System Restore seems to fix it. The only thing to remember is, once you “Restore” the system, dump the rest of the restore points, as viruses and malware like to hang out in System Restore.

    I would suggest you invest in a full A/V program and not depend on Microsoft’s A/V and firewall. We have a site license for AVG Internet Security 2011 at work and it blocks 99.999% of the crap my users attempt to kill their systems with. I also run it on my home system and recommend it to lots of people.

    Also, I would dump Firefox for Chrome only for the fact Chrome does a much better job of updating the browser in the background without any “help” from the user.

    And in closing, if your boy does any type of torrent downloading, make him stop. Not so much because these types of things are mainly used for downloading illegal materials, but because they are a breeding ground for viruses and malware and other crap that will infect and kill your system.

  27. Greg

    I know you said it’s not about the OS, but clearly, it is. Even with all the preventative maintenance you perform, it still gets affected.

  28. brassneck

    I’d second Chrome, it’s also nice when you jump around OSs a lot. I think firefox (3.6) lost itself a lot of fans with my (technical) friends for one reason or another. I’ve not been tempted to install 4.

    It’s scary though. You’ve done exponentially more than an average user (and me), and still the grot squeezes through. Limiting the sites you can possibly view is probably the only way to be sure now. Or get them MacBooks (sorry, everyone’s been so restrained but I just couldn’t help myself :-D )

    I guess my only question is though – what did get through? How harmful was it? What could it have done to affect you (I don’t see it tunnelling personal details out or joining a botnet without one of the security layers catching it)?

  29. Marcel van Os

    So far I haven’t run into trouble with my mother, who initially was a complete beginner. She’s come quite a way since then. I’ve configured Firefox with NoScript and have taught her not to use IE. This seems to work quite nicely. I must admit that she doesn’t visit any indecent sites and is very hesitant to click on anything that looks weird/odd.

    So it comes down to education/behavior as well as some additional tools. I’ve noticed when working with IE that things look totally different compared to my Firefox/NoScript experience.

    Most malware nowadays gets in via your browser so you cannot use a browser out of the box anymore.

  30. John

    I would definitely recommend OpenDNS to block most “drive-by” malware sites your son is coming across. I have the same problem with my girlfriend’s laptop. She’s a big quizzo fan and constantly comes across malware-ridden sites when she’s looking to brush up on whatever the local bar’s quizzo topic is. Might just be as simple as teaching him what a bad site looks like. Also, any chance he’s getting infections from torrent files?

  31. Ric

    I’d suggest Chrome is now rather more robust than Firefox. Part of the reason for this is that it incorporates a PDF plug in and Flash player, which have patches distributed aggressively by Google, and otherwise form the most common attack vectors.

    You say the machine is infected. Is the malware in the user profile somewhere, or has it infected an area that requires privileged access such as program files? The former is far easier to clean up, and doesn’t necessarily imply a security breach.

    Remember that malware infections of the user profile simply mean that software is running as the corresponding user. They may have got on by browser exploit, they may have got on by the user clicking OK to a JavaScript dialogue for example, and no amount of OS security will prevent the latter happening.

  32. Jim

    Show him a couple of porn sites that aren’t full of malware.

  33. simone

    The false assumption is that malware and viruses arrive from the Internet, when the main doors for malicious software are:

    * USB memory sticks
    * PDF reader exploits (install some updated version of Foxit Reader)

  34. Pfunk

    You didn’t mention any AV. Be sure to have some. Also, super important to keep the Adobe products up to date, and Java. These are difficult to keep up to date when he’s running as a non-admin, so it’s easy to get behind. Seems more malware is using these attack vectors these days.

  35. Gokalp Ercilasun

    Scott,

    I have found that the only real solution to prevent infections is to embrace that it will occur no matter what solution you may use.

    Some of the better antivirus/firewall solutions I have seen work well are TrendMicro’s Worry-Free Small Business or their Titanium line for home users. The paid version of Malwarebytes is also good at real-time malware protection.

    I would also recommend using Acronis True Image to create daily image-level backups of the computer to a hidden partition / network share. It is the fastest method to restore, and you can still mount the infected backup and export any files that you may need later on.

    Unfortunately even being technical and ensuring to keep your internet usage limited to authentic sites can get you infected these days.

    Having a sandbox approach to web browsing can help, but it is not a bulletproof solution either.

    I personally have given up wasting my time with Windows for the home and have my wife, parents, and brother using a Mac. It was not an ideal solution, but they have adjusted and it’s saved me time. Considering that many users are now adapting to the Mac platform, it won’t be long before Macs start to become infected too.

  36. slowe

    Jim,

    I think I’ll pass on that option—it doesn’t exactly jive with the Christian testimony I’m trying to live, you know?

    Gokalp,

    Once again, it seems as if the general consensus to protecting Windows is that we *can’t* protect Windows, and instead we should focus our efforts on streamlining the recovery process. Somehow, that just doesn’t seem right to me.

    All,

    Several have mentioned torrent downloads; there’s none of that going on. I will have to try Chrome, as I suspect that it was an Adobe vulnerability that was exploited. Unfortunately, buying him a MacBook just isn’t in the budget, although that would be my preference (my wife and I both use MacBook Pros). Thanks for the continued suggestions!

  37. PiroNet

    Two options:
    1. Stateless VM
    2. Web-based desktop such as eyeOS

  38. Ric

    You can protect Windows. I’ve used Windows as one of my main OSs (I run OS X, Linux and Windows on one each of my work desktop, my home desktop and a laptop) for over a decade now and never had a compromise.

    You’ve got to keep the OS, and _everything_ else patched.

    You may well find Secunia’s PSI a useful tool. It essentially scans a PC for software with security vulnerabilities, and is useful for picking up things you otherwise forget about. Free for personal use also.

  39. Donny Parrott

    UAC? Was this enabled? It has prevented many issues in my house.

    I have converted all systems (3 Laptops, 2 Desktops) to W7 and have not had to fight any issues yet. We all use IE8/9 (custom configured) for our browsing.

    It comes down to user interaction. Any system is vulnerable once the variable of [user] is called. I run nowhere near your level of protection and have not dealt with infections since 2008.

    Now, I have scared the living snot out of everyone in the house of the consequences of wasting my time on cleaning up something that should never have been.

    Other tips:

    1) UAC is your friend…
    2) AV set to scan removable media before use.
    3) IE controls (or whatever browser) configured to distrust all but the “whitelist”.
    4) If you don’t expect it, don’t touch it. (Alt-F4)
    5) Windows Advanced firewall…
    6) Adobe is Adobe regardless the platform…

  40. Greg Smith

    Don’t run any browser on the desktop OS to access general sites.

    Use a desktop virtualization tool (XP Mode, VMware Workstation, etc.) to run a separate OS instance to isolate the browser & tools.
    – Patch the VM periodically.
    – Roll it back to last patched state *every* time you close it. Do not save changes
    This takes a few moments longer for the first browser launch of the day, but I’ve found the main machine gets *so* much less junk on it that you’re rewarded with better performance overall doing it this way.
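The routine Greg Smith describes (revert the browser VM to its last patched state on every launch, never save changes, re-snapshot only after patching) is easy to automate. The PowerShell launcher below is an added example, not Greg's or the blog's code. It assumes VMware Workstation with `vmrun.exe` at its default install path, a VM at the `$Vmx` path shown, and a baseline snapshot named "Patched"; none of those details come from the page.

```powershell
# Added example, not Greg Smith's or the blog's code: a launcher for a
# disposable browser VM. Every start reverts to the last patched snapshot,
# so nothing a browsing session did survives. Run with -PatchDay, update
# the guest, shut it down, and the baseline snapshot is replaced.
# Assumed (not from the page): vmrun.exe at the default Workstation path,
# a VM at $Vmx, and a snapshot called "Patched".
param(
    [string]$Vmx      = 'C:\VMs\BrowserVM\BrowserVM.vmx',
    [string]$Snapshot = 'Patched',
    [string]$VmRun    = 'C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe',
    [switch]$PatchDay
)

function Invoke-VmRun {
    # Wrapper so a failed vmrun call aborts the script instead of letting a
    # browser start in a guest that was never rolled back.
    param([string[]]$Arguments)
    & $VmRun -T ws @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw ('vmrun ' + ($Arguments -join ' ') + " failed with exit code $LASTEXITCODE")
    }
}

if (-not (Test-Path $VmRun)) { throw "vmrun not found at $VmRun" }
if (-not (Test-Path $Vmx))   { throw "VM not found: $Vmx" }

# Always start from the clean baseline, patch day included, so a new
# snapshot is never taken on top of a previous browsing session.
Invoke-VmRun 'revertToSnapshot', $Vmx, $Snapshot
Invoke-VmRun 'start', $Vmx, 'gui'

# Block until the guest has been shut down from inside. vmrun list prints
# the .vmx paths of running VMs, so poll for ours to disappear.
$leaf = Split-Path $Vmx -Leaf
do {
    Start-Sleep -Seconds 5
    $running = & $VmRun -T ws list
} while ($running | Where-Object { $_ -like "*$leaf" })

if ($PatchDay) {
    # The guest was patched and shut down cleanly: make that the new baseline.
    Invoke-VmRun 'deleteSnapshot', $Vmx, $Snapshot
    Invoke-VmRun 'snapshot', $Vmx, $Snapshot
}
```

Pin a shortcut to this script in place of the browser icon so the revert is never skipped; on patch day run `.\Start-BrowserVM.ps1 -PatchDay`, let the guest update itself, and shut it down so the fresh state becomes the snapshot the next launch reverts to.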

  41. Kevin Murray

    I actually think it’s wrong to not try and protect your systems and only focus the effort on streamlining the recovery process. You can’t throw the baby out with the bath water just because it’s easy or you might think it’s a lost cause.

    With simple protections, many of which you have already taken, you can very much protect your system. But with that, things will still get through. There is no such thing as 100% protection.

    Macs are actually just as vulnerable as their PC or Linux / Unix counterparts. Macs need protection just as much as PCs. And as you see Apple and others make gains in market share, you will start to see more and more attacks targeted at Apple and their product lines. The reason why Windows based systems are targeted the most is because they are the biggest target.

    Recovery should always be part of the plan, but not the only plan. In the 6+ years I’ve been Sys Admin at my current company, I’ve never lost a users system or server to a virus or malware. I’ve lost them due to plenty of other reasons, some of which were my own stupid fault, but not due to viruses.

    The best thing you can do, is find a good antivirus / internet security software program. I can not stress that enough. There are some ok ones that are free, but there is a saying that you get what you pay for. The best protection is going to cost some money, but its an investment well worth it.

  42. Nitin Khanna

    NoScript and a Norton 360 installation. That ought to do it for you… Screw the Windows Firewall, it’s useless.

  43. Ric

    @ Donny

    The user account involved didn’t even have admin rights. UAC is a red herring.

    @Nitin

    The network the machine was on has a hardware firewall. The firewall status of the laptop is irrelevant.

    Personally I’d rather have the Windows (on a vista or later machine particularly) firewall than a 3rd party software firewall as you’re confident the firewall is started as the network stack comes up. I’ve seen hosts compromised during the window when networking is up but before a 3rd party firewall has started up before now.

    @scott

    If you don’t routinely deal with end user windows machines used for web browsing, you’re on a learning curve wrt windows desktop security.

    What you consider as pretty serious steps missed out one critical one; keeping browser plug ins patched. The hardware firewall and web proxy are probably irrelevant for a machine used for general web browsing.

    I slightly wonder if the proxy content filters may actually make it more likely that the machine will get compromised. They’ll block access to undesirable but non malicious sites, but may not be updated fast enough to catch fly by night undesirable sites that exist purely to push malware, making it more likely the malicious sites will be visited.

  44. James

    IMHO,

    Perception is Reality! This is often the problem with the mindset of security. Security’s intent is not to PREVENT security breaches only mitigate and marginalize them. If you run applications on an OS especially if you connect it to the Internet, you should not think about IF you will get infected but WHEN and how do I mitigate and marginalize the vectors, threats, vulnerabilities and therefore the overall risk.

    When you ask, how do I make “X” secure? If you mean, how do I make it impenetrable? You don’t.

    When I ask how do we make it secure, I’m asking 4 things:
    1. How do I make it so difficult to get to my stuff that you’d rather go screw with someone else? Actually I learned this from a pest control guy who sprayed my house once, when I asked him “Will this get rid of the ants?” He looked at me and said: “No, but it will make them go get food someplace else, probably just to your neighbor.” Now, I like being a good neighbor and I didn’t like this answer but after some reflection – I realized this is reality, this is how ants work.
    2. How do I make the vectors (paths to attack us), vulnerabilities and threats fewer and more narrow (insert OS flame war here)?
    3. When I get infected, what can I do to get my system back to a “clean state” in the shortest amount of time with the least cost and damage to me?
    And
    4. (Most Important) What do I do so that when I get infected I know about it in the shortest possible time frame?

    Most of the answers on here deal with some aspect of the 4 points but I think we have to understand what is being asked so we can better understand how the answers fit into the solution.

  45. slowe

    Ric,

    The comment about third-party software (especially Adobe) and browser plug-ins is well taken; this is probably the area that I haven’t applied enough pressure. That can be fixed!
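Ric's point, which Scott accepts here, is that the control missing from the original list is keeping browser plug-ins and third-party runtimes patched. The PowerShell audit below is an added example (not code from the blog or any commenter) that checks, read-only and from the account being audited, the controls this thread has discussed: installed Flash/Java/Reader versions from the Uninstall hives, the plug-ins Firefox actually registers, the last successful Windows Update install, whether the account is an administrator and UAC is on, and the state of the Windows Firewall and the MSE service. The registry paths and the `MsMpSvc` service name are the standard Windows 7 and Microsoft Security Essentials ones; the list of "risky" product names is my own choice.

```powershell
# Added example, not from the original post or its comments: a read-only
# audit of the controls discussed in this thread. Run it unelevated from
# the account in question (standard users can read these HKLM keys).
# Registry paths and the MSE service name are the standard ones; the
# $riskyPattern product list is an assumption of this example.

# --- 1. Third-party runtimes and browser plug-ins, from both the 32- and
#        64-bit Uninstall hives. This is the gap the thread converged on.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$riskyPattern = 'Flash|Shockwave|Adobe Reader|Acrobat|Adobe AIR|Java|QuickTime|RealPlayer|Silverlight'

$runtimes = foreach ($key in $uninstallKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key |
            ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.DisplayName -match $riskyPattern } |
            Select-Object DisplayName, DisplayVersion, InstallDate
    }
}
'== Installed runtimes to compare against each vendor''s current release =='
$runtimes | Sort-Object DisplayName | Format-Table -AutoSize | Out-String

# --- 2. Plug-ins Firefox will actually load: it enumerates these keys.
'== Plug-ins registered for Firefox =='
$mozKeys = 'HKLM:\SOFTWARE\MozillaPlugins',
           'HKLM:\SOFTWARE\Wow6432Node\MozillaPlugins',
           'HKCU:\SOFTWARE\MozillaPlugins'
foreach ($key in $mozKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            '{0,-40} {1,-12} {2}' -f $_.PSChildName, $p.Version, $p.Path
        }
    }
}

# --- 3. Windows Update: when did an install last succeed?
$wu = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install'
if (Test-Path $wu) {
    'Last successful Windows Update install: ' + (Get-ItemProperty $wu).LastSuccessTime
}

# --- 4. Privilege: is this account a local administrator, and is UAC on?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
'Current user is local admin: ' + $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$lua = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
'UAC (EnableLUA) enabled:      ' + ($lua -eq 1)

# --- 5. Host firewall profiles and the Microsoft Security Essentials service.
'== Windows Firewall profile state =='
netsh advfirewall show allprofiles state
$mse = Get-Service -Name MsMpSvc -ErrorAction SilentlyContinue
if ($mse) { 'MSE service (MsMpSvc): ' + $mse.Status } else { 'MSE service (MsMpSvc): not installed' }
```

The script only reports; the decision is manual. Section 1 is the one to act on: any Flash, Java or Reader build older than the vendor's current release is the unpatched plug-in Ric is talking about, and a plug-in that shows up in section 2 but is not needed (Java, in JmD's case) can simply be disabled in Firefox.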

  46. Jordan

    I really like the web of trust add on in google chrome. I’m not sure if it’s in Firefox. It puts an icon next to every link and says whether or not that thing has a good rating with web of trust. It’s helped me stay away from a lot of questionable sites.

  47. Stefane

    Hi,

    And is your son only using this laptop for Internet access? Or is he also using games and apps?

    Maybe the problem is not the Internet content but one app YOU installed which is not clean…

  48. slowe

    Hi Stefane,

    He runs Microsoft Office 2010 and Internet access. No torrents, no games, no IRC, no Usenet, etc. It’s a pretty simple setup, honestly. Based on the comments that everyone has provided, I’m guessing it was a Flash exploit, since he requires Flash to do some online schoolwork.

    Jordan,

    It sounds like Chrome is definitely worth investigating. Thanks!

  49. Amar

    Hello,

    I use the following program and it has saved me many times. The paid option is worth having if you use windows.

    http://www.malwarebytes.org/

    Regards,

  50. Jonathan

    I can highly recommend Panda AdminSecure if you want central AV/ malware etc management or any of the standalone Panda products. Panda has a technology called Truprevent which deals with any unknown threats. I have this running at a small accountancy firm and it’s very easy to setup and use. Not too expensive either.

    As an aside I would be interested in knowing what hardware firewall you got on your home network. I’m looking to get something suitable for my home office network and I’m considering the following options:

    - Cisco ASA 5505
    - Cisco 861w
    - Cisco 881w
    - Cisco SA520w

    I’m replacing an airport extreme that just doesn’t cut it in terms of security and performance.

    Any suggestions?
