What Does it Take to Keep Windows Secure?

My son’s Windows 7 laptop was recently infected with some malware (adware/spyware). Mind you, I try to follow the generally-accepted recommendations for trying to prevent this sort of thing:

  • My son uses Mozilla Firefox (not Internet Explorer) with all updates installed.
  • I keep Windows 7 patched with updates from Microsoft.
  • He runs as a non-administrative user, and doesn’t know the administrator credentials.
  • The Windows 7 firewall is enabled and configured with a fairly strict set of rules.
  • The network has an open source proxy server with content filters, so I can be reasonably confident he’s not visiting the really nasty sites. Obviously, content filters are never perfect and always in need of updating, but they’re better than nothing.
  • The network itself is protected by a hardware firewall (not a simple NAT router, but a true stateful firewall), which requires that all web traffic go through the proxy (so he can’t bypass the proxy).
  • I installed Microsoft Security Essentials on his laptop to protect against malware, adware, etc., and I keep it updated.

Yet, despite all these layers of protection, I find that my son’s laptop was still infected with malware.

So I ask, in all seriousness—meaning I’m not trying to start some sort of flame war about how Mac OS X or Linux is better than Windows or vice versa—how does one protect their Windows installations against this sort of thing? I mean, what does it take, anyway? I feel like I am taking some pretty serious steps to protect Windows, and yet it still gets infected. What am I missing here?


  1. Jenu

    Steve,

    Try Untangle, open source application layer firewall. Good home solution.

  2. Marco

    I think you’re missing (or your son is, in this case) the most important feature of all: a secure Internet experience. The kind of experience given after years of use of all kinds of Internet services combined with a keen eye (and mind).

    Time tells me that there’s no way to exclude 100% of all security risks – a trained user alone brings down a good 60%. Encouraging users to ask good questions such as “if I didn’t install any software named like this, why is it continuously popping up?” is the only way that pays for itself.

  3. slowe

    Jenu,

    Who’s Steve? :-)

    Marco,

    Training and awareness are certainly important, and awareness is one that I’ve been drilling into my family’s head for years.

  4. Sterling

    I do not envy a security professional trying to make Windows secure; it’s definitely a combination of network layer security and being mindful of the OS tools and software in place that may contribute to the possibility of a threat, as well as having well defined policies to help curb and educate “bad” computing behavior.

    As indicated by a previous poster, it’s a balancing act of setting policies and processes to minimize a threat and then activities to follow when the threat has been realized.

    In general, I also use multiple versions of malware programs, as definition recognition has varying degrees of success. Reducing known vulnerable threats by keeping patches up to date helps but does not ultimately eliminate them.

    Education is an important element that I use in the home all the time and, like the previous remedies, isn’t always successful.

  5. Dave C

    Scott, to help keep your apps like Flash and Reader up to date, you might want to look at Ninite Pro (https://ninite.com/pro). It’s a service that comes with a utility for updating apps like Flash and Reader in a silent way.

  6. Josh M

    A product I’ve found to be helpful but not mentioned is Spybot S&D. I’ve seen its resident flag registry changes that bypassed a number of other AV products.

    I second the AdBlock recommendation.

    The most common attack vectors I’ve seen recently are malicious iframes and Adobe (flash/reader) vulnerabilities. A number of normally trustworthy sites have had their web servers hacked and a malicious iframe embedded. An embedded iframe will trick even the best educated web surfer.

  7. Tom

    A couple folks on here got it right. In short, there is nothing you can do to prevent this from happening. Today’s malware can infect fully patched systems, and is often distributed through legitimate websites. Your son could get a virus from his own school’s site.
    All you can do is maintain backups/images so you can quickly restore to a pre-infected state.
    This doesn’t mean Windows is broken. It just means it’s the platform of choice. Viruses are written for the largest market. Linux has few viruses for the same reason iTunes doesn’t have a Linux version. Not enough people use Linux. If somehow Ubuntu became the dominant OS, it would also be the most virus plagued.

  8. GS

    While I’m sure you posted this question to, on some level, just get people thinking, I have to say that the answer is obviously – nothing.

    All you’re doing is mitigating risk. There’s no such thing as 100% secure with anything in life. Anyone who thinks they’re 100% secure is complacent.

    At your home, you can put motion lights, build a fence, hire security guards, guard dogs, arm and train yourself…and still, a dedicated attacker can penetrate your defenses, if they choose and if their methods are good enough.

    You’re just trying to make yourself as hard a target as possible.

  9. slowe

    Tom, GS,

    Thanks for your comments—clearly this is partly a rhetorical question, but it is also a practical question. If even skilled IT professionals, with multiple layers of defense, can be affected, how does an ordinary Joe stand a chance? And if the ordinary Joe doesn’t stand a chance, then I’d say Windows (and probably Linux and Mac OS X, too) *is* broken. It’s fair for a user taking reasonable precautions to have some expectation of security and privacy. I guess I’m just an idealist. :-)

  10. Richard

    I’m using FF4 with the following add-ons:
    -NoScript
    -AdBlockPlus
    -Ghostery
    I’m using Avast for virus checking and OpenDNS as DNS server.
    Never had any problem. But……..

    I recently bought a new laptop. Windows 7 etc. Then I thought, why not use MS Sec. Ess. for anti virus? A few days later strange things started to happen. I removed MS Sec. Ess. and installed Avast again. Guess what? Avast found a trojan!!! Need I say more?

    Regards

    P.S. I don’t know your kids age, but K9 webprotection from BlueCoat is also very good and protected by a master password ;-)

  11. Mark

    It’s obvious you have done way more than the average user to protect your son’s Win7 laptop. I agree with others that Chrome is a good move, likewise with OpenDNS. In my house we don’t run Windows anymore, largely because this type of problem is a waste of everyone’s time. So we have a son with a Mac and the other laptops in our house run Linux, either Mint or Ubuntu. Our kids haven’t had any problems with their schoolwork and compatibility back on the school’s computers. No more fighting the computers and Windows. :)

  12. Marc C

    There’s a lot of fake anti-malware viruses in the wild at the moment that are proving really difficult to protect against – even with fully patched systems running up-to-date virus scanners (I just dealt with one which was shutting down the Symantec client on the laptop as part of the payload. Nice.).

    I agree with what most others have said though: user training (son training in your case). Most of the threats require some kind of “click” to activate, opening a file inside an attachment etc. I teach my family & friends to “kill task” if a window opens with no close button (rather than being duped into clicking a dialog) – and never click on anything they weren’t expecting! I would say:

    - training!
    - Fully patched system (including 3rd party apps! Adobe Flash, Reader & Java being the biggest culprits).
    - Use a full featured security suite product (not the free ones) with a proper firewall, IPS module and application control as well as the basic antivirus & spyware (if the IDS/IPS module is good, it should be able to help protect against many zero day exploits like those often seen in Flash etc).
    - Turn up heuristic scanning of your security product to high (false positives are better than the alternative).
    - Consider using a firewall on your home network with built-in IDS/IPS. Packet inspection for suspicious behaviour is much more effective against unknown threats.

    …and keep doing the other things you’re currently doing.
    Unfortunately a fully patched system with up-to-date virus scanner behind a router & firewall is no longer sufficient unless the user is very Internet savvy.

    Good luck!

  13. RHM

    Least privilege is necessary, but no longer sufficient. Creating and using a standard user account for day-to-day use is an absolute must. Check.

    Anti-malware is neither necessary nor sufficient. Disclaimer: I do not run anti-malware on my Windows systems and neither recommend its use nor recommend against its use to others. Microsoft, however, runs the Malicious Software Removal Tool (MRT.exe) on Windows installs every Patch Tuesday.

    Execution control (read application whitelisting) is what I would recommend at this point. If the Windows 7 version is Professional or Ultimate, set up Software Restriction Policy (SRP) whitelisting for both executable and dll files using gpedit.msc (note that this can easily be extended to Java .CLASS and .JAR executable files). If the Windows 7 edition is Home or Starter, use Parental Controls to explicitly select the applications that are run in the standard user account. However, note that the Home and Starter editions cannot easily be extended to include additional executable file types (meaning that javaw.exe, a trusted executable, can run malicious .CLASS and .JAR files) and do not provide dll protection (meaning that trusted executables such as rundll32.exe and svchost.exe can run malicious dll files). Most malware attempts to download and run arbitrary executables that would not be in your application whitelist and would, therefore, fail to run. The best part is that SRP is included in Windows 7, meaning that one has already paid for it. One just has to enable it. In a nutshell: write where one cannot execute (C:\Users\username\, external USB devices, etc.) and execute where one cannot write (C:\Program Files and C:\Windows).

  14. slowe

    RHM,

    Unfortunately, it’s the Home edition of Win7, so I don’t think that I can use SRP. That would be ideal, though.

    Mark,

    If I could switch to Mac or Linux for everyone, believe me I would!

    All,

    Thanks to everyone who has submitted suggestions and/or comments. This is fabulous information, and I have certainly gleaned a few nuggets that will help. I hope that others will benefit from the information that has been shared.

  15. RHM

    @slowe,

    SRP is transparently built into Parental Controls in Windows Vista/7 Home. It presents a completely different UI and is not as feature-rich as the Group Policy Editor on corporate editions of Windows, but I have implemented and tested it against both arbitrary *.exe and *.bat files and it works.

    The Application Control component of Parental Controls will present you with a list of applications to select from. The two of you, together, can select the apps that will be run in the standard user account. Just remember to add the GUI executable associated with MSE as an allowed application. You can test it with something like Sysinternals Tcpview run from somewhere in C:\User\username\ and on an external USB device.

    Cheers
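    As an added illustration of the “execute where one cannot write” whitelisting RHM describes in comments 13 and 15 (this is example code, not from the post or from Microsoft): a small Python model of how SRP path rules are evaluated, with a constructed policy. The rule paths, extension lists and the dll_protection switch are assumptions; the model shows why a user-writable folder under %SystemRoot% needs its own Disallowed rule, and what the missing DLL coverage on the Home edition leaves open.

```python
"""Model of Software Restriction Policy (SRP) path-rule evaluation.

Constructed example, not Microsoft's implementation: it mimics the
default-deny whitelisting RHM describes (execute only where the user
cannot write) so a policy can be reasoned about before it is deployed.
"""
import ntpath

# Extensions SRP treats as executable; .class/.jar added as RHM suggests.
EXECUTABLE_TYPES = {"exe", "com", "bat", "cmd", "vbs", "js", "msi", "scr", "class", "jar"}
LIBRARY_TYPES = {"dll", "ocx"}

# Path rules: (prefix, level). The longest matching prefix wins, as in SRP.
# Constructed policy: trust the non-writable system locations only and
# re-block the user-writable Temp folder that lives under %SystemRoot%.
RULES = [
    (r"C:\Windows", "Unrestricted"),
    (r"C:\Program Files", "Unrestricted"),
    (r"C:\Windows\Temp", "Disallowed"),
]
DEFAULT_LEVEL = "Disallowed"  # everything not matched by a rule is denied

def _norm(path: str) -> str:
    return ntpath.normcase(ntpath.normpath(path))  # lower-case, backslashes

def _governed(path: str, dll_protection: bool) -> bool:
    ext = ntpath.splitext(path)[1].lstrip(".").lower()
    if ext in EXECUTABLE_TYPES:
        return True
    # SRP's "all software files" enforcement (TransparentEnabled=2) extends
    # the policy to libraries; the Home edition UI cannot do this (RHM's caveat).
    return dll_protection and ext in LIBRARY_TYPES

def effective_level(path: str, dll_protection: bool = True) -> str:
    """Return the SRP level applied to a file, or 'NotGoverned'."""
    if not _governed(path, dll_protection):
        return "NotGoverned"
    target = _norm(path)
    best = None
    for prefix, level in RULES:
        p = _norm(prefix)
        if target == p or target.startswith(p + "\\"):
            if best is None or len(p) > len(best[0]):
                best = (p, level)
    return best[1] if best else DEFAULT_LEVEL

def may_execute(path: str, dll_protection: bool = True) -> bool:
    """True if SRP would let the file run (ungoverned files always run)."""
    return effective_level(path, dll_protection) != "Disallowed"
```

A download in the user profile or on a USB stick is denied, a program under C:\Program Files runs, and the same malicious .dll is blocked only when library enforcement is on.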

  16. AT

    When I administered a computer lab for a large university, we used a product called Deep Freeze by Faronics. It will reset any changes to your machine once you reboot. Worked very well and saved a lot of admin time fixing things.

  17. Glenn

    I’m going to have to agree with AT on this one. Deep Freeze by Faronics is the way to go. I have tried to muck up a PC running this on purpose and did so quite well. Upon hard resetting, which was what I needed to do to shut it down (pulling the power cord and plugging it back in), all I had to do was turn the machine on and it was back to the nice clean OS it was when I froze it.

    You can create some thaw space on a partition or USB stick and keep things (downloads) isolated to JUST that space.

    Another option is to run some sort of filtering software by the people over at Content Watch. It limits where your son can go, thus reducing the number of places he can “accidentally” become infected.

    Keep up the good work Scott.

    -Glenn

  18. Arun

    Use No-script firefox plug-in to stop unwanted scripts from running.

  19. Jerry J. Anderson, CCIE #5000

    One problem we’ve run into with one of my nephews is: network protections don’t have much effect on USB thumb drives kids pass around in school.

    Is there software that forces a malware scan before a thumb drive filesystem is mounted and fully accessible?

  20. slowe

    Jerry,

    Many AV packages have the option to force a file system scan on removable devices as soon as they are mounted.

  21. CJ

    Chiming in a bit late here…

    Yeah, I hear you with the security problems that plague every version of Windows. I’m very cautious where I browse to and about the security of my machine, and recently even I found some malware on my PC (the mind boggles how on earth it got there).

    Get yourself a licensed copy of MalwareBytes Anti-Malware PRO. I’m convinced this is so good it could probably replace most anti-virus packages. $24.95 and a one time cost (at least it was when I bought it!). I’ve also switched my AV to Kaspersky and I feel more confident with this than the latest Norton offerings because of the comprehensive layers of protection it offers. You can download the latest version, install it without a key for 30 days free protection and try it for yourself.

    Defo move to Chrome. I’ve recently ditched Firefox, not because of security concerns but mainly because every time I open the damn thing it fancies updating either itself or one of the plug-ins.

    Glad I stumbled on your blog but I have to ask whilst I’m here, where can I buy a PDF copy of your latest design book? Paper copies are my favourite (because you can hug them and write your name inside the front cover), but I also like to have a PDF to carry round on my lappy for some titles.

    Cheers Steve (sorry… I meant Scott). :)

  22. Derek Melber, MVP

    To keep Windows 7 secure, you need UAC enabled to the highest level, virus/spam/malware/etc. protection software, and a solution to allow all applications to run elevated! BeyondTrust PowerBroker is the ideal solution! (www.beyondtrust.com). It allows every user to run as a standard user, but elevates the process for the user to run all apps and other installs. I have seen it in a corporation with over 300,000 users!

    Derek Melber, MVP

  23. slowe

    Derek,

    OK, call me stupid, but how does using BeyondTrust PowerBroker to allow all apps to run elevated fix anything? Now an application with elevated permissions can do EVEN MORE damage. Seems to move us in the opposite direction…

  24. Jack

    I am surprised none of the respondents gave you a workable solution. I thought they were geeks. Anyway, don’t rely on Microsoft Security Essentials; use a commercial antivirus software like Norton Internet Security 2011 (latest) and keep it updated. It works fine and has a firewall; none of those malware will penetrate. He can even click on those Flash links contributors are saying are dangerous.
