Windows 7 - Best Practices to stay virus free

Posted on 2011-05-02
Last Modified: 2013-11-22
I've got a couple hundred W7 PCs that I need to take care of. I think we do a pretty good job at keeping the machines updated and use up-to-date security suites, but we continue to have a few computers every week that get infected.

We've spent a lot of time and energy trying all the different AV suites, and have come to the conclusion that basically some suck and some suck less. None will keep the computer virus free, and many will mess the computer up pretty badly.

We've also tried running different (non-IE) browsers and have the same conclusion. Just as many viruses come in on Chrome or Firefox as IE.

We’ll be adding gateway AV soon and email is well cleansed so that helps.

So I'm looking for advice on what can be done to try and keep these computers clean while keeping them usable?

Question by:willp2
    LVL 29

    Assisted Solution

    by:Sudeep Sharma
    The first thing that I would do is not give Administrator or equivalent rights to the users. That would cut virus infections by almost 95%.

    Even after this, if the systems are still getting infected, then we might need to look at what kind of infection it is and explore the other possible sources of infection.

    I would like to see what other experts have to say on this

    LVL 95

    Accepted Solution

    Yep, I've been saying that for some time now... they all suck.

    The one that sucks least (to me) is Sunbelt VIPRE Enterprise.  

    Other best practices include:
    *Don't turn off UAC
    *EDUCATE your users - this can be difficult... but I've heard of companies providing training, incentives, even prizes for users that learn how to NOT get infected.
    *Don't run programs as an administrator (or allow your users to run as an administrator).
    *Use (Windows/a) firewall and don't allow things in or out unless you KNOW they need to be allowed... for example, if you use Exchange, Exchange is your mail server, it needs port 25 open to the world, in and out.  All other systems send mail through Exchange, so all other systems should have port 25 blocked OUT as well as in.
    *Use multiple levels of defense - install that AV Gateway and make sure it has a DIFFERENT scanning engine than the AV product you use on the computers.
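
    The two host-side items in that list (leave UAC on; block outbound TCP/25 from everything except the Exchange server) can be checked and enforced from a script. The following is an added example for this thread, not code from any poster: it audits the UAC registry values on a Windows 7 PC and creates the SMTP block rule with `netsh advfirewall` (Windows 7 has no `New-NetFirewallRule`; that cmdlet arrived with Windows 8). The Exchange address `10.0.0.25` and the rule name are placeholders. Run it elevated on the workstations, not on the Exchange server itself, which needs port 25 open.

```powershell
# Added example (not code from any poster in this thread).
# ASSUMPTION: the Exchange server is 10.0.0.25 - change it to match your site.
$ExchangeIp = '10.0.0.25'
$RuleName   = 'Block outbound SMTP except Exchange'

# --- 1. UAC sanity check: the values live under the Policies\System key ---
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey
if ($uac.EnableLUA -ne 1) {
    Write-Warning 'UAC is turned OFF (EnableLUA is not 1) - turn it back on and reboot.'
} elseif ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'UAC is on, but admins elevate silently (ConsentPromptBehaviorAdmin = 0).'
} else {
    $msg = 'UAC on: ConsentPromptBehaviorAdmin={0}, PromptOnSecureDesktop={1}'
    Write-Output ($msg -f $uac.ConsentPromptBehaviorAdmin, $uac.PromptOnSecureDesktop)
}

# --- 2. Outbound SMTP ---
# In Windows Firewall with Advanced Security a block rule beats an allow rule,
# so "block 25 everywhere + allow 25 to Exchange" would block Exchange too.
# Instead, build ONE block rule whose remote addresses are every IPv4 address
# except the mail server, expressed as the two ranges on either side of it.
function ConvertTo-IpNumber([string]$ip) {
    $o = $ip.Split('.') | ForEach-Object { [int64]$_ }
    return ($o[0] * 16777216) + ($o[1] * 65536) + ($o[2] * 256) + $o[3]
}
function ConvertTo-DottedIp([int64]$n) {
    $a = [int]([math]::Floor($n / 16777216) % 256)
    $b = [int]([math]::Floor($n / 65536) % 256)
    $c = [int]([math]::Floor($n / 256) % 256)
    $d = [int]($n % 256)
    return "$a.$b.$c.$d"
}
function Get-RangesExcluding([string]$ip) {
    $n = ConvertTo-IpNumber $ip
    $ranges = @()
    if ($n -gt 0)          { $ranges += '0.0.0.0-' + (ConvertTo-DottedIp ($n - 1)) }
    if ($n -lt 4294967295) { $ranges += (ConvertTo-DottedIp ($n + 1)) + '-255.255.255.255' }
    return ($ranges -join ',')
}

# For 10.0.0.25 this yields "0.0.0.0-10.0.0.24,10.0.0.26-255.255.255.255"
$remoteIp = Get-RangesExcluding $ExchangeIp

# Recreate the rule idempotently: drop any earlier copy, add the new one, show it.
netsh advfirewall firewall delete rule name="$RuleName" | Out-Null
netsh advfirewall firewall add rule name="$RuleName" dir=out action=block `
    protocol=TCP remoteport=25 remoteip="$remoteIp" profile=any `
    description="Only the Exchange server may speak SMTP; all other hosts relay through it."
netsh advfirewall firewall show rule name="$RuleName"
```

    The range trick matters because the default outbound policy is Allow, so a single scoped block rule is all that is needed; a second "allow to Exchange" rule would be pointless and, if written as a blanket block plus allow, would misfire. Push the same script through a startup script or Group Policy preference once it has been tested on a couple of machines.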
    LVL 95

    Expert Comment

    by:Lee W, MVP
    By the way - that's in no particular order.
    LVL 26

    Expert Comment

    by:Thomas Zucker-Scharff
    I wouldn't go as far as some others in saying they all "suck".  I have found the ESET product line (I am not affiliated with ESET in any way) to be very good.  That said, I find that user education gives the biggest % increase in malware decline.  With a combination of a perimeter firewall and ESET's NOD32 AV solution on the desktops, we've had one department keep ALL their computers malware free for the past 10 years (granted, the sysadmin is excellent as well).
    LVL 95

    Expert Comment

    by:Lee W, MVP
    And I've found ESET to let Antivirus viruses through that Sunbelt caught - and to be too aggressive, misidentifying other security-related software as a virus.  And while I personally have not seen a virus VIPRE Enterprise couldn't handle, my clients aren't routinely infected... I'm sure they are out there... absolutely positive... when I get a call that VIPRE didn't catch something, so be it... but it's least sucky in my opinion because I've been using it at about a dozen clients with 150 machines or so for the last 18 months and haven't had any verified complaints that a virus got through.
    LVL 5

    Expert Comment

    All AV software has different ways of detecting and detects different infections. I have had a look at Microsoft Forefront, as it uses multiple AV engines. leew makes a lot of valid points, as the majority of infections are avoidable and are down to end users' lack of knowledge when it comes to pop-ups, etc.

    I would remove all admin privileges from the end users, ensure that UAC is set to the recommended level, and that the Internet Explorer pop-up blocker and other default settings are in place for IE. Block port 25 outbound from all except the Exchange server, as this will stop any potential blacklisting. I would also look at an antimalware product such as Malwarebytes; they do a corporate version which I think is reasonably priced and can offer some real-time protection.

    I hope the information helps. We use Symantec Endpoint Protection, which can centrally manage all machines and has antimalware built in as well as proactive protection. We have found it to have a good detection rate as well.
    LVL 38

    Expert Comment

    I wrote this EE Article quite a while ago and it still applies. Much of the advice is already mentioned in the excellent comments above: (MALWARE - "An Ounce of Prevention...")

    One small thing that I always configure is:
    Cookies - "First Party" set to 'Prompt' and "Third Party" set to 'Block'.
    I don't know of any legitimate website or application that needs Third Party cookies.

    LVL 1

    Author Comment

    Great response, thanks much.

    I'm sure the biggest single problem is many of the users have admin rights to the machines. I'll need to work something to get them the rights they need without giving them admin rights to the machine.

    We have been using Symantec AV Corporate, centrally managed, for years. It's great as far as management goes, but we've just had bad luck with it in other ways. So we are interested in looking elsewhere.

    I wasn't aware that Forefront had multiple engines. I thought it was just a paid-for version of Security Essentials. I'll have to look into that.

    For me personally, ESET is in the "sucks more" category. It did a fine job at AV, but it completely ruined several machines to the point that they needed a Windows reinstall. The same things that make it very powerful at protecting the machines also mean that it has fingerprints everywhere. If something goes wrong it can just destroy things. That's just my recent personal experience; I'm sure it's great for others, but I'll not be going down that road again anytime soon.

    If anyone has any comments on the best way to setup limited rights while giving rights to the system when needed and for many users that would be helpful. I know technically how to do it, just looking for ideas on a system that’s manageable.

    Thanks again!
    LVL 77

    Expert Comment

    by:David Johnson, CD, MVP
    That is what runas or right-click "Run as administrator" is for... and it should be used very sparingly; no program should have to run with admin rights.
    The easiest way to remain virus/malware free is reduced rights and user education. Nothing will protect against a user that is determined enough.
    LVL 1

    Author Comment

    Thanks. I do understand how it works. Just with a lot of users it can be hard to manage having to train everyone to enter passwords every time they need to do anything. Still, we have to do what we have to do.
    LVL 95

    Expert Comment

    by:Lee W, MVP
    I don't consider myself a programmer - but I could write a configuration dialogue just as impressive as Symantec does.  I often think that's their interview and test for their programmers - "can you write an impressive looking configuration page with cool ideas that we can claim we have and never make them all work at the same time?"  If the answer is yes, I think they hire you.

    Put simply, Symantec, IN MY OPINION, is not a company that provides virus protection - they provide feature ideas that other people see and ACTUALLY MAKE WORK in their competing products.  I HATE symantec.  Every major outbreak I've had to squash has been "protected" by Symantec products.  They turn working products to SH!T.

    If your users NEED admin rights, then you have to find out why.  Is there a program that doesn't run unless they are an admin?  If so, then look at replacing or upgrading the program... or create a shortcut to it and embed the admin credentials in the shortcut so that only the program runs as an admin (replacing/upgrading is better - and if you do a good cost analysis, replacing it MIGHT be CHEAPER than continuing to repair virus infections).  Also, if the users need admin accounts - give them admin accounts.  What one company I worked at did was give everyone who needed admin rights a local admin account.  Their domain account, though, was JUST a user with no special privilege.  When Win7 wants them to run something as an admin, they get prompted (assuming UAC isn't disabled).  So education combined with the local admin account helps ensure they ONLY run as an admin when they NEED to.  (Education - they should learn to ask: why would this program that I've never been told I need to use need me to be an admin to run... and if they aren't savvy, call the helpdesk).
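
    Getting to the setup described above (everyday domain account is a plain user, a separate local admin account only when UAC asks) starts with finding out which domain user accounts currently sit in the local Administrators group on each PC. The script below is an added example for this thread, not code from any poster: it walks a list of Windows 7 machines with the ADSI WinNT provider (available in the PowerShell 2.0 that ships with Windows 7), reports every domain user that is a local admin, and with `-Remove` strips them. Domain groups such as Domain Admins are deliberately left alone. The domain name `CORP`, the `computers.txt` list and the `svc-deploy` exception are placeholders; it needs admin rights on each target.

```powershell
# Added example (not code from any poster in this thread).
# ASSUMPTIONS (placeholders): domain NetBIOS name CORP, targets one per line in
# .\computers.txt, and svc-deploy is a domain account that must stay an admin.
param(
    [string]$Domain = 'CORP',
    [string[]]$ComputerName = (Get-Content '.\computers.txt'),
    [string[]]$KeepUser = @('svc-deploy'),
    [switch]$Remove
)

# One object per member of the local Administrators group on $Computer.
# The ADsPath tells domain accounts from local ones:
#   WinNT://CORP/jsmith             -> domain account (2 parts after WinNT://)
#   WinNT://CORP/PC01/Administrator -> local account  (3 parts)
function Get-LocalAdminMember([string]$Computer) {
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        New-Object PSObject -Property @{
            Computer = $Computer
            Name     = $parts[-1]
            Class    = $class                 # 'User' or 'Group'
            Source   = $parts[0]              # domain or workgroup name
            IsDomain = ($parts.Count -eq 2 -and $parts[0] -ieq $Domain)
            Path     = $path
        }
    }
}

foreach ($pc in $ComputerName) {
    try   { $members = @(Get-LocalAdminMember $pc) }
    catch { Write-Warning "$pc : cannot read Administrators group ($($_.Exception.Message))"; continue }

    foreach ($m in $members) {
        # Only domain USER accounts are candidates; groups and local accounts are skipped.
        if ($m.IsDomain -and $m.Class -eq 'User' -and ($KeepUser -notcontains $m.Name)) {
            if ($Remove) {
                $group = [ADSI]"WinNT://$pc/Administrators,group"
                $group.psbase.Invoke('Remove', $m.Path)
                Write-Output "$pc : removed $Domain\$($m.Name) from local Administrators"
            } else {
                Write-Output "$pc : $Domain\$($m.Name) is a local admin (re-run with -Remove to strip)"
            }
        }
    }
}
```

    Run it once without `-Remove` to get the list, hand the affected users their separate local admin account (or fix the program that demanded admin rights), then run it again with `-Remove`. Because the report runs before anything is changed, a machine that cannot be reached is skipped with a warning rather than half-processed.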
    LVL 50

    Expert Comment

    As is obvious, you should have a good proactive antivirus program installed. (Proactive means one that is on all the time and does not wait for a scan.)  And use the Security settings in Internet Explorer.  But also install SpywareBlaster and use a HOSTS file.
    All must be kept up to date.
